I’ve been putting together a series of blog posts on deep diving into the internals of JavaScriptCore, which is the JS engine that powers WebKit. This series was created to help me with crash analysis and bug triage when fuzzing JavaScriptCore with Fuzzilli. The blog series is hosted at zon8.re.

The series covers the four execution tiers in the engine and walks through the process of converting JavaScript into machine code that is executed by the browser.

Part I: Tracing JavaScript Source to Bytecode

Part II: The LLInt and Baseline JIT

Part III: The DFG (Data Flow Graph) JIT – Graph Building

Part IV: The DFG (Data Flow Graph) JIT – Graph Optimisation

Part V: The DFG (Data Flow Graph) JIT – On Stack Replacement

Parts VI and VII are work in progress and cover the FTL JIT engine. Once published on zon8, this post will be updated.