Bug 233905

Summary: TypedArray prototype set should go down the fast path when using non clamped integer types of the same byte size
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch
keith_miller: review+, ews-feeder: commit-queue-
patch for landing none

Description Saam Barati 2021-12-06 17:39:02 PST 
...
Comment 1 Saam Barati 2021-12-06 18:27:47 PST 
Created attachment 446106 [details]
patch
Comment 2 Keith Miller 2021-12-06 18:33:32 PST 
Comment on attachment 446106 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=446106&action=review

> Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:283
> +    if (isInt(Adaptor::typeValue) && isInt(ci->typedArrayStorageType) && !isClamped(Adaptor::typeValue) && JSC::elementSize(Adaptor::typeValue) == JSC::elementSize(ci->typedArrayStorageType))

Nit: Why do you need the isClamped check? Shouldn't that follow from the if above and the fact that the elementSizes are the same? It might still be worth having as an ASSERT in the body of this if though.
Comment 3 Saam Barati 2021-12-06 21:50:06 PST 
Comment on attachment 446106 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=446106&action=review

>> Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:283
>> +    if (isInt(Adaptor::typeValue) && isInt(ci->typedArrayStorageType) && !isClamped(Adaptor::typeValue) && JSC::elementSize(Adaptor::typeValue) == JSC::elementSize(ci->typedArrayStorageType))
> 
> Nit: Why do you need the isClamped check? Shouldn't that follow from the if above and the fact that the elementSizes are the same? It might still be worth having as an ASSERT in the body of this if though.

No, because we could have something like, |this| is Uint8ClampedArray and the source is Int8Array. Above check doesn't hit, element sizes are the same, but we can't use this copying path.
Comment 4 Saam Barati 2021-12-06 21:50:24 PST 
Created attachment 446120 [details]
patch for landing
Comment 5 Saam Barati 2021-12-06 21:51:12 PST 
Comment on attachment 446120 [details]
patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=446120&action=review

> Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:219
> +        || (elementSize == otherElementSize && (static_cast<void*>(typedVector() + offset) <= static_cast<void*>(other->typedVector() + otherOffset)))

this fixes a pre-existing bug where we sometimes do a forwards loop even though we should've been doing a backwards loop. I added a test for this.
Comment 6 Keith Miller 2021-12-07 06:08:10 PST 
Comment on attachment 446120 [details]
patch for landing

r=me again.
Comment 7 EWS 2021-12-07 20:00:30 PST 
Committed r286639 (244952@main): <https://commits.webkit.org/244952@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 446120 [details].
Comment 8 Radar WebKit Bug Importer 2021-12-07 20:01:22 PST 
<rdar://problem/86189423>