[iOS] Web pages shouldn't be able to present a keyboard after the web view resigns...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
4         https://bugs.webkit.org/show_bug.cgi?id=194677
5         <rdar://problem/48112492>
6
7         Reviewed by Mark Lam.
8
9         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
10         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
11         it immediately fails due the large size.
12
13         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
14         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
15         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
16         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
17
18         This patch changes the test to produce 16bit string from String.fromCharCode.
19
20         * stress/regress-178386.js:
21
22 2019-02-26  Mark Lam  <mark.lam@apple.com>
23
24         wasmToJS() should purify incoming NaNs.
25         https://bugs.webkit.org/show_bug.cgi?id=194807
26         <rdar://problem/48189132>
27
28         Reviewed by Saam Barati.
29
30         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
31
32 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
33
34         [JSC] Repeat string created from Array.prototype.join() take too much memory
35         https://bugs.webkit.org/show_bug.cgi?id=193912
36
37         Reviewed by Saam Barati.
38
39         Added a test and a microbenchmark for corner cases of
40         Array.prototype.join() with an uninitialized array.
41
42         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
43         * stress/array-prototype-join-uninitialized.js: Added.
44         (testArray):
45         (testABC):
46         (B):
47         (C):
48
49 2019-02-22  Robin Morisset  <rmorisset@apple.com>
50
51         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
52         https://bugs.webkit.org/show_bug.cgi?id=194953
53         <rdar://problem/47595253>
54
55         Reviewed by Saam Barati.
56
57         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
58
59         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
60
61 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
62
63         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
64         https://bugs.webkit.org/show_bug.cgi?id=172848
65         <rdar://problem/25709212>
66
67         Reviewed by Mark Lam.
68
69         * typeProfiler/inheritance.js:
70         Rewrite the test slightly for clarity. The hoisting was confusing.
71
72         * heapProfiler/class-names.js: Added.
73         (MyES5Class):
74         (MyES6Class):
75         (MyES6Subclass):
76         Test object types and improved class names.
77
78         * heapProfiler/driver/driver.js:
79         (CheapHeapSnapshotNode):
80         (CheapHeapSnapshot):
81         (createCheapHeapSnapshot):
82         (HeapSnapshot):
83         (createHeapSnapshot):
84         Update snapshot parsing from version 1 to version 2.
85
86 2019-02-19  Truitt Savell  <tsavell@apple.com>
87
88         Unreviewed, rolling out r241784.
89
90         Broke all OpenSource builds.
91
92         Reverted changeset:
93
94         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
95         instances view"
96         https://bugs.webkit.org/show_bug.cgi?id=172848
97         https://trac.webkit.org/changeset/241784
98
99 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
100
101         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
102         https://bugs.webkit.org/show_bug.cgi?id=172848
103         <rdar://problem/25709212>
104
105         Reviewed by Mark Lam.
106
107         * typeProfiler/inheritance.js:
108         Rewrite the test slightly for clarity. The hoisting was confusing.
109
110         * heapProfiler/class-names.js: Added.
111         (MyES5Class):
112         (MyES6Class):
113         (MyES6Subclass):
114         Test object types and improved class names.
115
116         * heapProfiler/driver/driver.js:
117         (CheapHeapSnapshotNode):
118         (CheapHeapSnapshot):
119         (createCheapHeapSnapshot):
120         (HeapSnapshot):
121         (createHeapSnapshot):
122         Update snapshot parsing from version 1 to version 2.
123
124 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
125
126         [ARM] Fix crash with sampling profiler
127         https://bugs.webkit.org/show_bug.cgi?id=194772
128
129         Reviewed by Mark Lam.
130
131         Do not skip test since crash with sampling profiler is now fixed.
132
133         * stress/sampling-profiler-richards.js:
134
135 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
136
137         [JSC] Add LazyClassStructure::getInitializedOnMainThread
138         https://bugs.webkit.org/show_bug.cgi?id=194784
139         <rdar://problem/48154820>
140
141         Reviewed by Mark Lam.
142
143         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
144         (getProperties):
145         (getRandomProperty):
146         (i.catch):
147
148 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
149
150         [ARM] Test gardening: Test running out of executable memory
151         https://bugs.webkit.org/show_bug.cgi?id=194771
152
153         Unreviewed. Do not run test without LLInt, test is running out of executable
154         memory on ARM otherwise.
155
156         * stress/tagged-template-object-collect.js:
157
158 2019-02-18  Tomas Popela  <tpopela@redhat.com>
159
160         Unreviewed, skip the test on platforms without sampling profiler
161
162         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
163         (platformSupportsSamplingProfiler.foo):
164         (platformSupportsSamplingProfiler.test):
165         (platformSupportsSamplingProfiler):
166         (foo): Deleted.
167         (test): Deleted.
168
169 2019-02-17  Saam Barati  <sbarati@apple.com>
170
171         Deadlock when adding a Structure property transition and then doing incremental marking
172         https://bugs.webkit.org/show_bug.cgi?id=194767
173
174         Reviewed by Mark Lam.
175
176         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
177
178 2019-02-15  Michael Saboff  <msaboff@apple.com>
179
180         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
181         https://bugs.webkit.org/show_bug.cgi?id=194558
182
183         Reviewed by Saam Barati.
184
185         New regression test.
186
187         * stress/regexp-unicode-within-string.js: Added.
188
189 2019-02-15  Mark Lam  <mark.lam@apple.com>
190
191         SamplingProfiler::stackTracesAsJSON() should escape strings.
192         https://bugs.webkit.org/show_bug.cgi?id=194649
193         <rdar://problem/48072386>
194
195         Reviewed by Saam Barati.
196
197         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
198         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
199         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
200         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
201
202 2019-02-15  Robin Morisset  <rmorisset@apple.com>
203         CodeBlock::jettison should clear related watchpoints
204         https://bugs.webkit.org/show_bug.cgi?id=194544
205
206         Reviewed by Mark Lam.
207
208         * stress/regexp-replace-double-watchpoint.js: Added.
209         (foo):
210
211 2019-02-15  Saam barati  <sbarati@apple.com>
212
213         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
214         https://bugs.webkit.org/show_bug.cgi?id=194036
215
216         Reviewed by Yusuke Suzuki.
217
218         * stress/tail-call-many-arguments.js: Added.
219         (foo):
220         (bar):
221
222 2019-02-14  Saam Barati  <sbarati@apple.com>
223
224         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
225         https://bugs.webkit.org/show_bug.cgi?id=194583
226         <rdar://problem/48028140>
227
228         Reviewed by Yusuke Suzuki.
229
230         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
231
232 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
233
234         [JSC] String.fromCharCode's slow path always generates 16bit string
235         https://bugs.webkit.org/show_bug.cgi?id=194466
236
237         Reviewed by Keith Miller.
238
239         * stress/string-from-char-code-slow-path.js: Added.
240         (shouldBe):
241         (testWithLength):
242
243 2019-02-08  Saam barati  <sbarati@apple.com>
244
245         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
246         https://bugs.webkit.org/show_bug.cgi?id=194334
247         <rdar://problem/47844327>
248
249         Reviewed by Mark Lam.
250
251         * stress/check-in-bounds-should-be-a-child-use.js: Added.
252         (func):
253
254 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
255
256         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
257         https://bugs.webkit.org/show_bug.cgi?id=194369
258         <rdar://problem/47813087>
259
260         Reviewed by Saam Barati.
261
262         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
263         (A):
264
265 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
266
267         [JSC] PrivateName to PublicName hash table is wasteful
268         https://bugs.webkit.org/show_bug.cgi?id=194277
269
270         Reviewed by Michael Saboff.
271
272         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
273
274         * ChakraCore.yaml:
275
276 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
277
278         [ARM] Test running out of executable memory
279         https://bugs.webkit.org/show_bug.cgi?id=194285
280
281         Unreviewed. Do no execute test with LLInt disabled, test runs out of
282         executable memory otherwise.
283
284         * stress/class-subclassing-function.js:
285
286 2019-02-04  Robin Morisset  <rmorisset@apple.com>
287
288         when lowering AssertNotEmpty, create the value before creating the patchpoint
289         https://bugs.webkit.org/show_bug.cgi?id=194231
290
291         Reviewed by Saam Barati.
292
293         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
294         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
295         So even tiny changes to this test can change the path code taken.
296
297         * stress/assert-not-empty.js: Added.
298         (foo):
299
300 2019-02-01  Mark Lam  <mark.lam@apple.com>
301
302         Remove invalid assertion in DFG's compileDoubleRep().
303         https://bugs.webkit.org/show_bug.cgi?id=194130
304         <rdar://problem/47699474>
305
306         Reviewed by Saam Barati.
307
308         * stress/constant-fold-double-rep-into-double-constant.js: Added.
309
310 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
311
312         Import latest Test262 updates.
313
314         Rubber-stamped by Keith Miller.
315
316         * test262.yaml: Deleted.
317         * test262/config.yaml:
318         * test262/expectations.yaml:
319         * test262/latest-changes-summary.txt:
320         * test262/test/:
321         * test262/test262-Revision.txt:
322
323 2019-01-30  Robin Morisset  <rmorisset@apple.com>
324
325         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
326         https://bugs.webkit.org/show_bug.cgi?id=194050
327         <rdar://problem/47595592>
328
329         Reviewed by Yusuke Suzuki.
330
331         * stress/object-keys-osr-exit.js: Added.
332         (foo):
333         (catch):
334
335 2019-01-29  Mark Lam  <mark.lam@apple.com>
336
337         ValueRecovery::recover() should purify NaN values it recovers.
338         https://bugs.webkit.org/show_bug.cgi?id=193978
339         <rdar://problem/47625488>
340
341         Reviewed by Saam Barati.
342
343         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
344
345 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
346
347         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
348         https://bugs.webkit.org/show_bug.cgi?id=193713
349
350         * stress/try-get-by-id-should-spill-registers-dfg.js:
351         (let.f.createBuiltin):
352
353 2019-01-28  Mark Lam  <mark.lam@apple.com>
354
355         ToString node actually does GC.
356         https://bugs.webkit.org/show_bug.cgi?id=193920
357         <rdar://problem/46695900>
358
359         Reviewed by Yusuke Suzuki.
360
361         * stress/dfg-to-string-on-int-does-gc.js: Added.
362         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
363         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
364
365 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
366
367         [JSC] NativeErrorConstructor should not have own IsoSubspace
368         https://bugs.webkit.org/show_bug.cgi?id=193713
369
370         Reviewed by Saam Barati.
371
372         Remove @Error use.
373
374         * stress/try-get-by-id-should-spill-registers-dfg.js:
375         (let.f.createBuiltin):
376
377 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
378
379         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
380         https://bugs.webkit.org/show_bug.cgi?id=190693
381
382         Reviewed by Michael Saboff.
383
384         * stress/regress-190693.js: Added.
385         (truth):
386         (assert):
387         (shouldThrowInvalidConstAssignment):
388         (taz):
389
390 2019-01-24  Saam Barati  <sbarati@apple.com>
391
392         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
393         https://bugs.webkit.org/show_bug.cgi?id=193751
394         <rdar://problem/47280215>
395
396         Reviewed by Michael Saboff.
397
398         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
399         (let.thing):
400         (foo.let.hello):
401         (foo):
402
403 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
404
405         [JSC] Reenable baseline JIT on mips
406         https://bugs.webkit.org/show_bug.cgi?id=192983
407
408         Reviewed by Mark Lam.
409
410         Added a new test for a case that was triggering a RELEASE_ASSERT when
411         testing.
412         Disable some slow tests that were already disabled for arm and x86.
413
414         * stress/json-parse-big-object.js: Added.
415         * stress/new-largeish-contiguous-array-with-size.js:
416         * stress/op_add.js:
417         * stress/op_bitand.js:
418         * stress/op_bitor.js:
419         * stress/op_bitxor.js:
420         * stress/op_lshift-ConstVar.js:
421         * stress/op_lshift-VarConst.js:
422         * stress/op_lshift-VarVar.js:
423         * stress/op_mod-ConstVar.js:
424         * stress/op_mod-VarConst.js:
425         * stress/op_mod-VarVar.js:
426         * stress/op_mul-ConstVar.js:
427         * stress/op_mul-VarConst.js:
428         * stress/op_mul-VarVar.js:
429         * stress/op_rshift-ConstVar.js:
430         * stress/op_rshift-VarConst.js:
431         * stress/op_rshift-VarVar.js:
432         * stress/op_sub-ConstVar.js:
433         * stress/op_sub-VarConst.js:
434         * stress/op_sub-VarVar.js:
435         * stress/op_urshift-ConstVar.js:
436         * stress/op_urshift-VarConst.js:
437         * stress/op_urshift-VarVar.js:
438         * stress/sampling-profiler-richards.js:
439         * stress/spread-forward-call-varargs-stack-overflow.js:
440
441 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
442
443         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
444         https://bugs.webkit.org/show_bug.cgi?id=193711
445         <rdar://problem/47250262>
446
447         Reviewed by Saam Barati.
448
449         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
450         (shouldBe):
451         (foo):
452         (bar):
453         (baz):
454
455 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
456
457         Unreviewed, fix initial global lexical binding epoch
458         https://bugs.webkit.org/show_bug.cgi?id=193603
459         <rdar://problem/47380869>
460
461         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
462         (f1.f2.f3.f4):
463         (f1.f2.f3):
464         (f1.f2):
465         (f1):
466
467 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
468
469         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
470         https://bugs.webkit.org/show_bug.cgi?id=193709
471         <rdar://problem/47363838>
472
473         Unreviewed, rollout to watch the tests.
474
475         * stress/object-tostring-changed-proto.js: Removed.
476         * stress/object-tostring-changed.js: Removed.
477         * stress/object-tostring-misc.js: Removed.
478         * stress/object-tostring-other.js: Removed.
479         * stress/object-tostring-untyped.js: Removed.
480
481 2019-01-22  Saam Barati  <sbarati@apple.com>
482
483         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
484
485         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
486         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
487         (testUncheckedLessThanZero):
488         (testUncheckedLessThanOrEqualZero):
489         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
490         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
491
492 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
493
494         [JSC] Invalidate old scope operations using global lexical binding epoch
495         https://bugs.webkit.org/show_bug.cgi?id=193603
496         <rdar://problem/47380869>
497
498         Reviewed by Saam Barati.
499
500         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
501         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
502         (shouldThrow):
503         (bar):
504         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
505         (shouldBe):
506         (get1):
507         (get2):
508         (get1If):
509         (get2If):
510         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
511         (shouldThrow):
512         (foo):
513
514 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
515
516         Unreviewed, roll out r240220 due to date-format-xparb regression
517         https://bugs.webkit.org/show_bug.cgi?id=193603
518
519         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
520         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
521         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
522         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
523
524 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
525
526         DoesGC rule is wrong for nodes with BigIntUse
527         https://bugs.webkit.org/show_bug.cgi?id=193652
528
529         Reviewed by Saam Barati.
530
531         * stress/big-int-value-op-update-gc-rules.js: Added.
532         (assert):
533         (doesGCAdd):
534         (doesGCSub):
535         (doesGCDiv):
536         (doesGCMul):
537         (doesGCBitAnd):
538         (doesGCBitOr):
539         (doesGCBitXor):
540
541 2019-01-20  Saam Barati  <sbarati@apple.com>
542
543         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
544         https://bugs.webkit.org/show_bug.cgi?id=193644
545         <rdar://problem/46209745>
546
547         Reviewed by Yusuke Suzuki.
548
549         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
550         (foo):
551         * stress/data-view-set-intrinsic-undefined-result.js: Added.
552         (foo):
553         (bar):
554
555 2019-01-20  Saam Barati  <sbarati@apple.com>
556
557         MovHint must merge NodeBytecodeUsesAsValue for its child
558         https://bugs.webkit.org/show_bug.cgi?id=186916
559         <rdar://problem/41396612>
560
561         Reviewed by Yusuke Suzuki.
562
563         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
564         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
565
566 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
567
568         [JSC] Invalidate old scope operations using global lexical binding epoch
569         https://bugs.webkit.org/show_bug.cgi?id=193603
570         <rdar://problem/47380869>
571
572         Reviewed by Saam Barati.
573
574         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
575         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
576         (shouldThrow):
577         (bar):
578         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
579         (shouldBe):
580         (get1):
581         (get2):
582         (get1If):
583         (get2If):
584         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
585         (shouldThrow):
586         (foo):
587
588 2019-01-17  Saam barati  <sbarati@apple.com>
589
590         StringObjectUse should not be a structure check for the original string object structure
591         https://bugs.webkit.org/show_bug.cgi?id=193483
592         <rdar://problem/47280522>
593
594         Reviewed by Yusuke Suzuki.
595
596         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
597         (foo):
598         (a.valueOf.0):
599
600 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
601
602         [JSC] ToThis omission in DFGByteCodeParser is wrong
603         https://bugs.webkit.org/show_bug.cgi?id=193513
604         <rdar://problem/45842236>
605
606         Reviewed by Saam Barati.
607
608         * stress/to-this-omission-with-different-strict-modes.js: Added.
609         (thisA):
610         (thisAStrictWrapper):
611
612 2019-01-15  Mark Lam  <mark.lam@apple.com>
613
614         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
615         https://bugs.webkit.org/show_bug.cgi?id=193423
616         <rdar://problem/46209355>
617
618         Reviewed by Saam Barati.
619
620         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
621         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
622         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
623         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
624
625 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
626
627         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
628         https://bugs.webkit.org/show_bug.cgi?id=193438
629         <rdar://problem/45581249>
630
631         Reviewed by Saam Barati and Keith Miller.
632
633         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
634         Then, GetByVal(String) crashed.
635
636         * stress/string-get-by-val-lowering.js: Added.
637         (shouldBe):
638         (test):
639         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
640         (Hello):
641         (foo):
642
643 2019-01-15  Tomas Popela  <tpopela@redhat.com>
644
645         Unreviewed, skip JIT tests if it's not enabled
646
647         * stress/bit-op-with-object-returning-int32.js:
648
649 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
650
651         DFGByteCodeParser rules for bitwise operations should consider type of their operands
652         https://bugs.webkit.org/show_bug.cgi?id=192966
653
654         Reviewed by Yusuke Suzuki.
655
656         * stress/bit-op-with-object-returning-int32.js: Added.
657
658 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
659
660         Skip a slow test and a flakey test on arm
661
662         Unreviewed gardening.
663
664         * typeProfiler/getter-richards.js:
665         this test always times out, it used to be always skipped on arm and
666         mips, but got accidentally enabled by r237919 now that we have DFG on
667         arm. Also skipping on mips as we plan to soon enable DFG for it too.
668
669 2019-01-14  Keith Miller  <keith_miller@apple.com>
670
671         Skip type-check-hoisting-phase-hoist... with no jit
672         https://bugs.webkit.org/show_bug.cgi?id=193421
673
674         Reviewed by Mark Lam.
675
676         It's timing out the 32-bit bots and takes 330 seconds
677         on my machine when run by itself.
678
679         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
680
681 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
682
683         [JSC] AI should check the given constant's array type when folding GetByVal into constant
684         https://bugs.webkit.org/show_bug.cgi?id=193413
685         <rdar://problem/46092389>
686
687         Reviewed by Keith Miller.
688
689         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
690         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
691         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
692         but GetByVal does not have appropriate ArrayModes, JSC crashes.
693
694         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
695         (compareArray):
696
697 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
698
699         [BigInt] Literal parsing is crashing when used inside a Object Literal
700         https://bugs.webkit.org/show_bug.cgi?id=193404
701
702         Reviewed by Yusuke Suzuki.
703
704         * stress/big-int-literal-inside-literal-object.js: Added.
705
706 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
707
708         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
709         https://bugs.webkit.org/show_bug.cgi?id=193372
710
711         Reviewed by Saam Barati.
712
713         * stress/typed-array-array-modes-profile.js: Added.
714         (foo):
715
716 2019-01-14  Mark Lam  <mark.lam@apple.com>
717
718         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
719         https://bugs.webkit.org/show_bug.cgi?id=193402
720         <rdar://problem/46012309>
721
722         Reviewed by Keith Miller.
723
724         * stress/regexp-compile-oom.js:
725         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
726           is enabled.  As a result, it will fail on cloop builds though there is no bug.
727
728 2019-01-11  Saam barati  <sbarati@apple.com>
729
730         DFG combined liveness can be wrong for terminal basic blocks
731         https://bugs.webkit.org/show_bug.cgi?id=193304
732         <rdar://problem/45268632>
733
734         Reviewed by Yusuke Suzuki.
735
736         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
737
738 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
739
740         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
741         https://bugs.webkit.org/show_bug.cgi?id=193308
742         <rdar://problem/45546542>
743
744         Reviewed by Saam Barati.
745
746         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
747         (shouldThrow):
748         (shouldBe):
749         (foo):
750         (get shouldThrow):
751         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
752         (shouldThrow):
753         (shouldBe):
754         (foo):
755         (get shouldBe):
756         (get shouldThrow):
757         (get return):
758         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
759         (shouldThrow):
760         (shouldBe):
761         (foo):
762         (get shouldBe):
763         (get shouldThrow):
764         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
765         (shouldThrow):
766         (shouldBe):
767         (foo):
768         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
769         (shouldThrow):
770         (shouldBe):
771         (foo):
772         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
773         (shouldThrow):
774         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
775         (shouldThrow):
776         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
777         (shouldThrow):
778         (shouldBe):
779         (foo):
780         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
781         (shouldThrow):
782         (shouldBe):
783         (foo):
784         (get shouldBe):
785         (get shouldThrow):
786         (get return):
787         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
788         (shouldThrow):
789         (shouldBe):
790         (foo):
791         (get shouldBe):
792         (get shouldThrow):
793         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
794         (shouldThrow):
795         (shouldBe):
796         (foo):
797         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
798         (shouldThrow):
799         (shouldBe):
800         (foo):
801
802 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
803
804         Enable DFG on ARM/Linux again
805         https://bugs.webkit.org/show_bug.cgi?id=192496
806
807         Reviewed by Yusuke Suzuki.
808
809         Test wasn't really skipped before moving the line with skip
810         to the top.
811
812         * stress/regress-192717.js:
813
814 2019-01-10  Commit Queue  <commit-queue@webkit.org>
815
816         Unreviewed, rolling out r239825.
817         https://bugs.webkit.org/show_bug.cgi?id=193330
818
819         Broke tests on armv7/linux bots (Requested by guijemont on
820         #webkit).
821
822         Reverted changeset:
823
824         "Enable DFG on ARM/Linux again"
825         https://bugs.webkit.org/show_bug.cgi?id=192496
826         https://trac.webkit.org/changeset/239825
827
828 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
829
830         Enable DFG on ARM/Linux again
831         https://bugs.webkit.org/show_bug.cgi?id=192496
832
833         Reviewed by Yusuke Suzuki.
834
835         Test wasn't really skipped before moving the line with skip
836         to the top.
837
838         * stress/regress-192717.js:
839
840 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
841
842         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
843         https://bugs.webkit.org/show_bug.cgi?id=193127
844
845         Reviewed by Saam Barati.
846
847         * stress/array-species-create-should-handle-masquerader.js: Added.
848         (shouldThrow):
849         * stress/is-undefined-or-null-builtin.js: Added.
850         (shouldBe):
851         (isUndefinedOrNull.vm.createBuiltin):
852
853 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
854
855         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
856         https://bugs.webkit.org/show_bug.cgi?id=193221
857
858         Reviewed by Mark Lam.
859
860         * stress/put-by-id-flags.js: Added.
861         (f):
862         (g):
863         (numberOfDFGCompiles):
864
865 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
866
867         Baseline version of get_by_id may corrupt metadata
868         https://bugs.webkit.org/show_bug.cgi?id=193085
869         <rdar://problem/23453006>
870
871         Reviewed by Saam Barati.
872
873         * stress/get-by-id-change-mode.js: Added.
874         (forEach):
875
876 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
877
878         [JSC] Optimize Object.prototype.toString
879         https://bugs.webkit.org/show_bug.cgi?id=193031
880
881         Reviewed by Saam Barati.
882
883         * stress/object-tostring-changed-proto.js: Added.
884         (shouldBe):
885         (test):
886         * stress/object-tostring-changed.js: Added.
887         (shouldBe):
888         (test):
889         * stress/object-tostring-misc.js: Added.
890         (shouldBe):
891         (test):
892         (i.switch):
893         * stress/object-tostring-other.js: Added.
894         (shouldBe):
895         (test):
896         * stress/object-tostring-untyped.js: Added.
897         (shouldBe):
898         (test):
899         (i.switch):
900
901 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
902
903         test262-runner misbehaves when test file YAML has a trailing space
904         https://bugs.webkit.org/show_bug.cgi?id=193053
905
906         Reviewed by Yusuke Suzuki.
907
908         * test262/expectations.yaml:
909         Mark two dozen tests as passing (and correct the output of another).
910
911 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
912
913         Unreviewed, JSTests gardening with memoryLimited
914
915         * stress/string-overflow-createError.js:
916
917 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
918
919         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
920         https://bugs.webkit.org/show_bug.cgi?id=193050
921
922         Reviewed by Yusuke Suzuki.
923
924         * test262.yaml:
925         * test262/expectations.yaml:
926         Mark 16 tests as passing.
927
928 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
929
930         [BigInt] Support BigInt in JSON.stringify
931         https://bugs.webkit.org/show_bug.cgi?id=192624
932
933         Reviewed by Saam Barati.
934
935         * stress/big-int-json-stringify-to-json.js: Added.
936         (shouldBe):
937         (shouldThrow):
938         (BigInt.prototype.toJSON):
939         (shouldBe.JSON.stringify):
940         * stress/big-int-json-stringify.js: Added.
941         (shouldBe):
942         (shouldThrow):
943
944 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
945
946         [JSC] Implement "well-formed JSON.stringify" proposal
947         https://bugs.webkit.org/show_bug.cgi?id=191677
948
949         Reviewed by Darin Adler.
950
951         * stress/json-surrogate-pair.js: Added.
952         (shouldBe):
953         * test262/expectations.yaml:
954
955 2018-12-20  Keith Miller  <keith_miller@apple.com>
956
957         Add support for globalThis
958         https://bugs.webkit.org/show_bug.cgi?id=165171
959
960         Reviewed by Mark Lam.
961
962         * test262/config.yaml:
963
964 2018-12-19  Keith Miller  <keith_miller@apple.com>
965
966         Update test262 configuration to not run tests dependent on ICU version.
967         https://bugs.webkit.org/show_bug.cgi?id=192920
968
969         Reviewed by Saam Barati.
970
971         * test262/expectations.yaml:
972
973 2018-12-20  Mark Lam  <mark.lam@apple.com>
974
975         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
976         https://bugs.webkit.org/show_bug.cgi?id=192939
977         <rdar://problem/46869516>
978
979         Reviewed by Keith Miller.
980
981         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
982
983 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
984
985         WTF::String and StringImpl overflow MaxLength
986         https://bugs.webkit.org/show_bug.cgi?id=192853
987         <rdar://problem/45726906>
988
989         Reviewed by Mark Lam.
990
991         * stress/string-16bit-repeat-overflow.js: Added.
992         (catch):
993
994 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
995
996         Unreviewed follow-up to r192914.
997
998         * test262/expectations.yaml:
999         Add the last 20 missing expectations.
1000
1001 2018-12-19  Keith Miller  <keith_miller@apple.com>
1002
1003         Fix test262 expectations
1004         https://bugs.webkit.org/show_bug.cgi?id=192914
1005
1006         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1007
1008         * test262/expectations.yaml:
1009
1010 2018-12-19  Keith Miller  <keith_miller@apple.com>
1011
1012         Update test262 tests.
1013         https://bugs.webkit.org/show_bug.cgi?id=192907
1014
1015         Rubber stamped by Mark Lam.
1016
1017         * test262/*: Omitted because prepare-changelog crashes.
1018
1019 2018-12-19  Mark Lam  <mark.lam@apple.com>
1020
1021         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1022         https://bugs.webkit.org/show_bug.cgi?id=192464
1023         <rdar://problem/46519455>
1024
1025         Reviewed by Saam Barati.
1026
1027         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1028         microbenchmark.
1029
1030         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1031         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1032
1033 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1034
1035         String overflow in JSC::createError results in ASSERT in WTF::makeString
1036         https://bugs.webkit.org/show_bug.cgi?id=192833
1037         <rdar://problem/45706868>
1038
1039         Reviewed by Mark Lam.
1040
1041         * stress/string-overflow-createError.js: Added.
1042
1043 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1044
1045         Error message for `-x ** y` contains a typo.
1046         https://bugs.webkit.org/show_bug.cgi?id=192832
1047
1048         Reviewed by Saam Barati.
1049
1050         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1051         (assert.assert.return.throws):
1052         * stress/pow-expects-update-expression-on-lhs.js:
1053         (throw.new.Error):
1054         Update test expectations which match against the exact error message.
1055
1056 2018-12-18  Mark Lam  <mark.lam@apple.com>
1057
1058         Gardening: test options fix.
1059         https://bugs.webkit.org/show_bug.cgi?id=192822
1060
1061         Unreviewed.
1062
1063         * stress/json-stringify-string-builder-overflow.js:
1064
1065 2018-12-18  Mark Lam  <mark.lam@apple.com>
1066
1067         JSON.stringify() should throw OOM on StringBuilder overflows.
1068         https://bugs.webkit.org/show_bug.cgi?id=192822
1069         <rdar://problem/46670577>
1070
1071         Reviewed by Saam Barati.
1072
1073         * stress/json-stringify-string-builder-overflow.js: Added.
1074
1075 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1076
1077         Redeclaration of var over let/const/class should be a syntax error.
1078         https://bugs.webkit.org/show_bug.cgi?id=192298
1079
1080         Reviewed by Keith Miller.
1081
1082         * test262.yaml:
1083         * test262/expectations.yaml:
1084         Mark 46 tests as passing.
1085
1086         * stress/block-scope-redeclarations.js:
1087         Add some new tests.
1088
1089         * stress/for-in-invalidate-context-weird-assignments.js:
1090         * stress/for-in-tests.js:
1091         Replace tests for outdated behavior with tests for SyntaxError.
1092
1093         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1094         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1095         Update expectations.
1096
1097 2018-12-18  Mark Lam  <mark.lam@apple.com>
1098
1099         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1100         https://bugs.webkit.org/show_bug.cgi?id=191374
1101         <rdar://problem/46525447>
1102
1103         Reviewed by Yusuke Suzuki.
1104
1105         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1106
1107         * stress/elidable-new-object-roflcopter-then-exit.js:
1108
1109 2018-12-17  Mark Lam  <mark.lam@apple.com>
1110
1111         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1112         https://bugs.webkit.org/show_bug.cgi?id=192019
1113         <rdar://problem/46525456>
1114
1115         Reviewed by Yusuke Suzuki.
1116
1117         The test runs too slow on 32-bit.
1118
1119         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1120
1121 2018-12-17  Mark Lam  <mark.lam@apple.com>
1122
1123         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1124         https://bugs.webkit.org/show_bug.cgi?id=191373
1125         <rdar://problem/46525458>
1126
1127         Reviewed by Yusuke Suzuki.
1128
1129         The test is already slow running with a JIT on 64-bit.  It will always timeout
1130         on 32-bit without a JIT.
1131
1132         * stress/materialize-regexp-cyclic-regexp.js:
1133
1134 2018-12-17  Mark Lam  <mark.lam@apple.com>
1135
1136         Array unshift/shift should not race against the AI in the compiler thread.
1137         https://bugs.webkit.org/show_bug.cgi?id=192795
1138         <rdar://problem/46724263>
1139
1140         Reviewed by Saam Barati.
1141
1142         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1143
1144 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1145
1146         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1147         https://bugs.webkit.org/show_bug.cgi?id=190047
1148
1149         Reviewed by Saam Barati.
1150
1151         * stress/object-keys-cached-zero.js: Added.
1152         (shouldBe):
1153         (test):
1154         * stress/object-keys-changed-attribute.js: Added.
1155         (shouldBe):
1156         (test):
1157         * stress/object-keys-changed-index.js: Added.
1158         (shouldBe):
1159         (test):
1160         * stress/object-keys-changed.js: Added.
1161         (shouldBe):
1162         (test):
1163         * stress/object-keys-indexed-non-cache.js: Added.
1164         (shouldBe):
1165         (test):
1166         * stress/object-keys-overrides-get-property-names.js: Added.
1167         (shouldBe):
1168         (test):
1169         (noInline):
1170
1171 2018-12-17  Mark Lam  <mark.lam@apple.com>
1172
1173         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1174         https://bugs.webkit.org/show_bug.cgi?id=192779
1175         <rdar://problem/46775869>
1176
1177         Reviewed by Saam Barati.
1178
1179         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1180
1181 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1182
1183         Unreviewed test gardening, address a syntax error in a new test.
1184
1185         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1186
1187 2018-12-17  Mark Lam  <mark.lam@apple.com>
1188
1189         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1190         https://bugs.webkit.org/show_bug.cgi?id=192776
1191         <rdar://problem/46772368>
1192
1193         Reviewed by Keith Miller.
1194
1195         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1196
1197 2018-12-17  Mark Lam  <mark.lam@apple.com>
1198
1199         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1200         https://bugs.webkit.org/show_bug.cgi?id=192770
1201         <rdar://problem/46449037>
1202
1203         Reviewed by Keith Miller.
1204
1205         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1206
1207 2018-12-14  Mark Lam  <mark.lam@apple.com>
1208
1209         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1210         https://bugs.webkit.org/show_bug.cgi?id=192717
1211         <rdar://problem/46660677>
1212
1213         Reviewed by Saam Barati.
1214
1215         * stress/regress-192717.js: Added.
1216
1217 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1218
1219         Unreviewed, rolling out r239153, r239154, and r239155.
1220         https://bugs.webkit.org/show_bug.cgi?id=192715
1221
1222         Caused flaky GC-related crashes seen with layout tests
1223         (Requested by ryanhaddad on #webkit).
1224
1225         Reverted changesets:
1226
1227         "[JSC] Optimize Object.keys by caching own keys results in
1228         StructureRareData"
1229         https://bugs.webkit.org/show_bug.cgi?id=190047
1230         https://trac.webkit.org/changeset/239153
1231
1232         "Unreviewed, build fix after r239153"
1233         https://bugs.webkit.org/show_bug.cgi?id=190047
1234         https://trac.webkit.org/changeset/239154
1235
1236         "Unreviewed, build fix after r239153, part 2"
1237         https://bugs.webkit.org/show_bug.cgi?id=190047
1238         https://trac.webkit.org/changeset/239155
1239
1240 2018-12-14  Keith Miller  <keith_miller@apple.com>
1241
1242         Callers of JSString::getIndex should check for OOM exceptions
1243         https://bugs.webkit.org/show_bug.cgi?id=192709
1244
1245         Reviewed by Mark Lam.
1246
1247         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1248
1249 2018-12-13  Mark Lam  <mark.lam@apple.com>
1250
1251         Add a missing exception check.
1252         https://bugs.webkit.org/show_bug.cgi?id=192626
1253         <rdar://problem/46662163>
1254
1255         Reviewed by Keith Miller.
1256
1257         * stress/regress-192626.js: Added.
1258
1259 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1260
1261         [BigInt] Add ValueDiv into DFG
1262         https://bugs.webkit.org/show_bug.cgi?id=186178
1263
1264         Reviewed by Yusuke Suzuki.
1265
1266         * stress/big-int-div-jit-osr.js: Added.
1267         * stress/big-int-div-jit-untyped.js: Added.
1268         * stress/value-div-fixup-int32-big-int.js: Added.
1269
1270 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1271
1272         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1273         https://bugs.webkit.org/show_bug.cgi?id=190047
1274
1275         Reviewed by Keith Miller.
1276
1277         * stress/object-keys-cached-zero.js: Added.
1278         (shouldBe):
1279         (test):
1280         * stress/object-keys-changed-attribute.js: Added.
1281         (shouldBe):
1282         (test):
1283         * stress/object-keys-changed-index.js: Added.
1284         (shouldBe):
1285         (test):
1286         * stress/object-keys-changed.js: Added.
1287         (shouldBe):
1288         (test):
1289         * stress/object-keys-indexed-non-cache.js: Added.
1290         (shouldBe):
1291         (test):
1292         * stress/object-keys-overrides-get-property-names.js: Added.
1293         (shouldBe):
1294         (test):
1295         (noInline):
1296
1297 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1298
1299         [DFG][FTL] Add NewSymbol
1300         https://bugs.webkit.org/show_bug.cgi?id=192620
1301
1302         Reviewed by Saam Barati.
1303
1304         * microbenchmarks/symbol-creation.js: Added.
1305         (test):
1306         * stress/symbol-description-identity.js: Added.
1307         (shouldBe):
1308         (test):
1309         * stress/symbol-identity.js: Added.
1310         (shouldBe):
1311         (test):
1312         * stress/symbol-with-description-throw-error.js: Added.
1313         (shouldBe):
1314         (shouldThrow):
1315         (test):
1316         (object.toString):
1317
1318 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1319
1320         [BigInt] Implement DFG/FTL typeof for BigInt
1321         https://bugs.webkit.org/show_bug.cgi?id=192619
1322
1323         Reviewed by Keith Miller.
1324
1325         * stress/big-int-boolean-proven-type.js: Added.
1326         (assert):
1327         (bool):
1328         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1329         (assert):
1330         (typeOf):
1331         (i.switch):
1332         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1333         (assert):
1334         (typeOf):
1335         * stress/big-int-type-of.js:
1336         (typeOf):
1337         (func):
1338
1339 2018-12-10  Mark Lam  <mark.lam@apple.com>
1340
1341         PropertyAttribute needs a CustomValue bit.
1342         https://bugs.webkit.org/show_bug.cgi?id=191993
1343         <rdar://problem/46264467>
1344
1345         Reviewed by Saam Barati.
1346
1347         * stress/regress-191993.js: Added.
1348
1349 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1350
1351         [BigInt] Add ValueMul into DFG
1352         https://bugs.webkit.org/show_bug.cgi?id=186175
1353
1354         Reviewed by Yusuke Suzuki.
1355
1356         * stress/big-int-mul-jit-osr.js: Added.
1357         * stress/big-int-mul-jit-untyped.js: Added.
1358         * stress/value-mul-fixup-int32-big-int.js: Added.
1359
1360 2018-12-06  Keith Miller  <keith_miller@apple.com>
1361
1362         stress/big-wasm-memory tests failing on 32-bit JSC bot
1363         https://bugs.webkit.org/show_bug.cgi?id=192020
1364
1365         Reviewed by Saam Barati.
1366
1367         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1368         the wasm stress tests if the WebAssembly object does not exist.
1369
1370         * stress/big-wasm-memory-grow-no-max.js:
1371         (test.foo):
1372         (test):
1373         (foo): Deleted.
1374         (catch): Deleted.
1375         * stress/big-wasm-memory-grow.js:
1376         (test.foo):
1377         (test):
1378         (foo): Deleted.
1379         (catch): Deleted.
1380         * stress/big-wasm-memory.js:
1381         (test.foo):
1382         (test):
1383         (foo): Deleted.
1384         (catch): Deleted.
1385
1386 2018-12-05  Mark Lam  <mark.lam@apple.com>
1387
1388         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1389         https://bugs.webkit.org/show_bug.cgi?id=192441
1390         <rdar://problem/46480355>
1391
1392         Reviewed by Saam Barati.
1393
1394         * stress/regress-192441.js: Added.
1395
1396 2018-12-04  Mark Lam  <mark.lam@apple.com>
1397
1398         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1399         https://bugs.webkit.org/show_bug.cgi?id=192386
1400         <rdar://problem/46445516>
1401
1402         Reviewed by Saam Barati.
1403
1404         * stress/regress-192386.js: Added.
1405
1406 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1407
1408         [ESNext][BigInt] Support logic operations
1409         https://bugs.webkit.org/show_bug.cgi?id=179903
1410
1411         Reviewed by Yusuke Suzuki.
1412
1413         * stress/big-int-branch-usage.js: Added.
1414         * stress/big-int-logical-and.js: Added.
1415         * stress/big-int-logical-not.js: Added.
1416         * stress/big-int-logical-or.js: Added.
1417
1418 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1419
1420         Unreviewed, rolling out r238833.
1421
1422         Breaks macOS and iOS debug builds.
1423
1424         Reverted changeset:
1425
1426         "[ESNext][BigInt] Support logic operations"
1427         https://bugs.webkit.org/show_bug.cgi?id=179903
1428         https://trac.webkit.org/changeset/238833
1429
1430 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1431
1432         [ESNext][BigInt] Support logic operations
1433         https://bugs.webkit.org/show_bug.cgi?id=179903
1434
1435         Reviewed by Yusuke Suzuki.
1436
1437         * stress/big-int-branch-usage.js: Added.
1438         * stress/big-int-logical-and.js: Added.
1439         * stress/big-int-logical-not.js: Added.
1440         * stress/big-int-logical-or.js: Added.
1441
1442 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1443
1444         [ESNext][BigInt] Implement support for "<<" and ">>"
1445         https://bugs.webkit.org/show_bug.cgi?id=186233
1446
1447         Reviewed by Yusuke Suzuki.
1448
1449         * stress/big-int-left-shift-general.js: Added.
1450         * stress/big-int-left-shift-range-error.js: Added.
1451         * stress/big-int-left-shift-type-error.js: Added.
1452         * stress/big-int-left-shift-wrapped-value.js: Added.
1453         * stress/big-int-right-shift-general.js: Added.
1454         * stress/big-int-right-shift-type-error.js: Added.
1455         * stress/big-int-right-shift-wrapped-value.js: Added.
1456         * stress/left-shift-to-primitive-precedence.js: Added.
1457         * stress/right-shift-to-primitive-precedence.js: Added.
1458
1459 2018-11-30  Dean Jackson  <dino@apple.com>
1460
1461         Add first-class support for .mjs files in jsc binary
1462         https://bugs.webkit.org/show_bug.cgi?id=192190
1463         <rdar://problem/46375715>
1464
1465         Reviewed by Keith Miller.
1466
1467         * stress/simple-module.mjs: Added.
1468         * stress/simple-script.js: Added.
1469
1470 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1471
1472         [BigInt] Implement ValueBitXor into DFG
1473         https://bugs.webkit.org/show_bug.cgi?id=190264
1474
1475         Reviewed by Yusuke Suzuki.
1476
1477         * stress/big-int-bitwise-xor-jit.js: Added.
1478         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1479         * stress/big-int-bitwise-xor-untyped.js: Added.
1480
1481 2018-11-27  Saam barati  <sbarati@apple.com>
1482
1483         r238510 broke scopes of size zero
1484         https://bugs.webkit.org/show_bug.cgi?id=192033
1485         <rdar://problem/46281734>
1486
1487         Reviewed by Keith Miller.
1488
1489         * stress/r238510-bad-loop.js: Added.
1490         (foo):
1491
1492 2018-11-27  Mark Lam  <mark.lam@apple.com>
1493
1494         [Re-landing] NaNs read from Wasm code needs to be be purified.
1495         https://bugs.webkit.org/show_bug.cgi?id=191056
1496         <rdar://problem/45660341>
1497
1498         Reviewed by Filip Pizlo.
1499
1500         * wasm/regress/regress-191056.js: Added.
1501
1502 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1503
1504         Unreviewed, rolling out r238509.
1505
1506         Causes JSC tests to fail on iOS.
1507
1508         Reverted changeset:
1509
1510         "NaNs read from Wasm code needs to be be purified."
1511         https://bugs.webkit.org/show_bug.cgi?id=191056
1512         https://trac.webkit.org/changeset/238509
1513
1514 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1515
1516         Re-introduce op_bitnot
1517         https://bugs.webkit.org/show_bug.cgi?id=190923
1518
1519         Reviewed by Yusuke Suzuki.
1520
1521         * stress/bit-not-must-generate.js: Added.
1522         * stress/bitwise-not-no-int32.js: Added.
1523
1524 2018-11-26  Saam barati  <sbarati@apple.com>
1525
1526         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1527         https://bugs.webkit.org/show_bug.cgi?id=191956
1528         <rdar://problem/45665806>
1529
1530         Reviewed by Yusuke Suzuki.
1531
1532         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1533         (bar):
1534         (foo):
1535
1536 2018-11-26  Saam barati  <sbarati@apple.com>
1537
1538         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1539         https://bugs.webkit.org/show_bug.cgi?id=191958
1540         <rdar://problem/46221877>
1541
1542         Reviewed by Yusuke Suzuki.
1543
1544         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1545         (x):
1546         (foo):
1547
1548 2018-11-26  Mark Lam  <mark.lam@apple.com>
1549
1550         NaNs read from Wasm code needs to be be purified.
1551         https://bugs.webkit.org/show_bug.cgi?id=191056
1552         <rdar://problem/45660341>
1553
1554         Reviewed by Filip Pizlo.
1555
1556         * wasm/regress/regress-191056.js: Added.
1557
1558 2018-11-26  Michael Saboff  <msaboff@apple.com>
1559
1560         32-bit JSC test failure: stress/regexp-compile-oom.js
1561         https://bugs.webkit.org/show_bug.cgi?id=191375
1562
1563         Reviewed by Mark Lam.
1564
1565         Disabled the test for 32 bit platforms.
1566
1567         * stress/regexp-compile-oom.js:
1568
1569 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1570
1571         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1572         https://bugs.webkit.org/show_bug.cgi?id=191716
1573         <rdar://problem/45723878>
1574
1575         Reviewed by Saam Barati.
1576
1577         * stress/regress-187373.js: Added.
1578         (async.fn):
1579
1580 2018-11-21  Saam barati  <sbarati@apple.com>
1581
1582         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1583         https://bugs.webkit.org/show_bug.cgi?id=191897
1584         <rdar://problem/45871998>
1585
1586         Reviewed by Mark Lam.
1587
1588         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1589         (bar):
1590         (foo):
1591
1592 2018-11-21  Saam barati  <sbarati@apple.com>
1593
1594         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1595         https://bugs.webkit.org/show_bug.cgi?id=191895
1596         <rdar://problem/46167406>
1597
1598         Reviewed by Mark Lam.
1599
1600         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1601         (foo):
1602         (bar):
1603
1604 2018-11-21  Mark Lam  <mark.lam@apple.com>
1605
1606         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1607         https://bugs.webkit.org/show_bug.cgi?id=191776
1608         <rdar://problem/46152851>
1609
1610         Reviewed by Saam Barati.
1611
1612         * stress/big-wasm-memory-grow-no-max.js:
1613         * stress/big-wasm-memory-grow.js:
1614         * stress/big-wasm-memory.js:
1615         - updated these to expect an OutOfMemoryError.
1616
1617         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1618         (Binary.prototype.emit_u8):
1619         (Binary.prototype.emit_u32v):
1620         (Binary.prototype.emit_header):
1621         (Binary.prototype.emit_section):
1622         (Binary):
1623         (WasmModuleBuilder):
1624         (WasmModuleBuilder.prototype.addMemory):
1625         (WasmModuleBuilder.prototype.toArray):
1626         (WasmModuleBuilder.prototype.toBuffer):
1627         (WasmModuleBuilder.prototype.instantiate):
1628         (catch):
1629         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1630         (catch):
1631
1632 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1633
1634         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1635         https://bugs.webkit.org/show_bug.cgi?id=190836
1636
1637         Reviewed by Saam Barati and Yusuke Suzuki.
1638
1639         * stress/big-int-out-of-memory-tests.js: Added.
1640
1641 2018-11-20  Mark Lam  <mark.lam@apple.com>
1642
1643         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1644         https://bugs.webkit.org/show_bug.cgi?id=191856
1645         <rdar://problem/46089992>
1646
1647         Reviewed by Yusuke Suzuki.
1648
1649         * stress/regress-191856.js: Added.
1650         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1651
1652 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1653
1654         Enable JIT on ARM/Linux
1655         https://bugs.webkit.org/show_bug.cgi?id=191548
1656
1657         Reviewed by Yusuke Suzuki.
1658
1659         Disable test on system with limited memory. Program was killed by
1660         the OS before the exception was thrown.
1661
1662         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1663
1664 2018-11-20  Saam barati  <sbarati@apple.com>
1665
1666         Merging an IC variant may lead to the IC status containing overlapping structure sets
1667         https://bugs.webkit.org/show_bug.cgi?id=191869
1668         <rdar://problem/45403453>
1669
1670         Reviewed by Mark Lam.
1671
1672         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1673
1674 2018-11-19  Mark Lam  <mark.lam@apple.com>
1675
1676         globalFuncImportModule() should return a promise when it clears exceptions.
1677         https://bugs.webkit.org/show_bug.cgi?id=191792
1678         <rdar://problem/46090763>
1679
1680         Reviewed by Michael Saboff.
1681
1682         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1683
1684 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1685
1686         Skip new memory-hungry tests on memory limited devices
1687
1688         Unreviewed gardening.
1689
1690         * stress/big-wasm-memory-grow-no-max.js:
1691         * stress/big-wasm-memory-grow.js:
1692         * stress/big-wasm-memory.js:
1693
1694 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1695
1696         Unreviewed, rolling in the rest of r237254
1697         https://bugs.webkit.org/show_bug.cgi?id=190340
1698
1699         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1700         * stress/function-cache-with-parameters-end-position.js: Added.
1701         (shouldBe):
1702         (shouldThrow):
1703         (i.anonymous):
1704         * stress/function-constructor-name.js: Added.
1705         (shouldBe):
1706         (GeneratorFunction):
1707         (AsyncFunction.async):
1708         (AsyncGeneratorFunction.async):
1709         (anonymous):
1710         (async.anonymous):
1711         * test262/expectations.yaml:
1712
1713 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1714
1715         All users of ArrayBuffer should agree on the same max size
1716         https://bugs.webkit.org/show_bug.cgi?id=191771
1717
1718         Reviewed by Mark Lam.
1719
1720         * stress/big-wasm-memory-grow-no-max.js: Added.
1721         (foo):
1722         (catch):
1723         * stress/big-wasm-memory-grow.js: Added.
1724         (foo):
1725         (catch):
1726         * stress/big-wasm-memory.js: Added.
1727         (foo):
1728         (catch):
1729
1730 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1731
1732         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1733         run for each JSC config since they're regression tests for runtime bugs.
1734
1735         * stress/json-stringified-overflow-2.js:
1736         * stress/json-stringified-overflow.js:
1737
1738 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1739
1740         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1741         config since they're regression tests for runtime bugs.
1742
1743         * stress/large-unshift-splice.js:
1744         * stress/regress-185888.js:
1745
1746 2018-11-16  Saam Barati  <sbarati@apple.com>
1747
1748         KnownCellUse should also have SpecCellCheck as its type filter
1749         https://bugs.webkit.org/show_bug.cgi?id=191729
1750         <rdar://problem/45872852>
1751
1752         Reviewed by Filip Pizlo.
1753
1754         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1755         (C):
1756
1757 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1758
1759         Fix assertion failure on BytecodeGenerator::recordOpcode
1760         https://bugs.webkit.org/show_bug.cgi?id=191724
1761         <rdar://problem/45724395>
1762
1763         Reviewed by Saam Barati.
1764
1765         * stress/regress-187373-2.js: Added.
1766         (foo):
1767
1768 2018-11-15  Mark Lam  <mark.lam@apple.com>
1769
1770         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1771         https://bugs.webkit.org/show_bug.cgi?id=191730
1772         <rdar://problem/46048517>
1773
1774         Reviewed by Saam Barati.
1775
1776         * stress/regress-187006.js: Removed.
1777           - this test is invalid because its sole purpose is to test for the non-spec
1778             compliant behavior that we just fixed.
1779
1780         * stress/regress-191730.js: Added.
1781
1782 2018-11-15  Mark Lam  <mark.lam@apple.com>
1783
1784         RegExp operations should not take fast patch if lastIndex is not numeric.
1785         https://bugs.webkit.org/show_bug.cgi?id=191731
1786         <rdar://problem/46017305>
1787
1788         Reviewed by Saam Barati.
1789
1790         * stress/regress-191731.js: Added.
1791
1792 2018-11-13  Saam Barati  <sbarati@apple.com>
1793
1794         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1795         https://bugs.webkit.org/show_bug.cgi?id=191600
1796
1797         Reviewed by Mark Lam.
1798
1799         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1800         (foo):
1801         (test):
1802         (bar):
1803
1804 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1805
1806         Unreviewed, rolling out r238132.
1807
1808         The test added with this change is timing out on Debug JSC
1809         bots.
1810
1811         Reverted changeset:
1812
1813         "[BigInt] JSBigInt::createWithLength should throw when length
1814         is greater than JSBigInt::maxLength"
1815         https://bugs.webkit.org/show_bug.cgi?id=190836
1816         https://trac.webkit.org/changeset/238132
1817
1818 2018-11-13  Mark Lam  <mark.lam@apple.com>
1819
1820         Add OOM detection to StringPrototype's substituteBackreferences().
1821         https://bugs.webkit.org/show_bug.cgi?id=191563
1822         <rdar://problem/45720428>
1823
1824         Reviewed by Saam Barati.
1825
1826         * stress/regress-191563.js: Added.
1827
1828 2018-11-13  Mark Lam  <mark.lam@apple.com>
1829
1830         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1831         https://bugs.webkit.org/show_bug.cgi?id=191579
1832         <rdar://problem/45942472>
1833
1834         Reviewed by Saam Barati.
1835
1836         * stress/regress-191579.js: Added.
1837
1838 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1839
1840         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1841         https://bugs.webkit.org/show_bug.cgi?id=190836
1842
1843         Reviewed by Saam Barati.
1844
1845         * stress/big-int-out-of-memory-tests.js: Added.
1846
1847 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1848
1849         U+180E is no longer a whitespace character
1850         https://bugs.webkit.org/show_bug.cgi?id=191415
1851
1852         Reviewed by Saam Barati.
1853
1854         * ChakraCore/test/es5/regexSpace.baseline:
1855         * ChakraCore/test/es6/unicode_whitespace.js:
1856         Update tests to latest version.
1857         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1858
1859         * test262.yaml:
1860         * test262/config.yaml:
1861         * test262/expectations.yaml:
1862         Update expectations.
1863
1864 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1865
1866         [BigInt] Add support to BigInt into ValueAdd
1867         https://bugs.webkit.org/show_bug.cgi?id=186177
1868
1869         Reviewed by Keith Miller.
1870
1871         * stress/big-int-negate-jit.js:
1872         * stress/value-add-big-int-and-string.js: Added.
1873         * stress/value-add-big-int-prediction-propagation.js: Added.
1874         * stress/value-add-big-int-untyped.js: Added.
1875
1876 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1877
1878         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1879         https://bugs.webkit.org/show_bug.cgi?id=191184
1880
1881         Reviewed by Saam Barati.
1882
1883         Most tests were failing due to timeouts, since they are too slow to
1884         run on CLoop. The exceptions are:
1885
1886         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1887         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1888         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1889         to change the stack size since CLoop requires it to be page aligned.
1890
1891         * microbenchmarks/array-push-1.js:
1892         * microbenchmarks/array-push-2.js:
1893         * microbenchmarks/elidable-new-object-dag.js:
1894         * microbenchmarks/elidable-new-object-roflcopter.js:
1895         * microbenchmarks/elidable-new-object-tree.js:
1896         * microbenchmarks/getter-richards.js:
1897         * microbenchmarks/sinkable-new-object-dag.js:
1898         * microbenchmarks/string-concat-long-convert.js:
1899         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1900         * slowMicrobenchmarks/array-push-3.js:
1901         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1902         * slowMicrobenchmarks/spread-small-array.js:
1903         * slowMicrobenchmarks/undefined-property-access.js:
1904         * stress/activation-sink-default-value-tdz-error.js:
1905         * stress/activation-sink-default-value.js:
1906         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1907         * stress/activation-sink-osrexit-default-value.js:
1908         * stress/activation-sink-osrexit.js:
1909         * stress/activation-sink.js:
1910         * stress/allow-math-ic-b3-code-duplication.js:
1911         * stress/array-push-multiple-int32.js:
1912         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1913         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1914         * stress/arrowfunction-lexical-this-activation-sink.js:
1915         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1916         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1917         * stress/elide-new-object-dag-then-exit.js:
1918         * stress/materialize-regexp-cyclic.js:
1919         * stress/new-regex-inline.js:
1920         * stress/op_add.js:
1921         * stress/op_bitand.js:
1922         * stress/op_bitor.js:
1923         * stress/op_bitxor.js:
1924         * stress/op_div-ConstVar.js:
1925         * stress/op_div-VarConst.js:
1926         * stress/op_div-VarVar.js:
1927         * stress/op_lshift-ConstVar.js:
1928         * stress/op_lshift-VarConst.js:
1929         * stress/op_lshift-VarVar.js:
1930         * stress/op_mod-ConstVar.js:
1931         * stress/op_mod-VarConst.js:
1932         * stress/op_mod-VarVar.js:
1933         * stress/op_mul-ConstVar.js:
1934         * stress/op_mul-VarConst.js:
1935         * stress/op_mul-VarVar.js:
1936         * stress/op_rshift-ConstVar.js:
1937         * stress/op_rshift-VarConst.js:
1938         * stress/op_rshift-VarVar.js:
1939         * stress/op_sub-ConstVar.js:
1940         * stress/op_sub-VarConst.js:
1941         * stress/op_sub-VarVar.js:
1942         * stress/op_urshift-ConstVar.js:
1943         * stress/op_urshift-VarConst.js:
1944         * stress/op_urshift-VarVar.js:
1945         * stress/proxy-get-set-correct-receiver.js:
1946         * stress/regress-179562.js:
1947         * stress/rest-parameter-many-arguments.js:
1948         * stress/sampling-profiler-richards.js:
1949         * stress/splay-flash-access-1ms.js:
1950         * stress/tailCallForwardArguments.js:
1951         * stress/typed-array-get-by-val-profiling.js:
1952         * typeProfiler/getter-richards.js:
1953
1954 2018-11-06  Michael Saboff  <msaboff@apple.com>
1955
1956         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1957         https://bugs.webkit.org/show_bug.cgi?id=191271
1958
1959         Reviewed by Saam Barati.
1960
1961         Added more test cases and made all test cases run with the same deeply recursive stack
1962         instead of finding that same point for each test case.
1963
1964         * stress/regexp-compile-oom.js:
1965         (prototype.runTest):
1966         (recurseAndTest):
1967         (testList.push.new.TestAndExpectedException):
1968
1969 2018-11-05  Michael Saboff  <msaboff@apple.com>
1970
1971         Unreviewed build fix for linux.
1972
1973         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1974
1975 2018-11-02  Michael Saboff  <msaboff@apple.com>
1976
1977         Rolling in r237753 with unreviewed build fix.
1978
1979         Fixed issues with DECLARE_THROW_SCOPE placement.
1980
1981 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1982
1983         Unreviewed, rolling out r237753.
1984
1985         Introduced JSC test failures
1986
1987         Reverted changeset:
1988
1989         "Running out of stack space not properly handled in
1990         RegExp::compile() and its callers"
1991         https://bugs.webkit.org/show_bug.cgi?id=191206
1992         https://trac.webkit.org/changeset/237753
1993
1994 2018-11-02  Michael Saboff  <msaboff@apple.com>
1995
1996         Running out of stack space not properly handled in RegExp::compile() and its callers
1997         https://bugs.webkit.org/show_bug.cgi?id=191206
1998
1999         Reviewed by Filip Pizlo.
2000
2001         New regression test.
2002
2003         * stress/regexp-compile-oom.js: Added.
2004         (recurseAndTest):
2005
2006 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2007
2008         Skip tests on arm/mips that time out now we're running on CLoop
2009
2010         Unreviewed gardening.
2011
2012         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2013         time out on the bots and need to be disabled. There's more tests
2014         disabled on arm because the timeout is longer on the mips bot (as the
2015         device is slower to start with), so many of the tests don't time out
2016         there.
2017
2018         * microbenchmarks/getter-richards.js: disable on arm and mips.
2019         * stress/op_add.js: disable on arm.
2020         * stress/op_bitand.js: disable on arm.
2021         * stress/op_bitor.js: disable on arm.
2022         * stress/op_bitxor.js: disable on arm.
2023         * stress/op_lshift-ConstVar.js: disable on arm.
2024         * stress/op_lshift-VarConst.js: disable on arm.
2025         * stress/op_lshift-VarVar.js: disable on arm.
2026         * stress/op_mod-ConstVar.js: disable on arm.
2027         * stress/op_mod-VarConst.js: disable on arm.
2028         * stress/op_mod-VarVar.js: disable on arm.
2029         * stress/op_mul-ConstVar.js: disable on arm.
2030         * stress/op_mul-VarConst.js: disable on arm.
2031         * stress/op_mul-VarVar.js: disable on arm.
2032         * stress/op_rshift-ConstVar.js: disable on arm.
2033         * stress/op_rshift-VarConst.js: disable on arm.
2034         * stress/op_rshift-VarVar.js: disable on arm.
2035         * stress/op_sub-ConstVar.js: disable on arm.
2036         * stress/op_sub-VarConst.js: disable on arm.
2037         * stress/op_sub-VarVar.js: disable on arm.
2038         * stress/op_urshift-ConstVar.js: disable on arm.
2039         * stress/op_urshift-VarConst.js: disable on arm.
2040         * stress/op_urshift-VarVar.js: disable on arm.
2041         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2042         * stress/value-to-boolean.js: disable on arm and mips.
2043
2044 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2045
2046         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2047         https://bugs.webkit.org/show_bug.cgi?id=191108
2048         <rdar://problem/45690700>
2049
2050         Reviewed by Saam Barati.
2051
2052         * stress/wide-op_catch.js: Added.
2053         (catch):
2054
2055 2018-10-29  Mark Lam  <mark.lam@apple.com>
2056
2057         Correctly detect string overflow when using the 'Function' constructor.
2058         https://bugs.webkit.org/show_bug.cgi?id=184883
2059         <rdar://problem/36320331>
2060
2061         Reviewed by Saam Barati.
2062
2063         I've verified that this passes on 32-bit as well.
2064
2065         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2066
2067 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2068
2069         Add support for GetStack FlushedDouble
2070         https://bugs.webkit.org/show_bug.cgi?id=191012
2071         <rdar://problem/45265141>
2072
2073         Reviewed by Saam Barati.
2074
2075         * stress/get-stack-double.js: Added.
2076         (bar):
2077         (noInline):
2078
2079 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2080
2081         New bytecode format for JSC
2082         https://bugs.webkit.org/show_bug.cgi?id=187373
2083         <rdar://problem/44186758>
2084
2085         Reviewed by Filip Pizlo.
2086
2087         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2088
2089         * stress/maximum-inline-capacity.js: Added.
2090         (test1):
2091         (test3.Foo):
2092         (test3):
2093
2094 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2095
2096         Unreviewed, rolling out r237479 and r237484.
2097         https://bugs.webkit.org/show_bug.cgi?id=190978
2098
2099         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2100
2101         Reverted changesets:
2102
2103         "New bytecode format for JSC"
2104         https://bugs.webkit.org/show_bug.cgi?id=187373
2105         https://trac.webkit.org/changeset/237479
2106
2107         "Gardening: Build fix after r237479."
2108         https://bugs.webkit.org/show_bug.cgi?id=187373
2109         https://trac.webkit.org/changeset/237484
2110
2111 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2112
2113         New bytecode format for JSC
2114         https://bugs.webkit.org/show_bug.cgi?id=187373
2115         <rdar://problem/44186758>
2116
2117         Reviewed by Filip Pizlo.
2118
2119         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2120
2121         * stress/maximum-inline-capacity.js: Added.
2122         (test1):
2123         (test3.Foo):
2124         (test3):
2125
2126 2018-10-26  Mark Lam  <mark.lam@apple.com>
2127
2128         Fix missing edge cases with JSGlobalObjects having a bad time.
2129         https://bugs.webkit.org/show_bug.cgi?id=189028
2130         <rdar://problem/45204939>
2131
2132         Reviewed by Saam Barati.
2133
2134         * stress/regress-189028.js: Added.
2135
2136 2018-10-22  Mark Lam  <mark.lam@apple.com>
2137
2138         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2139         https://bugs.webkit.org/show_bug.cgi?id=190515
2140         <rdar://problem/45222379>
2141
2142         Rubber-stamped by Saam Barati.
2143
2144         Adding another test.
2145
2146         * stress/regress-190515-2.js: Added.
2147
2148 2018-10-22  Mark Lam  <mark.lam@apple.com>
2149
2150         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2151         https://bugs.webkit.org/show_bug.cgi?id=190515
2152         <rdar://problem/45222379>
2153
2154         Reviewed by Saam Barati.
2155
2156         * stress/regress-190515.js: Added.
2157
2158 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2159
2160         Unreviewed, rolling out r237254.
2161         https://bugs.webkit.org/show_bug.cgi?id=190760
2162
2163         "It regresses JetStream 2 by 5% on some iOS devices"
2164         (Requested by saamyjoon on #webkit).
2165
2166         Reverted changeset:
2167
2168         "[JSC] JSC should have "parseFunction" to optimize Function
2169         constructor"
2170         https://bugs.webkit.org/show_bug.cgi?id=190340
2171         https://trac.webkit.org/changeset/237254
2172
2173 2018-10-19  Saam Barati  <sbarati@apple.com>
2174
2175         vmCall should check if we exit before emitting an OSR exit due to exceptions
2176         https://bugs.webkit.org/show_bug.cgi?id=190740
2177         <rdar://problem/45220139>
2178
2179         Reviewed by Mark Lam.
2180
2181         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2182         (foo):
2183
2184 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2185
2186         [ESNext][BigInt] Implement support for "^"
2187         https://bugs.webkit.org/show_bug.cgi?id=186235
2188
2189         Reviewed by Yusuke Suzuki.
2190
2191         * stress/big-int-bitwise-xor-general.js: Added.
2192         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2193         * stress/big-int-bitwise-xor-type-error.js: Added.
2194         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2195
2196 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2197
2198         [BigInt] Add ValueSub into DFG
2199         https://bugs.webkit.org/show_bug.cgi?id=186176
2200
2201         Reviewed by Yusuke Suzuki.
2202
2203         * stress/big-int-subtraction-jit.js:
2204         * stress/value-sub-big-int-prediction-propagation.js: Added.
2205         * stress/value-sub-big-int-untyped.js: Added.
2206         * stress/value-sub-spec-none-case.js: Added.
2207
2208 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2209
2210         [JSC] JSC should have "parseFunction" to optimize Function constructor
2211         https://bugs.webkit.org/show_bug.cgi?id=190340
2212
2213         Reviewed by Mark Lam.
2214
2215         This patch fixes the line number of syntax errors raised by the Function constructor,
2216         since we now parse the final code only once. And we no longer use block statement
2217         for Function constructor's parsing.
2218
2219         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2220         * stress/function-cache-with-parameters-end-position.js: Added.
2221         (shouldBe):
2222         (shouldThrow):
2223         (i.anonymous):
2224         * stress/function-constructor-name.js: Added.
2225         (shouldBe):
2226         (GeneratorFunction):
2227         (AsyncFunction.async):
2228         (AsyncGeneratorFunction.async):
2229         (anonymous):
2230         (async.anonymous):
2231         * test262/expectations.yaml:
2232
2233 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2234
2235         Unreviewed, rolling out r237242.
2236         https://bugs.webkit.org/show_bug.cgi?id=190701
2237
2238         it breaks "stress/sampling-profiler-basic.js" (Requested by
2239         caiolima on #webkit).
2240
2241         Reverted changeset:
2242
2243         "[BigInt] Add ValueSub into DFG"
2244         https://bugs.webkit.org/show_bug.cgi?id=186176
2245         https://trac.webkit.org/changeset/237242
2246
2247 2018-10-17  Keith Miller  <keith_miller@apple.com>
2248
2249         AI does not clear Phantom allocation nodes.
2250         https://bugs.webkit.org/show_bug.cgi?id=190694
2251
2252         Reviewed by Saam Barati.
2253
2254         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2255         (Day):
2256         (DaysInYear):
2257         (TimeInYear):
2258         (TimeFromYear):
2259         (DayFromYear):
2260         (InLeapYear):
2261         (YearFromTime):
2262         (WeekDay):
2263         (DaylightSavingTA):
2264         (GetSecondSundayInMarch):
2265         (TimeInMonth):
2266
2267 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2268
2269         [BigInt] Add ValueSub into DFG
2270         https://bugs.webkit.org/show_bug.cgi?id=186176
2271
2272         Reviewed by Yusuke Suzuki.
2273
2274         * stress/big-int-subtraction-jit.js:
2275         * stress/value-sub-big-int-prediction-propagation.js: Added.
2276         * stress/value-sub-big-int-untyped.js: Added.
2277
2278 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2279
2280         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2281         https://bugs.webkit.org/show_bug.cgi?id=190611
2282
2283         Reviewed by Saam Barati.
2284
2285         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2286         to improve test runtime. On ARM/MIPS this test even timed out when running all
2287         tests.
2288
2289         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2290         (test):
2291
2292 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2293
2294         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2295
2296         Unreviewed gardening.
2297
2298         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2299
2300 2018-10-15  Saam barati  <sbarati@apple.com>
2301
2302         Emit fjcvtzs on ARM64E on Darwin
2303         https://bugs.webkit.org/show_bug.cgi?id=184023
2304
2305         Reviewed by Yusuke Suzuki and Filip Pizlo.
2306
2307         * stress/double-to-int32-NaN.js: Added.
2308         (assert):
2309         (foo):
2310
2311 2018-10-15  Saam Barati  <sbarati@apple.com>
2312
2313         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2314         https://bugs.webkit.org/show_bug.cgi?id=190262
2315         <rdar://problem/44986241>
2316
2317         Reviewed by Mark Lam.
2318
2319         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2320         (test):
2321         * stress/slice-array-storage-with-holes.js: Added.
2322         (main):
2323
2324 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2325
2326         Unreviewed, rolling out r237054.
2327         https://bugs.webkit.org/show_bug.cgi?id=190593
2328
2329         "this regressed JetStream 2 by 6% on iOS" (Requested by
2330         saamyjoon on #webkit).
2331
2332         Reverted changeset:
2333
2334         "[JSC] JSC should have "parseFunction" to optimize Function
2335         constructor"
2336         https://bugs.webkit.org/show_bug.cgi?id=190340
2337         https://trac.webkit.org/changeset/237054
2338
2339 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2340
2341         [JSC] JSON.stringify can accept call-with-no-arguments
2342         https://bugs.webkit.org/show_bug.cgi?id=190343
2343
2344         Reviewed by Mark Lam.
2345
2346         * stress/json-stringify-no-arguments.js: Added.
2347         (shouldBe):
2348
2349 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2350
2351         [JSC] JSC should have "parseFunction" to optimize Function constructor
2352         https://bugs.webkit.org/show_bug.cgi?id=190340
2353
2354         Reviewed by Mark Lam.
2355
2356         This patch fixes the line number of syntax errors raised by the Function constructor,
2357         since we now parse the final code only once. And we no longer use block statement
2358         for Function constructor's parsing.
2359
2360         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2361         * stress/function-cache-with-parameters-end-position.js: Added.
2362         (shouldBe):
2363         (shouldThrow):
2364         (i.anonymous):
2365         * stress/function-constructor-name.js: Added.
2366         (shouldBe):
2367         (GeneratorFunction):
2368         (AsyncFunction.async):
2369         (AsyncGeneratorFunction.async):
2370         (anonymous):
2371         (async.anonymous):
2372         * test262/expectations.yaml:
2373
2374 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2375
2376         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2377         https://bugs.webkit.org/show_bug.cgi?id=190426
2378
2379         Unreviewed gardening.
2380
2381         * stress/sampling-profiler-richards.js:
2382
2383 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2384
2385         [ESNext][BigInt] Implement support for "|"
2386         https://bugs.webkit.org/show_bug.cgi?id=186229
2387
2388         Reviewed by Yusuke Suzuki.
2389
2390         * stress/big-int-bitwise-and-jit.js:
2391         * stress/big-int-bitwise-or-general.js: Added.
2392         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2393         * stress/big-int-bitwise-or-jit.js: Added.
2394         * stress/big-int-bitwise-or-memory-stress.js: Added.
2395         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2396         * stress/big-int-bitwise-or-type-error.js: Added.
2397         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2398
2399 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2400
2401         Skip test on systems with limited memory
2402         https://bugs.webkit.org/show_bug.cgi?id=190310
2403
2404         Invoking runDefault adds test to runlist, skipping the test in the next
2405         line does not prevent the test from executing. Change order of lines such
2406         that runDefault is only executed if test is not executed.
2407
2408         Reviewed by Mark Lam.
2409
2410         * stress/regress-190187.js:
2411
2412 2018-10-03  Saam barati  <sbarati@apple.com>
2413
2414         lowXYZ in FTLLower should always filter the type of the incoming edge
2415         https://bugs.webkit.org/show_bug.cgi?id=189939
2416         <rdar://problem/44407030>
2417
2418         Reviewed by Michael Saboff.
2419
2420         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2421         (foo):
2422         (test):
2423
2424 2018-10-03  Mark Lam  <mark.lam@apple.com>
2425
2426         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2427         https://bugs.webkit.org/show_bug.cgi?id=190187
2428         <rdar://problem/42512909>
2429
2430         Reviewed by Michael Saboff.
2431
2432         * stress/regress-190187.js: Added.
2433
2434 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2435
2436         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2437         https://bugs.webkit.org/show_bug.cgi?id=190033
2438
2439         Reviewed by Yusuke Suzuki.
2440
2441         * stress/big-int-to-string.js:
2442
2443 2018-10-01  Mark Lam  <mark.lam@apple.com>
2444
2445         Function.toString() should also copy the source code Functions that are class definitions.
2446         https://bugs.webkit.org/show_bug.cgi?id=190186
2447         <rdar://problem/44733360>
2448
2449         Reviewed by Saam Barati.
2450
2451         * stress/regress-190186.js: Added.
2452
2453 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2454
2455         Split NaN-check into separate test
2456         https://bugs.webkit.org/show_bug.cgi?id=190010
2457
2458         Reviewed by Saam Barati.
2459
2460         DataView exposes NaN-representation, which is not necessarily the same on each
2461         architecture. Therefore move the check of the NaN-representation into its own
2462         file such that we can disable this test on MIPS where NaN-representation can be
2463         different on older CPUs.
2464
2465         * stress/dataview-jit-set-nan.js: Added.
2466         (assert):
2467         (test.storeLittleEndian):
2468         (test.storeBigEndian):
2469         (test.store):
2470         (test):
2471         * stress/dataview-jit-set.js:
2472         (test5):
2473
2474 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2475
2476         Unreviewed, rolling out r236647.
2477         https://bugs.webkit.org/show_bug.cgi?id=190124
2478
2479         Breaking test stress/big-int-to-string.js (Requested by
2480         caiolima_ on #webkit).
2481
2482         Reverted changeset:
2483
2484         "[BigInt] BigInt.proptotype.toString is broken when radix is
2485         power of 2"
2486         https://bugs.webkit.org/show_bug.cgi?id=190033
2487         https://trac.webkit.org/changeset/236647
2488
2489 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2490
2491         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2492         https://bugs.webkit.org/show_bug.cgi?id=190033
2493
2494         Reviewed by Yusuke Suzuki.
2495
2496         * stress/big-int-to-string.js:
2497
2498 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2499
2500         [ESNext][BigInt] Implement support for "&"
2501         https://bugs.webkit.org/show_bug.cgi?id=186228
2502
2503         Reviewed by Yusuke Suzuki.
2504
2505         * stress/big-int-bitwise-and-general.js: Added.
2506         (assert):
2507         (assert.sameValue):
2508         * stress/big-int-bitwise-and-jit.js: Added.
2509         (let.assert.sameValue):
2510         (bigIntBitAnd):
2511         * stress/big-int-bitwise-and-memory-stress.js: Added.
2512         (assert):
2513         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2514         (assert.sameValue):
2515         (let.o.Symbol.toPrimitive):
2516         (catch):
2517         * stress/big-int-bitwise-and-type-error.js: Added.
2518         (assert):
2519         (assertThrowTypeError):
2520         (let.o.valueOf):
2521         (o.valueOf):
2522         (o.toString):
2523         (o.Symbol.toPrimitive):
2524         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2525         (assert.sameValue):
2526         (testBitAnd):
2527         (let.o.Symbol.toPrimitive):
2528         (o.valueOf):
2529         (o.toString):
2530
2531 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2532
2533         JSC test stress/jsc-read.js doesn't support CRLF
2534         https://bugs.webkit.org/show_bug.cgi?id=190063
2535
2536         Reviewed by Yusuke Suzuki.
2537
2538         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2539
2540         * stress/jsc-read.js:
2541         (test):
2542
2543 2018-09-27  Saam barati  <sbarati@apple.com>
2544
2545         Verify the contents of AssemblerBuffer on arm64e
2546         https://bugs.webkit.org/show_bug.cgi?id=190057
2547         <rdar://problem/38916630>
2548
2549         Reviewed by Mark Lam.
2550
2551         * stress/regress-189132.js:
2552
2553 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2554
2555         Disable test without LLInt on ARMv7
2556         https://bugs.webkit.org/show_bug.cgi?id=190037
2557
2558         Reviewed by Mark Lam.
2559
2560         Test runs out of executable memory on ARMv7, do not run
2561         this test without LLInt enabled.
2562
2563         * stress/regress-169445.js:
2564
2565 2018-09-26  Keith Miller  <keith_miller@apple.com>
2566
2567         We should zero unused property storage when rebalancing array storage.
2568         https://bugs.webkit.org/show_bug.cgi?id=188151
2569
2570         Reviewed by Michael Saboff.
2571
2572         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2573
2574 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2575
2576         [JSC] Optimize Array#lastIndexOf
2577         https://bugs.webkit.org/show_bug.cgi?id=189780
2578
2579         Reviewed by Saam Barati.
2580
2581         * stress/array-lastindexof-array-prototype-trap.js: Added.
2582         (shouldBe):
2583         (AncestorArray.prototype.get 2):
2584         (AncestorArray):
2585         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2586         (shouldBe):
2587         * stress/array-lastindexof-hole-nan.js: Added.
2588         (shouldBe):
2589         (throw.new.Error):
2590         * stress/array-lastindexof-infinity.js: Added.
2591         (shouldBe):
2592         (throw.new.Error):
2593         * stress/array-lastindexof-negative-zero.js: Added.
2594         (shouldBe):
2595         (throw.new.Error):
2596         * stress/array-lastindexof-own-getter.js: Added.
2597         (shouldBe):
2598         (throw.new.Error.get array):
2599         (get array):
2600         * stress/array-lastindexof-prototype-trap.js: Added.
2601         (shouldBe):
2602         (DerivedArray.prototype.get 2):
2603         (DerivedArray):
2604
2605 2018-09-25  Saam Barati  <sbarati@apple.com>
2606
2607         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2608         https://bugs.webkit.org/show_bug.cgi?id=189940
2609         <rdar://problem/43640987>
2610
2611         Reviewed by Mark Lam.
2612
2613         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2614
2615 2018-09-24  Saam Barati  <sbarati@apple.com>
2616
2617         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2618         https://bugs.webkit.org/show_bug.cgi?id=189922
2619         <rdar://problem/44651275>
2620
2621         Reviewed by Mark Lam.
2622
2623         * stress/array-indexof-fast-path-effects.js: Added.
2624         * stress/array-indexof-cached-length.js: Added.
2625
2626 2018-09-24  Saam barati  <sbarati@apple.com>
2627
2628         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2629         https://bugs.webkit.org/show_bug.cgi?id=189682
2630         <rdar://problem/43557315>
2631
2632         Reviewed by Mark Lam.
2633
2634         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2635         (foo):
2636
2637 2018-09-22  Saam barati  <sbarati@apple.com>
2638
2639         The sampling should not use Strong<CodeBlock> in its machineLocation field
2640         https://bugs.webkit.org/show_bug.cgi?id=189319
2641
2642         Reviewed by Filip Pizlo.
2643
2644         * stress/sampling-profiler-richards.js: Added.
2645
2646 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2647
2648         [JSC] Optimize Array#indexOf in C++ runtime
2649         https://bugs.webkit.org/show_bug.cgi?id=189507
2650
2651         Reviewed by Saam Barati.
2652
2653         * stress/array-indexof-array-prototype-trap.js: Added.
2654         (shouldBe):
2655         (AncestorArray.prototype.get 2):
2656         (AncestorArray):
2657         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2658         (shouldBe):
2659         * stress/array-indexof-hole-nan.js: Added.
2660         (shouldBe):
2661         (throw.new.Error):
2662         * stress/array-indexof-infinity.js: Added.
2663         (shouldBe):
2664         (throw.new.Error):
2665         * stress/array-indexof-negative-zero.js: Added.
2666         (shouldBe):
2667         (throw.new.Error):
2668         * stress/array-indexof-own-getter.js: Added.
2669         (shouldBe):
2670         (throw.new.Error.get array):
2671         (get array):
2672         * stress/array-indexof-prototype-trap.js: Added.
2673         (shouldBe):
2674         (DerivedArray.prototype.get 2):
2675         (DerivedArray):
2676
2677 2018-09-19  Saam barati  <sbarati@apple.com>
2678
2679         AI rule for MultiPutByOffset executes its effects in the wrong order
2680         https://bugs.webkit.org/show_bug.cgi?id=189757
2681         <rdar://problem/43535257>
2682
2683         Reviewed by Michael Saboff.
2684
2685         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2686         (foo):
2687         (Foo):
2688         (g):
2689
2690 2018-09-17  Mark Lam  <mark.lam@apple.com>
2691
2692         Ensure that ForInContexts are invalidated if their loop local is over-written.
2693         https://bugs.webkit.org/show_bug.cgi?id=189571
2694         <rdar://problem/44402277>
2695
2696         Reviewed by Saam Barati.
2697
2698         * stress/regress-189571.js: Added.
2699
2700 2018-09-17  Saam barati  <sbarati@apple.com>
2701
2702         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2703         https://bugs.webkit.org/show_bug.cgi?id=189676
2704         <rdar://problem/39682897>
2705
2706         Reviewed by Michael Saboff.
2707
2708         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2709         (A):
2710         (K):
2711         (i.catch):
2712
2713 2018-09-14  Saam barati  <sbarati@apple.com>
2714
2715         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2716         https://bugs.webkit.org/show_bug.cgi?id=189628
2717         <rdar://problem/39481690>
2718
2719         Reviewed by Mark Lam.
2720
2721         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2722         (foo):
2723
2724 2018-09-11  Mark Lam  <mark.lam@apple.com>
2725
2726         Test for array initialization in arrayProtoFuncSplice.
2727         https://bugs.webkit.org/show_bug.cgi?id=170253
2728         <rdar://problem/31328773>
2729
2730         Rubber-stamped by Saam Barati.
2731
2732         * stress/regress-170253.js: Added.
2733
2734 2018-09-11  Mark Lam  <mark.lam@apple.com>
2735
2736         Test for IntlObject initialization.
2737         https://bugs.webkit.org/show_bug.cgi?id=170251
2738         <rdar://problem/31328419>
2739
2740         Rubber-stamped by Saam Barati.
2741
2742         * stress/regress-170251.js: Added.
2743
2744 2018-09-11  Mark Lam  <mark.lam@apple.com>
2745
2746         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2747         https://bugs.webkit.org/show_bug.cgi?id=169889
2748         <rdar://problem/31155607>
2749
2750         Reviewed by Saam Barati.
2751
2752         * stress/regress-169889-array-concat.js: Added.
2753         * stress/regress-169889-array-concat1.js: Added.
2754         * stress/regress-169889-array-slice.js: Added.
2755
2756 2018-09-11  Mark Lam  <mark.lam@apple.com>
2757
2758         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2759         https://bugs.webkit.org/show_bug.cgi?id=169445
2760         <rdar://problem/30957435>
2761
2762         Reviewed by Saam Barati.
2763
2764         * stress/regress-169445.js: Added.
2765         (let.gun.eval.A):
2766         (let.gun.eval.B.C):
2767         (let.gun.eval.B.C.prototype.trigger):
2768         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2769         (let.gun.eval.B):
2770         (let.gun.eval):
2771
2772 == Rolled over to ChangeLog-2018-09-11 ==