Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d54aaf250be959db593d49672fccc7a2d490d8ce
      
https://github.com/WebKit/WebKit/commit/d54aaf250be959db593d49672fccc7a2d490d8ce
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-05-01 (Fri, 01 May 2026)

  Changed paths:
    A JSTests/stress/new-typed-array-constant-size-zero-fill.js
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Unroll zero-fill for `NewTypedArray` with small constant length
https://bugs.webkit.org/show_bug.cgi?id=312225

Reviewed by Yusuke Suzuki.

When the length of `new TypedArray(N)` is a small Int32 constant, DFG/FTL
still emitted a runtime zero-fill loop and fastSizeLimit branch even
though the byte size is known at compile time.

This patch derives the constant byte size in emitNewTypedArrayWithSizeInRegister
and, when set, skips the fastSizeLimit branch, materializes the byte size as
an immediate, and zero-fills via emitFillStorageWithJSEmpty (unrolled
`stp xzr, xzr` on ARM64) for up to 16 words. Guarded by USE(JSVALUE64) since
JSEmpty is non-zero on JSVALUE32_64. In FTL, a constInt32 word count is passed
to splatWords so its existing unroll path is taken and Air fuses the stores
into stp.

For `new Float64Array(4)` on ARM64, the NewTypedArray fast path goes from
74 to 47 dynamic instructions in DFG (-36%) and 52 to 36 in FTL (-31%):

    DFG before: cmp x0,#0x3e8; b.hi; lsl w4,w0,#3; ...
                cbz w0; mov; lsl; (sub; str wzr; cbnz) x8
    DFG after:  orr w4,wzr,#0x20; ...
                stp xzr,xzr,[x3]; stp xzr,xzr,[x3,#0x10]

Test: JSTests/stress/new-typed-array-constant-size-zero-fill.js

* JSTests/stress/new-typed-array-constant-size-zero-fill.js: Added.
(shouldBeZeroFilled):
(f64_0):
(i8_0):
(f64_1):
(u8_1):
(i8_3):
(i8_7):
(i8_9):
(u16_5):
(f32_3):
(f64_16):
(f64_17):
(u32_32):
(u32_33):
(i8_128):
(i8_129):
(f64_10):
(f64_11):
(f64_1000):
(f64_1001):
(bi64_2):
(bu64_16):
(i32_neg):
(dirty):
(fresh):
(i.catch):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):

Canonical link: https://commits.webkit.org/312432@main
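
The property this change must preserve is that a freshly allocated typed array never exposes stale heap bytes. The following check is an added example, not the test file from this commit or any WebKit code: it allocates typed arrays with literal lengths on both sides of the 16-word limit named in the log message and scans every byte. The 8-byte word size, the round-up of byte size to words, and all function names are assumptions of the example.

```javascript
// Added example, not WebKit's test. UNROLL_WORDS is the "up to 16 words" limit
// from the commit message; 8-byte words and rounding up are assumptions.
const UNROLL_WORDS = 16;
const WORD_BYTES = 8;

// Each factory uses a literal length so a JIT sees a constant. Sizes sit on
// both sides of the 16-word (128-byte) boundary or are not word multiples.
const FACTORIES = [
  () => new Int8Array(0), () => new Int8Array(3), () => new Int8Array(9),
  () => new Int8Array(128), () => new Int8Array(129), () => new Uint16Array(5),
  () => new Float32Array(3), () => new Uint32Array(32), () => new Uint32Array(33),
  () => new Float64Array(16), () => new Float64Array(17), () => new BigInt64Array(2),
];

function wordCount(byteLength) {
  return Math.ceil(byteLength / WORD_BYTES);
}

function withinUnrollLimit(byteLength) {
  return wordCount(byteLength) <= UNROLL_WORDS;
}

// Index of the first non-zero byte in the view's storage, or -1 if all zero.
function firstNonZeroByte(view) {
  const bytes = new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
  return bytes.findIndex((b) => b !== 0);
}

// Allocate each case many times (enough for JIT tier-up) and report any
// allocation whose storage is not fully zeroed.
function checkZeroFill(iterations = 20000) {
  const failures = [];
  for (const make of FACTORIES) {
    for (let i = 0; i < iterations; i++) {
      const a = make();
      const bad = firstNonZeroByte(a);
      if (bad !== -1) {
        failures.push(`${a.constructor.name}(${a.length}): byte ${bad} is non-zero`);
        break;
      }
      // Dirty the storage so a recycled, unfilled buffer would be detected.
      a.fill(a instanceof BigInt64Array ? -1n : -1);
    }
  }
  return failures;
}
```

`checkZeroFill()` returns an empty array when every allocation was zeroed; run it under the engine and JIT tier being validated.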


