The bytecode VMs hiding inside SQLite, eBPF, GDB, and even WinRAR

Bytecode interpreters aren’t just for languages like Python and JavaScript — they show up in surprising corners of the software stack. SQLite compiles SQL to bytecode for a custom VM. The Linux kernel ships eBPF, which began as a packet-filter evaluator and grew into a general-purpose in-kernel VM with ten registers, a JIT, and hooks across kernel subsystems. DWARF debug info embeds a stack-based expression language so debuggers can locate variables that may live in registers, on the stack, or nowhere at all, and GDB carries a second bytecode for remote agents to evaluate trace expressions without a full symbolic interpreter.

The pattern extends well past systems software. The RAR archive format includes RarVM, an x86-like virtual machine used to run reversible data transforms that boost compression ratios — a detail surfaced by Google’s Tavis Ormandy. GPU rendering research and emulators like Dolphin use “ubershaders” that interpret a rendering pipeline on the GPU itself to dodge shader-compilation stutter. TrueType ships over 200 instructions for glyph hinting, and PostScript is a full stack-based programming language masquerading as a page format.

The through-line: when a system needs to ship user-defined logic across a trust or compilation boundary — kernel/user, compiler/debugger, archiver/extractor, CPU/GPU — a small bytecode VM keeps the executor simple, bounded, and portable. It’s a recurring design answer to a recurring problem, which is why these VMs keep turning up in places nobody expects.