[JSC] AI should not propagate AbstractValue relying on constant folding phase
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] AI should not propagate AbstractValue relying on constant folding phase
4         https://bugs.webkit.org/show_bug.cgi?id=195375
5
6         Reviewed by Saam Barati.
7
8         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
9         (let.array):
10
11 2019-03-05  Saam barati  <sbarati@apple.com>
12
13         op_switch_char broken for rope strings after JSRopeString layout rewrite
14         https://bugs.webkit.org/show_bug.cgi?id=195339
15         <rdar://problem/48592545>
16
17         Reviewed by Yusuke Suzuki.
18
19         * stress/switch-on-char-llint-rope.js: Added.
20
21 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
22
23         [JSC] Store bits for JSRopeString in 3 stores
24         https://bugs.webkit.org/show_bug.cgi?id=195234
25
26         Reviewed by Saam Barati.
27
28         * stress/null-rope-and-collectors.js: Added.
29
30 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
31
32         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
33         https://bugs.webkit.org/show_bug.cgi?id=195207
34
35         Unreviewed. After test runtime was reduced in r242213, test can be
36         run again on ARM/MIPS.
37
38         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
39
40 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
41
42         [JSC] sizeof(JSString) should be 16
43         https://bugs.webkit.org/show_bug.cgi?id=194375
44
45         Reviewed by Saam Barati.
46
47         * microbenchmarks/make-rope.js: Added.
48         (makeRope):
49         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
50         (returnRope.helper): Deleted.
51         (returnRope): Deleted.
52
53 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
54
55         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
56         https://bugs.webkit.org/show_bug.cgi?id=195144
57
58         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
59         Change the number from 1e8 to 1e5.
60
61         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
62         (foo):
63
64 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
65
66         Test times out on ARM/MIPS
67         https://bugs.webkit.org/show_bug.cgi?id=195168
68
69         Unreviewed. Skip test on ARM/MIPS.
70
71         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
72
73 2019-02-27  Mark Lam  <mark.lam@apple.com>
74
75         The parser is failing to record the token location of new in new.target.
76         https://bugs.webkit.org/show_bug.cgi?id=195127
77         <rdar://problem/39645578>
78
79         Reviewed by Yusuke Suzuki.
80
81         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
82
83 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
84
85         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
86         https://bugs.webkit.org/show_bug.cgi?id=195144
87         <rdar://problem/47595961>
88
89         Reviewed by Mark Lam.
90
91         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
92         (bar):
93         (foo):
94         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
95         (bar):
96         (foo):
97
98 2019-02-27  Robin Morisset  <rmorisset@apple.com>
99
100         DFG: Loop-invariant code motion (LICM) should not hoist dead code
101         https://bugs.webkit.org/show_bug.cgi?id=194945
102         <rdar://problem/48311657>
103
104         Reviewed by Mark Lam.
105
106         * stress/licm-dead-code.js: Added.
107
108 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
109
110         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
111         https://bugs.webkit.org/show_bug.cgi?id=194677
112         <rdar://problem/48112492>
113
114         Reviewed by Mark Lam.
115
116         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
117         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
118         it immediately fails due the large size.
119
120         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
121         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
122         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
123         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
124
125         This patch changes the test to produce 16bit string from String.fromCharCode.
126
127         * stress/regress-178386.js:
128
129 2019-02-26  Mark Lam  <mark.lam@apple.com>
130
131         wasmToJS() should purify incoming NaNs.
132         https://bugs.webkit.org/show_bug.cgi?id=194807
133         <rdar://problem/48189132>
134
135         Reviewed by Saam Barati.
136
137         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
138
139 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
140
141         [JSC] Repeat string created from Array.prototype.join() take too much memory
142         https://bugs.webkit.org/show_bug.cgi?id=193912
143
144         Reviewed by Saam Barati.
145
146         Added a test and a microbenchmark for corner cases of
147         Array.prototype.join() with an uninitialized array.
148
149         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
150         * stress/array-prototype-join-uninitialized.js: Added.
151         (testArray):
152         (testABC):
153         (B):
154         (C):
155
156 2019-02-22  Robin Morisset  <rmorisset@apple.com>
157
158         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
159         https://bugs.webkit.org/show_bug.cgi?id=194953
160         <rdar://problem/47595253>
161
162         Reviewed by Saam Barati.
163
164         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
165
166         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
167
168 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
169
170         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
171         https://bugs.webkit.org/show_bug.cgi?id=172848
172         <rdar://problem/25709212>
173
174         Reviewed by Mark Lam.
175
176         * typeProfiler/inheritance.js:
177         Rewrite the test slightly for clarity. The hoisting was confusing.
178
179         * heapProfiler/class-names.js: Added.
180         (MyES5Class):
181         (MyES6Class):
182         (MyES6Subclass):
183         Test object types and improved class names.
184
185         * heapProfiler/driver/driver.js:
186         (CheapHeapSnapshotNode):
187         (CheapHeapSnapshot):
188         (createCheapHeapSnapshot):
189         (HeapSnapshot):
190         (createHeapSnapshot):
191         Update snapshot parsing from version 1 to version 2.
192
193 2019-02-19  Truitt Savell  <tsavell@apple.com>
194
195         Unreviewed, rolling out r241784.
196
197         Broke all OpenSource builds.
198
199         Reverted changeset:
200
201         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
202         instances view"
203         https://bugs.webkit.org/show_bug.cgi?id=172848
204         https://trac.webkit.org/changeset/241784
205
206 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
207
208         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
209         https://bugs.webkit.org/show_bug.cgi?id=172848
210         <rdar://problem/25709212>
211
212         Reviewed by Mark Lam.
213
214         * typeProfiler/inheritance.js:
215         Rewrite the test slightly for clarity. The hoisting was confusing.
216
217         * heapProfiler/class-names.js: Added.
218         (MyES5Class):
219         (MyES6Class):
220         (MyES6Subclass):
221         Test object types and improved class names.
222
223         * heapProfiler/driver/driver.js:
224         (CheapHeapSnapshotNode):
225         (CheapHeapSnapshot):
226         (createCheapHeapSnapshot):
227         (HeapSnapshot):
228         (createHeapSnapshot):
229         Update snapshot parsing from version 1 to version 2.
230
231 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
232
233         [ARM] Fix crash with sampling profiler
234         https://bugs.webkit.org/show_bug.cgi?id=194772
235
236         Reviewed by Mark Lam.
237
238         Do not skip test since crash with sampling profiler is now fixed.
239
240         * stress/sampling-profiler-richards.js:
241
242 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
243
244         [JSC] Add LazyClassStructure::getInitializedOnMainThread
245         https://bugs.webkit.org/show_bug.cgi?id=194784
246         <rdar://problem/48154820>
247
248         Reviewed by Mark Lam.
249
250         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
251         (getProperties):
252         (getRandomProperty):
253         (i.catch):
254
255 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
256
257         [ARM] Test gardening: Test running out of executable memory
258         https://bugs.webkit.org/show_bug.cgi?id=194771
259
260         Unreviewed. Do not run test without LLInt, test is running out of executable
261         memory on ARM otherwise.
262
263         * stress/tagged-template-object-collect.js:
264
265 2019-02-18  Tomas Popela  <tpopela@redhat.com>
266
267         Unreviewed, skip the test on platforms without sampling profiler
268
269         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
270         (platformSupportsSamplingProfiler.foo):
271         (platformSupportsSamplingProfiler.test):
272         (platformSupportsSamplingProfiler):
273         (foo): Deleted.
274         (test): Deleted.
275
276 2019-02-17  Saam Barati  <sbarati@apple.com>
277
278         Deadlock when adding a Structure property transition and then doing incremental marking
279         https://bugs.webkit.org/show_bug.cgi?id=194767
280
281         Reviewed by Mark Lam.
282
283         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
284
285 2019-02-15  Michael Saboff  <msaboff@apple.com>
286
287         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
288         https://bugs.webkit.org/show_bug.cgi?id=194558
289
290         Reviewed by Saam Barati.
291
292         New regression test.
293
294         * stress/regexp-unicode-within-string.js: Added.
295
296 2019-02-15  Mark Lam  <mark.lam@apple.com>
297
298         SamplingProfiler::stackTracesAsJSON() should escape strings.
299         https://bugs.webkit.org/show_bug.cgi?id=194649
300         <rdar://problem/48072386>
301
302         Reviewed by Saam Barati.
303
304         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
305         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
306         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
307         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
308
309 2019-02-15  Robin Morisset  <rmorisset@apple.com>
310         CodeBlock::jettison should clear related watchpoints
311         https://bugs.webkit.org/show_bug.cgi?id=194544
312
313         Reviewed by Mark Lam.
314
315         * stress/regexp-replace-double-watchpoint.js: Added.
316         (foo):
317
318 2019-02-15  Saam barati  <sbarati@apple.com>
319
320         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
321         https://bugs.webkit.org/show_bug.cgi?id=194036
322
323         Reviewed by Yusuke Suzuki.
324
325         * stress/tail-call-many-arguments.js: Added.
326         (foo):
327         (bar):
328
329 2019-02-14  Saam Barati  <sbarati@apple.com>
330
331         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
332         https://bugs.webkit.org/show_bug.cgi?id=194583
333         <rdar://problem/48028140>
334
335         Reviewed by Yusuke Suzuki.
336
337         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
338
339 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
340
341         [JSC] String.fromCharCode's slow path always generates 16bit string
342         https://bugs.webkit.org/show_bug.cgi?id=194466
343
344         Reviewed by Keith Miller.
345
346         * stress/string-from-char-code-slow-path.js: Added.
347         (shouldBe):
348         (testWithLength):
349
350 2019-02-08  Saam barati  <sbarati@apple.com>
351
352         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
353         https://bugs.webkit.org/show_bug.cgi?id=194334
354         <rdar://problem/47844327>
355
356         Reviewed by Mark Lam.
357
358         * stress/check-in-bounds-should-be-a-child-use.js: Added.
359         (func):
360
361 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
362
363         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
364         https://bugs.webkit.org/show_bug.cgi?id=194369
365         <rdar://problem/47813087>
366
367         Reviewed by Saam Barati.
368
369         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
370         (A):
371
372 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
373
374         [JSC] PrivateName to PublicName hash table is wasteful
375         https://bugs.webkit.org/show_bug.cgi?id=194277
376
377         Reviewed by Michael Saboff.
378
379         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
380
381         * ChakraCore.yaml:
382
383 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
384
385         [ARM] Test running out of executable memory
386         https://bugs.webkit.org/show_bug.cgi?id=194285
387
388         Unreviewed. Do no execute test with LLInt disabled, test runs out of
389         executable memory otherwise.
390
391         * stress/class-subclassing-function.js:
392
393 2019-02-04  Robin Morisset  <rmorisset@apple.com>
394
395         when lowering AssertNotEmpty, create the value before creating the patchpoint
396         https://bugs.webkit.org/show_bug.cgi?id=194231
397
398         Reviewed by Saam Barati.
399
400         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
401         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
402         So even tiny changes to this test can change the path code taken.
403
404         * stress/assert-not-empty.js: Added.
405         (foo):
406
407 2019-02-01  Mark Lam  <mark.lam@apple.com>
408
409         Remove invalid assertion in DFG's compileDoubleRep().
410         https://bugs.webkit.org/show_bug.cgi?id=194130
411         <rdar://problem/47699474>
412
413         Reviewed by Saam Barati.
414
415         * stress/constant-fold-double-rep-into-double-constant.js: Added.
416
417 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
418
419         Import latest Test262 updates.
420
421         Rubber-stamped by Keith Miller.
422
423         * test262.yaml: Deleted.
424         * test262/config.yaml:
425         * test262/expectations.yaml:
426         * test262/latest-changes-summary.txt:
427         * test262/test/:
428         * test262/test262-Revision.txt:
429
430 2019-01-30  Robin Morisset  <rmorisset@apple.com>
431
432         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
433         https://bugs.webkit.org/show_bug.cgi?id=194050
434         <rdar://problem/47595592>
435
436         Reviewed by Yusuke Suzuki.
437
438         * stress/object-keys-osr-exit.js: Added.
439         (foo):
440         (catch):
441
442 2019-01-29  Mark Lam  <mark.lam@apple.com>
443
444         ValueRecovery::recover() should purify NaN values it recovers.
445         https://bugs.webkit.org/show_bug.cgi?id=193978
446         <rdar://problem/47625488>
447
448         Reviewed by Saam Barati.
449
450         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
451
452 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
453
454         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
455         https://bugs.webkit.org/show_bug.cgi?id=193713
456
457         * stress/try-get-by-id-should-spill-registers-dfg.js:
458         (let.f.createBuiltin):
459
460 2019-01-28  Mark Lam  <mark.lam@apple.com>
461
462         ToString node actually does GC.
463         https://bugs.webkit.org/show_bug.cgi?id=193920
464         <rdar://problem/46695900>
465
466         Reviewed by Yusuke Suzuki.
467
468         * stress/dfg-to-string-on-int-does-gc.js: Added.
469         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
470         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
471
472 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
473
474         [JSC] NativeErrorConstructor should not have own IsoSubspace
475         https://bugs.webkit.org/show_bug.cgi?id=193713
476
477         Reviewed by Saam Barati.
478
479         Remove @Error use.
480
481         * stress/try-get-by-id-should-spill-registers-dfg.js:
482         (let.f.createBuiltin):
483
484 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
485
486         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
487         https://bugs.webkit.org/show_bug.cgi?id=190693
488
489         Reviewed by Michael Saboff.
490
491         * stress/regress-190693.js: Added.
492         (truth):
493         (assert):
494         (shouldThrowInvalidConstAssignment):
495         (taz):
496
497 2019-01-24  Saam Barati  <sbarati@apple.com>
498
499         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
500         https://bugs.webkit.org/show_bug.cgi?id=193751
501         <rdar://problem/47280215>
502
503         Reviewed by Michael Saboff.
504
505         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
506         (let.thing):
507         (foo.let.hello):
508         (foo):
509
510 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
511
512         [JSC] Reenable baseline JIT on mips
513         https://bugs.webkit.org/show_bug.cgi?id=192983
514
515         Reviewed by Mark Lam.
516
517         Added a new test for a case that was triggering a RELEASE_ASSERT when
518         testing.
519         Disable some slow tests that were already disabled for arm and x86.
520
521         * stress/json-parse-big-object.js: Added.
522         * stress/new-largeish-contiguous-array-with-size.js:
523         * stress/op_add.js:
524         * stress/op_bitand.js:
525         * stress/op_bitor.js:
526         * stress/op_bitxor.js:
527         * stress/op_lshift-ConstVar.js:
528         * stress/op_lshift-VarConst.js:
529         * stress/op_lshift-VarVar.js:
530         * stress/op_mod-ConstVar.js:
531         * stress/op_mod-VarConst.js:
532         * stress/op_mod-VarVar.js:
533         * stress/op_mul-ConstVar.js:
534         * stress/op_mul-VarConst.js:
535         * stress/op_mul-VarVar.js:
536         * stress/op_rshift-ConstVar.js:
537         * stress/op_rshift-VarConst.js:
538         * stress/op_rshift-VarVar.js:
539         * stress/op_sub-ConstVar.js:
540         * stress/op_sub-VarConst.js:
541         * stress/op_sub-VarVar.js:
542         * stress/op_urshift-ConstVar.js:
543         * stress/op_urshift-VarConst.js:
544         * stress/op_urshift-VarVar.js:
545         * stress/sampling-profiler-richards.js:
546         * stress/spread-forward-call-varargs-stack-overflow.js:
547
548 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
549
550         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
551         https://bugs.webkit.org/show_bug.cgi?id=193711
552         <rdar://problem/47250262>
553
554         Reviewed by Saam Barati.
555
556         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
557         (shouldBe):
558         (foo):
559         (bar):
560         (baz):
561
562 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
563
564         Unreviewed, fix initial global lexical binding epoch
565         https://bugs.webkit.org/show_bug.cgi?id=193603
566         <rdar://problem/47380869>
567
568         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
569         (f1.f2.f3.f4):
570         (f1.f2.f3):
571         (f1.f2):
572         (f1):
573
574 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
575
576         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
577         https://bugs.webkit.org/show_bug.cgi?id=193709
578         <rdar://problem/47363838>
579
580         Unreviewed, rollout to watch the tests.
581
582         * stress/object-tostring-changed-proto.js: Removed.
583         * stress/object-tostring-changed.js: Removed.
584         * stress/object-tostring-misc.js: Removed.
585         * stress/object-tostring-other.js: Removed.
586         * stress/object-tostring-untyped.js: Removed.
587
588 2019-01-22  Saam Barati  <sbarati@apple.com>
589
590         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
591
592         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
593         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
594         (testUncheckedLessThanZero):
595         (testUncheckedLessThanOrEqualZero):
596         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
597         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
598
599 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
600
601         [JSC] Invalidate old scope operations using global lexical binding epoch
602         https://bugs.webkit.org/show_bug.cgi?id=193603
603         <rdar://problem/47380869>
604
605         Reviewed by Saam Barati.
606
607         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
608         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
609         (shouldThrow):
610         (bar):
611         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
612         (shouldBe):
613         (get1):
614         (get2):
615         (get1If):
616         (get2If):
617         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
618         (shouldThrow):
619         (foo):
620
621 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
622
623         Unreviewed, roll out r240220 due to date-format-xparb regression
624         https://bugs.webkit.org/show_bug.cgi?id=193603
625
626         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
627         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
628         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
629         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
630
631 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
632
633         DoesGC rule is wrong for nodes with BigIntUse
634         https://bugs.webkit.org/show_bug.cgi?id=193652
635
636         Reviewed by Saam Barati.
637
638         * stress/big-int-value-op-update-gc-rules.js: Added.
639         (assert):
640         (doesGCAdd):
641         (doesGCSub):
642         (doesGCDiv):
643         (doesGCMul):
644         (doesGCBitAnd):
645         (doesGCBitOr):
646         (doesGCBitXor):
647
648 2019-01-20  Saam Barati  <sbarati@apple.com>
649
650         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
651         https://bugs.webkit.org/show_bug.cgi?id=193644
652         <rdar://problem/46209745>
653
654         Reviewed by Yusuke Suzuki.
655
656         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
657         (foo):
658         * stress/data-view-set-intrinsic-undefined-result.js: Added.
659         (foo):
660         (bar):
661
662 2019-01-20  Saam Barati  <sbarati@apple.com>
663
664         MovHint must merge NodeBytecodeUsesAsValue for its child
665         https://bugs.webkit.org/show_bug.cgi?id=186916
666         <rdar://problem/41396612>
667
668         Reviewed by Yusuke Suzuki.
669
670         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
671         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
672
673 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
674
675         [JSC] Invalidate old scope operations using global lexical binding epoch
676         https://bugs.webkit.org/show_bug.cgi?id=193603
677         <rdar://problem/47380869>
678
679         Reviewed by Saam Barati.
680
681         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
682         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
683         (shouldThrow):
684         (bar):
685         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
686         (shouldBe):
687         (get1):
688         (get2):
689         (get1If):
690         (get2If):
691         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
692         (shouldThrow):
693         (foo):
694
695 2019-01-17  Saam barati  <sbarati@apple.com>
696
697         StringObjectUse should not be a structure check for the original string object structure
698         https://bugs.webkit.org/show_bug.cgi?id=193483
699         <rdar://problem/47280522>
700
701         Reviewed by Yusuke Suzuki.
702
703         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
704         (foo):
705         (a.valueOf.0):
706
707 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
708
709         [JSC] ToThis omission in DFGByteCodeParser is wrong
710         https://bugs.webkit.org/show_bug.cgi?id=193513
711         <rdar://problem/45842236>
712
713         Reviewed by Saam Barati.
714
715         * stress/to-this-omission-with-different-strict-modes.js: Added.
716         (thisA):
717         (thisAStrictWrapper):
718
719 2019-01-15  Mark Lam  <mark.lam@apple.com>
720
721         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
722         https://bugs.webkit.org/show_bug.cgi?id=193423
723         <rdar://problem/46209355>
724
725         Reviewed by Saam Barati.
726
727         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
728         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
729         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
730         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
731
732 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
733
734         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
735         https://bugs.webkit.org/show_bug.cgi?id=193438
736         <rdar://problem/45581249>
737
738         Reviewed by Saam Barati and Keith Miller.
739
740         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
741         Then, GetByVal(String) crashed.
742
743         * stress/string-get-by-val-lowering.js: Added.
744         (shouldBe):
745         (test):
746         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
747         (Hello):
748         (foo):
749
750 2019-01-15  Tomas Popela  <tpopela@redhat.com>
751
752         Unreviewed, skip JIT tests if it's not enabled
753
754         * stress/bit-op-with-object-returning-int32.js:
755
756 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
757
758         DFGByteCodeParser rules for bitwise operations should consider type of their operands
759         https://bugs.webkit.org/show_bug.cgi?id=192966
760
761         Reviewed by Yusuke Suzuki.
762
763         * stress/bit-op-with-object-returning-int32.js: Added.
764
765 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
766
767         Skip a slow test and a flakey test on arm
768
769         Unreviewed gardening.
770
771         * typeProfiler/getter-richards.js:
772         this test always times out, it used to be always skipped on arm and
773         mips, but got accidentally enabled by r237919 now that we have DFG on
774         arm. Also skipping on mips as we plan to soon enable DFG for it too.
775
776 2019-01-14  Keith Miller  <keith_miller@apple.com>
777
778         Skip type-check-hoisting-phase-hoist... with no jit
779         https://bugs.webkit.org/show_bug.cgi?id=193421
780
781         Reviewed by Mark Lam.
782
783         It's timing out the 32-bit bots and takes 330 seconds
784         on my machine when run by itself.
785
786         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
787
788 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
789
790         [JSC] AI should check the given constant's array type when folding GetByVal into constant
791         https://bugs.webkit.org/show_bug.cgi?id=193413
792         <rdar://problem/46092389>
793
794         Reviewed by Keith Miller.
795
796         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
797         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
798         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
799         but GetByVal does not have appropriate ArrayModes, JSC crashes.
800
801         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
802         (compareArray):
803
804 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
805
806         [BigInt] Literal parsing is crashing when used inside a Object Literal
807         https://bugs.webkit.org/show_bug.cgi?id=193404
808
809         Reviewed by Yusuke Suzuki.
810
811         * stress/big-int-literal-inside-literal-object.js: Added.
812
813 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
814
815         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
816         https://bugs.webkit.org/show_bug.cgi?id=193372
817
818         Reviewed by Saam Barati.
819
820         * stress/typed-array-array-modes-profile.js: Added.
821         (foo):
822
823 2019-01-14  Mark Lam  <mark.lam@apple.com>
824
825         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
826         https://bugs.webkit.org/show_bug.cgi?id=193402
827         <rdar://problem/46012309>
828
829         Reviewed by Keith Miller.
830
831         * stress/regexp-compile-oom.js:
832         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
833           is enabled.  As a result, it will fail on cloop builds though there is no bug.
834
835 2019-01-11  Saam barati  <sbarati@apple.com>
836
837         DFG combined liveness can be wrong for terminal basic blocks
838         https://bugs.webkit.org/show_bug.cgi?id=193304
839         <rdar://problem/45268632>
840
841         Reviewed by Yusuke Suzuki.
842
843         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
844
845 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
846
847         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
848         https://bugs.webkit.org/show_bug.cgi?id=193308
849         <rdar://problem/45546542>
850
851         Reviewed by Saam Barati.
852
853         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
854         (shouldThrow):
855         (shouldBe):
856         (foo):
857         (get shouldThrow):
858         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
859         (shouldThrow):
860         (shouldBe):
861         (foo):
862         (get shouldBe):
863         (get shouldThrow):
864         (get return):
865         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
866         (shouldThrow):
867         (shouldBe):
868         (foo):
869         (get shouldBe):
870         (get shouldThrow):
871         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
872         (shouldThrow):
873         (shouldBe):
874         (foo):
875         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
876         (shouldThrow):
877         (shouldBe):
878         (foo):
879         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
880         (shouldThrow):
881         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
882         (shouldThrow):
883         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
884         (shouldThrow):
885         (shouldBe):
886         (foo):
887         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
888         (shouldThrow):
889         (shouldBe):
890         (foo):
891         (get shouldBe):
892         (get shouldThrow):
893         (get return):
894         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
895         (shouldThrow):
896         (shouldBe):
897         (foo):
898         (get shouldBe):
899         (get shouldThrow):
900         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
901         (shouldThrow):
902         (shouldBe):
903         (foo):
904         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
905         (shouldThrow):
906         (shouldBe):
907         (foo):
908
909 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
910
911         Enable DFG on ARM/Linux again
912         https://bugs.webkit.org/show_bug.cgi?id=192496
913
914         Reviewed by Yusuke Suzuki.
915
916         Test wasn't really skipped before moving the line with skip
917         to the top.
918
919         * stress/regress-192717.js:
920
921 2019-01-10  Commit Queue  <commit-queue@webkit.org>
922
923         Unreviewed, rolling out r239825.
924         https://bugs.webkit.org/show_bug.cgi?id=193330
925
926         Broke tests on armv7/linux bots (Requested by guijemont on
927         #webkit).
928
929         Reverted changeset:
930
931         "Enable DFG on ARM/Linux again"
932         https://bugs.webkit.org/show_bug.cgi?id=192496
933         https://trac.webkit.org/changeset/239825
934
935 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
936
937         Enable DFG on ARM/Linux again
938         https://bugs.webkit.org/show_bug.cgi?id=192496
939
940         Reviewed by Yusuke Suzuki.
941
942         Test wasn't really skipped before moving the line with skip
943         to the top.
944
945         * stress/regress-192717.js:
946
947 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
948
949         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
950         https://bugs.webkit.org/show_bug.cgi?id=193127
951
952         Reviewed by Saam Barati.
953
954         * stress/array-species-create-should-handle-masquerader.js: Added.
955         (shouldThrow):
956         * stress/is-undefined-or-null-builtin.js: Added.
957         (shouldBe):
958         (isUndefinedOrNull.vm.createBuiltin):
959
960 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
961
962         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
963         https://bugs.webkit.org/show_bug.cgi?id=193221
964
965         Reviewed by Mark Lam.
966
967         * stress/put-by-id-flags.js: Added.
968         (f):
969         (g):
970         (numberOfDFGCompiles):
971
972 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
973
974         Baseline version of get_by_id may corrupt metadata
975         https://bugs.webkit.org/show_bug.cgi?id=193085
976         <rdar://problem/23453006>
977
978         Reviewed by Saam Barati.
979
980         * stress/get-by-id-change-mode.js: Added.
981         (forEach):
982
983 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
984
985         [JSC] Optimize Object.prototype.toString
986         https://bugs.webkit.org/show_bug.cgi?id=193031
987
988         Reviewed by Saam Barati.
989
990         * stress/object-tostring-changed-proto.js: Added.
991         (shouldBe):
992         (test):
993         * stress/object-tostring-changed.js: Added.
994         (shouldBe):
995         (test):
996         * stress/object-tostring-misc.js: Added.
997         (shouldBe):
998         (test):
999         (i.switch):
1000         * stress/object-tostring-other.js: Added.
1001         (shouldBe):
1002         (test):
1003         * stress/object-tostring-untyped.js: Added.
1004         (shouldBe):
1005         (test):
1006         (i.switch):
1007
1008 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1009
1010         test262-runner misbehaves when test file YAML has a trailing space
1011         https://bugs.webkit.org/show_bug.cgi?id=193053
1012
1013         Reviewed by Yusuke Suzuki.
1014
1015         * test262/expectations.yaml:
1016         Mark two dozen tests as passing (and correct the output of another).
1017
1018 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1019
1020         Unreviewed, JSTests gardening with memoryLimited
1021
1022         * stress/string-overflow-createError.js:
1023
1024 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1025
1026         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1027         https://bugs.webkit.org/show_bug.cgi?id=193050
1028
1029         Reviewed by Yusuke Suzuki.
1030
1031         * test262.yaml:
1032         * test262/expectations.yaml:
1033         Mark 16 tests as passing.
1034
1035 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1036
1037         [BigInt] Support BigInt in JSON.stringify
1038         https://bugs.webkit.org/show_bug.cgi?id=192624
1039
1040         Reviewed by Saam Barati.
1041
1042         * stress/big-int-json-stringify-to-json.js: Added.
1043         (shouldBe):
1044         (shouldThrow):
1045         (BigInt.prototype.toJSON):
1046         (shouldBe.JSON.stringify):
1047         * stress/big-int-json-stringify.js: Added.
1048         (shouldBe):
1049         (shouldThrow):
1050
1051 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1052
1053         [JSC] Implement "well-formed JSON.stringify" proposal
1054         https://bugs.webkit.org/show_bug.cgi?id=191677
1055
1056         Reviewed by Darin Adler.
1057
1058         * stress/json-surrogate-pair.js: Added.
1059         (shouldBe):
1060         * test262/expectations.yaml:
1061
1062 2018-12-20  Keith Miller  <keith_miller@apple.com>
1063
1064         Add support for globalThis
1065         https://bugs.webkit.org/show_bug.cgi?id=165171
1066
1067         Reviewed by Mark Lam.
1068
1069         * test262/config.yaml:
1070
1071 2018-12-19  Keith Miller  <keith_miller@apple.com>
1072
1073         Update test262 configuration to not run tests dependent on ICU version.
1074         https://bugs.webkit.org/show_bug.cgi?id=192920
1075
1076         Reviewed by Saam Barati.
1077
1078         * test262/expectations.yaml:
1079
1080 2018-12-20  Mark Lam  <mark.lam@apple.com>
1081
1082         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1083         https://bugs.webkit.org/show_bug.cgi?id=192939
1084         <rdar://problem/46869516>
1085
1086         Reviewed by Keith Miller.
1087
1088         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1089
1090 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1091
1092         WTF::String and StringImpl overflow MaxLength
1093         https://bugs.webkit.org/show_bug.cgi?id=192853
1094         <rdar://problem/45726906>
1095
1096         Reviewed by Mark Lam.
1097
1098         * stress/string-16bit-repeat-overflow.js: Added.
1099         (catch):
1100
1101 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1102
1103         Unreviewed follow-up to r192914.
1104
1105         * test262/expectations.yaml:
1106         Add the last 20 missing expectations.
1107
1108 2018-12-19  Keith Miller  <keith_miller@apple.com>
1109
1110         Fix test262 expectations
1111         https://bugs.webkit.org/show_bug.cgi?id=192914
1112
1113         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1114
1115         * test262/expectations.yaml:
1116
1117 2018-12-19  Keith Miller  <keith_miller@apple.com>
1118
1119         Update test262 tests.
1120         https://bugs.webkit.org/show_bug.cgi?id=192907
1121
1122         Rubber stamped by Mark Lam.
1123
1124         * test262/*: Omitted because prepare-changelog crashes.
1125
1126 2018-12-19  Mark Lam  <mark.lam@apple.com>
1127
1128         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1129         https://bugs.webkit.org/show_bug.cgi?id=192464
1130         <rdar://problem/46519455>
1131
1132         Reviewed by Saam Barati.
1133
1134         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1135         microbenchmark.
1136
1137         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1138         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1139
1140 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1141
1142         String overflow in JSC::createError results in ASSERT in WTF::makeString
1143         https://bugs.webkit.org/show_bug.cgi?id=192833
1144         <rdar://problem/45706868>
1145
1146         Reviewed by Mark Lam.
1147
1148         * stress/string-overflow-createError.js: Added.
1149
1150 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1151
1152         Error message for `-x ** y` contains a typo.
1153         https://bugs.webkit.org/show_bug.cgi?id=192832
1154
1155         Reviewed by Saam Barati.
1156
1157         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1158         (assert.assert.return.throws):
1159         * stress/pow-expects-update-expression-on-lhs.js:
1160         (throw.new.Error):
1161         Update test expectations which match against the exact error message.
1162
1163 2018-12-18  Mark Lam  <mark.lam@apple.com>
1164
1165         Gardening: test options fix.
1166         https://bugs.webkit.org/show_bug.cgi?id=192822
1167
1168         Unreviewed.
1169
1170         * stress/json-stringify-string-builder-overflow.js:
1171
1172 2018-12-18  Mark Lam  <mark.lam@apple.com>
1173
1174         JSON.stringify() should throw OOM on StringBuilder overflows.
1175         https://bugs.webkit.org/show_bug.cgi?id=192822
1176         <rdar://problem/46670577>
1177
1178         Reviewed by Saam Barati.
1179
1180         * stress/json-stringify-string-builder-overflow.js: Added.
1181
1182 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1183
1184         Redeclaration of var over let/const/class should be a syntax error.
1185         https://bugs.webkit.org/show_bug.cgi?id=192298
1186
1187         Reviewed by Keith Miller.
1188
1189         * test262.yaml:
1190         * test262/expectations.yaml:
1191         Mark 46 tests as passing.
1192
1193         * stress/block-scope-redeclarations.js:
1194         Add some new tests.
1195
1196         * stress/for-in-invalidate-context-weird-assignments.js:
1197         * stress/for-in-tests.js:
1198         Replace tests for outdated behavior with tests for SyntaxError.
1199
1200         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1201         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1202         Update expectations.
1203
1204 2018-12-18  Mark Lam  <mark.lam@apple.com>
1205
1206         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1207         https://bugs.webkit.org/show_bug.cgi?id=191374
1208         <rdar://problem/46525447>
1209
1210         Reviewed by Yusuke Suzuki.
1211
1212         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1213
1214         * stress/elidable-new-object-roflcopter-then-exit.js:
1215
1216 2018-12-17  Mark Lam  <mark.lam@apple.com>
1217
1218         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1219         https://bugs.webkit.org/show_bug.cgi?id=192019
1220         <rdar://problem/46525456>
1221
1222         Reviewed by Yusuke Suzuki.
1223
1224         The test runs too slow on 32-bit.
1225
1226         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1227
1228 2018-12-17  Mark Lam  <mark.lam@apple.com>
1229
1230         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1231         https://bugs.webkit.org/show_bug.cgi?id=191373
1232         <rdar://problem/46525458>
1233
1234         Reviewed by Yusuke Suzuki.
1235
1236         The test is already slow running with a JIT on 64-bit.  It will always timeout
1237         on 32-bit without a JIT.
1238
1239         * stress/materialize-regexp-cyclic-regexp.js:
1240
1241 2018-12-17  Mark Lam  <mark.lam@apple.com>
1242
1243         Array unshift/shift should not race against the AI in the compiler thread.
1244         https://bugs.webkit.org/show_bug.cgi?id=192795
1245         <rdar://problem/46724263>
1246
1247         Reviewed by Saam Barati.
1248
1249         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1250
1251 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1252
1253         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1254         https://bugs.webkit.org/show_bug.cgi?id=190047
1255
1256         Reviewed by Saam Barati.
1257
1258         * stress/object-keys-cached-zero.js: Added.
1259         (shouldBe):
1260         (test):
1261         * stress/object-keys-changed-attribute.js: Added.
1262         (shouldBe):
1263         (test):
1264         * stress/object-keys-changed-index.js: Added.
1265         (shouldBe):
1266         (test):
1267         * stress/object-keys-changed.js: Added.
1268         (shouldBe):
1269         (test):
1270         * stress/object-keys-indexed-non-cache.js: Added.
1271         (shouldBe):
1272         (test):
1273         * stress/object-keys-overrides-get-property-names.js: Added.
1274         (shouldBe):
1275         (test):
1276         (noInline):
1277
1278 2018-12-17  Mark Lam  <mark.lam@apple.com>
1279
1280         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1281         https://bugs.webkit.org/show_bug.cgi?id=192779
1282         <rdar://problem/46775869>
1283
1284         Reviewed by Saam Barati.
1285
1286         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1287
1288 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1289
1290         Unreviewed test gardening, address a syntax error in a new test.
1291
1292         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1293
1294 2018-12-17  Mark Lam  <mark.lam@apple.com>
1295
1296         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1297         https://bugs.webkit.org/show_bug.cgi?id=192776
1298         <rdar://problem/46772368>
1299
1300         Reviewed by Keith Miller.
1301
1302         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1303
1304 2018-12-17  Mark Lam  <mark.lam@apple.com>
1305
1306         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1307         https://bugs.webkit.org/show_bug.cgi?id=192770
1308         <rdar://problem/46449037>
1309
1310         Reviewed by Keith Miller.
1311
1312         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1313
1314 2018-12-14  Mark Lam  <mark.lam@apple.com>
1315
1316         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1317         https://bugs.webkit.org/show_bug.cgi?id=192717
1318         <rdar://problem/46660677>
1319
1320         Reviewed by Saam Barati.
1321
1322         * stress/regress-192717.js: Added.
1323
1324 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1325
1326         Unreviewed, rolling out r239153, r239154, and r239155.
1327         https://bugs.webkit.org/show_bug.cgi?id=192715
1328
1329         Caused flaky GC-related crashes seen with layout tests
1330         (Requested by ryanhaddad on #webkit).
1331
1332         Reverted changesets:
1333
1334         "[JSC] Optimize Object.keys by caching own keys results in
1335         StructureRareData"
1336         https://bugs.webkit.org/show_bug.cgi?id=190047
1337         https://trac.webkit.org/changeset/239153
1338
1339         "Unreviewed, build fix after r239153"
1340         https://bugs.webkit.org/show_bug.cgi?id=190047
1341         https://trac.webkit.org/changeset/239154
1342
1343         "Unreviewed, build fix after r239153, part 2"
1344         https://bugs.webkit.org/show_bug.cgi?id=190047
1345         https://trac.webkit.org/changeset/239155
1346
1347 2018-12-14  Keith Miller  <keith_miller@apple.com>
1348
1349         Callers of JSString::getIndex should check for OOM exceptions
1350         https://bugs.webkit.org/show_bug.cgi?id=192709
1351
1352         Reviewed by Mark Lam.
1353
1354         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1355
1356 2018-12-13  Mark Lam  <mark.lam@apple.com>
1357
1358         Add a missing exception check.
1359         https://bugs.webkit.org/show_bug.cgi?id=192626
1360         <rdar://problem/46662163>
1361
1362         Reviewed by Keith Miller.
1363
1364         * stress/regress-192626.js: Added.
1365
1366 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1367
1368         [BigInt] Add ValueDiv into DFG
1369         https://bugs.webkit.org/show_bug.cgi?id=186178
1370
1371         Reviewed by Yusuke Suzuki.
1372
1373         * stress/big-int-div-jit-osr.js: Added.
1374         * stress/big-int-div-jit-untyped.js: Added.
1375         * stress/value-div-fixup-int32-big-int.js: Added.
1376
1377 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1378
1379         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1380         https://bugs.webkit.org/show_bug.cgi?id=190047
1381
1382         Reviewed by Keith Miller.
1383
1384         * stress/object-keys-cached-zero.js: Added.
1385         (shouldBe):
1386         (test):
1387         * stress/object-keys-changed-attribute.js: Added.
1388         (shouldBe):
1389         (test):
1390         * stress/object-keys-changed-index.js: Added.
1391         (shouldBe):
1392         (test):
1393         * stress/object-keys-changed.js: Added.
1394         (shouldBe):
1395         (test):
1396         * stress/object-keys-indexed-non-cache.js: Added.
1397         (shouldBe):
1398         (test):
1399         * stress/object-keys-overrides-get-property-names.js: Added.
1400         (shouldBe):
1401         (test):
1402         (noInline):
1403
1404 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1405
1406         [DFG][FTL] Add NewSymbol
1407         https://bugs.webkit.org/show_bug.cgi?id=192620
1408
1409         Reviewed by Saam Barati.
1410
1411         * microbenchmarks/symbol-creation.js: Added.
1412         (test):
1413         * stress/symbol-description-identity.js: Added.
1414         (shouldBe):
1415         (test):
1416         * stress/symbol-identity.js: Added.
1417         (shouldBe):
1418         (test):
1419         * stress/symbol-with-description-throw-error.js: Added.
1420         (shouldBe):
1421         (shouldThrow):
1422         (test):
1423         (object.toString):
1424
1425 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1426
1427         [BigInt] Implement DFG/FTL typeof for BigInt
1428         https://bugs.webkit.org/show_bug.cgi?id=192619
1429
1430         Reviewed by Keith Miller.
1431
1432         * stress/big-int-boolean-proven-type.js: Added.
1433         (assert):
1434         (bool):
1435         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1436         (assert):
1437         (typeOf):
1438         (i.switch):
1439         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1440         (assert):
1441         (typeOf):
1442         * stress/big-int-type-of.js:
1443         (typeOf):
1444         (func):
1445
1446 2018-12-10  Mark Lam  <mark.lam@apple.com>
1447
1448         PropertyAttribute needs a CustomValue bit.
1449         https://bugs.webkit.org/show_bug.cgi?id=191993
1450         <rdar://problem/46264467>
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/regress-191993.js: Added.
1455
1456 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1457
1458         [BigInt] Add ValueMul into DFG
1459         https://bugs.webkit.org/show_bug.cgi?id=186175
1460
1461         Reviewed by Yusuke Suzuki.
1462
1463         * stress/big-int-mul-jit-osr.js: Added.
1464         * stress/big-int-mul-jit-untyped.js: Added.
1465         * stress/value-mul-fixup-int32-big-int.js: Added.
1466
1467 2018-12-06  Keith Miller  <keith_miller@apple.com>
1468
1469         stress/big-wasm-memory tests failing on 32-bit JSC bot
1470         https://bugs.webkit.org/show_bug.cgi?id=192020
1471
1472         Reviewed by Saam Barati.
1473
1474         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1475         the wasm stress tests if the WebAssembly object does not exist.
1476
1477         * stress/big-wasm-memory-grow-no-max.js:
1478         (test.foo):
1479         (test):
1480         (foo): Deleted.
1481         (catch): Deleted.
1482         * stress/big-wasm-memory-grow.js:
1483         (test.foo):
1484         (test):
1485         (foo): Deleted.
1486         (catch): Deleted.
1487         * stress/big-wasm-memory.js:
1488         (test.foo):
1489         (test):
1490         (foo): Deleted.
1491         (catch): Deleted.
1492
1493 2018-12-05  Mark Lam  <mark.lam@apple.com>
1494
1495         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1496         https://bugs.webkit.org/show_bug.cgi?id=192441
1497         <rdar://problem/46480355>
1498
1499         Reviewed by Saam Barati.
1500
1501         * stress/regress-192441.js: Added.
1502
1503 2018-12-04  Mark Lam  <mark.lam@apple.com>
1504
1505         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1506         https://bugs.webkit.org/show_bug.cgi?id=192386
1507         <rdar://problem/46445516>
1508
1509         Reviewed by Saam Barati.
1510
1511         * stress/regress-192386.js: Added.
1512
1513 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1514
1515         [ESNext][BigInt] Support logic operations
1516         https://bugs.webkit.org/show_bug.cgi?id=179903
1517
1518         Reviewed by Yusuke Suzuki.
1519
1520         * stress/big-int-branch-usage.js: Added.
1521         * stress/big-int-logical-and.js: Added.
1522         * stress/big-int-logical-not.js: Added.
1523         * stress/big-int-logical-or.js: Added.
1524
1525 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1526
1527         Unreviewed, rolling out r238833.
1528
1529         Breaks macOS and iOS debug builds.
1530
1531         Reverted changeset:
1532
1533         "[ESNext][BigInt] Support logic operations"
1534         https://bugs.webkit.org/show_bug.cgi?id=179903
1535         https://trac.webkit.org/changeset/238833
1536
1537 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1538
1539         [ESNext][BigInt] Support logic operations
1540         https://bugs.webkit.org/show_bug.cgi?id=179903
1541
1542         Reviewed by Yusuke Suzuki.
1543
1544         * stress/big-int-branch-usage.js: Added.
1545         * stress/big-int-logical-and.js: Added.
1546         * stress/big-int-logical-not.js: Added.
1547         * stress/big-int-logical-or.js: Added.
1548
1549 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1550
1551         [ESNext][BigInt] Implement support for "<<" and ">>"
1552         https://bugs.webkit.org/show_bug.cgi?id=186233
1553
1554         Reviewed by Yusuke Suzuki.
1555
1556         * stress/big-int-left-shift-general.js: Added.
1557         * stress/big-int-left-shift-range-error.js: Added.
1558         * stress/big-int-left-shift-type-error.js: Added.
1559         * stress/big-int-left-shift-wrapped-value.js: Added.
1560         * stress/big-int-right-shift-general.js: Added.
1561         * stress/big-int-right-shift-type-error.js: Added.
1562         * stress/big-int-right-shift-wrapped-value.js: Added.
1563         * stress/left-shift-to-primitive-precedence.js: Added.
1564         * stress/right-shift-to-primitive-precedence.js: Added.
1565
1566 2018-11-30  Dean Jackson  <dino@apple.com>
1567
1568         Add first-class support for .mjs files in jsc binary
1569         https://bugs.webkit.org/show_bug.cgi?id=192190
1570         <rdar://problem/46375715>
1571
1572         Reviewed by Keith Miller.
1573
1574         * stress/simple-module.mjs: Added.
1575         * stress/simple-script.js: Added.
1576
1577 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1578
1579         [BigInt] Implement ValueBitXor into DFG
1580         https://bugs.webkit.org/show_bug.cgi?id=190264
1581
1582         Reviewed by Yusuke Suzuki.
1583
1584         * stress/big-int-bitwise-xor-jit.js: Added.
1585         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1586         * stress/big-int-bitwise-xor-untyped.js: Added.
1587
1588 2018-11-27  Saam barati  <sbarati@apple.com>
1589
1590         r238510 broke scopes of size zero
1591         https://bugs.webkit.org/show_bug.cgi?id=192033
1592         <rdar://problem/46281734>
1593
1594         Reviewed by Keith Miller.
1595
1596         * stress/r238510-bad-loop.js: Added.
1597         (foo):
1598
1599 2018-11-27  Mark Lam  <mark.lam@apple.com>
1600
1601         [Re-landing] NaNs read from Wasm code needs to be be purified.
1602         https://bugs.webkit.org/show_bug.cgi?id=191056
1603         <rdar://problem/45660341>
1604
1605         Reviewed by Filip Pizlo.
1606
1607         * wasm/regress/regress-191056.js: Added.
1608
1609 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1610
1611         Unreviewed, rolling out r238509.
1612
1613         Causes JSC tests to fail on iOS.
1614
1615         Reverted changeset:
1616
1617         "NaNs read from Wasm code needs to be be purified."
1618         https://bugs.webkit.org/show_bug.cgi?id=191056
1619         https://trac.webkit.org/changeset/238509
1620
1621 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1622
1623         Re-introduce op_bitnot
1624         https://bugs.webkit.org/show_bug.cgi?id=190923
1625
1626         Reviewed by Yusuke Suzuki.
1627
1628         * stress/bit-not-must-generate.js: Added.
1629         * stress/bitwise-not-no-int32.js: Added.
1630
1631 2018-11-26  Saam barati  <sbarati@apple.com>
1632
1633         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1634         https://bugs.webkit.org/show_bug.cgi?id=191956
1635         <rdar://problem/45665806>
1636
1637         Reviewed by Yusuke Suzuki.
1638
1639         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1640         (bar):
1641         (foo):
1642
1643 2018-11-26  Saam barati  <sbarati@apple.com>
1644
1645         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1646         https://bugs.webkit.org/show_bug.cgi?id=191958
1647         <rdar://problem/46221877>
1648
1649         Reviewed by Yusuke Suzuki.
1650
1651         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1652         (x):
1653         (foo):
1654
1655 2018-11-26  Mark Lam  <mark.lam@apple.com>
1656
1657         NaNs read from Wasm code needs to be be purified.
1658         https://bugs.webkit.org/show_bug.cgi?id=191056
1659         <rdar://problem/45660341>
1660
1661         Reviewed by Filip Pizlo.
1662
1663         * wasm/regress/regress-191056.js: Added.
1664
1665 2018-11-26  Michael Saboff  <msaboff@apple.com>
1666
1667         32-bit JSC test failure: stress/regexp-compile-oom.js
1668         https://bugs.webkit.org/show_bug.cgi?id=191375
1669
1670         Reviewed by Mark Lam.
1671
1672         Disabled the test for 32 bit platforms.
1673
1674         * stress/regexp-compile-oom.js:
1675
1676 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1677
1678         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1679         https://bugs.webkit.org/show_bug.cgi?id=191716
1680         <rdar://problem/45723878>
1681
1682         Reviewed by Saam Barati.
1683
1684         * stress/regress-187373.js: Added.
1685         (async.fn):
1686
1687 2018-11-21  Saam barati  <sbarati@apple.com>
1688
1689         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1690         https://bugs.webkit.org/show_bug.cgi?id=191897
1691         <rdar://problem/45871998>
1692
1693         Reviewed by Mark Lam.
1694
1695         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1696         (bar):
1697         (foo):
1698
1699 2018-11-21  Saam barati  <sbarati@apple.com>
1700
1701         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1702         https://bugs.webkit.org/show_bug.cgi?id=191895
1703         <rdar://problem/46167406>
1704
1705         Reviewed by Mark Lam.
1706
1707         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1708         (foo):
1709         (bar):
1710
1711 2018-11-21  Mark Lam  <mark.lam@apple.com>
1712
1713         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1714         https://bugs.webkit.org/show_bug.cgi?id=191776
1715         <rdar://problem/46152851>
1716
1717         Reviewed by Saam Barati.
1718
1719         * stress/big-wasm-memory-grow-no-max.js:
1720         * stress/big-wasm-memory-grow.js:
1721         * stress/big-wasm-memory.js:
1722         - updated these to expect an OutOfMemoryError.
1723
1724         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1725         (Binary.prototype.emit_u8):
1726         (Binary.prototype.emit_u32v):
1727         (Binary.prototype.emit_header):
1728         (Binary.prototype.emit_section):
1729         (Binary):
1730         (WasmModuleBuilder):
1731         (WasmModuleBuilder.prototype.addMemory):
1732         (WasmModuleBuilder.prototype.toArray):
1733         (WasmModuleBuilder.prototype.toBuffer):
1734         (WasmModuleBuilder.prototype.instantiate):
1735         (catch):
1736         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1737         (catch):
1738
1739 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1740
1741         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1742         https://bugs.webkit.org/show_bug.cgi?id=190836
1743
1744         Reviewed by Saam Barati and Yusuke Suzuki.
1745
1746         * stress/big-int-out-of-memory-tests.js: Added.
1747
1748 2018-11-20  Mark Lam  <mark.lam@apple.com>
1749
1750         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1751         https://bugs.webkit.org/show_bug.cgi?id=191856
1752         <rdar://problem/46089992>
1753
1754         Reviewed by Yusuke Suzuki.
1755
1756         * stress/regress-191856.js: Added.
1757         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1758
1759 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1760
1761         Enable JIT on ARM/Linux
1762         https://bugs.webkit.org/show_bug.cgi?id=191548
1763
1764         Reviewed by Yusuke Suzuki.
1765
1766         Disable test on system with limited memory. Program was killed by
1767         the OS before the exception was thrown.
1768
1769         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1770
1771 2018-11-20  Saam barati  <sbarati@apple.com>
1772
1773         Merging an IC variant may lead to the IC status containing overlapping structure sets
1774         https://bugs.webkit.org/show_bug.cgi?id=191869
1775         <rdar://problem/45403453>
1776
1777         Reviewed by Mark Lam.
1778
1779         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1780
1781 2018-11-19  Mark Lam  <mark.lam@apple.com>
1782
1783         globalFuncImportModule() should return a promise when it clears exceptions.
1784         https://bugs.webkit.org/show_bug.cgi?id=191792
1785         <rdar://problem/46090763>
1786
1787         Reviewed by Michael Saboff.
1788
1789         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1790
1791 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1792
1793         Skip new memory-hungry tests on memory limited devices
1794
1795         Unreviewed gardening.
1796
1797         * stress/big-wasm-memory-grow-no-max.js:
1798         * stress/big-wasm-memory-grow.js:
1799         * stress/big-wasm-memory.js:
1800
1801 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1802
1803         Unreviewed, rolling in the rest of r237254
1804         https://bugs.webkit.org/show_bug.cgi?id=190340
1805
1806         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1807         * stress/function-cache-with-parameters-end-position.js: Added.
1808         (shouldBe):
1809         (shouldThrow):
1810         (i.anonymous):
1811         * stress/function-constructor-name.js: Added.
1812         (shouldBe):
1813         (GeneratorFunction):
1814         (AsyncFunction.async):
1815         (AsyncGeneratorFunction.async):
1816         (anonymous):
1817         (async.anonymous):
1818         * test262/expectations.yaml:
1819
1820 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1821
1822         All users of ArrayBuffer should agree on the same max size
1823         https://bugs.webkit.org/show_bug.cgi?id=191771
1824
1825         Reviewed by Mark Lam.
1826
1827         * stress/big-wasm-memory-grow-no-max.js: Added.
1828         (foo):
1829         (catch):
1830         * stress/big-wasm-memory-grow.js: Added.
1831         (foo):
1832         (catch):
1833         * stress/big-wasm-memory.js: Added.
1834         (foo):
1835         (catch):
1836
1837 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1838
1839         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1840         run for each JSC config since they're regression tests for runtime bugs.
1841
1842         * stress/json-stringified-overflow-2.js:
1843         * stress/json-stringified-overflow.js:
1844
1845 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1846
1847         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1848         config since they're regression tests for runtime bugs.
1849
1850         * stress/large-unshift-splice.js:
1851         * stress/regress-185888.js:
1852
1853 2018-11-16  Saam Barati  <sbarati@apple.com>
1854
1855         KnownCellUse should also have SpecCellCheck as its type filter
1856         https://bugs.webkit.org/show_bug.cgi?id=191729
1857         <rdar://problem/45872852>
1858
1859         Reviewed by Filip Pizlo.
1860
1861         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1862         (C):
1863
1864 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1865
1866         Fix assertion failure on BytecodeGenerator::recordOpcode
1867         https://bugs.webkit.org/show_bug.cgi?id=191724
1868         <rdar://problem/45724395>
1869
1870         Reviewed by Saam Barati.
1871
1872         * stress/regress-187373-2.js: Added.
1873         (foo):
1874
1875 2018-11-15  Mark Lam  <mark.lam@apple.com>
1876
1877         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1878         https://bugs.webkit.org/show_bug.cgi?id=191730
1879         <rdar://problem/46048517>
1880
1881         Reviewed by Saam Barati.
1882
1883         * stress/regress-187006.js: Removed.
1884           - this test is invalid because its sole purpose is to test for the non-spec
1885             compliant behavior that we just fixed.
1886
1887         * stress/regress-191730.js: Added.
1888
1889 2018-11-15  Mark Lam  <mark.lam@apple.com>
1890
1891         RegExp operations should not take fast patch if lastIndex is not numeric.
1892         https://bugs.webkit.org/show_bug.cgi?id=191731
1893         <rdar://problem/46017305>
1894
1895         Reviewed by Saam Barati.
1896
1897         * stress/regress-191731.js: Added.
1898
1899 2018-11-13  Saam Barati  <sbarati@apple.com>
1900
1901         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1902         https://bugs.webkit.org/show_bug.cgi?id=191600
1903
1904         Reviewed by Mark Lam.
1905
1906         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1907         (foo):
1908         (test):
1909         (bar):
1910
1911 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1912
1913         Unreviewed, rolling out r238132.
1914
1915         The test added with this change is timing out on Debug JSC
1916         bots.
1917
1918         Reverted changeset:
1919
1920         "[BigInt] JSBigInt::createWithLength should throw when length
1921         is greater than JSBigInt::maxLength"
1922         https://bugs.webkit.org/show_bug.cgi?id=190836
1923         https://trac.webkit.org/changeset/238132
1924
1925 2018-11-13  Mark Lam  <mark.lam@apple.com>
1926
1927         Add OOM detection to StringPrototype's substituteBackreferences().
1928         https://bugs.webkit.org/show_bug.cgi?id=191563
1929         <rdar://problem/45720428>
1930
1931         Reviewed by Saam Barati.
1932
1933         * stress/regress-191563.js: Added.
1934
1935 2018-11-13  Mark Lam  <mark.lam@apple.com>
1936
1937         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1938         https://bugs.webkit.org/show_bug.cgi?id=191579
1939         <rdar://problem/45942472>
1940
1941         Reviewed by Saam Barati.
1942
1943         * stress/regress-191579.js: Added.
1944
1945 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1946
1947         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1948         https://bugs.webkit.org/show_bug.cgi?id=190836
1949
1950         Reviewed by Saam Barati.
1951
1952         * stress/big-int-out-of-memory-tests.js: Added.
1953
1954 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1955
1956         U+180E is no longer a whitespace character
1957         https://bugs.webkit.org/show_bug.cgi?id=191415
1958
1959         Reviewed by Saam Barati.
1960
1961         * ChakraCore/test/es5/regexSpace.baseline:
1962         * ChakraCore/test/es6/unicode_whitespace.js:
1963         Update tests to latest version.
1964         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1965
1966         * test262.yaml:
1967         * test262/config.yaml:
1968         * test262/expectations.yaml:
1969         Update expectations.
1970
1971 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1972
1973         [BigInt] Add support to BigInt into ValueAdd
1974         https://bugs.webkit.org/show_bug.cgi?id=186177
1975
1976         Reviewed by Keith Miller.
1977
1978         * stress/big-int-negate-jit.js:
1979         * stress/value-add-big-int-and-string.js: Added.
1980         * stress/value-add-big-int-prediction-propagation.js: Added.
1981         * stress/value-add-big-int-untyped.js: Added.
1982
1983 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1984
1985         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1986         https://bugs.webkit.org/show_bug.cgi?id=191184
1987
1988         Reviewed by Saam Barati.
1989
1990         Most tests were failing due to timeouts, since they are too slow to
1991         run on CLoop. The exceptions are:
1992
1993         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1994         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1995         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1996         to change the stack size since CLoop requires it to be page aligned.
1997
1998         * microbenchmarks/array-push-1.js:
1999         * microbenchmarks/array-push-2.js:
2000         * microbenchmarks/elidable-new-object-dag.js:
2001         * microbenchmarks/elidable-new-object-roflcopter.js:
2002         * microbenchmarks/elidable-new-object-tree.js:
2003         * microbenchmarks/getter-richards.js:
2004         * microbenchmarks/sinkable-new-object-dag.js:
2005         * microbenchmarks/string-concat-long-convert.js:
2006         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2007         * slowMicrobenchmarks/array-push-3.js:
2008         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2009         * slowMicrobenchmarks/spread-small-array.js:
2010         * slowMicrobenchmarks/undefined-property-access.js:
2011         * stress/activation-sink-default-value-tdz-error.js:
2012         * stress/activation-sink-default-value.js:
2013         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2014         * stress/activation-sink-osrexit-default-value.js:
2015         * stress/activation-sink-osrexit.js:
2016         * stress/activation-sink.js:
2017         * stress/allow-math-ic-b3-code-duplication.js:
2018         * stress/array-push-multiple-int32.js:
2019         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2020         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2021         * stress/arrowfunction-lexical-this-activation-sink.js:
2022         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2023         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2024         * stress/elide-new-object-dag-then-exit.js:
2025         * stress/materialize-regexp-cyclic.js:
2026         * stress/new-regex-inline.js:
2027         * stress/op_add.js:
2028         * stress/op_bitand.js:
2029         * stress/op_bitor.js:
2030         * stress/op_bitxor.js:
2031         * stress/op_div-ConstVar.js:
2032         * stress/op_div-VarConst.js:
2033         * stress/op_div-VarVar.js:
2034         * stress/op_lshift-ConstVar.js:
2035         * stress/op_lshift-VarConst.js:
2036         * stress/op_lshift-VarVar.js:
2037         * stress/op_mod-ConstVar.js:
2038         * stress/op_mod-VarConst.js:
2039         * stress/op_mod-VarVar.js:
2040         * stress/op_mul-ConstVar.js:
2041         * stress/op_mul-VarConst.js:
2042         * stress/op_mul-VarVar.js:
2043         * stress/op_rshift-ConstVar.js:
2044         * stress/op_rshift-VarConst.js:
2045         * stress/op_rshift-VarVar.js:
2046         * stress/op_sub-ConstVar.js:
2047         * stress/op_sub-VarConst.js:
2048         * stress/op_sub-VarVar.js:
2049         * stress/op_urshift-ConstVar.js:
2050         * stress/op_urshift-VarConst.js:
2051         * stress/op_urshift-VarVar.js:
2052         * stress/proxy-get-set-correct-receiver.js:
2053         * stress/regress-179562.js:
2054         * stress/rest-parameter-many-arguments.js:
2055         * stress/sampling-profiler-richards.js:
2056         * stress/splay-flash-access-1ms.js:
2057         * stress/tailCallForwardArguments.js:
2058         * stress/typed-array-get-by-val-profiling.js:
2059         * typeProfiler/getter-richards.js:
2060
2061 2018-11-06  Michael Saboff  <msaboff@apple.com>
2062
2063         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2064         https://bugs.webkit.org/show_bug.cgi?id=191271
2065
2066         Reviewed by Saam Barati.
2067
2068         Added more test cases and made all test cases run with the same deeply recursive stack
2069         instead of finding that same point for each test case.
2070
2071         * stress/regexp-compile-oom.js:
2072         (prototype.runTest):
2073         (recurseAndTest):
2074         (testList.push.new.TestAndExpectedException):
2075
2076 2018-11-05  Michael Saboff  <msaboff@apple.com>
2077
2078         Unreviewed build fix for linux.
2079
2080         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2081
2082 2018-11-02  Michael Saboff  <msaboff@apple.com>
2083
2084         Rolling in r237753 with unreviewed build fix.
2085
2086         Fixed issues with DECLARE_THROW_SCOPE placement.
2087
2088 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2089
2090         Unreviewed, rolling out r237753.
2091
2092         Introduced JSC test failures
2093
2094         Reverted changeset:
2095
2096         "Running out of stack space not properly handled in
2097         RegExp::compile() and its callers"
2098         https://bugs.webkit.org/show_bug.cgi?id=191206
2099         https://trac.webkit.org/changeset/237753
2100
2101 2018-11-02  Michael Saboff  <msaboff@apple.com>
2102
2103         Running out of stack space not properly handled in RegExp::compile() and its callers
2104         https://bugs.webkit.org/show_bug.cgi?id=191206
2105
2106         Reviewed by Filip Pizlo.
2107
2108         New regression test.
2109
2110         * stress/regexp-compile-oom.js: Added.
2111         (recurseAndTest):
2112
2113 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2114
2115         Skip tests on arm/mips that time out now we're running on CLoop
2116
2117         Unreviewed gardening.
2118
2119         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2120         time out on the bots and need to be disabled. There's more tests
2121         disabled on arm because the timeout is longer on the mips bot (as the
2122         device is slower to start with), so many of the tests don't time out
2123         there.
2124
2125         * microbenchmarks/getter-richards.js: disable on arm and mips.
2126         * stress/op_add.js: disable on arm.
2127         * stress/op_bitand.js: disable on arm.
2128         * stress/op_bitor.js: disable on arm.
2129         * stress/op_bitxor.js: disable on arm.
2130         * stress/op_lshift-ConstVar.js: disable on arm.
2131         * stress/op_lshift-VarConst.js: disable on arm.
2132         * stress/op_lshift-VarVar.js: disable on arm.
2133         * stress/op_mod-ConstVar.js: disable on arm.
2134         * stress/op_mod-VarConst.js: disable on arm.
2135         * stress/op_mod-VarVar.js: disable on arm.
2136         * stress/op_mul-ConstVar.js: disable on arm.
2137         * stress/op_mul-VarConst.js: disable on arm.
2138         * stress/op_mul-VarVar.js: disable on arm.
2139         * stress/op_rshift-ConstVar.js: disable on arm.
2140         * stress/op_rshift-VarConst.js: disable on arm.
2141         * stress/op_rshift-VarVar.js: disable on arm.
2142         * stress/op_sub-ConstVar.js: disable on arm.
2143         * stress/op_sub-VarConst.js: disable on arm.
2144         * stress/op_sub-VarVar.js: disable on arm.
2145         * stress/op_urshift-ConstVar.js: disable on arm.
2146         * stress/op_urshift-VarConst.js: disable on arm.
2147         * stress/op_urshift-VarVar.js: disable on arm.
2148         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2149         * stress/value-to-boolean.js: disable on arm and mips.
2150
2151 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2152
2153         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2154         https://bugs.webkit.org/show_bug.cgi?id=191108
2155         <rdar://problem/45690700>
2156
2157         Reviewed by Saam Barati.
2158
2159         * stress/wide-op_catch.js: Added.
2160         (catch):
2161
2162 2018-10-29  Mark Lam  <mark.lam@apple.com>
2163
2164         Correctly detect string overflow when using the 'Function' constructor.
2165         https://bugs.webkit.org/show_bug.cgi?id=184883
2166         <rdar://problem/36320331>
2167
2168         Reviewed by Saam Barati.
2169
2170         I've verified that this passes on 32-bit as well.
2171
2172         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2173
2174 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2175
2176         Add support for GetStack FlushedDouble
2177         https://bugs.webkit.org/show_bug.cgi?id=191012
2178         <rdar://problem/45265141>
2179
2180         Reviewed by Saam Barati.
2181
2182         * stress/get-stack-double.js: Added.
2183         (bar):
2184         (noInline):
2185
2186 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2187
2188         New bytecode format for JSC
2189         https://bugs.webkit.org/show_bug.cgi?id=187373
2190         <rdar://problem/44186758>
2191
2192         Reviewed by Filip Pizlo.
2193
2194         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2195
2196         * stress/maximum-inline-capacity.js: Added.
2197         (test1):
2198         (test3.Foo):
2199         (test3):
2200
2201 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2202
2203         Unreviewed, rolling out r237479 and r237484.
2204         https://bugs.webkit.org/show_bug.cgi?id=190978
2205
2206         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2207
2208         Reverted changesets:
2209
2210         "New bytecode format for JSC"
2211         https://bugs.webkit.org/show_bug.cgi?id=187373
2212         https://trac.webkit.org/changeset/237479
2213
2214         "Gardening: Build fix after r237479."
2215         https://bugs.webkit.org/show_bug.cgi?id=187373
2216         https://trac.webkit.org/changeset/237484
2217
2218 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2219
2220         New bytecode format for JSC
2221         https://bugs.webkit.org/show_bug.cgi?id=187373
2222         <rdar://problem/44186758>
2223
2224         Reviewed by Filip Pizlo.
2225
2226         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2227
2228         * stress/maximum-inline-capacity.js: Added.
2229         (test1):
2230         (test3.Foo):
2231         (test3):
2232
2233 2018-10-26  Mark Lam  <mark.lam@apple.com>
2234
2235         Fix missing edge cases with JSGlobalObjects having a bad time.
2236         https://bugs.webkit.org/show_bug.cgi?id=189028
2237         <rdar://problem/45204939>
2238
2239         Reviewed by Saam Barati.
2240
2241         * stress/regress-189028.js: Added.
2242
2243 2018-10-22  Mark Lam  <mark.lam@apple.com>
2244
2245         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2246         https://bugs.webkit.org/show_bug.cgi?id=190515
2247         <rdar://problem/45222379>
2248
2249         Rubber-stamped by Saam Barati.
2250
2251         Adding another test.
2252
2253         * stress/regress-190515-2.js: Added.
2254
2255 2018-10-22  Mark Lam  <mark.lam@apple.com>
2256
2257         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2258         https://bugs.webkit.org/show_bug.cgi?id=190515
2259         <rdar://problem/45222379>
2260
2261         Reviewed by Saam Barati.
2262
2263         * stress/regress-190515.js: Added.
2264
2265 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2266
2267         Unreviewed, rolling out r237254.
2268         https://bugs.webkit.org/show_bug.cgi?id=190760
2269
2270         "It regresses JetStream 2 by 5% on some iOS devices"
2271         (Requested by saamyjoon on #webkit).
2272
2273         Reverted changeset:
2274
2275         "[JSC] JSC should have "parseFunction" to optimize Function
2276         constructor"
2277         https://bugs.webkit.org/show_bug.cgi?id=190340
2278         https://trac.webkit.org/changeset/237254
2279
2280 2018-10-19  Saam Barati  <sbarati@apple.com>
2281
2282         vmCall should check if we exit before emitting an OSR exit due to exceptions
2283         https://bugs.webkit.org/show_bug.cgi?id=190740
2284         <rdar://problem/45220139>
2285
2286         Reviewed by Mark Lam.
2287
2288         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2289         (foo):
2290
2291 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2292
2293         [ESNext][BigInt] Implement support for "^"
2294         https://bugs.webkit.org/show_bug.cgi?id=186235
2295
2296         Reviewed by Yusuke Suzuki.
2297
2298         * stress/big-int-bitwise-xor-general.js: Added.
2299         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2300         * stress/big-int-bitwise-xor-type-error.js: Added.
2301         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2302
2303 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2304
2305         [BigInt] Add ValueSub into DFG
2306         https://bugs.webkit.org/show_bug.cgi?id=186176
2307
2308         Reviewed by Yusuke Suzuki.
2309
2310         * stress/big-int-subtraction-jit.js:
2311         * stress/value-sub-big-int-prediction-propagation.js: Added.
2312         * stress/value-sub-big-int-untyped.js: Added.
2313         * stress/value-sub-spec-none-case.js: Added.
2314
2315 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2316
2317         [JSC] JSC should have "parseFunction" to optimize Function constructor
2318         https://bugs.webkit.org/show_bug.cgi?id=190340
2319
2320         Reviewed by Mark Lam.
2321
2322         This patch fixes the line number of syntax errors raised by the Function constructor,
2323         since we now parse the final code only once. And we no longer use block statement
2324         for Function constructor's parsing.
2325
2326         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2327         * stress/function-cache-with-parameters-end-position.js: Added.
2328         (shouldBe):
2329         (shouldThrow):
2330         (i.anonymous):
2331         * stress/function-constructor-name.js: Added.
2332         (shouldBe):
2333         (GeneratorFunction):
2334         (AsyncFunction.async):
2335         (AsyncGeneratorFunction.async):
2336         (anonymous):
2337         (async.anonymous):
2338         * test262/expectations.yaml:
2339
2340 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2341
2342         Unreviewed, rolling out r237242.
2343         https://bugs.webkit.org/show_bug.cgi?id=190701
2344
2345         it breaks "stress/sampling-profiler-basic.js" (Requested by
2346         caiolima on #webkit).
2347
2348         Reverted changeset:
2349
2350         "[BigInt] Add ValueSub into DFG"
2351         https://bugs.webkit.org/show_bug.cgi?id=186176
2352         https://trac.webkit.org/changeset/237242
2353
2354 2018-10-17  Keith Miller  <keith_miller@apple.com>
2355
2356         AI does not clear Phantom allocation nodes.
2357         https://bugs.webkit.org/show_bug.cgi?id=190694
2358
2359         Reviewed by Saam Barati.
2360
2361         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2362         (Day):
2363         (DaysInYear):
2364         (TimeInYear):
2365         (TimeFromYear):
2366         (DayFromYear):
2367         (InLeapYear):
2368         (YearFromTime):
2369         (WeekDay):
2370         (DaylightSavingTA):
2371         (GetSecondSundayInMarch):
2372         (TimeInMonth):
2373
2374 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2375
2376         [BigInt] Add ValueSub into DFG
2377         https://bugs.webkit.org/show_bug.cgi?id=186176
2378
2379         Reviewed by Yusuke Suzuki.
2380
2381         * stress/big-int-subtraction-jit.js:
2382         * stress/value-sub-big-int-prediction-propagation.js: Added.
2383         * stress/value-sub-big-int-untyped.js: Added.
2384
2385 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2386
2387         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2388         https://bugs.webkit.org/show_bug.cgi?id=190611
2389
2390         Reviewed by Saam Barati.
2391
2392         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2393         to improve test runtime. On ARM/MIPS this test even timed out when running all
2394         tests.
2395
2396         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2397         (test):
2398
2399 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2400
2401         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2402
2403         Unreviewed gardening.
2404
2405         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2406
2407 2018-10-15  Saam barati  <sbarati@apple.com>
2408
2409         Emit fjcvtzs on ARM64E on Darwin
2410         https://bugs.webkit.org/show_bug.cgi?id=184023
2411
2412         Reviewed by Yusuke Suzuki and Filip Pizlo.
2413
2414         * stress/double-to-int32-NaN.js: Added.
2415         (assert):
2416         (foo):
2417
2418 2018-10-15  Saam Barati  <sbarati@apple.com>
2419
2420         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2421         https://bugs.webkit.org/show_bug.cgi?id=190262
2422         <rdar://problem/44986241>
2423
2424         Reviewed by Mark Lam.
2425
2426         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2427         (test):
2428         * stress/slice-array-storage-with-holes.js: Added.
2429         (main):
2430
2431 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2432
2433         Unreviewed, rolling out r237054.
2434         https://bugs.webkit.org/show_bug.cgi?id=190593
2435
2436         "this regressed JetStream 2 by 6% on iOS" (Requested by
2437         saamyjoon on #webkit).
2438
2439         Reverted changeset:
2440
2441         "[JSC] JSC should have "parseFunction" to optimize Function
2442         constructor"
2443         https://bugs.webkit.org/show_bug.cgi?id=190340
2444         https://trac.webkit.org/changeset/237054
2445
2446 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2447
2448         [JSC] JSON.stringify can accept call-with-no-arguments
2449         https://bugs.webkit.org/show_bug.cgi?id=190343
2450
2451         Reviewed by Mark Lam.
2452
2453         * stress/json-stringify-no-arguments.js: Added.
2454         (shouldBe):
2455
2456 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2457
2458         [JSC] JSC should have "parseFunction" to optimize Function constructor
2459         https://bugs.webkit.org/show_bug.cgi?id=190340
2460
2461         Reviewed by Mark Lam.
2462
2463         This patch fixes the line number of syntax errors raised by the Function constructor,
2464         since we now parse the final code only once. And we no longer use block statement
2465         for Function constructor's parsing.
2466
2467         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2468         * stress/function-cache-with-parameters-end-position.js: Added.
2469         (shouldBe):
2470         (shouldThrow):
2471         (i.anonymous):
2472         * stress/function-constructor-name.js: Added.
2473         (shouldBe):
2474         (GeneratorFunction):
2475         (AsyncFunction.async):
2476         (AsyncGeneratorFunction.async):
2477         (anonymous):
2478         (async.anonymous):
2479         * test262/expectations.yaml:
2480
2481 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2482
2483         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2484         https://bugs.webkit.org/show_bug.cgi?id=190426
2485
2486         Unreviewed gardening.
2487
2488         * stress/sampling-profiler-richards.js:
2489
2490 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2491
2492         [ESNext][BigInt] Implement support for "|"
2493         https://bugs.webkit.org/show_bug.cgi?id=186229
2494
2495         Reviewed by Yusuke Suzuki.
2496
2497         * stress/big-int-bitwise-and-jit.js:
2498         * stress/big-int-bitwise-or-general.js: Added.
2499         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2500         * stress/big-int-bitwise-or-jit.js: Added.
2501         * stress/big-int-bitwise-or-memory-stress.js: Added.
2502         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2503         * stress/big-int-bitwise-or-type-error.js: Added.
2504         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2505
2506 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2507
2508         Skip test on systems with limited memory
2509         https://bugs.webkit.org/show_bug.cgi?id=190310
2510
2511         Invoking runDefault adds test to runlist, skipping the test in the next
2512         line does not prevent the test from executing. Change order of lines such
2513         that runDefault is only executed if test is not executed.
2514
2515         Reviewed by Mark Lam.
2516
2517         * stress/regress-190187.js:
2518
2519 2018-10-03  Saam barati  <sbarati@apple.com>
2520
2521         lowXYZ in FTLLower should always filter the type of the incoming edge
2522         https://bugs.webkit.org/show_bug.cgi?id=189939
2523         <rdar://problem/44407030>
2524
2525         Reviewed by Michael Saboff.
2526
2527         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2528         (foo):
2529         (test):
2530
2531 2018-10-03  Mark Lam  <mark.lam@apple.com>
2532
2533         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2534         https://bugs.webkit.org/show_bug.cgi?id=190187
2535         <rdar://problem/42512909>
2536
2537         Reviewed by Michael Saboff.
2538
2539         * stress/regress-190187.js: Added.
2540
2541 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2542
2543         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2544         https://bugs.webkit.org/show_bug.cgi?id=190033
2545
2546         Reviewed by Yusuke Suzuki.
2547
2548         * stress/big-int-to-string.js:
2549
2550 2018-10-01  Mark Lam  <mark.lam@apple.com>
2551
2552         Function.toString() should also copy the source code Functions that are class definitions.
2553         https://bugs.webkit.org/show_bug.cgi?id=190186
2554         <rdar://problem/44733360>
2555
2556         Reviewed by Saam Barati.
2557
2558         * stress/regress-190186.js: Added.
2559
2560 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2561
2562         Split NaN-check into separate test
2563         https://bugs.webkit.org/show_bug.cgi?id=190010
2564
2565         Reviewed by Saam Barati.
2566
2567         DataView exposes NaN-representation, which is not necessarily the same on each
2568         architecture. Therefore move the check of the NaN-representation into its own
2569         file such that we can disable this test on MIPS where NaN-representation can be
2570         different on older CPUs.
2571
2572         * stress/dataview-jit-set-nan.js: Added.
2573         (assert):
2574         (test.storeLittleEndian):
2575         (test.storeBigEndian):
2576         (test.store):
2577         (test):
2578         * stress/dataview-jit-set.js:
2579         (test5):
2580
2581 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2582
2583         Unreviewed, rolling out r236647.
2584         https://bugs.webkit.org/show_bug.cgi?id=190124
2585
2586         Breaking test stress/big-int-to-string.js (Requested by
2587         caiolima_ on #webkit).
2588
2589         Reverted changeset:
2590
2591         "[BigInt] BigInt.proptotype.toString is broken when radix is
2592         power of 2"
2593         https://bugs.webkit.org/show_bug.cgi?id=190033
2594         https://trac.webkit.org/changeset/236647
2595
2596 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2597
2598         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2599         https://bugs.webkit.org/show_bug.cgi?id=190033
2600
2601         Reviewed by Yusuke Suzuki.
2602
2603         * stress/big-int-to-string.js:
2604
2605 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2606
2607         [ESNext][BigInt] Implement support for "&"
2608         https://bugs.webkit.org/show_bug.cgi?id=186228
2609
2610         Reviewed by Yusuke Suzuki.
2611
2612         * stress/big-int-bitwise-and-general.js: Added.
2613         (assert):
2614         (assert.sameValue):
2615         * stress/big-int-bitwise-and-jit.js: Added.
2616         (let.assert.sameValue):
2617         (bigIntBitAnd):
2618         * stress/big-int-bitwise-and-memory-stress.js: Added.
2619         (assert):
2620         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2621         (assert.sameValue):
2622         (let.o.Symbol.toPrimitive):
2623         (catch):
2624         * stress/big-int-bitwise-and-type-error.js: Added.
2625         (assert):
2626         (assertThrowTypeError):
2627         (let.o.valueOf):
2628         (o.valueOf):
2629         (o.toString):
2630         (o.Symbol.toPrimitive):
2631         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2632         (assert.sameValue):
2633         (testBitAnd):
2634         (let.o.Symbol.toPrimitive):
2635         (o.valueOf):
2636         (o.toString):
2637
2638 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2639
2640         JSC test stress/jsc-read.js doesn't support CRLF
2641         https://bugs.webkit.org/show_bug.cgi?id=190063
2642
2643         Reviewed by Yusuke Suzuki.
2644
2645         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2646
2647         * stress/jsc-read.js:
2648         (test):
2649
2650 2018-09-27  Saam barati  <sbarati@apple.com>
2651
2652         Verify the contents of AssemblerBuffer on arm64e
2653         https://bugs.webkit.org/show_bug.cgi?id=190057
2654         <rdar://problem/38916630>
2655
2656         Reviewed by Mark Lam.
2657
2658         * stress/regress-189132.js:
2659
2660 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2661
2662         Disable test without LLInt on ARMv7
2663         https://bugs.webkit.org/show_bug.cgi?id=190037
2664
2665         Reviewed by Mark Lam.
2666
2667         Test runs out of executable memory on ARMv7, do not run
2668         this test without LLInt enabled.
2669
2670         * stress/regress-169445.js:
2671
2672 2018-09-26  Keith Miller  <keith_miller@apple.com>
2673
2674         We should zero unused property storage when rebalancing array storage.
2675         https://bugs.webkit.org/show_bug.cgi?id=188151
2676
2677         Reviewed by Michael Saboff.
2678
2679         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2680
2681 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2682
2683         [JSC] Optimize Array#lastIndexOf
2684         https://bugs.webkit.org/show_bug.cgi?id=189780
2685
2686         Reviewed by Saam Barati.
2687
2688         * stress/array-lastindexof-array-prototype-trap.js: Added.
2689         (shouldBe):
2690         (AncestorArray.prototype.get 2):
2691         (AncestorArray):
2692         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2693         (shouldBe):
2694         * stress/array-lastindexof-hole-nan.js: Added.
2695         (shouldBe):
2696         (throw.new.Error):
2697         * stress/array-lastindexof-infinity.js: Added.
2698         (shouldBe):
2699         (throw.new.Error):
2700         * stress/array-lastindexof-negative-zero.js: Added.
2701         (shouldBe):
2702         (throw.new.Error):
2703         * stress/array-lastindexof-own-getter.js: Added.
2704         (shouldBe):
2705         (throw.new.Error.get array):
2706         (get array):
2707         * stress/array-lastindexof-prototype-trap.js: Added.
2708         (shouldBe):
2709         (DerivedArray.prototype.get 2):
2710         (DerivedArray):
2711
2712 2018-09-25  Saam Barati  <sbarati@apple.com>
2713
2714         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2715         https://bugs.webkit.org/show_bug.cgi?id=189940
2716         <rdar://problem/43640987>
2717
2718         Reviewed by Mark Lam.
2719
2720         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2721
2722 2018-09-24  Saam Barati  <sbarati@apple.com>
2723
2724         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2725         https://bugs.webkit.org/show_bug.cgi?id=189922
2726         <rdar://problem/44651275>
2727
2728         Reviewed by Mark Lam.
2729
2730         * stress/array-indexof-fast-path-effects.js: Added.
2731         * stress/array-indexof-cached-length.js: Added.
2732
2733 2018-09-24  Saam barati  <sbarati@apple.com>
2734
2735         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2736         https://bugs.webkit.org/show_bug.cgi?id=189682
2737         <rdar://problem/43557315>
2738
2739         Reviewed by Mark Lam.
2740
2741         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2742         (foo):
2743
2744 2018-09-22  Saam barati  <sbarati@apple.com>
2745
2746         The sampling should not use Strong<CodeBlock> in its machineLocation field
2747         https://bugs.webkit.org/show_bug.cgi?id=189319
2748
2749         Reviewed by Filip Pizlo.
2750
2751         * stress/sampling-profiler-richards.js: Added.
2752
2753 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2754
2755         [JSC] Optimize Array#indexOf in C++ runtime
2756         https://bugs.webkit.org/show_bug.cgi?id=189507
2757
2758         Reviewed by Saam Barati.
2759
2760         * stress/array-indexof-array-prototype-trap.js: Added.
2761         (shouldBe):
2762         (AncestorArray.prototype.get 2):
2763         (AncestorArray):
2764         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2765         (shouldBe):
2766         * stress/array-indexof-hole-nan.js: Added.
2767         (shouldBe):
2768         (throw.new.Error):
2769         * stress/array-indexof-infinity.js: Added.
2770         (shouldBe):
2771         (throw.new.Error):
2772         * stress/array-indexof-negative-zero.js: Added.
2773         (shouldBe):
2774         (throw.new.Error):
2775         * stress/array-indexof-own-getter.js: Added.
2776         (shouldBe):
2777         (throw.new.Error.get array):
2778         (get array):
2779         * stress/array-indexof-prototype-trap.js: Added.
2780         (shouldBe):
2781         (DerivedArray.prototype.get 2):
2782         (DerivedArray):
2783
2784 2018-09-19  Saam barati  <sbarati@apple.com>
2785
2786         AI rule for MultiPutByOffset executes its effects in the wrong order
2787         https://bugs.webkit.org/show_bug.cgi?id=189757
2788         <rdar://problem/43535257>
2789
2790         Reviewed by Michael Saboff.
2791
2792         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2793         (foo):
2794         (Foo):
2795         (g):
2796
2797 2018-09-17  Mark Lam  <mark.lam@apple.com>
2798
2799         Ensure that ForInContexts are invalidated if their loop local is over-written.
2800         https://bugs.webkit.org/show_bug.cgi?id=189571
2801         <rdar://problem/44402277>
2802
2803         Reviewed by Saam Barati.
2804
2805         * stress/regress-189571.js: Added.
2806
2807 2018-09-17  Saam barati  <sbarati@apple.com>
2808
2809         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2810         https://bugs.webkit.org/show_bug.cgi?id=189676
2811         <rdar://problem/39682897>
2812
2813         Reviewed by Michael Saboff.
2814
2815         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2816         (A):
2817         (K):
2818         (i.catch):
2819
2820 2018-09-14  Saam barati  <sbarati@apple.com>
2821
2822         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2823         https://bugs.webkit.org/show_bug.cgi?id=189628
2824         <rdar://problem/39481690>
2825
2826         Reviewed by Mark Lam.
2827
2828         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2829         (foo):
2830
2831 2018-09-11  Mark Lam  <mark.lam@apple.com>
2832
2833         Test for array initialization in arrayProtoFuncSplice.
2834         https://bugs.webkit.org/show_bug.cgi?id=170253
2835         <rdar://problem/31328773>
2836
2837         Rubber-stamped by Saam Barati.
2838
2839         * stress/regress-170253.js: Added.
2840
2841 2018-09-11  Mark Lam  <mark.lam@apple.com>
2842
2843         Test for IntlObject initialization.
2844         https://bugs.webkit.org/show_bug.cgi?id=170251
2845         <rdar://problem/31328419>
2846
2847         Rubber-stamped by Saam Barati.
2848
2849         * stress/regress-170251.js: Added.
2850
2851 2018-09-11  Mark Lam  <mark.lam@apple.com>
2852
2853         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2854         https://bugs.webkit.org/show_bug.cgi?id=169889
2855         <rdar://problem/31155607>
2856
2857         Reviewed by Saam Barati.
2858
2859         * stress/regress-169889-array-concat.js: Added.
2860         * stress/regress-169889-array-concat1.js: Added.
2861         * stress/regress-169889-array-slice.js: Added.
2862
2863 2018-09-11  Mark Lam  <mark.lam@apple.com>
2864
2865         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2866         https://bugs.webkit.org/show_bug.cgi?id=169445
2867         <rdar://problem/30957435>
2868
2869         Reviewed by Saam Barati.
2870
2871         * stress/regress-169445.js: Added.
2872         (let.gun.eval.A):
2873         (let.gun.eval.B.C):
2874         (let.gun.eval.B.C.prototype.trigger):
2875         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2876         (let.gun.eval.B):
2877         (let.gun.eval):
2878
2879 == Rolled over to ChangeLog-2018-09-11 ==