V8 Bytecode Reference

on 29.07.2023 by Kuter Dinel.

Here is a list of bytecode instructions that are used by the V8. JavaScript function gets compiled into bytecode and then gets interpreted by the Ignition interpreter. When there is sufficient feedback, the bytecode gets compiled to efficient native code, either by Turobfan, Turboprop or Maglev.

Extracted from v8/src/interpreter/interpreter-generator.cc

LdaZero: Load literal '0' into the accumulator.
LdaSmi <imm>: Load an integer literal into the accumulator as a Smi.
LdaConstant <idx>: Load constant literal at idx in the constant pool into the accumulator.
LdaUndefined: Load Undefined into the accumulator.
LdaNull: Load Null into the accumulator.
LdaTheHole: Load TheHole into the accumulator.
LdaTrue: Load True into the accumulator.
LdaFalse: Load False into the accumulator.
Ldar <src>: Load accumulator with value from register src.
Star <dst>: Store accumulator to register dst.
Star0 - StarN: Store accumulator to one of a special batch of registers, without using a; second byte to specify the destination.; Even though this handler is declared as Star0, multiple entries in; the jump table point to this handler.
Mov <src> <dst>: Stores the value of register src to register dst.
LdaGlobal <name_index> <slot>: Load the global with name in constant pool entry name_index into the; accumulator using FeedBackVector slot slot outside of a typeof.
LdaGlobalInsideTypeof <name_index> <slot>: Load the global with name in constant pool entry name_index into the; accumulator using FeedBackVector slot slot inside of a typeof.
StaGlobal <name_index> <slot>: Store the value in the accumulator into the global with name in constant pool; entry name_index using FeedBackVector slot slot.
LdaContextSlot <context> <slot_index> <depth>: Load the object in slot_index of the context at depth in the context; chain starting at context into the accumulator.
LdaImmutableContextSlot <context> <slot_index> <depth>: Load the object in slot_index of the context at depth in the context; chain starting at context into the accumulator.
LdaCurrentContextSlot <slot_index>: Load the object in slot_index of the current context into the accumulator.
LdaImmutableCurrentContextSlot <slot_index>: Load the object in slot_index of the current context into the accumulator.
StaContextSlot <context> <slot_index> <depth>: Stores the object in the accumulator into slot_index of the context at; depth in the context chain starting at context.
StaCurrentContextSlot <slot_index>: Stores the object in the accumulator into slot_index of the current; context.
LdaLookupSlot <name_index>: Lookup the object with the name in constant pool entry name_index; dynamically.
LdaLookupSlotInsideTypeof <name_index>: Lookup the object with the name in constant pool entry name_index; dynamically without causing a NoReferenceError.
LdaLookupContextSlot <name_index>: Lookup the object with the name in constant pool entry name_index; dynamically.
LdaLookupContextSlotInsideTypeof <name_index>: Lookup the object with the name in constant pool entry name_index; dynamically without causing a NoReferenceError.
LdaLookupGlobalSlot <name_index> <feedback_slot> <depth>: Lookup the object with the name in constant pool entry name_index; dynamically.
LdaLookupGlobalSlotInsideTypeof <name_index> <feedback_slot> <depth>: Lookup the object with the name in constant pool entry name_index; dynamically without causing a NoReferenceError.
StaLookupSlot <name_index> <flags>: Store the object in accumulator to the object with the name in constant; pool entry name_index.
GetNamedProperty <object> <name_index> <slot>: Calls the LoadIC at FeedBackVector slot slot for object and the name at; constant pool entry name_index.
GetNamedPropertyFromSuper <receiver> <name_index> <slot>: Calls the LoadSuperIC at FeedBackVector slot slot for receiver, home; object's prototype (home object in the accumulator) and the name at constant; pool entry name_index.
GetKeyedProperty <object> <slot>: Calls the KeyedLoadIC at FeedBackVector slot slot for object and the key; in the accumulator.
SetNamedProperty <object> <name_index> <slot>: Calls the StoreIC at FeedBackVector slot slot for object and; the name in constant pool entry name_index with the value in the; accumulator.
DefineNamedOwnProperty <object> <name_index> <slot>: Calls the DefineNamedOwnIC at FeedBackVector slot slot for object and; the name in constant pool entry name_index with the value in the; accumulator.
SetKeyedProperty <object> <key> <slot>: Calls the KeyedStoreIC at FeedbackVector slot slot for object and; the key key with the value in the accumulator. This could trigger; the setter and the set traps if necessary.
DefineKeyedOwnProperty <object> <key> <flags> <slot>: Calls the DefineKeyedOwnIC at FeedbackVector slot slot for object and; the key key with the value in the accumulator. Whether set_function_name; is stored in DefineKeyedOwnPropertyFlags flags.; This is similar to SetKeyedProperty, but avoids checking the prototype; chain, and in the case of private names, throws if the private name already; exists.
StaInArrayLiteral <array> <index> <slot>: Calls the StoreInArrayLiteralIC at FeedbackVector slot slot for array and; the key index with the value in the accumulator.
DefineKeyedOwnPropertyInLiteral <object> <name> <flags> <slot>: Define a property name with value from the accumulator in object.; Property attributes and whether set_function_name are stored in; DefineKeyedOwnPropertyInLiteralFlags flags.; This definition is not observable and is used only for definitions; in object or class literals.
LdaModuleVariable <cell_index> <depth>: Load the contents of a module variable into the accumulator. The variable is; identified by cell_index. depth is the depth of the current context; relative to the module context.
StaModuleVariable <cell_index> <depth>: Store accumulator to the module variable identified by cell_index.; depth is the depth of the current context relative to the module context.
PushContext <context>: Saves the current context in context, and pushes the accumulator as the; new current context.
PopContext <context>: Pops the current context and sets context as the new context.
Add <src>: Add register src to accumulator.
Sub <src>: Subtract register src from accumulator.
Mul <src>: Multiply accumulator by register src.
Div <src>: Divide register src by accumulator.
Mod <src>: Modulo register src by accumulator.
Exp <src>: Exponentiate register src (base) with accumulator (exponent).
AddSmi <imm>: Adds an immediate value imm to the value in the accumulator.
SubSmi <imm>: Subtracts an immediate value imm from the value in the accumulator.
MulSmi <imm>: Multiplies an immediate value imm to the value in the accumulator.
DivSmi <imm>: Divides the value in the accumulator by immediate value imm.
ModSmi <imm>: Modulo accumulator by immediate value imm.
ExpSmi <imm>: Exponentiate accumulator (base) with immediate value imm (exponent).
BitwiseOr <src>: BitwiseOr register src to accumulator.
BitwiseXor <src>: BitwiseXor register src to accumulator.
BitwiseAnd <src>: BitwiseAnd register src to accumulator.
ShiftLeft <src>: Left shifts register src by the count specified in the accumulator.; Register src is converted to an int32 and the accumulator to uint32; before the operation. 5 lsb bits from the accumulator are used as count; i.e. src << (accumulator & 0x1F).
ShiftRight <src>: Right shifts register src by the count specified in the accumulator.; Result is sign extended. Register src is converted to an int32 and the; accumulator to uint32 before the operation. 5 lsb bits from the accumulator; are used as count i.e. src >> (accumulator & 0x1F).
ShiftRightLogical <src>: Right Shifts register src by the count specified in the accumulator.; Result is zero-filled. The accumulator and register src are converted to; uint32 before the operation 5 lsb bits from the accumulator are used as; count i.e. src << (accumulator & 0x1F).
BitwiseOrSmi <imm>: BitwiseOrSmi accumulator with imm.
BitwiseXorSmi <imm>: BitwiseXorSmi accumulator with imm.
BitwiseAndSmi <imm>: BitwiseAndSmi accumulator with imm.
BitwiseNot <feedback_slot>: Perform bitwise-not on the accumulator.
ShiftLeftSmi <imm>: Left shifts accumulator by the count specified in imm.; The accumulator is converted to an int32 before the operation. The 5; lsb bits from imm are used as count i.e. src < (<imm & 0x1F).
ShiftRightSmi <imm>: Right shifts accumulator by the count specified in imm. Result is sign; extended. The accumulator is converted to an int32 before the operation. The; 5 lsb bits from imm are used as count i.e. src >> (imm & 0x1F).
ShiftRightLogicalSmi <imm>: Right shifts accumulator by the count specified in imm. Result is zero; extended. The accumulator is converted to an int32 before the operation. The; 5 lsb bits from imm are used as count i.e. src >>> (imm & 0x1F).
Negate <feedback_slot>: Perform arithmetic negation on the accumulator.
ToName <dst>: Convert the object referenced by the accumulator to a name.
ToNumber <slot>: Convert the object referenced by the accumulator to a number.
ToNumeric <slot>: Convert the object referenced by the accumulator to a numeric.
ToObject <dst>: Convert the object referenced by the accumulator to a JSReceiver.
ToString: Convert the accumulator to a String.
ToString: Convert the accumulator to a String.
Inc: Increments value in the accumulator by one.
Dec: Decrements value in the accumulator by one.
ToBooleanLogicalNot: Perform logical-not on the accumulator, first casting the; accumulator to a boolean value if required.
LogicalNot: Perform logical-not on the accumulator, which must already be a boolean; value.
TypeOf: Load the accumulator with the string representating type of the; object in the accumulator.
DeletePropertyStrict: Delete the property specified in the accumulator from the object; referenced by the register operand following strict mode semantics.
DeletePropertySloppy: Delete the property specified in the accumulator from the object; referenced by the register operand following sloppy mode semantics.
GetSuperConstructor: Get the super constructor from the object referenced by the accumulator.; The result is stored in register reg.
Call <callable> <receiver> <arg_count> <feedback_slot_id>: Call a JSfunction or Callable in callable with the receiver and; arg_count arguments in subsequent registers. Collect type feedback; into feedback_slot_id
CallProperty
CallProperty0
CallProperty1
CallProperty2
CallUndefinedReceiver
CallUndefinedReceiver0
CallUndefinedReceiver1
CallUndefinedReceiver2CallRuntime <function_id> <first_arg> <arg_count>: Call the runtime function function_id with the first argument in; register first_arg and arg_count arguments in subsequent; registers.
InvokeIntrinsic <function_id> <first_arg> <arg_count>: Implements the semantic equivalent of calling the runtime function; function_id with the first argument in first_arg and arg_count; arguments in subsequent registers.
CallRuntimeForPair <function_id> <first_arg> <arg_count> <first_return>: Call the runtime function function_id which returns a pair, with the; first argument in register first_arg and arg_count arguments in; subsequent registers. Returns the result in first_return and; first_return + 1
CallJSRuntime <context_index> <receiver> <arg_count>: Call the JS runtime function that has the context_index with the receiver; in register receiver and arg_count arguments in subsequent registers.
CallWithSpread <callable> <first_arg> <arg_count>: Call a JSfunction or Callable in callable with the receiver in; first_arg and arg_count - 1 arguments in subsequent registers. The; final argument is always a spread.
ConstructWithSpread <first_arg> <arg_count>: Call the constructor in constructor with the first argument in register; first_arg and arg_count arguments in subsequent registers. The final; argument is always a spread. The new.target is in the accumulator.
Construct <constructor> <first_arg> <arg_count>: Call operator construct with constructor and the first argument in; register first_arg and arg_count arguments in subsequent; registers. The new.target is in the accumulator.
TestEqual <src>: Test if the value in the src register equals the accumulator.
TestEqualStrict <src>: Test if the value in the src register is strictly equal to the accumulator.
TestLessThan <src>: Test if the value in the src register is less than the accumulator.
TestGreaterThan <src>: Test if the value in the src register is greater than the accumulator.
TestLessThanOrEqual <src>: Test if the value in the src register is less than or equal to the; accumulator.
TestGreaterThanOrEqual <src>: Test if the value in the src register is greater than or equal to the; accumulator.
TestReferenceEqual <src>: Test if the value in the src register is equal to the accumulator; by means of simple comparison. For SMIs and simple reference comparisons.
TestIn <src> <feedback_slot>: Test if the object referenced by the register operand is a property of the; object referenced by the accumulator.
TestInstanceOf <src> <feedback_slot>: Test if the object referenced by the src register is an an instance of type; referenced by the accumulator.
TestUndetectable: Test if the value in the accumulator is undetectable (null, undefined or; document.all).
TestNull: Test if the value in accumulator is strictly equal to null.
TestUndefined: Test if the value in the accumulator is strictly equal to undefined.
TestTypeOf <literal_flag>: Tests if the object in the accumulator is typeof the literal represented; by literal_flag.
Jump <imm>: Jump by the number of bytes represented by the immediate operand imm.
JumpConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool.
JumpIfTrue <imm>: Jump by the number of bytes represented by an immediate operand if the; accumulator contains true. This only works for boolean inputs, and; will misbehave if passed arbitrary input values.
JumpIfTrueConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the accumulator contains true. This only works for boolean inputs,; and will misbehave if passed arbitrary input values.
JumpIfFalse <imm>: Jump by the number of bytes represented by an immediate operand if the; accumulator contains false. This only works for boolean inputs, and; will misbehave if passed arbitrary input values.
JumpIfFalseConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the accumulator contains false. This only works for boolean inputs,; and will misbehave if passed arbitrary input values.
JumpIfToBooleanTrue <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is true when the object is cast to boolean.
JumpIfToBooleanTrueConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is true when the object is; cast to boolean.
JumpIfToBooleanFalse <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is false when the object is cast to boolean.
JumpIfToBooleanFalseConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is false when the object is; cast to boolean.
JumpIfNull <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is the null constant.
JumpIfNullConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is the null constant.
JumpIfNotNull <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is not the null constant.
JumpIfNotNullConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is not the null constant.
JumpIfUndefined <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is the undefined constant.
JumpIfUndefinedConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is the undefined constant.
JumpIfNotUndefined <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is not the undefined constant.
JumpIfNotUndefinedConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is not the undefined; constant.
JumpIfUndefinedOrNull <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is the undefined constant or the null constant.
JumpIfUndefinedOrNullConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is the undefined constant or; the null constant.
JumpIfJSReceiver <imm>: Jump by the number of bytes represented by an immediate operand if the object; referenced by the accumulator is a JSReceiver.
JumpIfJSReceiverConstant <idx>: Jump by the number of bytes in the Smi in the idx entry in the constant; pool if the object referenced by the accumulator is a JSReceiver.
JumpLoop <imm> <loop_depth>: Jump by the number of bytes represented by the immediate operand imm. Also; performs a loop nesting check, a stack check, and potentially triggers OSR.
SwitchOnSmiNoFeedback <table_start> <table_length> <case_value_base>: Jump by the number of bytes defined by a Smi in a table in the constant pool,; where the table starts at table_start and has table_length entries.; The table is indexed by the accumulator, minus case_value_base. If the; case_value falls outside of the table table_length, fall-through to the; next bytecode.
CreateRegExpLiteral <pattern_idx> <literal_idx> <flags>: Creates a regular expression literal for literal index literal_idx with; flags and the pattern in pattern_idx.
CreateArrayLiteral <element_idx> <literal_idx> <flags>: Creates an array literal for literal index literal_idx with; CreateArrayLiteral flags flags and constant elements in element_idx.
CreateEmptyArrayLiteral <literal_idx>: Creates an empty JSArray literal for literal index literal_idx.
CreateArrayFromIterable: Spread the given iterable from the accumulator into a new JSArray.; TODO(neis): Turn this into an intrinsic when we're running out of bytecodes.
CreateObjectLiteral <element_idx> <literal_idx> <flags>: Creates an object literal for literal index literal_idx with; CreateObjectLiteralFlags flags and constant elements in element_idx.
CreateEmptyObjectLiteral: Creates an empty JSObject literal.
CloneObject <source_idx> <flags> <feedback_slot>: Allocates a new JSObject with each enumerable own property copied from; {source}, converting getters into data properties.
GetTemplateObject <descriptor_idx> <literal_idx>: Creates the template to pass for tagged templates and returns it in the; accumulator, creating and caching the site object on-demand as per the; specification.
CreateClosure <index> <slot> <flags>: Creates a new closure for SharedFunctionInfo at position index in the; constant pool and with pretenuring controlled by flags.
CreateBlockContext <index>: Creates a new block context with the scope info constant at index.
CreateCatchContext <exception> <scope_info_idx>: Creates a new context for a catch block with the exception in a register; and the ScopeInfo at scope_info_idx.
CreateFunctionContext <scope_info_idx> <slots>: Creates a new context with number of slots for the function closure.
CreateEvalContext <scope_info_idx> <slots>: Creates a new context with number of slots for an eval closure.
CreateWithContext <register> <scope_info_idx>: Creates a new context with the ScopeInfo at scope_info_idx for a; with-statement with the object in register.
CreateMappedArguments: Creates a new mapped arguments object.
CreateUnmappedArguments: Creates a new unmapped arguments object.
CreateRestParameter: Creates a new rest parameter array.
SetPendingMessage: Sets the pending message to the value in the accumulator, and returns the; previous pending message in the accumulator.
Throw: Throws the exception in the accumulator.
ReThrow: Re-throws the exception in the accumulator.
Abort <abort_reason>: Aborts execution (via a call to the runtime function).
Return: Return the value in the accumulator.
ThrowReferenceErrorIfHole <variable_name>: Throws an exception if the value in the accumulator is TheHole.
ThrowSuperNotCalledIfHole: Throws an exception if the value in the accumulator is TheHole.
ThrowSuperAlreadyCalledIfNotHole: Throws SuperAlreadyCalled exception if the value in the accumulator is not; TheHole.
ThrowIfNotSuperConstructor <constructor>: Throws an exception if the value in constructor is not in fact a; constructor.
FindNonDefaultConstructorOrConstruct <this_function> <new_target> <output>: Walks the prototype chain from this_function's super ctor until we see a; non-default ctor. If the walk ends at a default base ctor, creates an; instance and stores it in output[1] and stores true into output[0].; Otherwise, stores the first non-default ctor into output[1] and false into; output[0].
Debugger: Call runtime to handle debugger statement.
IncBlockCounter <slot>: Increment the execution count for the given slot. Used for block code; coverage.
ForInEnumerate <receiver>: Enumerates the enumerable keys of the receiver and either returns the; map of the receiver if it has a usable enum cache or a fixed array; with the keys to enumerate in the accumulator.
ForInPrepare <cache_info_triple>: Returns state for for..in loop execution based on the enumerator in; the accumulator register, which is the result of calling ForInEnumerate; on a JSReceiver object.; The result is output in registers cache_info_triple to; cache_info_triple + 2, with the registers holding cache_type, cache_array,; and cache_length respectively.
ForInNext <receiver> <index> <cache_info_pair>: Returns the next enumerable property in the the accumulator.
ForInContinue <index> <cache_length>: Returns false if the end of the enumerable properties has been reached.
ForInStep <index>: Increments the loop counter in register index and stores the result; in the accumulator.
GetIterator <object>: Retrieves the object[Symbol.iterator] method, calls it and stores; the result in the accumulator. If the result is not JSReceiver,; throw SymbolIteratorInvalid runtime exception.
Wide: Prefix bytecode indicating next bytecode has wide (16-bit) operands.
ExtraWide: Prefix bytecode indicating next bytecode has extra-wide (32-bit) operands.
Illegal: An invalid bytecode aborting execution if dispatched.
SuspendGenerator <generator> <first input register> <register count> <suspend_id>: Stores the parameters and the register file in the generator. Also stores; the current context, suspend_id, and the current bytecode offset; (for debugging purposes) into the generator. Then, returns the value; in the accumulator.
SwitchOnGeneratorState <generator> <table_start> <table_length>: If generator is undefined, falls through. Otherwise, loads the; generator's state (overwriting it with kGeneratorExecuting), sets the context; to the generator's resume context, and performs state dispatch on the; generator's state by looking up the generator state in a jump table in the; constant pool, starting at table_start, and of length table_length.
ResumeGenerator <generator> <first output register> <register count>: Imports the register file stored in the generator and marks the generator; state as executing.

Kuter Dinel's blog