Bytecode Decompiler — V8

First, the raw bytecode bytes (%00 %23 %A1 ...) are mapped back to mnemonics. V8 provides the --print-bytecode flag for this (in d8, or in Node.js run with --print-bytecode). Example output:

[generated bytecode for function: add (0x2a0a2815f39 <SharedFunctionInfo add>)]
Parameter count 3
Register count 2
   0x2a0a2815f7e @    0 : 0c 02             Ldar a1
   0x2a0a2815f80 @    2 : 2a 02 00          Add a2, [0]
   0x2a0a2815f83 @    5 : 11 00             Return

V8 bytecode is stack-based (conceptually, though it uses registers internally) and operates on an accumulator model. Understanding its characteristics highlights the challenges of decompilation.

To understand a decompiler, you must first understand what it consumes. Since 2016, when the “Ignition” pipeline shipped, V8 no longer generates machine code directly from JavaScript (as the old Full-codegen compiler did). Instead, it follows a two-tiered architecture: Ignition and TurboFan.

Ignition is a register-based bytecode interpreter. Unlike stack-based bytecodes (such as the JVM’s or Python’s), register-based bytecode is denser and more efficient. For example, the JavaScript statement a = b + c might translate to V8 bytecode like:

Ldar a1          ; Load the accumulator from register a1 (b)
Add a2, [0]      ; Add register a2 (c) to the accumulator; [0] is a feedback-vector slot
Star a0          ; Store the accumulator to register a0 (a); V8's mnemonic is Star, not Sta

Key characteristics of V8 bytecode:

This bytecode is stored in a BytecodeArray object, but it’s not meant for human eyes. It’s serialized, optimized for execution speed, and stripped of original variable names, comments, and control flow structure.
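The two steps described above, mapping a --print-bytecode listing to structured instructions and then following the accumulator model to recover source-like statements, as an added example in Python. This is not code from the article or from V8; the function names parse_listing and lift, the small opcode table, and the second (constructed) listing are this example's own assumptions. Opcode bytes differ between V8 versions, so the lifter keys on mnemonics rather than on the raw bytes, and it keeps register names verbatim because the original variable names are not in the bytecode.

```python
"""Added example (not from the article or from V8): a tiny lifter that parses
the textual --print-bytecode listing and re-expresses the accumulator-based
instruction stream as JavaScript-like statements."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input taken from the listing quoted in the article.
SAMPLE_LISTING = """\
[generated bytecode for function: add (0x2a0a2815f39 <SharedFunctionInfo add>)]
Parameter count 3
Register count 2
   0x2a0a2815f7e @    0 : 0c 02             Ldar a1
   0x2a0a2815f80 @    2 : 2a 02 00          Add a2, [0]
   0x2a0a2815f83 @    5 : 11 00             Return
"""

# Constructed listing (not real V8 output): the opcode bytes are 00 placeholders,
# which is fine because the lifter only reads mnemonics and operands.
CONSTRUCTED_LISTING = """\
[generated bytecode for function: scale (0x0 <SharedFunctionInfo scale>)]
Parameter count 3
Register count 1
   0x0 @    0 : 00 00             Ldar a0
   0x0 @    2 : 00 00 00          Mul a1, [0]
   0x0 @    5 : 00 00             Star r0
   0x0 @    7 : 00 00             Ldar r0
   0x0 @    9 : 00 00 00          Add a1, [1]
   0x0 @   12 : 00 00             Return
"""


@dataclass
class Instruction:
    offset: int            # byte offset inside the BytecodeArray
    raw: bytes             # encoded opcode + operand bytes
    mnemonic: str          # e.g. "Ldar"
    operands: list[str] = field(default_factory=list)


HEADER_RE = re.compile(r"^\[generated bytecode for function: (\w+)")
# "<addr> @ <offset> : <hex bytes>   <Mnemonic> <operands>"
INSTR_RE = re.compile(
    r"^\s*0x[0-9a-fA-F]+ @\s*(\d+) : ((?:[0-9a-f]{2} )+)\s*([A-Z]\w*)\s*(.*)$"
)


def parse_listing(text: str) -> tuple[str, list[Instruction]]:
    """Turn a --print-bytecode listing into (function name, instructions)."""
    name = "<anonymous>"
    instrs: list[Instruction] = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            name = header.group(1)
            continue
        m = INSTR_RE.match(line)
        if not m:
            continue                     # "Parameter count", "Register count", blank lines
        offset, hexbytes, mnemonic, ops = m.groups()
        operands = [o.strip() for o in ops.split(",") if o.strip()]
        raw = bytes.fromhex(hexbytes.replace(" ", ""))
        instrs.append(Instruction(int(offset), raw, mnemonic, operands))
    return name, instrs


# Binary bytecodes of the form "<Op> reg, [feedback slot]": acc = acc <op> reg
BINARY_OPS = {"Add": "+", "Sub": "-", "Mul": "*", "Div": "/", "Mod": "%"}


def lift(text: str) -> tuple[str, list[str]]:
    """Symbolically execute the accumulator model and emit statements.

    Register names (a0, a1, r0, ...) are kept as-is: the bytecode carries no
    original variable names, so a real decompiler can only invent placeholders.
    """
    name, instrs = parse_listing(text)
    acc = None                           # expression currently held in the accumulator
    stmts: list[str] = []
    for ins in instrs:
        op = ins.mnemonic
        if op == "Ldar":                 # load accumulator from register
            acc = ins.operands[0]
        elif op == "LdaSmi":             # load small-integer immediate, printed as [n]
            acc = ins.operands[0].strip("[]")
        elif op in ("Star", "Sta"):      # store accumulator to register ("Sta" as the article writes it)
            stmts.append(f"{ins.operands[0]} = {acc};")
        elif op in BINARY_OPS:           # the [n] operand is a type-feedback slot, irrelevant here
            acc = f"({acc} {BINARY_OPS[op]} {ins.operands[0]})"
        elif op == "Return":
            stmts.append(f"return {acc};")
        else:
            raise NotImplementedError(f"{op} at offset {ins.offset} is not supported")
    return name, stmts


if __name__ == "__main__":
    for listing in (SAMPLE_LISTING, CONSTRUCTED_LISTING):
        fn, body = lift(listing)
        print(f"function {fn}(...) {{")
        for stmt in body:
            print("  " + stmt)
        print("}")
```

For the article's listing the lifter yields return (a1 + a2);, which is the whole body of add once the feedback-slot operand is dropped. Anything outside the handful of supported mnemonics raises NotImplementedError rather than silently producing wrong output, which is the behaviour you want from a lifter that will be extended one bytecode at a time.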

To understand bytecode decompilation, one must understand how V8 processes JavaScript. Modern V8 uses a pipeline often referred to as Ignition + TurboFan.

Decompilation targets the Ignition bytecode stage. Once code has been compiled by TurboFan into machine code, reverse engineering becomes standard binary analysis rather than bytecode analysis.


Date: October 26, 2023
Subject: Technical Overview of V8 Ignition Bytecode and Decompilation Feasibility