Closed Bug 677743 Opened 9 years ago Closed 9 years ago

Store base of data directly in typed arrays

Categories

(Core :: JavaScript Engine, defect)


RESOLVED FIXED
mozilla8

People

(Reporter: bhackett1024, Assigned: bhackett1024)

Attachments

(1 file)

Per bug 664249 comment 34, handling of byte offsets in JM typed array ICs is incorrect, and slower than it needs to be.  Here is a testcase exposing the problem:

function f(x, y) {
  for (var i = 0; i < 100; i++)
    assertEq(x[0], y);
}
var a = ArrayBuffer(20);
var b = Int32Array(a, 12, 2);
var c = Int32Array(a, 0, 2);
b[0] = 10;
f(b, 10);
c[0] = 20;
f(c, 20);

> js test.js
> js -m test.js
test.js:3: Error: Assertion failed: got 10, expected 20

The base of the data in a typed array is split across two Values because it may be unaligned, and unaligned private pointers cannot be stored in Values on x64.  The .privateData of typed array JSObjects is unused, however, and can store unaligned pointers.  Using this instead allows fixing the ICs and faster accesses on the typed arrays.
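An added regression check, not part of the bug report or the attached patch: it generalizes the testcase above to every 4-byte-aligned offset of one buffer and compares hot-loop element reads against DataView reads at the explicit byte offset. The function names are hypothetical, and the constructors are called with `new` so the check runs on current engines.

```javascript
// Host byte order, needed so DataView reads match Int32Array reads.
const LITTLE_ENDIAN = new Uint8Array(new Uint32Array([1]).buffer)[0] === 1;

// Read view[index] in a loop hot enough for a JIT to compile and specialize
// the element access; return the last value observed.
function hotRead(view, index, iterations) {
  let last;
  for (let i = 0; i < iterations; i++) last = view[index];
  return last;
}

// Reference read through DataView with an explicit byte offset, independent
// of the typed array element fast path.
function referenceRead(view, index) {
  const dv = new DataView(view.buffer);
  return dv.getInt32(view.byteOffset + index * 4, LITTLE_ENDIAN);
}

// Create one Int32Array view per aligned offset of a shared buffer, write a
// distinct (constructed) value through each, then pass every view through the
// same hot function. A byte offset cached from an earlier view would surface
// as a mismatch. Returns the mismatches; the list is empty on a correct engine.
function checkOffsets(bufferBytes, iterations) {
  const buffer = new ArrayBuffer(bufferBytes);
  const views = [];
  for (let off = 0; off + 4 <= bufferBytes; off += 4) {
    const v = new Int32Array(buffer, off, 1);
    v[0] = 1000 + off;
    views.push(v);
  }
  const mismatches = [];
  // Descending order first (as in the testcase: offset 12, then 0), then ascending.
  for (const v of [...views].reverse().concat(views)) {
    const got = hotRead(v, 0, iterations);
    const expected = referenceRead(v, 0);
    if (got !== expected) {
      mismatches.push({ byteOffset: v.byteOffset, got, expected });
    }
  }
  return mismatches;
}

console.log(checkOffsets(20, 100));
```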
Attached patch: patch
Attachment #551928 - Flags: review?(mrbkap)
Landing to JM for some post-merge greenification.

http://hg.mozilla.org/projects/jaegermonkey/rev/7f3e8f6ba47a
Attachment #551928 - Flags: review?(mrbkap) → review+
Blocks: 677854
No longer blocks: 677854
Merged:
http://hg.mozilla.org/mozilla-central/rev/d8838be30903
Assignee: general → bhackett1024
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: inbound
Target Milestone: --- → mozilla8
Version: unspecified → Trunk