After Chrome 61 was released, it was revealed that there were security vulnerabilities, and the Chrome team found some vulnerabilities caused by V8 escape Analysis (#765433 #752423, etc.) during the process of fixing the security vulnerabilities.
Escape analysis is the scientific name for escape analysis. In compiler optimization theory, escape analysis is a way of determining the dynamic range of a pointer — analyzing where a pointer can be accessed in a program.
V8 V6.1 and earlier uses a complex implementation of escape analysis that has produced many errors since its introduction (2333). This implementation has been removed and a new escape analysis code base is available in V8 V6.2.
To protect users, the Chrome team has turned off escape analysis in Chrome 61. Turning off escape analysis can have a negative impact on performance because it disables certain optimizations. Specifically, the following ES2015 features may be slower:
- Deconstruction (destructuring)
- For-of iteration (for-of Iteration)
- Array Spread
- Rest Parameters
By doing so, the Chrome team has slowed down hundreds of millions of pages.
However, it can be confirmed that disabling escape analysis is only a temporary measure. The new escape analysis feature in V8 6.2 will be available in Chrome 62.
This currently only affects Chrome 61, but Node 8 is not affected because the bug exploits untrusted JavaScript execution unless eval() is used in Node.js, according to issue #15564. Otherwise node.js will run trusted code written by the developer, and Node 8 will still have escape analysis enabled by default.
It’s not deoptimized. It’s just that one phase of the optimization pipeline is disabled, and this bug only affects Chrome. Node can still turn it on (with an appropriate bugfix in place).
What is escape analysis?
In JavaScript, if an object is accessible from outside the current function, the allocated object “escapes”.
A word is, V8 new objects allocated on the heap JavaScript, use the escape analysis, when the V8 analyze the object only work within the functions (and functions) have the same life cycle, the V8 can distributing the object on the stack, can even put some variable assigned to register, the object as a simple local variables.
If the object escapes, it must be allocated on the heap.
For example, escape analysis enables V8 to effectively rewrite the following code:
function foo(a, b) {
const object = { a, b };
return object.a + object.b;
// Note: `object` does not escape.
}Copy the code. This code can be optimized as follows:
function foo(a, b) {
const object_a = a;
const object_b = b;
return object_a + object_b;
}Copy the codeObject_a and object_b are allocated on the stack or even on registers.
In addition to converting heap allocation to stack allocation, escape analysis can also:
- Synchronous elision: If an object is found to be accessible only from one thread, operations on the object may be performed without regard to synchronization.
- Detached objects or scalar replacements: Some objects may be accessible without needing to exist as a contiguous memory structure, so part (or all) of the object can be stored not in memory, but in CPU registers.
Most dynamic languages are optimized using escape analysis. The next version of V8 will feature a new generation of escape analysis technology.