In Chrome's JavaScript console:
> function create(proto) {
function Created() {}
Created.prototype = proto
return new Created
}
undefined
> cc = create()
Created {}
> cc
Created {}
Created
is a function private to the create
function; after create
completes, there are no (known to me) references to Created
. Yet Chrome can show the function's name at any time, starting from the object created by it.
Chrome didn't achieve this by following the "naïve" approach:
> cc.constructor
function Object() { [native code] }
> cc.toString()
"object [Object]"
and anyway, I didn't set constructor
on the proto
argument passed to create
:
> cc.__proto__.hasOwnProperty("constructor")
false
One guess I had is that the JavaScript VM holds on to Created
for the sake of the instanceof
mechanism. It is said that instanceof
tests whether an object has in its prototype chain the prototype property of a constructor.
But in the above code I typed create()
, effectively passing undefined
as prototype; consequently Created
doesn't even have its prototype
set to the actual cc.__proto__
. We can verify this if we hack create
to expose the Created
function:
function create(proto) {
function Created() {}
Created.prototype = proto
GlobalCreated = Created
return new Created
}
now let's type
> cc = create()
Created {}
> GlobalCreated
function Created() {}
> GlobalCreated.prototype
undefined
> cc instanceof GlobalCreated
TypeError: Function has non-object prototype 'undefined' in instanceof check
My questions (all closely related):
What exactly does Chrome's JavaScript engine retain to make that object presentation in the console work? Is it the constructor function, or just the function name?
Is that retention needed for anything more substantial than console printout?
What is the effect of such retention on memory consumption? What if, for example, the constructor function (or even its name) is abnormally huge?
Is it just Chrome? I've retested with Firebug and Safari, their consoles don't present the object that way. But do they still retain the same data, for other possible purposes (e.g. due to a genuine concern inherent to a JavaScript VM)?
Late edit:
I recently revisited this question/answer, and I think I've figured out why chrome seems to "hang on" to the
Created
name. It's not really something that is exclusive to V8, but I think it's the result of how V8 works behind the scenes (the hidden objects I explained in my initial answer), and what V8 is required to do (to conform to the ECMAScript standard).Any function, constructor functions or otherwise, share the same constructor and prototype-chain by default:
This tells us a few things: All functions share the native
Function
constructor, and inherit from a specific function instance (function Empty(){}
) that is used as their prototype. However, a function'sprototype
property is required to be an object, that the function would return if it were called as a constructor (see ECMAScript standard).We can verify this easily by looking at the
Created.prototype.constructor
:Now let's, for a moment, list the hidden classes V8 needs to, and probably will, create in order for it to comply to the standard:
Hidden classes:
Object
, of course: the mother of all objects, of whichFunction
is a specific childFunction
: This native object is, as we've demonstrated, the constructorfunction Empty
: The prototype, from which our function will inheritCreated
our empty function that will inherit from all of the aboveAt this stage, nothing unusual has happened, and it's self-evident that, when we return an instance of this
Created
constructor, theCreated
function will get exposed because of its prototype.Now, because we're reassigning the
prototype
property you could argue that this instance will be discarded, and is lost, but from what I understand, that's not how V8 will handle this situation. Instead, it'll create an additional hidden class, that simply overrides theprototype
property of its parent after this statement is encountered:Created.prototype = proto;
Its internal structure will end up looking something like this (numbered this time, because I'll refer back to certain stages within this inheritance chain further down):
Object
, of course: the mother of all objects, of whichFunction
is a specific childFunction
: This native object is, as we've demonstrated, the constructorfunction Empty
: The prototype, from which our function will inheritCreated
our empty function that will inherit from all of the aboveCreated2
: extends the previous class (Created
), and overridesprototype
So why is
Created
still visible?That's the million dollar question, to which I think I have the answer now: Optimization
V8 simply can't, nor should it be allowed to, optimize out the
Created
hidden class (stage 4). Why? Because what will overrideprototype
is an argument. It's something that can't be predicted. What V8 will probably do to optimize the code is to store a hidden object 4, and whenever thecreate
function is called, it'll create a new hidden class that extends stage 4, overriding theprototype
property with whatever value is passed to the function.Because of this,
Created.prototype
will always exist somewhere inside each instance's internal representation. It's also important to note you could replace theprototype
property with one that actually referenced an instance ofCreated
(with a mucked-up prototype chain, but still):How's that for a mind-bender? Inception script-writers, eat your hearts out...
Anyway, I hope all of this dribble made some sense to someone out here, if not, I do respond to comments, so corrections to mistakes I may have made, or questions regarding some part of this update that is a bit unclear are welcome...
I'll try to answer question by question, but as you say, they're all closely related, so the answers overlap up to a point.
While reading this, bare in mind that I wrote this in one go, whilst feeling a bit feverish. I am not a V8 expert, and based this on recollections of my doing some digging in the V8 internals some time ago. The link at the bottom is to the official docs, and will of course contain more accurate and up-to-date information on the subject.
What is going on
What chrome's V8 engine actually does is create a hidden class for each object, and this class is mapped to the JS representation of the object.
Or as the people at google say so themselves:
What happens in your case, extending, creating a new constructor from a particular instance and overriding the
constructor
property is actually nothing more than what you can see on this graph:Where hidden class C0 could be regarded as the standard
Object
class. Basically, V8 interprets your code, builds a set of C++ like classes, and creates an instance if needed. The JS objects you have are set to point to the different instances whenever you change/add a property.In your
create
function, this is -very likely- what is going on:Function
is a native construct. The way V8 works means that there is a Function class that is referenced by all functions. They reference this class indirectly, though, because each function has its own specifcs, which are specified in a derived hidden class.create
, then, should be seen as a reference tocreate extends HiddenFunction
class.Or, if you wish, in C++ syntax:
class create : public Hidden::Function{/*specifics here*/}
Create
function references a hidden function identical tocreate
. However, after declaring it, the class receives 1 propriety property, calledprototype
, so another hidden class is created, specifying this property. This is the basis of your constructor. Because the function body ofcreate
, where all of this happens, this is a given, and V8 will probably be clever enough to create these classes beforehand, anyway: in C++ pseudo-code, it'll look similar to code listing 1 below.Each function call will assign a reference to a new instance Of the hidden class described above, to the
Created
name, which is local tocreate
's scope. Of course, the returned instance ofcreate
does still retain the reference to this instance, but that's how JS scopes work, and so this applies to all engines... think of closures and you'll get what I mean (I'm really struggling with this nasty fever... sorry to nag about this)Create
points to an instance of this hidden class, which extends a class that extends a class (as I tried to explain in point 2). Using thenew
keyword triggers behaviour defined by theFunction
class, of course (as it's a JS language construct). This results in a hidden class to be created which is probably the same for all instances: it extends the native object, and this has aconstructor
property, which references the instance ofCreated
we've just made. The instances returned bycreate
though are all alike. Sure their constructors may have a differentprototype
property, but the objects they churn out all look the same. I'm fairly confident that V8 will only create 1 hidden class for the objectscreate
returns. I can't see why the instances should require different hidden classes: their property names & count are the same, but each instance references another instance, but that's what classes are forAnyway: code listing for item 2, a pseudo-code representation of what
Created
might look like in hidden-class terms:Ignore any (likely) syntax oddities (it's been over a year since I wrote a line of C++), and ignoring namespaces and wacky names, The listed classes are, apart from the
Hidden::Function
effectively all the hidden classes that will ever need to be created to run your code. All your code then does is assign references to instances of these classes. The classes themselves don't take up much space in memory. And any other engine will create just as many objects, because they, too, need to comply with the ECMAScript specs.So I guess, looking at it like this, this sort of answers all your questions: no not all engines work like this, but this approach won't cause massive amounts of memory to be used, Yes, this does mean a lot of information/data/references to all objects is retained, but that's just an unavoidable, and in some cases happy side-effect of this approach.
Update: I did a bit more digging, and found an example of how you could add JS functions to V8 using templates, it illustrates how V8 translates JS objects/functions to C++ classes, see the example here
This is just me speculating, but I wouldn't at all be surprized to learn that the way V8 works, and this retention business is heavily used in garbage-collection and memory management in general (EG: deleting a property changing hidden classes and the like)
For example:
That last bit is just me guessing, but it could be possible for the GC to do this.
What is this retention used for
As I said, in V8, a JS object is actually a sort-of pointer to a C++ class. Accessing properties (and this includes the magic properties of arrays, too!), is fast. Really, really fast. In theory, accessing a property is an O(1) operation.
That's why, on IE:
Is faster than:
While on chrome,
arr.length
is faster as shown her. I also answered that question, and it, too, contains some details on V8 you may want to check. It could be that my answer there doesn't (completely) apply anymore, because browsers and their engines change fast...What about the memory
Not a big problem. Yes, Chrome can be a bit of resource hog at times, but the JS isn't always to blame. Write clean code, and the memory footprint won't be too different on most browsers.
If you create a huge constructor, then V8 will create a larger hidden class, but if that class specifies a lot of properties already, then chances of their being a need for additional hidden classes is smaller.
And of course, each function is an instance of the
Function
class. This being a native (and very important) type in a functional language will most likely be a highly optimized class anyway.Anyway: as far as memory usage is concerned: V8 does a pretty good job managing memory. Far better than IE's of old, for example. So much so that the V8 engine is used for server-side JS (as in node.js), if memory really was an issue, then you wouldn't dream of running V8 on a server that must be up and running as much as possible, now would you?
Is this just Chrome
Yes, in a way. V8 does have a special take on how it consumes and runs JS. Rather than JIT-compiling your code to bytecode and running that, it compiles the AST straight into machine code. Again, like the hidden-classes trickery, this is to increase performance.
I know I included this graph in my answer on CR, but just for completeness' sake: Here's a graph that shows the differences between chrome (bottom) and other JS engines (top)
Notice that below the bytecode instructions and the CPU, there's an (orange) interpreter layer. That's what V8 doesn't need, owing to the JS being translated into machine code directly.
The downside being that this makes certain optimizations harder to do, especially concerning the ones where DOM data and user input is being used in the code (for example:
someObject[document.getElementById('inputField').value]
) and that the initial processing of the code is harder on the CPU.The upside is: once the code is compiled into machine code, it's the fastest you're going to get, and running the code is likely to cause less overhead. A bytecode interpreter is heavier on the CPU most of the time, that's why busy loops on FF and IE can cause the browser to alert the user of a "running script" asking them if they want to stop it.
more on V8 internals here
Disclaimer: I am not a Google Chrome expert, however I think that these are not browser-specific, and can be explained by basic Javascript rules.
Each Object or Function in Javascript has its inheritance chain, going up, all the way to the basic prototype.
You can not circumvent this by setting the prototype property to undefined, although it may seem like it from the console output.
So it is the whole constructor function that is retained because of inheritance, although not available to be accessed through global scope.
Yes, it is needed for the prototype inheritance system to work.
Yes, this can cause a memory leak if used improperly.
This is why you should always delete and clean unused variables, so these and their prototypes can get collected by the garbage collector.
This should work the same way across all browsers, because prototypal inheritance works the same. I have however not specifically tested for it. Please note that the console outputs int browsers can differ, and this does not mean anything, as each browser can implement its console in its own way.
You return a new instance from create to a object called Created.
If you were to remove the 'new' keyword, then you would expose the Created function to the caller's scope.
I don't know much about Chrome's internals, so this is just a guess, but it seems to me that Chrome is performing some kind of static analysis on the code which created the function, and storing that for debugging purposes.
Take a look at this example:
x.func
? There's no way JavaScript has any built-in way for you to access the name of the variable a function was initially assigned to. Chrome must be doing that for its own reasons.Now look at this example:
In this example, since we created the function in a separate closure before assigning it to a variable, Chrome doesn't know the "name" of the function, so it just says "Object".
These examples lead me to guess the following answers to your questions:
It performs a static analysis of the code, and stores a string containing the function's "name" somewhere.
Probably not.
I'm not sure, but I'm guessing it's very unlikely to be an issue. Since the name of the function is determined using static analysis, the potential size of the function name is limited by the size of variable names in the script which created it (unless perhaps you're using
eval
, in which case I'm not sure).I doubt it, this seems to be something specific to Chrome used to make debugging a bit easier. As far as I can tell, there's no other reason for a feature like this to exist.