05fdb767cc4ef307e530d6f9bd5e9d6c69c93347
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-15  Robin Morisset  <rmorisset@apple.com>
2         CodeBlock::jettison should clear related watchpoints
3         https://bugs.webkit.org/show_bug.cgi?id=194544
4
5         Reviewed by Mark Lam.
6
7         * stress/regexp-replace-double-watchpoint.js: Added.
8         (foo):
9
10 2019-02-15  Saam barati  <sbarati@apple.com>
11
12         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
13         https://bugs.webkit.org/show_bug.cgi?id=194036
14
15         Reviewed by Yusuke Suzuki.
16
17         * stress/tail-call-many-arguments.js: Added.
18         (foo):
19         (bar):
20
21 2019-02-14  Saam Barati  <sbarati@apple.com>
22
23         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
24         https://bugs.webkit.org/show_bug.cgi?id=194583
25         <rdar://problem/48028140>
26
27         Reviewed by Yusuke Suzuki.
28
29         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
30
31 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
32
33         [JSC] String.fromCharCode's slow path always generates 16bit string
34         https://bugs.webkit.org/show_bug.cgi?id=194466
35
36         Reviewed by Keith Miller.
37
38         * stress/string-from-char-code-slow-path.js: Added.
39         (shouldBe):
40         (testWithLength):
41
42 2019-02-08  Saam barati  <sbarati@apple.com>
43
44         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
45         https://bugs.webkit.org/show_bug.cgi?id=194334
46         <rdar://problem/47844327>
47
48         Reviewed by Mark Lam.
49
50         * stress/check-in-bounds-should-be-a-child-use.js: Added.
51         (func):
52
53 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
54
55         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
56         https://bugs.webkit.org/show_bug.cgi?id=194369
57         <rdar://problem/47813087>
58
59         Reviewed by Saam Barati.
60
61         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
62         (A):
63
64 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
65
66         [JSC] PrivateName to PublicName hash table is wasteful
67         https://bugs.webkit.org/show_bug.cgi?id=194277
68
69         Reviewed by Michael Saboff.
70
71         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
72
73         * ChakraCore.yaml:
74
75 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
76
77         [ARM] Test running out of executable memory
78         https://bugs.webkit.org/show_bug.cgi?id=194285
79
80         Unreviewed. Do not execute test with LLInt disabled, test runs out of
81         executable memory otherwise.
82
83         * stress/class-subclassing-function.js:
84
85 2019-02-04  Robin Morisset  <rmorisset@apple.com>
86
87         when lowering AssertNotEmpty, create the value before creating the patchpoint
88         https://bugs.webkit.org/show_bug.cgi?id=194231
89
90         Reviewed by Saam Barati.
91
92         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
93         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
94         So even tiny changes to this test can change the code path taken.
95
96         * stress/assert-not-empty.js: Added.
97         (foo):
98
99 2019-02-01  Mark Lam  <mark.lam@apple.com>
100
101         Remove invalid assertion in DFG's compileDoubleRep().
102         https://bugs.webkit.org/show_bug.cgi?id=194130
103         <rdar://problem/47699474>
104
105         Reviewed by Saam Barati.
106
107         * stress/constant-fold-double-rep-into-double-constant.js: Added.
108
109 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
110
111         Import latest Test262 updates.
112
113         Rubber-stamped by Keith Miller.
114
115         * test262.yaml: Deleted.
116         * test262/config.yaml:
117         * test262/expectations.yaml:
118         * test262/latest-changes-summary.txt:
119         * test262/test/:
120         * test262/test262-Revision.txt:
121
122 2019-01-30  Robin Morisset  <rmorisset@apple.com>
123
124         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
125         https://bugs.webkit.org/show_bug.cgi?id=194050
126         <rdar://problem/47595592>
127
128         Reviewed by Yusuke Suzuki.
129
130         * stress/object-keys-osr-exit.js: Added.
131         (foo):
132         (catch):
133
134 2019-01-29  Mark Lam  <mark.lam@apple.com>
135
136         ValueRecovery::recover() should purify NaN values it recovers.
137         https://bugs.webkit.org/show_bug.cgi?id=193978
138         <rdar://problem/47625488>
139
140         Reviewed by Saam Barati.
141
142         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
143
144 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
145
146         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
147         https://bugs.webkit.org/show_bug.cgi?id=193713
148
149         * stress/try-get-by-id-should-spill-registers-dfg.js:
150         (let.f.createBuiltin):
151
152 2019-01-28  Mark Lam  <mark.lam@apple.com>
153
154         ToString node actually does GC.
155         https://bugs.webkit.org/show_bug.cgi?id=193920
156         <rdar://problem/46695900>
157
158         Reviewed by Yusuke Suzuki.
159
160         * stress/dfg-to-string-on-int-does-gc.js: Added.
161         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
162         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
163
164 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
165
166         [JSC] NativeErrorConstructor should not have own IsoSubspace
167         https://bugs.webkit.org/show_bug.cgi?id=193713
168
169         Reviewed by Saam Barati.
170
171         Remove @Error use.
172
173         * stress/try-get-by-id-should-spill-registers-dfg.js:
174         (let.f.createBuiltin):
175
176 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
177
178         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
179         https://bugs.webkit.org/show_bug.cgi?id=190693
180
181         Reviewed by Michael Saboff.
182
183         * stress/regress-190693.js: Added.
184         (truth):
185         (assert):
186         (shouldThrowInvalidConstAssignment):
187         (taz):
188
189 2019-01-24  Saam Barati  <sbarati@apple.com>
190
191         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
192         https://bugs.webkit.org/show_bug.cgi?id=193751
193         <rdar://problem/47280215>
194
195         Reviewed by Michael Saboff.
196
197         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
198         (let.thing):
199         (foo.let.hello):
200         (foo):
201
202 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
203
204         [JSC] Reenable baseline JIT on mips
205         https://bugs.webkit.org/show_bug.cgi?id=192983
206
207         Reviewed by Mark Lam.
208
209         Added a new test for a case that was triggering a RELEASE_ASSERT when
210         testing.
211         Disable some slow tests that were already disabled for arm and x86.
212
213         * stress/json-parse-big-object.js: Added.
214         * stress/new-largeish-contiguous-array-with-size.js:
215         * stress/op_add.js:
216         * stress/op_bitand.js:
217         * stress/op_bitor.js:
218         * stress/op_bitxor.js:
219         * stress/op_lshift-ConstVar.js:
220         * stress/op_lshift-VarConst.js:
221         * stress/op_lshift-VarVar.js:
222         * stress/op_mod-ConstVar.js:
223         * stress/op_mod-VarConst.js:
224         * stress/op_mod-VarVar.js:
225         * stress/op_mul-ConstVar.js:
226         * stress/op_mul-VarConst.js:
227         * stress/op_mul-VarVar.js:
228         * stress/op_rshift-ConstVar.js:
229         * stress/op_rshift-VarConst.js:
230         * stress/op_rshift-VarVar.js:
231         * stress/op_sub-ConstVar.js:
232         * stress/op_sub-VarConst.js:
233         * stress/op_sub-VarVar.js:
234         * stress/op_urshift-ConstVar.js:
235         * stress/op_urshift-VarConst.js:
236         * stress/op_urshift-VarVar.js:
237         * stress/sampling-profiler-richards.js:
238         * stress/spread-forward-call-varargs-stack-overflow.js:
239
240 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
241
242         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
243         https://bugs.webkit.org/show_bug.cgi?id=193711
244         <rdar://problem/47250262>
245
246         Reviewed by Saam Barati.
247
248         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
249         (shouldBe):
250         (foo):
251         (bar):
252         (baz):
253
254 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
255
256         Unreviewed, fix initial global lexical binding epoch
257         https://bugs.webkit.org/show_bug.cgi?id=193603
258         <rdar://problem/47380869>
259
260         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
261         (f1.f2.f3.f4):
262         (f1.f2.f3):
263         (f1.f2):
264         (f1):
265
266 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
267
268         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
269         https://bugs.webkit.org/show_bug.cgi?id=193709
270         <rdar://problem/47363838>
271
272         Unreviewed, rollout to watch the tests.
273
274         * stress/object-tostring-changed-proto.js: Removed.
275         * stress/object-tostring-changed.js: Removed.
276         * stress/object-tostring-misc.js: Removed.
277         * stress/object-tostring-other.js: Removed.
278         * stress/object-tostring-untyped.js: Removed.
279
280 2019-01-22  Saam Barati  <sbarati@apple.com>
281
282         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
283
284         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
285         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
286         (testUncheckedLessThanZero):
287         (testUncheckedLessThanOrEqualZero):
288         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
289         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
290
291 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
292
293         [JSC] Invalidate old scope operations using global lexical binding epoch
294         https://bugs.webkit.org/show_bug.cgi?id=193603
295         <rdar://problem/47380869>
296
297         Reviewed by Saam Barati.
298
299         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
300         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
301         (shouldThrow):
302         (bar):
303         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
304         (shouldBe):
305         (get1):
306         (get2):
307         (get1If):
308         (get2If):
309         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
310         (shouldThrow):
311         (foo):
312
313 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
314
315         Unreviewed, roll out r240220 due to date-format-xparb regression
316         https://bugs.webkit.org/show_bug.cgi?id=193603
317
318         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
319         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
320         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
321         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
322
323 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
324
325         DoesGC rule is wrong for nodes with BigIntUse
326         https://bugs.webkit.org/show_bug.cgi?id=193652
327
328         Reviewed by Saam Barati.
329
330         * stress/big-int-value-op-update-gc-rules.js: Added.
331         (assert):
332         (doesGCAdd):
333         (doesGCSub):
334         (doesGCDiv):
335         (doesGCMul):
336         (doesGCBitAnd):
337         (doesGCBitOr):
338         (doesGCBitXor):
339
340 2019-01-20  Saam Barati  <sbarati@apple.com>
341
342         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
343         https://bugs.webkit.org/show_bug.cgi?id=193644
344         <rdar://problem/46209745>
345
346         Reviewed by Yusuke Suzuki.
347
348         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
349         (foo):
350         * stress/data-view-set-intrinsic-undefined-result.js: Added.
351         (foo):
352         (bar):
353
354 2019-01-20  Saam Barati  <sbarati@apple.com>
355
356         MovHint must merge NodeBytecodeUsesAsValue for its child
357         https://bugs.webkit.org/show_bug.cgi?id=186916
358         <rdar://problem/41396612>
359
360         Reviewed by Yusuke Suzuki.
361
362         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
363         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
364
365 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
366
367         [JSC] Invalidate old scope operations using global lexical binding epoch
368         https://bugs.webkit.org/show_bug.cgi?id=193603
369         <rdar://problem/47380869>
370
371         Reviewed by Saam Barati.
372
373         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
374         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
375         (shouldThrow):
376         (bar):
377         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
378         (shouldBe):
379         (get1):
380         (get2):
381         (get1If):
382         (get2If):
383         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
384         (shouldThrow):
385         (foo):
386
387 2019-01-17  Saam barati  <sbarati@apple.com>
388
389         StringObjectUse should not be a structure check for the original string object structure
390         https://bugs.webkit.org/show_bug.cgi?id=193483
391         <rdar://problem/47280522>
392
393         Reviewed by Yusuke Suzuki.
394
395         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
396         (foo):
397         (a.valueOf.0):
398
399 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
400
401         [JSC] ToThis omission in DFGByteCodeParser is wrong
402         https://bugs.webkit.org/show_bug.cgi?id=193513
403         <rdar://problem/45842236>
404
405         Reviewed by Saam Barati.
406
407         * stress/to-this-omission-with-different-strict-modes.js: Added.
408         (thisA):
409         (thisAStrictWrapper):
410
411 2019-01-15  Mark Lam  <mark.lam@apple.com>
412
413         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
414         https://bugs.webkit.org/show_bug.cgi?id=193423
415         <rdar://problem/46209355>
416
417         Reviewed by Saam Barati.
418
419         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
420         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
421         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
422         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
423
424 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
425
426         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
427         https://bugs.webkit.org/show_bug.cgi?id=193438
428         <rdar://problem/45581249>
429
430         Reviewed by Saam Barati and Keith Miller.
431
432         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
433         Then, GetByVal(String) crashed.
434
435         * stress/string-get-by-val-lowering.js: Added.
436         (shouldBe):
437         (test):
438         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
439         (Hello):
440         (foo):
441
442 2019-01-15  Tomas Popela  <tpopela@redhat.com>
443
444         Unreviewed, skip JIT tests if it's not enabled
445
446         * stress/bit-op-with-object-returning-int32.js:
447
448 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
449
450         DFGByteCodeParser rules for bitwise operations should consider type of their operands
451         https://bugs.webkit.org/show_bug.cgi?id=192966
452
453         Reviewed by Yusuke Suzuki.
454
455         * stress/bit-op-with-object-returning-int32.js: Added.
456
457 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
458
459         Skip a slow test and a flakey test on arm
460
461         Unreviewed gardening.
462
463         * typeProfiler/getter-richards.js:
464         this test always times out, it used to be always skipped on arm and
465         mips, but got accidentally enabled by r237919 now that we have DFG on
466         arm. Also skipping on mips as we plan to soon enable DFG for it too.
467
468 2019-01-14  Keith Miller  <keith_miller@apple.com>
469
470         Skip type-check-hoisting-phase-hoist... with no jit
471         https://bugs.webkit.org/show_bug.cgi?id=193421
472
473         Reviewed by Mark Lam.
474
475         It's timing out the 32-bit bots and takes 330 seconds
476         on my machine when run by itself.
477
478         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
479
480 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
481
482         [JSC] AI should check the given constant's array type when folding GetByVal into constant
483         https://bugs.webkit.org/show_bug.cgi?id=193413
484         <rdar://problem/46092389>
485
486         Reviewed by Keith Miller.
487
488         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
489         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
490         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
491         but GetByVal does not have appropriate ArrayModes, JSC crashes.
492
493         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
494         (compareArray):
495
496 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
497
498         [BigInt] Literal parsing is crashing when used inside a Object Literal
499         https://bugs.webkit.org/show_bug.cgi?id=193404
500
501         Reviewed by Yusuke Suzuki.
502
503         * stress/big-int-literal-inside-literal-object.js: Added.
504
505 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
506
507         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
508         https://bugs.webkit.org/show_bug.cgi?id=193372
509
510         Reviewed by Saam Barati.
511
512         * stress/typed-array-array-modes-profile.js: Added.
513         (foo):
514
515 2019-01-14  Mark Lam  <mark.lam@apple.com>
516
517         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
518         https://bugs.webkit.org/show_bug.cgi?id=193402
519         <rdar://problem/46012309>
520
521         Reviewed by Keith Miller.
522
523         * stress/regexp-compile-oom.js:
524         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
525           is enabled.  As a result, it will fail on cloop builds though there is no bug.
526
527 2019-01-11  Saam barati  <sbarati@apple.com>
528
529         DFG combined liveness can be wrong for terminal basic blocks
530         https://bugs.webkit.org/show_bug.cgi?id=193304
531         <rdar://problem/45268632>
532
533         Reviewed by Yusuke Suzuki.
534
535         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
536
537 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
538
539         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
540         https://bugs.webkit.org/show_bug.cgi?id=193308
541         <rdar://problem/45546542>
542
543         Reviewed by Saam Barati.
544
545         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
546         (shouldThrow):
547         (shouldBe):
548         (foo):
549         (get shouldThrow):
550         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
551         (shouldThrow):
552         (shouldBe):
553         (foo):
554         (get shouldBe):
555         (get shouldThrow):
556         (get return):
557         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
558         (shouldThrow):
559         (shouldBe):
560         (foo):
561         (get shouldBe):
562         (get shouldThrow):
563         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
564         (shouldThrow):
565         (shouldBe):
566         (foo):
567         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
568         (shouldThrow):
569         (shouldBe):
570         (foo):
571         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
572         (shouldThrow):
573         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
574         (shouldThrow):
575         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
576         (shouldThrow):
577         (shouldBe):
578         (foo):
579         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
580         (shouldThrow):
581         (shouldBe):
582         (foo):
583         (get shouldBe):
584         (get shouldThrow):
585         (get return):
586         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
587         (shouldThrow):
588         (shouldBe):
589         (foo):
590         (get shouldBe):
591         (get shouldThrow):
592         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
593         (shouldThrow):
594         (shouldBe):
595         (foo):
596         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
597         (shouldThrow):
598         (shouldBe):
599         (foo):
600
601 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
602
603         Enable DFG on ARM/Linux again
604         https://bugs.webkit.org/show_bug.cgi?id=192496
605
606         Reviewed by Yusuke Suzuki.
607
608         Test wasn't really skipped before moving the line with skip
609         to the top.
610
611         * stress/regress-192717.js:
612
613 2019-01-10  Commit Queue  <commit-queue@webkit.org>
614
615         Unreviewed, rolling out r239825.
616         https://bugs.webkit.org/show_bug.cgi?id=193330
617
618         Broke tests on armv7/linux bots (Requested by guijemont on
619         #webkit).
620
621         Reverted changeset:
622
623         "Enable DFG on ARM/Linux again"
624         https://bugs.webkit.org/show_bug.cgi?id=192496
625         https://trac.webkit.org/changeset/239825
626
627 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
628
629         Enable DFG on ARM/Linux again
630         https://bugs.webkit.org/show_bug.cgi?id=192496
631
632         Reviewed by Yusuke Suzuki.
633
634         Test wasn't really skipped before moving the line with skip
635         to the top.
636
637         * stress/regress-192717.js:
638
639 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
640
641         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
642         https://bugs.webkit.org/show_bug.cgi?id=193127
643
644         Reviewed by Saam Barati.
645
646         * stress/array-species-create-should-handle-masquerader.js: Added.
647         (shouldThrow):
648         * stress/is-undefined-or-null-builtin.js: Added.
649         (shouldBe):
650         (isUndefinedOrNull.vm.createBuiltin):
651
652 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
653
654         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
655         https://bugs.webkit.org/show_bug.cgi?id=193221
656
657         Reviewed by Mark Lam.
658
659         * stress/put-by-id-flags.js: Added.
660         (f):
661         (g):
662         (numberOfDFGCompiles):
663
664 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
665
666         Baseline version of get_by_id may corrupt metadata
667         https://bugs.webkit.org/show_bug.cgi?id=193085
668         <rdar://problem/23453006>
669
670         Reviewed by Saam Barati.
671
672         * stress/get-by-id-change-mode.js: Added.
673         (forEach):
674
675 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
676
677         [JSC] Optimize Object.prototype.toString
678         https://bugs.webkit.org/show_bug.cgi?id=193031
679
680         Reviewed by Saam Barati.
681
682         * stress/object-tostring-changed-proto.js: Added.
683         (shouldBe):
684         (test):
685         * stress/object-tostring-changed.js: Added.
686         (shouldBe):
687         (test):
688         * stress/object-tostring-misc.js: Added.
689         (shouldBe):
690         (test):
691         (i.switch):
692         * stress/object-tostring-other.js: Added.
693         (shouldBe):
694         (test):
695         * stress/object-tostring-untyped.js: Added.
696         (shouldBe):
697         (test):
698         (i.switch):
699
700 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
701
702         test262-runner misbehaves when test file YAML has a trailing space
703         https://bugs.webkit.org/show_bug.cgi?id=193053
704
705         Reviewed by Yusuke Suzuki.
706
707         * test262/expectations.yaml:
708         Mark two dozen tests as passing (and correct the output of another).
709
710 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
711
712         Unreviewed, JSTests gardening with memoryLimited
713
714         * stress/string-overflow-createError.js:
715
716 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
717
718         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
719         https://bugs.webkit.org/show_bug.cgi?id=193050
720
721         Reviewed by Yusuke Suzuki.
722
723         * test262.yaml:
724         * test262/expectations.yaml:
725         Mark 16 tests as passing.
726
727 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
728
729         [BigInt] Support BigInt in JSON.stringify
730         https://bugs.webkit.org/show_bug.cgi?id=192624
731
732         Reviewed by Saam Barati.
733
734         * stress/big-int-json-stringify-to-json.js: Added.
735         (shouldBe):
736         (shouldThrow):
737         (BigInt.prototype.toJSON):
738         (shouldBe.JSON.stringify):
739         * stress/big-int-json-stringify.js: Added.
740         (shouldBe):
741         (shouldThrow):
742
743 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
744
745         [JSC] Implement "well-formed JSON.stringify" proposal
746         https://bugs.webkit.org/show_bug.cgi?id=191677
747
748         Reviewed by Darin Adler.
749
750         * stress/json-surrogate-pair.js: Added.
751         (shouldBe):
752         * test262/expectations.yaml:
753
754 2018-12-20  Keith Miller  <keith_miller@apple.com>
755
756         Add support for globalThis
757         https://bugs.webkit.org/show_bug.cgi?id=165171
758
759         Reviewed by Mark Lam.
760
761         * test262/config.yaml:
762
763 2018-12-19  Keith Miller  <keith_miller@apple.com>
764
765         Update test262 configuration to not run tests dependent on ICU version.
766         https://bugs.webkit.org/show_bug.cgi?id=192920
767
768         Reviewed by Saam Barati.
769
770         * test262/expectations.yaml:
771
772 2018-12-20  Mark Lam  <mark.lam@apple.com>
773
774         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
775         https://bugs.webkit.org/show_bug.cgi?id=192939
776         <rdar://problem/46869516>
777
778         Reviewed by Keith Miller.
779
780         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
781
782 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
783
784         WTF::String and StringImpl overflow MaxLength
785         https://bugs.webkit.org/show_bug.cgi?id=192853
786         <rdar://problem/45726906>
787
788         Reviewed by Mark Lam.
789
790         * stress/string-16bit-repeat-overflow.js: Added.
791         (catch):
792
793 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
794
795         Unreviewed follow-up to r192914.
796
797         * test262/expectations.yaml:
798         Add the last 20 missing expectations.
799
800 2018-12-19  Keith Miller  <keith_miller@apple.com>
801
802         Fix test262 expectations
803         https://bugs.webkit.org/show_bug.cgi?id=192914
804
805         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
806
807         * test262/expectations.yaml:
808
809 2018-12-19  Keith Miller  <keith_miller@apple.com>
810
811         Update test262 tests.
812         https://bugs.webkit.org/show_bug.cgi?id=192907
813
814         Rubber stamped by Mark Lam.
815
816         * test262/*: Omitted because prepare-changelog crashes.
817
818 2018-12-19  Mark Lam  <mark.lam@apple.com>
819
820         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
821         https://bugs.webkit.org/show_bug.cgi?id=192464
822         <rdar://problem/46519455>
823
824         Reviewed by Saam Barati.
825
826         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
827         microbenchmark.
828
829         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
830         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
831
832 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
833
834         String overflow in JSC::createError results in ASSERT in WTF::makeString
835         https://bugs.webkit.org/show_bug.cgi?id=192833
836         <rdar://problem/45706868>
837
838         Reviewed by Mark Lam.
839
840         * stress/string-overflow-createError.js: Added.
841
842 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
843
844         Error message for `-x ** y` contains a typo.
845         https://bugs.webkit.org/show_bug.cgi?id=192832
846
847         Reviewed by Saam Barati.
848
849         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
850         (assert.assert.return.throws):
851         * stress/pow-expects-update-expression-on-lhs.js:
852         (throw.new.Error):
853         Update test expectations which match against the exact error message.
854
855 2018-12-18  Mark Lam  <mark.lam@apple.com>
856
857         Gardening: test options fix.
858         https://bugs.webkit.org/show_bug.cgi?id=192822
859
860         Unreviewed.
861
862         * stress/json-stringify-string-builder-overflow.js:
863
864 2018-12-18  Mark Lam  <mark.lam@apple.com>
865
866         JSON.stringify() should throw OOM on StringBuilder overflows.
867         https://bugs.webkit.org/show_bug.cgi?id=192822
868         <rdar://problem/46670577>
869
870         Reviewed by Saam Barati.
871
872         * stress/json-stringify-string-builder-overflow.js: Added.
873
874 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
875
876         Redeclaration of var over let/const/class should be a syntax error.
877         https://bugs.webkit.org/show_bug.cgi?id=192298
878
879         Reviewed by Keith Miller.
880
881         * test262.yaml:
882         * test262/expectations.yaml:
883         Mark 46 tests as passing.
884
885         * stress/block-scope-redeclarations.js:
886         Add some new tests.
887
888         * stress/for-in-invalidate-context-weird-assignments.js:
889         * stress/for-in-tests.js:
890         Replace tests for outdated behavior with tests for SyntaxError.
891
892         * ChakraCore/test/LetConst/defer3.baseline-jsc:
893         * ChakraCore/test/LetConst/letvar.baseline-jsc:
894         Update expectations.
895
896 2018-12-18  Mark Lam  <mark.lam@apple.com>
897
898         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
899         https://bugs.webkit.org/show_bug.cgi?id=191374
900         <rdar://problem/46525447>
901
902         Reviewed by Yusuke Suzuki.
903
904         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
905
906         * stress/elidable-new-object-roflcopter-then-exit.js:
907
908 2018-12-17  Mark Lam  <mark.lam@apple.com>
909
910         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
911         https://bugs.webkit.org/show_bug.cgi?id=192019
912         <rdar://problem/46525456>
913
914         Reviewed by Yusuke Suzuki.
915
916         The test runs too slow on 32-bit.
917
918         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
919
920 2018-12-17  Mark Lam  <mark.lam@apple.com>
921
922         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
923         https://bugs.webkit.org/show_bug.cgi?id=191373
924         <rdar://problem/46525458>
925
926         Reviewed by Yusuke Suzuki.
927
928         The test is already slow running with a JIT on 64-bit.  It will always time out
929         on 32-bit without a JIT.
930
931         * stress/materialize-regexp-cyclic-regexp.js:
932
933 2018-12-17  Mark Lam  <mark.lam@apple.com>
934
935         Array unshift/shift should not race against the AI in the compiler thread.
936         https://bugs.webkit.org/show_bug.cgi?id=192795
937         <rdar://problem/46724263>
938
939         Reviewed by Saam Barati.
940
941         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
942
943 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
944
945         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
946         https://bugs.webkit.org/show_bug.cgi?id=190047
947
948         Reviewed by Saam Barati.
949
950         * stress/object-keys-cached-zero.js: Added.
951         (shouldBe):
952         (test):
953         * stress/object-keys-changed-attribute.js: Added.
954         (shouldBe):
955         (test):
956         * stress/object-keys-changed-index.js: Added.
957         (shouldBe):
958         (test):
959         * stress/object-keys-changed.js: Added.
960         (shouldBe):
961         (test):
962         * stress/object-keys-indexed-non-cache.js: Added.
963         (shouldBe):
964         (test):
965         * stress/object-keys-overrides-get-property-names.js: Added.
966         (shouldBe):
967         (test):
968         (noInline):
969
970 2018-12-17  Mark Lam  <mark.lam@apple.com>
971
972         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
973         https://bugs.webkit.org/show_bug.cgi?id=192779
974         <rdar://problem/46775869>
975
976         Reviewed by Saam Barati.
977
978         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
979
980 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
981
982         Unreviewed test gardening, address a syntax error in a new test.
983
984         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
985
986 2018-12-17  Mark Lam  <mark.lam@apple.com>
987
988         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
989         https://bugs.webkit.org/show_bug.cgi?id=192776
990         <rdar://problem/46772368>
991
992         Reviewed by Keith Miller.
993
994         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
995
996 2018-12-17  Mark Lam  <mark.lam@apple.com>
997
998         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
999         https://bugs.webkit.org/show_bug.cgi?id=192770
1000         <rdar://problem/46449037>
1001
1002         Reviewed by Keith Miller.
1003
1004         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1005
1006 2018-12-14  Mark Lam  <mark.lam@apple.com>
1007
1008         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1009         https://bugs.webkit.org/show_bug.cgi?id=192717
1010         <rdar://problem/46660677>
1011
1012         Reviewed by Saam Barati.
1013
1014         * stress/regress-192717.js: Added.
1015
1016 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1017
1018         Unreviewed, rolling out r239153, r239154, and r239155.
1019         https://bugs.webkit.org/show_bug.cgi?id=192715
1020
1021         Caused flaky GC-related crashes seen with layout tests
1022         (Requested by ryanhaddad on #webkit).
1023
1024         Reverted changesets:
1025
1026         "[JSC] Optimize Object.keys by caching own keys results in
1027         StructureRareData"
1028         https://bugs.webkit.org/show_bug.cgi?id=190047
1029         https://trac.webkit.org/changeset/239153
1030
1031         "Unreviewed, build fix after r239153"
1032         https://bugs.webkit.org/show_bug.cgi?id=190047
1033         https://trac.webkit.org/changeset/239154
1034
1035         "Unreviewed, build fix after r239153, part 2"
1036         https://bugs.webkit.org/show_bug.cgi?id=190047
1037         https://trac.webkit.org/changeset/239155
1038
1039 2018-12-14  Keith Miller  <keith_miller@apple.com>
1040
1041         Callers of JSString::getIndex should check for OOM exceptions
1042         https://bugs.webkit.org/show_bug.cgi?id=192709
1043
1044         Reviewed by Mark Lam.
1045
1046         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1047
1048 2018-12-13  Mark Lam  <mark.lam@apple.com>
1049
1050         Add a missing exception check.
1051         https://bugs.webkit.org/show_bug.cgi?id=192626
1052         <rdar://problem/46662163>
1053
1054         Reviewed by Keith Miller.
1055
1056         * stress/regress-192626.js: Added.
1057
1058 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1059
1060         [BigInt] Add ValueDiv into DFG
1061         https://bugs.webkit.org/show_bug.cgi?id=186178
1062
1063         Reviewed by Yusuke Suzuki.
1064
1065         * stress/big-int-div-jit-osr.js: Added.
1066         * stress/big-int-div-jit-untyped.js: Added.
1067         * stress/value-div-fixup-int32-big-int.js: Added.
1068
1069 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1070
1071         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1072         https://bugs.webkit.org/show_bug.cgi?id=190047
1073
1074         Reviewed by Keith Miller.
1075
1076         * stress/object-keys-cached-zero.js: Added.
1077         (shouldBe):
1078         (test):
1079         * stress/object-keys-changed-attribute.js: Added.
1080         (shouldBe):
1081         (test):
1082         * stress/object-keys-changed-index.js: Added.
1083         (shouldBe):
1084         (test):
1085         * stress/object-keys-changed.js: Added.
1086         (shouldBe):
1087         (test):
1088         * stress/object-keys-indexed-non-cache.js: Added.
1089         (shouldBe):
1090         (test):
1091         * stress/object-keys-overrides-get-property-names.js: Added.
1092         (shouldBe):
1093         (test):
1094         (noInline):
1095
1096 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1097
1098         [DFG][FTL] Add NewSymbol
1099         https://bugs.webkit.org/show_bug.cgi?id=192620
1100
1101         Reviewed by Saam Barati.
1102
1103         * microbenchmarks/symbol-creation.js: Added.
1104         (test):
1105         * stress/symbol-description-identity.js: Added.
1106         (shouldBe):
1107         (test):
1108         * stress/symbol-identity.js: Added.
1109         (shouldBe):
1110         (test):
1111         * stress/symbol-with-description-throw-error.js: Added.
1112         (shouldBe):
1113         (shouldThrow):
1114         (test):
1115         (object.toString):
1116
1117 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1118
1119         [BigInt] Implement DFG/FTL typeof for BigInt
1120         https://bugs.webkit.org/show_bug.cgi?id=192619
1121
1122         Reviewed by Keith Miller.
1123
1124         * stress/big-int-boolean-proven-type.js: Added.
1125         (assert):
1126         (bool):
1127         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1128         (assert):
1129         (typeOf):
1130         (i.switch):
1131         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1132         (assert):
1133         (typeOf):
1134         * stress/big-int-type-of.js:
1135         (typeOf):
1136         (func):
1137
1138 2018-12-10  Mark Lam  <mark.lam@apple.com>
1139
1140         PropertyAttribute needs a CustomValue bit.
1141         https://bugs.webkit.org/show_bug.cgi?id=191993
1142         <rdar://problem/46264467>
1143
1144         Reviewed by Saam Barati.
1145
1146         * stress/regress-191993.js: Added.
1147
1148 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1149
1150         [BigInt] Add ValueMul into DFG
1151         https://bugs.webkit.org/show_bug.cgi?id=186175
1152
1153         Reviewed by Yusuke Suzuki.
1154
1155         * stress/big-int-mul-jit-osr.js: Added.
1156         * stress/big-int-mul-jit-untyped.js: Added.
1157         * stress/value-mul-fixup-int32-big-int.js: Added.
1158
1159 2018-12-06  Keith Miller  <keith_miller@apple.com>
1160
1161         stress/big-wasm-memory tests failing on 32-bit JSC bot
1162         https://bugs.webkit.org/show_bug.cgi?id=192020
1163
1164         Reviewed by Saam Barati.
1165
1166         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1167         the wasm stress tests if the WebAssembly object does not exist.
1168
1169         * stress/big-wasm-memory-grow-no-max.js:
1170         (test.foo):
1171         (test):
1172         (foo): Deleted.
1173         (catch): Deleted.
1174         * stress/big-wasm-memory-grow.js:
1175         (test.foo):
1176         (test):
1177         (foo): Deleted.
1178         (catch): Deleted.
1179         * stress/big-wasm-memory.js:
1180         (test.foo):
1181         (test):
1182         (foo): Deleted.
1183         (catch): Deleted.
1184
1185 2018-12-05  Mark Lam  <mark.lam@apple.com>
1186
1187         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1188         https://bugs.webkit.org/show_bug.cgi?id=192441
1189         <rdar://problem/46480355>
1190
1191         Reviewed by Saam Barati.
1192
1193         * stress/regress-192441.js: Added.
1194
1195 2018-12-04  Mark Lam  <mark.lam@apple.com>
1196
1197         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1198         https://bugs.webkit.org/show_bug.cgi?id=192386
1199         <rdar://problem/46445516>
1200
1201         Reviewed by Saam Barati.
1202
1203         * stress/regress-192386.js: Added.
1204
1205 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1206
1207         [ESNext][BigInt] Support logic operations
1208         https://bugs.webkit.org/show_bug.cgi?id=179903
1209
1210         Reviewed by Yusuke Suzuki.
1211
1212         * stress/big-int-branch-usage.js: Added.
1213         * stress/big-int-logical-and.js: Added.
1214         * stress/big-int-logical-not.js: Added.
1215         * stress/big-int-logical-or.js: Added.
1216
1217 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1218
1219         Unreviewed, rolling out r238833.
1220
1221         Breaks macOS and iOS debug builds.
1222
1223         Reverted changeset:
1224
1225         "[ESNext][BigInt] Support logic operations"
1226         https://bugs.webkit.org/show_bug.cgi?id=179903
1227         https://trac.webkit.org/changeset/238833
1228
1229 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1230
1231         [ESNext][BigInt] Support logic operations
1232         https://bugs.webkit.org/show_bug.cgi?id=179903
1233
1234         Reviewed by Yusuke Suzuki.
1235
1236         * stress/big-int-branch-usage.js: Added.
1237         * stress/big-int-logical-and.js: Added.
1238         * stress/big-int-logical-not.js: Added.
1239         * stress/big-int-logical-or.js: Added.
1240
1241 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1242
1243         [ESNext][BigInt] Implement support for "<<" and ">>"
1244         https://bugs.webkit.org/show_bug.cgi?id=186233
1245
1246         Reviewed by Yusuke Suzuki.
1247
1248         * stress/big-int-left-shift-general.js: Added.
1249         * stress/big-int-left-shift-range-error.js: Added.
1250         * stress/big-int-left-shift-type-error.js: Added.
1251         * stress/big-int-left-shift-wrapped-value.js: Added.
1252         * stress/big-int-right-shift-general.js: Added.
1253         * stress/big-int-right-shift-type-error.js: Added.
1254         * stress/big-int-right-shift-wrapped-value.js: Added.
1255         * stress/left-shift-to-primitive-precedence.js: Added.
1256         * stress/right-shift-to-primitive-precedence.js: Added.
1257
1258 2018-11-30  Dean Jackson  <dino@apple.com>
1259
1260         Add first-class support for .mjs files in jsc binary
1261         https://bugs.webkit.org/show_bug.cgi?id=192190
1262         <rdar://problem/46375715>
1263
1264         Reviewed by Keith Miller.
1265
1266         * stress/simple-module.mjs: Added.
1267         * stress/simple-script.js: Added.
1268
1269 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1270
1271         [BigInt] Implement ValueBitXor into DFG
1272         https://bugs.webkit.org/show_bug.cgi?id=190264
1273
1274         Reviewed by Yusuke Suzuki.
1275
1276         * stress/big-int-bitwise-xor-jit.js: Added.
1277         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1278         * stress/big-int-bitwise-xor-untyped.js: Added.
1279
1280 2018-11-27  Saam barati  <sbarati@apple.com>
1281
1282         r238510 broke scopes of size zero
1283         https://bugs.webkit.org/show_bug.cgi?id=192033
1284         <rdar://problem/46281734>
1285
1286         Reviewed by Keith Miller.
1287
1288         * stress/r238510-bad-loop.js: Added.
1289         (foo):
1290
1291 2018-11-27  Mark Lam  <mark.lam@apple.com>
1292
1293         [Re-landing] NaNs read from Wasm code need to be purified.
1294         https://bugs.webkit.org/show_bug.cgi?id=191056
1295         <rdar://problem/45660341>
1296
1297         Reviewed by Filip Pizlo.
1298
1299         * wasm/regress/regress-191056.js: Added.
1300
1301 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1302
1303         Unreviewed, rolling out r238509.
1304
1305         Causes JSC tests to fail on iOS.
1306
1307         Reverted changeset:
1308
1309         "NaNs read from Wasm code need to be purified."
1310         https://bugs.webkit.org/show_bug.cgi?id=191056
1311         https://trac.webkit.org/changeset/238509
1312
1313 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1314
1315         Re-introduce op_bitnot
1316         https://bugs.webkit.org/show_bug.cgi?id=190923
1317
1318         Reviewed by Yusuke Suzuki.
1319
1320         * stress/bit-not-must-generate.js: Added.
1321         * stress/bitwise-not-no-int32.js: Added.
1322
1323 2018-11-26  Saam barati  <sbarati@apple.com>
1324
1325         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1326         https://bugs.webkit.org/show_bug.cgi?id=191956
1327         <rdar://problem/45665806>
1328
1329         Reviewed by Yusuke Suzuki.
1330
1331         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1332         (bar):
1333         (foo):
1334
1335 2018-11-26  Saam barati  <sbarati@apple.com>
1336
1337         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1338         https://bugs.webkit.org/show_bug.cgi?id=191958
1339         <rdar://problem/46221877>
1340
1341         Reviewed by Yusuke Suzuki.
1342
1343         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1344         (x):
1345         (foo):
1346
1347 2018-11-26  Mark Lam  <mark.lam@apple.com>
1348
1349         NaNs read from Wasm code need to be purified.
1350         https://bugs.webkit.org/show_bug.cgi?id=191056
1351         <rdar://problem/45660341>
1352
1353         Reviewed by Filip Pizlo.
1354
1355         * wasm/regress/regress-191056.js: Added.
1356
1357 2018-11-26  Michael Saboff  <msaboff@apple.com>
1358
1359         32-bit JSC test failure: stress/regexp-compile-oom.js
1360         https://bugs.webkit.org/show_bug.cgi?id=191375
1361
1362         Reviewed by Mark Lam.
1363
1364         Disabled the test for 32 bit platforms.
1365
1366         * stress/regexp-compile-oom.js:
1367
1368 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1369
1370         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1371         https://bugs.webkit.org/show_bug.cgi?id=191716
1372         <rdar://problem/45723878>
1373
1374         Reviewed by Saam Barati.
1375
1376         * stress/regress-187373.js: Added.
1377         (async.fn):
1378
1379 2018-11-21  Saam barati  <sbarati@apple.com>
1380
1381         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1382         https://bugs.webkit.org/show_bug.cgi?id=191897
1383         <rdar://problem/45871998>
1384
1385         Reviewed by Mark Lam.
1386
1387         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1388         (bar):
1389         (foo):
1390
1391 2018-11-21  Saam barati  <sbarati@apple.com>
1392
1393         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1394         https://bugs.webkit.org/show_bug.cgi?id=191895
1395         <rdar://problem/46167406>
1396
1397         Reviewed by Mark Lam.
1398
1399         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1400         (foo):
1401         (bar):
1402
1403 2018-11-21  Mark Lam  <mark.lam@apple.com>
1404
1405         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1406         https://bugs.webkit.org/show_bug.cgi?id=191776
1407         <rdar://problem/46152851>
1408
1409         Reviewed by Saam Barati.
1410
1411         * stress/big-wasm-memory-grow-no-max.js:
1412         * stress/big-wasm-memory-grow.js:
1413         * stress/big-wasm-memory.js:
1414         - updated these to expect an OutOfMemoryError.
1415
1416         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1417         (Binary.prototype.emit_u8):
1418         (Binary.prototype.emit_u32v):
1419         (Binary.prototype.emit_header):
1420         (Binary.prototype.emit_section):
1421         (Binary):
1422         (WasmModuleBuilder):
1423         (WasmModuleBuilder.prototype.addMemory):
1424         (WasmModuleBuilder.prototype.toArray):
1425         (WasmModuleBuilder.prototype.toBuffer):
1426         (WasmModuleBuilder.prototype.instantiate):
1427         (catch):
1428         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1429         (catch):
1430
1431 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1432
1433         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1434         https://bugs.webkit.org/show_bug.cgi?id=190836
1435
1436         Reviewed by Saam Barati and Yusuke Suzuki.
1437
1438         * stress/big-int-out-of-memory-tests.js: Added.
1439
1440 2018-11-20  Mark Lam  <mark.lam@apple.com>
1441
1442         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1443         https://bugs.webkit.org/show_bug.cgi?id=191856
1444         <rdar://problem/46089992>
1445
1446         Reviewed by Yusuke Suzuki.
1447
1448         * stress/regress-191856.js: Added.
1449         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1450
1451 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1452
1453         Enable JIT on ARM/Linux
1454         https://bugs.webkit.org/show_bug.cgi?id=191548
1455
1456         Reviewed by Yusuke Suzuki.
1457
1458         Disable test on system with limited memory. Program was killed by
1459         the OS before the exception was thrown.
1460
1461         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1462
1463 2018-11-20  Saam barati  <sbarati@apple.com>
1464
1465         Merging an IC variant may lead to the IC status containing overlapping structure sets
1466         https://bugs.webkit.org/show_bug.cgi?id=191869
1467         <rdar://problem/45403453>
1468
1469         Reviewed by Mark Lam.
1470
1471         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1472
1473 2018-11-19  Mark Lam  <mark.lam@apple.com>
1474
1475         globalFuncImportModule() should return a promise when it clears exceptions.
1476         https://bugs.webkit.org/show_bug.cgi?id=191792
1477         <rdar://problem/46090763>
1478
1479         Reviewed by Michael Saboff.
1480
1481         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1482
1483 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1484
1485         Skip new memory-hungry tests on memory limited devices
1486
1487         Unreviewed gardening.
1488
1489         * stress/big-wasm-memory-grow-no-max.js:
1490         * stress/big-wasm-memory-grow.js:
1491         * stress/big-wasm-memory.js:
1492
1493 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1494
1495         Unreviewed, rolling in the rest of r237254
1496         https://bugs.webkit.org/show_bug.cgi?id=190340
1497
1498         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1499         * stress/function-cache-with-parameters-end-position.js: Added.
1500         (shouldBe):
1501         (shouldThrow):
1502         (i.anonymous):
1503         * stress/function-constructor-name.js: Added.
1504         (shouldBe):
1505         (GeneratorFunction):
1506         (AsyncFunction.async):
1507         (AsyncGeneratorFunction.async):
1508         (anonymous):
1509         (async.anonymous):
1510         * test262/expectations.yaml:
1511
1512 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1513
1514         All users of ArrayBuffer should agree on the same max size
1515         https://bugs.webkit.org/show_bug.cgi?id=191771
1516
1517         Reviewed by Mark Lam.
1518
1519         * stress/big-wasm-memory-grow-no-max.js: Added.
1520         (foo):
1521         (catch):
1522         * stress/big-wasm-memory-grow.js: Added.
1523         (foo):
1524         (catch):
1525         * stress/big-wasm-memory.js: Added.
1526         (foo):
1527         (catch):
1528
1529 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1530
1531         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1532         run for each JSC config since they're regression tests for runtime bugs.
1533
1534         * stress/json-stringified-overflow-2.js:
1535         * stress/json-stringified-overflow.js:
1536
1537 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1538
1539         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1540         config since they're regression tests for runtime bugs.
1541
1542         * stress/large-unshift-splice.js:
1543         * stress/regress-185888.js:
1544
1545 2018-11-16  Saam Barati  <sbarati@apple.com>
1546
1547         KnownCellUse should also have SpecCellCheck as its type filter
1548         https://bugs.webkit.org/show_bug.cgi?id=191729
1549         <rdar://problem/45872852>
1550
1551         Reviewed by Filip Pizlo.
1552
1553         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1554         (C):
1555
1556 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1557
1558         Fix assertion failure on BytecodeGenerator::recordOpcode
1559         https://bugs.webkit.org/show_bug.cgi?id=191724
1560         <rdar://problem/45724395>
1561
1562         Reviewed by Saam Barati.
1563
1564         * stress/regress-187373-2.js: Added.
1565         (foo):
1566
1567 2018-11-15  Mark Lam  <mark.lam@apple.com>
1568
1569         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1570         https://bugs.webkit.org/show_bug.cgi?id=191730
1571         <rdar://problem/46048517>
1572
1573         Reviewed by Saam Barati.
1574
1575         * stress/regress-187006.js: Removed.
1576           - this test is invalid because its sole purpose is to test for the non-spec
1577             compliant behavior that we just fixed.
1578
1579         * stress/regress-191730.js: Added.
1580
1581 2018-11-15  Mark Lam  <mark.lam@apple.com>
1582
1583         RegExp operations should not take fast path if lastIndex is not numeric.
1584         https://bugs.webkit.org/show_bug.cgi?id=191731
1585         <rdar://problem/46017305>
1586
1587         Reviewed by Saam Barati.
1588
1589         * stress/regress-191731.js: Added.
1590
1591 2018-11-13  Saam Barati  <sbarati@apple.com>
1592
1593         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1594         https://bugs.webkit.org/show_bug.cgi?id=191600
1595
1596         Reviewed by Mark Lam.
1597
1598         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1599         (foo):
1600         (test):
1601         (bar):
1602
1603 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1604
1605         Unreviewed, rolling out r238132.
1606
1607         The test added with this change is timing out on Debug JSC
1608         bots.
1609
1610         Reverted changeset:
1611
1612         "[BigInt] JSBigInt::createWithLength should throw when length
1613         is greater than JSBigInt::maxLength"
1614         https://bugs.webkit.org/show_bug.cgi?id=190836
1615         https://trac.webkit.org/changeset/238132
1616
1617 2018-11-13  Mark Lam  <mark.lam@apple.com>
1618
1619         Add OOM detection to StringPrototype's substituteBackreferences().
1620         https://bugs.webkit.org/show_bug.cgi?id=191563
1621         <rdar://problem/45720428>
1622
1623         Reviewed by Saam Barati.
1624
1625         * stress/regress-191563.js: Added.
1626
1627 2018-11-13  Mark Lam  <mark.lam@apple.com>
1628
1629         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1630         https://bugs.webkit.org/show_bug.cgi?id=191579
1631         <rdar://problem/45942472>
1632
1633         Reviewed by Saam Barati.
1634
1635         * stress/regress-191579.js: Added.
1636
1637 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1638
1639         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1640         https://bugs.webkit.org/show_bug.cgi?id=190836
1641
1642         Reviewed by Saam Barati.
1643
1644         * stress/big-int-out-of-memory-tests.js: Added.
1645
1646 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1647
1648         U+180E is no longer a whitespace character
1649         https://bugs.webkit.org/show_bug.cgi?id=191415
1650
1651         Reviewed by Saam Barati.
1652
1653         * ChakraCore/test/es5/regexSpace.baseline:
1654         * ChakraCore/test/es6/unicode_whitespace.js:
1655         Update tests to latest version.
1656         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1657
1658         * test262.yaml:
1659         * test262/config.yaml:
1660         * test262/expectations.yaml:
1661         Update expectations.
1662
1663 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1664
1665         [BigInt] Add support to BigInt into ValueAdd
1666         https://bugs.webkit.org/show_bug.cgi?id=186177
1667
1668         Reviewed by Keith Miller.
1669
1670         * stress/big-int-negate-jit.js:
1671         * stress/value-add-big-int-and-string.js: Added.
1672         * stress/value-add-big-int-prediction-propagation.js: Added.
1673         * stress/value-add-big-int-untyped.js: Added.
1674
1675 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1676
1677         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1678         https://bugs.webkit.org/show_bug.cgi?id=191184
1679
1680         Reviewed by Saam Barati.
1681
1682         Most tests were failing due to timeouts, since they are too slow to
1683         run on CLoop. The exceptions are:
1684
1685         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1686         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1687         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1688         to change the stack size since CLoop requires it to be page aligned.
1689
1690         * microbenchmarks/array-push-1.js:
1691         * microbenchmarks/array-push-2.js:
1692         * microbenchmarks/elidable-new-object-dag.js:
1693         * microbenchmarks/elidable-new-object-roflcopter.js:
1694         * microbenchmarks/elidable-new-object-tree.js:
1695         * microbenchmarks/getter-richards.js:
1696         * microbenchmarks/sinkable-new-object-dag.js:
1697         * microbenchmarks/string-concat-long-convert.js:
1698         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1699         * slowMicrobenchmarks/array-push-3.js:
1700         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1701         * slowMicrobenchmarks/spread-small-array.js:
1702         * slowMicrobenchmarks/undefined-property-access.js:
1703         * stress/activation-sink-default-value-tdz-error.js:
1704         * stress/activation-sink-default-value.js:
1705         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1706         * stress/activation-sink-osrexit-default-value.js:
1707         * stress/activation-sink-osrexit.js:
1708         * stress/activation-sink.js:
1709         * stress/allow-math-ic-b3-code-duplication.js:
1710         * stress/array-push-multiple-int32.js:
1711         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1712         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1713         * stress/arrowfunction-lexical-this-activation-sink.js:
1714         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1715         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1716         * stress/elide-new-object-dag-then-exit.js:
1717         * stress/materialize-regexp-cyclic.js:
1718         * stress/new-regex-inline.js:
1719         * stress/op_add.js:
1720         * stress/op_bitand.js:
1721         * stress/op_bitor.js:
1722         * stress/op_bitxor.js:
1723         * stress/op_div-ConstVar.js:
1724         * stress/op_div-VarConst.js:
1725         * stress/op_div-VarVar.js:
1726         * stress/op_lshift-ConstVar.js:
1727         * stress/op_lshift-VarConst.js:
1728         * stress/op_lshift-VarVar.js:
1729         * stress/op_mod-ConstVar.js:
1730         * stress/op_mod-VarConst.js:
1731         * stress/op_mod-VarVar.js:
1732         * stress/op_mul-ConstVar.js:
1733         * stress/op_mul-VarConst.js:
1734         * stress/op_mul-VarVar.js:
1735         * stress/op_rshift-ConstVar.js:
1736         * stress/op_rshift-VarConst.js:
1737         * stress/op_rshift-VarVar.js:
1738         * stress/op_sub-ConstVar.js:
1739         * stress/op_sub-VarConst.js:
1740         * stress/op_sub-VarVar.js:
1741         * stress/op_urshift-ConstVar.js:
1742         * stress/op_urshift-VarConst.js:
1743         * stress/op_urshift-VarVar.js:
1744         * stress/proxy-get-set-correct-receiver.js:
1745         * stress/regress-179562.js:
1746         * stress/rest-parameter-many-arguments.js:
1747         * stress/sampling-profiler-richards.js:
1748         * stress/splay-flash-access-1ms.js:
1749         * stress/tailCallForwardArguments.js:
1750         * stress/typed-array-get-by-val-profiling.js:
1751         * typeProfiler/getter-richards.js:
1752
1753 2018-11-06  Michael Saboff  <msaboff@apple.com>
1754
1755         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1756         https://bugs.webkit.org/show_bug.cgi?id=191271
1757
1758         Reviewed by Saam Barati.
1759
1760         Added more test cases and made all test cases run with the same deeply recursive stack
1761         instead of finding that same point for each test case.
1762
1763         * stress/regexp-compile-oom.js:
1764         (prototype.runTest):
1765         (recurseAndTest):
1766         (testList.push.new.TestAndExpectedException):
1767
1768 2018-11-05  Michael Saboff  <msaboff@apple.com>
1769
1770         Unreviewed build fix for linux.
1771
1772         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1773
1774 2018-11-02  Michael Saboff  <msaboff@apple.com>
1775
1776         Rolling in r237753 with unreviewed build fix.
1777
1778         Fixed issues with DECLARE_THROW_SCOPE placement.
1779
1780 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1781
1782         Unreviewed, rolling out r237753.
1783
1784         Introduced JSC test failures
1785
1786         Reverted changeset:
1787
1788         "Running out of stack space not properly handled in
1789         RegExp::compile() and its callers"
1790         https://bugs.webkit.org/show_bug.cgi?id=191206
1791         https://trac.webkit.org/changeset/237753
1792
1793 2018-11-02  Michael Saboff  <msaboff@apple.com>
1794
1795         Running out of stack space not properly handled in RegExp::compile() and its callers
1796         https://bugs.webkit.org/show_bug.cgi?id=191206
1797
1798         Reviewed by Filip Pizlo.
1799
1800         New regression test.
1801
1802         * stress/regexp-compile-oom.js: Added.
1803         (recurseAndTest):
1804
1805 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1806
1807         Skip tests on arm/mips that time out now we're running on CLoop
1808
1809         Unreviewed gardening.
1810
1811         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1812         time out on the bots and need to be disabled. There's more tests
1813         disabled on arm because the timeout is longer on the mips bot (as the
1814         device is slower to start with), so many of the tests don't time out
1815         there.
1816
1817         * microbenchmarks/getter-richards.js: disable on arm and mips.
1818         * stress/op_add.js: disable on arm.
1819         * stress/op_bitand.js: disable on arm.
1820         * stress/op_bitor.js: disable on arm.
1821         * stress/op_bitxor.js: disable on arm.
1822         * stress/op_lshift-ConstVar.js: disable on arm.
1823         * stress/op_lshift-VarConst.js: disable on arm.
1824         * stress/op_lshift-VarVar.js: disable on arm.
1825         * stress/op_mod-ConstVar.js: disable on arm.
1826         * stress/op_mod-VarConst.js: disable on arm.
1827         * stress/op_mod-VarVar.js: disable on arm.
1828         * stress/op_mul-ConstVar.js: disable on arm.
1829         * stress/op_mul-VarConst.js: disable on arm.
1830         * stress/op_mul-VarVar.js: disable on arm.
1831         * stress/op_rshift-ConstVar.js: disable on arm.
1832         * stress/op_rshift-VarConst.js: disable on arm.
1833         * stress/op_rshift-VarVar.js: disable on arm.
1834         * stress/op_sub-ConstVar.js: disable on arm.
1835         * stress/op_sub-VarConst.js: disable on arm.
1836         * stress/op_sub-VarVar.js: disable on arm.
1837         * stress/op_urshift-ConstVar.js: disable on arm.
1838         * stress/op_urshift-VarConst.js: disable on arm.
1839         * stress/op_urshift-VarVar.js: disable on arm.
1840         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1841         * stress/value-to-boolean.js: disable on arm and mips.
1842
1843 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1844
1845         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1846         https://bugs.webkit.org/show_bug.cgi?id=191108
1847         <rdar://problem/45690700>
1848
1849         Reviewed by Saam Barati.
1850
1851         * stress/wide-op_catch.js: Added.
1852         (catch):
1853
1854 2018-10-29  Mark Lam  <mark.lam@apple.com>
1855
1856         Correctly detect string overflow when using the 'Function' constructor.
1857         https://bugs.webkit.org/show_bug.cgi?id=184883
1858         <rdar://problem/36320331>
1859
1860         Reviewed by Saam Barati.
1861
1862         I've verified that this passes on 32-bit as well.
1863
1864         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1865
1866 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1867
1868         Add support for GetStack FlushedDouble
1869         https://bugs.webkit.org/show_bug.cgi?id=191012
1870         <rdar://problem/45265141>
1871
1872         Reviewed by Saam Barati.
1873
1874         * stress/get-stack-double.js: Added.
1875         (bar):
1876         (noInline):
1877
1878 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1879
1880         New bytecode format for JSC
1881         https://bugs.webkit.org/show_bug.cgi?id=187373
1882         <rdar://problem/44186758>
1883
1884         Reviewed by Filip Pizlo.
1885
1886         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1887
1888         * stress/maximum-inline-capacity.js: Added.
1889         (test1):
1890         (test3.Foo):
1891         (test3):
1892
1893 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1894
1895         Unreviewed, rolling out r237479 and r237484.
1896         https://bugs.webkit.org/show_bug.cgi?id=190978
1897
1898         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1899
1900         Reverted changesets:
1901
1902         "New bytecode format for JSC"
1903         https://bugs.webkit.org/show_bug.cgi?id=187373
1904         https://trac.webkit.org/changeset/237479
1905
1906         "Gardening: Build fix after r237479."
1907         https://bugs.webkit.org/show_bug.cgi?id=187373
1908         https://trac.webkit.org/changeset/237484
1909
1910 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1911
1912         New bytecode format for JSC
1913         https://bugs.webkit.org/show_bug.cgi?id=187373
1914         <rdar://problem/44186758>
1915
1916         Reviewed by Filip Pizlo.
1917
1918         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1919
1920         * stress/maximum-inline-capacity.js: Added.
1921         (test1):
1922         (test3.Foo):
1923         (test3):
1924
1925 2018-10-26  Mark Lam  <mark.lam@apple.com>
1926
1927         Fix missing edge cases with JSGlobalObjects having a bad time.
1928         https://bugs.webkit.org/show_bug.cgi?id=189028
1929         <rdar://problem/45204939>
1930
1931         Reviewed by Saam Barati.
1932
1933         * stress/regress-189028.js: Added.
1934
1935 2018-10-22  Mark Lam  <mark.lam@apple.com>
1936
1937         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1938         https://bugs.webkit.org/show_bug.cgi?id=190515
1939         <rdar://problem/45222379>
1940
1941         Rubber-stamped by Saam Barati.
1942
1943         Adding another test.
1944
1945         * stress/regress-190515-2.js: Added.
1946
1947 2018-10-22  Mark Lam  <mark.lam@apple.com>
1948
1949         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1950         https://bugs.webkit.org/show_bug.cgi?id=190515
1951         <rdar://problem/45222379>
1952
1953         Reviewed by Saam Barati.
1954
1955         * stress/regress-190515.js: Added.
1956
1957 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1958
1959         Unreviewed, rolling out r237254.
1960         https://bugs.webkit.org/show_bug.cgi?id=190760
1961
1962         "It regresses JetStream 2 by 5% on some iOS devices"
1963         (Requested by saamyjoon on #webkit).
1964
1965         Reverted changeset:
1966
1967         "[JSC] JSC should have "parseFunction" to optimize Function
1968         constructor"
1969         https://bugs.webkit.org/show_bug.cgi?id=190340
1970         https://trac.webkit.org/changeset/237254
1971
1972 2018-10-19  Saam Barati  <sbarati@apple.com>
1973
1974         vmCall should check if we exit before emitting an OSR exit due to exceptions
1975         https://bugs.webkit.org/show_bug.cgi?id=190740
1976         <rdar://problem/45220139>
1977
1978         Reviewed by Mark Lam.
1979
1980         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1981         (foo):
1982
1983 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1984
1985         [ESNext][BigInt] Implement support for "^"
1986         https://bugs.webkit.org/show_bug.cgi?id=186235
1987
1988         Reviewed by Yusuke Suzuki.
1989
1990         * stress/big-int-bitwise-xor-general.js: Added.
1991         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1992         * stress/big-int-bitwise-xor-type-error.js: Added.
1993         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1994
1995 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1996
1997         [BigInt] Add ValueSub into DFG
1998         https://bugs.webkit.org/show_bug.cgi?id=186176
1999
2000         Reviewed by Yusuke Suzuki.
2001
2002         * stress/big-int-subtraction-jit.js:
2003         * stress/value-sub-big-int-prediction-propagation.js: Added.
2004         * stress/value-sub-big-int-untyped.js: Added.
2005         * stress/value-sub-spec-none-case.js: Added.
2006
2007 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2008
2009         [JSC] JSC should have "parseFunction" to optimize Function constructor
2010         https://bugs.webkit.org/show_bug.cgi?id=190340
2011
2012         Reviewed by Mark Lam.
2013
2014         This patch fixes the line number of syntax errors raised by the Function constructor,
2015         since we now parse the final code only once. And we no longer use block statement
2016         for Function constructor's parsing.
2017
2018         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2019         * stress/function-cache-with-parameters-end-position.js: Added.
2020         (shouldBe):
2021         (shouldThrow):
2022         (i.anonymous):
2023         * stress/function-constructor-name.js: Added.
2024         (shouldBe):
2025         (GeneratorFunction):
2026         (AsyncFunction.async):
2027         (AsyncGeneratorFunction.async):
2028         (anonymous):
2029         (async.anonymous):
2030         * test262/expectations.yaml:
2031
2032 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2033
2034         Unreviewed, rolling out r237242.
2035         https://bugs.webkit.org/show_bug.cgi?id=190701
2036
2037         it breaks "stress/sampling-profiler-basic.js" (Requested by
2038         caiolima on #webkit).
2039
2040         Reverted changeset:
2041
2042         "[BigInt] Add ValueSub into DFG"
2043         https://bugs.webkit.org/show_bug.cgi?id=186176
2044         https://trac.webkit.org/changeset/237242
2045
2046 2018-10-17  Keith Miller  <keith_miller@apple.com>
2047
2048         AI does not clear Phantom allocation nodes.
2049         https://bugs.webkit.org/show_bug.cgi?id=190694
2050
2051         Reviewed by Saam Barati.
2052
2053         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2054         (Day):
2055         (DaysInYear):
2056         (TimeInYear):
2057         (TimeFromYear):
2058         (DayFromYear):
2059         (InLeapYear):
2060         (YearFromTime):
2061         (WeekDay):
2062         (DaylightSavingTA):
2063         (GetSecondSundayInMarch):
2064         (TimeInMonth):
2065
2066 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2067
2068         [BigInt] Add ValueSub into DFG
2069         https://bugs.webkit.org/show_bug.cgi?id=186176
2070
2071         Reviewed by Yusuke Suzuki.
2072
2073         * stress/big-int-subtraction-jit.js:
2074         * stress/value-sub-big-int-prediction-propagation.js: Added.
2075         * stress/value-sub-big-int-untyped.js: Added.
2076
2077 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2078
2079         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2080         https://bugs.webkit.org/show_bug.cgi?id=190611
2081
2082         Reviewed by Saam Barati.
2083
2084         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2085         to improve test runtime. On ARM/MIPS this test even timed out when running all
2086         tests.
2087
2088         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2089         (test):
2090
2091 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2092
2093         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2094
2095         Unreviewed gardening.
2096
2097         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2098
2099 2018-10-15  Saam barati  <sbarati@apple.com>
2100
2101         Emit fjcvtzs on ARM64E on Darwin
2102         https://bugs.webkit.org/show_bug.cgi?id=184023
2103
2104         Reviewed by Yusuke Suzuki and Filip Pizlo.
2105
2106         * stress/double-to-int32-NaN.js: Added.
2107         (assert):
2108         (foo):
2109
2110 2018-10-15  Saam Barati  <sbarati@apple.com>
2111
2112         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2113         https://bugs.webkit.org/show_bug.cgi?id=190262
2114         <rdar://problem/44986241>
2115
2116         Reviewed by Mark Lam.
2117
2118         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2119         (test):
2120         * stress/slice-array-storage-with-holes.js: Added.
2121         (main):
2122
2123 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2124
2125         Unreviewed, rolling out r237054.
2126         https://bugs.webkit.org/show_bug.cgi?id=190593
2127
2128         "this regressed JetStream 2 by 6% on iOS" (Requested by
2129         saamyjoon on #webkit).
2130
2131         Reverted changeset:
2132
2133         "[JSC] JSC should have "parseFunction" to optimize Function
2134         constructor"
2135         https://bugs.webkit.org/show_bug.cgi?id=190340
2136         https://trac.webkit.org/changeset/237054
2137
2138 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2139
2140         [JSC] JSON.stringify can accept call-with-no-arguments
2141         https://bugs.webkit.org/show_bug.cgi?id=190343
2142
2143         Reviewed by Mark Lam.
2144
2145         * stress/json-stringify-no-arguments.js: Added.
2146         (shouldBe):
2147
2148 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2149
2150         [JSC] JSC should have "parseFunction" to optimize Function constructor
2151         https://bugs.webkit.org/show_bug.cgi?id=190340
2152
2153         Reviewed by Mark Lam.
2154
2155         This patch fixes the line number of syntax errors raised by the Function constructor,
2156         since we now parse the final code only once. And we no longer use block statement
2157         for Function constructor's parsing.
2158
2159         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2160         * stress/function-cache-with-parameters-end-position.js: Added.
2161         (shouldBe):
2162         (shouldThrow):
2163         (i.anonymous):
2164         * stress/function-constructor-name.js: Added.
2165         (shouldBe):
2166         (GeneratorFunction):
2167         (AsyncFunction.async):
2168         (AsyncGeneratorFunction.async):
2169         (anonymous):
2170         (async.anonymous):
2171         * test262/expectations.yaml:
2172
2173 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2174
2175         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2176         https://bugs.webkit.org/show_bug.cgi?id=190426
2177
2178         Unreviewed gardening.
2179
2180         * stress/sampling-profiler-richards.js:
2181
2182 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2183
2184         [ESNext][BigInt] Implement support for "|"
2185         https://bugs.webkit.org/show_bug.cgi?id=186229
2186
2187         Reviewed by Yusuke Suzuki.
2188
2189         * stress/big-int-bitwise-and-jit.js:
2190         * stress/big-int-bitwise-or-general.js: Added.
2191         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2192         * stress/big-int-bitwise-or-jit.js: Added.
2193         * stress/big-int-bitwise-or-memory-stress.js: Added.
2194         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2195         * stress/big-int-bitwise-or-type-error.js: Added.
2196         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2197
2198 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2199
2200         Skip test on systems with limited memory
2201         https://bugs.webkit.org/show_bug.cgi?id=190310
2202
2203         Invoking runDefault adds test to runlist; skipping the test in the next
2204         line does not prevent the test from executing. Change order of lines such
2205         that runDefault is only executed if test is not executed.
2206
2207         Reviewed by Mark Lam.
2208
2209         * stress/regress-190187.js:
2210
2211 2018-10-03  Saam barati  <sbarati@apple.com>
2212
2213         lowXYZ in FTLLower should always filter the type of the incoming edge
2214         https://bugs.webkit.org/show_bug.cgi?id=189939
2215         <rdar://problem/44407030>
2216
2217         Reviewed by Michael Saboff.
2218
2219         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2220         (foo):
2221         (test):
2222
2223 2018-10-03  Mark Lam  <mark.lam@apple.com>
2224
2225         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2226         https://bugs.webkit.org/show_bug.cgi?id=190187
2227         <rdar://problem/42512909>
2228
2229         Reviewed by Michael Saboff.
2230
2231         * stress/regress-190187.js: Added.
2232
2233 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2234
2235         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2236         https://bugs.webkit.org/show_bug.cgi?id=190033
2237
2238         Reviewed by Yusuke Suzuki.
2239
2240         * stress/big-int-to-string.js:
2241
2242 2018-10-01  Mark Lam  <mark.lam@apple.com>
2243
2244         Function.toString() should also copy the source code Functions that are class definitions.
2245         https://bugs.webkit.org/show_bug.cgi?id=190186
2246         <rdar://problem/44733360>
2247
2248         Reviewed by Saam Barati.
2249
2250         * stress/regress-190186.js: Added.
2251
2252 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2253
2254         Split NaN-check into separate test
2255         https://bugs.webkit.org/show_bug.cgi?id=190010
2256
2257         Reviewed by Saam Barati.
2258
2259         DataView exposes NaN-representation, which is not necessarily the same on each
2260         architecture. Therefore move the check of the NaN-representation into its own
2261         file such that we can disable this test on MIPS where NaN-representation can be
2262         different on older CPUs.
2263
2264         * stress/dataview-jit-set-nan.js: Added.
2265         (assert):
2266         (test.storeLittleEndian):
2267         (test.storeBigEndian):
2268         (test.store):
2269         (test):
2270         * stress/dataview-jit-set.js:
2271         (test5):
2272
2273 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2274
2275         Unreviewed, rolling out r236647.
2276         https://bugs.webkit.org/show_bug.cgi?id=190124
2277
2278         Breaking test stress/big-int-to-string.js (Requested by
2279         caiolima_ on #webkit).
2280
2281         Reverted changeset:
2282
2283         "[BigInt] BigInt.prototype.toString is broken when radix is
2284         power of 2"
2285         https://bugs.webkit.org/show_bug.cgi?id=190033
2286         https://trac.webkit.org/changeset/236647
2287
2288 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2289
2290         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2291         https://bugs.webkit.org/show_bug.cgi?id=190033
2292
2293         Reviewed by Yusuke Suzuki.
2294
2295         * stress/big-int-to-string.js:
2296
2297 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2298
2299         [ESNext][BigInt] Implement support for "&"
2300         https://bugs.webkit.org/show_bug.cgi?id=186228
2301
2302         Reviewed by Yusuke Suzuki.
2303
2304         * stress/big-int-bitwise-and-general.js: Added.
2305         (assert):
2306         (assert.sameValue):
2307         * stress/big-int-bitwise-and-jit.js: Added.
2308         (let.assert.sameValue):
2309         (bigIntBitAnd):
2310         * stress/big-int-bitwise-and-memory-stress.js: Added.
2311         (assert):
2312         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2313         (assert.sameValue):
2314         (let.o.Symbol.toPrimitive):
2315         (catch):
2316         * stress/big-int-bitwise-and-type-error.js: Added.
2317         (assert):
2318         (assertThrowTypeError):
2319         (let.o.valueOf):
2320         (o.valueOf):
2321         (o.toString):
2322         (o.Symbol.toPrimitive):
2323         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2324         (assert.sameValue):
2325         (testBitAnd):
2326         (let.o.Symbol.toPrimitive):
2327         (o.valueOf):
2328         (o.toString):
2329
2330 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2331
2332         JSC test stress/jsc-read.js doesn't support CRLF
2333         https://bugs.webkit.org/show_bug.cgi?id=190063
2334
2335         Reviewed by Yusuke Suzuki.
2336
2337         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2338
2339         * stress/jsc-read.js:
2340         (test):
2341
2342 2018-09-27  Saam barati  <sbarati@apple.com>
2343
2344         Verify the contents of AssemblerBuffer on arm64e
2345         https://bugs.webkit.org/show_bug.cgi?id=190057
2346         <rdar://problem/38916630>
2347
2348         Reviewed by Mark Lam.
2349
2350         * stress/regress-189132.js:
2351
2352 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2353
2354         Disable test without LLInt on ARMv7
2355         https://bugs.webkit.org/show_bug.cgi?id=190037
2356
2357         Reviewed by Mark Lam.
2358
2359         Test runs out of executable memory on ARMv7; do not run
2360         this test without LLInt enabled.
2361
2362         * stress/regress-169445.js:
2363
2364 2018-09-26  Keith Miller  <keith_miller@apple.com>
2365
2366         We should zero unused property storage when rebalancing array storage.
2367         https://bugs.webkit.org/show_bug.cgi?id=188151
2368
2369         Reviewed by Michael Saboff.
2370
2371         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2372
2373 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2374
2375         [JSC] Optimize Array#lastIndexOf
2376         https://bugs.webkit.org/show_bug.cgi?id=189780
2377
2378         Reviewed by Saam Barati.
2379
2380         * stress/array-lastindexof-array-prototype-trap.js: Added.
2381         (shouldBe):
2382         (AncestorArray.prototype.get 2):
2383         (AncestorArray):
2384         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2385         (shouldBe):
2386         * stress/array-lastindexof-hole-nan.js: Added.
2387         (shouldBe):
2388         (throw.new.Error):
2389         * stress/array-lastindexof-infinity.js: Added.
2390         (shouldBe):
2391         (throw.new.Error):
2392         * stress/array-lastindexof-negative-zero.js: Added.
2393         (shouldBe):
2394         (throw.new.Error):
2395         * stress/array-lastindexof-own-getter.js: Added.
2396         (shouldBe):
2397         (throw.new.Error.get array):
2398         (get array):
2399         * stress/array-lastindexof-prototype-trap.js: Added.
2400         (shouldBe):
2401         (DerivedArray.prototype.get 2):
2402         (DerivedArray):
2403
2404 2018-09-25  Saam Barati  <sbarati@apple.com>
2405
2406         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2407         https://bugs.webkit.org/show_bug.cgi?id=189940
2408         <rdar://problem/43640987>
2409
2410         Reviewed by Mark Lam.
2411
2412         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2413
2414 2018-09-24  Saam Barati  <sbarati@apple.com>
2415
2416         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2417         https://bugs.webkit.org/show_bug.cgi?id=189922
2418         <rdar://problem/44651275>
2419
2420         Reviewed by Mark Lam.
2421
2422         * stress/array-indexof-fast-path-effects.js: Added.
2423         * stress/array-indexof-cached-length.js: Added.
2424
2425 2018-09-24  Saam barati  <sbarati@apple.com>
2426
2427         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2428         https://bugs.webkit.org/show_bug.cgi?id=189682
2429         <rdar://problem/43557315>
2430
2431         Reviewed by Mark Lam.
2432
2433         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2434         (foo):
2435
2436 2018-09-22  Saam barati  <sbarati@apple.com>
2437
2438         The sampling should not use Strong<CodeBlock> in its machineLocation field
2439         https://bugs.webkit.org/show_bug.cgi?id=189319
2440
2441         Reviewed by Filip Pizlo.
2442
2443         * stress/sampling-profiler-richards.js: Added.
2444
2445 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2446
2447         [JSC] Optimize Array#indexOf in C++ runtime
2448         https://bugs.webkit.org/show_bug.cgi?id=189507
2449
2450         Reviewed by Saam Barati.
2451
2452         * stress/array-indexof-array-prototype-trap.js: Added.
2453         (shouldBe):
2454         (AncestorArray.prototype.get 2):
2455         (AncestorArray):
2456         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2457         (shouldBe):
2458         * stress/array-indexof-hole-nan.js: Added.
2459         (shouldBe):
2460         (throw.new.Error):
2461         * stress/array-indexof-infinity.js: Added.
2462         (shouldBe):
2463         (throw.new.Error):
2464         * stress/array-indexof-negative-zero.js: Added.
2465         (shouldBe):
2466         (throw.new.Error):
2467         * stress/array-indexof-own-getter.js: Added.
2468         (shouldBe):
2469         (throw.new.Error.get array):
2470         (get array):
2471         * stress/array-indexof-prototype-trap.js: Added.
2472         (shouldBe):
2473         (DerivedArray.prototype.get 2):
2474         (DerivedArray):
2475
2476 2018-09-19  Saam barati  <sbarati@apple.com>
2477
2478         AI rule for MultiPutByOffset executes its effects in the wrong order
2479         https://bugs.webkit.org/show_bug.cgi?id=189757
2480         <rdar://problem/43535257>
2481
2482         Reviewed by Michael Saboff.
2483
2484         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2485         (foo):
2486         (Foo):
2487         (g):
2488
2489 2018-09-17  Mark Lam  <mark.lam@apple.com>
2490
2491         Ensure that ForInContexts are invalidated if their loop local is over-written.
2492         https://bugs.webkit.org/show_bug.cgi?id=189571
2493         <rdar://problem/44402277>
2494
2495         Reviewed by Saam Barati.
2496
2497         * stress/regress-189571.js: Added.
2498
2499 2018-09-17  Saam barati  <sbarati@apple.com>
2500
2501         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2502         https://bugs.webkit.org/show_bug.cgi?id=189676
2503         <rdar://problem/39682897>
2504
2505         Reviewed by Michael Saboff.
2506
2507         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2508         (A):
2509         (K):
2510         (i.catch):
2511
2512 2018-09-14  Saam barati  <sbarati@apple.com>
2513
2514         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2515         https://bugs.webkit.org/show_bug.cgi?id=189628
2516         <rdar://problem/39481690>
2517
2518         Reviewed by Mark Lam.
2519
2520         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2521         (foo):
2522
2523 2018-09-11  Mark Lam  <mark.lam@apple.com>
2524
2525         Test for array initialization in arrayProtoFuncSplice.
2526         https://bugs.webkit.org/show_bug.cgi?id=170253
2527         <rdar://problem/31328773>
2528
2529         Rubber-stamped by Saam Barati.
2530
2531         * stress/regress-170253.js: Added.
2532
2533 2018-09-11  Mark Lam  <mark.lam@apple.com>
2534
2535         Test for IntlObject initialization.
2536         https://bugs.webkit.org/show_bug.cgi?id=170251
2537         <rdar://problem/31328419>
2538
2539         Rubber-stamped by Saam Barati.
2540
2541         * stress/regress-170251.js: Added.
2542
2543 2018-09-11  Mark Lam  <mark.lam@apple.com>
2544
2545         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2546         https://bugs.webkit.org/show_bug.cgi?id=169889
2547         <rdar://problem/31155607>
2548
2549         Reviewed by Saam Barati.
2550
2551         * stress/regress-169889-array-concat.js: Added.
2552         * stress/regress-169889-array-concat1.js: Added.
2553         * stress/regress-169889-array-slice.js: Added.
2554
2555 2018-09-11  Mark Lam  <mark.lam@apple.com>
2556
2557         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2558         https://bugs.webkit.org/show_bug.cgi?id=169445
2559         <rdar://problem/30957435>
2560
2561         Reviewed by Saam Barati.
2562
2563         * stress/regress-169445.js: Added.
2564         (let.gun.eval.A):
2565         (let.gun.eval.B.C):
2566         (let.gun.eval.B.C.prototype.trigger):
2567         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2568         (let.gun.eval.B):
2569         (let.gun.eval):
2570
2571 == Rolled over to ChangeLog-2018-09-11 ==