Changeset 246240 in webkit

Timestamp:

Jun 9, 2019 1:28:18 PM (5 years ago)

Author:

commit-queue@webkit.org

Message:

Unreviewed, rolling out r246150, r246160, and r246166.
​https://bugs.webkit.org/show_bug.cgi?id=198698

Regresses page loading time on iOS 13 (Requested by keith_m
on #webkit).

Reverted changesets:

"Reenable Gigacage on ARM64."
​https://bugs.webkit.org/show_bug.cgi?id=198453
​https://trac.webkit.org/changeset/246150

"Unrevied build fix for FTL without Gigacage."
​https://trac.webkit.org/changeset/246160

"Fix typo in cageWithoutUntagging"
​https://bugs.webkit.org/show_bug.cgi?id=198617
​https://trac.webkit.org/changeset/246166

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/assembler/MacroAssemblerARM64.h (modified) (1 diff)
• JavaScriptCore/assembler/MacroAssemblerARM64E.h (modified) (1 diff)
• JavaScriptCore/assembler/testmasm.cpp (modified) (4 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (6 diffs)
• JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (4 diffs)
• JavaScriptCore/jit/AssemblyHelpers.h (modified) (3 diffs)
• JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (4 diffs)
• JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• JavaScriptCore/offlineasm/arm64.rb (modified) (2 diffs)
• JavaScriptCore/offlineasm/instructions.rb (modified) (1 diff)
• JavaScriptCore/offlineasm/registers.rb (modified) (1 diff)
• JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (3 diffs)
• JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (3 diffs)
• JavaScriptCore/wasm/WasmBinding.cpp (modified) (1 diff)
• JavaScriptCore/wasm/js/JSToWasm.cpp (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (modified) (1 diff)
• bmalloc/ChangeLog (modified) (1 diff)
• bmalloc/bmalloc/Gigacage.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-06-09  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r246150, r246160, and r246166.
+        https://bugs.webkit.org/show_bug.cgi?id=198698
+
+        Regresses page loading time on iOS 13 (Requested by keith_m__
+        on #webkit).
+
+        Reverted changesets:
+
+        "Reenable Gigacage on ARM64."
+        https://bugs.webkit.org/show_bug.cgi?id=198453
+        https://trac.webkit.org/changeset/246150
+
+        "Unrevied build fix for FTL without Gigacage."
+        https://trac.webkit.org/changeset/246160
+
+        "Fix typo in cageWithoutUntagging"
+        https://bugs.webkit.org/show_bug.cgi?id=198617
+        https://trac.webkit.org/changeset/246166
+
 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h

@@ -2527 +2527 @@
     }
 
-    // Bit field operations:
-
-    // destBitOffset is the top bit of the destination where the bits should be copied to. Zero is the lowest order bit.
-    void bitFieldInsert64(RegisterID source, unsigned destBitOffset, unsigned width, RegisterID dest)
-    {
-        ASSERT(width <= 64 - destBitOffset && destBitOffset < 64);
-        m_assembler.bfi<64>(dest, source, destBitOffset, width);
-    }
-
     // Forwards / external control flow operations:
     //

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h

@@ -40 +40 @@
 class MacroAssemblerARM64E : public MacroAssemblerARM64 {
 public:
-    static constexpr unsigned numberOfPACBits = 25;
-
     ALWAYS_INLINE void tagReturnAddress()
     {

trunk/Source/JavaScriptCore/assembler/testmasm.cpp

@@ -40 +40 @@
 #include <wtf/Lock.h>
 #include <wtf/NumberOfCores.h>
-#include <wtf/PtrTag.h>
 #include <wtf/Threading.h>
 #include <wtf/text/StringCommon.h>
@@ -108 +107 @@
         dataLog("FAILED while testing " #_actual ": expected: ", _expected, ", actual: ", _actual, "\n"); \
         WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_EQ("#_actual ", " #_expected ")"); \
-        CRASH();                                                        \
-    } while (false)
-
-#define CHECK_NOT_EQ(_actual, _expected) do {                               \
-        if ((_actual) != (_expected))                                   \
-            break;                                                      \
-        crashLock.lock();                                               \
-        dataLog("FAILED while testing " #_actual ": expected not: ", _expected, ", actual: ", _actual, "\n"); \
-        WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_NOT_EQ("#_actual ", " #_expected ")"); \
         CRASH();                                                        \
     } while (false)
@@ -1012 +1002 @@
 
 #endif
-}
-
-static void testCagePreservesPACFailureBit()
-{
-    auto cage = compile([] (CCallHelpers& jit) {
-        jit.emitFunctionPrologue();
-        jit.cageConditionally(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2);
-        jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR);
-        jit.emitFunctionEpilogue();
-        jit.ret();
-    });
-
-    void* ptr = Gigacage::tryMalloc(Gigacage::Primitive, 1);
-    void* taggedPtr = tagArrayPtr(ptr, 1);
-    dataLogLn("starting test");
-    if (isARM64E()) {
-        // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now.
-        CHECK_NOT_EQ(invoke<void*>(cage, taggedPtr, 2), ptr);
-    } else
-        CHECK_EQ(invoke<void*>(cage, taggedPtr, 2), ptr);
-
-    CHECK_EQ(invoke<void*>(cage, taggedPtr, 1), ptr);
-
-    auto cageWithoutAuthentication = compile([] (CCallHelpers& jit) {
-        jit.emitFunctionPrologue();
-        jit.cageWithoutUntagging(Gigacage::Primitive, GPRInfo::argumentGPR0);
-        jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR);
-        jit.emitFunctionEpilogue();
-        jit.ret();
-    });
-
-    if (isARM64E()) {
-        // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now.
-        CHECK_NOT_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr);
-    } else
-        CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr);
-
-    CHECK_EQ(untagArrayPtr(taggedPtr, 1), ptr);
-    CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 1)), ptr);
-
-    Gigacage::free(Gigacage::Primitive, ptr);
 }
 
@@ -1140 +1089 @@
     RUN(testMoveDoubleConditionally64());
 
-    RUN(testCagePreservesPACFailureBit());
-
     if (tasks.isEmpty())
         usage();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -2874 +2874 @@
 
             JITCompiler::Jump hasNullVector;
-#if CPU(ARM64E)
+#if !GIGACAGE_ENABLED && CPU(ARM64E)
             {
                 GPRReg scratch = m_jit.scratchRegister();
@@ -2883 +2883 @@
                 hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch);
             }
-#else // CPU(ARM64E)
+#else // !GIGACAGE_ENABLED && CPU(ARM64E)
             hasNullVector = m_jit.branchTestPtr(
                 MacroAssembler::Zero,
@@ -6761 +6761 @@
 void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
 {
-#if CPU(ARM64E)
-    m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
-#else
-    UNUSED_PARAM(baseReg);
-    UNUSED_PARAM(storageReg);
-#endif
-
 #if GIGACAGE_ENABLED
     UNUSED_PARAM(baseReg);
@@ -6780 +6773 @@
     }
     
-    m_jit.cageWithoutUntagging(Gigacage::Primitive, storageReg);
+    m_jit.cage(Gigacage::Primitive, storageReg);
+#elif CPU(ARM64E)
+    m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
+#else
+    UNUSED_PARAM(baseReg);
+    UNUSED_PARAM(storageReg);
 #endif
 }
@@ -6844 +6842 @@
 
     m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
-    m_jit.cageWithoutUntagging(Gigacage::JSValue, dataGPR);
+    m_jit.cage(Gigacage::JSValue, dataGPR);
 
     cageTypedArrayStorage(baseGPR, vectorGPR);
@@ -9848 +9846 @@
     m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit);
     done.link(&m_jit);
-#if CPU(ARM64E)
+#if !GIGACAGE_ENABLED && CPU(ARM64E)
     // sizeGPR is still boxed as a number and there is no 32-bit variant of the PAC instructions.
     m_jit.zeroExtend32ToPtr(sizeGPR, scratchGPR);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -6486 +6486 @@
                 m_heaps.typedArrayProperties);
 
-#if CPU(ARM64E)
+#if !GIGACAGE_ENABLED && CPU(ARM64E)
             {
                 LValue sizePtr = m_out.zeroExtPtr(size);
@@ -14158 +14158 @@
     LValue caged(Gigacage::Kind kind, LValue ptr, LValue base)
     {
-#if CPU(ARM64E)
-        if (kind == Gigacage::Primitive) {
-            LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
-            ptr = untagArrayPtr(ptr, size);
-        }
-#else
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(base);
-#endif
-
 #if GIGACAGE_ENABLED
         UNUSED_PARAM(base);
@@ -14186 +14176 @@
         LValue result = m_out.add(masked, basePtr);
 
-#if CPU(ARM64E)
-        {
-            PatchpointValue* merge = m_out.patchpoint(pointerType());
-            merge->append(result, B3::ValueRep(B3::ValueRep::SomeLateRegister));
-            merge->appendSomeRegister(ptr);
-            merge->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
-                jit.move(params[2].gpr(), params[0].gpr());
-                jit.bitFieldInsert64(params[1].gpr(), 0, 64 - MacroAssembler::numberOfPACBits, params[0].gpr());
-            });
-            result = merge;
-        }
-#endif
         // Make sure that B3 doesn't try to do smart reassociation of these pointer bits.
         // FIXME: In an ideal world, B3 would not do harmful reassociations, and if it did, it would be able
@@ -14210 +14188 @@
         // https://bugs.webkit.org/show_bug.cgi?id=175493
         return m_out.opaque(result);
+#elif CPU(ARM64E)
+        if (kind == Gigacage::Primitive) {
+            LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
+            return untagArrayPtr(ptr, size);
+        }
+
+        return ptr;
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(base);
+        return ptr;
 #endif
-        return ptr;
     }
     

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1555 +1555 @@
         ok.link(this);
     }
-
-    void cageWithoutUntagging(Gigacage::Kind kind, GPRReg storage)
+    
+    void cage(Gigacage::Kind kind, GPRReg storage)
     {
 #if GIGACAGE_ENABLED
         if (!Gigacage::isEnabled(kind))
             return;
-
-#if CPU(ARM64E)
-        RegisterID tempReg = InvalidGPRReg;
-        if (kind == Gigacage::Primitive) {
-            tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
-            move(storage, tempReg);
-            // Flip the registers since bitFieldInsert only inserts into the low bits.
-            std::swap(storage, tempReg);
-        }
-#endif
+        
         andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
         addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
-#if CPU(ARM64E)
-        if (kind == Gigacage::Primitive)
-            bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg);
-#endif
-
 #else
         UNUSED_PARAM(kind);
@@ -1583 +1569 @@
 #endif
     }
-
-    // length may be the same register as scratch.
-    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch)
-    {
-#if CPU(ARM64E)
-        if (kind == Gigacage::Primitive)
-            untagArrayPtr(length, storage);
-#else
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(storage);
-        UNUSED_PARAM(length);
-#endif
-
+    
+    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength)
+    {
 #if GIGACAGE_ENABLED
         if (!Gigacage::isEnabled(kind))
@@ -1601 +1577 @@
         
         if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
-            cageWithoutUntagging(kind, storage);
-        else {
-            loadPtr(&Gigacage::basePtr(kind), scratch);
-            Jump done = branchTestPtr(Zero, scratch);
-#if CPU(ARM64E)
-            auto tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
-            move(storage, tempReg);
-            andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg);
-            addPtr(scratch, tempReg);
-            bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage);
-#else
-            andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
-            addPtr(scratch, storage);
-#endif
-            done.link(this);
-
-
-        }
-#else
-        UNUSED_PARAM(scratch);
-#endif
-
+            return cage(kind, storage);
+        
+        loadPtr(&Gigacage::basePtr(kind), scratchOrLength);
+        Jump done = branchTestPtr(Zero, scratchOrLength);
+        andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
+        addPtr(scratchOrLength, storage);
+        done.link(this);
+#elif CPU(ARM64E)
+        if (kind == Gigacage::Primitive)
+            untagArrayPtr(scratchOrLength, storage);
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+        UNUSED_PARAM(scratchOrLength);
+#endif
     }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1673 +1673 @@
     slowCases.append(branch32(AboveOrEqual, property, scratch2));
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
-    cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
 
     switch (elementSize(type)) {
@@ -1737 +1737 @@
     slowCases.append(branch32(AboveOrEqual, property, scratch2));
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
-    cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
     switch (elementSize(type)) {
@@ -1802 +1802 @@
     // path expects the base to be unclobbered.
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
     if (isClamped(type)) {
@@ -1891 +1891 @@
     // path expects the base to be unclobbered.
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
     switch (elementSize(type)) {

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -77 +77 @@
 #  - pc holds the (native) program counter on 32-bits ARM architectures (ARMv7)
 #
-#  - t0, t1, t2, t3, t4, and optionally t5, t6, and t7 are temporary registers that can get trashed on
+#  - t0, t1, t2, t3, t4 and optionally t5 are temporary registers that can get trashed on
 #  calls, and are pairwise distinct registers. t4 holds the JS program counter, so use
 #  with caution in opcodes (actually, don't use it in opcodes at all, except as PC).

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -435 +435 @@
 macro loadCagedPrimitive(source, dest, scratchOrLength)
     loadp source, dest
-    if ARM64E
-        const result = t7
+    if GIGACAGE_ENABLED
+        uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength)
+    elsif ARM64E
         untagArrayPtr scratchOrLength, dest
-        move dest, result
-    else
-        const result = dest
-    end
-    if GIGACAGE_ENABLED
-        uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, result, scratchOrLength)
-        if ARM64E
-            const numberOfPACBits = constexpr MacroAssembler::numberOfPACBits
-            bfiq result, 0, 64 - numberOfPACBits, dest
-        end
     end
 end

trunk/Source/JavaScriptCore/offlineasm/arm64.rb

@@ -127 +127 @@
         when 't6'
           arm64GPRName('x6', kind)
-        when 't7'
-          arm64GPRName('x7', kind)
         when 'cfr'
             arm64GPRName('x29', kind)
@@ -1022 +1020 @@
         when "memfence"
             $asm.puts "dmb sy"
-        when "bfiq"
-            $asm.puts "bfi #{operands[3].arm64Operand(:quad)}, #{operands[0].arm64Operand(:quad)}, #{operands[1].value}, #{operands[2].value}"
         when "pcrtoaddr"
             $asm.puts "adr #{operands[1].arm64Operand(:quad)}, #{operands[0].value}"

trunk/Source/JavaScriptCore/offlineasm/instructions.rb

@@ -274 +274 @@
 ARM64_INSTRUCTIONS =
     [
-     "bfiq", # Bit field insert <source reg> <last bit written> <width immediate> <dest reg>
      "pcrtoaddr",   # Address from PC relative offset - adr instruction
      "nopFixCortexA53Err835769", # nop on Cortex-A53 (nothing otherwise)

trunk/Source/JavaScriptCore/offlineasm/registers.rb

@@ -33 +33 @@
      "t5",
      "t6",
-     "t7",
      "cfr",
      "a0",

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -849 +849 @@
 
         patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
-            AllowMacroScratchRegisterUsage allowScratch(jit);
+            RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
+            AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
             GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
             GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
@@ -856 +857 @@
             jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
         });
 
@@ -1988 +1989 @@
             jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
         });
 

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -492 +492 @@
         patchpoint->append(instance, ValueRep::SomeRegister);
         patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
-            AllowMacroScratchRegisterUsage allowScratch(jit);
+            RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
+            AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
             GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
             GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
@@ -499 +500 @@
             jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
         });
     }
@@ -1401 +1402 @@
             jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
         });
         doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);

trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp

@@ -68 +68 @@
     // Set up the callee's baseMemory register as well as the memory size registers.
     {
-        GPRReg scratchOrSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);
+        GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);
 
         jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
         jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     }
 

trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

@@ -229 +229 @@
 
         jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
+        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     }
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

@@ -424 +424 @@
 
         jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
+        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     }
 

trunk/Source/bmalloc/ChangeLog

@@ +1 @@
+2019-06-09  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r246150, r246160, and r246166.
+        https://bugs.webkit.org/show_bug.cgi?id=198698
+
+        Regresses page loading time on iOS 13 (Requested by keith_m__
+        on #webkit).
+
+        Reverted changesets:
+
+        "Reenable Gigacage on ARM64."
+        https://bugs.webkit.org/show_bug.cgi?id=198453
+        https://trac.webkit.org/changeset/246150
+
+        "Unrevied build fix for FTL without Gigacage."
+        https://trac.webkit.org/changeset/246160
+
+        "Fix typo in cageWithoutUntagging"
+        https://bugs.webkit.org/show_bug.cgi?id=198617
+        https://trac.webkit.org/changeset/246166
+
 2019-06-06  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/bmalloc/bmalloc/Gigacage.h

@@ -35 +35 @@
 #include <inttypes.h>
 
-#if ((BOS(DARWIN) || BOS(LINUX)) && \
-    (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))))
+#if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64))
 #define GIGACAGE_ENABLED 1
 #else