Bytecode-only runtime optimization for QuickJS

[yumin-chen]

Aggressively reduce QuickJS runtime bundle size by enabling a bytecode-only mode that strips the parser and compiler when they are not needed. This is achieved by gating compiler entry points with a new JS_BYTECODE_ONLY_RUNTIME macro and providing specialized minimal intrinsics.

---

PR created automatically by Jules for task 17643968534238357240 started by @yumin-chen

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[yumin-chen]

Please add automated tests to ensure the bytecode-only runtime is functional => parser/compiler no longer bundled and no dynamic code execution -- while precompiled bytecode embeded are working as expected

[google-labs-jules]

Please add automated tests to ensure the bytecode-only runtime is functional => parser/compiler no longer bundled and no dynamic code execution -- while precompiled bytecode embeded are working as expected

I have added automated tests for the bytecode-only mode in tests/test_bytecode.js, tests/test_bytecode_neg.js, and a shell script tests/test_bytecode.sh. I also updated the Makefile with a test-bytecode-only target that automates the verification process, including functionality checks and symbol-level verification to ensure the parser/compiler are not bundled in the final binary.

[yumin-chen]

QuickJS currently bundles the full engine — including the parser and compiler — into every binary, even when the binary only needs to execute pre-compiled bytecode. This feature introduces a safe, aggressive mechanism to strip the parser and compiler from runtime-only binaries, producing smaller embedded footprints, while keeping the full dev toolchain (parser + compiler via qjsc) fully functional.

The key insight already present in the codebase is that when all four flags are set simultaneously — -fno-eval, -fno-regexp, -fno-json, -fno-module-loader — every runtime code path that could invoke the parser or compiler is disabled. The CONFIG_BYTECODE_ONLY_RUNTIME compile-time define and the libquickjs-bytecode.a library already exist as a foundation. This feature formalises, completes, and validates that mechanism.

Glossary

• Runtime: The QuickJS execution engine (quickjs.c) responsible for evaluating pre-compiled bytecode.
• Parser: The JavaScript source-to-AST parser embedded in quickjs.c (functions prefixed js_parse_).
• Compiler: The AST-to-bytecode compiler embedded in quickjs.c (functions prefixed js_emit_, __JS_EvalInternal).
• Parser/Compiler: The combined parser and compiler subsystem; referred to together because they are co-located and always stripped or kept as a unit.
• Bytecode-Only Runtime: A build of the QuickJS runtime compiled with CONFIG_BYTECODE_ONLY_RUNTIME, in which the Parser/Compiler is unreachable and can be eliminated by the linker (with LTO) or by dead-code stripping.
• Dev Toolchain: The qjsc compiler binary and the full libquickjs.a / libquickjs.lto.a libraries, which always include the Parser/Compiler.
• qjsc: The QuickJS ahead-of-time compiler that compiles JavaScript source to C bytecode arrays at build time.
• LTO: Link-Time Optimization; enables the linker to eliminate unreachable code across translation units.
• Feature Flag: A -fno-<feature> command-line option passed to qjsc that disables a runtime feature in the generated output.
• Bytecode-Only Trigger: The condition where all four feature flags -fno-eval, -fno-regexp, -fno-json, and -fno-module-loader are simultaneously active, signalling that the Parser/Compiler is not needed at runtime.
• JS_AddIntrinsicEval: The function that installs __JS_EvalInternal into a context; its absence means eval() is disabled.
• JS_AddIntrinsicRegExpCompiler: The function that installs the regexp compiler into a context; its absence means runtime regexp compilation is disabled.
• libquickjs-bytecode.a: The static library variant compiled with CONFIG_BYTECODE_ONLY_RUNTIME, intended for linking into bytecode-only executables.
• libquickjs-bytecode.lto.a: The LTO variant of libquickjs-bytecode.a.
• compile_regexp pointer: A function pointer in JSContext that, when NULL, disables runtime regexp compilation.
• eval_internal pointer: A function pointer in JSContext that, when NULL, disables eval().
• Hidden Dependency: Any code path in the Runtime that calls into the Parser/Compiler without being guarded by a feature flag or the CONFIG_BYTECODE_ONLY_RUNTIME define.

---

Please validate that your implmentation meets below:

Requirements

Requirement 1: Bytecode-Only Trigger Condition

User Story: As an embedder, I want the runtime binary to automatically exclude the Parser/Compiler when I disable all parser-invoking features, so that I get the smallest possible binary without manually managing compile-time flags.

Acceptance Criteria

1. WHEN qjsc is invoked with all four flags -fno-eval -fno-regexp -fno-json -fno-module-loader simultaneously, THE qjsc tool SHALL set the Bytecode-Only Trigger and link the generated executable against libquickjs-bytecode.a (or its LTO variant) instead of libquickjs.a.
2. WHEN the Bytecode-Only Trigger is set, THE qjsc tool SHALL emit a JS_NewCustomContext that does not call JS_AddIntrinsicEval or JS_AddIntrinsicRegExpCompiler.
3. WHEN any one of the four flags is absent, THE qjsc tool SHALL link against the standard libquickjs.a and SHALL include the full intrinsic set.
4. THE runtime_needs_parser function in qjsc.c SHALL return FALSE if and only if all four of FE_EVAL, FE_REGEXP, FE_JSON, and FE_MODULE_LOADER are disabled.

---

Requirement 2: Parser/Compiler Exclusion from Bytecode-Only Runtime

User Story: As an embedder, I want the Parser/Compiler to be physically absent from the bytecode-only runtime binary, so that the binary is measurably smaller and the attack surface is reduced.

Acceptance Criteria

1. WHEN libquickjs-bytecode.a is compiled with CONFIG_BYTECODE_ONLY_RUNTIME, THE Runtime SHALL guard every call site that invokes the Parser/Compiler with #ifndef CONFIG_BYTECODE_ONLY_RUNTIME or an equivalent null-pointer check.
2. WHEN a bytecode-only executable is linked with LTO, THE Linker SHALL be able to eliminate all Parser/Compiler functions (including __JS_EvalInternal, all js_parse_* functions, js_compile_regexp, and JS_ParseJSON2) from the final binary.
3. THE nm or equivalent symbol inspection tool SHALL NOT find the symbols __JS_EvalInternal, js_parse_error, JS_ParseJSON2, js_compile_regexp, or JS_LoadModule (source-loading variant) in a bytecode-only executable linked with LTO.
4. WHEN CONFIG_BYTECODE_ONLY_RUNTIME is defined, THE Runtime SHALL NOT reference any function that is exclusively part of the Parser/Compiler subsystem from any code path reachable during normal bytecode execution.

---

Requirement 3: Runtime Safety — No Silent Fallback to Parser

User Story: As an embedder, I want any attempt to invoke the Parser/Compiler at runtime in a bytecode-only build to produce a clear error, so that misconfiguration is caught immediately rather than silently succeeding or crashing.

Acceptance Criteria

1. WHEN CONFIG_BYTECODE_ONLY_RUNTIME is defined and eval() is called, THE Runtime SHALL throw a TypeError with a descriptive message indicating that source compilation is not supported.
2. WHEN CONFIG_BYTECODE_ONLY_RUNTIME is defined and a RegExp literal requiring runtime compilation is encountered, THE Runtime SHALL throw a TypeError because compile_regexp is NULL.
3. WHEN CONFIG_BYTECODE_ONLY_RUNTIME is defined and JSON.parse() is called, THE Runtime SHALL throw a TypeError with a descriptive message indicating that JSON parsing is not supported.
4. WHEN CONFIG_BYTECODE_ONLY_RUNTIME is defined and a dynamic import() or require() of a source module is attempted, THE Runtime SHALL throw a TypeError because no source module loader is registered.
5. IF CONFIG_BYTECODE_ONLY_RUNTIME is defined and JS_AddIntrinsicEval is called on a context, THEN THE Runtime SHALL NOT install __JS_EvalInternal (the function pointer SHALL remain NULL).

---

Requirement 4: Dev Toolchain Unaffected

User Story: As a developer, I want qjsc and the full libquickjs.a to always include the Parser/Compiler, so that I can compile JavaScript source to bytecode at build time regardless of the target runtime configuration.

Acceptance Criteria

1. THE qjsc binary SHALL always be compiled without CONFIG_BYTECODE_ONLY_RUNTIME and SHALL include the full Parser/Compiler.
2. THE libquickjs.a and libquickjs.lto.a libraries SHALL always be compiled without CONFIG_BYTECODE_ONLY_RUNTIME.
3. WHEN qjsc compiles a JavaScript source file with the Bytecode-Only Trigger active, THE qjsc tool SHALL successfully parse and compile the source using its own embedded Parser/Compiler.
4. THE Makefile SHALL build both libquickjs.a (full) and libquickjs-bytecode.a (bytecode-only) as separate targets, ensuring neither variant is replaced by the other.

---

Requirement 5: Hidden Dependency Audit

User Story: As a contributor, I want a verified audit confirming that no hidden Parser/Compiler dependencies exist in the bytecode execution path, so that I can trust the bytecode-only build is genuinely parser-free.

Acceptance Criteria

1. THE Runtime SHALL be audited to confirm that the JS_CLASS_REGEXP object creation path does not invoke js_compile_regexp when compile_regexp is NULL.
2. THE Runtime SHALL be audited to confirm that Function.prototype.toString() does not invoke the Parser/Compiler in a bytecode-only build.
3. THE Runtime SHALL be audited to confirm that JSON.stringify() does not invoke the Parser/Compiler (it is a serializer, not a parser).
4. THE Runtime SHALL be audited to confirm that import.meta handling does not invoke the source module loader when CONFIG_BYTECODE_ONLY_RUNTIME is defined.
5. IF any hidden dependency is found during the audit, THEN THE Runtime SHALL guard that dependency with #ifndef CONFIG_BYTECODE_ONLY_RUNTIME and provide a safe fallback or error.

---

Requirement 6: Build System Integration

User Story: As a developer, I want the Makefile to correctly build and test the bytecode-only runtime variant, so that the feature is continuously validated in CI.

Acceptance Criteria

1. THE Makefile SHALL define a libquickjs-bytecode.a target that compiles all QJS_LIB_OBJS with -DCONFIG_BYTECODE_ONLY_RUNTIME.
2. THE Makefile SHALL define a libquickjs-bytecode.lto.a target that compiles all QJS_LIB_OBJS with both -DCONFIG_BYTECODE_ONLY_RUNTIME and -flto when CONFIG_LTO is enabled.
3. THE Makefile SHALL define a test-bytecode-runtime target that compiles a test script with BYTECODE_RUNTIME_OPTS, links it against libquickjs-bytecode.a, runs it, and verifies via symbol inspection that Parser/Compiler symbols are absent.
4. WHEN make test-bytecode-runtime is executed, THE Build System SHALL exit with a non-zero status if any of the forbidden symbols (__JS_EvalInternal, js_parse_error, JS_ParseJSON2, js_compile_regexp, JS_LoadModule source variant) are present in the output binary.

---

Requirement 7: Bytecode Serialization Round-Trip (Parser-Free Path)

User Story: As an embedder, I want to verify that bytecode written by qjsc can be read and executed by the bytecode-only runtime without invoking the Parser/Compiler, so that the full dev-to-deploy pipeline is validated end-to-end.

Acceptance Criteria

1. WHEN qjsc serializes a JavaScript module to a bytecode array using JS_WriteObject, THE Serializer SHALL produce a byte sequence that the Runtime can deserialize with JS_ReadObject without invoking the Parser/Compiler.
2. WHEN the bytecode-only Runtime deserializes a bytecode array with JS_ReadObject and executes it with js_std_eval_binary, THE Runtime SHALL produce the same observable output as the full runtime executing the original source.
3. FOR ALL valid JavaScript programs compilable by qjsc, serializing to bytecode then deserializing and executing in the bytecode-only Runtime SHALL produce an equivalent result to direct source execution in the full Runtime (round-trip equivalence property).
4. WHEN JS_ReadObject is called in a bytecode-only Runtime with a malformed or truncated bytecode buffer, THE Runtime SHALL return an exception and SHALL NOT invoke the Parser/Compiler.

[yumin-chen]

how can we test that => 1. we actually removed runtime parser/compiler? 2. The removal does not cause unexpected issues for programs that don't use any dynamic code parsing features like eval and new Function? 3. For programs that do use these features, what would happen? Error messge?

[yumin-chen]

The -fno-* flags already handles the forbidden functions. You don't have to stub out any functionalities.

I've updated the specs:
This feature introduces a bytecode-only runtime build mode for QuickJS. When qjsc is invoked with all four parser-disabling flags simultaneously (-fno-eval -fno-regexp -fno-json -fno-module-loader), the generated executable is linked against a minified runtime library (libquickjs-bytecode.a / libquickjs-bytecode.lto.a) that is compiled with CONFIG_BYTECODE_ONLY_RUNTIME defined. This causes LTO to dead-strip the parser and compiler from the final binary, producing a smaller executable suitable for embedded or deploy-only targets.

The feature's scope is strictly the parser/compiler dead-stripping mechanism: detecting when all four flags are simultaneously set, building the minified library, and ensuring LTO can eliminate the unreachable parser/compiler code. The behavioral consequences of the individual flags — such as TypeError on eval, absent JSON global, etc. — are pre-existing behaviors of those flags and are explicitly out of scope for this feature.

The feature formalises the existing "two-stage" qjsc workflow: qjsc (the Build_Engine) always remains full-featured; only the library embedded into the generated executable (the Runtime_Engine) is minified.

---

Glossary

• Build_Engine: The qjsc binary together with libquickjs.a / libquickjs.lto.a. Always compiled without CONFIG_BYTECODE_ONLY_RUNTIME. Retains the full parser, compiler, and all intrinsics. Used at build time to compile JS source to bytecode.
• Runtime_Engine: libquickjs-bytecode.a / libquickjs-bytecode.lto.a. Compiled with CONFIG_BYTECODE_ONLY_RUNTIME. Linked into the executable that qjsc produces. This is the binary that ships to end users or embedded targets.
• Bytecode_Only_Trigger: The condition where all four flags -fno-eval -fno-regexp -fno-json -fno-module-loader are passed to qjsc simultaneously.
• qjsc: The QuickJS ahead-of-time compiler tool. Always built against the Build_Engine.
• CONFIG_BYTECODE_ONLY_RUNTIME: A C preprocessor macro that, when defined, guards all parser/compiler call sites in quickjs.c so that LTO can dead-strip them.
• LTO: Link-Time Optimisation. Used to dead-strip unreachable code from the final linked binary.

---

Requirements

Requirement 1: Bytecode-Only Trigger Detection

User Story: As a developer embedding QuickJS in a resource-constrained target, I want qjsc to automatically select the minified Runtime_Engine when I disable all parser-dependent features, so that the generated executable is as small as possible without manual build-system changes.

Acceptance Criteria

1. WHEN qjsc is invoked with all four flags -fno-eval, -fno-regexp, -fno-json, and -fno-module-loader simultaneously, THE qjsc Compiler SHALL set an internal runtime_needs_parser() predicate to FALSE.
2. WHEN runtime_needs_parser() returns FALSE, THE qjsc Compiler SHALL link the generated executable against libquickjs-bytecode.lto.a (or libquickjs-bytecode.a when LTO is disabled) instead of libquickjs.lto.a / libquickjs.a.
3. WHEN fewer than all four flags are present, THE qjsc Compiler SHALL link against the standard libquickjs library and SHALL NOT activate the Bytecode_Only_Trigger.
4. THE qjsc Compiler SHALL accept the four flags in any order and SHALL treat them as independent, additive feature-disable switches.

---

Requirement 2: Runtime_Engine Build Targets

User Story: As a build-system maintainer, I want dedicated Makefile targets for the bytecode-only runtime libraries, so that CI and downstream embedders can build and depend on them explicitly.

Acceptance Criteria

1. THE Makefile SHALL provide a libquickjs-bytecode.a target that compiles quickjs.c and its dependencies with CONFIG_BYTECODE_ONLY_RUNTIME defined and without LTO.
2. THE Makefile SHALL provide a libquickjs-bytecode.lto.a target that compiles quickjs.c and its dependencies with both CONFIG_BYTECODE_ONLY_RUNTIME defined and LTO enabled.
3. THE Makefile SHALL ensure that libquickjs.a and libquickjs.lto.a (the Build_Engine libraries) are never compiled with CONFIG_BYTECODE_ONLY_RUNTIME.
4. THE Makefile SHALL ensure that the qjsc binary is never linked against libquickjs-bytecode.a or libquickjs-bytecode.lto.a.
5. WHEN make libquickjs-bytecode.a or make libquickjs-bytecode.lto.a is invoked, THE Makefile SHALL produce the corresponding archive without rebuilding the full Build_Engine.

---

Requirement 3: Parser/Compiler Absence from Runtime_Engine Binary

User Story: As a security-conscious embedder, I want to verify that the parser and compiler are physically absent from the Runtime_Engine binary, so that I can guarantee no source-code execution path exists at runtime.

Acceptance Criteria

1. WHEN quickjs.c is compiled with CONFIG_BYTECODE_ONLY_RUNTIME defined, THE Compiler SHALL guard every call site that invokes the JS parser or bytecode compiler behind #ifndef CONFIG_BYTECODE_ONLY_RUNTIME preprocessor blocks.
2. WHEN the Runtime_Engine is linked with LTO enabled, THE Linker SHALL dead-strip all parser and compiler translation units, leaving no reachable parser or compiler symbols in the final binary.
3. WHEN nm or an equivalent symbol-inspection tool is run against a binary linked with libquickjs-bytecode.lto.a, THE Binary SHALL contain no defined symbols whose names match the pattern of internal parser or compiler functions (e.g. js_parse_*, js_compile_*, __JS_EvalInternal).
4. THE test-bytecode-runtime CI target SHALL execute the symbol-inspection check described in criterion 3 and SHALL fail the build if any forbidden symbols are present.

---

Requirement 4: Build_Engine Integrity

User Story: As a developer using qjsc to compile JS source files, I want the Build_Engine to remain fully functional regardless of whether the bytecode-only feature is active, so that my compilation workflow is unaffected.

Acceptance Criteria

1. THE Build_Engine (qjsc binary and libquickjs.a / libquickjs.lto.a) SHALL always be compiled without CONFIG_BYTECODE_ONLY_RUNTIME.
2. THE Build_Engine SHALL retain the full parser, compiler, all intrinsics, and all JS_AddIntrinsic* functions regardless of which -fno-* flags are passed to qjsc.
3. WHEN qjsc compiles a JS source file with the Bytecode_Only_Trigger active, THE Build_Engine SHALL successfully parse and compile the source file to bytecode using the full parser.
4. IF the Build_Engine is accidentally compiled with CONFIG_BYTECODE_ONLY_RUNTIME defined, THEN THE Build_Engine SHALL emit a compile-time error (#error) to prevent a silently broken qjsc binary.

---

Requirement 5: Hidden Dependency Audit

User Story: As a security auditor, I want all indirect parser call sites to be identified and guarded, so that no parser invocation can leak through edge-case language features in the Runtime_Engine.

Acceptance Criteria

1. THE Runtime_Engine SHALL NOT invoke the parser or compiler through Function.prototype.toString() when called on a bytecode function object; THE Runtime_Engine SHALL return the source string stored in the bytecode debug info if present, or a placeholder string if debug info is stripped.
2. WHEN import.meta is accessed in a Runtime_Engine context for a pre-compiled module, THE Runtime_Engine SHALL return the import.meta object populated at compile time without invoking the parser.
3. THE Runtime_Engine SHALL NOT invoke the parser or compiler through any Reflect or Proxy trap that could trigger dynamic code evaluation.
4. WHEN CONFIG_BYTECODE_ONLY_RUNTIME is defined, THE Compiler SHALL emit a compile-time warning or static assertion if any guarded parser call site is found to be reachable through a non-guarded code path.

---

Requirement 6: Bytecode Round-Trip Equivalence

User Story: As a developer deploying pre-compiled bytecode, I want programs compiled by the Build_Engine and executed on the Runtime_Engine to produce identical results to running the same programs on the full runtime, so that I can trust the minification does not alter program semantics.

Acceptance Criteria

1. WHEN a JS program is compiled by the Build_Engine using JS_WriteObject and then loaded and executed on the Runtime_Engine using JS_ReadObject + JS_EvalFunction, THE Runtime_Engine SHALL produce output identical to executing the same program on the full runtime.
2. FOR ALL valid bytecode objects produced by JS_WriteObject on the Build_Engine, JS_ReadObject on the Runtime_Engine SHALL successfully deserialise the object without error.
3. FOR ALL valid bytecode objects b, serialising b with JS_WriteObject on the Build_Engine and then deserialising the result with JS_ReadObject on the Runtime_Engine SHALL produce a functionally equivalent bytecode object (round-trip property).
4. THE test-bytecode-runtime CI target SHALL include at least one round-trip test that compiles a non-trivial JS program on the Build_Engine and verifies identical output when run on the Runtime_Engine.

---

Requirement 7: CI Integration

User Story: As a CI maintainer, I want a dedicated test target that validates the bytecode-only runtime end-to-end, so that regressions in parser stripping or round-trip correctness are caught automatically.

Acceptance Criteria

1. THE Makefile SHALL provide a test-bytecode-runtime target that builds libquickjs-bytecode.lto.a, compiles a representative JS test program using the Bytecode_Only_Trigger, and executes the resulting binary.
2. WHEN the test-bytecode-runtime target is run, THE CI System SHALL verify that no parser or compiler symbols are present in the generated binary as specified in Requirement 3, criterion 3.
3. WHEN the test-bytecode-runtime target is run, THE CI System SHALL verify the bytecode round-trip equivalence property as specified in Requirement 6, criterion 4.
4. WHEN the test-bytecode-runtime target is run, THE CI System SHALL verify that the compiled binary executes correctly and produces the expected output.
5. THE test-bytecode-runtime target SHALL be runnable independently of the full test target and SHALL complete without requiring the test262 suite.

[yumin-chen]

Please follow this updated specs:
This feature introduces a bytecode-only runtime build mode for QuickJS. When qjsc is invoked with all four parser-disabling flags simultaneously (-fno-eval -fno-regexp -fno-json -fno-module-loader), the generated executable is linked against a minified runtime library (libquickjs-bytecode.a / libquickjs-bytecode.lto.a) that is compiled with CONFIG_BYTECODE_ONLY_RUNTIME defined. This causes LTO to dead-strip the parser and compiler from the final binary, producing a smaller executable suitable for embedded or deploy-only targets.

The feature's scope is strictly the parser/compiler dead-stripping mechanism: detecting when all four flags are simultaneously set, building the minified library, and ensuring LTO can eliminate the unreachable parser/compiler code. The behavioral consequences of the individual flags — such as TypeError on eval, absent JSON global, etc. — are pre-existing behaviors of those flags and are explicitly out of scope for this feature.

The feature formalises the existing "two-stage" qjsc workflow: qjsc (the Build_Engine) always remains full-featured; only the library embedded into the generated executable (the Runtime_Engine) is minified.

---

Glossary

• Build_Engine: The qjsc binary together with libquickjs.a / libquickjs.lto.a. Always compiled without CONFIG_BYTECODE_ONLY_RUNTIME. Retains the full parser, compiler, and all intrinsics. Used at build time to compile JS source to bytecode.
• Runtime_Engine: libquickjs-bytecode.a / libquickjs-bytecode.lto.a. Compiled with CONFIG_BYTECODE_ONLY_RUNTIME. Linked into the executable that qjsc produces. This is the binary that ships to end users or embedded targets.
• Bytecode_Only_Trigger: The condition where all four flags -fno-eval -fno-regexp -fno-json -fno-module-loader are passed to qjsc simultaneously.
• qjsc: The QuickJS ahead-of-time compiler tool. Always built against the Build_Engine.
• CONFIG_BYTECODE_ONLY_RUNTIME: A C preprocessor macro that, when defined, guards all parser/compiler call sites in quickjs.c so that LTO can dead-strip them.
• LTO: Link-Time Optimisation. Used to dead-strip unreachable code from the final linked binary.

---

Requirements

Requirement 1: Bytecode-Only Trigger Detection

User Story: As a developer embedding QuickJS in a resource-constrained target, I want qjsc to automatically select the minified Runtime_Engine when I disable all parser-dependent features, so that the generated executable is as small as possible without manual build-system changes.

Acceptance Criteria

1. WHEN qjsc is invoked with all four flags -fno-eval, -fno-regexp, -fno-json, and -fno-module-loader simultaneously, THE qjsc Compiler SHALL set an internal runtime_needs_parser() predicate to FALSE.
2. WHEN runtime_needs_parser() returns FALSE, THE qjsc Compiler SHALL link the generated executable against libquickjs-bytecode.lto.a (or libquickjs-bytecode.a when LTO is disabled) instead of libquickjs.lto.a / libquickjs.a.
3. WHEN fewer than all four flags are present, THE qjsc Compiler SHALL link against the standard libquickjs library and SHALL NOT activate the Bytecode_Only_Trigger.
4. THE qjsc Compiler SHALL accept the four flags in any order and SHALL treat them as independent, additive feature-disable switches.

---

Requirement 2: Runtime_Engine Build Targets

User Story: As a build-system maintainer, I want dedicated Makefile targets for the bytecode-only runtime libraries, so that CI and downstream embedders can build and depend on them explicitly.

Acceptance Criteria

1. THE Makefile SHALL provide a libquickjs-bytecode.a target that compiles quickjs.c and its dependencies with CONFIG_BYTECODE_ONLY_RUNTIME defined and without LTO.
2. THE Makefile SHALL provide a libquickjs-bytecode.lto.a target that compiles quickjs.c and its dependencies with both CONFIG_BYTECODE_ONLY_RUNTIME defined and LTO enabled.
3. THE Makefile SHALL ensure that libquickjs.a and libquickjs.lto.a (the Build_Engine libraries) are never compiled with CONFIG_BYTECODE_ONLY_RUNTIME.
4. THE Makefile SHALL ensure that the qjsc binary is never linked against libquickjs-bytecode.a or libquickjs-bytecode.lto.a.
5. WHEN make libquickjs-bytecode.a or make libquickjs-bytecode.lto.a is invoked, THE Makefile SHALL produce the corresponding archive without rebuilding the full Build_Engine.

---

Requirement 3: Parser/Compiler Absence from Runtime_Engine Binary

User Story: As a security-conscious embedder, I want to verify that the parser and compiler are physically absent from the Runtime_Engine binary, so that I can guarantee no source-code execution path exists at runtime.

Acceptance Criteria

1. WHEN quickjs.c is compiled with CONFIG_BYTECODE_ONLY_RUNTIME defined, THE Compiler SHALL guard every call site that invokes the JS parser or bytecode compiler behind #ifndef CONFIG_BYTECODE_ONLY_RUNTIME preprocessor blocks.
2. WHEN the Runtime_Engine is linked with LTO enabled, THE Linker SHALL dead-strip all parser and compiler translation units, leaving no reachable parser or compiler symbols in the final binary.
3. WHEN nm or an equivalent symbol-inspection tool is run against a binary linked with libquickjs-bytecode.lto.a, THE Binary SHALL contain no defined symbols whose names match the pattern of internal parser or compiler functions (e.g. js_parse_*, js_compile_*, __JS_EvalInternal).
4. THE test-bytecode-runtime CI target SHALL execute the symbol-inspection check described in criterion 3 and SHALL fail the build if any forbidden symbols are present.

---

Requirement 4: Build_Engine Integrity

User Story: As a developer using qjsc to compile JS source files, I want the Build_Engine to remain fully functional regardless of whether the bytecode-only feature is active, so that my compilation workflow is unaffected.

Acceptance Criteria

1. THE Build_Engine (qjsc binary and libquickjs.a / libquickjs.lto.a) SHALL always be compiled without CONFIG_BYTECODE_ONLY_RUNTIME.
2. THE Build_Engine SHALL retain the full parser, compiler, all intrinsics, and all JS_AddIntrinsic* functions regardless of which -fno-* flags are passed to qjsc.
3. WHEN qjsc compiles a JS source file with the Bytecode_Only_Trigger active, THE Build_Engine SHALL successfully parse and compile the source file to bytecode using the full parser.
4. IF the Build_Engine is accidentally compiled with CONFIG_BYTECODE_ONLY_RUNTIME defined, THEN THE Build_Engine SHALL emit a compile-time error (#error) to prevent a silently broken qjsc binary.

---

Requirement 5: Hidden Dependency Audit

User Story: As a security auditor, I want all indirect parser call sites to be identified and guarded, so that no parser invocation can leak through edge-case language features in the Runtime_Engine.

Acceptance Criteria

1. THE Runtime_Engine SHALL NOT invoke the parser or compiler through Function.prototype.toString() when called on a bytecode function object; THE Runtime_Engine SHALL return the source string stored in the bytecode debug info if present, or a placeholder string if debug info is stripped.
2. WHEN import.meta is accessed in a Runtime_Engine context for a pre-compiled module, THE Runtime_Engine SHALL return the import.meta object populated at compile time without invoking the parser.
3. THE Runtime_Engine SHALL NOT invoke the parser or compiler through any Reflect or Proxy trap that could trigger dynamic code evaluation.
4. WHEN CONFIG_BYTECODE_ONLY_RUNTIME is defined, THE Compiler SHALL emit a compile-time warning or static assertion if any guarded parser call site is found to be reachable through a non-guarded code path.

---

Requirement 6: Bytecode Round-Trip Equivalence

User Story: As a developer deploying pre-compiled bytecode, I want programs compiled by the Build_Engine and executed on the Runtime_Engine to produce identical results to running the same programs on the full runtime, so that I can trust the minification does not alter program semantics.

Acceptance Criteria

1. WHEN a JS program is compiled by the Build_Engine using JS_WriteObject and then loaded and executed on the Runtime_Engine using JS_ReadObject + JS_EvalFunction, THE Runtime_Engine SHALL produce output identical to executing the same program on the full runtime.
2. FOR ALL valid bytecode objects produced by JS_WriteObject on the Build_Engine, JS_ReadObject on the Runtime_Engine SHALL successfully deserialise the object without error.
3. FOR ALL valid bytecode objects b, serialising b with JS_WriteObject on the Build_Engine and then deserialising the result with JS_ReadObject on the Runtime_Engine SHALL produce a functionally equivalent bytecode object (round-trip property).
4. THE test-bytecode-runtime CI target SHALL include at least one round-trip test that compiles a non-trivial JS program on the Build_Engine and verifies identical output when run on the Runtime_Engine.

---

Requirement 7: CI Integration

User Story: As a CI maintainer, I want a dedicated test target that validates the bytecode-only runtime end-to-end, so that regressions in parser stripping or round-trip correctness are caught automatically.

Acceptance Criteria

1. THE Makefile SHALL provide a test-bytecode-runtime target that builds libquickjs-bytecode.lto.a, compiles a representative JS test program using the Bytecode_Only_Trigger, and executes the resulting binary.
2. WHEN the test-bytecode-runtime target is run, THE CI System SHALL verify that no parser or compiler symbols are present in the generated binary as specified in Requirement 3, criterion 3.
3. WHEN the test-bytecode-runtime target is run, THE CI System SHALL verify the bytecode round-trip equivalence property as specified in Requirement 6, criterion 4.
4. WHEN the test-bytecode-runtime target is run, THE CI System SHALL verify that the compiled binary executes correctly and produces the expected output.
5. THE test-bytecode-runtime target SHALL be runnable independently of the full test target and SHALL complete without requiring the test262 suite.

Design Document: Bytecode-Only Runtime

Overview

The bytecode-only runtime feature introduces a minified QuickJS library (libquickjs-bytecode.a / libquickjs-bytecode.lto.a) that has the JS parser and compiler dead-stripped by LTO. When qjsc is invoked with all four parser-dependent flags disabled simultaneously (-fno-eval -fno-regexp -fno-json -fno-module-loader), it automatically links the generated executable against this minified library instead of the standard one.

The key insight is that the four -fno-* flags already handle everything at the context level: the generated JS_NewCustomContext omits JS_AddIntrinsicEval (leaving ctx->eval_internal = NULL), omits JS_AddIntrinsicRegExpCompiler (leaving ctx->compile_regexp = NULL), omits JS_AddIntrinsicJSON, and the generated main() omits JS_SetModuleLoaderFunc2. None of those intrinsic functions need to be touched.

The only additional work is making the compiler call tree unreachable from the linker's perspective. Even though ctx->eval_internal is NULL at runtime, __JS_EvalInternal and everything it calls still exist as compiled code in the .o file. LTO can only dead-strip them if they are provably unreachable. Wrapping __JS_EvalInternal (and js_parse_program, js_create_function) in #ifndef CONFIG_BYTECODE_ONLY_RUNTIME makes the entire compiler call tree unreachable, allowing LTO to eliminate it.

---

Architecture

The feature formalises a two-engine model:

┌─────────────────────────────────────────────────────────────────┐
│  Build_Engine (build time)                                      │
│  qjsc + libquickjs.a / libquickjs.lto.a                        │
│  Always full — parser, compiler, all intrinsics                 │
│  Never compiled with CONFIG_BYTECODE_ONLY_RUNTIME               │
└────────────────────────┬────────────────────────────────────────┘
                         │ compiles JS → bytecode (.c file)
                         ▼
┌─────────────────────────────────────────────────────────────────┐
│  Generated executable (runtime)                                 │
│  Linked against Runtime_Engine library                          │
│                                                                 │
│  runtime_needs_parser() == TRUE  → libquickjs[-lto].a           │
│  runtime_needs_parser() == FALSE → libquickjs-bytecode[-lto].a  │
└─────────────────────────────────────────────────────────────────┘

The Runtime_Engine (libquickjs-bytecode.lto.a) is compiled with -DCONFIG_BYTECODE_ONLY_RUNTIME. This single macro causes __JS_EvalInternal and its call tree to be excluded from compilation, making them unreachable for LTO dead-stripping.

---

Parser/Compiler Runtime Dependency Analysis

This section documents the complete dependency graph of the parser/compiler and proves that the four trigger flags are necessary and sufficient to make __JS_EvalInternal the sole remaining entry point.

All runtime paths to the parser/compiler

There are exactly four runtime paths that can invoke the parser or compiler:

1. eval() / new Function() / GeneratorFunction() / AsyncFunction()
       js_function_constructor()        [registered in JS_AddIntrinsicBaseObjects — always present]
           └── JS_EvalObject()          [static, always compiled in]
                   └── JS_EvalInternal()  [static, always compiled in]
                           └── ctx->eval_internal  ← THE GATE (NULL if -fno-eval)
                                   └── __JS_EvalInternal() ──► js_parse_program()
                                                              └── js_create_function()

2. RegExp literal / new RegExp(pattern)
       js_regexp_constructor() / parser regexp literal path
           └── ctx->compile_regexp  ← THE GATE (NULL if -fno-regexp)
                   └── js_compile_regexp()

3. JSON.parse() / JSON.stringify()
       JSON global object
           └── not registered (JS_AddIntrinsicJSON not called if -fno-json)

4. dynamic import() / JS_LoadModule()
       js_dynamic_import_job()
           └── rt->module_loader_func  ← THE GATE (NULL if -fno-module-loader)
                   └── user-provided loader (which calls JS_Eval internally)

Why -fno-promise is NOT needed

AsyncFunction and AsyncGeneratorFunction are registered inside JS_AddIntrinsicPromise and use js_function_constructor as their C implementation. This looks like a concern — but it isn't, because of how LTO reachability works:

js_function_constructor()     ← always compiled in (registered in BaseObjects)
    └── JS_EvalObject()       ← static, always compiled in
            └── JS_EvalInternal()  ← static, always compiled in
                    └── ctx->eval_internal(...)  ← FUNCTION POINTER
                                                   LTO STOPS HERE

LTO cannot follow through a function pointer. It cannot prove ctx->eval_internal is ever set to __JS_EvalInternal. Therefore __JS_EvalInternal is not reachable from js_function_constructor as far as the linker is concerned. The function pointer is the complete barrier.

The behavioral safety (TypeError when called) is already guaranteed by the null check in JS_EvalInternal:

if (unlikely(!ctx->eval_internal)) {
    return JS_ThrowTypeError(ctx, "eval is not supported");
}

Why the four flags are sufficient

Each flag kills one gate:

Flag	Gate killed	Effect
-fno-eval	ctx->eval_internal stays NULL	All paths through JS_EvalInternal throw TypeError
-fno-regexp	ctx->compile_regexp stays NULL	All RegExp compilation throws TypeError
-fno-json	JS_AddIntrinsicJSON not called	JSON global absent from context
-fno-module-loader	rt->module_loader_func stays NULL	Dynamic import throws ReferenceError

Together they close every runtime path to the parser/compiler. No additional flags (-fno-promise, -fno-generator, etc.) are needed.

Why CONFIG_BYTECODE_ONLY_RUNTIME is still needed

The four flags handle behavioral safety — the parser is never called. But __JS_EvalInternal and its entire call tree (js_parse_program, js_create_function, and all parser functions) still exist as compiled machine code in the .o file. LTO cannot dead-strip them because:

1. ctx->eval_internal is a function pointer — LTO cannot prove it is always NULL
2. JS_AddIntrinsicEval takes the address of __JS_EvalInternal and stores it — this is a direct reference that keeps __JS_EvalInternal alive in the linker's symbol table

The #ifndef CONFIG_BYTECODE_ONLY_RUNTIME guard around __JS_EvalInternal removes it from the translation unit entirely before the compiler sees it. With no definition, there is no symbol, and LTO has nothing to keep. The entire downstream call tree becomes unreachable and is eliminated.

---

Components and Interfaces

Trigger Predicate (qjsc.c)

The trigger is a predicate over feature_bitmap. The four relevant feature indices are:

Index	Flag	feature_list entry
1	-fno-eval	"eval"
3	-fno-regexp	"regexp"
4	-fno-json	"json"
9	-fno-module-loader	"module-loader"

#define FE_MASK(i) ((uint64_t)1 << (i))
#define BYTECODE_ONLY_TRIGGER_MASK \
    (FE_MASK(1) | FE_MASK(3) | FE_MASK(4) | FE_MASK(FE_MODULE_LOADER))

static BOOL runtime_needs_parser(void) {
    return (feature_bitmap & BYTECODE_ONLY_TRIGGER_MASK) != 0;
}

output_executable() uses this to select the library suffix:

lib_suffix = runtime_needs_parser() ? "" : "-bytecode";
// produces: libquickjs[-bytecode][.lto].a

qjsc.c also carries a compile-time guard to prevent accidental misconfiguration:

#ifdef CONFIG_BYTECODE_ONLY_RUNTIME
#error "qjsc must be built with the full QuickJS engine"
#endif

The One Source Change (quickjs.c)

The only change to quickjs.c is wrapping the compiler entry point and its direct callees:

#ifndef CONFIG_BYTECODE_ONLY_RUNTIME

static JSValue __JS_EvalInternal(JSContext *ctx, JSValueConst this_obj,
                                 const char *input, size_t input_len,
                                 const char *filename, int flags, int scope_idx)
{
    /* ... full parser/compiler body ... */
}

static int js_parse_program(JSParseState *s, ...) { ... }
static JSFunctionDef *js_create_function(JSContext *ctx, ...) { ... }

#endif /* CONFIG_BYTECODE_ONLY_RUNTIME */

Because __JS_EvalInternal is the sole entry point into the parser/compiler (it is only ever called via ctx->eval_internal, which is NULL when JS_AddIntrinsicEval is not called), guarding it makes the entire downstream call tree unreachable. LTO then eliminates all parser and compiler functions from the final binary.

JS_AddIntrinsicEval, JS_AddIntrinsicRegExpCompiler, and JS_AddIntrinsicJSON do not need guards — they are small stubs that set function pointers, and the generated JS_NewCustomContext simply never calls them when the corresponding -fno-* flags are active.

Makefile Targets

New .bytecode.o compile rules compile each source file with -DCONFIG_BYTECODE_ONLY_RUNTIME:

OBJDIR_RT=.obj-rt

$(OBJDIR_RT)/%.bytecode.o: %.c | $(OBJDIR_RT)
	$(CC) $(CFLAGS_NOLTO) -DCONFIG_BYTECODE_ONLY_RUNTIME -c -o $@ $<

$(OBJDIR_RT)/%.bytecode.lto.o: %.c | $(OBJDIR_RT)
	$(CC) $(CFLAGS_OPT) -DCONFIG_BYTECODE_ONLY_RUNTIME -c -o $@ $<

QJS_BYTECODE_OBJS=$(OBJDIR_RT)/quickjs.bytecode.o \
                  $(OBJDIR_RT)/dtoa.bytecode.o \
                  $(OBJDIR_RT)/libregexp.bytecode.o \
                  $(OBJDIR_RT)/libunicode.bytecode.o \
                  $(OBJDIR_RT)/cutils.bytecode.o \
                  $(OBJDIR_RT)/quickjs-libc.bytecode.o

QJS_BYTECODE_LTO_OBJS=$(OBJDIR_RT)/quickjs.bytecode.lto.o \
                      $(OBJDIR_RT)/dtoa.bytecode.lto.o \
                      $(OBJDIR_RT)/libregexp.bytecode.lto.o \
                      $(OBJDIR_RT)/libunicode.bytecode.lto.o \
                      $(OBJDIR_RT)/cutils.bytecode.lto.o \
                      $(OBJDIR_RT)/quickjs-libc.bytecode.lto.o

libquickjs-bytecode.a: $(QJS_BYTECODE_OBJS)
	$(AR) rcs $@ $^

libquickjs-bytecode.lto.a: $(QJS_BYTECODE_LTO_OBJS)
	$(AR) rcs $@ $^

The test-bytecode-runtime CI target:

test-bytecode-runtime: libquickjs-bytecode.lto.a qjsc$(EXE)
	$(QJSC) -fno-eval -fno-regexp -fno-json -fno-module-loader \
	        -o /tmp/test-bytecode-rt examples/hello.js
	@nm /tmp/test-bytecode-rt | grep -E ' T (__JS_EvalInternal|js_parse_|js_compile_)' \
	    && (echo "FAIL: parser symbols found in bytecode-only binary" && exit 1) \
	    || echo "PASS: no parser symbols"
	@/tmp/test-bytecode-rt

---

Data Models

feature_bitmap

A uint64_t bitmask in qjsc.c. Bit i is set when feature_list[i] is enabled. Starts as FE_ALL (-1, all bits set). Each -fno-X flag clears the corresponding bit.

BYTECODE_ONLY_TRIGGER_MASK is the OR of bits 1, 3, 4, and 9. runtime_needs_parser() returns FALSE iff all four bits are clear — i.e., (feature_bitmap & BYTECODE_ONLY_TRIGGER_MASK) == 0.

Library Selection in output_executable()

const char *lib_suffix;
lib_suffix = runtime_needs_parser() ? "" : "-bytecode";
// lto_suffix is "" or ".lto" depending on use_lto
snprintf(libjsname, sizeof(libjsname), "%s/libquickjs%s%s.a",
         lib_dir, lib_suffix, lto_suffix);

This produces one of four library names:

• libquickjs.a
• libquickjs.lto.a
• libquickjs-bytecode.a
• libquickjs-bytecode.lto.a

---

Correctness Properties

A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.

Property 1: Trigger predicate exactness

For any combination of the 16 possible on/off states of the four flags (-fno-eval, -fno-regexp, -fno-json, -fno-module-loader), runtime_needs_parser() SHALL return FALSE if and only if all four flags are simultaneously disabled; it SHALL return TRUE for all other 15 combinations.

Validates: Requirements 1.1, 1.3

Property 2: Library selection follows trigger

For any feature_bitmap value, the library name suffix chosen by output_executable() SHALL be "-bytecode" when runtime_needs_parser() is FALSE, and "" when runtime_needs_parser() is TRUE.

Validates: Requirements 1.2

Property 3: Flag order independence

For any subset of the four trigger flags, applying them in any permutation to feature_bitmap SHALL produce the same final feature_bitmap value and therefore the same runtime_needs_parser() result.

Validates: Requirements 1.4

Property 4: Parser symbols absent from Runtime_Engine binary

For any executable linked against libquickjs-bytecode.lto.a, nm SHALL report no defined text symbols (T) matching __JS_EvalInternal, js_parse_*, or js_compile_*.

Validates: Requirements 3.2, 3.3

Property 5: Build_Engine retains full compiler

For any build of qjsc (regardless of which -fno-* flags are used at compile time of JS sources), nm on the qjsc binary SHALL show __JS_EvalInternal and JS_AddIntrinsicEval as defined symbols.

Validates: Requirements 4.1, 4.2

Property 6: Bytecode round-trip equivalence

For any valid JS program P, compiling P with the Build_Engine to bytecode B, then loading and executing B on the Runtime_Engine SHALL produce output identical to executing P on the full runtime.

Validates: Requirements 6.1, 6.3

---

Testing Strategy

Unit Tests

Focused on specific examples and edge cases:

• Symbol absence: run nm on a binary linked with libquickjs-bytecode.lto.a; assert no __JS_EvalInternal, js_parse_*, js_compile_* symbols are defined.
• Build_Engine symbol presence: run nm on qjsc; assert __JS_EvalInternal and JS_AddIntrinsicEval are present.
• Round-trip output: compile examples/hello.js with all four trigger flags; run the resulting binary; assert output matches expected string.
• Function.prototype.toString safety: in a Runtime_Engine context, call .toString() on a bytecode function; assert it returns a placeholder or stored source string without crashing.
• import.meta safety: compile a module that accesses import.meta.url; run on Runtime_Engine; assert it returns the expected value without invoking the parser.
• Compile-time guard: attempt to compile qjsc.c with -DCONFIG_BYTECODE_ONLY_RUNTIME; assert the build fails with the #error message.

Property-Based Tests

Each property test uses a property-based testing library (e.g., theft for C, or a shell-level harness with randomised inputs). Minimum 100 iterations per property.

Property 1 — Trigger predicate exactness

// Feature: bytecode-only-runtime, Property 1: trigger predicate exactness
// For all 16 combinations of the four trigger bits, verify runtime_needs_parser()
for each subset S of {eval=1, regexp=3, json=4, module-loader=9}:
    set feature_bitmap = FE_ALL with bits in S cleared
    expected = (S == all_four) ? FALSE : TRUE
    assert runtime_needs_parser() == expected

Property 2 — Library selection follows trigger

// Feature: bytecode-only-runtime, Property 2: library selection follows trigger
// For all feature_bitmap values, lib_suffix == "-bytecode" iff !runtime_needs_parser()
for each of 16 flag combinations:
    assert (lib_suffix == "-bytecode") == (!runtime_needs_parser())

Property 3 — Flag order independence

// Feature: bytecode-only-runtime, Property 3: flag order independence
// For any permutation of flag application order, feature_bitmap is the same
for each permutation of the four flags:
    apply flags in that order to a fresh FE_ALL bitmap
    assert result == (FE_ALL & ~BYTECODE_ONLY_TRIGGER_MASK)

Property 4 — Parser symbols absent from Runtime_Engine binary

// Feature: bytecode-only-runtime, Property 4: parser symbols absent
// Compile a representative JS program with all four trigger flags
// Run nm and assert no forbidden symbols appear
compile hello.js with -fno-eval -fno-regexp -fno-json -fno-module-loader
nm output | grep -E 'T (__JS_EvalInternal|js_parse_|js_compile_)' → must be empty

Property 5 — Build_Engine retains full compiler

// Feature: bytecode-only-runtime, Property 5: Build_Engine symbol presence
nm qjsc | grep '__JS_EvalInternal' → must be non-empty
nm qjsc | grep 'JS_AddIntrinsicEval' → must be non-empty

Property 6 — Bytecode round-trip equivalence

// Feature: bytecode-only-runtime, Property 6: bytecode round-trip equivalence
// For any valid JS program, Build_Engine output == Runtime_Engine output
for each test program P in {hello.js, pi_bigint.js, test_fib.js, ...}:
    full_output = run P on qjs (full runtime)
    bytecode_output = compile P with trigger flags, run resulting binary
    assert full_output == bytecode_output

Both unit tests and property tests are required. Unit tests catch concrete bugs and edge cases; property tests verify universal correctness across all inputs. The test-bytecode-runtime Makefile target runs both.