Read OSS
webKit/webkit

Navigating WebKit: Architecture Overview and Codebase Map

Beginner

Prerequisites

  • General software engineering fundamentals
  • Basic familiarity with how browsers work (parse, render, execute)
  • Comfort reading C++ file and directory structures

Navigating WebKit: Architecture Overview and Codebase Map

WebKit powers Safari on every Apple device, ships as the engine behind Mail, Books, News, and the App Store, and runs on Linux via the GTK and WPE ports. The repository is enormous — millions of lines of C++ spread across dozens of top-level directories. Before you can meaningfully contribute to or even read the codebase, you need a mental map. This article provides that map.

We will trace the repository layout, the strict six-layer dependency hierarchy encoded directly in the build tool, the multi-process security architecture that isolates web content from the rest of your system, and the conditional-compilation macros that let one source tree build for macOS, iOS, Linux, PlayStation, and Windows.

Repository Layout at a Glance

The top-level directory structure splits cleanly into source code, tooling, and tests:

Directory Purpose
Source/ All production source code — every component from bmalloc to WebDriver
Tools/ Build scripts, test runners, developer utilities, and the git-webkit CLI
JSTests/ JavaScript conformance and regression tests for JavaScriptCore
LayoutTests/ HTML/CSS/DOM rendering tests (the primary test suite for WebCore)
PerformanceTests/ Benchmarks including JetStream and MallocBench
Configurations/ Xcode .xcconfig files for Apple-platform builds
Source/cmake/ Shared CMake modules used by all components on non-Apple ports

The root CMakeLists.txt declares the project, sets up the module path to Source/cmake/, and then adds Source/ as a single subdirectory:

cmake_minimum_required(VERSION 3.20)
project(WebKit LANGUAGES C CXX)
set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/Source/cmake")

Everything else flows from there. The Makefile at the root is a thin wrapper that delegates to either Xcode or CMake depending on the platform.

Tip: When navigating the repo for the first time, start with Source/CMakeLists.txt. Its add_subdirectory() calls are an ordered table of contents for the entire engine.

The Six-Layer Build Stack

Open Source/CMakeLists.txt and you'll see the dependency hierarchy spelled out in build order. Each add_subdirectory() call can only reference libraries from earlier calls:

graph BT
    bmalloc["bmalloc<br/><i>Memory allocator</i>"]
    WTF["WTF<br/><i>Web Template Framework</i>"]
    JSC["JavaScriptCore<br/><i>JS engine</i>"]
    WebCore["WebCore<br/><i>Web standards</i>"]
    WebKit2["WebKit (WebKit2)<br/><i>Multi-process embedding</i>"]
    WebDriver["WebDriver<br/><i>Automation</i>"]
    
    WTF --> bmalloc
    JSC --> WTF
    WebCore --> JSC
    WebKit2 --> WebCore
    WebDriver --> WebKit2

The build file makes this explicit in its first four unconditional lines:

add_subdirectory(bmalloc)
add_subdirectory(WTF)
...
add_subdirectory(JavaScriptCore)

These are unconditional — every port needs them. Later entries like WebCore, WebKit, and WebDriver are gated behind ENABLE(...) flags, allowing minimal builds that include only the JS engine.

Here is what each layer provides:

Layer Directory Responsibility
bmalloc Source/bmalloc/ Custom memory allocator with type-segregated IsoHeap pages for security
WTF Source/WTF/ Template library: containers (Vector, HashMap), smart pointers (Ref, RefPtr, WeakPtr), threading primitives
JavaScriptCore Source/JavaScriptCore/ Full JavaScript engine with 4-tier JIT compilation pipeline
WebCore Source/WebCore/ HTML/CSS/DOM parsing, layout, rendering, and 30+ Web API modules
WebKit Source/WebKit/ Multi-process architecture: IPC, process management, embedding API (WKWebView)
WebDriver Source/WebDriver/ W3C WebDriver automation protocol implementation

The strict layering is a deliberate architectural constraint. WebCore never calls into WebKit2; JavaScriptCore never calls into WebCore. Dependencies flow in one direction only — upward.

Multi-Process Security Architecture

WebKit's defining architectural feature is process isolation. Every web page runs in a sandboxed process separate from the application. If a page crashes, the application survives. If an attacker finds a vulnerability in the renderer, they're trapped inside a sandbox with minimal system access.

flowchart LR
    UI["UI Process<br/>(Safari, Mail)"]
    WC1["WebContent Process<br/>(Tab 1)"]
    WC2["WebContent Process<br/>(Tab 2)"]
    NP["Network Process"]
    GP["GPU Process"]
    
    UI <-->|IPC| WC1
    UI <-->|IPC| WC2
    UI <-->|IPC| NP
    UI <-->|IPC| GP
    WC1 <-->|IPC| NP
    WC2 <-->|IPC| NP
    WC1 <-->|IPC| GP

The process types are:

  • UI Process — The application itself (Safari, Mail, your custom app using WKWebView). Owns the address bar, tabs, and all UI chrome. Never runs untrusted web code.
  • WebContent Process — Runs HTML parsing, CSS layout, JavaScript execution, and rendering for one or more web pages. Heavily sandboxed. On macOS/iOS, launched via XPC as seen in WebContentServiceEntryPoint.mm.
  • Network Process — Handles all HTTP/HTTPS requests, cookies, and storage. Shared across all WebContent processes in a session.
  • GPU Process — Manages WebGL, WebGPU, media decoding, and compositing. Isolates GPU driver attack surface from the renderer.

The entry point file for the WebContent process on Apple platforms is remarkably concise:

Source/WebKit/WebProcess/EntryPoint/Cocoa/XPCService/WebContentServiceEntryPoint.mm#L44-L61

The function initializes the main thread, cleans up environment variables, and then calls XPCServiceInitializer<WebKit::WebProcess> — a single template instantiation that bootstraps the entire WebContent process.

Tip: Each process type derives from AuxiliaryProcess, a base class that provides IPC connection management and message dispatch. We'll examine this in detail in Part 5.

Platform Ports and Conditional Compilation

WebKit builds for macOS, iOS, watchOS, tvOS, Linux (GTK and WPE ports), PlayStation, and Windows — all from the same source tree. Three macro families control what gets compiled:

Macro Family Purpose Examples
PLATFORM(X) Target operating system or hardware PLATFORM(COCOA), PLATFORM(GTK), PLATFORM(IOS_FAMILY)
ENABLE(X) Optional web-platform features that can be toggled ENABLE(WEBGL), ENABLE(FTL_JIT), ENABLE(CSS_SELECTOR_JIT)
USE(X) Swappable implementation choices USE(TZONE_MALLOC), USE(LIBWEBRTC), USE(SKIA)

These macros are defined in platform header files and flow from either CMake cache variables or Xcode build settings. Every source file begins with #include "config.h", which pulls in the platform definitions before any other code.

The CMake path uses CMakePresets.json to define named build configurations. For example, the GTK port has a preset that sets the Ninja generator and GTK-specific cache variables. You'd configure with:

cmake --preset gtk-debug

Apple-platform builds skip CMake entirely and use the Xcode workspace with .xcconfig files in the Configurations/ directory.

flowchart TD
    A[Developer runs build-webkit] --> B{Host platform?}
    B -->|macOS/iOS| C[Xcode workspace<br/>Configurations/*.xcconfig]
    B -->|Linux/Windows/PS| D[CMake + Presets<br/>CMakePresets.json]
    C --> E[Build products]
    D --> E

This dual build system is a pragmatic decision: Apple engineers work in Xcode daily, but non-Apple port maintainers need CMake. The build-webkit script in Tools/Scripts/ detects the platform and delegates to the right backend automatically.

What Lives Where: A Source Directory Map

Inside Source/, each component directory follows a consistent internal structure:

graph TD
    Source["Source/"]
    Source --> bmalloc["bmalloc/"]
    Source --> WTF["WTF/wtf/"]
    Source --> JSC["JavaScriptCore/"]
    Source --> WC["WebCore/"]
    Source --> WK["WebKit/"]
    Source --> WD["WebDriver/"]
    Source --> TP["ThirdParty/"]
    
    JSC --> parser["parser/"]
    JSC --> bytecode["bytecode/"]
    JSC --> jit["jit/, dfg/, ftl/, b3/"]
    JSC --> runtime["runtime/"]
    JSC --> heap["heap/"]
    
    WC --> dom["dom/"]
    WC --> css["css/"]
    WC --> layout["layout/"]
    WC --> rendering["rendering/"]
    WC --> Modules["Modules/"]
    WC --> platform["platform/"]
    
    WK --> UIProcess["UIProcess/"]
    WK --> WebProcess["WebProcess/"]
    WK --> NetworkProcess["NetworkProcess/"]
    WK --> GPUProcess["GPUProcess/"]
    WK --> IPC["Platform/IPC/"]

A few patterns to notice:

  • JavaScriptCore is organized by compilation phase: parser/bytecompiler/llint/jit/dfg/ftl/b3/.
  • WebCore is organized by web standard: dom/, css/, html/, svg/, plus a Modules/ directory containing 30+ Web API implementations.
  • WebKit (the multi-process layer) is organized by process type: UIProcess/, WebProcess/, NetworkProcess/, GPUProcess/.

The Source/ThirdParty/ directory bundles external dependencies that WebKit vendors: ANGLE (OpenGL ES), libwebrtc, Skia (optional graphics backend for non-Apple ports), BoringSSL, and others.

Bridging to the Rest of the Series

With this map in hand, you know where things live and why they're layered the way they are. In the next article, we'll descend into the foundation layer — WTF and bmalloc — and examine the ownership idioms (Ref, RefPtr, WeakPtr, ProtectedThis) that appear in virtually every file in the repository. Understanding these patterns is prerequisite to reading any WebKit code productively.