Placate exception check validation in constructJSWebAssemblyLinkError().
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-22  Mark Lam  <mark.lam@apple.com>
2
3         Placate exception check validation in constructJSWebAssemblyLinkError().
4         https://bugs.webkit.org/show_bug.cgi?id=196152
5         <rdar://problem/49145257>
6
7         Reviewed by Michael Saboff.
8
9         * stress/web-assembly-link-error-exception-check.js: Added.
10
11 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
12
13         Skip tests running out of memory on ARM/MIPS
14         https://bugs.webkit.org/show_bug.cgi?id=196131
15
16         Unreviewed. Skip test if memory is limited.
17
18         * microbenchmarks/put-by-val-direct-large-index.js:
19
20 2019-03-21  Mark Lam  <mark.lam@apple.com>
21
22         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
23         https://bugs.webkit.org/show_bug.cgi?id=196116
24         <rdar://problem/48976951>
25
26         Reviewed by Filip Pizlo.
27
28         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
29
30 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
31
32         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
33         https://bugs.webkit.org/show_bug.cgi?id=196078
34         <rdar://problem/35925380>
35
36         Reviewed by Mark Lam.
37
38         Add a new benchmark that allocates several objects and invokes put_by_val_direct
39         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
40
41         * microbenchmarks/put-by-val-direct-large-index.js: Added.
42
43 2019-03-21  Mark Lam  <mark.lam@apple.com>
44
45         Placate exception check validation in operationArrayIndexOfString().
46         https://bugs.webkit.org/show_bug.cgi?id=196067
47         <rdar://problem/49056572>
48
49         Reviewed by Michael Saboff.
50
51         * stress/string-equal-exception-check.js: Added.
52
53 2019-03-21  Mark Lam  <mark.lam@apple.com>
54
55         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
56         https://bugs.webkit.org/show_bug.cgi?id=196055
57         <rdar://problem/49067448>
58
59         Reviewed by Yusuke Suzuki.
60
61         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
62
63 2019-03-20  Saam Barati  <sbarati@apple.com>
64
65         typeOfDoubleSum is wrong for when NaN can be produced
66         https://bugs.webkit.org/show_bug.cgi?id=196030
67
68         Reviewed by Filip Pizlo.
69
70         * stress/double-add-sub-mul-can-produce-nan.js: Added.
71         (assert):
72         (noInline.sub):
73         (noInline):
74         (assert.mul):
75         (assert.add):
76
77 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
78
79         Update the test to ensure OutOfMemoryError is thrown as intended
80         https://bugs.webkit.org/show_bug.cgi?id=196032
81         <rdar://problem/46842740>
82
83         Rubber stamped by Saam Barati.
84
85         * stress/create-error-out-of-memory-rope-string.js:
86         (assert):
87         (catch):
88
89 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
90
91         JSC::createError needs to check for OOM in errorDescriptionForValue
92         https://bugs.webkit.org/show_bug.cgi?id=196032
93         <rdar://problem/46842740>
94
95         Reviewed by Mark Lam.
96
97         * stress/create-error-out-of-memory-rope-string.js: Added.
98
99 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
100
101         Unreviewed, reduce # of iterations to avoid timing out after r242991
102         https://bugs.webkit.org/show_bug.cgi?id=195791
103
104         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
105
106         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
107
108 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
109
110         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
111         https://bugs.webkit.org/show_bug.cgi?id=195950
112
113         Unreviewed, reducing the amount of memory used on this test to avoid
114         OOM on devices with memory restrictions.
115
116         * microbenchmarks/generate-multiple-llint-entrypoints.js:
117
118 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
119
120         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
121         https://bugs.webkit.org/show_bug.cgi?id=194648
122
123         Reviewed by Keith Miller.
124
125         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
126
127 2019-03-18  Mark Lam  <mark.lam@apple.com>
128
129         Missing a ThrowScope release in JSObject::toString().
130         https://bugs.webkit.org/show_bug.cgi?id=195893
131         <rdar://problem/48970986>
132
133         Reviewed by Michael Saboff.
134
135         * stress/to-string-exception-check-release.js: Added.
136
137 2019-03-18  Mark Lam  <mark.lam@apple.com>
138
139         Structure::flattenDictionary() should clear unused property slots.
140         https://bugs.webkit.org/show_bug.cgi?id=195871
141         <rdar://problem/48959497>
142
143         Reviewed by Michael Saboff.
144
145         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
146
147 2019-03-15  Mark Lam  <mark.lam@apple.com>
148
149         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
150         https://bugs.webkit.org/show_bug.cgi?id=195827
151         <rdar://problem/48845513>
152
153         Reviewed by Filip Pizlo.
154
155         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
156
157 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
158
159         [ARM,MIPS] Skip slow tests
160         https://bugs.webkit.org/show_bug.cgi?id=195799
161
162         Unreviewed, test does not finish on ARM and MIPS within the
163         timeout limit.
164
165         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
166
167 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
168
169         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
170         https://bugs.webkit.org/show_bug.cgi?id=195791
171         <rdar://problem/48806130>
172
173         Reviewed by Mark Lam.
174
175         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
176         (foo):
177
178 2019-03-14  Saam barati  <sbarati@apple.com>
179
180         We can't remove code after ForceOSRExit until after FixupPhase
181         https://bugs.webkit.org/show_bug.cgi?id=186916
182         <rdar://problem/41396612>
183
184         Reviewed by Yusuke Suzuki.
185
186         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
187         (foo):
188         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
189         (foo):
190
191 2019-03-13  Michael Saboff  <msaboff@apple.com>
192
193         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
194         https://bugs.webkit.org/show_bug.cgi?id=195735
195
196         Reviewed by Mark Lam.
197
198         New regression test.
199
200         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
201         (foo):
202         (bar):
203
204 2019-03-14  Saam barati  <sbarati@apple.com>
205
206         Fixup uses KnownInt32 incorrectly in some nodes
207         https://bugs.webkit.org/show_bug.cgi?id=195279
208         <rdar://problem/47915654>
209
210         Reviewed by Yusuke Suzuki.
211
212         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
213         (foo):
214
215 2019-03-14  Keith Miller  <keith_miller@apple.com>
216
217         DFG liveness can't skip tail caller inline frames
218         https://bugs.webkit.org/show_bug.cgi?id=195715
219
220         Reviewed by Saam Barati.
221
222         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
223         (i.foo):
224
225 2019-03-13  Mark Lam  <mark.lam@apple.com>
226
227         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
228         https://bugs.webkit.org/show_bug.cgi?id=195415
229
230         Not reviewed.
231
232         Changed these tests to only run the default configuration.
233         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
234         There's no strong need to run this test on that variant.
235
236         * stress/dfg-to-string-on-int-does-gc.js:
237         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
238
239 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
240
241         String overflow when using StringBuilder in JSC::createError
242         https://bugs.webkit.org/show_bug.cgi?id=194957
243
244         Reviewed by Mark Lam.
245
246         Add test string-overflow-createError-bulder.js that overflows
247         StringBuilder in notAFunctionSourceAppender. The second new test
248         string-overflow-createError-fit.js has an error message that doesn't
249         overflow, it still failed since the String's capacity can't be doubled.
250         Run test string-overflow-createError.js only in the default
251         configuration to reduce memory consumption when running the test
252         in all configurations on multiple CPUs in parallel.
253
254         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
255         (catch):
256         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
257         (catch):
258         * stress/string-overflow-createError.js:
259
260 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
261
262         [JSC] OSR entry should respect abstract values in addition to flush formats
263         https://bugs.webkit.org/show_bug.cgi?id=195653
264
265         Reviewed by Mark Lam.
266
267         * stress/osr-entry-locals-none.js: Added.
268
269 2019-03-12  Michael Saboff  <msaboff@apple.com>
270
271         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
272         https://bugs.webkit.org/show_bug.cgi?id=195613
273
274         Reviewed by Mark Lam.
275
276         New regression test.
277
278         * stress/regexp-backref-inbounds.js: Added.
279         (testRegExp):
280
281 2019-03-12  Mark Lam  <mark.lam@apple.com>
282
283         The HasIndexedProperty node does GC.
284         https://bugs.webkit.org/show_bug.cgi?id=195559
285         <rdar://problem/48767923>
286
287         Reviewed by Yusuke Suzuki.
288
289         * stress/HasIndexedProperty-does-gc.js: Added.
290
291 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
292
293         [ESNext][BigInt] Implement "~" unary operation
294         https://bugs.webkit.org/show_bug.cgi?id=182216
295
296         Reviewed by Keith Miller.
297
298         * stress/big-int-bit-not-general.js: Added.
299         * stress/big-int-bitwise-not-jit.js: Added.
300         * stress/big-int-bitwise-not-wrapped-value.js: Added.
301         * stress/bit-op-with-object-returning-int32.js:
302         * stress/bitwise-not-fixup-rules.js: Added.
303         * stress/value-bit-not-ai-rule.js: Added.
304
305 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
306
307         Invalid flags in a RegExp literal should be an early SyntaxError
308         https://bugs.webkit.org/show_bug.cgi?id=195514
309
310         Reviewed by Darin Adler.
311
312         * test262/expectations.yaml:
313         Mark 4 test cases as passing.
314
315         * stress/regexp-syntax-error-invalid-flags.js:
316         * stress/regress-161995.js: Removed.
317         Update existing test, merging in an older test for the same behavior.
318
319 2019-03-08  Mark Lam  <mark.lam@apple.com>
320
321         Stack overflow crash in JSC::JSObject::hasInstance.
322         https://bugs.webkit.org/show_bug.cgi?id=195458
323         <rdar://problem/48710195>
324
325         Reviewed by Yusuke Suzuki.
326
327         * stress/stack-overflow-in-custom-hasInstance.js: Added.
328
329 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
330
331         op_check_tdz does not def its argument
332         https://bugs.webkit.org/show_bug.cgi?id=192880
333         <rdar://problem/46221598>
334
335         Reviewed by Saam Barati.
336
337         * microbenchmarks/let-for-in.js: Added.
338         (foo):
339
340 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
341
342         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
343         https://bugs.webkit.org/show_bug.cgi?id=195429
344
345         Reviewed by Saam Barati.
346
347         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
348         (foo):
349         * stress/string-from-char-code-255.js: Added.
350
351 2019-03-06  Mark Lam  <mark.lam@apple.com>
352
353         Fix incorrect handling of try-finally completion values.
354         https://bugs.webkit.org/show_bug.cgi?id=195131
355         <rdar://problem/46222079>
356
357         Reviewed by Saam Barati and Yusuke Suzuki.
358
359         Added many permutations of new test case to test-finally.js.  test-finally.js has
360         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
361         tests passes there as well.
362
363         * stress/test-finally.js:
364
365 2019-03-06  Saam Barati  <sbarati@apple.com>
366
367         Air::reportUsedRegisters must padInterference
368         https://bugs.webkit.org/show_bug.cgi?id=195303
369         <rdar://problem/48270343>
370
371         Reviewed by Keith Miller.
372
373         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
374
375 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
376
377         [JSC] AI should not propagate AbstractValue relying on constant folding phase
378         https://bugs.webkit.org/show_bug.cgi?id=195375
379
380         Reviewed by Saam Barati.
381
382         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
383         (let.array):
384
385 2019-03-05  Saam barati  <sbarati@apple.com>
386
387         op_switch_char broken for rope strings after JSRopeString layout rewrite
388         https://bugs.webkit.org/show_bug.cgi?id=195339
389         <rdar://problem/48592545>
390
391         Reviewed by Yusuke Suzuki.
392
393         * stress/switch-on-char-llint-rope.js: Added.
394
395 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
396
397         [JSC] Store bits for JSRopeString in 3 stores
398         https://bugs.webkit.org/show_bug.cgi?id=195234
399
400         Reviewed by Saam Barati.
401
402         * stress/null-rope-and-collectors.js: Added.
403
404 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
405
406         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
407         https://bugs.webkit.org/show_bug.cgi?id=195207
408
409         Unreviewed. After test runtime was reduced in r242213, test can be
410         run again on ARM/MIPS.
411
412         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
413
414 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
415
416         [JSC] sizeof(JSString) should be 16
417         https://bugs.webkit.org/show_bug.cgi?id=194375
418
419         Reviewed by Saam Barati.
420
421         * microbenchmarks/make-rope.js: Added.
422         (makeRope):
423         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
424         (returnRope.helper): Deleted.
425         (returnRope): Deleted.
426
427 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
428
429         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
430         https://bugs.webkit.org/show_bug.cgi?id=195144
431
432         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
433         Change the number from 1e8 to 1e5.
434
435         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
436         (foo):
437
438 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
439
440         Test times out on ARM/MIPS
441         https://bugs.webkit.org/show_bug.cgi?id=195168
442
443         Unreviewed. Skip test on ARM/MIPS.
444
445         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
446
447 2019-02-27  Mark Lam  <mark.lam@apple.com>
448
449         The parser is failing to record the token location of new in new.target.
450         https://bugs.webkit.org/show_bug.cgi?id=195127
451         <rdar://problem/39645578>
452
453         Reviewed by Yusuke Suzuki.
454
455         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
456
457 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
458
459         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
460         https://bugs.webkit.org/show_bug.cgi?id=195144
461         <rdar://problem/47595961>
462
463         Reviewed by Mark Lam.
464
465         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
466         (bar):
467         (foo):
468         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
469         (bar):
470         (foo):
471
472 2019-02-27  Robin Morisset  <rmorisset@apple.com>
473
474         DFG: Loop-invariant code motion (LICM) should not hoist dead code
475         https://bugs.webkit.org/show_bug.cgi?id=194945
476         <rdar://problem/48311657>
477
478         Reviewed by Mark Lam.
479
480         * stress/licm-dead-code.js: Added.
481
482 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
483
484         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
485         https://bugs.webkit.org/show_bug.cgi?id=194677
486         <rdar://problem/48112492>
487
488         Reviewed by Mark Lam.
489
490         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
491         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
492         it immediately fails due the large size.
493
494         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
495         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
496         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
497         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
498
499         This patch changes the test to produce 16bit string from String.fromCharCode.
500
501         * stress/regress-178386.js:
502
503 2019-02-26  Mark Lam  <mark.lam@apple.com>
504
505         wasmToJS() should purify incoming NaNs.
506         https://bugs.webkit.org/show_bug.cgi?id=194807
507         <rdar://problem/48189132>
508
509         Reviewed by Saam Barati.
510
511         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
512
513 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
514
515         [JSC] Repeat string created from Array.prototype.join() take too much memory
516         https://bugs.webkit.org/show_bug.cgi?id=193912
517
518         Reviewed by Saam Barati.
519
520         Added a test and a microbenchmark for corner cases of
521         Array.prototype.join() with an uninitialized array.
522
523         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
524         * stress/array-prototype-join-uninitialized.js: Added.
525         (testArray):
526         (testABC):
527         (B):
528         (C):
529
530 2019-02-22  Robin Morisset  <rmorisset@apple.com>
531
532         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
533         https://bugs.webkit.org/show_bug.cgi?id=194953
534         <rdar://problem/47595253>
535
536         Reviewed by Saam Barati.
537
538         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
539
540         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
541
542 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
543
544         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
545         https://bugs.webkit.org/show_bug.cgi?id=172848
546         <rdar://problem/25709212>
547
548         Reviewed by Mark Lam.
549
550         * typeProfiler/inheritance.js:
551         Rewrite the test slightly for clarity. The hoisting was confusing.
552
553         * heapProfiler/class-names.js: Added.
554         (MyES5Class):
555         (MyES6Class):
556         (MyES6Subclass):
557         Test object types and improved class names.
558
559         * heapProfiler/driver/driver.js:
560         (CheapHeapSnapshotNode):
561         (CheapHeapSnapshot):
562         (createCheapHeapSnapshot):
563         (HeapSnapshot):
564         (createHeapSnapshot):
565         Update snapshot parsing from version 1 to version 2.
566
567 2019-02-19  Truitt Savell  <tsavell@apple.com>
568
569         Unreviewed, rolling out r241784.
570
571         Broke all OpenSource builds.
572
573         Reverted changeset:
574
575         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
576         instances view"
577         https://bugs.webkit.org/show_bug.cgi?id=172848
578         https://trac.webkit.org/changeset/241784
579
580 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
581
582         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
583         https://bugs.webkit.org/show_bug.cgi?id=172848
584         <rdar://problem/25709212>
585
586         Reviewed by Mark Lam.
587
588         * typeProfiler/inheritance.js:
589         Rewrite the test slightly for clarity. The hoisting was confusing.
590
591         * heapProfiler/class-names.js: Added.
592         (MyES5Class):
593         (MyES6Class):
594         (MyES6Subclass):
595         Test object types and improved class names.
596
597         * heapProfiler/driver/driver.js:
598         (CheapHeapSnapshotNode):
599         (CheapHeapSnapshot):
600         (createCheapHeapSnapshot):
601         (HeapSnapshot):
602         (createHeapSnapshot):
603         Update snapshot parsing from version 1 to version 2.
604
605 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
606
607         [ARM] Fix crash with sampling profiler
608         https://bugs.webkit.org/show_bug.cgi?id=194772
609
610         Reviewed by Mark Lam.
611
612         Do not skip test since crash with sampling profiler is now fixed.
613
614         * stress/sampling-profiler-richards.js:
615
616 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
617
618         [JSC] Add LazyClassStructure::getInitializedOnMainThread
619         https://bugs.webkit.org/show_bug.cgi?id=194784
620         <rdar://problem/48154820>
621
622         Reviewed by Mark Lam.
623
624         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
625         (getProperties):
626         (getRandomProperty):
627         (i.catch):
628
629 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
630
631         [ARM] Test gardening: Test running out of executable memory
632         https://bugs.webkit.org/show_bug.cgi?id=194771
633
634         Unreviewed. Do not run test without LLInt, test is running out of executable
635         memory on ARM otherwise.
636
637         * stress/tagged-template-object-collect.js:
638
639 2019-02-18  Tomas Popela  <tpopela@redhat.com>
640
641         Unreviewed, skip the test on platforms without sampling profiler
642
643         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
644         (platformSupportsSamplingProfiler.foo):
645         (platformSupportsSamplingProfiler.test):
646         (platformSupportsSamplingProfiler):
647         (foo): Deleted.
648         (test): Deleted.
649
650 2019-02-17  Saam Barati  <sbarati@apple.com>
651
652         Deadlock when adding a Structure property transition and then doing incremental marking
653         https://bugs.webkit.org/show_bug.cgi?id=194767
654
655         Reviewed by Mark Lam.
656
657         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
658
659 2019-02-15  Michael Saboff  <msaboff@apple.com>
660
661         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
662         https://bugs.webkit.org/show_bug.cgi?id=194558
663
664         Reviewed by Saam Barati.
665
666         New regression test.
667
668         * stress/regexp-unicode-within-string.js: Added.
669
670 2019-02-15  Mark Lam  <mark.lam@apple.com>
671
672         SamplingProfiler::stackTracesAsJSON() should escape strings.
673         https://bugs.webkit.org/show_bug.cgi?id=194649
674         <rdar://problem/48072386>
675
676         Reviewed by Saam Barati.
677
678         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
679         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
680         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
681         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
682
683 2019-02-15  Robin Morisset  <rmorisset@apple.com>
684         CodeBlock::jettison should clear related watchpoints
685         https://bugs.webkit.org/show_bug.cgi?id=194544
686
687         Reviewed by Mark Lam.
688
689         * stress/regexp-replace-double-watchpoint.js: Added.
690         (foo):
691
692 2019-02-15  Saam barati  <sbarati@apple.com>
693
694         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
695         https://bugs.webkit.org/show_bug.cgi?id=194036
696
697         Reviewed by Yusuke Suzuki.
698
699         * stress/tail-call-many-arguments.js: Added.
700         (foo):
701         (bar):
702
703 2019-02-14  Saam Barati  <sbarati@apple.com>
704
705         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
706         https://bugs.webkit.org/show_bug.cgi?id=194583
707         <rdar://problem/48028140>
708
709         Reviewed by Yusuke Suzuki.
710
711         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
712
713 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
714
715         [JSC] String.fromCharCode's slow path always generates 16bit string
716         https://bugs.webkit.org/show_bug.cgi?id=194466
717
718         Reviewed by Keith Miller.
719
720         * stress/string-from-char-code-slow-path.js: Added.
721         (shouldBe):
722         (testWithLength):
723
724 2019-02-08  Saam barati  <sbarati@apple.com>
725
726         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
727         https://bugs.webkit.org/show_bug.cgi?id=194334
728         <rdar://problem/47844327>
729
730         Reviewed by Mark Lam.
731
732         * stress/check-in-bounds-should-be-a-child-use.js: Added.
733         (func):
734
735 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
736
737         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
738         https://bugs.webkit.org/show_bug.cgi?id=194369
739         <rdar://problem/47813087>
740
741         Reviewed by Saam Barati.
742
743         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
744         (A):
745
746 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
747
748         [JSC] PrivateName to PublicName hash table is wasteful
749         https://bugs.webkit.org/show_bug.cgi?id=194277
750
751         Reviewed by Michael Saboff.
752
753         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
754
755         * ChakraCore.yaml:
756
757 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
758
759         [ARM] Test running out of executable memory
760         https://bugs.webkit.org/show_bug.cgi?id=194285
761
762         Unreviewed. Do no execute test with LLInt disabled, test runs out of
763         executable memory otherwise.
764
765         * stress/class-subclassing-function.js:
766
767 2019-02-04  Robin Morisset  <rmorisset@apple.com>
768
769         when lowering AssertNotEmpty, create the value before creating the patchpoint
770         https://bugs.webkit.org/show_bug.cgi?id=194231
771
772         Reviewed by Saam Barati.
773
774         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
775         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
776         So even tiny changes to this test can change the path code taken.
777
778         * stress/assert-not-empty.js: Added.
779         (foo):
780
781 2019-02-01  Mark Lam  <mark.lam@apple.com>
782
783         Remove invalid assertion in DFG's compileDoubleRep().
784         https://bugs.webkit.org/show_bug.cgi?id=194130
785         <rdar://problem/47699474>
786
787         Reviewed by Saam Barati.
788
789         * stress/constant-fold-double-rep-into-double-constant.js: Added.
790
791 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
792
793         Import latest Test262 updates.
794
795         Rubber-stamped by Keith Miller.
796
797         * test262.yaml: Deleted.
798         * test262/config.yaml:
799         * test262/expectations.yaml:
800         * test262/latest-changes-summary.txt:
801         * test262/test/:
802         * test262/test262-Revision.txt:
803
804 2019-01-30  Robin Morisset  <rmorisset@apple.com>
805
806         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
807         https://bugs.webkit.org/show_bug.cgi?id=194050
808         <rdar://problem/47595592>
809
810         Reviewed by Yusuke Suzuki.
811
812         * stress/object-keys-osr-exit.js: Added.
813         (foo):
814         (catch):
815
816 2019-01-29  Mark Lam  <mark.lam@apple.com>
817
818         ValueRecovery::recover() should purify NaN values it recovers.
819         https://bugs.webkit.org/show_bug.cgi?id=193978
820         <rdar://problem/47625488>
821
822         Reviewed by Saam Barati.
823
824         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
825
826 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
827
828         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
829         https://bugs.webkit.org/show_bug.cgi?id=193713
830
831         * stress/try-get-by-id-should-spill-registers-dfg.js:
832         (let.f.createBuiltin):
833
834 2019-01-28  Mark Lam  <mark.lam@apple.com>
835
836         ToString node actually does GC.
837         https://bugs.webkit.org/show_bug.cgi?id=193920
838         <rdar://problem/46695900>
839
840         Reviewed by Yusuke Suzuki.
841
842         * stress/dfg-to-string-on-int-does-gc.js: Added.
843         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
844         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
845
846 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
847
848         [JSC] NativeErrorConstructor should not have own IsoSubspace
849         https://bugs.webkit.org/show_bug.cgi?id=193713
850
851         Reviewed by Saam Barati.
852
853         Remove @Error use.
854
855         * stress/try-get-by-id-should-spill-registers-dfg.js:
856         (let.f.createBuiltin):
857
858 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
859
860         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
861         https://bugs.webkit.org/show_bug.cgi?id=190693
862
863         Reviewed by Michael Saboff.
864
865         * stress/regress-190693.js: Added.
866         (truth):
867         (assert):
868         (shouldThrowInvalidConstAssignment):
869         (taz):
870
871 2019-01-24  Saam Barati  <sbarati@apple.com>
872
873         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
874         https://bugs.webkit.org/show_bug.cgi?id=193751
875         <rdar://problem/47280215>
876
877         Reviewed by Michael Saboff.
878
879         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
880         (let.thing):
881         (foo.let.hello):
882         (foo):
883
884 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
885
886         [JSC] Reenable baseline JIT on mips
887         https://bugs.webkit.org/show_bug.cgi?id=192983
888
889         Reviewed by Mark Lam.
890
891         Added a new test for a case that was triggering a RELEASE_ASSERT when
892         testing.
893         Disable some slow tests that were already disabled for arm and x86.
894
895         * stress/json-parse-big-object.js: Added.
896         * stress/new-largeish-contiguous-array-with-size.js:
897         * stress/op_add.js:
898         * stress/op_bitand.js:
899         * stress/op_bitor.js:
900         * stress/op_bitxor.js:
901         * stress/op_lshift-ConstVar.js:
902         * stress/op_lshift-VarConst.js:
903         * stress/op_lshift-VarVar.js:
904         * stress/op_mod-ConstVar.js:
905         * stress/op_mod-VarConst.js:
906         * stress/op_mod-VarVar.js:
907         * stress/op_mul-ConstVar.js:
908         * stress/op_mul-VarConst.js:
909         * stress/op_mul-VarVar.js:
910         * stress/op_rshift-ConstVar.js:
911         * stress/op_rshift-VarConst.js:
912         * stress/op_rshift-VarVar.js:
913         * stress/op_sub-ConstVar.js:
914         * stress/op_sub-VarConst.js:
915         * stress/op_sub-VarVar.js:
916         * stress/op_urshift-ConstVar.js:
917         * stress/op_urshift-VarConst.js:
918         * stress/op_urshift-VarVar.js:
919         * stress/sampling-profiler-richards.js:
920         * stress/spread-forward-call-varargs-stack-overflow.js:
921
922 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
923
924         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
925         https://bugs.webkit.org/show_bug.cgi?id=193711
926         <rdar://problem/47250262>
927
928         Reviewed by Saam Barati.
929
930         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
931         (shouldBe):
932         (foo):
933         (bar):
934         (baz):
935
936 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
937
938         Unreviewed, fix initial global lexical binding epoch
939         https://bugs.webkit.org/show_bug.cgi?id=193603
940         <rdar://problem/47380869>
941
942         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
943         (f1.f2.f3.f4):
944         (f1.f2.f3):
945         (f1.f2):
946         (f1):
947
948 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
949
950         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
951         https://bugs.webkit.org/show_bug.cgi?id=193709
952         <rdar://problem/47363838>
953
954         Unreviewed, rollout to watch the tests.
955
956         * stress/object-tostring-changed-proto.js: Removed.
957         * stress/object-tostring-changed.js: Removed.
958         * stress/object-tostring-misc.js: Removed.
959         * stress/object-tostring-other.js: Removed.
960         * stress/object-tostring-untyped.js: Removed.
961
962 2019-01-22  Saam Barati  <sbarati@apple.com>
963
964         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
965
966         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
967         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
968         (testUncheckedLessThanZero):
969         (testUncheckedLessThanOrEqualZero):
970         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
971         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
972
973 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
974
975         [JSC] Invalidate old scope operations using global lexical binding epoch
976         https://bugs.webkit.org/show_bug.cgi?id=193603
977         <rdar://problem/47380869>
978
979         Reviewed by Saam Barati.
980
981         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
982         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
983         (shouldThrow):
984         (bar):
985         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
986         (shouldBe):
987         (get1):
988         (get2):
989         (get1If):
990         (get2If):
991         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
992         (shouldThrow):
993         (foo):
994
995 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         Unreviewed, roll out r240220 due to date-format-xparb regression
998         https://bugs.webkit.org/show_bug.cgi?id=193603
999
1000         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1001         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1002         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1003         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1004
1005 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1006
1007         DoesGC rule is wrong for nodes with BigIntUse
1008         https://bugs.webkit.org/show_bug.cgi?id=193652
1009
1010         Reviewed by Saam Barati.
1011
1012         * stress/big-int-value-op-update-gc-rules.js: Added.
1013         (assert):
1014         (doesGCAdd):
1015         (doesGCSub):
1016         (doesGCDiv):
1017         (doesGCMul):
1018         (doesGCBitAnd):
1019         (doesGCBitOr):
1020         (doesGCBitXor):
1021
1022 2019-01-20  Saam Barati  <sbarati@apple.com>
1023
1024         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1025         https://bugs.webkit.org/show_bug.cgi?id=193644
1026         <rdar://problem/46209745>
1027
1028         Reviewed by Yusuke Suzuki.
1029
1030         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1031         (foo):
1032         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1033         (foo):
1034         (bar):
1035
1036 2019-01-20  Saam Barati  <sbarati@apple.com>
1037
1038         MovHint must merge NodeBytecodeUsesAsValue for its child
1039         https://bugs.webkit.org/show_bug.cgi?id=186916
1040         <rdar://problem/41396612>
1041
1042         Reviewed by Yusuke Suzuki.
1043
1044         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1045         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1046
1047 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1048
1049         [JSC] Invalidate old scope operations using global lexical binding epoch
1050         https://bugs.webkit.org/show_bug.cgi?id=193603
1051         <rdar://problem/47380869>
1052
1053         Reviewed by Saam Barati.
1054
1055         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1056         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1057         (shouldThrow):
1058         (bar):
1059         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1060         (shouldBe):
1061         (get1):
1062         (get2):
1063         (get1If):
1064         (get2If):
1065         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1066         (shouldThrow):
1067         (foo):
1068
1069 2019-01-17  Saam barati  <sbarati@apple.com>
1070
1071         StringObjectUse should not be a structure check for the original string object structure
1072         https://bugs.webkit.org/show_bug.cgi?id=193483
1073         <rdar://problem/47280522>
1074
1075         Reviewed by Yusuke Suzuki.
1076
1077         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1078         (foo):
1079         (a.valueOf.0):
1080
1081 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1082
1083         [JSC] ToThis omission in DFGByteCodeParser is wrong
1084         https://bugs.webkit.org/show_bug.cgi?id=193513
1085         <rdar://problem/45842236>
1086
1087         Reviewed by Saam Barati.
1088
1089         * stress/to-this-omission-with-different-strict-modes.js: Added.
1090         (thisA):
1091         (thisAStrictWrapper):
1092
1093 2019-01-15  Mark Lam  <mark.lam@apple.com>
1094
1095         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1096         https://bugs.webkit.org/show_bug.cgi?id=193423
1097         <rdar://problem/46209355>
1098
1099         Reviewed by Saam Barati.
1100
1101         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1102         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1103         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1104         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1105
1106 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1107
1108         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1109         https://bugs.webkit.org/show_bug.cgi?id=193438
1110         <rdar://problem/45581249>
1111
1112         Reviewed by Saam Barati and Keith Miller.
1113
1114         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1115         Then, GetByVal(String) crashed.
1116
1117         * stress/string-get-by-val-lowering.js: Added.
1118         (shouldBe):
1119         (test):
1120         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1121         (Hello):
1122         (foo):
1123
1124 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1125
1126         Unreviewed, skip JIT tests if it's not enabled
1127
1128         * stress/bit-op-with-object-returning-int32.js:
1129
1130 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1131
1132         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1133         https://bugs.webkit.org/show_bug.cgi?id=192966
1134
1135         Reviewed by Yusuke Suzuki.
1136
1137         * stress/bit-op-with-object-returning-int32.js: Added.
1138
1139 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1140
1141         Skip a slow test and a flakey test on arm
1142
1143         Unreviewed gardening.
1144
1145         * typeProfiler/getter-richards.js:
1146         this test always times out, it used to be always skipped on arm and
1147         mips, but got accidentally enabled by r237919 now that we have DFG on
1148         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1149
1150 2019-01-14  Keith Miller  <keith_miller@apple.com>
1151
1152         Skip type-check-hoisting-phase-hoist... with no jit
1153         https://bugs.webkit.org/show_bug.cgi?id=193421
1154
1155         Reviewed by Mark Lam.
1156
1157         It's timing out the 32-bit bots and takes 330 seconds
1158         on my machine when run by itself.
1159
1160         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1161
1162 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1163
1164         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1165         https://bugs.webkit.org/show_bug.cgi?id=193413
1166         <rdar://problem/46092389>
1167
1168         Reviewed by Keith Miller.
1169
1170         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1171         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1172         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1173         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1174
1175         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1176         (compareArray):
1177
1178 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1179
1180         [BigInt] Literal parsing is crashing when used inside a Object Literal
1181         https://bugs.webkit.org/show_bug.cgi?id=193404
1182
1183         Reviewed by Yusuke Suzuki.
1184
1185         * stress/big-int-literal-inside-literal-object.js: Added.
1186
1187 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1188
1189         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1190         https://bugs.webkit.org/show_bug.cgi?id=193372
1191
1192         Reviewed by Saam Barati.
1193
1194         * stress/typed-array-array-modes-profile.js: Added.
1195         (foo):
1196
1197 2019-01-14  Mark Lam  <mark.lam@apple.com>
1198
1199         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1200         https://bugs.webkit.org/show_bug.cgi?id=193402
1201         <rdar://problem/46012309>
1202
1203         Reviewed by Keith Miller.
1204
1205         * stress/regexp-compile-oom.js:
1206         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1207           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1208
1209 2019-01-11  Saam barati  <sbarati@apple.com>
1210
1211         DFG combined liveness can be wrong for terminal basic blocks
1212         https://bugs.webkit.org/show_bug.cgi?id=193304
1213         <rdar://problem/45268632>
1214
1215         Reviewed by Yusuke Suzuki.
1216
1217         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1218
1219 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1220
1221         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1222         https://bugs.webkit.org/show_bug.cgi?id=193308
1223         <rdar://problem/45546542>
1224
1225         Reviewed by Saam Barati.
1226
1227         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1228         (shouldThrow):
1229         (shouldBe):
1230         (foo):
1231         (get shouldThrow):
1232         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1233         (shouldThrow):
1234         (shouldBe):
1235         (foo):
1236         (get shouldBe):
1237         (get shouldThrow):
1238         (get return):
1239         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1240         (shouldThrow):
1241         (shouldBe):
1242         (foo):
1243         (get shouldBe):
1244         (get shouldThrow):
1245         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1246         (shouldThrow):
1247         (shouldBe):
1248         (foo):
1249         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1250         (shouldThrow):
1251         (shouldBe):
1252         (foo):
1253         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1254         (shouldThrow):
1255         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1256         (shouldThrow):
1257         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1258         (shouldThrow):
1259         (shouldBe):
1260         (foo):
1261         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1262         (shouldThrow):
1263         (shouldBe):
1264         (foo):
1265         (get shouldBe):
1266         (get shouldThrow):
1267         (get return):
1268         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1269         (shouldThrow):
1270         (shouldBe):
1271         (foo):
1272         (get shouldBe):
1273         (get shouldThrow):
1274         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1275         (shouldThrow):
1276         (shouldBe):
1277         (foo):
1278         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1279         (shouldThrow):
1280         (shouldBe):
1281         (foo):
1282
1283 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1284
1285         Enable DFG on ARM/Linux again
1286         https://bugs.webkit.org/show_bug.cgi?id=192496
1287
1288         Reviewed by Yusuke Suzuki.
1289
1290         Test wasn't really skipped before moving the line with skip
1291         to the top.
1292
1293         * stress/regress-192717.js:
1294
1295 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1296
1297         Unreviewed, rolling out r239825.
1298         https://bugs.webkit.org/show_bug.cgi?id=193330
1299
1300         Broke tests on armv7/linux bots (Requested by guijemont on
1301         #webkit).
1302
1303         Reverted changeset:
1304
1305         "Enable DFG on ARM/Linux again"
1306         https://bugs.webkit.org/show_bug.cgi?id=192496
1307         https://trac.webkit.org/changeset/239825
1308
1309 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1310
1311         Enable DFG on ARM/Linux again
1312         https://bugs.webkit.org/show_bug.cgi?id=192496
1313
1314         Reviewed by Yusuke Suzuki.
1315
1316         Test wasn't really skipped before moving the line with skip
1317         to the top.
1318
1319         * stress/regress-192717.js:
1320
1321 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1322
1323         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1324         https://bugs.webkit.org/show_bug.cgi?id=193127
1325
1326         Reviewed by Saam Barati.
1327
1328         * stress/array-species-create-should-handle-masquerader.js: Added.
1329         (shouldThrow):
1330         * stress/is-undefined-or-null-builtin.js: Added.
1331         (shouldBe):
1332         (isUndefinedOrNull.vm.createBuiltin):
1333
1334 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1335
1336         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1337         https://bugs.webkit.org/show_bug.cgi?id=193221
1338
1339         Reviewed by Mark Lam.
1340
1341         * stress/put-by-id-flags.js: Added.
1342         (f):
1343         (g):
1344         (numberOfDFGCompiles):
1345
1346 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1347
1348         Baseline version of get_by_id may corrupt metadata
1349         https://bugs.webkit.org/show_bug.cgi?id=193085
1350         <rdar://problem/23453006>
1351
1352         Reviewed by Saam Barati.
1353
1354         * stress/get-by-id-change-mode.js: Added.
1355         (forEach):
1356
1357 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1358
1359         [JSC] Optimize Object.prototype.toString
1360         https://bugs.webkit.org/show_bug.cgi?id=193031
1361
1362         Reviewed by Saam Barati.
1363
1364         * stress/object-tostring-changed-proto.js: Added.
1365         (shouldBe):
1366         (test):
1367         * stress/object-tostring-changed.js: Added.
1368         (shouldBe):
1369         (test):
1370         * stress/object-tostring-misc.js: Added.
1371         (shouldBe):
1372         (test):
1373         (i.switch):
1374         * stress/object-tostring-other.js: Added.
1375         (shouldBe):
1376         (test):
1377         * stress/object-tostring-untyped.js: Added.
1378         (shouldBe):
1379         (test):
1380         (i.switch):
1381
1382 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1383
1384         test262-runner misbehaves when test file YAML has a trailing space
1385         https://bugs.webkit.org/show_bug.cgi?id=193053
1386
1387         Reviewed by Yusuke Suzuki.
1388
1389         * test262/expectations.yaml:
1390         Mark two dozen tests as passing (and correct the output of another).
1391
1392 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1393
1394         Unreviewed, JSTests gardening with memoryLimited
1395
1396         * stress/string-overflow-createError.js:
1397
1398 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1399
1400         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1401         https://bugs.webkit.org/show_bug.cgi?id=193050
1402
1403         Reviewed by Yusuke Suzuki.
1404
1405         * test262.yaml:
1406         * test262/expectations.yaml:
1407         Mark 16 tests as passing.
1408
1409 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1410
1411         [BigInt] Support BigInt in JSON.stringify
1412         https://bugs.webkit.org/show_bug.cgi?id=192624
1413
1414         Reviewed by Saam Barati.
1415
1416         * stress/big-int-json-stringify-to-json.js: Added.
1417         (shouldBe):
1418         (shouldThrow):
1419         (BigInt.prototype.toJSON):
1420         (shouldBe.JSON.stringify):
1421         * stress/big-int-json-stringify.js: Added.
1422         (shouldBe):
1423         (shouldThrow):
1424
1425 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1426
1427         [JSC] Implement "well-formed JSON.stringify" proposal
1428         https://bugs.webkit.org/show_bug.cgi?id=191677
1429
1430         Reviewed by Darin Adler.
1431
1432         * stress/json-surrogate-pair.js: Added.
1433         (shouldBe):
1434         * test262/expectations.yaml:
1435
1436 2018-12-20  Keith Miller  <keith_miller@apple.com>
1437
1438         Add support for globalThis
1439         https://bugs.webkit.org/show_bug.cgi?id=165171
1440
1441         Reviewed by Mark Lam.
1442
1443         * test262/config.yaml:
1444
1445 2018-12-19  Keith Miller  <keith_miller@apple.com>
1446
1447         Update test262 configuration to not run tests dependent on ICU version.
1448         https://bugs.webkit.org/show_bug.cgi?id=192920
1449
1450         Reviewed by Saam Barati.
1451
1452         * test262/expectations.yaml:
1453
1454 2018-12-20  Mark Lam  <mark.lam@apple.com>
1455
1456         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1457         https://bugs.webkit.org/show_bug.cgi?id=192939
1458         <rdar://problem/46869516>
1459
1460         Reviewed by Keith Miller.
1461
1462         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1463
1464 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1465
1466         WTF::String and StringImpl overflow MaxLength
1467         https://bugs.webkit.org/show_bug.cgi?id=192853
1468         <rdar://problem/45726906>
1469
1470         Reviewed by Mark Lam.
1471
1472         * stress/string-16bit-repeat-overflow.js: Added.
1473         (catch):
1474
1475 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1476
1477         Unreviewed follow-up to r192914.
1478
1479         * test262/expectations.yaml:
1480         Add the last 20 missing expectations.
1481
1482 2018-12-19  Keith Miller  <keith_miller@apple.com>
1483
1484         Fix test262 expectations
1485         https://bugs.webkit.org/show_bug.cgi?id=192914
1486
1487         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1488
1489         * test262/expectations.yaml:
1490
1491 2018-12-19  Keith Miller  <keith_miller@apple.com>
1492
1493         Update test262 tests.
1494         https://bugs.webkit.org/show_bug.cgi?id=192907
1495
1496         Rubber stamped by Mark Lam.
1497
1498         * test262/*: Omitted because prepare-changelog crashes.
1499
1500 2018-12-19  Mark Lam  <mark.lam@apple.com>
1501
1502         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1503         https://bugs.webkit.org/show_bug.cgi?id=192464
1504         <rdar://problem/46519455>
1505
1506         Reviewed by Saam Barati.
1507
1508         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1509         microbenchmark.
1510
1511         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1512         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1513
1514 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1515
1516         String overflow in JSC::createError results in ASSERT in WTF::makeString
1517         https://bugs.webkit.org/show_bug.cgi?id=192833
1518         <rdar://problem/45706868>
1519
1520         Reviewed by Mark Lam.
1521
1522         * stress/string-overflow-createError.js: Added.
1523
1524 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1525
1526         Error message for `-x ** y` contains a typo.
1527         https://bugs.webkit.org/show_bug.cgi?id=192832
1528
1529         Reviewed by Saam Barati.
1530
1531         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1532         (assert.assert.return.throws):
1533         * stress/pow-expects-update-expression-on-lhs.js:
1534         (throw.new.Error):
1535         Update test expectations which match against the exact error message.
1536
1537 2018-12-18  Mark Lam  <mark.lam@apple.com>
1538
1539         Gardening: test options fix.
1540         https://bugs.webkit.org/show_bug.cgi?id=192822
1541
1542         Unreviewed.
1543
1544         * stress/json-stringify-string-builder-overflow.js:
1545
1546 2018-12-18  Mark Lam  <mark.lam@apple.com>
1547
1548         JSON.stringify() should throw OOM on StringBuilder overflows.
1549         https://bugs.webkit.org/show_bug.cgi?id=192822
1550         <rdar://problem/46670577>
1551
1552         Reviewed by Saam Barati.
1553
1554         * stress/json-stringify-string-builder-overflow.js: Added.
1555
1556 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1557
1558         Redeclaration of var over let/const/class should be a syntax error.
1559         https://bugs.webkit.org/show_bug.cgi?id=192298
1560
1561         Reviewed by Keith Miller.
1562
1563         * test262.yaml:
1564         * test262/expectations.yaml:
1565         Mark 46 tests as passing.
1566
1567         * stress/block-scope-redeclarations.js:
1568         Add some new tests.
1569
1570         * stress/for-in-invalidate-context-weird-assignments.js:
1571         * stress/for-in-tests.js:
1572         Replace tests for outdated behavior with tests for SyntaxError.
1573
1574         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1575         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1576         Update expectations.
1577
1578 2018-12-18  Mark Lam  <mark.lam@apple.com>
1579
1580         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1581         https://bugs.webkit.org/show_bug.cgi?id=191374
1582         <rdar://problem/46525447>
1583
1584         Reviewed by Yusuke Suzuki.
1585
1586         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1587
1588         * stress/elidable-new-object-roflcopter-then-exit.js:
1589
1590 2018-12-17  Mark Lam  <mark.lam@apple.com>
1591
1592         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1593         https://bugs.webkit.org/show_bug.cgi?id=192019
1594         <rdar://problem/46525456>
1595
1596         Reviewed by Yusuke Suzuki.
1597
1598         The test runs too slow on 32-bit.
1599
1600         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1601
1602 2018-12-17  Mark Lam  <mark.lam@apple.com>
1603
1604         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1605         https://bugs.webkit.org/show_bug.cgi?id=191373
1606         <rdar://problem/46525458>
1607
1608         Reviewed by Yusuke Suzuki.
1609
1610         The test is already slow running with a JIT on 64-bit.  It will always timeout
1611         on 32-bit without a JIT.
1612
1613         * stress/materialize-regexp-cyclic-regexp.js:
1614
1615 2018-12-17  Mark Lam  <mark.lam@apple.com>
1616
1617         Array unshift/shift should not race against the AI in the compiler thread.
1618         https://bugs.webkit.org/show_bug.cgi?id=192795
1619         <rdar://problem/46724263>
1620
1621         Reviewed by Saam Barati.
1622
1623         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1624
1625 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1626
1627         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1628         https://bugs.webkit.org/show_bug.cgi?id=190047
1629
1630         Reviewed by Saam Barati.
1631
1632         * stress/object-keys-cached-zero.js: Added.
1633         (shouldBe):
1634         (test):
1635         * stress/object-keys-changed-attribute.js: Added.
1636         (shouldBe):
1637         (test):
1638         * stress/object-keys-changed-index.js: Added.
1639         (shouldBe):
1640         (test):
1641         * stress/object-keys-changed.js: Added.
1642         (shouldBe):
1643         (test):
1644         * stress/object-keys-indexed-non-cache.js: Added.
1645         (shouldBe):
1646         (test):
1647         * stress/object-keys-overrides-get-property-names.js: Added.
1648         (shouldBe):
1649         (test):
1650         (noInline):
1651
1652 2018-12-17  Mark Lam  <mark.lam@apple.com>
1653
1654         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1655         https://bugs.webkit.org/show_bug.cgi?id=192779
1656         <rdar://problem/46775869>
1657
1658         Reviewed by Saam Barati.
1659
1660         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1661
1662 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1663
1664         Unreviewed test gardening, address a syntax error in a new test.
1665
1666         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1667
1668 2018-12-17  Mark Lam  <mark.lam@apple.com>
1669
1670         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1671         https://bugs.webkit.org/show_bug.cgi?id=192776
1672         <rdar://problem/46772368>
1673
1674         Reviewed by Keith Miller.
1675
1676         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1677
1678 2018-12-17  Mark Lam  <mark.lam@apple.com>
1679
1680         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1681         https://bugs.webkit.org/show_bug.cgi?id=192770
1682         <rdar://problem/46449037>
1683
1684         Reviewed by Keith Miller.
1685
1686         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1687
1688 2018-12-14  Mark Lam  <mark.lam@apple.com>
1689
1690         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1691         https://bugs.webkit.org/show_bug.cgi?id=192717
1692         <rdar://problem/46660677>
1693
1694         Reviewed by Saam Barati.
1695
1696         * stress/regress-192717.js: Added.
1697
1698 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1699
1700         Unreviewed, rolling out r239153, r239154, and r239155.
1701         https://bugs.webkit.org/show_bug.cgi?id=192715
1702
1703         Caused flaky GC-related crashes seen with layout tests
1704         (Requested by ryanhaddad on #webkit).
1705
1706         Reverted changesets:
1707
1708         "[JSC] Optimize Object.keys by caching own keys results in
1709         StructureRareData"
1710         https://bugs.webkit.org/show_bug.cgi?id=190047
1711         https://trac.webkit.org/changeset/239153
1712
1713         "Unreviewed, build fix after r239153"
1714         https://bugs.webkit.org/show_bug.cgi?id=190047
1715         https://trac.webkit.org/changeset/239154
1716
1717         "Unreviewed, build fix after r239153, part 2"
1718         https://bugs.webkit.org/show_bug.cgi?id=190047
1719         https://trac.webkit.org/changeset/239155
1720
1721 2018-12-14  Keith Miller  <keith_miller@apple.com>
1722
1723         Callers of JSString::getIndex should check for OOM exceptions
1724         https://bugs.webkit.org/show_bug.cgi?id=192709
1725
1726         Reviewed by Mark Lam.
1727
1728         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1729
1730 2018-12-13  Mark Lam  <mark.lam@apple.com>
1731
1732         Add a missing exception check.
1733         https://bugs.webkit.org/show_bug.cgi?id=192626
1734         <rdar://problem/46662163>
1735
1736         Reviewed by Keith Miller.
1737
1738         * stress/regress-192626.js: Added.
1739
1740 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1741
1742         [BigInt] Add ValueDiv into DFG
1743         https://bugs.webkit.org/show_bug.cgi?id=186178
1744
1745         Reviewed by Yusuke Suzuki.
1746
1747         * stress/big-int-div-jit-osr.js: Added.
1748         * stress/big-int-div-jit-untyped.js: Added.
1749         * stress/value-div-fixup-int32-big-int.js: Added.
1750
1751 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1752
1753         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1754         https://bugs.webkit.org/show_bug.cgi?id=190047
1755
1756         Reviewed by Keith Miller.
1757
1758         * stress/object-keys-cached-zero.js: Added.
1759         (shouldBe):
1760         (test):
1761         * stress/object-keys-changed-attribute.js: Added.
1762         (shouldBe):
1763         (test):
1764         * stress/object-keys-changed-index.js: Added.
1765         (shouldBe):
1766         (test):
1767         * stress/object-keys-changed.js: Added.
1768         (shouldBe):
1769         (test):
1770         * stress/object-keys-indexed-non-cache.js: Added.
1771         (shouldBe):
1772         (test):
1773         * stress/object-keys-overrides-get-property-names.js: Added.
1774         (shouldBe):
1775         (test):
1776         (noInline):
1777
1778 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1779
1780         [DFG][FTL] Add NewSymbol
1781         https://bugs.webkit.org/show_bug.cgi?id=192620
1782
1783         Reviewed by Saam Barati.
1784
1785         * microbenchmarks/symbol-creation.js: Added.
1786         (test):
1787         * stress/symbol-description-identity.js: Added.
1788         (shouldBe):
1789         (test):
1790         * stress/symbol-identity.js: Added.
1791         (shouldBe):
1792         (test):
1793         * stress/symbol-with-description-throw-error.js: Added.
1794         (shouldBe):
1795         (shouldThrow):
1796         (test):
1797         (object.toString):
1798
1799 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1800
1801         [BigInt] Implement DFG/FTL typeof for BigInt
1802         https://bugs.webkit.org/show_bug.cgi?id=192619
1803
1804         Reviewed by Keith Miller.
1805
1806         * stress/big-int-boolean-proven-type.js: Added.
1807         (assert):
1808         (bool):
1809         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1810         (assert):
1811         (typeOf):
1812         (i.switch):
1813         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1814         (assert):
1815         (typeOf):
1816         * stress/big-int-type-of.js:
1817         (typeOf):
1818         (func):
1819
1820 2018-12-10  Mark Lam  <mark.lam@apple.com>
1821
1822         PropertyAttribute needs a CustomValue bit.
1823         https://bugs.webkit.org/show_bug.cgi?id=191993
1824         <rdar://problem/46264467>
1825
1826         Reviewed by Saam Barati.
1827
1828         * stress/regress-191993.js: Added.
1829
1830 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1831
1832         [BigInt] Add ValueMul into DFG
1833         https://bugs.webkit.org/show_bug.cgi?id=186175
1834
1835         Reviewed by Yusuke Suzuki.
1836
1837         * stress/big-int-mul-jit-osr.js: Added.
1838         * stress/big-int-mul-jit-untyped.js: Added.
1839         * stress/value-mul-fixup-int32-big-int.js: Added.
1840
1841 2018-12-06  Keith Miller  <keith_miller@apple.com>
1842
1843         stress/big-wasm-memory tests failing on 32-bit JSC bot
1844         https://bugs.webkit.org/show_bug.cgi?id=192020
1845
1846         Reviewed by Saam Barati.
1847
1848         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1849         the wasm stress tests if the WebAssembly object does not exist.
1850
1851         * stress/big-wasm-memory-grow-no-max.js:
1852         (test.foo):
1853         (test):
1854         (foo): Deleted.
1855         (catch): Deleted.
1856         * stress/big-wasm-memory-grow.js:
1857         (test.foo):
1858         (test):
1859         (foo): Deleted.
1860         (catch): Deleted.
1861         * stress/big-wasm-memory.js:
1862         (test.foo):
1863         (test):
1864         (foo): Deleted.
1865         (catch): Deleted.
1866
1867 2018-12-05  Mark Lam  <mark.lam@apple.com>
1868
1869         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1870         https://bugs.webkit.org/show_bug.cgi?id=192441
1871         <rdar://problem/46480355>
1872
1873         Reviewed by Saam Barati.
1874
1875         * stress/regress-192441.js: Added.
1876
1877 2018-12-04  Mark Lam  <mark.lam@apple.com>
1878
1879         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1880         https://bugs.webkit.org/show_bug.cgi?id=192386
1881         <rdar://problem/46445516>
1882
1883         Reviewed by Saam Barati.
1884
1885         * stress/regress-192386.js: Added.
1886
1887 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1888
1889         [ESNext][BigInt] Support logic operations
1890         https://bugs.webkit.org/show_bug.cgi?id=179903
1891
1892         Reviewed by Yusuke Suzuki.
1893
1894         * stress/big-int-branch-usage.js: Added.
1895         * stress/big-int-logical-and.js: Added.
1896         * stress/big-int-logical-not.js: Added.
1897         * stress/big-int-logical-or.js: Added.
1898
1899 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1900
1901         Unreviewed, rolling out r238833.
1902
1903         Breaks macOS and iOS debug builds.
1904
1905         Reverted changeset:
1906
1907         "[ESNext][BigInt] Support logic operations"
1908         https://bugs.webkit.org/show_bug.cgi?id=179903
1909         https://trac.webkit.org/changeset/238833
1910
1911 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1912
1913         [ESNext][BigInt] Support logic operations
1914         https://bugs.webkit.org/show_bug.cgi?id=179903
1915
1916         Reviewed by Yusuke Suzuki.
1917
1918         * stress/big-int-branch-usage.js: Added.
1919         * stress/big-int-logical-and.js: Added.
1920         * stress/big-int-logical-not.js: Added.
1921         * stress/big-int-logical-or.js: Added.
1922
1923 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1924
1925         [ESNext][BigInt] Implement support for "<<" and ">>"
1926         https://bugs.webkit.org/show_bug.cgi?id=186233
1927
1928         Reviewed by Yusuke Suzuki.
1929
1930         * stress/big-int-left-shift-general.js: Added.
1931         * stress/big-int-left-shift-range-error.js: Added.
1932         * stress/big-int-left-shift-type-error.js: Added.
1933         * stress/big-int-left-shift-wrapped-value.js: Added.
1934         * stress/big-int-right-shift-general.js: Added.
1935         * stress/big-int-right-shift-type-error.js: Added.
1936         * stress/big-int-right-shift-wrapped-value.js: Added.
1937         * stress/left-shift-to-primitive-precedence.js: Added.
1938         * stress/right-shift-to-primitive-precedence.js: Added.
1939
1940 2018-11-30  Dean Jackson  <dino@apple.com>
1941
1942         Add first-class support for .mjs files in jsc binary
1943         https://bugs.webkit.org/show_bug.cgi?id=192190
1944         <rdar://problem/46375715>
1945
1946         Reviewed by Keith Miller.
1947
1948         * stress/simple-module.mjs: Added.
1949         * stress/simple-script.js: Added.
1950
1951 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1952
1953         [BigInt] Implement ValueBitXor into DFG
1954         https://bugs.webkit.org/show_bug.cgi?id=190264
1955
1956         Reviewed by Yusuke Suzuki.
1957
1958         * stress/big-int-bitwise-xor-jit.js: Added.
1959         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1960         * stress/big-int-bitwise-xor-untyped.js: Added.
1961
1962 2018-11-27  Saam barati  <sbarati@apple.com>
1963
1964         r238510 broke scopes of size zero
1965         https://bugs.webkit.org/show_bug.cgi?id=192033
1966         <rdar://problem/46281734>
1967
1968         Reviewed by Keith Miller.
1969
1970         * stress/r238510-bad-loop.js: Added.
1971         (foo):
1972
1973 2018-11-27  Mark Lam  <mark.lam@apple.com>
1974
1975         [Re-landing] NaNs read from Wasm code needs to be be purified.
1976         https://bugs.webkit.org/show_bug.cgi?id=191056
1977         <rdar://problem/45660341>
1978
1979         Reviewed by Filip Pizlo.
1980
1981         * wasm/regress/regress-191056.js: Added.
1982
1983 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1984
1985         Unreviewed, rolling out r238509.
1986
1987         Causes JSC tests to fail on iOS.
1988
1989         Reverted changeset:
1990
1991         "NaNs read from Wasm code needs to be be purified."
1992         https://bugs.webkit.org/show_bug.cgi?id=191056
1993         https://trac.webkit.org/changeset/238509
1994
1995 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1996
1997         Re-introduce op_bitnot
1998         https://bugs.webkit.org/show_bug.cgi?id=190923
1999
2000         Reviewed by Yusuke Suzuki.
2001
2002         * stress/bit-not-must-generate.js: Added.
2003         * stress/bitwise-not-no-int32.js: Added.
2004
2005 2018-11-26  Saam barati  <sbarati@apple.com>
2006
2007         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2008         https://bugs.webkit.org/show_bug.cgi?id=191956
2009         <rdar://problem/45665806>
2010
2011         Reviewed by Yusuke Suzuki.
2012
2013         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2014         (bar):
2015         (foo):
2016
2017 2018-11-26  Saam barati  <sbarati@apple.com>
2018
2019         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2020         https://bugs.webkit.org/show_bug.cgi?id=191958
2021         <rdar://problem/46221877>
2022
2023         Reviewed by Yusuke Suzuki.
2024
2025         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2026         (x):
2027         (foo):
2028
2029 2018-11-26  Mark Lam  <mark.lam@apple.com>
2030
2031         NaNs read from Wasm code needs to be be purified.
2032         https://bugs.webkit.org/show_bug.cgi?id=191056
2033         <rdar://problem/45660341>
2034
2035         Reviewed by Filip Pizlo.
2036
2037         * wasm/regress/regress-191056.js: Added.
2038
2039 2018-11-26  Michael Saboff  <msaboff@apple.com>
2040
2041         32-bit JSC test failure: stress/regexp-compile-oom.js
2042         https://bugs.webkit.org/show_bug.cgi?id=191375
2043
2044         Reviewed by Mark Lam.
2045
2046         Disabled the test for 32 bit platforms.
2047
2048         * stress/regexp-compile-oom.js:
2049
2050 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2051
2052         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2053         https://bugs.webkit.org/show_bug.cgi?id=191716
2054         <rdar://problem/45723878>
2055
2056         Reviewed by Saam Barati.
2057
2058         * stress/regress-187373.js: Added.
2059         (async.fn):
2060
2061 2018-11-21  Saam barati  <sbarati@apple.com>
2062
2063         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2064         https://bugs.webkit.org/show_bug.cgi?id=191897
2065         <rdar://problem/45871998>
2066
2067         Reviewed by Mark Lam.
2068
2069         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2070         (bar):
2071         (foo):
2072
2073 2018-11-21  Saam barati  <sbarati@apple.com>
2074
2075         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2076         https://bugs.webkit.org/show_bug.cgi?id=191895
2077         <rdar://problem/46167406>
2078
2079         Reviewed by Mark Lam.
2080
2081         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2082         (foo):
2083         (bar):
2084
2085 2018-11-21  Mark Lam  <mark.lam@apple.com>
2086
2087         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2088         https://bugs.webkit.org/show_bug.cgi?id=191776
2089         <rdar://problem/46152851>
2090
2091         Reviewed by Saam Barati.
2092
2093         * stress/big-wasm-memory-grow-no-max.js:
2094         * stress/big-wasm-memory-grow.js:
2095         * stress/big-wasm-memory.js:
2096         - updated these to expect an OutOfMemoryError.
2097
2098         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2099         (Binary.prototype.emit_u8):
2100         (Binary.prototype.emit_u32v):
2101         (Binary.prototype.emit_header):
2102         (Binary.prototype.emit_section):
2103         (Binary):
2104         (WasmModuleBuilder):
2105         (WasmModuleBuilder.prototype.addMemory):
2106         (WasmModuleBuilder.prototype.toArray):
2107         (WasmModuleBuilder.prototype.toBuffer):
2108         (WasmModuleBuilder.prototype.instantiate):
2109         (catch):
2110         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2111         (catch):
2112
2113 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2114
2115         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2116         https://bugs.webkit.org/show_bug.cgi?id=190836
2117
2118         Reviewed by Saam Barati and Yusuke Suzuki.
2119
2120         * stress/big-int-out-of-memory-tests.js: Added.
2121
2122 2018-11-20  Mark Lam  <mark.lam@apple.com>
2123
2124         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2125         https://bugs.webkit.org/show_bug.cgi?id=191856
2126         <rdar://problem/46089992>
2127
2128         Reviewed by Yusuke Suzuki.
2129
2130         * stress/regress-191856.js: Added.
2131         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2132
2133 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2134
2135         Enable JIT on ARM/Linux
2136         https://bugs.webkit.org/show_bug.cgi?id=191548
2137
2138         Reviewed by Yusuke Suzuki.
2139
2140         Disable test on system with limited memory. Program was killed by
2141         the OS before the exception was thrown.
2142
2143         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2144
2145 2018-11-20  Saam barati  <sbarati@apple.com>
2146
2147         Merging an IC variant may lead to the IC status containing overlapping structure sets
2148         https://bugs.webkit.org/show_bug.cgi?id=191869
2149         <rdar://problem/45403453>
2150
2151         Reviewed by Mark Lam.
2152
2153         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2154
2155 2018-11-19  Mark Lam  <mark.lam@apple.com>
2156
2157         globalFuncImportModule() should return a promise when it clears exceptions.
2158         https://bugs.webkit.org/show_bug.cgi?id=191792
2159         <rdar://problem/46090763>
2160
2161         Reviewed by Michael Saboff.
2162
2163         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2164
2165 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2166
2167         Skip new memory-hungry tests on memory limited devices
2168
2169         Unreviewed gardening.
2170
2171         * stress/big-wasm-memory-grow-no-max.js:
2172         * stress/big-wasm-memory-grow.js:
2173         * stress/big-wasm-memory.js:
2174
2175 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2176
2177         Unreviewed, rolling in the rest of r237254
2178         https://bugs.webkit.org/show_bug.cgi?id=190340
2179
2180         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2181         * stress/function-cache-with-parameters-end-position.js: Added.
2182         (shouldBe):
2183         (shouldThrow):
2184         (i.anonymous):
2185         * stress/function-constructor-name.js: Added.
2186         (shouldBe):
2187         (GeneratorFunction):
2188         (AsyncFunction.async):
2189         (AsyncGeneratorFunction.async):
2190         (anonymous):
2191         (async.anonymous):
2192         * test262/expectations.yaml:
2193
2194 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2195
2196         All users of ArrayBuffer should agree on the same max size
2197         https://bugs.webkit.org/show_bug.cgi?id=191771
2198
2199         Reviewed by Mark Lam.
2200
2201         * stress/big-wasm-memory-grow-no-max.js: Added.
2202         (foo):
2203         (catch):
2204         * stress/big-wasm-memory-grow.js: Added.
2205         (foo):
2206         (catch):
2207         * stress/big-wasm-memory.js: Added.
2208         (foo):
2209         (catch):
2210
2211 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2212
2213         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2214         run for each JSC config since they're regression tests for runtime bugs.
2215
2216         * stress/json-stringified-overflow-2.js:
2217         * stress/json-stringified-overflow.js:
2218
2219 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2220
2221         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2222         config since they're regression tests for runtime bugs.
2223
2224         * stress/large-unshift-splice.js:
2225         * stress/regress-185888.js:
2226
2227 2018-11-16  Saam Barati  <sbarati@apple.com>
2228
2229         KnownCellUse should also have SpecCellCheck as its type filter
2230         https://bugs.webkit.org/show_bug.cgi?id=191729
2231         <rdar://problem/45872852>
2232
2233         Reviewed by Filip Pizlo.
2234
2235         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2236         (C):
2237
2238 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2239
2240         Fix assertion failure on BytecodeGenerator::recordOpcode
2241         https://bugs.webkit.org/show_bug.cgi?id=191724
2242         <rdar://problem/45724395>
2243
2244         Reviewed by Saam Barati.
2245
2246         * stress/regress-187373-2.js: Added.
2247         (foo):
2248
2249 2018-11-15  Mark Lam  <mark.lam@apple.com>
2250
2251         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2252         https://bugs.webkit.org/show_bug.cgi?id=191730
2253         <rdar://problem/46048517>
2254
2255         Reviewed by Saam Barati.
2256
2257         * stress/regress-187006.js: Removed.
2258           - this test is invalid because its sole purpose is to test for the non-spec
2259             compliant behavior that we just fixed.
2260
2261         * stress/regress-191730.js: Added.
2262
2263 2018-11-15  Mark Lam  <mark.lam@apple.com>
2264
2265         RegExp operations should not take fast patch if lastIndex is not numeric.
2266         https://bugs.webkit.org/show_bug.cgi?id=191731
2267         <rdar://problem/46017305>
2268
2269         Reviewed by Saam Barati.
2270
2271         * stress/regress-191731.js: Added.
2272
2273 2018-11-13  Saam Barati  <sbarati@apple.com>
2274
2275         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2276         https://bugs.webkit.org/show_bug.cgi?id=191600
2277
2278         Reviewed by Mark Lam.
2279
2280         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2281         (foo):
2282         (test):
2283         (bar):
2284
2285 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2286
2287         Unreviewed, rolling out r238132.
2288
2289         The test added with this change is timing out on Debug JSC
2290         bots.
2291
2292         Reverted changeset:
2293
2294         "[BigInt] JSBigInt::createWithLength should throw when length
2295         is greater than JSBigInt::maxLength"
2296         https://bugs.webkit.org/show_bug.cgi?id=190836
2297         https://trac.webkit.org/changeset/238132
2298
2299 2018-11-13  Mark Lam  <mark.lam@apple.com>
2300
2301         Add OOM detection to StringPrototype's substituteBackreferences().
2302         https://bugs.webkit.org/show_bug.cgi?id=191563
2303         <rdar://problem/45720428>
2304
2305         Reviewed by Saam Barati.
2306
2307         * stress/regress-191563.js: Added.
2308
2309 2018-11-13  Mark Lam  <mark.lam@apple.com>
2310
2311         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2312         https://bugs.webkit.org/show_bug.cgi?id=191579
2313         <rdar://problem/45942472>
2314
2315         Reviewed by Saam Barati.
2316
2317         * stress/regress-191579.js: Added.
2318
2319 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2320
2321         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2322         https://bugs.webkit.org/show_bug.cgi?id=190836
2323
2324         Reviewed by Saam Barati.
2325
2326         * stress/big-int-out-of-memory-tests.js: Added.
2327
2328 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2329
2330         U+180E is no longer a whitespace character
2331         https://bugs.webkit.org/show_bug.cgi?id=191415
2332
2333         Reviewed by Saam Barati.
2334
2335         * ChakraCore/test/es5/regexSpace.baseline:
2336         * ChakraCore/test/es6/unicode_whitespace.js:
2337         Update tests to latest version.
2338         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2339
2340         * test262.yaml:
2341         * test262/config.yaml:
2342         * test262/expectations.yaml:
2343         Update expectations.
2344
2345 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2346
2347         [BigInt] Add support to BigInt into ValueAdd
2348         https://bugs.webkit.org/show_bug.cgi?id=186177
2349
2350         Reviewed by Keith Miller.
2351
2352         * stress/big-int-negate-jit.js:
2353         * stress/value-add-big-int-and-string.js: Added.
2354         * stress/value-add-big-int-prediction-propagation.js: Added.
2355         * stress/value-add-big-int-untyped.js: Added.
2356
2357 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2358
2359         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2360         https://bugs.webkit.org/show_bug.cgi?id=191184
2361
2362         Reviewed by Saam Barati.
2363
2364         Most tests were failing due to timeouts, since they are too slow to
2365         run on CLoop. The exceptions are:
2366
2367         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2368         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2369         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2370         to change the stack size since CLoop requires it to be page aligned.
2371
2372         * microbenchmarks/array-push-1.js:
2373         * microbenchmarks/array-push-2.js:
2374         * microbenchmarks/elidable-new-object-dag.js:
2375         * microbenchmarks/elidable-new-object-roflcopter.js:
2376         * microbenchmarks/elidable-new-object-tree.js:
2377         * microbenchmarks/getter-richards.js:
2378         * microbenchmarks/sinkable-new-object-dag.js:
2379         * microbenchmarks/string-concat-long-convert.js:
2380         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2381         * slowMicrobenchmarks/array-push-3.js:
2382         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2383         * slowMicrobenchmarks/spread-small-array.js:
2384         * slowMicrobenchmarks/undefined-property-access.js:
2385         * stress/activation-sink-default-value-tdz-error.js:
2386         * stress/activation-sink-default-value.js:
2387         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2388         * stress/activation-sink-osrexit-default-value.js:
2389         * stress/activation-sink-osrexit.js:
2390         * stress/activation-sink.js:
2391         * stress/allow-math-ic-b3-code-duplication.js:
2392         * stress/array-push-multiple-int32.js:
2393         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2394         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2395         * stress/arrowfunction-lexical-this-activation-sink.js:
2396         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2397         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2398         * stress/elide-new-object-dag-then-exit.js:
2399         * stress/materialize-regexp-cyclic.js:
2400         * stress/new-regex-inline.js:
2401         * stress/op_add.js:
2402         * stress/op_bitand.js:
2403         * stress/op_bitor.js:
2404         * stress/op_bitxor.js:
2405         * stress/op_div-ConstVar.js:
2406         * stress/op_div-VarConst.js:
2407         * stress/op_div-VarVar.js:
2408         * stress/op_lshift-ConstVar.js:
2409         * stress/op_lshift-VarConst.js:
2410         * stress/op_lshift-VarVar.js:
2411         * stress/op_mod-ConstVar.js:
2412         * stress/op_mod-VarConst.js:
2413         * stress/op_mod-VarVar.js:
2414         * stress/op_mul-ConstVar.js:
2415         * stress/op_mul-VarConst.js:
2416         * stress/op_mul-VarVar.js:
2417         * stress/op_rshift-ConstVar.js:
2418         * stress/op_rshift-VarConst.js:
2419         * stress/op_rshift-VarVar.js:
2420         * stress/op_sub-ConstVar.js:
2421         * stress/op_sub-VarConst.js:
2422         * stress/op_sub-VarVar.js:
2423         * stress/op_urshift-ConstVar.js:
2424         * stress/op_urshift-VarConst.js:
2425         * stress/op_urshift-VarVar.js:
2426         * stress/proxy-get-set-correct-receiver.js:
2427         * stress/regress-179562.js:
2428         * stress/rest-parameter-many-arguments.js:
2429         * stress/sampling-profiler-richards.js:
2430         * stress/splay-flash-access-1ms.js:
2431         * stress/tailCallForwardArguments.js:
2432         * stress/typed-array-get-by-val-profiling.js:
2433         * typeProfiler/getter-richards.js:
2434
2435 2018-11-06  Michael Saboff  <msaboff@apple.com>
2436
2437         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2438         https://bugs.webkit.org/show_bug.cgi?id=191271
2439
2440         Reviewed by Saam Barati.
2441
2442         Added more test cases and made all test cases run with the same deeply recursive stack
2443         instead of finding that same point for each test case.
2444
2445         * stress/regexp-compile-oom.js:
2446         (prototype.runTest):
2447         (recurseAndTest):
2448         (testList.push.new.TestAndExpectedException):
2449
2450 2018-11-05  Michael Saboff  <msaboff@apple.com>
2451
2452         Unreviewed build fix for linux.
2453
2454         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2455
2456 2018-11-02  Michael Saboff  <msaboff@apple.com>
2457
2458         Rolling in r237753 with unreviewed build fix.
2459
2460         Fixed issues with DECLARE_THROW_SCOPE placement.
2461
2462 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2463
2464         Unreviewed, rolling out r237753.
2465
2466         Introduced JSC test failures
2467
2468         Reverted changeset:
2469
2470         "Running out of stack space not properly handled in
2471         RegExp::compile() and its callers"
2472         https://bugs.webkit.org/show_bug.cgi?id=191206
2473         https://trac.webkit.org/changeset/237753
2474
2475 2018-11-02  Michael Saboff  <msaboff@apple.com>
2476
2477         Running out of stack space not properly handled in RegExp::compile() and its callers
2478         https://bugs.webkit.org/show_bug.cgi?id=191206
2479
2480         Reviewed by Filip Pizlo.
2481
2482         New regression test.
2483
2484         * stress/regexp-compile-oom.js: Added.
2485         (recurseAndTest):
2486
2487 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2488
2489         Skip tests on arm/mips that time out now we're running on CLoop
2490
2491         Unreviewed gardening.
2492
2493         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2494         time out on the bots and need to be disabled. There's more tests
2495         disabled on arm because the timeout is longer on the mips bot (as the
2496         device is slower to start with), so many of the tests don't time out
2497         there.
2498
2499         * microbenchmarks/getter-richards.js: disable on arm and mips.
2500         * stress/op_add.js: disable on arm.
2501         * stress/op_bitand.js: disable on arm.
2502         * stress/op_bitor.js: disable on arm.
2503         * stress/op_bitxor.js: disable on arm.
2504         * stress/op_lshift-ConstVar.js: disable on arm.
2505         * stress/op_lshift-VarConst.js: disable on arm.
2506         * stress/op_lshift-VarVar.js: disable on arm.
2507         * stress/op_mod-ConstVar.js: disable on arm.
2508         * stress/op_mod-VarConst.js: disable on arm.
2509         * stress/op_mod-VarVar.js: disable on arm.
2510         * stress/op_mul-ConstVar.js: disable on arm.
2511         * stress/op_mul-VarConst.js: disable on arm.
2512         * stress/op_mul-VarVar.js: disable on arm.
2513         * stress/op_rshift-ConstVar.js: disable on arm.
2514         * stress/op_rshift-VarConst.js: disable on arm.
2515         * stress/op_rshift-VarVar.js: disable on arm.
2516         * stress/op_sub-ConstVar.js: disable on arm.
2517         * stress/op_sub-VarConst.js: disable on arm.
2518         * stress/op_sub-VarVar.js: disable on arm.
2519         * stress/op_urshift-ConstVar.js: disable on arm.
2520         * stress/op_urshift-VarConst.js: disable on arm.
2521         * stress/op_urshift-VarVar.js: disable on arm.
2522         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2523         * stress/value-to-boolean.js: disable on arm and mips.
2524
2525 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2526
2527         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2528         https://bugs.webkit.org/show_bug.cgi?id=191108
2529         <rdar://problem/45690700>
2530
2531         Reviewed by Saam Barati.
2532
2533         * stress/wide-op_catch.js: Added.
2534         (catch):
2535
2536 2018-10-29  Mark Lam  <mark.lam@apple.com>
2537
2538         Correctly detect string overflow when using the 'Function' constructor.
2539         https://bugs.webkit.org/show_bug.cgi?id=184883
2540         <rdar://problem/36320331>
2541
2542         Reviewed by Saam Barati.
2543
2544         I've verified that this passes on 32-bit as well.
2545
2546         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2547
2548 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2549
2550         Add support for GetStack FlushedDouble
2551         https://bugs.webkit.org/show_bug.cgi?id=191012
2552         <rdar://problem/45265141>
2553
2554         Reviewed by Saam Barati.
2555
2556         * stress/get-stack-double.js: Added.
2557         (bar):
2558         (noInline):
2559
2560 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2561
2562         New bytecode format for JSC
2563         https://bugs.webkit.org/show_bug.cgi?id=187373
2564         <rdar://problem/44186758>
2565
2566         Reviewed by Filip Pizlo.
2567
2568         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2569
2570         * stress/maximum-inline-capacity.js: Added.
2571         (test1):
2572         (test3.Foo):
2573         (test3):
2574
2575 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2576
2577         Unreviewed, rolling out r237479 and r237484.
2578         https://bugs.webkit.org/show_bug.cgi?id=190978
2579
2580         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2581
2582         Reverted changesets:
2583
2584         "New bytecode format for JSC"
2585         https://bugs.webkit.org/show_bug.cgi?id=187373
2586         https://trac.webkit.org/changeset/237479
2587
2588         "Gardening: Build fix after r237479."
2589         https://bugs.webkit.org/show_bug.cgi?id=187373
2590         https://trac.webkit.org/changeset/237484
2591
2592 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2593
2594         New bytecode format for JSC
2595         https://bugs.webkit.org/show_bug.cgi?id=187373
2596         <rdar://problem/44186758>
2597
2598         Reviewed by Filip Pizlo.
2599
2600         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2601
2602         * stress/maximum-inline-capacity.js: Added.
2603         (test1):
2604         (test3.Foo):
2605         (test3):
2606
2607 2018-10-26  Mark Lam  <mark.lam@apple.com>
2608
2609         Fix missing edge cases with JSGlobalObjects having a bad time.
2610         https://bugs.webkit.org/show_bug.cgi?id=189028
2611         <rdar://problem/45204939>
2612
2613         Reviewed by Saam Barati.
2614
2615         * stress/regress-189028.js: Added.
2616
2617 2018-10-22  Mark Lam  <mark.lam@apple.com>
2618
2619         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2620         https://bugs.webkit.org/show_bug.cgi?id=190515
2621         <rdar://problem/45222379>
2622
2623         Rubber-stamped by Saam Barati.
2624
2625         Adding another test.
2626
2627         * stress/regress-190515-2.js: Added.
2628
2629 2018-10-22  Mark Lam  <mark.lam@apple.com>
2630
2631         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2632         https://bugs.webkit.org/show_bug.cgi?id=190515
2633         <rdar://problem/45222379>
2634
2635         Reviewed by Saam Barati.
2636
2637         * stress/regress-190515.js: Added.
2638
2639 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2640
2641         Unreviewed, rolling out r237254.
2642         https://bugs.webkit.org/show_bug.cgi?id=190760
2643
2644         "It regresses JetStream 2 by 5% on some iOS devices"
2645         (Requested by saamyjoon on #webkit).
2646
2647         Reverted changeset:
2648
2649         "[JSC] JSC should have "parseFunction" to optimize Function
2650         constructor"
2651         https://bugs.webkit.org/show_bug.cgi?id=190340
2652         https://trac.webkit.org/changeset/237254
2653
2654 2018-10-19  Saam Barati  <sbarati@apple.com>
2655
2656         vmCall should check if we exit before emitting an OSR exit due to exceptions
2657         https://bugs.webkit.org/show_bug.cgi?id=190740
2658         <rdar://problem/45220139>
2659
2660         Reviewed by Mark Lam.
2661
2662         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2663         (foo):
2664
2665 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2666
2667         [ESNext][BigInt] Implement support for "^"
2668         https://bugs.webkit.org/show_bug.cgi?id=186235
2669
2670         Reviewed by Yusuke Suzuki.
2671
2672         * stress/big-int-bitwise-xor-general.js: Added.
2673         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2674         * stress/big-int-bitwise-xor-type-error.js: Added.
2675         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2676
2677 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2678
2679         [BigInt] Add ValueSub into DFG
2680         https://bugs.webkit.org/show_bug.cgi?id=186176
2681
2682         Reviewed by Yusuke Suzuki.
2683
2684         * stress/big-int-subtraction-jit.js:
2685         * stress/value-sub-big-int-prediction-propagation.js: Added.
2686         * stress/value-sub-big-int-untyped.js: Added.
2687         * stress/value-sub-spec-none-case.js: Added.
2688
2689 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2690
2691         [JSC] JSC should have "parseFunction" to optimize Function constructor
2692         https://bugs.webkit.org/show_bug.cgi?id=190340
2693
2694         Reviewed by Mark Lam.
2695
2696         This patch fixes the line number of syntax errors raised by the Function constructor,
2697         since we now parse the final code only once. And we no longer use block statement
2698         for Function constructor's parsing.
2699
2700         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2701         * stress/function-cache-with-parameters-end-position.js: Added.
2702         (shouldBe):
2703         (shouldThrow):
2704         (i.anonymous):
2705         * stress/function-constructor-name.js: Added.
2706         (shouldBe):
2707         (GeneratorFunction):
2708         (AsyncFunction.async):
2709         (AsyncGeneratorFunction.async):
2710         (anonymous):
2711         (async.anonymous):
2712         * test262/expectations.yaml:
2713
2714 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2715
2716         Unreviewed, rolling out r237242.
2717         https://bugs.webkit.org/show_bug.cgi?id=190701
2718
2719         it breaks "stress/sampling-profiler-basic.js" (Requested by
2720         caiolima on #webkit).
2721
2722         Reverted changeset:
2723
2724         "[BigInt] Add ValueSub into DFG"
2725         https://bugs.webkit.org/show_bug.cgi?id=186176
2726         https://trac.webkit.org/changeset/237242
2727
2728 2018-10-17  Keith Miller  <keith_miller@apple.com>
2729
2730         AI does not clear Phantom allocation nodes.
2731         https://bugs.webkit.org/show_bug.cgi?id=190694
2732
2733         Reviewed by Saam Barati.
2734
2735         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2736         (Day):
2737         (DaysInYear):
2738         (TimeInYear):
2739         (TimeFromYear):
2740         (DayFromYear):
2741         (InLeapYear):
2742         (YearFromTime):
2743         (WeekDay):
2744         (DaylightSavingTA):
2745         (GetSecondSundayInMarch):
2746         (TimeInMonth):
2747
2748 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2749
2750         [BigInt] Add ValueSub into DFG
2751         https://bugs.webkit.org/show_bug.cgi?id=186176
2752
2753         Reviewed by Yusuke Suzuki.
2754
2755         * stress/big-int-subtraction-jit.js:
2756         * stress/value-sub-big-int-prediction-propagation.js: Added.
2757         * stress/value-sub-big-int-untyped.js: Added.
2758
2759 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2760
2761         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2762         https://bugs.webkit.org/show_bug.cgi?id=190611
2763
2764         Reviewed by Saam Barati.
2765
2766         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2767         to improve test runtime. On ARM/MIPS this test even timed out when running all
2768         tests.
2769
2770         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2771         (test):
2772
2773 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2774
2775         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2776
2777         Unreviewed gardening.
2778
2779         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2780
2781 2018-10-15  Saam barati  <sbarati@apple.com>
2782
2783         Emit fjcvtzs on ARM64E on Darwin
2784         https://bugs.webkit.org/show_bug.cgi?id=184023
2785
2786         Reviewed by Yusuke Suzuki and Filip Pizlo.
2787
2788         * stress/double-to-int32-NaN.js: Added.
2789         (assert):
2790         (foo):
2791
2792 2018-10-15  Saam Barati  <sbarati@apple.com>
2793
2794         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2795         https://bugs.webkit.org/show_bug.cgi?id=190262
2796         <rdar://problem/44986241>
2797
2798         Reviewed by Mark Lam.
2799
2800         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2801         (test):
2802         * stress/slice-array-storage-with-holes.js: Added.
2803         (main):
2804
2805 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2806
2807         Unreviewed, rolling out r237054.
2808         https://bugs.webkit.org/show_bug.cgi?id=190593
2809
2810         "this regressed JetStream 2 by 6% on iOS" (Requested by
2811         saamyjoon on #webkit).
2812
2813         Reverted changeset:
2814
2815         "[JSC] JSC should have "parseFunction" to optimize Function
2816         constructor"
2817         https://bugs.webkit.org/show_bug.cgi?id=190340
2818         https://trac.webkit.org/changeset/237054
2819
2820 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2821
2822         [JSC] JSON.stringify can accept call-with-no-arguments
2823         https://bugs.webkit.org/show_bug.cgi?id=190343
2824
2825         Reviewed by Mark Lam.
2826
2827         * stress/json-stringify-no-arguments.js: Added.
2828         (shouldBe):
2829
2830 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2831
2832         [JSC] JSC should have "parseFunction" to optimize Function constructor
2833         https://bugs.webkit.org/show_bug.cgi?id=190340
2834
2835         Reviewed by Mark Lam.
2836
2837         This patch fixes the line number of syntax errors raised by the Function constructor,
2838         since we now parse the final code only once. And we no longer use block statement
2839         for Function constructor's parsing.
2840
2841         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2842         * stress/function-cache-with-parameters-end-position.js: Added.
2843         (shouldBe):
2844         (shouldThrow):
2845         (i.anonymous):
2846         * stress/function-constructor-name.js: Added.
2847         (shouldBe):
2848         (GeneratorFunction):
2849         (AsyncFunction.async):
2850         (AsyncGeneratorFunction.async):
2851         (anonymous):
2852         (async.anonymous):
2853         * test262/expectations.yaml:
2854
2855 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2856
2857         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2858         https://bugs.webkit.org/show_bug.cgi?id=190426
2859
2860         Unreviewed gardening.
2861
2862         * stress/sampling-profiler-richards.js:
2863
2864 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2865
2866         [ESNext][BigInt] Implement support for "|"
2867         https://bugs.webkit.org/show_bug.cgi?id=186229
2868
2869         Reviewed by Yusuke Suzuki.
2870
2871         * stress/big-int-bitwise-and-jit.js:
2872         * stress/big-int-bitwise-or-general.js: Added.
2873         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2874         * stress/big-int-bitwise-or-jit.js: Added.
2875         * stress/big-int-bitwise-or-memory-stress.js: Added.
2876         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2877         * stress/big-int-bitwise-or-type-error.js: Added.
2878         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2879
2880 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2881
2882         Skip test on systems with limited memory
2883         https://bugs.webkit.org/show_bug.cgi?id=190310
2884
2885         Invoking runDefault adds test to runlist, skipping the test in the next
2886         line does not prevent the test from executing. Change order of lines such
2887         that runDefault is only executed if test is not executed.
2888
2889         Reviewed by Mark Lam.
2890
2891         * stress/regress-190187.js:
2892
2893 2018-10-03  Saam barati  <sbarati@apple.com>
2894
2895         lowXYZ in FTLLower should always filter the type of the incoming edge
2896         https://bugs.webkit.org/show_bug.cgi?id=189939
2897         <rdar://problem/44407030>
2898
2899         Reviewed by Michael Saboff.
2900
2901         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2902         (foo):
2903         (test):
2904
2905 2018-10-03  Mark Lam  <mark.lam@apple.com>
2906
2907         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2908         https://bugs.webkit.org/show_bug.cgi?id=190187
2909         <rdar://problem/42512909>
2910
2911         Reviewed by Michael Saboff.
2912
2913         * stress/regress-190187.js: Added.
2914
2915 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2916
2917         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2918         https://bugs.webkit.org/show_bug.cgi?id=190033
2919
2920         Reviewed by Yusuke Suzuki.
2921
2922         * stress/big-int-to-string.js:
2923
2924 2018-10-01  Mark Lam  <mark.lam@apple.com>
2925
2926         Function.toString() should also copy the source code Functions that are class definitions.
2927         https://bugs.webkit.org/show_bug.cgi?id=190186
2928         <rdar://problem/44733360>
2929
2930         Reviewed by Saam Barati.
2931
2932         * stress/regress-190186.js: Added.
2933
2934 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2935
2936         Split NaN-check into separate test
2937         https://bugs.webkit.org/show_bug.cgi?id=190010
2938
2939         Reviewed by Saam Barati.
2940
2941         DataView exposes NaN-representation, which is not necessarily the same on each
2942         architecture. Therefore move the check of the NaN-representation into its own
2943         file such that we can disable this test on MIPS where NaN-representation can be
2944         different on older CPUs.
2945
2946         * stress/dataview-jit-set-nan.js: Added.
2947         (assert):
2948         (test.storeLittleEndian):
2949         (test.storeBigEndian):
2950         (test.store):
2951         (test):
2952         * stress/dataview-jit-set.js:
2953         (test5):
2954
2955 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2956
2957         Unreviewed, rolling out r236647.
2958         https://bugs.webkit.org/show_bug.cgi?id=190124
2959
2960         Breaking test stress/big-int-to-string.js (Requested by
2961         caiolima_ on #webkit).
2962
2963         Reverted changeset:
2964
2965         "[BigInt] BigInt.proptotype.toString is broken when radix is
2966         power of 2"
2967         https://bugs.webkit.org/show_bug.cgi?id=190033
2968         https://trac.webkit.org/changeset/236647
2969
2970 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2971
2972         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2973         https://bugs.webkit.org/show_bug.cgi?id=190033
2974
2975         Reviewed by Yusuke Suzuki.
2976
2977         * stress/big-int-to-string.js:
2978
2979 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2980
2981         [ESNext][BigInt] Implement support for "&"
2982         https://bugs.webkit.org/show_bug.cgi?id=186228
2983
2984         Reviewed by Yusuke Suzuki.
2985
2986         * stress/big-int-bitwise-and-general.js: Added.
2987         (assert):
2988         (assert.sameValue):
2989         * stress/big-int-bitwise-and-jit.js: Added.
2990         (let.assert.sameValue):
2991         (bigIntBitAnd):
2992         * stress/big-int-bitwise-and-memory-stress.js: Added.
2993         (assert):
2994         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2995         (assert.sameValue):
2996         (let.o.Symbol.toPrimitive):
2997         (catch):
2998         * stress/big-int-bitwise-and-type-error.js: Added.
2999         (assert):
3000         (assertThrowTypeError):
3001         (let.o.valueOf):
3002         (o.valueOf):
3003         (o.toString):
3004         (o.Symbol.toPrimitive):
3005         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3006         (assert.sameValue):
3007         (testBitAnd):
3008         (let.o.Symbol.toPrimitive):
3009         (o.valueOf):
3010         (o.toString):
3011
3012 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3013
3014         JSC test stress/jsc-read.js doesn't support CRLF
3015         https://bugs.webkit.org/show_bug.cgi?id=190063
3016
3017         Reviewed by Yusuke Suzuki.
3018
3019         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3020
3021         * stress/jsc-read.js:
3022         (test):
3023
3024 2018-09-27  Saam barati  <sbarati@apple.com>
3025
3026         Verify the contents of AssemblerBuffer on arm64e
3027         https://bugs.webkit.org/show_bug.cgi?id=190057
3028         <rdar://problem/38916630>
3029
3030         Reviewed by Mark Lam.
3031
3032         * stress/regress-189132.js:
3033
3034 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3035
3036         Disable test without LLInt on ARMv7
3037         https://bugs.webkit.org/show_bug.cgi?id=190037
3038
3039         Reviewed by Mark Lam.
3040
3041         Test runs out of executable memory on ARMv7, do not run
3042         this test without LLInt enabled.
3043
3044         * stress/regress-169445.js:
3045
3046 2018-09-26  Keith Miller  <keith_miller@apple.com>
3047
3048         We should zero unused property storage when rebalancing array storage.
3049         https://bugs.webkit.org/show_bug.cgi?id=188151
3050
3051         Reviewed by Michael Saboff.
3052
3053         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3054
3055 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3056
3057         [JSC] Optimize Array#lastIndexOf
3058         https://bugs.webkit.org/show_bug.cgi?id=189780
3059
3060         Reviewed by Saam Barati.
3061
3062         * stress/array-lastindexof-array-prototype-trap.js: Added.
3063         (shouldBe):
3064         (AncestorArray.prototype.get 2):
3065         (AncestorArray):
3066         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3067         (shouldBe):
3068         * stress/array-lastindexof-hole-nan.js: Added.
3069         (shouldBe):
3070         (throw.new.Error):
3071         * stress/array-lastindexof-infinity.js: Added.
3072         (shouldBe):
3073         (throw.new.Error):
3074         * stress/array-lastindexof-negative-zero.js: Added.
3075         (shouldBe):
3076         (throw.new.Error):
3077         * stress/array-lastindexof-own-getter.js: Added.
3078         (shouldBe):
3079         (throw.new.Error.get array):
3080         (get array):
3081         * stress/array-lastindexof-prototype-trap.js: Added.
3082         (shouldBe):
3083         (DerivedArray.prototype.get 2):
3084         (DerivedArray):
3085
3086 2018-09-25  Saam Barati  <sbarati@apple.com>
3087
3088         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3089         https://bugs.webkit.org/show_bug.cgi?id=189940
3090         <rdar://problem/43640987>
3091
3092         Reviewed by Mark Lam.
3093
3094         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3095
3096 2018-09-24  Saam Barati  <sbarati@apple.com>
3097
3098         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3099         https://bugs.webkit.org/show_bug.cgi?id=189922
3100         <rdar://problem/44651275>
3101
3102         Reviewed by Mark Lam.
3103
3104         * stress/array-indexof-fast-path-effects.js: Added.
3105         * stress/array-indexof-cached-length.js: Added.
3106
3107 2018-09-24  Saam barati  <sbarati@apple.com>
3108
3109         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3110         https://bugs.webkit.org/show_bug.cgi?id=189682
3111         <rdar://problem/43557315>
3112
3113         Reviewed by Mark Lam.
3114
3115         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3116         (foo):
3117
3118 2018-09-22  Saam barati  <sbarati@apple.com>
3119
3120         The sampling should not use Strong<CodeBlock> in its machineLocation field
3121         https://bugs.webkit.org/show_bug.cgi?id=189319
3122
3123         Reviewed by Filip Pizlo.
3124
3125         * stress/sampling-profiler-richards.js: Added.
3126
3127 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3128
3129         [JSC] Optimize Array#indexOf in C++ runtime
3130         https://bugs.webkit.org/show_bug.cgi?id=189507
3131
3132         Reviewed by Saam Barati.
3133
3134         * stress/array-indexof-array-prototype-trap.js: Added.
3135         (shouldBe):
3136         (AncestorArray.prototype.get 2):
3137         (AncestorArray):
3138         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3139         (shouldBe):
3140         * stress/array-indexof-hole-nan.js: Added.
3141         (shouldBe):
3142         (throw.new.Error):
3143         * stress/array-indexof-infinity.js: Added.
3144         (shouldBe):
3145         (throw.new.Error):
3146         * stress/array-indexof-negative-zero.js: Added.
3147         (shouldBe):
3148         (throw.new.Error):
3149         * stress/array-indexof-own-getter.js: Added.
3150         (shouldBe):
3151         (throw.new.Error.get array):
3152         (get array):
3153         * stress/array-indexof-prototype-trap.js: Added.
3154         (shouldBe):
3155         (DerivedArray.prototype.get 2):
3156         (DerivedArray):
3157
3158 2018-09-19  Saam barati  <sbarati@apple.com>
3159
3160         AI rule for MultiPutByOffset executes its effects in the wrong order
3161         https://bugs.webkit.org/show_bug.cgi?id=189757
3162         <rdar://problem/43535257>
3163
3164         Reviewed by Michael Saboff.
3165
3166         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3167         (foo):
3168         (Foo):
3169         (g):
3170
3171 2018-09-17  Mark Lam  <mark.lam@apple.com>
3172
3173         Ensure that ForInContexts are invalidated if their loop local is over-written.
3174         https://bugs.webkit.org/show_bug.cgi?id=189571
3175         <rdar://problem/44402277>
3176
3177         Reviewed by Saam Barati.
3178
3179         * stress/regress-189571.js: Added.
3180
3181 2018-09-17  Saam barati  <sbarati@apple.com>
3182
3183         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3184         https://bugs.webkit.org/show_bug.cgi?id=189676
3185         <rdar://problem/39682897>
3186
3187         Reviewed by Michael Saboff.
3188
3189         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3190         (A):
3191         (K):
3192         (i.catch):
3193
3194 2018-09-14  Saam barati  <sbarati@apple.com>
3195
3196         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3197         https://bugs.webkit.org/show_bug.cgi?id=189628
3198         <rdar://problem/39481690>
3199
3200         Reviewed by Mark Lam.
3201
3202         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3203         (foo):
3204
3205 2018-09-11  Mark Lam  <mark.lam@apple.com>
3206
3207         Test for array initialization in arrayProtoFuncSplice.
3208         https://bugs.webkit.org/show_bug.cgi?id=170253
3209         <rdar://problem/31328773>
3210
3211         Rubber-stamped by Saam Barati.
3212
3213         * stress/regress-170253.js: Added.
3214
3215 2018-09-11  Mark Lam  <mark.lam@apple.com>
3216
3217         Test for IntlObject initialization.
3218         https://bugs.webkit.org/show_bug.cgi?id=170251
3219         <rdar://problem/31328419>
3220
3221         Rubber-stamped by Saam Barati.
3222
3223         * stress/regress-170251.js: Added.
3224
3225 2018-09-11  Mark Lam  <mark.lam@apple.com>
3226
3227         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3228         https://bugs.webkit.org/show_bug.cgi?id=169889
3229         <rdar://problem/31155607>
3230
3231         Reviewed by Saam Barati.
3232
3233         * stress/regress-169889-array-concat.js: Added.
3234         * stress/regress-169889-array-concat1.js: Added.
3235         * stress/regress-169889-array-slice.js: Added.
3236
3237 2018-09-11  Mark Lam  <mark.lam@apple.com>
3238
3239         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3240         https://bugs.webkit.org/show_bug.cgi?id=169445
3241         <rdar://problem/30957435>
3242
3243         Reviewed by Saam Barati.
3244
3245         * stress/regress-169445.js: Added.
3246         (let.gun.eval.A):
3247         (let.gun.eval.B.C):
3248         (let.gun.eval.B.C.prototype.trigger):
3249         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3250         (let.gun.eval.B):
3251         (let.gun.eval):
3252
3253 == Rolled over to ChangeLog-2018-09-11 ==