Merge mozilla-central to autoland.
authorCosmin Sabou <csabou@mozilla.com>
Fri, 02 Aug 2019 19:05:40 +0300
changeset 485986 cc5b3d1d6869db8c61a46f87b635386279503329
parent 485969 fa992fc16bf6e1cbfaaa077feed1aea95f4d64e2 (current diff)
parent 485985 c0b4e42898753dfb4537cb39d03125e7a32a224c (diff)
child 485987 1f622156e9eab1d2c58d5d77bb5908fcc83db253
push id91567
push usercsabou@mozilla.com
push dateFri, 02 Aug 2019 16:05:38 +0000
milestone70.0a1
Merge mozilla-central to autoland.
security/nss/lib/freebl/aes-armv8.c
security/nss/lib/freebl/aes-armv8.h
--- a/build/build-clang/build-clang.py
+++ b/build/build-clang/build-clang.py
@@ -1,75 +1,90 @@
-#!/usr/bin/python2.7
+#!/usr/bin/python3
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
+# Only necessary for flake8 to be happy...
+from __future__ import print_function
+
 import os
 import os.path
 import shutil
 import subprocess
 import platform
 import json
 import argparse
 import fnmatch
 import glob
 import errno
 import re
 import sys
 from contextlib import contextmanager
 from distutils.dir_util import copy_tree
 
-from mozfile import which
+from shutil import which
 
 URL_REPO = "https://github.com/llvm/llvm-project"
 
 
 def symlink(source, link_name):
     os_symlink = getattr(os, "symlink", None)
     if callable(os_symlink):
         os_symlink(source, link_name)
     else:
         if os.path.isdir(source):
             # Fall back to copying the directory :(
             copy_tree(source, link_name)
 
 
 def check_run(args):
-    print >> sys.stderr, ' '.join(args)
-    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-    # CMake `message(STATUS)` messages, as appearing in failed source code
-    # compiles, appear on stdout, so we only capture that.
-    (out, _) = p.communicate()
-    r = p.returncode
-    if r != 0:
-        cmake_output_re = re.compile("See also \"(.*/CMakeOutput.log)\"")
-        cmake_error_re = re.compile("See also \"(.*/CMakeError.log)\"")
-        output_match = cmake_output_re.search(out)
-        error_match = cmake_error_re.search(out)
+    print(' '.join(args), file=sys.stderr)
+    if args[0] == 'cmake':
+        # CMake `message(STATUS)` messages, as appearing in failed source code
+        # compiles, appear on stdout, so we only capture that.
+        p = subprocess.Popen(args, stdout=subprocess.PIPE)
+        lines = []
+        for line in p.stdout:
+            lines.append(line)
+            sys.stdout.write(line.decode())
+            sys.stdout.flush()
+        r = p.wait()
+        if r != 0:
+            cmake_output_re = re.compile("See also \"(.*/CMakeOutput.log)\"")
+            cmake_error_re = re.compile("See also \"(.*/CMakeError.log)\"")
 
-        print >> sys.stderr, out
+            def find_first_match(re):
+                for l in lines:
+                    match = re.search(l)
+                    if match:
+                        return match
+
+            output_match = find_first_match(cmake_output_re)
+            error_match = find_first_match(cmake_error_re)
 
-        def dump_file(log):
-            with open(log, 'rb') as f:
-                print >> sys.stderr, "\nContents of", log, "follow\n"
-                print >> sys.stderr, f.read()
-        if output_match:
-            dump_file(output_match.group(1))
-        if error_match:
-            dump_file(error_match.group(1))
+            def dump_file(log):
+                with open(log, 'rb') as f:
+                    print("\nContents of", log, "follow\n", file=sys.stderr)
+                    print(f.read(), file=sys.stderr)
+            if output_match:
+                dump_file(output_match.group(1))
+            if error_match:
+                dump_file(error_match.group(1))
+    else:
+        r = subprocess.call(args)
     assert r == 0
 
 
 def run_in(path, args):
     d = os.getcwd()
-    print >> sys.stderr, 'cd "%s"' % path
+    print('cd "%s"' % path, file=sys.stderr)
     os.chdir(path)
     check_run(args)
-    print >> sys.stderr, 'cd "%s"' % d
+    print('cd "%s"' % d, file=sys.stderr)
     os.chdir(d)
 
 
 def patch(patch, srcdir):
     patch = os.path.realpath(patch)
     check_run(['patch', '-d', srcdir, '-p1', '-i', patch, '--fuzz=0',
                '-s'])
 
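Review bot: On the cmake failure path of `check_run`, `lines` holds the bytes read from `p.stdout`, while `cmake_output_re` and `cmake_error_re` are compiled from str patterns, so `re.search(l)` in `find_first_match` raises TypeError under Python 3 before either log is dumped. Decoding once as the line is read keeps both uses consistent: `line = line.decode(errors='replace')`, then `lines.append(line)` and `sys.stdout.write(line)`. `dump_file` has a related problem: it opens the log with `'rb'` and prints `f.read()`, which emits a bytes repr instead of the log text, so it should open in text mode. The parameter name `re` in `find_first_match` shadows the `re` module and would read better as `pattern`. The closing `assert r == 0` is skipped when the interpreter runs with `-O`; an explicit `if r != 0: sys.exit(r)` would always stop the build on a failed command.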
@@ -91,17 +106,17 @@ def build_package(package_build_dir, cma
     # arguments, so we need to re-run it.  Make sure the cached copy of the
     # previous CMake run is cleared before running it again.
     if os.path.exists(package_build_dir + "/CMakeCache.txt"):
         os.remove(package_build_dir + "/CMakeCache.txt")
     if os.path.exists(package_build_dir + "/CMakeFiles"):
         shutil.rmtree(package_build_dir + "/CMakeFiles")
 
     run_in(package_build_dir, ["cmake"] + cmake_args)
-    run_in(package_build_dir, ["ninja", "install"])
+    run_in(package_build_dir, ["ninja", "install", "-v"])
 
 
 @contextmanager
 def updated_env(env):
     old_env = os.environ.copy()
     os.environ.update(env)
     yield
     os.environ.clear()
@@ -157,17 +172,17 @@ def install_libgcc(gcc_dir, clang_dir, i
     if not is_final_stage:
         x64_bin_dir = os.path.join(clang_dir, 'x86_64-unknown-linux-gnu', 'bin')
         mkdir_p(x64_bin_dir)
         shutil.copy2(os.path.join(gcc_bin_dir, 'ld'), x64_bin_dir)
 
     out = subprocess.check_output([os.path.join(gcc_bin_dir, "gcc"),
                                    '-print-libgcc-file-name'])
 
-    libgcc_dir = os.path.dirname(out.rstrip())
+    libgcc_dir = os.path.dirname(out.decode().rstrip())
     clang_lib_dir = os.path.join(clang_dir, "lib", "gcc",
                                  "x86_64-unknown-linux-gnu",
                                  os.path.basename(libgcc_dir))
     mkdir_p(clang_lib_dir)
     copy_tree(libgcc_dir, clang_lib_dir)
     libgcc_dir = os.path.join(gcc_dir, "lib64")
     clang_lib_dir = os.path.join(clang_dir, "lib")
     copy_tree(libgcc_dir, clang_lib_dir)
@@ -335,17 +350,17 @@ def build_one_stage(cc, cxx, asm, ld, ar
     # make that work.
     if is_final_stage and android_targets:
         cmake_args += [
             "-DLLVM_LIBDIR_SUFFIX=64",
         ]
 
         android_link_flags = "-fuse-ld=lld"
 
-        for target, cfg in android_targets.iteritems():
+        for target, cfg in android_targets.items():
             sysroot_dir = cfg["ndk_sysroot"]
             android_gcc_dir = cfg["ndk_toolchain"]
             android_include_dirs = cfg["ndk_includes"]
             api_level = cfg["api_level"]
 
             android_flags = ["-isystem %s" % d for d in android_include_dirs]
             android_flags += ["--gcc-toolchain=%s" % android_gcc_dir]
             android_flags += ["-D__ANDROID_API__=%s" % api_level]
@@ -652,26 +667,26 @@ if __name__ == "__main__":
         gcc_dir = config["gcc_dir"]
         if not os.path.exists(gcc_dir):
             raise ValueError("gcc_dir must point to an existing path")
     ndk_dir = None
     android_targets = None
     if "android_targets" in config:
         android_targets = config["android_targets"]
         for attr in ("ndk_toolchain", "ndk_sysroot", "ndk_includes", "api_level"):
-            for target, cfg in android_targets.iteritems():
+            for target, cfg in android_targets.items():
                 if attr not in cfg:
                     raise ValueError("must specify '%s' as a key for android target: %s" %
                                      (attr, target))
     extra_targets = None
     if "extra_targets" in config:
         extra_targets = config["extra_targets"]
         if not isinstance(extra_targets, list):
             raise ValueError("extra_targets must be a list")
-        if not all(isinstance(t, (str, unicode)) for t in extra_targets):
+        if not all(isinstance(t, str) for t in extra_targets):
             raise ValueError("members of extra_targets should be strings")
     if is_linux() and gcc_dir is None:
         raise ValueError("Config file needs to set gcc_dir")
     cc = get_tool(config, "cc")
     cxx = get_tool(config, "cxx")
     asm = get_tool(config, "ml" if is_windows() else "as")
     ld = get_tool(config, "link" if is_windows() else "ld")
     ar = get_tool(config, "lib" if is_windows() else "ar")
--- a/build/clang-plugin/ThirdPartyPaths.py
+++ b/build/clang-plugin/ThirdPartyPaths.py
@@ -1,9 +1,9 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 import json
 
 
 def generate(output, tpp_txt):
     """
     This file generates a ThirdPartyPaths.cpp file from the ThirdPartyPaths.txt
     file in /tools/rewriting, which is used by the Clang Plugin to help identify
--- a/build/clang-plugin/import_mozilla_checks.py
+++ b/build/clang-plugin/import_mozilla_checks.py
@@ -1,9 +1,9 @@
-#!/usr/bin/python2.7
+#!/usr/bin/python3
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 import os
 import sys
 import glob
 import shutil
@@ -29,19 +29,18 @@ def copy_dir_contents(src, dest):
                 else:
                     os.remove(destname)
                     shutil.copy2(f, destname)
             else:
                 raise Exception('Directory not copied. Error: %s' % e)
 
 
 def write_cmake(module_path):
-    names = map(lambda f: '  ' + os.path.basename(f),
-                glob.glob("%s/*.cpp" % module_path))
-    with open(os.path.join(module_path, 'CMakeLists.txt'), 'wb') as f:
+    names = ['  ' + os.path.basename(f) for f in glob.glob("%s/*.cpp" % module_path)]
+    with open(os.path.join(module_path, 'CMakeLists.txt'), 'w') as f:
         f.write("""set(LLVM_LINK_COMPONENTS support)
 
 add_definitions( -DCLANG_TIDY )
 add_definitions( -DHAVE_NEW_ASTMATCHER_NAMES )
 
 add_clang_library(clangTidyMozillaModule
   ThirdPartyPaths.cpp
 %(names)s
@@ -71,23 +70,23 @@ def add_item_to_cmake_section(cmake_path
         elif seen_target_libs:
             if line.find(')') > -1:
                 break
             else:
                 libs.append(line.strip())
     libs.append(library)
     libs = sorted(libs, key=lambda s: s.lower())
 
-    with open(cmake_path, 'wb') as f:
+    with open(cmake_path, 'w') as f:
         seen_target_libs = False
         for line in lines:
             if line.find(section) > -1:
                 seen_target_libs = True
                 f.write(line)
-                f.writelines(map(lambda p: '  ' + p + '\n', libs))
+                f.writelines(['  ' + p + '\n' for p in libs])
                 continue
             elif seen_target_libs:
                 if line.find(')') > -1:
                     seen_target_libs = False
                 else:
                     continue
             f.write(line)
 
--- a/build/unix/build-hfsplus/build-hfsplus.sh
+++ b/build/unix/build-hfsplus/build-hfsplus.sh
@@ -3,43 +3,31 @@
 # hfsplus needs to be rebuilt when changing the clang version used to build it.
 # Until bug 1471905 is addressed, increase the following number
 # when that happens: 1
 
 set -e
 set -x
 
 hfplus_version=540.1.linux3
-md5sum=0435afc389b919027b69616ad1b05709
-filename=diskdev_cmds-${hfplus_version}.tar.gz
+dirname=diskdev_cmds-${hfplus_version}
 make_flags="-j$(nproc)"
 
 root_dir="$1"
 if [ -z "$root_dir" -o ! -d "$root_dir" ]; then
   root_dir=$(mktemp -d)
 fi
 cd $root_dir
 
 if test -z $TMPDIR; then
   TMPDIR=/tmp/
 fi
 
-# Set an md5 check file to validate input
-echo "${md5sum} *${TMPDIR}/${filename}" > $TMPDIR/hfsplus.MD5
-
-# Most-upstream is https://opensource.apple.com/source/diskdev_cmds/
-
-# Download the source of the specified version of hfsplus
-wget -c --progress=dot:mega -P $TMPDIR https://src.fedoraproject.org/repo/pkgs/hfsplus-tools/${filename}/${md5sum}/${filename} || exit 1
-md5sum -c $TMPDIR/hfsplus.MD5 || exit 1
-mkdir hfsplus-source
-tar xzf $TMPDIR/${filename} -C hfsplus-source --strip-components=1
-
 # Build
-cd hfsplus-source
+cd $dirname
 # We want to statically link against libcrypto. On CentOS, that requires zlib
 # and libdl, because of FIPS functions pulling in more than necessary from
 # libcrypto (only SHA1 functions are used), but not on Debian, thus
 # --as-needed.
 patch -p1 << 'EOF'
 --- a/newfs_hfs.tproj/Makefile.lnx
 +++ b/newfs_hfs.tproj/Makefile.lnx
 @@ -6,3 +6,3 @@
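Review bot: With the download removed, the `root_dir=$(mktemp -d)` fallback now yields an empty directory, so `cd $dirname` fails under `set -e` with only a generic cd error whenever `$1` is missing or not a directory. The script now depends on the caller having unpacked `diskdev_cmds-${hfplus_version}` under `$root_dir`, and a guard before the `cd` would make that contract explicit: `[ -d "$dirname" ] || { echo "missing $dirname in $root_dir" >&2; exit 1; }`. The in-script `md5sum -c` check is gone as well, so a comment above `cd $dirname` should name the step that fetches the source and verifies its digest, for example `# Source is unpacked by <fetch step>, which checks its digest first.` The first lines of the script are outside this hunk.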
@@ -47,15 +35,15 @@ patch -p1 << 'EOF'
 -	${CC} ${CFLAGS} ${LDFLAGS} -o newfs_hfs ${OFILES} -lcrypto
 +	${CC} ${CFLAGS} ${LDFLAGS} -o newfs_hfs ${OFILES} -Wl,-Bstatic -lcrypto -Wl,-Bdynamic,--as-needed,-lz,-ldl
  
 EOF
 make $make_flags || exit 1
 cd ..
 
 mkdir hfsplus-tools
-cp hfsplus-source/newfs_hfs.tproj/newfs_hfs hfsplus-tools/newfs_hfs
+cp $dirname/newfs_hfs.tproj/newfs_hfs hfsplus-tools/newfs_hfs
 ## XXX fsck_hfs is unused, but is small and built from the package.
-cp hfsplus-source/fsck_hfs.tproj/fsck_hfs hfsplus-tools/fsck_hfs
+cp $dirname/fsck_hfs.tproj/fsck_hfs hfsplus-tools/fsck_hfs
 
 # Make a package of the built utils
 cd $root_dir
 tar caf $root_dir/hfsplus-tools.tar.xz hfsplus-tools
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-009a7163c80a
+a31fc0eefc4c
--- a/security/nss/cmd/lib/secpwd.c
+++ b/security/nss/cmd/lib/secpwd.c
@@ -61,17 +61,17 @@ SEC_GetPassword(FILE *input, FILE *outpu
 #if defined(_WINDOWS)
     int isTTY = (input == stdin);
 #define echoOn(x)
 #define echoOff(x)
 #else
     int infd = fileno(input);
     int isTTY = isatty(infd);
 #endif
-    char phrase[500] = { '\0' }; /* ensure EOF doesn't return junk */
+    char phrase[200] = { '\0' }; /* ensure EOF doesn't return junk */
 
     for (;;) {
         /* Prompt for password */
         if (isTTY) {
             fprintf(output, "%s", prompt);
             fflush(output);
             echoOff(infd);
         }
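Review bot: The passphrase buffer size is a bare `200` here and again in `PKM_FilePasswd` (pk11mode.c) and `filePasswd` (shlibsign.c), with nothing tying the three together or stating what happens to a longer passphrase. A shared named constant, or at least a comment such as `/* max passphrase length incl. NUL; keep in sync with PKM_FilePasswd and filePasswd */`, would document the limit. The code that fills `phrase` lies outside each hunk, so it is worth confirming that every read is bounded by `sizeof(phrase)` and that over-long input is rejected rather than silently truncated. In the two file-reading helpers the array is declared without an initializer, unlike the `{ '\0' }` used here.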
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -5224,17 +5224,17 @@ PKM_Digest(CK_FUNCTION_LIST_PTR pFunctio
     }
 
     return crv;
 }
 
 char *
 PKM_FilePasswd(char *pwFile)
 {
-    unsigned char phrase[500];
+    unsigned char phrase[200];
     PRFileDesc *fd;
     PRInt32 nb;
     int i;
 
     if (!pwFile)
         return 0;
 
     fd = PR_Open(pwFile, PR_RDONLY, 0);
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -609,17 +609,17 @@ cleanup:
     }
 
     return crv;
 }
 
 static char *
 filePasswd(char *pwFile)
 {
-    unsigned char phrase[500];
+    unsigned char phrase[200];
     PRFileDesc *fd;
     PRInt32 nb;
     int i;
 
     if (!pwFile)
         return 0;
 
     fd = PR_Open(pwFile, PR_RDONLY, 0);
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/gtests/softoken_gtest/softoken_gtest.cc
+++ b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
@@ -1,14 +1,13 @@
 #include "cert.h"
 #include "certdb.h"
 #include "nspr.h"
 #include "nss.h"
 #include "pk11pub.h"
-#include "secmod.h"
 #include "secerr.h"
 
 #include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
@@ -115,37 +114,16 @@ TEST_F(SoftokenTest, CreateObjectChangeP
   EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
   EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "", "password"));
   EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
   ScopedPK11GenericObject obj(PK11_CreateGenericObject(
       slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
   EXPECT_EQ(nullptr, obj);
 }
 
-/* The size limit for a password is 500 characters as defined in pkcs11i.h */
-TEST_F(SoftokenTest, CreateObjectChangeToBigPassword) {
-  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
-  ASSERT_TRUE(slot);
-  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
-  EXPECT_EQ(
-      SECSuccess,
-      PK11_ChangePW(slot.get(), "",
-                    "rUIFIFr2bxKnbJbitsfkyqttpk6vCJzlYMNxcxXcaN37gSZKbLk763X7iR"
-                    "yeVNWZHQ02lSF69HYjzTyPW3318ZD0DBFMMbALZ8ZPZP73CIo5uIQlaowV"
-                    "IbP8eOhRYtGUqoLGlcIFNEYogV8Q3GN58VeBMs0KxrIOvPQ9s8SnYYkqvt"
-                    "zzgntmAvCgvk64x6eQf0okHwegd5wi6m0WVJytEepWXkP9J629FSa5kNT8"
-                    "FvL3jvslkiImzTNuTvl32fQDXXMSc8vVk5Q3mH7trMZM0VDdwHWYERjHbz"
-                    "kGxFgp0VhediHx7p9kkz6H6ac4et9sW4UkTnN7xhYc1Zr17wRSk2heQtcX"
-                    "oZJGwuzhiKm8A8wkuVxms6zO56P4JORIk8oaUW6lyNTLo2kWWnTA"));
-  EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
-  ScopedPK11GenericObject obj(PK11_CreateGenericObject(
-      slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
-  EXPECT_EQ(nullptr, obj);
-}
-
 TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
   ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
   ASSERT_TRUE(slot);
   EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
   EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "password", ""));
   // PK11_Logout returnes an error and SEC_ERROR_TOKEN_NOT_LOGGED_IN if the user
   // is not "logged in".
   EXPECT_EQ(SECFailure, PK11_Logout(slot.get()));
@@ -282,109 +260,15 @@ TEST_F(SoftokenNoDBTest, NeedUserInitNoD
   ASSERT_TRUE(slot);
   EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get()));
 
   // When shutting down in here we have to release the slot first.
   slot = nullptr;
   ASSERT_EQ(SECSuccess, NSS_Shutdown());
 }
 
-#ifndef NSS_FIPS_DISABLED
-
-class SoftokenFipsTest : public SoftokenTest {
- protected:
-  SoftokenFipsTest() : SoftokenTest("SoftokenFipsTest.d-") {}
-
-  virtual void SetUp() {
-    SoftokenTest::SetUp();
-
-    // Turn on FIPS mode (code borrowed from FipsMode in modutil/pk11.c)
-    char *internal_name;
-    ASSERT_FALSE(PK11_IsFIPS());
-    internal_name = PR_smprintf("%s", SECMOD_GetInternalModule()->commonName);
-    ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name));
-    PR_smprintf_free(internal_name);
-    ASSERT_TRUE(PK11_IsFIPS());
-  }
-};
-
-const std::vector<std::string> kFipsPasswordCases[] = {
-    // FIPS level1 -> level1 -> level1
-    {"", "", ""},
-    // FIPS level1 -> level1 -> level2
-    {"", "", "strong-_123"},
-    // FIXME: this should work: FIPS level1 -> level2 -> level2
-    // {"", "strong-_123", "strong-_456"},
-    // FIPS level2 -> level2 -> level2
-    {"strong-_123", "strong-_456", "strong-_123"}};
-
-const std::vector<std::string> kFipsPasswordBadCases[] = {
-    // FIPS level1 -> level2 -> level1
-    {"", "strong-_123", ""},
-    // FIPS level2 -> level1 -> level1
-    {"strong-_123", ""},
-    // FIPS level2 -> level2 -> level1
-    {"strong-_123", "strong-_456", ""},
-    // initialize with a weak password
-    {"weak"},
-    // FIPS level1 -> weak password
-    {"", "weak"},
-    // FIPS level2 -> weak password
-    {"strong-_123", "weak"}};
-
-class SoftokenFipsPasswordTest
-    : public SoftokenFipsTest,
-      public ::testing::WithParamInterface<std::vector<std::string>> {};
-
-class SoftokenFipsBadPasswordTest
-    : public SoftokenFipsTest,
-      public ::testing::WithParamInterface<std::vector<std::string>> {};
-
-TEST_P(SoftokenFipsPasswordTest, SetPassword) {
-  const std::vector<std::string> &passwords = GetParam();
-  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
-  ASSERT_TRUE(slot);
-
-  auto it = passwords.begin();
-  auto prev_it = it;
-  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, (*it).c_str()));
-  for (it++; it != passwords.end(); it++, prev_it++) {
-    EXPECT_EQ(SECSuccess,
-              PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str()));
-  }
-}
-
-TEST_P(SoftokenFipsBadPasswordTest, SetBadPassword) {
-  const std::vector<std::string> &passwords = GetParam();
-  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
-  ASSERT_TRUE(slot);
-
-  auto it = passwords.begin();
-  auto prev_it = it;
-  SECStatus rv = PK11_InitPin(slot.get(), nullptr, (*it).c_str());
-  if (it + 1 == passwords.end())
-    EXPECT_EQ(SECFailure, rv);
-  else
-    EXPECT_EQ(SECSuccess, rv);
-  for (it++; it != passwords.end(); it++, prev_it++) {
-    rv = PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str());
-    if (it + 1 == passwords.end())
-      EXPECT_EQ(SECFailure, rv);
-    else
-      EXPECT_EQ(SECSuccess, rv);
-  }
-}
-
-INSTANTIATE_TEST_CASE_P(FipsPasswordCases, SoftokenFipsPasswordTest,
-                        ::testing::ValuesIn(kFipsPasswordCases));
-
-INSTANTIATE_TEST_CASE_P(BadFipsPasswordCases, SoftokenFipsBadPasswordTest,
-                        ::testing::ValuesIn(kFipsPasswordBadCases));
-
-#endif
-
 }  // namespace nss_test
 
 int main(int argc, char **argv) {
   ::testing::InitGoogleTest(&argc, argv);
 
   return RUN_ALL_TESTS();
 }
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -236,34 +236,19 @@ ifeq ($(CPU_ARCH),x86)
     DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT
     DEFINES += -DMP_IS_LITTLE_ENDIAN
 endif
 ifeq ($(CPU_ARCH),arm)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
     DEFINES += -DMP_USE_UINT_DIGIT
     DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
     MPI_SRCS += mpi_arm.c
-    ifdef CC_IS_CLANG
-        DEFINES += -DUSE_HW_AES
-        EXTRA_SRCS += aes-armv8.c
-    else ifeq (1,$(CC_IS_GCC))
-        # Old compiler doesn't support ARM AES.
-        ifneq (,$(filter 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
-            DEFINES += -DUSE_HW_AES
-            EXTRA_SRCS += aes-armv8.c
-        endif
-        ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
-            DEFINES += -DUSE_HW_AES
-            EXTRA_SRCS += aes-armv8.c
-        endif
-    endif
 endif
 ifeq ($(CPU_ARCH),aarch64)
-    DEFINES += -DUSE_HW_AES
-    EXTRA_SRCS += aes-armv8.c gcm-aarch64.c
+    EXTRA_SRCS += gcm-aarch64.c
 endif
 ifeq ($(CPU_ARCH),ppc)
 ifdef USE_64
     DEFINES += -DNSS_NO_INIT_SUPPORT
 endif # USE_64
 endif # ppc
 endif # Linux
 
@@ -771,15 +756,11 @@ endif
 
 ifdef INTEL_GCM_CLANG_CL
 #
 # clang-cl needs -mssse3
 #
 $(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3
 endif
 
-ifeq ($(CPU_ARCH),arm)
-$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
-endif
 ifeq ($(CPU_ARCH),aarch64)
-$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
 $(OBJDIR)/$(PROG_PREFIX)gcm-aarch64$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
 endif
deleted file mode 100644
--- a/security/nss/lib/freebl/aes-armv8.c
+++ /dev/null
@@ -1,1168 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "secerr.h"
-#include "rijndael.h"
-
-#if (defined(__clang__) ||                            \
-     (defined(__GNUC__) && defined(__GNUC_MINOR__) && \
-      (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8))))
-
-#ifndef __ARM_FEATURE_CRYPTO
-#error "Compiler option is invalid"
-#endif
-
-#include <arm_neon.h>
-
-SECStatus
-arm_aes_encrypt_ecb_128(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaeseq_u8(state, key1);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key2);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key3);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key4);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key5);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key6);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key7);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key8);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key9);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key10);
-        /* AddRoundKey */
-        state = veorq_u8(state, key11);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_decrypt_ecb_128(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (inputLen == 0) {
-        return SECSuccess;
-    }
-
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaesdq_u8(state, key11);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key10);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key9);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key8);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key7);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key6);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key5);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key4);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key3);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key2);
-        /* AddRoundKey */
-        state = veorq_u8(state, key1);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_encrypt_cbc_128(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11;
-    uint8x16_t iv;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    /* iv */
-    iv = vld1q_u8(__builtin_assume_aligned(cx->iv, 16));
-
-    /* expanedKey */
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        state = veorq_u8(state, iv);
-
-        /* Rounds */
-        state = vaeseq_u8(state, key1);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key2);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key3);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key4);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key5);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key6);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key7);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key8);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key9);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key10);
-        /* AddRoundKey */
-        state = veorq_u8(state, key11);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-        iv = state;
-    }
-    vst1q_u8(__builtin_assume_aligned(cx->iv, 16), iv);
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_decrypt_cbc_128(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t iv;
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    /* iv */
-    iv = vld1q_u8(__builtin_assume_aligned(cx->iv, 16));
-
-    /* expanedKey */
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state, old_state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        old_state = state;
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaesdq_u8(state, key11);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key10);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key9);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key8);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key7);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key6);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key5);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key4);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key3);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key2);
-        /* AddRoundKey */
-        state = veorq_u8(state, key1);
-
-        state = veorq_u8(state, iv);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-
-        iv = old_state;
-    }
-    vst1q_u8(__builtin_assume_aligned(cx->iv, 16), iv);
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_encrypt_ecb_192(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13;
-    PRUint8 *key = (PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaeseq_u8(state, key1);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key2);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key3);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key4);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key5);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key6);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key7);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key8);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key9);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key10);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key11);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key12);
-        /* AddRoundKey */
-        state = veorq_u8(state, key13);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_decrypt_ecb_192(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaesdq_u8(state, key13);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key12);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key11);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key10);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key9);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key8);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key7);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key6);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key5);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key4);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key3);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key2);
-        /* AddRoundKey */
-        state = veorq_u8(state, key1);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_encrypt_cbc_192(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13;
-    uint8x16_t iv;
-    PRUint8 *key = (PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    /* iv */
-    iv = vld1q_u8(cx->iv);
-
-    /* expanedKey */
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        state = veorq_u8(state, iv);
-
-        /* Rounds */
-        state = vaeseq_u8(state, key1);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key2);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key3);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key4);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key5);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key6);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key7);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key8);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key9);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key10);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key11);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key12);
-        state = veorq_u8(state, key13);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-        iv = state;
-    }
-    vst1q_u8(__builtin_assume_aligned(cx->iv, 16), iv);
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_decrypt_cbc_192(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t iv;
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    /* iv */
-    iv = vld1q_u8(__builtin_assume_aligned(cx->iv, 16));
-
-    /* expanedKey */
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state, old_state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        old_state = state;
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaesdq_u8(state, key13);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key12);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key11);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key10);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key9);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key8);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key7);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key6);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key5);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key4);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key3);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key2);
-        /* AddRoundKey */
-        state = veorq_u8(state, key1);
-
-        state = veorq_u8(state, iv);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-
-        iv = old_state;
-    }
-    vst1q_u8(__builtin_assume_aligned(cx->iv, 16), iv);
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_encrypt_ecb_256(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13, key14, key15;
-    PRUint8 *key = (PRUint8 *)cx->expandedKey;
-
-    if (inputLen == 0) {
-        return SECSuccess;
-    }
-
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-    key14 = vld1q_u8(__builtin_assume_aligned(key + 208, 16));
-    key15 = vld1q_u8(__builtin_assume_aligned(key + 224, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaeseq_u8(state, key1);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key2);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key3);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key4);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key5);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key6);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key7);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key8);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key9);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key10);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key11);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key12);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key13);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key14);
-        /* AddRoundKey */
-        state = veorq_u8(state, key15);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_decrypt_ecb_256(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13, key14, key15;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-    key14 = vld1q_u8(__builtin_assume_aligned(key + 208, 16));
-    key15 = vld1q_u8(__builtin_assume_aligned(key + 224, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaesdq_u8(state, key15);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key14);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key13);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key12);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key11);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key10);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key9);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key8);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key7);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key6);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key5);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key4);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key3);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key2);
-        /* AddRoundKey */
-        state = veorq_u8(state, key1);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_encrypt_cbc_256(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13, key14, key15;
-    uint8x16_t iv;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    /* iv */
-    iv = vld1q_u8(cx->iv);
-
-    /* expanedKey */
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-    key14 = vld1q_u8(__builtin_assume_aligned(key + 208, 16));
-    key15 = vld1q_u8(__builtin_assume_aligned(key + 224, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        input += 16;
-        inputLen -= 16;
-
-        state = veorq_u8(state, iv);
-
-        /* Rounds */
-        state = vaeseq_u8(state, key1);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key2);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key3);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key4);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key5);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key6);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key7);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key8);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key9);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key10);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key11);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key12);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key13);
-        state = vaesmcq_u8(state);
-        state = vaeseq_u8(state, key14);
-        /* AddRoundKey */
-        state = veorq_u8(state, key15);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-        iv = state;
-    }
-    vst1q_u8(__builtin_assume_aligned(cx->iv, 16), iv);
-
-    return SECSuccess;
-}
-
-SECStatus
-arm_aes_decrypt_cbc_256(AESContext *cx, unsigned char *output,
-                        unsigned int *outputLen,
-                        unsigned int maxOutputLen,
-                        const unsigned char *input,
-                        unsigned int inputLen,
-                        unsigned int blocksize)
-{
-#if !defined(HAVE_UNALIGNED_ACCESS)
-    pre_align unsigned char buf[16] post_align;
-#endif
-    uint8x16_t iv;
-    uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
-    uint8x16_t key11, key12, key13, key14, key15;
-    const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
-
-    if (!inputLen) {
-        return SECSuccess;
-    }
-
-    /* iv */
-    iv = vld1q_u8(cx->iv);
-
-    /* expanedKey */
-    key1 = vld1q_u8(__builtin_assume_aligned(key, 16));
-    key2 = vld1q_u8(__builtin_assume_aligned(key + 16, 16));
-    key3 = vld1q_u8(__builtin_assume_aligned(key + 32, 16));
-    key4 = vld1q_u8(__builtin_assume_aligned(key + 48, 16));
-    key5 = vld1q_u8(__builtin_assume_aligned(key + 64, 16));
-    key6 = vld1q_u8(__builtin_assume_aligned(key + 80, 16));
-    key7 = vld1q_u8(__builtin_assume_aligned(key + 96, 16));
-    key8 = vld1q_u8(__builtin_assume_aligned(key + 112, 16));
-    key9 = vld1q_u8(__builtin_assume_aligned(key + 128, 16));
-    key10 = vld1q_u8(__builtin_assume_aligned(key + 144, 16));
-    key11 = vld1q_u8(__builtin_assume_aligned(key + 160, 16));
-    key12 = vld1q_u8(__builtin_assume_aligned(key + 176, 16));
-    key13 = vld1q_u8(__builtin_assume_aligned(key + 192, 16));
-    key14 = vld1q_u8(__builtin_assume_aligned(key + 208, 16));
-    key15 = vld1q_u8(__builtin_assume_aligned(key + 224, 16));
-
-    while (inputLen > 0) {
-        uint8x16_t state, old_state;
-#if defined(HAVE_UNALIGNED_ACCESS)
-        state = vld1q_u8(input);
-#else
-        if ((uintptr_t)input & 0x7) {
-            memcpy(buf, input, 16);
-            state = vld1q_u8(__builtin_assume_aligned(buf, 16));
-        } else {
-            state = vld1q_u8(__builtin_assume_aligned(input, 8));
-        }
-#endif
-        old_state = state;
-        input += 16;
-        inputLen -= 16;
-
-        /* Rounds */
-        state = vaesdq_u8(state, key15);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key14);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key13);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key12);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key11);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key10);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key9);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key8);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key7);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key6);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key5);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key4);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key3);
-        state = vaesimcq_u8(state);
-        state = vaesdq_u8(state, key2);
-        /* AddRoundKey */
-        state = veorq_u8(state, key1);
-
-        state = veorq_u8(state, iv);
-
-#if defined(HAVE_UNALIGNED_ACCESS)
-        vst1q_u8(output, state);
-#else
-        if ((uintptr_t)output & 0x7) {
-            vst1q_u8(__builtin_assume_aligned(buf, 16), state);
-            memcpy(output, buf, 16);
-        } else {
-            vst1q_u8(__builtin_assume_aligned(output, 8), state);
-        }
-#endif
-        output += 16;
-
-        iv = old_state;
-    }
-    vst1q_u8(__builtin_assume_aligned(cx->iv, 16), iv);
-
-    return SECSuccess;
-}
-
-#endif
deleted file mode 100644
--- a/security/nss/lib/freebl/aes-armv8.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-SECStatus arm_aes_encrypt_ecb_128(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_decrypt_ecb_128(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_encrypt_cbc_128(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_decrypt_cbc_128(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_encrypt_ecb_192(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_decrypt_ecb_192(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_encrypt_cbc_192(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_decrypt_cbc_192(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_encrypt_ecb_256(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_decrypt_ecb_256(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_encrypt_cbc_256(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-SECStatus arm_aes_decrypt_cbc_256(AESContext *cx, unsigned char *output,
-                                  unsigned int *outputLen,
-                                  unsigned int maxOutputLen,
-                                  const unsigned char *input,
-                                  unsigned int inputLen,
-                                  unsigned int blocksize);
-
-#define native_aes_ecb_worker(encrypt, keysize)                          \
-    ((encrypt)                                                           \
-         ? ((keysize) == 16 ? arm_aes_encrypt_ecb_128                    \
-                            : (keysize) == 24 ? arm_aes_encrypt_ecb_192  \
-                                              : arm_aes_encrypt_ecb_256) \
-         : ((keysize) == 16 ? arm_aes_decrypt_ecb_128                    \
-                            : (keysize) == 24 ? arm_aes_decrypt_ecb_192  \
-                                              : arm_aes_decrypt_ecb_256))
-
-#define native_aes_cbc_worker(encrypt, keysize)                          \
-    ((encrypt)                                                           \
-         ? ((keysize) == 16 ? arm_aes_encrypt_cbc_128                    \
-                            : (keysize) == 24 ? arm_aes_encrypt_cbc_192  \
-                                              : arm_aes_encrypt_cbc_256) \
-         : ((keysize) == 16 ? arm_aes_decrypt_cbc_128                    \
-                            : (keysize) == 24 ? arm_aes_decrypt_cbc_192  \
-                                              : arm_aes_decrypt_cbc_256))
-
-#define native_aes_init(encrypt, keysize)           \
-    do {                                            \
-        if (encrypt) {                              \
-            rijndael_key_expansion(cx, key, Nk);    \
-        } else {                                    \
-            rijndael_invkey_expansion(cx, key, Nk); \
-        }                                           \
-    } while (0)
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -128,45 +128,16 @@
       'cflags': [
         '-march=armv8-a+crypto'
       ],
       'cflags_mozilla': [
         '-march=armv8-a+crypto'
       ]
     },
     {
-      'target_name': 'armv8_c_lib',
-      'type': 'static_library',
-      'sources': [
-        'aes-armv8.c',
-      ],
-      'dependencies': [
-        '<(DEPTH)/exports.gyp:nss_exports'
-      ],
-      'conditions': [
-        [ 'target_arch=="arm"', {
-          'cflags': [
-            '-march=armv8-a',
-            '-mfpu=crypto-neon-fp-armv8'
-          ],
-          'cflags_mozilla': [
-            '-march=armv8-a',
-            '-mfpu=crypto-neon-fp-armv8'
-          ],
-        }, 'target_arch=="arm64" or target_arch=="aarch64"', {
-          'cflags': [
-            '-march=armv8-a+crypto'
-          ],
-          'cflags_mozilla': [
-            '-march=armv8-a+crypto'
-          ],
-        }]
-      ]
-    },
-    {
       'target_name': 'freebl',
       'type': 'static_library',
       'sources': [
         'loader.c'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports'
       ]
@@ -184,20 +155,16 @@
         '<(DEPTH)/exports.gyp:nss_exports',
         'hw-acc-crypto',
       ],
       'conditions': [
         [ 'target_arch=="ia32" or target_arch=="x64"', {
           'dependencies': [
             'gcm-aes-x86_c_lib',
           ],
-        }, 'target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64"', {
-          'dependencies': [
-            'armv8_c_lib'
-          ],
         }],
         [ 'target_arch=="arm64" or target_arch=="aarch64"', {
           'dependencies': [
             'gcm-aes-aarch64_c_lib',
           ],
         }],
         [ 'OS=="linux"', {
           'defines!': [
@@ -230,20 +197,16 @@
         '<(DEPTH)/exports.gyp:nss_exports',
         'hw-acc-crypto',
       ],
       'conditions': [
         [ 'target_arch=="ia32" or target_arch=="x64"', {
           'dependencies': [
             'gcm-aes-x86_c_lib',
           ]
-        }, 'target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64"', {
-          'dependencies': [
-            'armv8_c_lib',
-          ],
         }],
         [ 'target_arch=="arm64" or target_arch=="aarch64"', {
           'dependencies': [
             'gcm-aes-aarch64_c_lib',
           ],
         }],
         [ 'OS!="linux"', {
           'conditions': [
@@ -461,22 +424,16 @@
           }],
           [ 'target_arch=="arm"', {
             'defines': [
               'MP_ASSEMBLY_MULTIPLY',
               'MP_ASSEMBLY_SQUARE',
               'MP_USE_UINT_DIGIT',
               'SHA_NO_LONG_LONG',
               'ARMHF',
-              'USE_HW_AES',
-            ],
-          }],
-          [ 'target_arch=="arm64" or target_arch=="aarch64"', {
-            'defines': [
-              'USE_HW_AES',
             ],
           }],
         ],
       }],
     ],
   },
   'variables': {
     'module': 'nss',
--- a/security/nss/lib/freebl/intel-aes.h
+++ b/security/nss/lib/freebl/intel-aes.h
@@ -95,40 +95,40 @@ SECStatus intel_aes_decrypt_cbc_256(AESC
                                     unsigned int blocksize);
 SECStatus intel_aes_encrypt_ctr_256(CTRContext *cx, unsigned char *output,
                                     unsigned int *outputLen,
                                     unsigned int maxOutputLen,
                                     const unsigned char *input,
                                     unsigned int inputLen,
                                     unsigned int blocksize);
 
-#define native_aes_ecb_worker(encrypt, keysize)                            \
+#define intel_aes_ecb_worker(encrypt, keysize)                             \
     ((encrypt)                                                             \
          ? ((keysize) == 16 ? intel_aes_encrypt_ecb_128                    \
                             : (keysize) == 24 ? intel_aes_encrypt_ecb_192  \
                                               : intel_aes_encrypt_ecb_256) \
          : ((keysize) == 16 ? intel_aes_decrypt_ecb_128                    \
                             : (keysize) == 24 ? intel_aes_decrypt_ecb_192  \
                                               : intel_aes_decrypt_ecb_256))
 
-#define native_aes_cbc_worker(encrypt, keysize)                            \
+#define intel_aes_cbc_worker(encrypt, keysize)                             \
     ((encrypt)                                                             \
          ? ((keysize) == 16 ? intel_aes_encrypt_cbc_128                    \
                             : (keysize) == 24 ? intel_aes_encrypt_cbc_192  \
                                               : intel_aes_encrypt_cbc_256) \
          : ((keysize) == 16 ? intel_aes_decrypt_cbc_128                    \
                             : (keysize) == 24 ? intel_aes_decrypt_cbc_192  \
                                               : intel_aes_decrypt_cbc_256))
 
 #define intel_aes_ctr_worker(nr)                         \
     ((nr) == 10 ? intel_aes_encrypt_ctr_128              \
                 : (nr) == 12 ? intel_aes_encrypt_ctr_192 \
                              : intel_aes_encrypt_ctr_256)
 
-#define native_aes_init(encrypt, keysize)                         \
+#define intel_aes_init(encrypt, keysize)                          \
     do {                                                          \
         if (encrypt) {                                            \
             if (keysize == 16)                                    \
                 intel_aes_encrypt_init_128(key, cx->expandedKey); \
             else if (keysize == 24)                               \
                 intel_aes_encrypt_init_192(key, cx->expandedKey); \
             else                                                  \
                 intel_aes_encrypt_init_256(key, cx->expandedKey); \
--- a/security/nss/lib/freebl/pqg.c
+++ b/security/nss/lib/freebl/pqg.c
@@ -885,17 +885,17 @@ findQfromSeed(
     const SECItem *seed,        /* input.  */
     mp_int *Q,                  /* input. */
     mp_int *Q_,                 /* output. */
     unsigned int *qseed_len,    /* output */
     HASH_HashType *hashtypePtr, /* output. Hash uses */
     pqgGenType *typePtr,        /* output. Generation Type used */
     unsigned int *qgen_counter) /* output. q_counter */
 {
-    HASH_HashType hashtype = HASH_AlgNULL;
+    HASH_HashType hashtype;
     SECItem firstseed = { 0, 0, 0 };
     SECItem qseed = { 0, 0, 0 };
     SECStatus rv;
 
     *qseed_len = 0; /* only set if FIPS186_3_ST_TYPE */
 
     /* handle legacy small DSA first can only be FIPS186_1_TYPE */
     if (L < 1024) {
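Review bot: `hashtype` in findQfromSeed is now declared without an initial value, and the next two hunks do the same for `hashtype` in pqg_ParamGen and for `hashtype` and `type` in PQG_VerifyParams. None of the three hunks shows where these locals are first assigned, so it cannot be confirmed from here that every path, including the early error exits, writes them before they are read; the function bodies continue outside the hunks. In parameter generation and verification code an indeterminate hash type is worth ruling out by construction, so I would keep defined starting values: `HASH_HashType hashtype = HASH_AlgNULL;` and `pqgGenType type = FIPS186_1_TYPE;`.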
@@ -1234,17 +1234,17 @@ pqg_ParamGen(unsigned int L, unsigned in
              unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy)
 {
     unsigned int n;       /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int seedlen; /* Per FIPS 186-3 app A.1.1.2  (was 'g' 186-1)*/
     unsigned int counter; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int offset;  /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int outlen;  /* Per FIPS 186-3, appendix A.1.1.2. */
     unsigned int maxCount;
-    HASH_HashType hashtype = HASH_AlgNULL;
+    HASH_HashType hashtype;
     SECItem *seed; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     PLArenaPool *arena = NULL;
     PQGParams *params = NULL;
     PQGVerify *verify = NULL;
     PRBool passed;
     SECItem hit = { 0, 0, 0 };
     SECItem firstseed = { 0, 0, 0 };
     SECItem qseed = { 0, 0, 0 };
@@ -1625,18 +1625,18 @@ PQG_VerifyParams(const PQGParams *params
     unsigned int g, n, L, N, offset, outlen;
     mp_int p0, P, Q, G, P_, Q_, G_, r, h;
     mp_err err = MP_OKAY;
     int j;
     unsigned int counter_max = 0; /* handle legacy L < 1024 */
     unsigned int qseed_len;
     unsigned int qgen_counter_ = 0;
     SECItem pseed_ = { 0, 0, 0 };
-    HASH_HashType hashtype = HASH_AlgNULL;
-    pqgGenType type = FIPS186_1_TYPE;
+    HASH_HashType hashtype;
+    pqgGenType type;
 
 #define CHECKPARAM(cond)      \
     if (!(cond)) {            \
         *result = SECFailure; \
         goto cleanup;         \
     }
     if (!params || !vfy || !result) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
--- a/security/nss/lib/freebl/rijndael.c
+++ b/security/nss/lib/freebl/rijndael.c
@@ -15,28 +15,19 @@
 #include "blapi.h"
 #include "rijndael.h"
 
 #include "cts.h"
 #include "ctr.h"
 #include "gcm.h"
 #include "mpi.h"
 
-#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)
-// not test yet on big endian platform of arm
-#undef USE_HW_AES
+#ifdef USE_HW_AES
+#include "intel-aes.h"
 #endif
-
-#ifdef USE_HW_AES
-#ifdef NSS_X86_OR_X64
-#include "intel-aes.h"
-#else
-#include "aes-armv8.h"
-#endif
-#endif /* USE_HW_AES */
 #ifdef INTEL_GCM
 #include "intel-gcm.h"
 #endif /* INTEL_GCM */
 
 /* Forward declarations */
 void rijndael_native_key_expansion(AESContext *cx, const unsigned char *key,
                                    unsigned int Nk);
 void rijndael_native_encryptBlock(AESContext *cx,
@@ -851,62 +842,58 @@ aes_InitContext(AESContext *cx, const un
     if (mode == NSS_AES_CBC && iv == NULL) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     if (!cx) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
-#if defined(NSS_X86_OR_X64) || defined(USE_HW_AES)
-    use_hw_aes = (aesni_support() || arm_aes_support()) && (keysize % 8) == 0;
-#else
-    use_hw_aes = PR_FALSE;
-#endif
+    use_hw_aes = aesni_support() && (keysize % 8) == 0;
     /* Nb = (block size in bits) / 32 */
     cx->Nb = AES_BLOCK_SIZE / 4;
     /* Nk = (key size in bits) / 32 */
     Nk = keysize / 4;
     /* Obtain number of rounds from "table" */
     cx->Nr = RIJNDAEL_NUM_ROUNDS(Nk, cx->Nb);
     /* copy in the iv, if neccessary */
     if (mode == NSS_AES_CBC) {
         memcpy(cx->iv, iv, AES_BLOCK_SIZE);
 #ifdef USE_HW_AES
         if (use_hw_aes) {
             cx->worker = (freeblCipherFunc)
-                native_aes_cbc_worker(encrypt, keysize);
+                intel_aes_cbc_worker(encrypt, keysize);
         } else
 #endif
         {
             cx->worker = (freeblCipherFunc)(encrypt
                                                 ? &rijndael_encryptCBC
                                                 : &rijndael_decryptCBC);
         }
     } else {
 #ifdef USE_HW_AES
         if (use_hw_aes) {
             cx->worker = (freeblCipherFunc)
-                native_aes_ecb_worker(encrypt, keysize);
+                intel_aes_ecb_worker(encrypt, keysize);
         } else
 #endif
         {
             cx->worker = (freeblCipherFunc)(encrypt
                                                 ? &rijndael_encryptECB
                                                 : &rijndael_decryptECB);
         }
     }
     PORT_Assert((cx->Nb * (cx->Nr + 1)) <= RIJNDAEL_MAX_EXP_KEY_SIZE);
     if ((cx->Nb * (cx->Nr + 1)) > RIJNDAEL_MAX_EXP_KEY_SIZE) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 #ifdef USE_HW_AES
     if (use_hw_aes) {
-        native_aes_init(encrypt, keysize);
+        intel_aes_init(encrypt, keysize);
     } else
 #endif
     {
         /* Generate expanded key */
         if (encrypt) {
             if (use_hw_aes && (cx->mode == NSS_AES_GCM || cx->mode == NSS_AES ||
                                cx->mode == NSS_AES_CTR)) {
                 PORT_Assert(keysize == 16 || keysize == 24 || keysize == 32);
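Review bot: `use_hw_aes = aesni_support() && (keysize % 8) == 0;` in aes_InitContext is now evaluated on every target with no `#if` around it, while all uses of the Intel workers stay under `#ifdef USE_HW_AES`. The build therefore depends on `aesni_support()` being declared for non-x86 targets and evaluating to false there, which this hunk does not show. A comment on that line would record the dependency, e.g. `/* aesni_support() must exist on all targets and be false where AES-NI is absent */`. It would also explain the fallback branch, where the `use_hw_aes &&` test can only be true when USE_HW_AES is undefined; the function starts and ends outside the hunk.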
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -640,47 +640,27 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
 CK_RV
 FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
           CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen)
 {
     CK_RV rv;
 
     CHECK_FORK();
 
-    rv = sftk_fipsCheck();
-    if (rv != CKR_OK) {
-        goto loser;
-    }
-
-    if (isLevel2 || usNewLen > 0) {
-        rv = sftk_newPinCheck(pNewPin, usNewLen);
-        if (rv != CKR_OK) {
-            goto loser;
-        }
+    if ((rv = sftk_fipsCheck()) == CKR_OK &&
+        (rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
         rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
-        if (rv != CKR_OK) {
-            goto loser;
-        }
-        if (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID) {
+        if ((rv == CKR_OK) &&
+            (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
             /* if we set the password in level1 we now go
              * to level2. NOTE: we don't allow the user to
              * go from level2 to level1 */
             isLevel2 = PR_TRUE;
         }
-    } else {
-        /* here both old and new passwords are empty, but we need to
-         * call NSC_SetPIN to force rekey the database entries */
-        PORT_Assert(usNewLen == 0);
-        rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
-        if (rv != CKR_OK) {
-            goto loser;
-        }
     }
-
-loser:
     if (sftk_audit_enabled) {
         char msg[128];
         NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
         PR_snprintf(msg, sizeof msg,
                     "C_SetPIN(hSession=0x%08lX)=0x%08lX",
                     (PRUint32)hSession, (PRUint32)rv);
         sftk_LogAuditMessage(severity, NSS_AUDIT_SET_PIN, msg);
     }
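Review bot: FC_SetPIN now runs `sftk_newPinCheck(pNewPin, usNewLen)` on every call, so an empty new PIN is judged entirely by that helper, whose rules are outside this hunk; nothing here says whether an empty PIN is still meant to be accepted before level 2 is reached. The two assignments inside the `if` condition also carry the first failing `rv` into the audit block below, which is easy to miss when reading. I would state both in a comment above the condition, e.g. `/* rv keeps the first failure for the audit record; the new PIN is always policy-checked, including an empty one */`. The end of the function lies outside the hunk.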
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -3895,20 +3895,17 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, C
     sftk_FreeSession(sp);
     sp = NULL;
 
     /* make sure the pins aren't too long */
     if ((ulNewLen > SFTK_MAX_PIN) || (ulOldLen > SFTK_MAX_PIN)) {
         crv = CKR_PIN_LEN_RANGE;
         goto loser;
     }
-    /* check the length of new pin, unless both old and new passwords
-     * are empty */
-    if ((ulNewLen != 0 || ulOldLen != 0) &&
-        ulNewLen < (CK_ULONG)slot->minimumPinLen) {
+    if (ulNewLen < (CK_ULONG)slot->minimumPinLen) {
         crv = CKR_PIN_LEN_RANGE;
         goto loser;
     }
 
     /* convert to null terminated string */
     PORT_Memcpy(newPinStr, pNewPin, ulNewLen);
     newPinStr[ulNewLen] = 0;
     PORT_Memcpy(oldPinStr, pOldPin, ulOldLen);
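Review bot: The minimum-length test in NSC_SetPIN, `if (ulNewLen < (CK_ULONG)slot->minimumPinLen)`, has lost its comment and now also rejects the empty-old/empty-new case whenever minimumPinLen is non-zero. A one-line comment would make that intent explicit: `/* check the length of the new pin; an empty pin passes only when minimumPinLen is 0 */`. The copies below write `newPinStr[ulNewLen] = 0`, which is only in bounds if the buffers hold at least SFTK_MAX_PIN + 1 bytes; their declarations are outside the hunk. Since pkcs11i.h in this changeset lowers SFTK_MAX_PIN from 500 to 255, the buffer sizes deserve a second look, as does the effect on tokens that already use a longer PIN (presumably CKR_PIN_LEN_RANGE from the check above).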
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -454,17 +454,17 @@ struct SFTKItemTemplateStr {
 /* certdb (high bit == 1) */
 #define SFTK_TOKEN_TYPE_TRUST 0x40000000L
 #define SFTK_TOKEN_TYPE_CRL 0x50000000L
 #define SFTK_TOKEN_TYPE_SMIME 0x60000000L
 #define SFTK_TOKEN_TYPE_CERT 0x70000000L
 
 #define SFTK_TOKEN_KRL_HANDLE (SFTK_TOKEN_MAGIC | SFTK_TOKEN_TYPE_CRL | 1)
 /* how big (in bytes) a password/pin we can deal with */
-#define SFTK_MAX_PIN 500
+#define SFTK_MAX_PIN 255
 /* minimum password/pin length (in Unicode characters) in FIPS mode */
 #define FIPS_MIN_PIN 7
 
 /* slot ID's */
 #define NETSCAPE_SLOT_ID 1
 #define PRIVATE_KEY_SLOT_ID 2
 #define FIPS_SLOT_ID 3
 
--- a/security/nss/mach
+++ b/security/nss/mach
@@ -192,23 +192,16 @@ class coverityAction(argparse.Action):
 
     def cov_is_file_in_source(self, abs_path):
         if os.path.islink(abs_path):
             abs_path = os.path.realpath(abs_path)
         return abs_path
 
     def dump_cov_artifact(self, cov_results, source, output):
         import json
-
-        def relpath(path):
-            '''Build path relative to repository root'''
-            if path.startswith(cwd):
-                return os.path.relpath(path, cwd)
-            return path
-
         # Parse Coverity json into structured issues
         with open(cov_results) as f:
             result = json.load(f)
 
             # Parse the issues to a standard json format
             issues_dict = {'files': {}}
 
             files_list = issues_dict['files']
@@ -225,31 +218,30 @@ class coverityAction(argparse.Action):
                         'category': issue['checkerProperties']['category'],
                         'stateOnServer': issue['stateOnServer'],
                         'stack': []
                     }
                 }
 
                 # Embed all events into extra message
                 for event in issue['events']:
-                    dict_issue['extra']['stack'].append({'file_path': relpath(event['strippedFilePathname']),
+                    dict_issue['extra']['stack'].append({'file_path': event['strippedFilePathname'],
                                                          'line_number': event['lineNumber'],
                                                          'path_type': event['eventTag'],
                                                          'description': event['eventDescription']})
 
                 return dict_issue
 
             for issue in result['issues']:
                 path = self.cov_is_file_in_source(issue['strippedMainEventFilePathname'])
                 if path is None:
                     # Since we skip a result we should log it
                     print('Skipping CID: {0} from file: {1} since it\'s not related with the current patch.'.format(
                         issue['stateOnServer']['cid'], issue['strippedMainEventFilePathname']))
                     continue
-                path = relpath(path)
                 if path in files_list:
                     files_list[path]['warnings'].append(build_element(issue))
                 else:
                     files_list[path] = {'warnings': [build_element(issue)]}
 
             with open(output, 'w') as f:
                 json.dump(issues_dict, f)
 
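Review bot: With `relpath()` gone, `dump_cov_artifact` keys `files_list` by whatever `cov_is_file_in_source` returns, and that method (shown in the previous hunk) only resolves symlinks and never returns None, so the `if path is None` skip branch cannot trigger. The stack entries use `event['strippedFilePathname']` unresolved, so the main path and the stack paths of one issue can now differ in form. If filtering to in-tree files is intended, the method needs an explicit check and a `return None`; otherwise the dead branch can go and the `file_path` line deserves a comment such as `# path exactly as reported by Coverity, not normalised`.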
--- a/taskcluster/ci/fetch/toolchains.yml
+++ b/taskcluster/ci/fetch/toolchains.yml
@@ -264,16 +264,25 @@ libtapi:
 
 libdmg-hfsplus:
     description: libdmg-hfsplug source code
     fetch:
         type: git
         repo: https://github.com/mozilla/libdmg-hfsplus/
         revision: 2ee327795680101d36f9700bd0fb618362237718
 
+hfsplus-tools:
+    description: hfstools-plus source code
+    fetch:
+        type: static-url
+        # Most-upstream is https://opensource.apple.com/source/diskdev_cmds/
+        url: https://src.fedoraproject.org/repo/pkgs/hfsplus-tools/diskdev_cmds-540.1.linux3.tar.gz/0435afc389b919027b69616ad1b05709/diskdev_cmds-540.1.linux3.tar.gz
+        sha256: b01b203a97f9a3bf36a027c13ddfc59292730552e62722d690d33bd5c24f5497
+        size: 411205
+
 llvm-for-dsymutil:
     description: llvm source code for dsymutil
     fetch:
         type: git
         repo: https://github.com/llvm/llvm-project
         revision: 3b7811f6441be13c9f613f81ef93297d231b4f8e
 
 tup:
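Review bot: The new `hfsplus-tools` fetch takes its tarball from what appears to be Fedora's package source cache rather than from the upstream named in the comment, and nothing records how the pinned `sha256` was established. The digest and `size` pin the bytes, so a changed file at that URL should be rejected, but the trust decision behind the first download is undocumented. I would extend the comment, e.g. `# Fedora copy of the Linux port of diskdev_cmds; sha256 verified against <source of the reference digest>`. The description reads `hfstools-plus`, which looks like a slip for `hfsplus-tools`.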
--- a/taskcluster/ci/geckodriver-repack/kind.yml
+++ b/taskcluster/ci/geckodriver-repack/kind.yml
@@ -23,16 +23,17 @@ job-defaults:
         tier: 2
     worker-type: b-linux
     worker:
         max-run-time: 1200
         docker-image: {in-tree: debian9-amd64-build}
         chain-of-trust: true
     run:
         using: run-task
+        checkout: false
 
 jobs:
     linux-nightly/opt:
         treeherder:
             platform: linux32/opt
         dependencies:
             build-linux/opt: build-linux-shippable/opt
         fetches:
--- a/taskcluster/ci/generate-profile/kind.yml
+++ b/taskcluster/ci/generate-profile/kind.yml
@@ -49,18 +49,18 @@ jobs:
                 - type: file
                   name: public/build/profile-run-1.log
                   path: /builds/worker/artifacts/profile-run-1.log
                 - type: file
                   name: public/build/profile-run-2.log
                   path: /builds/worker/artifacts/profile-run-2.log
         run:
             using: run-task
+            cwd: '{checkout}'
             command: >
-                cd /builds/worker/checkouts/gecko &&
                 ./taskcluster/scripts/misc/run-profileserver.sh
 
     linux64-shippable/opt:
         description: "Linux64 Profile Generation"
         shipping-phase: build
         shipping-product: firefox
         index:
             product: firefox
@@ -83,18 +83,18 @@ jobs:
                 - type: file
                   name: public/build/profile-run-1.log
                   path: /builds/worker/artifacts/profile-run-1.log
                 - type: file
                   name: public/build/profile-run-2.log
                   path: /builds/worker/artifacts/profile-run-2.log
         run:
             using: run-task
+            cwd: '{checkout}'
             command: >
-                cd /builds/worker/checkouts/gecko &&
                 ./taskcluster/scripts/misc/run-profileserver.sh
 
     android-api-16/pgo:
         description: "Android 4.0 api-16+ Profile Generation"
         shipping-phase: build
         shipping-product: fennec
         index:
             product: mobile
@@ -152,17 +152,18 @@ jobs:
                   name: public/build/profile-run-1.log
                   path: build/src/artifacts/profile-run-1.log
                 - type: file
                   name: public/build/profile-run-2.log
                   path: build/src/artifacts/profile-run-2.log
         run:
             using: run-task
             sparse-profile: profile-generate
-            command: cd build/src && ./taskcluster/scripts/misc/run-profileserver.sh
+            cwd: '{checkout}'
+            command: ./taskcluster/scripts/misc/run-profileserver.sh
 
     win64-shippable/opt:
         description: "Win64 Profile Generation"
         shipping-phase: build
         shipping-product: firefox
         index:
             product: firefox
             job-name: win64-profile
@@ -181,9 +182,10 @@ jobs:
                   name: public/build/profile-run-1.log
                   path: build/src/artifacts/profile-run-1.log
                 - type: file
                   name: public/build/profile-run-2.log
                   path: build/src/artifacts/profile-run-2.log
         run:
             using: run-task
             sparse-profile: profile-generate
-            command: cd build/src && ./taskcluster/scripts/misc/run-profileserver.sh
+            cwd: '{checkout}'
+            command: ./taskcluster/scripts/misc/run-profileserver.sh
--- a/taskcluster/ci/source-test/clang.yml
+++ b/taskcluster/ci/source-test/clang.yml
@@ -44,35 +44,35 @@ job-defaults:
             - '**/*.hpp'
             - '**/*.hxx'
 
 tidy:
     description: Run static-analysis (clang-tidy) on C/C++ patches
     treeherder:
         symbol: clang(tidy)
     run:
+        cwd: '{checkout}'
         command: >-
-            source $HOME/checkouts/gecko/taskcluster/scripts/misc/source-test-clang-setup.sh &&
-            cd $HOME/checkouts/gecko &&
+            source taskcluster/scripts/misc/source-test-clang-setup.sh &&
             ./mach --log-no-times static-analysis check --outgoing --output $HOME/clang-tidy.json --format json
 
     worker:
         artifacts:
             - type: file
               name: public/code-review/clang-tidy.json
               path: /builds/worker/clang-tidy.json
 
 format:
     description: Run clang-format on C/C++ patches
     treeherder:
         symbol: clang(format)
     run:
+        cwd: '{checkout}'
         command: >-
-            source $HOME/checkouts/gecko/taskcluster/scripts/misc/source-test-clang-setup.sh &&
-            cd $HOME/checkouts/gecko &&
+            source taskcluster/scripts/misc/source-test-clang-setup.sh &&
             ./mach --log-no-times clang-format --outgoing --output $HOME/clang-format.json --format json &&
             ./mach --log-no-times clang-format --outgoing --output $HOME/clang-format.diff --format diff
     worker:
         artifacts:
             - type: file
               name: public/code-review/clang-format.json
               path: /builds/worker/clang-format.json
             - type: file
--- a/taskcluster/ci/source-test/coverity.yml
+++ b/taskcluster/ci/source-test/coverity.yml
@@ -42,19 +42,19 @@ job-defaults:
             - '**/*.hpp'
             - '**/*.hxx'
 
 coverity:
     description: Run static-analysis (Coverity) on C/C++ patches
     treeherder:
         symbol: coverity(cvsa)
     run:
+        cwd: '{checkout}'
         command: >-
-            source $HOME/checkouts/gecko/taskcluster/scripts/misc/source-test-clang-setup.sh &&
-            cd $HOME/checkouts/gecko &&
+            source taskcluster/scripts/misc/source-test-clang-setup.sh &&
             ./mach --log-no-times static-analysis check-coverity --outgoing --output $HOME/coverity.json
     scopes:
         - secrets:get:project/relman/coverity
     worker:
         artifacts:
             - type: file
               name: public/code-review/coverity.json
               path: /builds/worker/coverity.json
--- a/taskcluster/ci/source-test/infer.yml
+++ b/taskcluster/ci/source-test/infer.yml
@@ -36,19 +36,19 @@ job-defaults:
         files-changed:
             - 'mobile/**/*.java'
 
 infer:
     description: Run static-analysis (infer) on Java patches
     treeherder:
         symbol: infer
     run:
+        cwd: '{checkout}'
         command: >-
-            source $HOME/checkouts/gecko/taskcluster/scripts/misc/source-test-infer-setup.sh &&
-            cd $HOME/checkouts/gecko &&
+            source taskcluster/scripts/misc/source-test-infer-setup.sh &&
             ./mach --log-no-times configure &&
             ./mach --log-no-times static-analysis check-java --outgoing --output $HOME/infer.json
 
     worker:
         artifacts:
             - type: file
               name: public/code-review/infer.json
               path: /builds/worker/infer.json
--- a/taskcluster/ci/source-test/mozlint.yml
+++ b/taskcluster/ci/source-test/mozlint.yml
@@ -68,18 +68,18 @@ cpp-virtual-final:
 
 eslint:
     description: JS lint check
     platform: lint/opt
     treeherder:
         symbol: ES
     run:
         using: run-task
+        cwd: '{checkout}'
         command: >
-            cd /builds/worker/checkouts/gecko/ &&
             cp -r /build/node_modules_eslint node_modules &&
             ln -s ../tools/lint/eslint/eslint-plugin-mozilla node_modules &&
             ln -s ../tools/lint/eslint/eslint-plugin-spidermonkey-js node_modules &&
             ./mach lint -l eslint -f treeherder --quiet -f json:/builds/worker/mozlint.json
     when:
         files-changed:
             # Files that are likely audited.
             - '**/*.js'
--- a/taskcluster/ci/source-test/node.yml
+++ b/taskcluster/ci/source-test/node.yml
@@ -11,20 +11,20 @@ debugger-tests:
         tier: 1
     worker-type: t-linux-xlarge
     worker:
         docker-image: {in-tree: "lint"}
         max-run-time: 1800
     run:
         using: run-task
         cache-dotcache: true
+        cwd: '{checkout}'
         command: >
-            cd /builds/worker/checkouts/gecko/ &&
             npm install &&
-            cd /builds/worker/checkouts/gecko/devtools/client/debugger/ &&
+            cd devtools/client/debugger/ &&
             yarn &&
             node bin/try-runner.js
     when:
         files-changed:
             - 'devtools/client/debugger/**'
 
 devtools-tests:
     description: devtools node-based tests (for instance jest)
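Review bot: `npm install` and `yarn` in this command resolve dependencies while the task runs, so the tested tree can differ from what the lockfiles describe if those drift. If `package-lock.json` and `yarn.lock` are committed (not visible in this hunk), `npm ci` and `yarn --frozen-lockfile` would make the job fail on a mismatch instead of installing something new. The same applies to the `npm install` in the `devtools-tests` hunk below.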
@@ -35,20 +35,20 @@ devtools-tests:
         tier: 1
     worker-type: t-linux-xlarge
     worker:
         docker-image: {in-tree: "lint"}
         max-run-time: 1800
     run:
         using: run-task
         cache-dotcache: true
+        cwd: '{checkout}'
         command: >
-            cd /builds/worker/checkouts/gecko/ &&
             npm install &&
-            cd /builds/worker/checkouts/gecko/devtools/client/bin/ &&
+            cd devtools/client/bin/ &&
             node devtools-node-test-runner.js --suite=aboutdebugging-new &&
             node devtools-node-test-runner.js --suite=accessibility &&
             node devtools-node-test-runner.js --suite=application &&
             node devtools-node-test-runner.js --suite=framework &&
             node devtools-node-test-runner.js --suite=netmonitor &&
             node devtools-node-test-runner.js --suite=webconsole
     when:
         files-changed:
@@ -64,15 +64,15 @@ eslint-plugin-mozilla:
         tier: 1
     worker-type: t-linux-xlarge
     worker:
         docker-image: {in-tree: "lint"}
         max-run-time: 1800
     run:
         using: run-task
         cache-dotcache: true
+        cwd: '{checkout}/tools/lint/eslint/eslint-plugin-mozilla'
         command: >
-            cd /builds/worker/checkouts/gecko/tools/lint/eslint/eslint-plugin-mozilla &&
             cp -r /build/node_modules_eslint-plugin-mozilla node_modules &&
             npm run test
     when:
         files-changed:
             - 'tools/lint/eslint/eslint-plugin-mozilla/**'
--- a/taskcluster/ci/source-test/python.yml
+++ b/taskcluster/ci/source-test/python.yml
@@ -86,22 +86,22 @@ mochitest-harness:
         symbol: py2(mch)
     worker:
         by-platform:
             linux64.*:
                 docker-image: {in-tree: "desktop1604-test"}
                 max-run-time: 3600
     run:
         using: run-task
+        cwd: '{checkout}'
         command: >
             source /builds/worker/scripts/xvfb.sh &&
             start_xvfb '1600x1200x24' 0 &&
             export GECKO_BINARY_PATH=$MOZ_FETCHES_DIR/firefox/firefox &&
             export TEST_HARNESS_ROOT=$MOZ_FETCHES_DIR/tests &&
-            cd /builds/worker/checkouts/gecko &&
             ./mach python-test --python 2 --subsuite mochitest
     fetches:
         build:
             - target.tar.bz2
             - artifact: target.common.tests.tar.gz
               dest: tests
             - artifact: target.mochitest.tests.tar.gz
               dest: tests
@@ -132,18 +132,18 @@ mozbase:
 
 mozharness:
     description: mozharness integration tests
     treeherder:
         symbol: py2(mh)
     run:
         using: run-task
         cache-dotcache: true
+        cwd: '{checkout}/testing/mozharness'
         command: >
-            cd /builds/worker/checkouts/gecko/testing/mozharness &&
             /usr/local/bin/tox -e py27-hg4.3
     when:
         files-changed:
             - 'testing/mozharness/**'
 
 mozlint:
     description: python/mozlint unit tests
     platform:
@@ -227,22 +227,22 @@ reftest-harness:
         symbol: py2(ref)
     worker:
         by-platform:
             linux64.*:
                 docker-image: {in-tree: "desktop1604-test"}
                 max-run-time: 3600
     run:
         using: run-task
+        cwd: '{checkout}'
         command: >
             source /builds/worker/scripts/xvfb.sh &&
             start_xvfb '1600x1200x24' 0 &&
             export GECKO_BINARY_PATH=$MOZ_FETCHES_DIR/firefox/firefox &&
             export TEST_HARNESS_ROOT=$MOZ_FETCHES_DIR/tests &&
-            cd /builds/worker/checkouts/gecko &&
             ./mach python-test --python 2 --subsuite reftest
     fetches:
         build:
             - target.tar.bz2
             - artifact: target.common.tests.tar.gz
               dest: tests
             - artifact: target.reftest.tests.tar.gz
               dest: tests
--- a/taskcluster/ci/source-test/wpt-manifest.yml
+++ b/taskcluster/ci/source-test/wpt-manifest.yml
@@ -17,19 +17,19 @@ upload:
     treeherder:
         symbol: Wm
     index:
         product: source
         job-name: manifest-upload
         rank: build_date
     run:
         using: run-task
+        cwd: '{checkout}'
         command: >
-            cd /builds/worker/checkouts/gecko
-            && ./mach wpt-manifest-update --config testing/web-platform/wptrunner.ini --no-download
+            ./mach wpt-manifest-update --config testing/web-platform/wptrunner.ini --no-download
             && tar -cvzf manifests.tar.gz -C testing/web-platform/ meta/MANIFEST.json mozilla/meta/MANIFEST.json
     worker:
         artifacts:
             - type: file
               path: /builds/worker/checkouts/gecko/manifests.tar.gz
               name: public/manifests.tar.gz
 
         max-run-time: 3600
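Review bot: The artifact `path: /builds/worker/checkouts/gecko/manifests.tar.gz` still spells out the checkout location that the command no longer hard-codes. `tar -cvzf manifests.tar.gz` now writes into whatever `{checkout}` resolves to, so the upload only works while that is `/builds/worker/checkouts/gecko`. If artifact paths cannot use the `{checkout}` substitution (not shown here), a comment next to the path such as `# must match run.cwd` would at least record the coupling.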
--- a/taskcluster/ci/toolchain/misc.yml
+++ b/taskcluster/ci/toolchain/misc.yml
@@ -59,16 +59,19 @@ linux64-hfsplus:
     run:
         script: build-hfsplus-linux.sh
         resources:
             - 'build/unix/build-hfsplus/build-hfsplus.sh'
             - 'taskcluster/scripts/misc/tooltool-download.sh'
         toolchain-artifact: public/build/hfsplus-tools.tar.xz
     toolchains:
         - linux64-clang-8
+    fetches:
+        fetch:
+            - hfsplus-tools
 
 linux64-libdmg:
     description: "libdmg-hfsplus toolchain build"
     treeherder:
         symbol: TL(libdmg-hfs+)
     run:
         script: build-libdmg-hfsplus.sh
         toolchain-artifact: public/build/dmg.tar.xz
--- a/taskcluster/ci/toolchain/rust.yml
+++ b/taskcluster/ci/toolchain/rust.yml
@@ -2,18 +2,16 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ---
 job-defaults:
     description: "rust repack"
     worker-type: b-linux
     worker:
         max-run-time: 7200
-        env:
-            UPLOAD_DIR: artifacts
     run:
         script: repack_rust.py
         toolchain-artifact: public/build/rustc.tar.xz
 
 linux64-rust-1.28:
     treeherder:
         symbol: TL(rust-1.28)
     run:
--- a/taskcluster/ci/webrender/kind.yml
+++ b/taskcluster/ci/webrender/kind.yml
@@ -28,18 +28,18 @@ job-defaults:
 jobs:
     lint-tidy:
         description: Runs linting checks on WebRender code
         worker-type: b-linux
         worker:
             docker-image: {in-tree: webrender}
         run:
             using: run-task
+            cwd: '{checkout}/gfx/wr'
             command: >-
-                cd $HOME/checkouts/gecko/gfx/wr &&
                 servo-tidy
         treeherder:
             platform: linux64-qr/opt
             symbol: WR(tidy)
         when:
             files-changed:
                 - 'gfx/wr/**'
 
@@ -137,18 +137,18 @@ jobs:
         dependencies:
             webrender-wrench-macos-build: webrender-wrench-macos-build
         fetches:
             webrender-wrench-macos-build:
                 - 'wrench-macos.tar.bz2'
                 - 'wrench-macos-headless.tar.bz2'
         run:
             using: run-task
+            cwd: '{checkout}/gfx/wr'
             command: >-
-                cd $GECKO_PATH/gfx/wr &&
                 export WRENCH_HEADLESS_TARGET=$PWD/wrench-macos-headless/ &&
                 export WRENCH_BINARY=$PWD/wrench-macos/bin/wrench &&
                 ci-scripts/macos-release-tests.sh
         treeherder:
             platform: macosx64-qr/opt
             symbol: WR(wrench)
         when:
             files-changed:
@@ -196,18 +196,18 @@ jobs:
                 MOZ_FETCHES_DIR: 'checkouts/gecko/gfx/wr'
         dependencies:
             webrender-cargotest-macos-build: webrender-cargotest-macos-build
         fetches:
             webrender-cargotest-macos-build:
                 - 'cargo-test-binaries.tar.bz2'
         run:
             using: run-task
+            cwd: '{checkout}/gfx/wr'
             command: >-
-                cd $GECKO_PATH/gfx/wr &&
                 mv cargo-test-binaries target &&
                 cd target &&
                 for i in debug/*; do $i; done
         treeherder:
             platform: macosx64-qr/debug
             symbol: WR(cargotest)
         when:
             files-changed:
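Review bot: `for i in debug/*; do $i; done` returns the status of the last binary only, so an earlier failing test binary does not fail the task unless the shell runs with `-e`, which this hunk does not show. `for i in debug/*; do "$i" || exit 1; done` makes each failure fatal and also quotes the path. Note too that `mv cargo-test-binaries target` relies on the relative `MOZ_FETCHES_DIR: 'checkouts/gecko/gfx/wr'` resolving to the same directory as the new `cwd: '{checkout}/gfx/wr'`.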
@@ -249,19 +249,20 @@ jobs:
                 - type: file
                   name: public/build/wrench-debug.apk
                   path: /builds/worker/checkouts/gecko/gfx/wr/target/android-artifacts/app/build/outputs/apk/debug/app-debug.apk
                 - type: file
                   name: public/build/reftests.tar.gz
                   path: /builds/worker/checkouts/gecko/gfx/wr/wrench/reftests.tar.gz
         run:
             using: run-task
+            cwd: '{checkout}/gfx/wr/wrench'
             command: >-
                 $GECKO_PATH/taskcluster/scripts/misc/wrench-android-build.sh debug &&
-                cd $GECKO_PATH/gfx/wr/wrench && tar czf reftests.tar.gz reftests/
+                tar czf reftests.tar.gz reftests/
         fetches:
             toolchain:
                 - android-gradle-dependencies
                 - android-ndk-linux
                 - android-sdk-linux
                 - linux64-rust-android
                 - wrench-deps
         treeherder:
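Review bot: With `cwd: '{checkout}/gfx/wr/wrench'`, `wrench-android-build.sh` now starts in the `wrench` directory instead of the task's default directory, where before only the `tar` step ran there. If the script uses relative paths or assumes its starting directory (its body is not in this diff section), that is a behaviour change worth checking. The release job in the next hunk is changed the same way. The artifact paths above still hard-code `/builds/worker/checkouts/gecko/...`, so they depend on `{checkout}` resolving to that location.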
@@ -283,19 +284,20 @@ jobs:
                 - type: file
                   name: public/build/wrench-release.apk
                   path: /builds/worker/checkouts/gecko/gfx/wr/target/android-artifacts/app/build/outputs/apk/release/app-release-unsigned.apk
                 - type: file
                   name: public/build/reftests.tar.gz
                   path: /builds/worker/checkouts/gecko/gfx/wr/wrench/reftests.tar.gz
         run:
             using: run-task
+            cwd: '{checkout}/gfx/wr/wrench'
             command: >-
                 $GECKO_PATH/taskcluster/scripts/misc/wrench-android-build.sh release &&
-                cd $GECKO_PATH/gfx/wr/wrench && tar czf reftests.tar.gz reftests/
+                tar czf reftests.tar.gz reftests/
         fetches:
             toolchain:
                 - android-gradle-dependencies
                 - android-ndk-linux
                 - android-sdk-linux
                 - linux64-rust-android
                 - wrench-deps
         treeherder:
--- a/taskcluster/docker/debian-base/Dockerfile
+++ b/taskcluster/docker/debian-base/Dockerfile
@@ -54,9 +54,12 @@ COPY topsrcdir/taskcluster/docker/recipe
 
 # Add pip configuration, among other things.
 # %include taskcluster/docker/recipes/dot-config
 COPY topsrcdir/taskcluster/docker/recipes/dot-config /builds/worker/.config
 
 # %include taskcluster/scripts/run-task
 COPY topsrcdir/taskcluster/scripts/run-task /builds/worker/bin/run-task
 
+# %include taskcluster/scripts/misc/fetch-content
+ADD topsrcdir/taskcluster/scripts/misc/fetch-content /builds/worker/bin/fetch-content
+
 RUN chown -R worker:worker /builds/worker/bin && chmod 755 /builds/worker/bin/*
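Review bot: The new line uses `ADD` where the visible neighbouring instructions that copy from `topsrcdir` use `COPY`. `ADD` also unpacks local archives and accepts URLs, neither of which is wanted for a single script. `COPY topsrcdir/taskcluster/scripts/misc/fetch-content /builds/worker/bin/fetch-content` states the intent exactly and keeps the file consistent.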
--- a/taskcluster/scripts/misc/build-binutils-linux.sh
+++ b/taskcluster/scripts/misc/build-binutils-linux.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building binutils for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 build/unix/build-binutils/build-binutils.sh $HOME_DIR
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp $HOME_DIR/binutils.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-cbindgen.sh
+++ b/taskcluster/scripts/misc/build-cbindgen.sh
@@ -4,17 +4,16 @@ set -x -e -v
 # If you update this, make sure to update the minimum version in
 # build/moz.configure/bindgen.configure as well.
 CBINDGEN_REVISION=e19526e00b3fe6921b881682147a1fe5d6b64124 # v0.9.0
 TARGET="$1"
 
 case "$(uname -s)" in
 Linux)
     WORKSPACE=$HOME/workspace
-    UPLOAD_DIR=$HOME/artifacts
     COMPRESS_EXT=xz
     ;;
 MINGW*)
     WORKSPACE=$PWD
     UPLOAD_DIR=$WORKSPACE/public/build
     WIN_WORKSPACE="$(pwd -W)"
     COMPRESS_EXT=bz2
 
--- a/taskcluster/scripts/misc/build-cctools-port.sh
+++ b/taskcluster/scripts/misc/build-cctools-port.sh
@@ -4,17 +4,16 @@
 # Until bug 1471905 is addressed, increase the following number
 # when a forced rebuild of cctools is necessary: 1
 
 set -x -e -v
 
 # This script is for building cctools (Apple's binutils) for Linux using
 # cctools-port (https://github.com/tpoechtrager/cctools-port).
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 
 # Set some crosstools-port and libtapi directories
 CROSSTOOLS_SOURCE_DIR=$MOZ_FETCHES_DIR/cctools-port
 CROSSTOOLS_CCTOOLS_DIR=$CROSSTOOLS_SOURCE_DIR/cctools
 CROSSTOOLS_BUILD_DIR=$WORKSPACE/cctools
 LIBTAPI_SOURCE_DIR=$MOZ_FETCHES_DIR/apple-libtapi
 LIBTAPI_BUILD_DIR=$WORKSPACE/libtapi-build
 CLANG_DIR=$WORKSPACE/build/src/clang
--- a/taskcluster/scripts/misc/build-clang-4.0-linux.sh
+++ b/taskcluster/scripts/misc/build-clang-4.0-linux.sh
@@ -1,25 +1,23 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-4.0-linux64.json
+python3 ./build-clang.py -c clang-4.0-linux64.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang.tar.* $UPLOAD_DIR
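Review bot: After `UPLOAD_DIR=$HOME/artifacts` is dropped, `mkdir -p $UPLOAD_DIR` and `cp clang.tar.* $UPLOAD_DIR` depend on the task environment exporting the variable, and nothing checks that before the long build starts. A line such as `: "${UPLOAD_DIR:?UPLOAD_DIR must be set by the task}"` near the top would fail immediately with a clear message, and quoting `"$UPLOAD_DIR"` protects against paths with spaces. The same removal is made in the other `build-*.sh` hunks of this commit. `build-dist-toolchains.sh` in particular still writes to `$HOME/artifacts/$TL_NAME-dist-toolchain.tar.xz`, which only matches if the environment value is that same directory.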
--- a/taskcluster/scripts/misc/build-clang-7-linux.sh
+++ b/taskcluster/scripts/misc/build-clang-7-linux.sh
@@ -1,25 +1,23 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-7-linux64.json
+python3 ./build-clang.py -c clang-7-linux64.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-clang-8-android.sh
+++ b/taskcluster/scripts/misc/build-clang-8-android.sh
@@ -1,26 +1,24 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang on a Linux host with android compiler rt
 # libs.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-8-android.json
+python3 ./build-clang.py -c clang-8-android.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-clang-8-linux-aarch64-cross.sh
+++ b/taskcluster/scripts/misc/build-clang-8-linux-aarch64-cross.sh
@@ -1,27 +1,25 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 export PATH="$WORKSPACE/build/src/binutils/bin:$PATH"
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-8-linux64-aarch64-cross.json
+python3 ./build-clang.py -c clang-8-linux64-aarch64-cross.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-clang-8-linux-macosx-cross.sh
+++ b/taskcluster/scripts/misc/build-clang-8-linux-macosx-cross.sh
@@ -1,32 +1,30 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Mac OS X targets on a Linux host,
 # including native Mac OS X Compiler-RT libraries and llvm-symbolizer.
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # these variables are used in build-clang.py
 export CROSS_CCTOOLS_PATH=$HOME_DIR/src/cctools
 export CROSS_SYSROOT=$HOME_DIR/src/MacOSX10.11.sdk
 export PATH=$PATH:$CROSS_CCTOOLS_PATH/bin
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-8-macosx64.json --skip-tar
+python3 ./build-clang.py -c clang-8-macosx64.json --skip-tar
 
 # We now have a native macosx64 toolchain.
 # What we want is a native linux64 toolchain which can target macosx64 and use the sanitizer dylibs.
 # Overlay the linux64 toolchain that we used for this build (except llvm-symbolizer).
 (
 cd "$WORKSPACE/moz-toolchain/build/stage1"
 # Need the macosx64 native llvm-symbolizer since this gets shipped with sanitizer builds
 mv clang/bin/llvm-symbolizer $HOME_DIR/src/clang/bin/
--- a/taskcluster/scripts/misc/build-clang-8-linux.sh
+++ b/taskcluster/scripts/misc/build-clang-8-linux.sh
@@ -1,25 +1,23 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-8-linux64.json
+python3 ./build-clang.py -c clang-8-linux64.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-clang-8-mingw.sh
+++ b/taskcluster/scripts/misc/build-clang-8-mingw.sh
@@ -18,17 +18,16 @@ elif [ "$1" == "x64" ]; then
   WRAPPER_FLAGS=""
 else
   echo "Provide either x86 or x64 to specify a toolchain."
   exit 1;
 fi
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 TOOLCHAIN_DIR=$WORKSPACE/moz-toolchain
 INSTALL_DIR=$TOOLCHAIN_DIR/build/stage3/clang
 CROSS_PREFIX_DIR=$INSTALL_DIR/$machine-w64-mingw32
 SRC_DIR=$TOOLCHAIN_DIR/src
 
 make_flags="-j$(nproc)"
 
@@ -284,18 +283,17 @@ build_utils() {
 export PATH=$INSTALL_DIR/bin:$PATH
 
 prepare
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-8-mingw.json --skip-tar
+python3 ./build-clang.py -c clang-8-mingw.json --skip-tar
 
 set -x
 
 pushd $TOOLCHAIN_DIR/build
 
 install_wrappers
 build_mingw
 build_compiler_rt
--- a/taskcluster/scripts/misc/build-clang-macosx.sh
+++ b/taskcluster/scripts/misc/build-clang-macosx.sh
@@ -1,29 +1,27 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Mac OS X on Linux.
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # these variables are used in build-clang.py
 export CROSS_CCTOOLS_PATH=$HOME_DIR/src/cctools
 export CROSS_SYSROOT=$HOME_DIR/src/MacOSX10.11.sdk
 export PATH=$PATH:$CROSS_CCTOOLS_PATH/bin
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-8-macosx64.json
+python3 ./build-clang.py -c clang-8-macosx64.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-clang-tidy-linux.sh
+++ b/taskcluster/scripts/misc/build-clang-tidy-linux.sh
@@ -1,25 +1,23 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-tidy-linux64.json
+python3 ./build-clang.py -c clang-tidy-linux64.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang-tidy.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-clang-tidy-macosx.sh
+++ b/taskcluster/scripts/misc/build-clang-tidy-macosx.sh
@@ -1,29 +1,27 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Mac OS X on Linux.
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 # these variables are used in build-clang.py
 export CROSS_CCTOOLS_PATH=$HOME_DIR/src/cctools
 export CROSS_SYSROOT=$HOME_DIR/src/MacOSX10.11.sdk
 export PATH=$PATH:$CROSS_CCTOOLS_PATH/bin
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-clang
-# |mach python| sets up a virtualenv for us!
-../../mach python ./build-clang.py -c clang-tidy-macosx64.json
+python3 ./build-clang.py -c clang-tidy-macosx64.json
 
 set -x
 
 # Put a tarball in the artifacts dir
 mkdir -p $UPLOAD_DIR
 cp clang-tidy.tar.* $UPLOAD_DIR
--- a/taskcluster/scripts/misc/build-clang-windows-helper64.sh
+++ b/taskcluster/scripts/misc/build-clang-windows-helper64.sh
@@ -34,30 +34,22 @@ export PATH="${VSWINPATH}/VC/bin/Hostx64
 export INCLUDE="${VSWINPATH}/VC/include:${VSWINPATH}/VC/atlmfc/include:${VSWINPATH}/SDK/Include/10.0.17134.0/ucrt:${VSWINPATH}/SDK/Include/10.0.17134.0/shared:${VSWINPATH}/SDK/Include/10.0.17134.0/um:${VSWINPATH}/SDK/Include/10.0.17134.0/winrt:${VSWINPATH}/DIA SDK/include"
 export LIB="${VSWINPATH}/VC/lib/x64:${VSWINPATH}/VC/atlmfc/lib/x64:${VSWINPATH}/SDK/Lib/10.0.17134.0/ucrt/x64:${VSWINPATH}/SDK/Lib/10.0.17134.0/um/x64:${VSWINPATH}/DIA SDK/lib/amd64"
 
 # Add git.exe to the path
 export PATH="$(pwd)/cmd:${PATH}"
 export PATH="$(cd cmake && pwd)/bin:${PATH}"
 export PATH="$(cd ninja && pwd)/bin:${PATH}"
 
-# We use |mach python| to set up a virtualenv automatically for us.  We create
-# a dummy mozconfig, because the default machinery for config.guess-choosing
-# of the objdir doesn't work very well.
-MOZCONFIG="$(pwd)/mozconfig"
-cat > ${MOZCONFIG} <<EOF
-mk_add_options MOZ_OBJDIR=$(pwd)/objdir
-EOF
-
 # gets a bit too verbose here
 set +x
 
 BUILD_CLANG_DIR=build/src/build/build-clang
 cd ${BUILD_CLANG_DIR}
-MOZCONFIG=${MOZCONFIG} ../../mach python ./build-clang.py -c ./${1}
+python3 ./build-clang.py -c ./${1}
 cd -
 
 
 set -x
 
 # Put a tarball in the artifacts dir
 UPLOAD_PATH=public/build
 mkdir -p ${UPLOAD_PATH}
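Review bot: `python3 ./build-clang.py -c ./${1}` now depends on a `python3` executable being on the Windows worker's `PATH`, where the old `mach python` call set up a virtualenv for the script. Whether the worker provides that name is not visible here (Windows Python installs commonly ship `python.exe` only), so it should be confirmed. The config argument is better quoted: `python3 ./build-clang.py -c "./${1}"`.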
--- a/taskcluster/scripts/misc/build-custom-v8.sh
+++ b/taskcluster/scripts/misc/build-custom-v8.sh
@@ -16,17 +16,16 @@ else
 	CONFIG=$(echo $* | tr -d "'")
 fi
 
 echo "Config: $CONFIG"
 echo "Artifact name: $ARTIFACT_NAME"
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 # Setup depot_tools
 git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
 export PATH=$PATH:$HOME_DIR/src/depot_tools
 
 # Get v8 source code and dependencies
--- a/taskcluster/scripts/misc/build-dist-toolchains.sh
+++ b/taskcluster/scripts/misc/build-dist-toolchains.sh
@@ -1,13 +1,12 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for packaging toolchains suitable for use by distributed sccache.
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 TL_NAME="$1"
 
 cd $WORKSPACE/build/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 sccache/sccache --package-toolchain $PWD/$TL_NAME/bin/$TL_NAME $HOME/artifacts/$TL_NAME-dist-toolchain.tar.xz
--- a/taskcluster/scripts/misc/build-gcc-6-linux.sh
+++ b/taskcluster/scripts/misc/build-gcc-6-linux.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -e
 
 # This script is for building GCC 6 for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 root_dir=$HOME_DIR
 data_dir=$HOME_DIR/src/build/unix/build-gcc
 
 . $data_dir/build-gcc.sh
 
 gcc_version=6.4.0
 gcc_ext=xz
--- a/taskcluster/scripts/misc/build-gcc-7-linux.sh
+++ b/taskcluster/scripts/misc/build-gcc-7-linux.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -e
 
 # This script is for building GCC 7 for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 root_dir=$HOME_DIR
 data_dir=$HOME_DIR/src/build/unix/build-gcc
 
 . $data_dir/build-gcc.sh
 
 gcc_version=7.4.0
 gcc_ext=xz
--- a/taskcluster/scripts/misc/build-gcc-8-linux.sh
+++ b/taskcluster/scripts/misc/build-gcc-8-linux.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -e
 
 # This script is for building GCC 7 for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 root_dir=$HOME_DIR
 data_dir=$HOME_DIR/src/build/unix/build-gcc
 
 . $data_dir/build-gcc.sh
 
 gcc_version=8.3.0
 gcc_ext=xz
--- a/taskcluster/scripts/misc/build-gcc-9-linux.sh
+++ b/taskcluster/scripts/misc/build-gcc-9-linux.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -e
 
 # This script is for building GCC 7 for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 root_dir=$HOME_DIR
 data_dir=$HOME_DIR/src/build/unix/build-gcc
 
 . $data_dir/build-gcc.sh
 
 gcc_version=9.1.0
 gcc_ext=xz
--- a/taskcluster/scripts/misc/build-gcc-mingw32.sh
+++ b/taskcluster/scripts/misc/build-gcc-mingw32.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -e
 
 # This script is for building a MinGW GCC (and headers) to be used on Linux to compile for Windows.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 root_dir=$HOME_DIR
 data_dir=$HOME_DIR/src/build/unix/build-gcc
 
 . $data_dir/build-gcc.sh
 
 gcc_version=6.4.0
 gcc_ext=xz
--- a/taskcluster/scripts/misc/build-gcc-sixgill-plugin-linux.sh
+++ b/taskcluster/scripts/misc/build-gcc-sixgill-plugin-linux.sh
@@ -4,17 +4,16 @@ set -e
 set -x
 
 # This script is for building the sixgill GCC plugin for Linux. It relies on
 # the gcc checkout because it needs to recompile gmp and the gcc build script
 # determines the version of gmp to download.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 root_dir=$HOME_DIR
 build_dir=$HOME_DIR/src/build
 data_dir=$HOME_DIR/src/build/unix/build-gcc
 
 # Download and unpack upstream toolchain artifacts (ie, the gcc binary).
 . $(dirname $0)/tooltool-download.sh
 
--- a/taskcluster/scripts/misc/build-gn-linux.sh
+++ b/taskcluster/scripts/misc/build-gn-linux.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -e -v
 
 # This script is for building GN on Linux.
 
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 COMPRESS_EXT=xz
 export CC=$WORKSPACE/build/src/gcc/bin/gcc
 export CXX=$WORKSPACE/build/src/gcc/bin/g++
 export LDFLAGS=-lrt
 
 # Gn build scripts use #!/usr/bin/env python, which will be python 2.6 on
 # the worker and cause failures. Work around this by putting python2.7
 # ahead of it in PATH.
--- a/taskcluster/scripts/misc/build-gn-macosx.sh
+++ b/taskcluster/scripts/misc/build-gn-macosx.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -e -v
 
 # This script is for building GN.
 
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 COMPRESS_EXT=xz
 
 CROSS_CCTOOLS_PATH=$WORKSPACE/build/src/cctools
 CROSS_SYSROOT=$WORKSPACE/build/src/MacOSX10.11.sdk
 
 export CC=$WORKSPACE/build/src/clang/bin/clang
 export CXX=$WORKSPACE/build/src/clang/bin/clang++
 export AR=$WORKSPACE/build/src/clang/bin/llvm-ar
--- a/taskcluster/scripts/misc/build-grcov.sh
+++ b/taskcluster/scripts/misc/build-grcov.sh
@@ -6,17 +6,16 @@ set -x -e -v
 OWNER=marco-c
 PROJECT=grcov
 PROJECT_REVISION=9214a916805838265764f9c69eaed657ea3db021
 
 # This script is for building rust-size
 case "$(uname -s)" in
 Linux)
     WORKSPACE=$HOME/workspace
-    UPLOAD_DIR=$HOME/artifacts
     COMPRESS_EXT=xz
     ;;
 MINGW*)
     WORKSPACE=$PWD
     UPLOAD_DIR=$WORKSPACE/public/build
     WIN_WORKSPACE="$(pwd -W)"
     COMPRESS_EXT=bz2
 
--- a/taskcluster/scripts/misc/build-hfsplus-linux.sh
+++ b/taskcluster/scripts/misc/build-hfsplus-linux.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building hfsplus for Linux.
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 export PATH=$PATH:$HOME_DIR/src/clang/bin
 
 build/unix/build-hfsplus/build-hfsplus.sh $HOME_DIR
--- a/taskcluster/scripts/misc/build-infer-linux.sh
+++ b/taskcluster/scripts/misc/build-infer-linux.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building infer for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 # gets a bit too verbose here
 set +x
 
 cd build/build-infer
 ./build-infer.py -c infer-linux64.json
--- a/taskcluster/scripts/misc/build-libdmg-hfsplus.sh
+++ b/taskcluster/scripts/misc/build-libdmg-hfsplus.sh
@@ -1,17 +1,16 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building libdmg-hfsplus to get the `dmg` and `hfsplus`
 # tools for producing DMG archives on Linux.
 
 WORKSPACE=$HOME/workspace
 STAGE=$WORKSPACE/dmg
-UPLOAD_DIR=$HOME/artifacts
 
 mkdir -p $UPLOAD_DIR $STAGE
 
 cd $MOZ_FETCHES_DIR/libdmg-hfsplus
 
 cmake -DOPENSSL_USE_STATIC_LIBS=1 .
 make -j$(nproc)
 
--- a/taskcluster/scripts/misc/build-llvm-dsymutil.sh
+++ b/taskcluster/scripts/misc/build-llvm-dsymutil.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building clang for Linux.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
-UPLOAD_DIR=$HOME/artifacts
 
 cd $HOME_DIR/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 cd $MOZ_FETCHES_DIR/llvm-project/llvm
 
 mkdir build
--- a/taskcluster/scripts/misc/build-mar-tools.sh
+++ b/taskcluster/scripts/misc/build-mar-tools.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building mar and mbsdiff
 
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 COMPRESS_EXT=xz
 
 cd $WORKSPACE/build/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 export MOZ_OBJDIR=obj-mar
 
--- a/taskcluster/scripts/misc/build-mingw-fxc2-x86.sh
+++ b/taskcluster/scripts/misc/build-mingw-fxc2-x86.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 set -x -e -v
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
 INSTALL_DIR=$WORKSPACE/fxc2
 TOOLTOOL_DIR=$WORKSPACE/build/src
-UPLOAD_DIR=$HOME/artifacts
 
 mkdir -p $INSTALL_DIR/bin
 
 cd $TOOLTOOL_DIR
 . taskcluster/scripts/misc/tooltool-download.sh
 export PATH="$TOOLTOOL_DIR/clang/bin:$PATH"
 
 cd $WORKSPACE
--- a/taskcluster/scripts/misc/build-mingw32-nsis.sh
+++ b/taskcluster/scripts/misc/build-mingw32-nsis.sh
@@ -10,17 +10,16 @@ set -x -e -v
 #   DEBUG: | Error: opening stub "/home/worker/workspace/mingw32/
 #   DEBUG: | Error initalizing CEXEBuild: error setting
 #   ERROR: Failed to get nsis version.
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
 INSTALL_DIR=$WORKSPACE/build/src/mingw32
 TOOLTOOL_DIR=$WORKSPACE/build/src
-UPLOAD_DIR=$HOME/artifacts
 
 mkdir -p $INSTALL_DIR
 
 cd $TOOLTOOL_DIR
 . taskcluster/scripts/misc/tooltool-download.sh
 # After tooltool runs, we move the stuff we just downloaded.
 # As explained above, we have to build nsis to the directory it
 # will eventually be run from, which is the same place we just
--- a/taskcluster/scripts/misc/build-minidump-stackwalk.sh
+++ b/taskcluster/scripts/misc/build-minidump-stackwalk.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for building minidump_stackwalk
 
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 COMPRESS_EXT=xz
 
 cd $WORKSPACE/build/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 export MOZ_OBJDIR=obj-minidump
 
--- a/taskcluster/scripts/misc/build-nasm.sh
+++ b/taskcluster/scripts/misc/build-nasm.sh
@@ -1,14 +1,12 @@
-
 #!/bin/bash
 set -x -e -v
 
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 COMPRESS_EXT=bz2
 
 cd $WORKSPACE/build/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 cd $WORKSPACE/build/nasm-*
 case "$1" in
--- a/taskcluster/scripts/misc/build-rust-size.sh
+++ b/taskcluster/scripts/misc/build-rust-size.sh
@@ -4,17 +4,16 @@ set -x -e -v
 OWNER=luser
 PROJECT=rust-size
 PROJECT_REVISION=ab659d93b1faba95307df952aefe3fbed3583669
 
 # This script is for building rust-size
 case "$(uname -s)" in
 Linux)
     WORKSPACE=$HOME/workspace
-    UPLOAD_DIR=$HOME/artifacts
     COMPRESS_EXT=xz
     ;;
 MINGW*)
     WORKSPACE=$PWD
     UPLOAD_DIR=$WORKSPACE/public/build
     WIN_WORKSPACE="$(pwd -W)"
     COMPRESS_EXT=bz2
 
--- a/taskcluster/scripts/misc/build-sccache.sh
+++ b/taskcluster/scripts/misc/build-sccache.sh
@@ -5,17 +5,16 @@ set -x -e -v
 SCCACHE_REVISION=93475f3458f7776c37b08201ae0d83ecac4b8fa2
 TARGET="$1"
 
 # This script is for building sccache
 
 case "$(uname -s)" in
 Linux)
     WORKSPACE=$HOME/workspace
-    UPLOAD_DIR=$HOME/artifacts
     COMPRESS_EXT=xz
     PATH="$WORKSPACE/build/src/binutils/bin:$PATH"
     ;;
 MINGW*)
     WORKSPACE=$PWD
     UPLOAD_DIR=$WORKSPACE/public/build
     WIN_WORKSPACE="$(pwd -W)"
     COMPRESS_EXT=bz2
--- a/taskcluster/scripts/misc/build-tup-linux.sh
+++ b/taskcluster/scripts/misc/build-tup-linux.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -e -v
 
 # This script is for building tup on Linux.
 
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 COMPRESS_EXT=xz
 export PATH=$WORKSPACE/build/src/gcc/bin:$PATH
 
 cd $WORKSPACE/build/src
 
 . taskcluster/scripts/misc/tooltool-download.sh
 
 cd $MOZ_FETCHES_DIR/tup
--- a/taskcluster/scripts/misc/build-upx.sh
+++ b/taskcluster/scripts/misc/build-upx.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -x -e -v
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
 INSTALL_DIR=$WORKSPACE/upx
-UPLOAD_DIR=$HOME/artifacts
 
 mkdir -p $INSTALL_DIR/bin
 
 cd $WORKSPACE
 
 git clone -n https://github.com/upx/upx.git upx-clone
 cd upx-clone
 # https://github.com/upx/upx/releases/tag/v3.95
--- a/taskcluster/scripts/misc/build-wine.sh
+++ b/taskcluster/scripts/misc/build-wine.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -x -e -v
 
 WORKSPACE=$HOME/workspace
 HOME_DIR=$WORKSPACE/build
 INSTALL_DIR=$WORKSPACE/wine
-UPLOAD_DIR=$HOME/artifacts
 
 mkdir -p $INSTALL_DIR
 
 cd $HOME_DIR
 
 # --------------
 cd wine-3.0.3
 ./configure --prefix=$INSTALL_DIR/
--- a/taskcluster/scripts/misc/repack-node.sh
+++ b/taskcluster/scripts/misc/repack-node.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 set -x -e -v
 
 # This script is for repacking Node (and NPM) from nodejs.org.
 
 WORKSPACE=$HOME/workspace
-UPLOAD_DIR=$HOME/artifacts
 SUFFIX=tar.xz
 UNARCHIVE="tar xaf"
 REPACK_TAR_COMPRESSION_SWITCH=J
 REPACK_SUFFIX=tar.xz
 
 case "$1" in
 linux64)
     ARCH=linux-x64
--- a/taskcluster/scripts/misc/source-test-common.sh
+++ b/taskcluster/scripts/misc/source-test-common.sh
@@ -1,20 +1,22 @@
 #! /bin/bash -vex
 
 set -x -e
 
 export MOZBUILD_STATE_PATH=$HOME/workspace
 
 # Setup toolchains
-cd $MOZBUILD_STATE_PATH
+pushd $MOZBUILD_STATE_PATH
 $HOME/checkouts/gecko/mach artifact toolchain -v $MOZ_TOOLCHAINS
 
 # Add toolchain binaries to PATH to run ./mach configure
 export PATH=$MOZBUILD_STATE_PATH/clang/bin:$PATH
 export PATH=$MOZBUILD_STATE_PATH/rustc/bin:$PATH
 export PATH=$MOZBUILD_STATE_PATH/cbindgen:$PATH
 export PATH=$MOZBUILD_STATE_PATH/nasm:$PATH
 export PATH=$MOZBUILD_STATE_PATH/node/bin:$PATH
 
 # Use clang as host compiler
 export CC=$MOZBUILD_STATE_PATH/clang/bin/clang
 export CXX=$MOZBUILD_STATE_PATH/clang/bin/clang++
+
+popd
--- a/taskcluster/scripts/run-task
+++ b/taskcluster/scripts/run-task
@@ -102,22 +102,25 @@ IS_WINDOWS = os.name == 'nt'
 def print_line(prefix, m):
     now = datetime.datetime.utcnow().isoformat().encode('utf-8')
     # slice microseconds to 3 decimals.
     now = now[:-3] if now[-7:-6] == b'.' else now
     sys.stdout.buffer.write(b'[%s %sZ] %s' % (prefix, now, m))
     sys.stdout.buffer.flush()
 
 
-def run_and_prefix_output(prefix, args, extra_env=None):
+def run_and_prefix_output(prefix, args, *, extra_env=None, cwd=None):
     """Runs a process and prefixes its output with the time.
 
     Returns the process exit code.
     """
-    print_line(prefix, b'executing %r\n' % args)
+    print_line(
+        prefix,
+        b"executing %r%s\n" % (args, b"in %s" % (cwd.encode("utf-8"),) if cwd else b""),
+    )
 
     env = dict(os.environ)
     env.update(extra_env or {})
 
     # Note: TaskCluster's stdin is a TTY. This attribute is lost
     # when we pass sys.stdin to the invoked process. If we cared
     # to preserve stdin as a TTY, we could make this work. But until
     # someone needs it, don't bother.
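Review bot: The new log line prints the working directory with no separator: `%r%s` is followed by `b"in %s"`, so the output reads `executing [...]in /path`. Changing the literal to `b" in %s"` fixes it. The body of `run_and_prefix_output` continues past this hunk.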
@@ -131,17 +134,18 @@ def run_and_prefix_output(prefix, args, 
     p = subprocess.Popen(args,
                          # Disable buffering because we want to receive output
                          # as it is generated so timestamps in logs are
                          # accurate.
                          bufsize=0,
                          stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT,
                          stdin=sys.stdin.fileno(),
-                         env=env)
+                         env=env,
+                         cwd=cwd)
 
     stdout = io.TextIOWrapper(p.stdout, encoding='latin1')
 
     while True:
         data = stdout.readline().encode('latin1')
 
         if data == b'':
             break
@@ -664,16 +668,17 @@ def main(args):
         task_args = args[i + 1:]
     except ValueError:
         our_args = args
         task_args = []
 
     parser = argparse.ArgumentParser()
     parser.add_argument('--user', default='worker', help='user to run as')
     parser.add_argument('--group', default='worker', help='group to run as')
+    parser.add_argument('--task-cwd', help='directory to run the provided command in')
 
     add_vcs_arguments(parser, 'gecko', 'Firefox')
     add_vcs_arguments(parser, 'comm', 'Comm')
 
     parser.add_argument('--fetch-hgfingerprint', action='store_true',
                         help='Fetch the latest hgfingerprint from the secrets store, '
                         'using the taskclsuerProxy')
 
@@ -824,27 +829,27 @@ def main(args):
         os.umask(0o22)
         os.setresgid(gid, gid, gid)
         os.setresuid(uid, uid, uid)
 
     vcs_checkout_from_args(args, 'gecko')
     vcs_checkout_from_args(args, 'comm')
 
     try:
-        for k in ('GECKO_PATH', 'MOZ_FETCHES_DIR'):
+        for k in ('GECKO_PATH', 'MOZ_FETCHES_DIR', 'UPLOAD_DIR'):
             if k in os.environ:
                 os.environ[k] = os.path.abspath(os.environ[k])
                 print_line(b'setup', b'%s is %s\n' % (
                     k.encode('utf-8'),
                     os.environ[k].encode('utf-8')))
 
         if 'MOZ_FETCHES' in os.environ:
             fetch_artifacts()
 
-        return run_and_prefix_output(b'task', task_args)
+        return run_and_prefix_output(b'task', task_args, cwd=args.task_cwd)
     finally:
         fetches_dir = os.environ.get('MOZ_FETCHES_DIR')
         if fetches_dir and os.path.isdir(fetches_dir):
             print_line(b'fetches', b'removing %s\n' % fetches_dir.encode('utf-8'))
             shutil.rmtree(fetches_dir)
             print_line(b'fetches', b'finished\n')
 
 
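Review bot: `args.task_cwd` is handed to `run_and_prefix_output` exactly as given, unlike `GECKO_PATH`, `MOZ_FETCHES_DIR` and `UPLOAD_DIR` a few lines above, which are made absolute and logged. A relative value is resolved against whatever directory run-task is in at that moment, and a missing directory surfaces only as an exception from `subprocess.Popen`. A check at this point runs after the `os.setresuid` call at the top of the hunk (when that branch applies), so it sees the task user's permissions: `if args.task_cwd and not os.path.isdir(args.task_cwd):` followed by a `print_line(b'setup', ...)` message and a non-zero return. `main` starts and ends outside this hunk.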
--- a/taskcluster/taskgraph/transforms/final_verify.py
+++ b/taskcluster/taskgraph/transforms/final_verify.py
@@ -21,16 +21,16 @@ def add_command(config, tasks):
         final_verify_configs = []
         for upstream in task.get("dependencies", {}).keys():
             if 'update-verify-config' in upstream:
                 final_verify_configs.append(
                     "<{}/public/build/update-verify.cfg>".format(upstream),
                 )
         task['run'] = {
             'using': 'run-task',
+            'cwd': '{checkout}',
             'command': {
-                'artifact-reference': 'cd /builds/worker/checkouts/gecko && '
-                                      'tools/update-verify/release/final-verification.sh '
+                'artifact-reference': 'tools/update-verify/release/final-verification.sh '
                                       + ' '.join(final_verify_configs),
             },
             'sparse-profile': 'update-verify',
         }
         yield task
--- a/taskcluster/taskgraph/transforms/job/common.py
+++ b/taskcluster/taskgraph/transforms/job/common.py
@@ -79,17 +79,19 @@ def add_artifacts(config, job, taskdesc,
         'name': get_artifact_prefix(taskdesc),
         'path': path,
         'type': 'directory',
     })
 
 
 def docker_worker_add_artifacts(config, job, taskdesc):
     """ Adds an artifact directory to the task """
-    add_artifacts(config, job, taskdesc, path='{workdir}/artifacts/'.format(**job['run']))
+    path = '{workdir}/artifacts/'.format(**job['run'])
+    taskdesc['worker']['env']['UPLOAD_DIR'] = path
+    add_artifacts(config, job, taskdesc, path)
 
 
 def generic_worker_add_artifacts(config, job, taskdesc):
     """ Adds an artifact directory to the task """
     # The path is the location on disk; it doesn't necessarily
     # mean the artifacts will be public or private; that is set via the name
     # attribute in add_artifacts.
     add_artifacts(config, job, taskdesc, path=get_artifact_prefix(taskdesc))
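Review bot: `UPLOAD_DIR` is exported only as a side effect of `docker_worker_add_artifacts`, and in this same changeset `docker_worker_toolchain` calls it only for jobs that do not already list a `public/build` artifact. The build scripts (build-libdmg-hfsplus.sh, build-upx.sh, build-wine.sh and the others touched here) dropped their own `UPLOAD_DIR=$HOME/artifacts` default. A job on the other branch would run them with the variable unset, and under `set -e` without `-u` an unset `$UPLOAD_DIR` silently expands to nothing, as in `mkdir -p $UPLOAD_DIR $STAGE`. Whether any job takes that branch is not visible here. A guard such as `: "${UPLOAD_DIR:?must be set by the task definition}"` near the top of each script would turn the implicit dependency into an explicit failure.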
--- a/taskcluster/taskgraph/transforms/job/mach.py
+++ b/taskcluster/taskgraph/transforms/job/mach.py
@@ -45,22 +45,23 @@ def configure_mach(config, job, taskdesc
 
     additional_prefix = []
     if job['worker-type'].endswith('1014'):
         additional_prefix = [
             'LC_ALL=en_US.UTF-8',
             'LANG=en_US.UTF-8'
         ]
 
-    command_prefix = ' '.join(['cd $GECKO_PATH'] + additional_prefix + ['&& ./mach '])
+    command_prefix = ' '.join(additional_prefix + ['./mach '])
 
     mach = run['mach']
     if isinstance(mach, dict):
         ref, pattern = next(iter(mach.items()))
         command = {ref: command_prefix + pattern}
     else:
         command = command_prefix + mach
 
     # defer to the run_task implementation
     run['command'] = command
+    run['cwd'] = '{checkout}'
     run['using'] = 'run-task'
     del run['mach']
     configure_taskdesc_for_run(config, job, taskdesc, job['worker']['implementation'])
--- a/taskcluster/taskgraph/transforms/job/mozharness.py
+++ b/taskcluster/taskgraph/transforms/job/mozharness.py
@@ -169,17 +169,16 @@ def mozharness_on_docker_worker_setup(co
         'MOZHARNESS_CONFIG': ' '.join(run.pop('config')),
         'MOZHARNESS_SCRIPT': run.pop('script'),
         'MH_BRANCH': config.params['project'],
         'MOZ_SOURCE_CHANGESET': get_branch_rev(config),
         'MOZ_SOURCE_REPO': get_branch_repo(config),
         'MH_BUILD_POOL': 'taskcluster',
         'MOZ_BUILD_DATE': config.params['moz_build_date'],
         'MOZ_SCM_LEVEL': config.params['level'],
-        'MOZ_AUTOMATION': '1',
         'PYTHONUNBUFFERED': '1',
     })
 
     if 'actions' in run:
         env['MOZHARNESS_ACTIONS'] = ' '.join(run.pop('actions'))
 
     if 'options' in run:
         env['MOZHARNESS_OPTIONS'] = ' '.join(run.pop('options'))
@@ -262,17 +261,16 @@ def mozharness_on_generic_worker(config,
     })
     if not worker.get('skip-artifacts', False):
         generic_worker_add_artifacts(config, job, taskdesc)
 
     env = worker['env']
     env.update({
         'MOZ_BUILD_DATE': config.params['moz_build_date'],
         'MOZ_SCM_LEVEL': config.params['level'],
-        'MOZ_AUTOMATION': '1',
         'MH_BRANCH': config.params['project'],
         'MOZ_SOURCE_CHANGESET': get_branch_rev(config),
         'MOZ_SOURCE_REPO': get_branch_repo(config),
     })
     if run.pop('use-simple-package'):
         env.update({'MOZ_SIMPLE_PACKAGE_NAME': 'target'})
 
     if 'extra-config' in run:
--- a/taskcluster/taskgraph/transforms/job/mozharness_test.py
+++ b/taskcluster/taskgraph/transforms/job/mozharness_test.py
@@ -106,17 +106,16 @@ def mozharness_test_on_docker(config, jo
     env.update({
         'MOZHARNESS_CONFIG': ' '.join(mozharness['config']),
         'MOZHARNESS_SCRIPT': mozharness['script'],
         'MOZILLA_BUILD_URL': {'task-reference': installer_url},
         'NEED_PULSEAUDIO': 'true',
         'NEED_WINDOW_MANAGER': 'true',
         'NEED_COMPIZ': 'true',
         'ENABLE_E10S': str(bool(test.get('e10s'))).lower(),
-        'MOZ_AUTOMATION': '1',
         'WORKING_DIR': '/builds/worker',
     })
 
     # by default, require compiz unless proven otherwise, hence a whitelist.
     # See https://bugzilla.mozilla.org/show_bug.cgi?id=1552563
     # if using regex this list can be shortened greatly.
     suites_not_need_compiz = [
         'mochitest-webgl1-core',
@@ -283,17 +282,16 @@ def mozharness_test_on_generic_worker(co
 
     if test['reboot']:
         raise Exception('reboot: {} not supported on generic-worker'.format(test['reboot']))
 
     worker['max-run-time'] = test['max-run-time']
     worker['artifacts'] = artifacts
 
     env = worker.setdefault('env', {})
-    env['MOZ_AUTOMATION'] = '1'
     env['GECKO_HEAD_REPOSITORY'] = config.params['head_repository']
     env['GECKO_HEAD_REV'] = config.params['head_rev']
 
     # this list will get cleaned up / reduced / removed in bug 1354088
     if is_macosx:
         env.update({
             'IDLEIZER_DISABLE_SHUTDOWN': 'true',
             'LANG': 'en_US.UTF-8',
@@ -463,17 +461,16 @@ def mozharness_test_on_script_engine_aut
         'MOZHARNESS_SCRIPT': mozharness['script'],
         'MOZHARNESS_URL': {'task-reference': mozharness_url},
         'MOZILLA_BUILD_URL': {'task-reference': installer_url},
         "MOZ_NO_REMOTE": '1',
         "XPCOM_DEBUG_BREAK": 'warn',
         "NO_FAIL_ON_TEST_ERRORS": '1',
         "MOZ_HIDE_RESULTS_TABLE": '1',
         "MOZ_NODE_PATH": "/usr/local/bin/node",
-        'MOZ_AUTOMATION': '1',
         'WORKING_DIR': '/builds/worker',
         'WORKSPACE': '/builds/worker/workspace',
         'TASKCLUSTER_WORKER_TYPE': job['worker-type'],
     }
 
     # for fetch tasks on mobile
     if 'env' in job['worker'] and 'MOZ_FETCHES' in job['worker']['env']:
         env['MOZ_FETCHES'] = job['worker']['env']['MOZ_FETCHES']
--- a/taskcluster/taskgraph/transforms/job/run_task.py
+++ b/taskcluster/taskgraph/transforms/job/run_task.py
@@ -2,16 +2,20 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 """
 Support for running jobs that are invoked via the `run-task` script.
 """
 
 from __future__ import absolute_import, print_function, unicode_literals
 
+from six import text_type
+
+from mozpack import path
+
 from taskgraph.transforms.task import taskref_or_string
 from taskgraph.transforms.job import run_job_using
 from taskgraph.util.schema import Schema
 from taskgraph.transforms.job.common import (
         docker_worker_add_tooltool,
         support_vcs_checkout
 )
 from voluptuous import Any, Optional, Required
@@ -25,16 +29,22 @@ run_task_schema = Schema({
     Required('cache-dotcache'): bool,
 
     # Whether or not to use caches.
     Optional('use-caches'): bool,
 
     # if true (the default), perform a checkout of gecko on the worker
     Required('checkout'): bool,
 
+    Optional(
+        "cwd",
+        description="Path to run command in. If a checkout is present, the path "
+        "to the checkout will be interpolated with the key `checkout`",
+    ): text_type,
+
     # The sparse checkout profile to use. Value is the filename relative to the
     # directory where sparse profiles are defined (build/sparse-profiles/).
     Required('sparse-profile'): Any(basestring, None),
 
     # if true, perform a checkout of a comm-central based branch inside the
     # gecko checkout
     Required('comm-checkout'): bool,
 
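Review bot: The new `cwd` key is validated as `text_type`, while the neighbouring `sparse-profile` key accepts `basestring`, so under Python 2 a byte-string `cwd` would be rejected where other string keys in this schema would pass. If callers can supply a plain `str` (not visible from this hunk), `): basestring,` keeps the schema consistent. The entry also documents itself through `description=` where the rest of the schema uses a leading `#` comment; either style is fine, but one per file reads better.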
@@ -105,25 +115,38 @@ def docker_worker_run_task(config, job, 
         worker['caches'].append({
             'type': 'persistent',
             'name': '{project}-dotcache'.format(**config.params),
             'mount-point': '{workdir}/.cache'.format(**run),
             'skip-untrusted': True,
         })
 
     run_command = run['command']
+    run_cwd = run.get('cwd')
+    if run_cwd and run['checkout']:
+        run_cwd = path.normpath(run_cwd.format(checkout=taskdesc['worker']['env']['GECKO_PATH']))
+    elif run_cwd and "{checkout}" in run_cwd:
+        raise Exception(
+            "Found `{{checkout}}` interpolation in `cwd` for task {name} "
+            "but the task doesn't have a checkout: {cwd}".format(
+                cwd=run_cwd, name=job.get("name", job.get("label"))
+            )
+        )
+
     # dict is for the case of `{'task-reference': basestring}`.
     if isinstance(run_command, (basestring, dict)):
         run_command = ['bash', '-cx', run_command]
     if run['comm-checkout']:
         command.append('--comm-checkout={}/comm'.format(
             taskdesc['worker']['env']['GECKO_PATH']))
     command.append('--fetch-hgfingerprint')
     if run['run-as-root']:
         command.extend(('--user', 'root', '--group', 'root'))
+    if run_cwd:
+        command.extend(('--task-cwd', run_cwd))
     command.append('--')
     command.extend(run_command)
     worker['command'] = command
 
 
 @run_job_using("generic-worker", "run-task", schema=run_task_schema, defaults=worker_defaults)
 def generic_worker_run_task(config, job, taskdesc):
     run = job['run']
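Review bot: The `cwd` resolution block added here is repeated line for line in `generic_worker_run_task` in the next hunk, so the two copies can drift apart. A small module-level helper that takes `run`, `job` and `taskdesc` and returns the resolved path or `None` would keep the `{checkout}` rule in one place, leaving each caller with `run_cwd = resolve_cwd(run, job, taskdesc)` (the helper name is only a suggestion). Separately, `run_cwd.format(checkout=...)` treats every brace in the configured path as a format field, so a `cwd` containing any other `{...}` fails with a bare `KeyError` rather than the descriptive exception raised in the `elif` branch. `docker_worker_run_task` begins outside this hunk.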
@@ -159,27 +182,40 @@ def generic_worker_run_task(config, job,
         worker['mounts'].append({
             'content': {
                 'url': script_url(config, 'misc/fetch-content'),
             },
             'file': './fetch-content',
         })
 
     run_command = run['command']
+    run_cwd = run.get('cwd')
+    if run_cwd and run['checkout']:
+        run_cwd = path.normpath(run_cwd.format(checkout=taskdesc['worker']['env']['GECKO_PATH']))
+    elif run_cwd and "{checkout}" in run_cwd:
+        raise Exception(
+            "Found `{{checkout}}` interpolation in `cwd` for task {name} "
+            "but the task doesn't have a checkout: {cwd}".format(
+                cwd=run_cwd, name=job.get("name", job.get("label"))
+            )
+        )
+
     if isinstance(run_command, basestring):
         if is_win:
             run_command = '"{}"'.format(run_command)
         run_command = ['bash', '-cx', run_command]
 
     if run['comm-checkout']:
         command.append('--comm-checkout={}/comm'.format(
             taskdesc['worker']['env']['GECKO_PATH']))
 
     if run['run-as-root']:
         command.extend(('--user', 'root', '--group', 'root'))
+    if run_cwd:
+        command.extend(('--task-cwd', run_cwd))
     command.append('--')
     if is_bitbar:
         # Use the bitbar wrapper script which sets up the device and adb
         # environment variables
         command.append('/builds/taskcluster/script.py')
     command.extend(run_command)
 
     if is_win:
--- a/taskcluster/taskgraph/transforms/job/toolchain.py
+++ b/taskcluster/taskgraph/transforms/job/toolchain.py
@@ -3,28 +3,27 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 """
 Support for running toolchain-building jobs via dedicated scripts
 """
 
 from __future__ import absolute_import, print_function, unicode_literals
 
 from mozbuild.shellutil import quote as shell_quote
+from mozpack import path
 
 from taskgraph.util.schema import Schema
 from voluptuous import Optional, Required, Any
 
 from taskgraph.transforms.job import (
     configure_taskdesc_for_run,
     run_job_using,
 )
 from taskgraph.transforms.job.common import (
     docker_worker_add_artifacts,
-    docker_worker_add_tooltool,
-    support_vcs_checkout,
 )
 from taskgraph.util.hash import hash_paths
 from taskgraph import GECKO
 import taskgraph
 
 
 CACHE_TYPE = 'toolchains.v3'
 
@@ -108,88 +107,69 @@ toolchain_defaults = {
 }
 
 
 @run_job_using("docker-worker", "toolchain-script",
                schema=toolchain_run_schema, defaults=toolchain_defaults)
 def docker_worker_toolchain(config, job, taskdesc):
     run = job['run']
 
-    worker = taskdesc['worker']
+    worker = taskdesc['worker'] = job['worker']
     worker['chain-of-trust'] = True
 
     # If the task doesn't have a docker-image, set a default
     worker.setdefault('docker-image', {'in-tree': 'toolchain-build'})
 
     # Allow the job to specify where artifacts come from, but add
     # public/build if it's not there already.
     artifacts = worker.setdefault('artifacts', [])
     if not any(artifact.get('name') == 'public/build' for artifact in artifacts):
         docker_worker_add_artifacts(config, job, taskdesc)
 
-    support_vcs_checkout(config, job, taskdesc, sparse=('sparse-profile' in run))
-
     # Toolchain checkouts don't live under {workdir}/checkouts
     workspace = '{workdir}/workspace/build'.format(**run)
     gecko_path = '{}/src'.format(workspace)
 
     env = worker['env']
     env.update({
         'MOZ_BUILD_DATE': config.params['moz_build_date'],
         'MOZ_SCM_LEVEL': config.params['level'],
-        'TOOLS_DISABLE': 'true',
-        'MOZ_AUTOMATION': '1',
         'MOZ_FETCHES_DIR': workspace,
         'GECKO_PATH': gecko_path,
     })
 
-    if run['tooltool-downloads']:
-        internal = run['tooltool-downloads'] == 'internal'
-        docker_worker_add_tooltool(config, job, taskdesc, internal=internal)
-
-    # Use `mach` to invoke python scripts so in-tree libraries are available.
-    if run['script'].endswith('.py'):
-        wrapper = '{}/mach python '.format(gecko_path)
-    else:
-        wrapper = ''
-
-    args = run.get('arguments', '')
-    if args:
-        args = ' ' + shell_quote(*args)
-
-    sparse_profile = []
-    if run.get('sparse-profile'):
-        sparse_profile = ['--gecko-sparse-profile=build/sparse-profiles/{}'
-                          .format(run['sparse-profile'])]
-
-    worker['command'] = [
-        '{workdir}/bin/run-task'.format(**run),
-        '--gecko-checkout={}'.format(gecko_path),
-    ] + sparse_profile + [
-        '--',
-        'bash',
-        '-c',
-        'cd {} && '
-        '{}workspace/build/src/taskcluster/scripts/misc/{}{}'.format(
-            run['workdir'], wrapper, run['script'], args)
-    ]
-
     attributes = taskdesc.setdefault('attributes', {})
-    attributes['toolchain-artifact'] = run['toolchain-artifact']
+    attributes['toolchain-artifact'] = run.pop('toolchain-artifact')
     if 'toolchain-alias' in run:
-        attributes['toolchain-alias'] = run['toolchain-alias']
+        attributes['toolchain-alias'] = run.pop('toolchain-alias')
 
     if not taskgraph.fast:
         name = taskdesc['label'].replace('{}-'.format(config.kind), '', 1)
         taskdesc['cache'] = {
             'type': CACHE_TYPE,
             'name': name,
             'digest-data': get_digest_data(config, run, taskdesc),
         }
 
+    # Use `mach` to invoke python scripts so in-tree libraries are available.
+    if run['script'].endswith('.py'):
+        wrapper = [path.join(gecko_path, 'mach'), 'python']
+    else:
+        wrapper = []
+
+    run['using'] = 'run-task'
+    run['cwd'] = run['workdir']
+    run["command"] = (
+        wrapper
+        + ["workspace/build/src/taskcluster/scripts/misc/{}".format(run.pop("script"))]
+        + run.pop("arguments", [])
+    )
+
+    configure_taskdesc_for_run(config, job, taskdesc, worker['implementation'])
+
 
 @run_job_using("generic-worker", "toolchain-script",
                schema=toolchain_run_schema, defaults=toolchain_defaults)
 def windows_toolchain(config, job, taskdesc):
     run = job['run']
 
     worker = taskdesc['worker'] = job['worker']
 
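Review bot: The script is addressed by the relative literal `workspace/build/src/taskcluster/scripts/misc/...`, which repeats the layout already held in `gecko_path` and only resolves because `run['cwd']` is set to `run['workdir']`, whereas the `mach` wrapper just above uses the absolute `path.join(gecko_path, 'mach')`. Building the script path the same way, `path.join(gecko_path, 'taskcluster/scripts/misc', run.pop('script'))`, removes that hidden coupling between the command and the working directory. `run.pop("arguments", [])` is concatenated onto a list, so it relies on the schema guaranteeing a list of strings there; the schema is outside this hunk and worth confirming, since the old code passed the arguments through `shell_quote` and the new argv form passes them verbatim.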
@@ -203,17 +183,16 @@ def windows_toolchain(config, job, taskd
     # all sorts of problems with toolchain tasks, disable them until
     # tasks are ready.
     run['use-caches'] = False
 
     env = worker['env']
     env.update({
         'MOZ_BUILD_DATE': config.params['moz_build_date'],
         'MOZ_SCM_LEVEL': config.params['level'],
-        'MOZ_AUTOMATION': '1',
     })
 
     # Use `mach` to invoke python scripts so in-tree libraries are available.
     if run['script'].endswith('.py'):
         raise NotImplementedError("Python scripts don't work on Windows")
 
     args = run.get('arguments', '')
     if args:
--- a/taskcluster/taskgraph/transforms/update_verify.py
+++ b/taskcluster/taskgraph/transforms/update_verify.py
@@ -39,18 +39,18 @@ def add_command(config, tasks):
                 chunked["treeherder"]["symbol"], this_chunk)
             chunked["label"] = "release-update-verify-{}-{}/{}".format(
                 chunked["name"], this_chunk, total_chunks
             )
             if not chunked["worker"].get("env"):
                 chunked["worker"]["env"] = {}
             chunked["run"] = {
                 'using': 'run-task',
-                'command': 'cd /builds/worker/checkouts/gecko && '
-                           'tools/update-verify/scripts/chunked-verify.sh '
+                'cwd': '{checkout}',
+                'command': 'tools/update-verify/scripts/chunked-verify.sh '
                            '{} {}'.format(
                                total_chunks,
                                this_chunk,
                            ),
                 'sparse-profile': 'update-verify',
             }
 
             yield chunked