V8 JIT pipeline, HTTP priorities, and bundle security

Two apps have the same 100 KB homepage bundle. One has LCP 1.4 s; the other 2.3 s. The bundle sizes are identical. The difference is in how the bundle is delivered — resource priorities, Early Hints, and whether critical functions reach V8’s optimised tiers before the page is interactive.

V8’s tiered compilation pipeline

V8 compiles JavaScript through four progressive tiers, trading compile cost for execution speed.

Ignition — the bytecode interpreter. Every function starts here. Compile cost is minimal; execution is ~5-10x slower than optimised native code. Code that runs only once (module-level initialisation) typically stays in Ignition.

Sparkplug (Chrome 91, 2021) — a non-optimising baseline JIT. Compiles bytecode to machine code with no inlining or type speculation. Compile cost is similar to Ignition; execution is ~5x faster. Functions automatically promote to Sparkplug after running roughly 100 times.

Maglev (Chrome 117, 2023) — a mid-tier optimising JIT with some inlining and type speculation. Promotes after more iterations.

TurboFan — the top-tier optimising compiler. Full inlining, escape analysis, type speculation, loop unrolling. Compile cost is high (10-100 ms per hot function) but execution approaches native speed. Functions reach TurboFan only after proven hot.

Implications for bundle budgets: total parse cost is proportional to bundle bytes — every byte must be parsed once regardless of tier. Initial compile cost is proportional to code that actually runs at startup. Code that never runs is parsed but never compiled (V8’s lazy compilation). Bundle size matters most for parse and initial compile; execution speed of hot functions depends more on code shape (type stability, allocation patterns) than on bundle size.

Deoptimisation traps: V8 speculatively optimises functions based on observed types. If a function that was compiled assuming argument is always number receives a string, V8 deoptimises it — throws away the TurboFan-compiled version and falls back to Sparkplug or Ignition. A deopt loop is a function that optimises, deoptimises, and re-optimises repeatedly — it can burn CPU even with a small bundle. Diagnose with Chrome DevTools Performance tab; look for “Deoptimize” events.

HTTP/3 Extensible Priorities (RFC 9218)

HTTP/1.1 and HTTP/2 have no reliable client-to-server priority signalling. HTTP/3 (over QUIC) implements RFC 9218: browsers send a Priority header with each request. Servers and CDNs that implement it serve critical resources first even if they were requested last.

Priority: u=1          # High urgency (0=highest, 7=lowest)
Priority: u=3, i       # Medium urgency, incremental delivery

Browsers automatically assign priorities: CSS in <head> gets urgency 0; lazy-loaded images get urgency 5-6. A small critical bundle competing with a large deferred vendor chunk for bandwidth is served first when the CDN honours priorities.

Misconfiguration risk: misconfigured HTTP/3 priority can erase 20-30% of code-splitting benefits if the CDN sends the large deferred chunk first despite browser priority hints. Verify in Chrome’s Network panel under the “Priority” column.

103 Early Hints (RFC 8297)

A server that knows it will serve index.html also knows the critical resources that page will need — the critical JS chunk, the main font, the hero image. With 103 Early Hints, the server sends an informational 103 response with Link: ...; rel=preload headers before finishing HTML generation. The browser starts fetching critical resources while the server is still building the response.

HTTP/2 103 Early Hints
Link: </static/app.abc123.js>; rel=preload; as=script
Link: </fonts/inter.woff2>; rel=preload; as=font; crossorigin

Typical gain: 100-500 ms on critical resource delivery, depending on the server’s HTML generation time and network latency. Cloudflare, Fastly, and Vercel support 103. Most production teams do not use Early Hints yet; it is a senior-level optimisation that shows up in 95th-percentile LCP improvements.

Subresource Integrity and CSP

Subresource Integrity (SRI): the integrity attribute on <script> and <link> tags includes a hash of the expected file content. If a CDN or third-party host is compromised and serves a modified script, the browser computes the hash and rejects the file.

<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

Without SRI, a CDN compromise ships malicious JS to all users silently. With SRI, the browser refuses the script. Production-grade: SRI on all third-party script tags; build tooling generates SRI hashes for first-party assets automatically.

CSP + bundle delivery: script-src 'self' https://cdn.example.com restricts which origins can serve scripts. Common misconfiguration: 'unsafe-inline' allows inline scripts, defeating the protection against XSS-injected scripts. Use nonces or hashes for intentional inline scripts instead.

Production observability: bundle size as a RUM metric

Beyond LCP/INP/CLS, senior teams track gzip’d bundle size per route as a custom RUM metric. When LCP degrades, the first correlation to check is whether the bundle size changed in the same deploy. Some platforms (Vercel Analytics, Sentry Performance) expose this automatically; others require a custom beacon.

Production failure patterns: Pinterest 2017 (single large bundle → 12 s main-thread block, rewrite to chunks → bounce -40%); Tinder 2019 (admin panel on consumer routes → 200 KB removed → conversion +5%); Stripe 2020 (Stripe.js 80 KB on every checkout → small loader + lazy → TTI -35%). The pattern is always structural: split, lazy, replace — not compress-more.