Created attachment 367808 [details] WIP

Created attachment 368301 [details] WIP

Created attachment 368517 [details] WIP

Created attachment 369032 [details] Mostly done needs cleanup

Created attachment 369130 [details] Patch

Attachment 369130 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 3 in 66 files If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 369131 [details] Patch

Attachment 369131 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 3 in 64 files If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 369141 [details] Patch

Attachment 369141 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 3 in 64 files If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 369144 [details] Patch

Attachment 369144 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 3 in 65 files If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 369145 [details] Patch

Attachment 369145 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 3 in 65 files If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 369146 [details] Patch

Attachment 369146 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 3 in 66 files If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 369150 [details] Patch

Attachment 369150 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 3 in 66 files If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 369150 [details] Patch Attachment 369150 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/12114098 Number of test failures exceeded the failure limit.

Created attachment 369158 [details] Archive of layout-test-results from ews104 for mac-highsierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-highsierra-wk2 Platform: Mac OS X 10.13.6

Comment on attachment 369150 [details] Patch Attachment 369150 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/12114119 Number of test failures exceeded the failure limit.

Created attachment 369159 [details] Archive of layout-test-results from ews101 for mac-highsierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-highsierra Platform: Mac OS X 10.13.6

Comment on attachment 369150 [details] Patch Attachment 369150 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/12114185 Number of test failures exceeded the failure limit.

Created attachment 369162 [details] Archive of layout-test-results from ews116 for mac-highsierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews116 Port: mac-highsierra Platform: Mac OS X 10.13.6

Comment on attachment 369150 [details] Patch Attachment 369150 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/12114406 Number of test failures exceeded the failure limit.

Created attachment 369164 [details] Archive of layout-test-results from ews215 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews215 Port: win-future Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit

Created attachment 369167 [details] Patch

Attachment 369167 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:36: Code inside a namespace should not be indented. [whitespace/indent] [4] ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 4 in 66 files If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 369167 [details] Patch Attachment 369167 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/12115341 Number of test failures exceeded the failure limit.

Created attachment 369177 [details] Archive of layout-test-results from ews101 for mac-highsierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-highsierra Platform: Mac OS X 10.13.6

Comment on attachment 369167 [details] Patch Attachment 369167 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/12115403 Number of test failures exceeded the failure limit.

Created attachment 369183 [details] Archive of layout-test-results from ews106 for mac-highsierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-highsierra-wk2 Platform: Mac OS X 10.13.6

Comment on attachment 369167 [details] Patch Attachment 369167 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/12115337 Number of test failures exceeded the failure limit.

Created attachment 369186 [details] Archive of layout-test-results from ews115 for mac-highsierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews115 Port: mac-highsierra Platform: Mac OS X 10.13.6

Comment on attachment 369167 [details] Patch Attachment 369167 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: https://webkit-queues.webkit.org/results/12115422 Number of test failures exceeded the failure limit.

Created attachment 369191 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.14.4

Created attachment 369192 [details] Patch

Attachment 369192 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:36: Code inside a namespace should not be indented. [whitespace/indent] [4] ERROR: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:53: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/WTF/wtf/CagedPtr.h:79: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] ERROR: Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 4 in 63 files If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 369192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=369192&action=review > Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:105 > + ALWAYS_INLINE void tagArrayPtr(RegisterID target, RegisterID length) > + { > + m_assembler.pacdb(target, length); > + } > + > + ALWAYS_INLINE void untagArrayPtr(RegisterID target, RegisterID length) > + { > + m_assembler.autdb(target, length); > + } > + > + ALWAYS_INLINE void untagArrayPtr(RegisterID target, Address length) > + { > + auto lengthGPR = getCachedDataTempRegisterIDAndInvalidate(); > + load32(length, lengthGPR); > + m_assembler.autdb(target, lengthGPR); > + } > + > + ALWAYS_INLINE void removeArrayPtrTag(RegisterID target) > + { > + m_assembler.xpacd(target); > + } your destinations are on the wrong side.

Comment on attachment 369192 [details] Patch Attachment 369192 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/12117975 New failing tests: imported/w3c/web-platform-tests/IndexedDB/idb-binary-key-detached.htm fast/canvas/webgl/arraybuffer-transfer-of-control.html

Created attachment 369217 [details] Archive of layout-test-results from ews114 for mac-highsierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews114 Port: mac-highsierra Platform: Mac OS X 10.13.6

Comment on attachment 369192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=369192&action=review r=me > Source/JavaScriptCore/ChangeLog:11 > + Change CagedBarrierPtr to work with PAC so constructors and accessors not expect to receive a length. I'm confused in this sentence, I think you're missing a word somewhere. > Source/JavaScriptCore/ChangeLog:15 > + Add arm64e.rb backend as we missed that when originally open sourcing our code. our code => our arm64e code > Source/JavaScriptCore/ChangeLog:16 > + Add a new optional t6 temporary, which is only used currently on arm64e for GetByVal on a TypedArray. optional? > Source/JavaScriptCore/ChangeLog:26 > + Wasm: > + Use the TaggedArrayStoragePtr class for the memory base pointer. In theory we should be caging those pointers but I don't want to risk introducing a performance regression with the rest of this change. I've filed https://bugs.webkit.org/show_bug.cgi?id=197620 to do this later. You should also say you're enabling fast memory. And perhaps also JS2 perf impact. > Source/bmalloc/ChangeLog:9 > + cage but returns a nullptr if the incoming pointer is already null.n null.n => null. > Source/JavaScriptCore/b3/B3ValueRep.h:79 > + // that the use happens after any of the effects of the patchpoint. effects => def. Perhaps instead just write "use interferes with the def" > Source/JavaScriptCore/b3/B3ValueRep.h:81 > + SomeLateRegister, Can we have some patchpoint test where we assert this isn't the same as the input in a situation that forces the register allocator's hand to spill something perhaps? > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2879 > + GPRReg scratch = m_jit.scratchRegister(); > + DisallowMacroScratchRegisterUsage disallowScratch(m_jit); (This is kinda funky.) > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2883 > + m_jit.loadPtr(MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()), scratch); > + m_jit.removeArrayPtrTag(scratch); > + hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); Why not just do a `test` on the bits we care about? Probably can be encoded in a single insn too instead of having the strip. Alternatively, null implies length of zero. So you could just tag nullptr with zero in this compiler thread and compare to that constant value. I kinda like my previous suggestion more though since I think it'll be fewer instructions. > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:14079 > + style nit: remove this blank line > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:14128 > + if (kind == Gigacage::Primitive) { Primitive always means typed arrays right now? > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:16558 > +#if !GIGACAGE_ENABLED && CPU(ARM64E) > + PatchpointValue* authenticate = m_out.patchpoint(pointerType()); > + authenticate->appendSomeRegister(vector); > + authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { > + jit.move(params[1].gpr(), params[0].gpr()); > + jit.removeArrayPtrTag(params[0].gpr()); > + }); > + vector = authenticate; > +#endif nit: Might be worth having a fully different code path instead of isZero64 here so B3 can nicely instruction select the test. > Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:-61 > - if (Options::dumpDisassembly()) > - dataLog("Clearing call link info for polymorphic call at ", m_callLinkInfo->callReturnLocation(), ", ", m_callLinkInfo->codeOrigin(), "\n"); probably worth reverting this? > Source/JavaScriptCore/offlineasm/arm64e.rb:1 > +# Copyright (C) 2018 Apple Inc. All rights reserved. 2018-2019 Please also remove this file from the Internal repo (feel free to email me a bug link to that and I will review it). > Source/JavaScriptCore/runtime/ArrayBuffer.cpp:45 > + m_destructor(m_data.getUnsafe()); why unsafe? Let's at least open a bug about fixing this. > Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68 > + /* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; } did you mean to leave the comment here? > Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:321 > + FINALIZE_CODE(linkBuffer, B3CompilationPtrTag, "WebAssembly BBQ function[%i] %s", functionIndex, signature.toString().ascii().data()), nice > Source/JavaScriptCore/wasm/WasmMemory.cpp:271 > + this->memory(); what is this doing? Just debug assert? > Source/JavaScriptCore/wasm/WasmMemory.cpp:445 > + memory(); Is this just for the debug assert? > Source/JavaScriptCore/wasm/js/JSToWasm.cpp:227 > + GPRReg scratch = jit.scratchRegister(); > + DisallowMacroScratchRegisterUsage disallowScratch(jit); nit: let's just use Wasm::wasmCallingConventionAir().prologueScratch(0); instead of scratchRegister() > Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:410 > + GPRReg scratch = jit.scratchRegister(); > + DisallowMacroScratchRegisterUsage disallowScratch(jit); > + just use scratch2GPR here instead of this. > Source/WTF/wtf/CagedUniquePtr.h:33 > +class CagedUniquePtr : public CagedPtr<kind, T, shouldTag> { There doesn't appear to be a single place where shouldTag is true. Am I missing something? > Source/WTF/wtf/PtrTag.h:155 > +template<typename T> > +inline T* tagArrayPtr(nullptr_t ptr, size_t length) > +{ > + ASSERT(!length); > + return ptrauth_sign_unauthenticated(static_cast<T*>(ptr), ptrauth_key_process_dependent_data, length); > +} > + > + > +template<typename T> > +inline T* tagArrayPtr(T* ptr, size_t length) > +{ > + return ptrauth_sign_unauthenticated(ptr, ptrauth_key_process_dependent_data, length); > +} > + > +template<typename T> > +inline T* untagArrayPtr(T* ptr, size_t length) > +{ > + return ptrauth_auth_data(ptr, ptrauth_key_process_dependent_data, length); > +} > + > +template<typename T> > +inline T* removeArrayPtrTag(T* ptr) > +{ > + return ptrauth_strip(ptr, ptrauth_key_process_dependent_data); > +} > + > +template<typename T> > +inline T* retagArrayPtr(T* ptr, size_t oldLength, size_t newLength) > +{ > + return ptrauth_auth_and_resign(ptr, ptrauth_key_process_dependent_data, oldLength, ptrauth_key_process_dependent_data, newLength); > +} can we add `using XYZ` for these functions so we don't have to prefix calls with WTF::?

Comment on attachment 369192 [details] Patch Attachment 369192 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/12119340 New failing tests: legacy-animation-engine/compositing/reflections/load-video-in-reflection.html

Created attachment 369235 [details] Archive of layout-test-results from ews213 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews213 Port: win-future Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit

Comment on attachment 369192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=369192&action=review >> Source/JavaScriptCore/ChangeLog:11 >> + Change CagedBarrierPtr to work with PAC so constructors and accessors not expect to receive a length. > > I'm confused in this sentence, I think you're missing a word somewhere. it's a typo that's throwing you off: not => now. >> Source/JavaScriptCore/ChangeLog:16 >> + Add a new optional t6 temporary, which is only used currently on arm64e for GetByVal on a TypedArray. > > optional? It's optional in so far as it's not required to have it for every platform to work. >> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:105 >> + } > > your destinations are on the wrong side. Fixed. I filed https://bugs.webkit.org/show_bug.cgi?id=197677 for the other functions. >> Source/JavaScriptCore/b3/B3ValueRep.h:79 >> + // that the use happens after any of the effects of the patchpoint. > > effects => def. Perhaps instead just write "use interferes with the def" done. >> Source/JavaScriptCore/b3/B3ValueRep.h:81 >> + SomeLateRegister, > > Can we have some patchpoint test where we assert this isn't the same as the input in a situation that forces the register allocator's hand to spill something perhaps? Sure. >> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2879 >> + DisallowMacroScratchRegisterUsage disallowScratch(m_jit); > > (This is kinda funky.) Yeah, but it probably more efficient than using a scratch here? I suppose I could ask for some caller save register and clobber that but it seems like this is the most available scratch. >> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2883 >> + hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); > > Why not just do a `test` on the bits we care about? Probably can be encoded in a single insn too instead of having the strip. > > Alternatively, null implies length of zero. So you could just tag nullptr with zero in this compiler thread and compare to that constant value. I kinda like my previous suggestion more though since I think it'll be fewer instructions. That *might* work because we don't support tagged pointers but I'd rather do it in a follow up. Materializing the value is still at least one instruction. Additionally, IIRC, stripping the pointer is only 1 cycle. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:14079 >> + > > style nit: remove this blank line Done. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:14128 >> + if (kind == Gigacage::Primitive) { > > Primitive always means typed arrays right now? For this function yeah. We put other arguments data in the primitive cage but we access them through other helpers... :/ >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:16558 >> +#endif > > nit: Might be worth having a fully different code path instead of isZero64 here so B3 can nicely instruction select the test. Sure, I'll file a bug for this and add a FIXME. >> Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:-61 >> - dataLog("Clearing call link info for polymorphic call at ", m_callLinkInfo->callReturnLocation(), ", ", m_callLinkInfo->codeOrigin(), "\n"); > > probably worth reverting this? It's actually incorrect. Since we call this when we are in final path and codeOrigin() loads other cells we can crash. >> Source/JavaScriptCore/offlineasm/arm64e.rb:1 >> +# Copyright (C) 2018 Apple Inc. All rights reserved. > > 2018-2019 > Please also remove this file from the Internal repo (feel free to email me a bug link to that and I will review it). Will do. >> Source/JavaScriptCore/runtime/ArrayBuffer.cpp:45 >> + m_destructor(m_data.getUnsafe()); > > why unsafe? Let's at least open a bug about fixing this. Done. https://bugs.webkit.org/show_bug.cgi?id=197698 >> Source/JavaScriptCore/runtime/CagedBarrierPtr.h:68 >> + /* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; } > > did you mean to leave the comment here? Yeah, so the result type is more obviously visible. Otherwise you have to parse the entire enable_if... :( >> Source/JavaScriptCore/wasm/WasmMemory.cpp:271 >> + this->memory(); > > what is this doing? Just debug assert? Yeah, removed. >> Source/JavaScriptCore/wasm/WasmMemory.cpp:445 >> + memory(); > > Is this just for the debug assert? Yeah, removed. >> Source/JavaScriptCore/wasm/js/JSToWasm.cpp:227 >> + DisallowMacroScratchRegisterUsage disallowScratch(jit); > > nit: let's just use Wasm::wasmCallingConventionAir().prologueScratch(0); instead of scratchRegister() Done. >> Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:410 >> + > > just use scratch2GPR here instead of this. Done. >> Source/WTF/wtf/CagedUniquePtr.h:33 >> +class CagedUniquePtr : public CagedPtr<kind, T, shouldTag> { > > There doesn't appear to be a single place where shouldTag is true. Am I missing something? I exposed a global: constexpr bool tagCagedPtr = true, which I use as an "enum". >> Source/WTF/wtf/PtrTag.h:155 >> +} > > can we add `using XYZ` for these functions so we don't have to prefix calls with WTF::? Done.

Created attachment 369405 [details] Patch for landing

Comment on attachment 369405 [details] Patch for landing Clearing flags on attachment: 369405 Committed r245064: <https://trac.webkit.org/changeset/245064>

All reviewed patches have been landed. Closing bug.

Committed r245093: <https://trac.webkit.org/changeset/245093>