Playing with QuickJS

A few days ago Fabrice Bellard released QuickJS, a small JS engine that targets embedded systems.

Curious to give it a try, I downloaded and set it up on my system to try and understand this incredible piece of software.

Installation

Setting up QuickJS is dead simple:

…and that’s it: the installation will leave you with a few interesting binaries, the most interesting one being qjsc, the compiler you can use to create executables out of your JS code.

Trying it out

Let’s try to write a simple script that calculates powersets for a given list:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
function powerSet(str) {
    var obj = {}

    for(var i = 0; i < str.length; i++){
       obj[str[i]] = true;
    }

    var array = Object.keys(obj);
    var result = [[]];

    for(var i = 0; i < array.length; i++){
       var len = result.length;

       for(var x = 0; x < len; x++){
         let set = result[x].concat(array[i])
         console.log(set)
         result.push(set)
       }
    }

    return result;
}

powerSet([1,2,3,4])

then we can compile it down to a binary:

1
./qjsc -o powerset powerset.js

and execute it:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ ./powerset
1
2
1,2
3
1,3
2,3
1,2,3
4
1,4
2,4
1,2,4
3,4
1,3,4
2,3,4
1,2,3,4

That’s it — quite of a breeze!

Where’s the catch?

Well, QuickJS’ standard library is fairly limited at the moment, meaning you won’t be able to use most NPM modules or the NodeJS standard library since it’s not really implemented: QuickJS simply implements the ES2019 specification, which doesn’t include any kind of standard item you might be used to, like require or process.

The full documentation for QuickJS is available here, and you will notice that the only standard objects you can work with are std and os — very limited when compared to other, fully-bloated engines but useful nevertheless (again, you have to think of QuickJS as an engine to be embedded, and not something you can use to write your next web app).

Still, quite an impressive piece of work!


Hi there! I recently wrote an ebook on web application security, currently sold on leanpub, the Amazon Kindle store and gumroad.

It contains 160+ pages of content dedicated to securing web applications and improving your security awareness when building web apps, with chapters ranging from explaining how to secure HTTP cookies with the right flags to understanding why it is important to consider joining a bug bounty program.

Feel free to skim through some of the free chapters published on this blog and, if the content seems interesting enough to you, grab a copy on leanpub, the Amazon Kindle store, gumroad or simply checkout right down below!

Buy the Web Application Security ebook for $9.99

In the mood for some more reading?

...or check the archives.