MuscalietJS: Rethinking Layered Dynamic Web Runtimes · MuscalietJS: Rethinking Layered Dynamic Web...

MuscalietJS: Rethinking Layered Dynamic Web Runtimes

Behnam Robatmili† Calin Cascaval† Mehrdad Reshadi‡1 Madhukar N. Kedlaya‖

Seth Fowler§1 Vrajesh Bhavsar† Michael Weber† Ben Hardekopf‖†Qualcomm Research Silicon Valley ‖University of California, Santa Barbara ‡InstartLogic §Mozilla

[email protected]

AbstractLayered JavaScript engines, in which the JavaScript run-time is built on top another managed runtime, provide betterextensibility and portability compared to traditional mono-lithic engines. In this paper, we revisit the design of layeredJavaScript engines and propose a layered architecture, calledMuscalietJS2, that splits the responsibilities of a JavaScriptengine between a high-level, JavaScript-specific componentand a low-level, language-agnostic .NET VM. To make upfor the performance loss due to layering, we propose a twopronged approach: high-level JavaScript optimizations andexploitation of low-level VM features that produce very effi-cient code for hot functions. We demonstrate the validity ofthe MuscalietJS design through a comprehensive evaluationusing both the Sunspider benchmarks and a set of web work-loads. We demonstrate that our approach outperforms otherlayered engines such as IronJS and Rhino engines while pro-viding extensibility, adaptability and portability.

Categories and Subject Descriptors D.3.4 [Program-ming Languages]: Processors–Run-time environments

Keywords JavaScript; layered virtual machine; dynamiclanguages

1. IntroductionJavaScript is a language in which almost everything is dy-namically modifiable: it is dynamically typed, object prop-erties (the JavaScript name for object members) can be dy-namically inserted and deleted, inheritance hierarchy (viaprototype chains) can be changed dynamically, new code

1Work performed while at Qualcomm Research Silicon Valley.2MuscalietJS can be found at http://www.github.com/mcjs/mcjs.git

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than ACMmust be honored. Abstracting with credit is permitted. To copy otherwise, or republish,to post on servers or to redistribute to lists, requires prior specific permission and/or afee. Request permissions from [email protected] ’14, March 1–2, 2014, Salt Lake City, Utah, USA.Copyright c© 2014 ACM 978-1-4503-2764-0 /14/03. . . $15.00.http://dx.doi.org/10.1145/2576195.2576211

can be injected dynamically, and so on. These propertiesmake JavaScript application development flexible. However,they also make compiling JavaScript a significant challenge.In addition, JavaScript is still a relatively new and evolv-ing language, requiring an extensible compilation engine toenable easy exploration of new language features. Addinglanguage-level compiler optimizations should be easy, espe-cially in an engine architecture that supports different com-pilers and optimization levels. JavaScript engines are usedin a variety of environments, from web page loading to webapplications and server processing [14]. As such, an engineneeds to adapt the quality of generated code and the timespent compiling to the particular workload. Finally, porta-bility is critical, especially in the browser case, as JavaScriptengines run on a wide variety of platforms.

Given the significant advancements in virtual machinessuch as .NET and JVM, both in terms of improved efficiencyand large number of available features, a fundamental ques-tion is whether we can exploit these VMs to efficiently buildand run a dynamic language like JavaScript in an adaptablemanner. Such an approach can potentially ease new languagefeature extensions and improve portability. Concentrating al-most exclusively on performance, traditional engines [9, 18]implement the entire dynamic managed runtime using anunmanaged language such as C or C++. In these engines,the basic constructs of the dynamic runtime such as objectlayout, heap, garbage collector, compilers, profilers and callframes, have been designed and implemented from scratchin the low-level language. This approach achieves high per-formance and requires significant effort. Since everythingis designed together, the monolithic architecture ends upless extensible, making it more challenging to implement anevolving dynamic language.

Recently, there have been several efforts [1, 2, 10, 16]for building a high-level dynamic VM runtime (such asJavaScript) on top of another low-level VM (such as JVM or.NET). We call such a runtime a layered runtime. Although alayered runtime can experience a performance hit due to thepresence of the low-level VM, it can significantly ease de-velopment and improve extensibility. In this paper, we reex-amine and reenvision the architecture of layered JavaScriptengines with the goal of providing a flexible and performant

framework for optimization. The specific contributions ofthis paper are:• A new, layered JavaScript engine, MuscalietJS (or MCJS),

for decent performance, rapid prototyping and explorationof research ideas implemented on top of the .NET com-mon language runtime (CLR). This architecture is differ-ent than any previously proposed layered engines such asSPUR [1], IronJS [10] or Rhino [16] in how it dividesresponsibilities between high-level and low-level enginesand achieves better performance (Section 3). JavaScript-specific optimizations, such as property lookup and typeinference, are performed in the high-level engine (Sec-tion 4). Code generation and hardware-specific optimiza-tions are performed at the low-level VM. MuscalietJS ex-ploits features provided by the low-level VM runtime, suchas Reflection and Runtime Method Attributes, to emit effi-cient code for hot functions (Section 5).

• Insights into the low-level VM features that will maximizethe performance benefits of the JavaScript runtime with-out losing generality. Examples include eliminating arraybounds checks on data structures that are either used bythe JavaScript JIT or generated by it, and which are guar-anteed not to overflow, explicit object initialization, andavoiding JITed code validation checks (Section 5.3).

• We demonstrate the validity of our approach by comparingthe performance of MuscalietJS to previously proposedlayered engines implemented in managed languages, in-cluding Rhino [16] and IronJS [10] and also monolithicengines such as V8 [9] (Section 6). We find that on bothtraditional JavaScript benchmarks and several record-and-replay benchmarks based on real websites, MuscalietJSsignificantly outperforms other layered engines such asRhino and IronJS (by a factor of 2 to 3), while still sup-porting extensibility and portability.

2. Design Space of JavaScript EnginesGiven the pace of change experienced in web developmentand the growing ubiquity of JavaScript, we identify the fol-lowing criteria for evaluating JavaScript engines:

• Performance. Performance is the key criterion by whichproduction JavaScript engines are evaluated. Given theincrease in dynamic execution of web pages [15] and thetrend toward web apps, better JavaScript performance inbrowsers is increasingly important.

• Adaptability. A JavaScript engine must be adaptableenough to recognize different workloads, ranging fromserver-side [14] to latency-sensitive page-load and itera-tive hot-spot workloads, and react accordingly to providethe best possible quality of service.

• Extensibility. The JavaScript language is constantly evolv-ing both formally, (e.g., the new ECMAScript standard [7]),and informally [19–21]. This means that JavaScript en-gines must evolve constantly and must be designed such

that extensions can be added and integrated easily, whiletaking advantage of the full feature set of optimizations.Changes must be localized and modular, and avoid re-engineering the engine flow.

• Portability. Browsers, and hence JavaScript, are widelyused on many platforms, from desktops to mobile devices;thus an engine should be easily portable to different hard-ware architectures. This implies that engines should be de-coupled from the underlying hardware, treating the hard-ware interface as a separate concern. However, it is stillcritical for performance that an engine take advantage ofany available hardware-specific features.

2.1 Traditional Monolithic Architectures

The traditional engines are designed to achieve the best per-formance and adapt to different Web workloads. For exam-ple, the Google V8 JavaScript engine [9] is a native C++application that has two just-in-time (JIT) compilers and nointerpreter. One is a quick, simple compiler that generatesvery fast generic code using inline caches, and the second isa profile-based optimizing JIT compiler called Crankshaft.The optimizing compiler applies a wide range of low-leveloptimizations such as SSA (Static Single Assignment) re-dundancy elimination, register allocation, and static type in-ference when generating native code. It also uses type feed-back from the inline caches from the simple compiler. V8does not use a bytecode-based IR (intermediate representa-tion); instead, it uses both high-level and low-level graph-based IRs for different levels of optimization. SpiderMon-key [18], Firefox’s JavaScript engine, is another monolithicengine written in C/C++ and comprised of a bytecode-basedinterpreter, a baseline JIT compiler, and an optimizing JITcompiler (IonMonkey). The baseline compiler is similar tothe V8 engine’s simple compiler and uses inline caches togenerate fast code.

While these runtimes are usually implemented and com-piled in a low-level unmanaged language such as C++, theyneed to provide complete JIT compilers with several IRs andoptimizations at different levels, and assembly code gener-ators for all target machines. The compiler stack and thecode generators must be updated frequently to support newlyadded language features. Significant development effort isrequired to extend and maintain such engines and port themto new platforms. Researchers have been experimenting withvarious JIT compilers in the Mozilla framework, such as thetracing JIT in Gal et al. [8], and highlight the complexityof implementing such components in monolithic engines.Additionally, in these architectures, there is an impedancemismatch between the runtime call stack (generally C++)and the call stack of the executing generated code in thetarget language (JavaScript). Consequently, communicationbetween the executing JITed code and the runtime is com-plex and has high overhead.

Table 1. Traditional vs. Layered JavaScript Engines.Architecture Name Host Language Compilation methodology LOCMonolithic V8 C++ Adaptive: Inline-cache based fast compiler wit no IR for cold code; 1M

an JavaScript optimizing compiler (HIR and LIR) for hot codeMonolithic SpiderMonkey C++ Adaptive: A byte-code based interpreter for cold code; 300K

a trace JIT and method JIT for hot JavaScript code

Layered MuscalietJS CLR (C#) Adaptive: an IR-based interpreter implemented in CIL for cold code; 95Kan JavaScript optimizing compiler (implemented in CIL) anda CIL code generator for hot code

Layered SPUR CLR (C#) Translate JavaScript to CIL; leaves dynamic optimizations to tracing CIL JIT N/ALayered IronJS DLR (F#) Translate JavaScript to DLR; leaves dynamic optimizations to DLR 23KLayered Rhino JVM (Java) Non-adaptive but can be reconfigured ahead of time (AOT); 115K

supports various degrees of optimizations (interpreter to optimized code)

2.2 Layered Architectures

In layered JavaScript (also called Repurposed JIT) archi-tectures, the target dynamic runtime is built on top of an-other runtime engine, rather than building an entire compilerfrom scratch. These designs are typically more portable thanmonolithic ones, as hardware-specific optimizations andfunctionality are provided by the low-level VM. Addition-ally, the target runtime may take advantage of features andresources provided by the host runtime including object lay-out, garbage collection and code generators. Therefore, thesedesigns can better fit the quick development cycles neededfor evolving dynamic languages. For example, as shown inTable 1, the code size for these architecture is significantlysmaller (up to 10x) than the code size of traditional engines.Adding new features to the layered engines is usually easier.For example, adding support for parallel execution or par-allel compilation to monolithic engines is a significant taskas it requires major changes to the memory system, garbagecollector and runtime. Whereas, basic parallelism support ina layered engine that runs on top of .NET for example, suchas MuscalietJS, can be provided using Task-Parallel Library(TPL) already available in the .NET runtime.

Table 1 compares MuscalietJS against three common lay-ered JavaScript engines and two traditional engines. Mus-calietJS is a layered JavaScript engine architecture built ontop of the .NET Common Language Runtime (CLR). Mostother layered engine provide a thin layer on the top andrely on the low-level engine to provide the optimizations.MuscalietJS, however, implements many language-level op-timizations at the high-level, where the semantics of thelanguage allows for better decisions. And it delegates thetraditional compiler optimizations to the low-level engine(e.g. register allocation). MuscalietJS performs adaptiveJavaScript-specific optimizations and uses CIL code gen-eration to JIT optimized versions of hot function after ap-plying high-level JavaScript optimizations. These high-leveloptimizations include hidden classes, property lookup, typeanalysis, and restricted dataflow analysis. MuscalietJS alsoexploits special features in CLR runtimes to generate high-

performance optimized code. For example, MuscalietJS usesreflection and inlining hints to generate optimized code fordynamic JavaScript operations. MuscalietJS communicatesspecial hints to the CLR engine to avoid array-bounds checksand object initialization for JavaScript property access andJavaScript object creation.

SPUR [1] is a tracing JIT compiler for Common In-termediate Language (CIL) in which JavaScript is directlycompiled to CIL and CIL is trace-compiled by SPUR forbetter optimization. The authors show that tracing CIL gen-erated by compiling JavaScript programs gives similar per-formance gains to a JavaScript tracing compiler. Due to themodular nature of our engine, we believe that it is possiblefor MuscalietJS to run on top of any CIL compiler includingSPUR. Given the effectiveness of SPUR over Microsoft’s.NET runtime, MuscalietJS might benefit from it; unfortu-nately, SPUR is not available for general use and thus wecould not test this setup. IronJS [10] translates JavaScriptto Dynamic Language Runtime (DLR) expression trees [5]and leaves dynamic optimizations to the DLR. DLR usesthe concept of dynamic callsites to generate type specializedversions of each operation. This is similar to polymorphicinline caches. Rhino [16] is a JavaScript engine on top of theJVM which offers various levels of optimization. The defaultconfiguration of the runtime invokes a naıve bytecode-basedinterpreter written in Java. Other optimization levels invokea code generator that generates Java class files. When setto the highest optimization level, Rhino performs optimiza-tions such as detection of numerical operations, commonsub-expression elimination, and function call target caching.Though the current implementation lacks adaptive compi-lation, optimizations can be enabled or disabled ahead oftime. Nashorn [13] is a more recent implementation of aJavaScript runtime on the JVM. Nashorn uses the invoke-dynamic bytecode instruction, which was added to recentversions of the JVM to enable efficient implementation ofdynamic language runtimes. We were not able to find a per-formant version of Nashorn to compare against.

Some prior studies [2] have stressed the importance ofhaving matching semantics of the two layers. We believe se-

mantics of the low-level VM might be of some importancebut the overall architecture and work breakdown betweenhigh-level and low-level VMs are more important. For exam-ple, by moving JavaScript optimizations (similar to the oneexplained in Section 4) to the high-level engine, it is possi-ble to achieve significant speedups regardless of the seman-tics of the lower-level language. As our results show whilesemantics of DLR used by IronJS are relatively close to dy-namic languages such as JavaScript, with better engineeringMuscalietJS outperforms IronJS.

3. MuscalietJS Architectural OverviewMuscalietJS’s architecture is shown in Figure 1. It splitsresponsibilities across two levels: a JavaScript-specific en-gine and a language-agnostic low-level VM. In principle,any managed language VM can serve as the low-level en-gine. Our current implementation uses the Common Lan-guage Runtime (CLR), as implemented by Mono [12]. Thelow-level VM provides traditional compiler optimizations:instruction scheduling, register allocation, constant propa-gation, common subexpression elimination, etc., as well ascode generation and machine specific optimizations. In addi-tion it provides managed language services such as garbagecollection, allowing us to focus on the JavaScript-specificaspects of the engine.

The JavaScript specific layer is further decomposed intoseveral components:

• JavaScript runtime. The high-level runtime consists ofa parser, an interpreter, a parallel JIT compiler, and a pro-filer. The parser takes in JavaScript code and producesa custom IR (see Sec. 4.1). The interpreter executes theIR directly, while the JIT compiler applies JavaScript-specific transformations and optimizations, and generatesCIL bytecodes for hot functions. Some examples of per-formed optimizations are: type analysis and type infer-ence, array analysis, and signature-based specialization;these are further discussed in Section 4.The combination of interpreter, JIT, and profiler providesadaptability in our design by deciding which compila-tion path is more appropriate given the workload. Forlatency-sensitive scenarios, like browser page load, weprovide an interpreter which can directly execute the out-put of the parser without any intermediate bytecode gen-eration. As functions are invoked multiple times and be-come hot, the JIT compiler will optimize them sincethe compilation time can be amortized. For the hottest,most performance-sensitive code, we apply more expen-sive optimizations at both the high-level JavaScript en-gine layer and the low-level VM layer.

• Dynamic runtime. The dynamic runtime provides thenecessary support to enable compilation for dynamic,prototype-based languages. This includes dynamic val-ues, objects, types, and hidden classes.

JavaScript

MCJS

Common Language Run5me (CLR: Mono/.NET)

ARM / x86

Code Gen, Garbage Collec5on

Dynamic Run5me

Basic support needed for dynamic languages (Dynamic Objects, Types, Hidden classes)

Web Run5me (Browser DOM Bindings, HTML5 APIs, JS

Events, Timers, etc.)

JavaScript Virtual Machine

Web JavaScript

IR

CIL JIT

Parser

Interpreter

CIL JavaScript

Op5miza5ons

Cmd line JavaScrip

t

Hot func CIL & hints

Figure 1. MuscalietJS Architecture.

• Web runtime. The web runtime handles the integrationwith the browser. MuscalietJS was designed in concertwith a browser architecture [? ] to optimize the bindingsbetween the browser and the engine. The web runtimeunderstands the semantics of the DOM and implementsDOM bindings as well as other browser-related serviceslike events and timers.

Running the JavaScript engine inside another VM hasperformance implications. Our split design relies on JavaScriptspecific optimizations at the high-level to help mitigate theoverhead of running on the CLR. The JavaScript engine codegenerator exploits advanced high-level techniques combinedwith type analysis and special hints to lead the low-level VMto generate high-quality optimized code. There are perfor-mance advantages to running on top of the CLR.

4. JavaScript Specific OptimizationsThis section discusses JavaScript-specific optimizations ap-plied to the input JavaScript code in the JavaScript runtime(JSR) and dynamic runtime (DR) components.

4.1 Parsing and IR Generation

The MuscalietJS engine uses a graph-based intermediaterepresentation (IR) that describes JavaScript code using sim-ple operations that are easy to analyze. The IR describes theflow of data through operations by placing edges in the graphbetween expressions that generate values (Writers) and ex-pressions that use those values (Users). It also represents im-plicit operations like type conversions explicitly so that theycan be taken into account during later phases. This simplifiesthe implementation of analyses like type inference. The in-terpreter, optimization passes, and code generator all operateusing this IR.

We depart from common practice when constructing theIR. Rather than building a temporary abstract syntax tree(AST) which is then used to build the IR in a separate pass,the parser directly generates the IR. The structure of the IRis designed such that constructing it also performs some ofanalyses. For example, dataflow analysis is performed com-pletely at parse time by connecting Writers and Users asthey are constructed. We build a symbol table for each func-tion and determine useful metadata like whether the func-tion uses eval or closes over its environment. This has sig-nificant advantages in the context of a latency-sensitive sys-tem like a web browser: it reduces the number of passes, im-proves locality (since multiple passes are fused), and elim-inates the overhead of constructing temporary AST nodesthat will later be discarded. The disadvantage is the com-plexity involved in implementing the semantic actions of theparser. To address it, we separate the parser’s view of the IRfrom that of the IR factory which constructs the IR nodes.From the parser’s perspective, we maintain the illusion thatwe are building an AST that follows the structure of the EC-MAScript 5 [7] grammar very closely, by tagging the realIR node classes with empty interfaces corresponding to non-terminals in the grammar. These interfaces have no effectat runtime, but they provide static type-level constraints thatmake it easier to ensure the parser behaves correctly whenconstructing the IR graph. They also hide the complexity ofthe underlying graph nodes by presenting the parser with asimple, uniform interface. The IR factory, meanwhile, workswith the concrete IR node types, and does not concern itselfwith the structure of the grammar at all.

Since there is such an impedance mismatch between thegrammar and the IR, we cannot always hide the truth fromthe parser perfectly. However, by obeying two requirementswhen designing the IR and the factory code that constructsit, we were able to isolate these issues to a few small partsin the parser. One requirement was that the IR could beconstructed in a recursive fashion, matching the parser’salgorithmic structure. This was fundamentally needed toallow the construction of the IR without using a separatepass. We also needed to allow the parser to backtrack incertain circumstances. To support this, we required that theIR factory act only on local state stored within the IR nodesthemselves, so that IR subgraphs could be thrown awaywithout corrupting global data structures. The combinationof these constraints also has another advantage: the designsof the parser and the IR factory lend themselves nicely toparallelism. We leave further exploration of that approachfor future work. Once the IR for a parsed function is created,it can be used by the interpreter to run the function or by theCIL JIT engine to apply type optimizations and eventuallygenerate optimized code.

4.2 Adaptive Function-level Execution

To achieve adaptability and performance, traditional JavaScriptengines support different modes of execution (interpretation,

basic JIT and advanced JIT with specialization) at functiongranularity. For example, V8 first quickly generates an unop-timized version of the code for each function. After a certainnumber of executions a trampoline code section replacesthe code pointer with a runtime function that generates aheavily optimized version of the code. The code pointer isthen changed to point to the optimized code. It remains inthis state unless the assumptions made during optimizationprove false, in which case a deoptimization happens whichrestores the unoptimized code.

Providing this type of dynamic code adjustment (espe-cially across the runtime function and JITed code) requiresaccess to stack frames, control over stack semantics, andsometimes support for self-modifying code. This is hard toachieve in a layered design given the restrictions imposedby host VMs like the CLR. We therefore take a differentapproach to achieve the same degree of adaptability. EachJavaScript function object in MuscalietJS has a codePtr: afunction pointer (C# delegate) that takes as its only argu-ment a CallFrame object. The CallFrame includes a refer-ence to the function object for that function as well as theactual input arguments and their types. A codePtr can pointto different runtime functions that manage the execution andoptimization of the function, or to different JITed specializa-tions of the function. Each JavaScript function object alsostores function metadata, which includes the current compi-lation state of the function (parse, analyze, JIT, specializedJIT), the IR graph of the function, and a code cache to storethe function’s JITed CIL code. The codePtr of a JavaScriptfunction can point to one of the following functions:

• FirstExecute (runtime function): When the JavaScriptfunction is called by the JavaScript code for the first time,this function performs pre-JIT analysis and the initializa-tion of the JIT code cache for that function. At the end, thecodePtr is changed to point to another runtime functionresponsible for normal execution.

• NormalExecute (runtime): Depending on the status ofthe JavaScript function, the normal execution function ei-ther calls the interpreter (for “cold” functions) or JITs thefunction at one of several optimization settings.

• Interpret: The interpreter executes the function by travers-ing its IR graph and calling runtime functions that imple-ment operations, property lookup, and other JavaScriptsemantics.

• CIL JITed code: For hot functions, normal executionstarts the JIT to generate a specialized version of the func-tion for the current arguments’ types. The generated codewill be added to the code cache and codePtr will be up-dated to point to it.

Tight coupling between the target and host runtime allowslow overhead switching between interpreter and JIT codesimilar to traditional monolithic runtimes.

4.3 Type Analysis

Advanced monolithic engines employ type analysis to JITefficient code for hot functions. MuscalietJS also imple-ments an advanced type analysis by combining type feed-back and type inference before JITing optimized code forhot functions. An initial type inference pass is first appliedto reduce type feedback overhead by enabling more intelli-gent placement of profiling hooks. After profiling, when ahot function is detected in the next invocation of that func-tion, a second type inference pass uses the profiling type in-formation to infer the types of most variables or expressionsin the function.

MuscalietJS supports type signature-based method dis-patch for JavaScript. The basic concept is to dynamicallygenerate different JITed implementations of the same func-tion, each specialized for one observed signature [4], i.e.the types of the function’s arguments for a particular invo-cation. At each invocation of the method the current signa-ture is used to dispatch to an appropriate implementation.The type analysis and signature-based method dispatch al-gorithm used by MuscalietJS is similar to the type inferenceand analysis explained in [11].

4.4 Property Lookup

As in any dynamic runtime, the way objects and their fieldsare stored in memory affects the performance and efficiencyof the memory allocation and object and field accesses [3]. Inmonolithic engines such as V8 [9], object layouts are com-plex and tightly coupled to the garbage collector, imposing ahuge burden on extending the engine with new object typesand features. For JavaScript, engines also have an internaldata structure representing the implicit class of each objectat a given point during execution, known as a hidden classor map. The hidden class of an object can change at anypoint given the dynamic nature of the language. This affectsthe way optimizing compilers generate efficient JITed code,and the JIT must take this layout into account in order toprovide efficient property lookups using low-level optimiza-tions such as inline caches. In MuscalietJS, both JavaScriptobjects and their hidden classes are normal CIL objects.Adding new features is easy, since it requires no translationbetween layers. This extensibility does not come at the costof speed; the MuscalietJS representation is capable of fastproperty lookups using techniques like multi-level cachingand property propagation. The same lookup mechanism isused directly by the interpreter and the JIT engine in the JSR.

MuscalietJS employs a data structure for representinghidden classes that is customized for prototype-based lan-guages. In such languages, objects act as multi-level dictio-nary, where each level adds or replaces properties and in-herits the rest from another object, its prototype. Since anobject may both be a prototype and have a prototype of itsown, a prototype chain is formed. The prototype chain ishighly dynamic in nature because any of the objects forming

PDescp PDescp [x,0]

PDescp [z,1]

z x

….

Fields

HClass

Children

… h

….

Fields

Children

Proto

Root

MapMetaData LocalCache

Inherited PDs

Pare

nt

Root

Obj2

ProtoObj

MapMetaData LocalCache

Inherited PDs

PDesc

PDescp [y,1]

y x

….

Fields

HClass Obj1

PDescp [h,0]

HClass

IPDescp [h,0,ProtoObj]

Children

Global Cache

HClass PDescp … … … …

PropID for “x”

Cache hit situation for Obj2.x

Figure 2. Property description data structure for represent-ing hidden classes (maps) in MuscalietJS DR.

the chain may be changed at any time. To address the chal-lenge of inferring hidden classes from these chains of objectsat runtime, we use a data structure with a tree of propertydescriptors at each level of inheritance or prototype depth.Each node in the tree represents an owned property – thatis, a property which is set directly on the object rather thanbeing inherited. Each property descriptor includes the prop-erty name and the offset at which the corresponding fieldis stored in the objects that share this prototype. Every pathfrom a node to the root of the tree represents the fields ofan object in the order they were added. Each node thus cor-responds to a particular hidden class, shared by all objectswhose fields were constructed in the same manner. This datastructure makes it easy to keep the inferred hidden class ofan object up to date as properties are added at runtime. Theroot of the tree has no property info. Therefore, the root nodealone represents any object with no properties of its own.Note that such an object may still inherit properties from itsprototype chain.

All of the property descriptors in a tree share a map meta-data structure that includes a reference to the prototype ob-ject, a list of properties inherited through the prototype, anda cache for recently accessed property descriptors. Figure 2shows an example of the two-level map data structure usedby MuscalietJS for managing dynamic objects and proper-ties. In this particular example, the prototype has one fieldcalled ”h”. Objects Obj1 and Obj2 inherit ”h” from thatprototype and add { ”x”, ”y” } and {”x”, ”z”}, respectivelyas sets of owned fields stored directly on each object.Slow Path Lookup: The default process for looking up aproperty name in an object (e.g. obj1.x in Figure 2) includeswalking the tree of property descriptors, starting at the nodecorresponding to the hidden class (map) of the object and

continuing towards the root of the tree. If a property descrip-tor with the desired property name is found, the value is re-trieved from the field at the corresponding offset in the ob-ject. Otherwise, the search is continued on the next object inthe prototype chain. For instance, looking up obj1.h in Fig-ure 2 will cause the property descriptors to be walked start-ing from Obj1 until the root property descriptor is reached.Since the property won’t be found, this will be followed re-cursively by a walk of ProtoObj’s property descriptors (sinceProtoObj is the prototype of Obj1), eventually reaching theproperty descriptor for ”h”. To reduce the cost of futurelookups, when a lookup on an object results in an inher-ited property being found, an inherited property descriptoris added to the map metadata structure at the object’s pro-totype depth. The inherited property descriptor indicates theprototype object that owns the property and the offset of thecorresponding field in the prototype object.Fast Path Lookup: MuscalietJS employs two levels ofcaching to speed up the property lookup process: a globalcache shared between all hidden classes and objects and acache at the map metadata level. For faster lookups in thesecaches, the MuscalietJS runtime globally assigns an integerID (called a propID) to each statically known string prop-erty name and manages the propIDs during code generationand use these IDs to access these caches for known propertynames. The global cache is a small array, indexed by thelow-order bits of the propID, that contains tuples composedof a hidden class (identified by a node in the tree of prop-erty descriptors) and the last property descriptor retrievedfor that propID. If the looked up hidden class matches thehidden class of the object on which we are performing thelookup, then the property descriptor is still correct and canbe used to access the corresponding value. A global cachehit for Obj2.x (or any other object with the same hiddenclass accessing property ”x”) is shown in Figure 2. If thereis no hit in the global cache, we check a second-level cacheassociated with the map metadata of that object (for exam-ple the cache in Obj1.HClass.MapMetadata for Obj1 in theexample). This map metadata local cache similarly maps aproperty name to the last property descriptor matched forthat name and the hidden class the match was for. Whileslower, this cache achieves better locality than the globalcache given that it is limited to the hidden classes associatedwith a particular map metadata.

If the propID cannot be obtained for a property statically,the generated code bypasses the cache and uses the runtimeproperty name as a string through the slow lookup path.Using these compile time assigned propIDs, the cachingoverhead is significantly reduced. Some engines, such asV8 [9], use transient maps for representing hidden classesand use inline caches for fast property lookup and requiresdeoptimization in case of inline cache miss. MuscalietJS’shidden class model requires a tree walk for cache missesand is amenable to property caching at the runtime level.

Also it uses two levels of caching and the results in Section 6report good hit rates for different types of workloads usingthis mechanism.

5. CIL Code Generation for Hot FunctionsIn JavaScript, most operations are dynamically defined de-pending on the types of their operands. For example, a prop-erty load operation such as object.a can turn into a directfield access in object, a field access in object’s prototypechain, a call to a getter function call, or a call back to abrowser function. A binary addition can translate to integeror double addition, a string concatenation or a complicateduser-defined conversion on operands followed by a numeri-cal addition or a concatenation, depending on the value typesof the operands.

Given the heavy use of the dynamic operations in JavaScript(and most other dynamic languages), generating efficientcode based on the inferred or profiled types is very importantwhen JITing code for hot functions. With the large numberof variants for each of these operations, producing low-levelcode for all of the variants, as is done in traditional engines,is challenging and hard to debug. MuscalietJS exploits therich features of the host engine such as reflection and specialcode-generation hints to JIT efficient code while maintain-ing scalability and debuggability. This section discusses howMuscalietJS performs code generation for operations in hotfunctions.

5.1 Operation Implementation

Initially, we generated the CIL bytecode implementing eachoperation manually; there were many variations dependingon the operand type information extracted during type in-ference. However, this approach is very tedious and hardto maintain because the relationships between the inputand output types of the operations and their correspondingimplementations were separated and implicitly captured inmultiple places, including the type inference and JIT algo-rithms. Debugging was also very difficult.

To address these problems, we created an operationdatabase. This is essentially a series of overloaded functions,each implementing one particular instance of an operation’sbehavior. During type inference, we use reflection to mapoperand types (function argument types) to operation resulttypes (function return value types). During JIT we again usereflection to look up the appropriate operation implementa-tion function based on the types of the operand and simplygenerate a call to that function. Figure 3 (B) shows a simpli-fied code for binary addition operator for three of the pos-sible many cases including (Int, Int), (Undefined, Bool) and(Bool, Float) in the MuscalietJS operation code database.

This approach produces very robust, maintainable, andeasy to debug code. Since we use reflection to take advan-tage of the overloading functionality of the host language,we do not even need to generate lookup code. By assigningproper CIL method attributes to these operator implementa-

/**** (A) CodeGen for binary operations ***********/Visit(BinaryExp node, OpCache operation){

var ltype = Visit(node.Left);var rypet = Visit(node.Right);/* Using reflection to extract the expected type and call*/var methodInfo = operation.Get(ltype, rtype);var resultType = operation.ReturnType(ltype, rtype);GenerateCall(methodInfo, resultType);

}

/**** (B) Addition operation ***********/public static class Add{

...[MethodImplAttribute(MethodImplOptions.AggressiveInlining)]public static float Run(bool i0, float i1){ return Run((float)Convert.ToNumber.Run(i0), i1); }...[MethodImplAttribute(MethodImplOptions.AggressiveInlining)]public static double Run(mdr.DUndefined i0, bool i1){ return double.NaN; }...[MethodImplAttribute(MethodImplOptions.AggressiveInlining)]public static int Run(int i0, int i1) { return i0 + i1); }...

}

Figure 3. CodeGeneration (JIT) code for binary operationIR nodes (A) and Addition operation implementation (B).

tion functions, the runtime is forced to inline them, and thecompiled code achieves the same performance as the previ-ous manually-generated CIL bytecode implementation. Wedeveloped a template-based code generator to generate mostof the C# code for the various possible implementations ofeach operation, and used the “partial classes” feature of theC# language to manually implement the corner cases and in-tegrate them with the rest of the auto-generated code.

5.2 CIL Code Generation

The MuscalietJS code generator (JIT engine) traverses theIR of the function being JITed and uses information addedto the IR during type inference or other pre-JIT phases togenerate efficient CIL code. This section discusses some ofthe techniques used by the engine and how it interacts withthe low-level VM to achieve high performance.

The engine generates CIL for JavaScript code using theCLR’s reflection API. The various JavaScript-level expres-sions are implemented by generating calls to appropriate op-eration functions specialized for the inferred types of theiroperands as shown in Figure 3. To show how our code gen-erator uses operand types and hints to the low-level VM tohelp the underlying platform generate efficient code, Fig-ure 4 illustrates: (A) a sample JavaScript function, (B) itscorresponding CIL code generated by MuscalietJS and, (C)the x86 code generated by the low-level engine. The call tothe doublePlusOne function shown in the figure passesan Int value (a) as argument, and the literals in the func-tion are all integer constants. Therefore, the type inferencepass infers the type of the operands to both the multipli-

/********* (A) JavaScript Source ***********/function doublePlusOne(a){

return 2 * a + 1;}doublePlusOne(20)............/*** (B) Generated CIL code for doublePlusOne ***/............0.0 ldarg.0 ;loading call frame1.1 ldflda ;loading arg0 in callframe (a)2.1 call Int32 DValue:AsInt32 () ;unboxing arg02.2 stloc.13.0 ldarg.04.0 ldflda5.1 ldc.i4 25.2 ldloc.15.3 call Int32 Binary.Mul:Run (Int32, Int32)6.1 ldc.i4 16.2 call Int32 Binary.Add:Run (Int32, Int32)7.0 call Void DValue:Set (Int32) ;boxing for return............/*** (C) x86 assembly code generated by mono ***/............0 addl $0x10,%esp1 leal 0x34(%edi),%eax ;load arg0 (a)2 movl 0x04(%eax),%ecx3 movl %ecx,0xf4(%ebp)4 leal 0x0c(%edi),%eax5 shll %ecx ;inlined/optimized integer multiply6 incl %ecx ;inlined/optimized integer addition7 movl %ecx,0x04(%eax) ; boxing for return8 movl $0x00000009,(%eax)9 leal 0xfc(%ebp),%esp

Figure 4. JITed CIL and assembly for a sample code.

cation and addition operations to be Int. During JIT com-pilation, as shown in Figure 3, the JIT engine uses reflec-tion to look up the multiplication and addition functions for(Int, Int) operands. The resulting functions, which are calledin the JITed code (CIL lines 5.3 and 6.2), are the basic in-teger addition and multiply functions Binary.Mul:Runand Binary.Add:Run, which are implemented in termsof CIL-level primitive operations. Since these functions re-turn Int as well, the intermediate value passing the multipli-cation result to the addition operation is inferred to be an Intas well, and so it does not generate any boxing or unboxingoperations. All the operations in the function are pure inte-ger operations except the unboxing of the function argumentread from the call frame (CIL line 2.1) and the boxing forthe return (CIL line 7.0).

When the low-level VM sees this specialized version ofdoublePlusOne, it is guaranteed to inline the calls toBinary.Mul:Run, Binary.Add:Run, and the runtimefunctions that handle boxing, because we annotate them withCIL attributes that require this behavior (AggressiveInlin-ing). After inlining, the calls are replaced with simple inte-ger + and * operations. The low-level VM then applies otheroptimizations such as dead code elimination, register alloca-tion, and constant folding on the resulting code. Finally, opti-mized code is generated for the target hardware architecture.For example, as shown in Figure 4, the x86 generated codeimplements the multiplication and addition operations in the

original JavaScript function with a shift left instruc-tion and an increment instruction.

We implement property access expressions (the . opera-tor) at the JavaScript level with calls to the property lookupruntime operation discussed in Subsection 4.4. These callsare also inlined by the low-level VM. For indexing opera-tions (the [] operator), MuscalietJS performs special opti-mizations: if the inferred type of the expression that is beingindexed is Array, and the indexing expression’s inferred typeis Int, then we can skip the property lookup code and cacheaccesses. Instead, the engine generates a simple array access,using the integer to directly index the internal CIL-level ar-ray used to implement the array object.

In traditional JavaScript engines, calls to runtime func-tions from the JITed code is usually very costly, given thatthe runtime is unmanaged while the JITed code exists in amanaged environment. The primary source of overhead isthe difference in stack frame models between the two envi-ronments. In the MuscalietJS runtime, however, JavaScriptobjects, the runtime, calls to operations, boxing and unbox-ing, and JITed code all exist in the same managed world andso communication between them has essentially no over-head. As shown, MuscalietJS effectively exploits this low-overhead during CIL code generation for hot functions.

5.3 Special Hints

Through significant profiling and evaluation of the Monoand .NET VMs, we designed a set of hints that can bepassed to the low-level VM to significantly improve the gen-erated code in a layered architecture like MuscalietJS. Mostof these hints can be provided as per-value or function at-tributes passed to the runtime once. We were able to imple-ment some of these features in the Mono runtime:

• Avoiding array bound check for property access opera-tions: MuscalietJS can guarantee the validity of the lengthof the property array in the objects through hidden classes,so the low-level code that would be generated by the low-level .NET VM for those checks is redundant.

• Avoiding object zero initialization for JavaScript ob-jects created by MuscalietJS: MuscalietJS explicitly setsthe fields of JavaScript objects after creating them in JITedCIL codes.

• Avoiding IL validation security checks for CIL codeemitted by MuscalietJS: We found that the Microsoft.NET runtime [6] spends a huge amount of time on secu-rity validation of our JITed CIL code. Our profiling showsthat with .NET, Sunspider benchmarks are slowed on av-erage by 2× (and sometimes as much as 5×) because ofthe JIT method access check done on every invocation ofMuscalietJS generated code for hot methods. This is ob-served in the .NET runtime, but we did not observe this is-sue with the Mono runtime [12]. This security check is re-dundant because MuscalietJS performs code validation fortype safety during code generation. We were not able to fix

this issue and so could not fully evaluate MuscalietJS on.NET. Having a selective IL validation check can improvethe code quality of layered designs such as MuscalietJS.

• Allowing on-stack replacement (OSR) between twoCIL emitted methods: As MuscalietJS employs typeprofiles as well as type inference, it sometimes generatesspeculative code protected by guards. As a result, it needssupport for deoptimization and jumps back to the inter-preter if the guard condition is violated. Switching con-texts between the optimized method and the interpreterand continuing execution is a challenging task given thecurrent limitations of the CIL stack machine. Since bothMono and .NET internally support OSR, having high-levelaccess to that feature would have simplified the implemen-tation of such a deoptimizer.

6. EvaluationWe evaluated MuscalietJS against three existing JavaScriptengines: Rhino [16] and IronJS [10], which both have lay-ered architectures (one running on top of JVM and theother one on top of .NET DLR) similar in some respects toMuscalietJS (MuscalietJS performs many more high-levelJavaScript-specific type analysis and optimizations), andV8 [9], which is a state-of-the-art native engine. We werenot able to evaluate against SPUR [1] as SPUR is not pub-licly available. We used the latest release of each engine asof this writing: Rhino v1.7, and IronJS v0.2.0.1. Our engine,MuscalietJS v0.9, and IronJS run on top of Mono 2.10. Allexperiments were carried out on a 2.80GHz Intel Core i7machine with 8 GB of RAM, running Ubuntu 11.04.

Table 2. JavaScript Engines Configurations.Name DescriptionMCJS I MuscalietJS interpreter onlyMCJS J MuscalietJS JITMCJS J+ MuscalietJS JIT + type inference/specialization and

array optimizationMCJS IJ MuscalietJS interpreter/JIT for cold/hot functionsRhino I Rhino interpreter onlyRhino C Rhino basic compiler (-O 0)Rhino C+ Rhino compiler with maximum optimizations (-O 9)IronJS IronJS translates to DLR expression trees, DLR performs

dynamic optimizationsOur test configurations are described in Table 2. Note

that Rhino does not JIT code on a per-function basis asMuscalietJS does; instead, depending on its configuration,it is either a pure interpreter or a pure AOT compiler. Toreduce variation, we run each benchmark four times on eachengine and average the execution times. For the results, wemeasured confidence intervals of 1%, 2%, 5%, and 2% forV8, Rhino, IronJS, and MuscalietJS, respectively.Benchmark Selection: Selecting the right set of bench-marks across all platforms and configuration was challeng-ing. Rhino and IronJS fail to execute JSBench [17] bench-marks and several Octane benchmarks require typed arrays

0

10

20

30

40

50

60

70

3d-‐cube

3d-‐morph

3d-‐raytrace

access-‐binary-‐trees

access-‐fannkuch

access-‐nbody

access-‐nsieve

bitops-‐3bits-‐bits-‐in-‐byte

bitops-‐bits-‐in-‐byte

bitops-‐bitwise-‐and

bitops-‐nsieve-‐bits

controlflow-‐recursive

crypto-‐aes

crypto-‐md5

crypto-‐sha1

date-‐format-‐xparb

math-‐cordic

math-‐parBal-‐sums

Total

Rela%v

e speedu

ps against Rhino

_I

Rhino_C Rhino_C+ MCJS_I MCJS_J MCJS_J+ IronJS V8

124.6 160.7 176.6 167.8

Figure 5. Relative speedups against Rhino I for Sunspider benchmarks.

not yet supported by MCJS. We present results for the Sun-spider and V8 benchmark suites. We run each test in loop4 times to increase the running time and improve the confi-dence of our results.

In addition we want to capture workloads that are char-acteristic of web page loading, in which large amounts ofJavaScript code are downloaded, but only small portions areexecuted most of the time, and these portions are usuallyonly executed once [15]. To evaluate these types of work-loads, we generate a set of benchmarks using a record-and-replay mechanism. For a given web page, we record theprocess of loading the web page in the browser. Then, ourbenchmark generation tool reconstructs all the JavaScriptcode locally, modeling the DOM-based interaction betweenthe browser and the JavaScript engine as follows: prefixeach script with additional code that initializes a simulatedDOM tree represented by a tree of JavaScript objects, eachof which has the same properties that were read from theirreal counterparts during execution. The performance over-head introduced by the simulated DOM tree is similar to thebrowser-integration, as the JavaScript side of the DOM bind-ings also wraps native objects and accesses them in the man-aged JavaScript heap.

6.1 Traditional Benchmarks

Figure 5 presents average execution time for the Sunspi-der benchmark suite on the configurations of MuscalietJS,Rhino, and IronJS listed in Table 2. The last column (total)shows the total Sunspider score speedup, also relative to theRhino interpreter. A few benchmarks crash on IronJS run-ning with Mono; therefore we present 18 benchmarks run-ning correctly on all platforms. The IJ and IJ+ results forMuscalietJS are very close to I and J+ so the table does notinclude them. On Sunspider, the MuscalietJS interpreter (I)performs close to the Rhino AOT compiler (C). The Mus-calietJS JIT (J) improves performance over the MuscalietJSinterpreter by a factor of 2 to 3, and delivers almost 3×the performance of the Rhino AOT compiler at its maxi-mum optimization level (C+), despite the overhead of JIT-ing code at runtime. This is slightly higher than the speedups

achieved by IronJS using .NET DLR. This is not surprising,since we implemented hidden classes and property lookupdirectly in the managed runtime using its internal data struc-tures. In addition, when we enable JavaScript-specific typeoptimizations, such as array optimization and type analysis(J+), MuscalietJS outperforms IronJS (1.3× on average up to4× on some benchmarks such as access-nsieve). The speedups over Rhino C+ is about 4×. These significant speedupsemphasize the effectiveness of our JavaScript-specific opti-mizations such as property lookup, array optimizations andtype analysis. On average MCJS J+ achieves about 75% ofthe speed of the V8 engine on Sunspider benchmarks, whichis by far the highest reported performance for a layered en-gine.

Table 3. Speedups vs. Rhino I for V8 benchmarks.

BenchmarkRhino MCJS

IronJSC C+ I J J+

deltablue 3.05 2.69 1.37 2.50 3.78 1.53navier-stokes 5.43 7.93 1.42 5.84 10.62 4.20regex 1.22 1.19 0.56 0.59 0.58 0.58richards 2.17 2.20 1.55 3.05 3.09 1.90splay 2.50 2.40 1.25 1.49 1.48 2.10

Average 2.88 3.28 1.23 2.69 3.91 2.06

Table 3 presents average execution time for a subset of theV8 benchmark suite that runs on all of MuscalietJS, Rhino,and IronJS configurations. Rhino AOT compiler performsvery well, achieving an average speed up of 3.8 comparedto Rhino interpreter, since for these long-running bench-marks, the compilation time is negligible and several staticoptimizations pay off. On the other hand, the MuscalietJSoptimizing CIL compiler, relies on JavaScript-specific opti-mizations and outperform both IronJS and Rhino best con-figurations. On average, the best MuscalietJS configuration(MCJS J+) outperforms the IronJS and Rhino best configu-rations by about 2× and 1.2×, respectively. The two slowbenchmarks for MuscalietJS are Splay and Regex. Splaystresses garbage collector and the slowdown can be related

J+). The MuscalietJS interpreter also outperforms the Rhinointerpreter by a factor of up to 3.98 (2.53× on average).

6.3 Effectiveness of Property Lookup Operations

To study the difference between these workloads and mea-sure the effectiveness of the property lookup algorithm usedby MuscalietJS, Table 5 reports the hit rate of our globalproperty lookup cache (Section 4.4) and also percentage ofinherited properties. For the traditional benchmarks, nearly90% of property lookups hit in the global cache. Althoughnot shown here, the hit rate for the second-level local prop-erty lookup caches is also very high for these benchmarks.However, for the web replay benchmarks less than half ofthe lookups could be found in the global cache. This reflectsthe fact that during page load, not only is execution timedistributed across many more functions than in the data pro-cessing benchmarks, but data access patterns are also dis-tributed across a much larger set of properties. Another in-teresting point here is that even for web non-repetitive Webreplay benchmarks, the property cache hit rate is more than40% which mean for over 40% of property accesses in theMuscalietJS interpreter the slow path lookup is avoided;speeding up execution as shown in Table 4.

Table 5. MuscalietJS benchmark optimization statistics.Benchmark Global property Percent of Inherited

cache hit properties

Traditional 88.0% 33.6%Web Replay 41.2% 33.4%

7. ConclusionsIn this paper, we argue that JavaScript engines can be ar-chitected for performance without sacrificing other desirableproperties. We presented a layered JavaScript engine, witha high-level runtime handling language-specific optimiza-tions, relying on a low-level host virtual machine to provideruntime services and machine-specific optimizations. Thislayered architecture combined with general-purpose code-generation hints passed from the top-level VM to the .NETVM achieves significantly performance when compared toprior layered architectures. The layered approach lets us fo-cus on language-level optimizations, while relying on thelow-level VM for efficient code generation, and using hostVM features like reflection to improve performance. Wesee significant value in this approach, and we believe thistrend will continue for other languages. As existing low-level managed VMs like CLR continue to mature, there willbe an incentive to expose APIs to some of their low-levelfeatures to ease the development of layered engines.

References[1] M. Bebenita, F. Brandner, M. Fahndrich, F. Logozzo, W. Schulte,

N. Tillmann, and H. Venter. SPUR: a trace-based JIT compiler forCIL. In Proceedings of the ACM international conference on Ob-

ject oriented programming systems languages and applications, pages708–725, Reno/Tahoe, Nevada, USA, 2010.

[2] J. Castanos, D. Edelsohn, K. Ishizaki, P. Nagpurkar, T. Nakatani,T. Ogasawara, and P. Wu. On the benefits and pitfalls of extending astatically typed language jit compiler for dynamic scripting languages.In International Conference on Object Oriented Programming Sys-tems Languages and Applications, pages 195–212, Tucson, 2012.

[3] C. Chambers, J. Hennessy, and M. Linton. The design and implemen-tation of the self compiler, an optimizing compiler for object-orientedprogramming languages. Technical report, Stanford University, De-partment of Computer Science, 1992.

[4] J. Dean, C. Chambers, and D. Grove. Selective specialization forobject-oriented languages. In ACM Conference on Programming Lan-guage Design and Implementation, pages 93–102, La Jolla, 1995.

[5] Dynamic Language Runtime. http://msdn.microsoft.com/en-us/library/dd233052.aspx.

[6] .NET Framework. http://msdn.microsoft.com/en-us/vstudio/aa496123.aspx.

[7] ECMAScript. http://www.ecmascript.org/.

[8] A. Gal, B. Eich, M. Shaver, D. Anderson, D. Mandelin, M. R.Haghighat, B. Kaplan, G. Hoare, B. Zbarsky, J. Orendorff, J. Ru-derman, E. W. Smith, R. Reitmaier, M. Bebenita, M. Chang, andM. Franz. Trace-based just-in-time type specialization for dynamiclanguages. In ACM conference on Programming language design andimplementation, pages 465–478, Dublin, Ireland, 2009.

[9] Google Inc. V8 JavaScript virtual machine. http://code.google.com/p/v8/.

[10] IronJS. https://github.com/fholm/IronJS.

[11] M. N. Kedlaya, J. Roesch, B. Robatmili, M. Reshadi, and B. Hard-ekopf. Improved type specialization for dynamic scripting languages.In Dynamic Languages Symposium, pages 37–48, October 2013.

[12] Mono Project. http://www.mono-project.com.

[13] Nashorn JavaScript engine. http://openjdk.java.net/projects/nashorn.

[14] Node.js. http://nodejs.org.

[15] P. Ratanaworabhan, B. Livshits, and B. G. Zorn. Jsmeter: comparingthe behavior of javascript benchmarks with real web applications. InUSENIX Conference on Web Application Development, WebApps’10,pages 3–3, 2010.

[16] Rhino JavaScript engine. https://developer.mozilla.org/en-US/docs/Rhino.

[17] G. Richards, A. Gal, B. Eich, and J. Vitek. Automated construction ofjavascript benchmarks. In ACM International Conference on ObjectOriented Programming Systems Languages and Applications, OOP-SLA ’11, pages 677–694, Portland, Oregon, USA, 2011.

[18] SpiderMonkey: Mozilla’s JavaScript engine. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey.

[19] ECMAScript typed arrays. http://www.khronos.org/registry/typedarray/specs/latest/.

[20] Typescript. http://www.typescriptlang.org/.

[21] ECMAScript web workers. http://www.whatwg.org/specs/web-apps/current-work/multipage/workers.html#workers.

MuscalietJS: Rethinking Layered Dynamic Web Runtimes · MuscalietJS: Rethinking Layered Dynamic Web...

Documents

Transcript of MuscalietJS: Rethinking Layered Dynamic Web Runtimes · MuscalietJS: Rethinking Layered Dynamic Web...