Reenable Gigacage on ARM64.
Created attachment 371113: Patch
Comment on attachment 371113: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=371113&action=review

> Source/JavaScriptCore/ChangeLog:11
> +    Gigacaging would otherwise strip a PAC failed authenticate bit we
> +    force a load of the pointer into some garbage register.

I was thinking this would be free because we would load the length from the base of the pointer anyway. Unfortunately, that is only true for butterflies and not for TypedArray storage. I'm not sure what the right fix is... perhaps this is still fine, but it's probably better to not pollute the caching hierarchy...
Comment on attachment 371113: Patch
Clearing flags on attachment: 371113
Committed r246022: <https://trac.webkit.org/changeset/246022>
All reviewed patches have been landed. Closing bug.
<rdar://problem/51340879>
Re-opened since this is blocked by bug 198486
Note: Internal tests also show a 3-5x magnitude performance regression on arm64e, compared to arm64. Probably a bug there.
Gonna take this over since Keith is busy at the moment with standards meetings.
Created attachment 371487: Patch
(In reply to Saam Barati from comment #8)
> Gonna take this over since Keith is busy at the moment with standards
> meetings.

But I have a patch!
Created attachment 371488: Patch
Comment on attachment 371488: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=371488&action=review

r=me with one comment.

> Source/JavaScriptCore/offlineasm/instructions.rb:276
> +    "bfiq", # Bit field insert <source reg> <width immediate> <last bit written> <dest reg>

The order of width and last bit written seem to be backwards.
Created attachment 371490: Patch for landing
Comment on attachment 371490: Patch for landing
Clearing flags on attachment: 371490
Committed r246150: <https://trac.webkit.org/changeset/246150>
Comment on attachment 371490: Patch for landing
View in context: https://bugs.webkit.org/attachment.cgi?id=371490&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:6846
> +    m_jit.cageWithoutUntaging(Gigacage::JSValue, dataGPR);

“Untaging” => “Untagging”
(In reply to Keith Miller from comment #10)
> (In reply to Saam Barati from comment #8)
> > Gonna take this over since Keith is busy at the moment with standards
> > meetings.
>
> But I have a patch!

👍🏼
What was the perf regression from the prior patch?
(In reply to Saam Barati from comment #18)
> What was the perf regression from the prior patch?

I was forcing a load of the untagged PC before passing it off to the gigacage stripping code.
Comment on attachment 371490: Patch for landing
View in context: https://bugs.webkit.org/attachment.cgi?id=371490&action=review

>> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:6846
>> +    m_jit.cageWithoutUntaging(Gigacage::JSValue, dataGPR);
>
> “Untaging” => “Untagging”

I uploaded a patch to fix the typo: https://bugs.webkit.org/show_bug.cgi?id=198617
Re-opened since this is blocked by bug 198698