In an attempt to make Edge more secure, the Microsoft Vulnerability Research team has started to experiment with disabling Just-In-Time (JIT) compilation in the browser’s V8 JavaScript engine, to create what it’s calling Super Duper Secure Mode.

The reasoning behind this experiment sounds valid. A little under half of the CVEs issued for V8 are relate to the JIT compiler and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. (Modern versions of Edge are based on the same Chromium code as Google’s Chrome browser, so Chrome exploits also affect Edge.) Microsoft is wondering out loud if the simplest way to deal with such a problematic sub-system is to just disable it and see where it takes them.

Disabling JIT compilation comes at a price though: speed. JIT compilation is a performance feature that speeds up the execution of JavaScript, the most popular programming language used on the web. Because it sits behind so many web applications, the speed that JavaScript runs has a direct effect on how fast and responsive web applications are.

We were curious just how big an effect it would have.

What is JIT compilation?

A good definition of JIT compilation is this one:

“Just-in-time (JIT) compilation … is a way of executing computer code that involves compilation during execution of a program (at run time) rather than before execution.”

The reason to use JIT compilation is simple: speed. JIT compilation combines the speed of compiled code with the flexibility of interpretation. It allows for more optimized code to be generated. And to limit the overhead, many JIT compilers only compile the code paths that are frequently used.

V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. Since Edge is based on Chromium it uses V8 as well.

The speed impact of disabling Edge’s JIT compiler

We ran a few quick tests to see how big the impact of disabling JIT would be. To run these tests we compared the latest official release of Edge (Version 92.0.902.67) with the latest available Microsoft Edge Beta (Version 93.0.961.11) with Super Duper Secure Mode enabled and disabled. We found that the speed differences between the latest official release and the beta were marginal, so we we have left those out of the results.

The tests were done in a VM on a slow connection. As a benchmark we used Sunspider 1.0.2. We wanted to try the more elaborate JetStream2, but for some reason that never made it to the end. (If you get it to work with JetStream2, we’d love to hear from you.)

Sunspider says its benchmarking focusses “on the kinds of actual problems developers solve with JavaScript today”, is “balanced between different areas of the [JavaScript] language”, and runs each test multiple times to determine a 95% confidence interval and whether you have a statistically significant result.