[JSC] Store bits for JSRopeString in 3 stores
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Store bits for JSRopeString in 3 stores
4         https://bugs.webkit.org/show_bug.cgi?id=195234
5
6         Reviewed by Saam Barati.
7
8         * stress/null-rope-and-collectors.js: Added.
9
10 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
11
12         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
13         https://bugs.webkit.org/show_bug.cgi?id=195207
14
15         Unreviewed. After test runtime was reduced in r242213, test can be
16         run again on ARM/MIPS.
17
18         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
19
20 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
21
22         [JSC] sizeof(JSString) should be 16
23         https://bugs.webkit.org/show_bug.cgi?id=194375
24
25         Reviewed by Saam Barati.
26
27         * microbenchmarks/make-rope.js: Added.
28         (makeRope):
29         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
30         (returnRope.helper): Deleted.
31         (returnRope): Deleted.
32
33 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
34
35         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
36         https://bugs.webkit.org/show_bug.cgi?id=195144
37
38         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
39         Change the number from 1e8 to 1e5.
40
41         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
42         (foo):
43
44 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
45
46         Test times out on ARM/MIPS
47         https://bugs.webkit.org/show_bug.cgi?id=195168
48
49         Unreviewed. Skip test on ARM/MIPS.
50
51         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
52
53 2019-02-27  Mark Lam  <mark.lam@apple.com>
54
55         The parser is failing to record the token location of new in new.target.
56         https://bugs.webkit.org/show_bug.cgi?id=195127
57         <rdar://problem/39645578>
58
59         Reviewed by Yusuke Suzuki.
60
61         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
62
63 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
64
65         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
66         https://bugs.webkit.org/show_bug.cgi?id=195144
67         <rdar://problem/47595961>
68
69         Reviewed by Mark Lam.
70
71         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
72         (bar):
73         (foo):
74         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
75         (bar):
76         (foo):
77
78 2019-02-27  Robin Morisset  <rmorisset@apple.com>
79
80         DFG: Loop-invariant code motion (LICM) should not hoist dead code
81         https://bugs.webkit.org/show_bug.cgi?id=194945
82         <rdar://problem/48311657>
83
84         Reviewed by Mark Lam.
85
86         * stress/licm-dead-code.js: Added.
87
88 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
89
90         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
91         https://bugs.webkit.org/show_bug.cgi?id=194677
92         <rdar://problem/48112492>
93
94         Reviewed by Mark Lam.
95
96         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
97         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
98         it immediately fails due the large size.
99
100         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
101         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
102         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
103         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
104
105         This patch changes the test to produce 16bit string from String.fromCharCode.
106
107         * stress/regress-178386.js:
108
109 2019-02-26  Mark Lam  <mark.lam@apple.com>
110
111         wasmToJS() should purify incoming NaNs.
112         https://bugs.webkit.org/show_bug.cgi?id=194807
113         <rdar://problem/48189132>
114
115         Reviewed by Saam Barati.
116
117         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
118
119 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
120
121         [JSC] Repeat string created from Array.prototype.join() take too much memory
122         https://bugs.webkit.org/show_bug.cgi?id=193912
123
124         Reviewed by Saam Barati.
125
126         Added a test and a microbenchmark for corner cases of
127         Array.prototype.join() with an uninitialized array.
128
129         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
130         * stress/array-prototype-join-uninitialized.js: Added.
131         (testArray):
132         (testABC):
133         (B):
134         (C):
135
136 2019-02-22  Robin Morisset  <rmorisset@apple.com>
137
138         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
139         https://bugs.webkit.org/show_bug.cgi?id=194953
140         <rdar://problem/47595253>
141
142         Reviewed by Saam Barati.
143
144         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
145
146         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
147
148 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
149
150         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
151         https://bugs.webkit.org/show_bug.cgi?id=172848
152         <rdar://problem/25709212>
153
154         Reviewed by Mark Lam.
155
156         * typeProfiler/inheritance.js:
157         Rewrite the test slightly for clarity. The hoisting was confusing.
158
159         * heapProfiler/class-names.js: Added.
160         (MyES5Class):
161         (MyES6Class):
162         (MyES6Subclass):
163         Test object types and improved class names.
164
165         * heapProfiler/driver/driver.js:
166         (CheapHeapSnapshotNode):
167         (CheapHeapSnapshot):
168         (createCheapHeapSnapshot):
169         (HeapSnapshot):
170         (createHeapSnapshot):
171         Update snapshot parsing from version 1 to version 2.
172
173 2019-02-19  Truitt Savell  <tsavell@apple.com>
174
175         Unreviewed, rolling out r241784.
176
177         Broke all OpenSource builds.
178
179         Reverted changeset:
180
181         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
182         instances view"
183         https://bugs.webkit.org/show_bug.cgi?id=172848
184         https://trac.webkit.org/changeset/241784
185
186 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
187
188         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
189         https://bugs.webkit.org/show_bug.cgi?id=172848
190         <rdar://problem/25709212>
191
192         Reviewed by Mark Lam.
193
194         * typeProfiler/inheritance.js:
195         Rewrite the test slightly for clarity. The hoisting was confusing.
196
197         * heapProfiler/class-names.js: Added.
198         (MyES5Class):
199         (MyES6Class):
200         (MyES6Subclass):
201         Test object types and improved class names.
202
203         * heapProfiler/driver/driver.js:
204         (CheapHeapSnapshotNode):
205         (CheapHeapSnapshot):
206         (createCheapHeapSnapshot):
207         (HeapSnapshot):
208         (createHeapSnapshot):
209         Update snapshot parsing from version 1 to version 2.
210
211 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
212
213         [ARM] Fix crash with sampling profiler
214         https://bugs.webkit.org/show_bug.cgi?id=194772
215
216         Reviewed by Mark Lam.
217
218         Do not skip test since crash with sampling profiler is now fixed.
219
220         * stress/sampling-profiler-richards.js:
221
222 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
223
224         [JSC] Add LazyClassStructure::getInitializedOnMainThread
225         https://bugs.webkit.org/show_bug.cgi?id=194784
226         <rdar://problem/48154820>
227
228         Reviewed by Mark Lam.
229
230         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
231         (getProperties):
232         (getRandomProperty):
233         (i.catch):
234
235 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
236
237         [ARM] Test gardening: Test running out of executable memory
238         https://bugs.webkit.org/show_bug.cgi?id=194771
239
240         Unreviewed. Do not run test without LLInt, test is running out of executable
241         memory on ARM otherwise.
242
243         * stress/tagged-template-object-collect.js:
244
245 2019-02-18  Tomas Popela  <tpopela@redhat.com>
246
247         Unreviewed, skip the test on platforms without sampling profiler
248
249         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
250         (platformSupportsSamplingProfiler.foo):
251         (platformSupportsSamplingProfiler.test):
252         (platformSupportsSamplingProfiler):
253         (foo): Deleted.
254         (test): Deleted.
255
256 2019-02-17  Saam Barati  <sbarati@apple.com>
257
258         Deadlock when adding a Structure property transition and then doing incremental marking
259         https://bugs.webkit.org/show_bug.cgi?id=194767
260
261         Reviewed by Mark Lam.
262
263         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
264
265 2019-02-15  Michael Saboff  <msaboff@apple.com>
266
267         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
268         https://bugs.webkit.org/show_bug.cgi?id=194558
269
270         Reviewed by Saam Barati.
271
272         New regression test.
273
274         * stress/regexp-unicode-within-string.js: Added.
275
276 2019-02-15  Mark Lam  <mark.lam@apple.com>
277
278         SamplingProfiler::stackTracesAsJSON() should escape strings.
279         https://bugs.webkit.org/show_bug.cgi?id=194649
280         <rdar://problem/48072386>
281
282         Reviewed by Saam Barati.
283
284         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
285         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
286         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
287         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
288
289 2019-02-15  Robin Morisset  <rmorisset@apple.com>
290         CodeBlock::jettison should clear related watchpoints
291         https://bugs.webkit.org/show_bug.cgi?id=194544
292
293         Reviewed by Mark Lam.
294
295         * stress/regexp-replace-double-watchpoint.js: Added.
296         (foo):
297
298 2019-02-15  Saam barati  <sbarati@apple.com>
299
300         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
301         https://bugs.webkit.org/show_bug.cgi?id=194036
302
303         Reviewed by Yusuke Suzuki.
304
305         * stress/tail-call-many-arguments.js: Added.
306         (foo):
307         (bar):
308
309 2019-02-14  Saam Barati  <sbarati@apple.com>
310
311         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
312         https://bugs.webkit.org/show_bug.cgi?id=194583
313         <rdar://problem/48028140>
314
315         Reviewed by Yusuke Suzuki.
316
317         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
318
319 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
320
321         [JSC] String.fromCharCode's slow path always generates 16bit string
322         https://bugs.webkit.org/show_bug.cgi?id=194466
323
324         Reviewed by Keith Miller.
325
326         * stress/string-from-char-code-slow-path.js: Added.
327         (shouldBe):
328         (testWithLength):
329
330 2019-02-08  Saam barati  <sbarati@apple.com>
331
332         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
333         https://bugs.webkit.org/show_bug.cgi?id=194334
334         <rdar://problem/47844327>
335
336         Reviewed by Mark Lam.
337
338         * stress/check-in-bounds-should-be-a-child-use.js: Added.
339         (func):
340
341 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
342
343         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
344         https://bugs.webkit.org/show_bug.cgi?id=194369
345         <rdar://problem/47813087>
346
347         Reviewed by Saam Barati.
348
349         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
350         (A):
351
352 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
353
354         [JSC] PrivateName to PublicName hash table is wasteful
355         https://bugs.webkit.org/show_bug.cgi?id=194277
356
357         Reviewed by Michael Saboff.
358
359         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
360
361         * ChakraCore.yaml:
362
363 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
364
365         [ARM] Test running out of executable memory
366         https://bugs.webkit.org/show_bug.cgi?id=194285
367
368         Unreviewed. Do no execute test with LLInt disabled, test runs out of
369         executable memory otherwise.
370
371         * stress/class-subclassing-function.js:
372
373 2019-02-04  Robin Morisset  <rmorisset@apple.com>
374
375         when lowering AssertNotEmpty, create the value before creating the patchpoint
376         https://bugs.webkit.org/show_bug.cgi?id=194231
377
378         Reviewed by Saam Barati.
379
380         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
381         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
382         So even tiny changes to this test can change the path code taken.
383
384         * stress/assert-not-empty.js: Added.
385         (foo):
386
387 2019-02-01  Mark Lam  <mark.lam@apple.com>
388
389         Remove invalid assertion in DFG's compileDoubleRep().
390         https://bugs.webkit.org/show_bug.cgi?id=194130
391         <rdar://problem/47699474>
392
393         Reviewed by Saam Barati.
394
395         * stress/constant-fold-double-rep-into-double-constant.js: Added.
396
397 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
398
399         Import latest Test262 updates.
400
401         Rubber-stamped by Keith Miller.
402
403         * test262.yaml: Deleted.
404         * test262/config.yaml:
405         * test262/expectations.yaml:
406         * test262/latest-changes-summary.txt:
407         * test262/test/:
408         * test262/test262-Revision.txt:
409
410 2019-01-30  Robin Morisset  <rmorisset@apple.com>
411
412         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
413         https://bugs.webkit.org/show_bug.cgi?id=194050
414         <rdar://problem/47595592>
415
416         Reviewed by Yusuke Suzuki.
417
418         * stress/object-keys-osr-exit.js: Added.
419         (foo):
420         (catch):
421
422 2019-01-29  Mark Lam  <mark.lam@apple.com>
423
424         ValueRecovery::recover() should purify NaN values it recovers.
425         https://bugs.webkit.org/show_bug.cgi?id=193978
426         <rdar://problem/47625488>
427
428         Reviewed by Saam Barati.
429
430         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
431
432 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
433
434         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
435         https://bugs.webkit.org/show_bug.cgi?id=193713
436
437         * stress/try-get-by-id-should-spill-registers-dfg.js:
438         (let.f.createBuiltin):
439
440 2019-01-28  Mark Lam  <mark.lam@apple.com>
441
442         ToString node actually does GC.
443         https://bugs.webkit.org/show_bug.cgi?id=193920
444         <rdar://problem/46695900>
445
446         Reviewed by Yusuke Suzuki.
447
448         * stress/dfg-to-string-on-int-does-gc.js: Added.
449         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
450         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
451
452 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
453
454         [JSC] NativeErrorConstructor should not have own IsoSubspace
455         https://bugs.webkit.org/show_bug.cgi?id=193713
456
457         Reviewed by Saam Barati.
458
459         Remove @Error use.
460
461         * stress/try-get-by-id-should-spill-registers-dfg.js:
462         (let.f.createBuiltin):
463
464 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
465
466         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
467         https://bugs.webkit.org/show_bug.cgi?id=190693
468
469         Reviewed by Michael Saboff.
470
471         * stress/regress-190693.js: Added.
472         (truth):
473         (assert):
474         (shouldThrowInvalidConstAssignment):
475         (taz):
476
477 2019-01-24  Saam Barati  <sbarati@apple.com>
478
479         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
480         https://bugs.webkit.org/show_bug.cgi?id=193751
481         <rdar://problem/47280215>
482
483         Reviewed by Michael Saboff.
484
485         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
486         (let.thing):
487         (foo.let.hello):
488         (foo):
489
490 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
491
492         [JSC] Reenable baseline JIT on mips
493         https://bugs.webkit.org/show_bug.cgi?id=192983
494
495         Reviewed by Mark Lam.
496
497         Added a new test for a case that was triggering a RELEASE_ASSERT when
498         testing.
499         Disable some slow tests that were already disabled for arm and x86.
500
501         * stress/json-parse-big-object.js: Added.
502         * stress/new-largeish-contiguous-array-with-size.js:
503         * stress/op_add.js:
504         * stress/op_bitand.js:
505         * stress/op_bitor.js:
506         * stress/op_bitxor.js:
507         * stress/op_lshift-ConstVar.js:
508         * stress/op_lshift-VarConst.js:
509         * stress/op_lshift-VarVar.js:
510         * stress/op_mod-ConstVar.js:
511         * stress/op_mod-VarConst.js:
512         * stress/op_mod-VarVar.js:
513         * stress/op_mul-ConstVar.js:
514         * stress/op_mul-VarConst.js:
515         * stress/op_mul-VarVar.js:
516         * stress/op_rshift-ConstVar.js:
517         * stress/op_rshift-VarConst.js:
518         * stress/op_rshift-VarVar.js:
519         * stress/op_sub-ConstVar.js:
520         * stress/op_sub-VarConst.js:
521         * stress/op_sub-VarVar.js:
522         * stress/op_urshift-ConstVar.js:
523         * stress/op_urshift-VarConst.js:
524         * stress/op_urshift-VarVar.js:
525         * stress/sampling-profiler-richards.js:
526         * stress/spread-forward-call-varargs-stack-overflow.js:
527
528 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
529
530         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
531         https://bugs.webkit.org/show_bug.cgi?id=193711
532         <rdar://problem/47250262>
533
534         Reviewed by Saam Barati.
535
536         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
537         (shouldBe):
538         (foo):
539         (bar):
540         (baz):
541
542 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
543
544         Unreviewed, fix initial global lexical binding epoch
545         https://bugs.webkit.org/show_bug.cgi?id=193603
546         <rdar://problem/47380869>
547
548         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
549         (f1.f2.f3.f4):
550         (f1.f2.f3):
551         (f1.f2):
552         (f1):
553
554 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
555
556         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
557         https://bugs.webkit.org/show_bug.cgi?id=193709
558         <rdar://problem/47363838>
559
560         Unreviewed, rollout to watch the tests.
561
562         * stress/object-tostring-changed-proto.js: Removed.
563         * stress/object-tostring-changed.js: Removed.
564         * stress/object-tostring-misc.js: Removed.
565         * stress/object-tostring-other.js: Removed.
566         * stress/object-tostring-untyped.js: Removed.
567
568 2019-01-22  Saam Barati  <sbarati@apple.com>
569
570         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
571
572         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
573         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
574         (testUncheckedLessThanZero):
575         (testUncheckedLessThanOrEqualZero):
576         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
577         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
578
579 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
580
581         [JSC] Invalidate old scope operations using global lexical binding epoch
582         https://bugs.webkit.org/show_bug.cgi?id=193603
583         <rdar://problem/47380869>
584
585         Reviewed by Saam Barati.
586
587         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
588         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
589         (shouldThrow):
590         (bar):
591         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
592         (shouldBe):
593         (get1):
594         (get2):
595         (get1If):
596         (get2If):
597         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
598         (shouldThrow):
599         (foo):
600
601 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
602
603         Unreviewed, roll out r240220 due to date-format-xparb regression
604         https://bugs.webkit.org/show_bug.cgi?id=193603
605
606         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
607         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
608         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
609         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
610
611 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
612
613         DoesGC rule is wrong for nodes with BigIntUse
614         https://bugs.webkit.org/show_bug.cgi?id=193652
615
616         Reviewed by Saam Barati.
617
618         * stress/big-int-value-op-update-gc-rules.js: Added.
619         (assert):
620         (doesGCAdd):
621         (doesGCSub):
622         (doesGCDiv):
623         (doesGCMul):
624         (doesGCBitAnd):
625         (doesGCBitOr):
626         (doesGCBitXor):
627
628 2019-01-20  Saam Barati  <sbarati@apple.com>
629
630         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
631         https://bugs.webkit.org/show_bug.cgi?id=193644
632         <rdar://problem/46209745>
633
634         Reviewed by Yusuke Suzuki.
635
636         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
637         (foo):
638         * stress/data-view-set-intrinsic-undefined-result.js: Added.
639         (foo):
640         (bar):
641
642 2019-01-20  Saam Barati  <sbarati@apple.com>
643
644         MovHint must merge NodeBytecodeUsesAsValue for its child
645         https://bugs.webkit.org/show_bug.cgi?id=186916
646         <rdar://problem/41396612>
647
648         Reviewed by Yusuke Suzuki.
649
650         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
651         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
652
653 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
654
655         [JSC] Invalidate old scope operations using global lexical binding epoch
656         https://bugs.webkit.org/show_bug.cgi?id=193603
657         <rdar://problem/47380869>
658
659         Reviewed by Saam Barati.
660
661         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
662         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
663         (shouldThrow):
664         (bar):
665         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
666         (shouldBe):
667         (get1):
668         (get2):
669         (get1If):
670         (get2If):
671         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
672         (shouldThrow):
673         (foo):
674
675 2019-01-17  Saam barati  <sbarati@apple.com>
676
677         StringObjectUse should not be a structure check for the original string object structure
678         https://bugs.webkit.org/show_bug.cgi?id=193483
679         <rdar://problem/47280522>
680
681         Reviewed by Yusuke Suzuki.
682
683         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
684         (foo):
685         (a.valueOf.0):
686
687 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
688
689         [JSC] ToThis omission in DFGByteCodeParser is wrong
690         https://bugs.webkit.org/show_bug.cgi?id=193513
691         <rdar://problem/45842236>
692
693         Reviewed by Saam Barati.
694
695         * stress/to-this-omission-with-different-strict-modes.js: Added.
696         (thisA):
697         (thisAStrictWrapper):
698
699 2019-01-15  Mark Lam  <mark.lam@apple.com>
700
701         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
702         https://bugs.webkit.org/show_bug.cgi?id=193423
703         <rdar://problem/46209355>
704
705         Reviewed by Saam Barati.
706
707         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
708         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
709         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
710         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
711
712 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
713
714         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
715         https://bugs.webkit.org/show_bug.cgi?id=193438
716         <rdar://problem/45581249>
717
718         Reviewed by Saam Barati and Keith Miller.
719
720         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
721         Then, GetByVal(String) crashed.
722
723         * stress/string-get-by-val-lowering.js: Added.
724         (shouldBe):
725         (test):
726         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
727         (Hello):
728         (foo):
729
730 2019-01-15  Tomas Popela  <tpopela@redhat.com>
731
732         Unreviewed, skip JIT tests if it's not enabled
733
734         * stress/bit-op-with-object-returning-int32.js:
735
736 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
737
738         DFGByteCodeParser rules for bitwise operations should consider type of their operands
739         https://bugs.webkit.org/show_bug.cgi?id=192966
740
741         Reviewed by Yusuke Suzuki.
742
743         * stress/bit-op-with-object-returning-int32.js: Added.
744
745 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
746
747         Skip a slow test and a flakey test on arm
748
749         Unreviewed gardening.
750
751         * typeProfiler/getter-richards.js:
752         this test always times out, it used to be always skipped on arm and
753         mips, but got accidentally enabled by r237919 now that we have DFG on
754         arm. Also skipping on mips as we plan to soon enable DFG for it too.
755
756 2019-01-14  Keith Miller  <keith_miller@apple.com>
757
758         Skip type-check-hoisting-phase-hoist... with no jit
759         https://bugs.webkit.org/show_bug.cgi?id=193421
760
761         Reviewed by Mark Lam.
762
763         It's timing out the 32-bit bots and takes 330 seconds
764         on my machine when run by itself.
765
766         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
767
768 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
769
770         [JSC] AI should check the given constant's array type when folding GetByVal into constant
771         https://bugs.webkit.org/show_bug.cgi?id=193413
772         <rdar://problem/46092389>
773
774         Reviewed by Keith Miller.
775
776         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
777         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
778         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
779         but GetByVal does not have appropriate ArrayModes, JSC crashes.
780
781         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
782         (compareArray):
783
784 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
785
786         [BigInt] Literal parsing is crashing when used inside a Object Literal
787         https://bugs.webkit.org/show_bug.cgi?id=193404
788
789         Reviewed by Yusuke Suzuki.
790
791         * stress/big-int-literal-inside-literal-object.js: Added.
792
793 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
794
795         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
796         https://bugs.webkit.org/show_bug.cgi?id=193372
797
798         Reviewed by Saam Barati.
799
800         * stress/typed-array-array-modes-profile.js: Added.
801         (foo):
802
803 2019-01-14  Mark Lam  <mark.lam@apple.com>
804
805         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
806         https://bugs.webkit.org/show_bug.cgi?id=193402
807         <rdar://problem/46012309>
808
809         Reviewed by Keith Miller.
810
811         * stress/regexp-compile-oom.js:
812         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
813           is enabled.  As a result, it will fail on cloop builds though there is no bug.
814
815 2019-01-11  Saam barati  <sbarati@apple.com>
816
817         DFG combined liveness can be wrong for terminal basic blocks
818         https://bugs.webkit.org/show_bug.cgi?id=193304
819         <rdar://problem/45268632>
820
821         Reviewed by Yusuke Suzuki.
822
823         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
824
825 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
826
827         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
828         https://bugs.webkit.org/show_bug.cgi?id=193308
829         <rdar://problem/45546542>
830
831         Reviewed by Saam Barati.
832
833         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
834         (shouldThrow):
835         (shouldBe):
836         (foo):
837         (get shouldThrow):
838         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
839         (shouldThrow):
840         (shouldBe):
841         (foo):
842         (get shouldBe):
843         (get shouldThrow):
844         (get return):
845         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
846         (shouldThrow):
847         (shouldBe):
848         (foo):
849         (get shouldBe):
850         (get shouldThrow):
851         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
852         (shouldThrow):
853         (shouldBe):
854         (foo):
855         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
856         (shouldThrow):
857         (shouldBe):
858         (foo):
859         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
860         (shouldThrow):
861         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
862         (shouldThrow):
863         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
864         (shouldThrow):
865         (shouldBe):
866         (foo):
867         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
868         (shouldThrow):
869         (shouldBe):
870         (foo):
871         (get shouldBe):
872         (get shouldThrow):
873         (get return):
874         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
875         (shouldThrow):
876         (shouldBe):
877         (foo):
878         (get shouldBe):
879         (get shouldThrow):
880         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
881         (shouldThrow):
882         (shouldBe):
883         (foo):
884         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
885         (shouldThrow):
886         (shouldBe):
887         (foo):
888
889 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
890
891         Enable DFG on ARM/Linux again
892         https://bugs.webkit.org/show_bug.cgi?id=192496
893
894         Reviewed by Yusuke Suzuki.
895
896         Test wasn't really skipped before moving the line with skip
897         to the top.
898
899         * stress/regress-192717.js:
900
901 2019-01-10  Commit Queue  <commit-queue@webkit.org>
902
903         Unreviewed, rolling out r239825.
904         https://bugs.webkit.org/show_bug.cgi?id=193330
905
906         Broke tests on armv7/linux bots (Requested by guijemont on
907         #webkit).
908
909         Reverted changeset:
910
911         "Enable DFG on ARM/Linux again"
912         https://bugs.webkit.org/show_bug.cgi?id=192496
913         https://trac.webkit.org/changeset/239825
914
915 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
916
917         Enable DFG on ARM/Linux again
918         https://bugs.webkit.org/show_bug.cgi?id=192496
919
920         Reviewed by Yusuke Suzuki.
921
922         Test wasn't really skipped before moving the line with skip
923         to the top.
924
925         * stress/regress-192717.js:
926
927 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
928
929         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
930         https://bugs.webkit.org/show_bug.cgi?id=193127
931
932         Reviewed by Saam Barati.
933
934         * stress/array-species-create-should-handle-masquerader.js: Added.
935         (shouldThrow):
936         * stress/is-undefined-or-null-builtin.js: Added.
937         (shouldBe):
938         (isUndefinedOrNull.vm.createBuiltin):
939
940 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
941
942         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
943         https://bugs.webkit.org/show_bug.cgi?id=193221
944
945         Reviewed by Mark Lam.
946
947         * stress/put-by-id-flags.js: Added.
948         (f):
949         (g):
950         (numberOfDFGCompiles):
951
952 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
953
954         Baseline version of get_by_id may corrupt metadata
955         https://bugs.webkit.org/show_bug.cgi?id=193085
956         <rdar://problem/23453006>
957
958         Reviewed by Saam Barati.
959
960         * stress/get-by-id-change-mode.js: Added.
961         (forEach):
962
963 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
964
965         [JSC] Optimize Object.prototype.toString
966         https://bugs.webkit.org/show_bug.cgi?id=193031
967
968         Reviewed by Saam Barati.
969
970         * stress/object-tostring-changed-proto.js: Added.
971         (shouldBe):
972         (test):
973         * stress/object-tostring-changed.js: Added.
974         (shouldBe):
975         (test):
976         * stress/object-tostring-misc.js: Added.
977         (shouldBe):
978         (test):
979         (i.switch):
980         * stress/object-tostring-other.js: Added.
981         (shouldBe):
982         (test):
983         * stress/object-tostring-untyped.js: Added.
984         (shouldBe):
985         (test):
986         (i.switch):
987
988 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
989
990         test262-runner misbehaves when test file YAML has a trailing space
991         https://bugs.webkit.org/show_bug.cgi?id=193053
992
993         Reviewed by Yusuke Suzuki.
994
995         * test262/expectations.yaml:
996         Mark two dozen tests as passing (and correct the output of another).
997
998 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
999
1000         Unreviewed, JSTests gardening with memoryLimited
1001
1002         * stress/string-overflow-createError.js:
1003
1004 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1005
1006         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1007         https://bugs.webkit.org/show_bug.cgi?id=193050
1008
1009         Reviewed by Yusuke Suzuki.
1010
1011         * test262.yaml:
1012         * test262/expectations.yaml:
1013         Mark 16 tests as passing.
1014
1015 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1016
1017         [BigInt] Support BigInt in JSON.stringify
1018         https://bugs.webkit.org/show_bug.cgi?id=192624
1019
1020         Reviewed by Saam Barati.
1021
1022         * stress/big-int-json-stringify-to-json.js: Added.
1023         (shouldBe):
1024         (shouldThrow):
1025         (BigInt.prototype.toJSON):
1026         (shouldBe.JSON.stringify):
1027         * stress/big-int-json-stringify.js: Added.
1028         (shouldBe):
1029         (shouldThrow):
1030
1031 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1032
1033         [JSC] Implement "well-formed JSON.stringify" proposal
1034         https://bugs.webkit.org/show_bug.cgi?id=191677
1035
1036         Reviewed by Darin Adler.
1037
1038         * stress/json-surrogate-pair.js: Added.
1039         (shouldBe):
1040         * test262/expectations.yaml:
1041
1042 2018-12-20  Keith Miller  <keith_miller@apple.com>
1043
1044         Add support for globalThis
1045         https://bugs.webkit.org/show_bug.cgi?id=165171
1046
1047         Reviewed by Mark Lam.
1048
1049         * test262/config.yaml:
1050
1051 2018-12-19  Keith Miller  <keith_miller@apple.com>
1052
1053         Update test262 configuration to not run tests dependent on ICU version.
1054         https://bugs.webkit.org/show_bug.cgi?id=192920
1055
1056         Reviewed by Saam Barati.
1057
1058         * test262/expectations.yaml:
1059
1060 2018-12-20  Mark Lam  <mark.lam@apple.com>
1061
1062         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1063         https://bugs.webkit.org/show_bug.cgi?id=192939
1064         <rdar://problem/46869516>
1065
1066         Reviewed by Keith Miller.
1067
1068         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1069
1070 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1071
1072         WTF::String and StringImpl overflow MaxLength
1073         https://bugs.webkit.org/show_bug.cgi?id=192853
1074         <rdar://problem/45726906>
1075
1076         Reviewed by Mark Lam.
1077
1078         * stress/string-16bit-repeat-overflow.js: Added.
1079         (catch):
1080
1081 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1082
1083         Unreviewed follow-up to r192914.
1084
1085         * test262/expectations.yaml:
1086         Add the last 20 missing expectations.
1087
1088 2018-12-19  Keith Miller  <keith_miller@apple.com>
1089
1090         Fix test262 expectations
1091         https://bugs.webkit.org/show_bug.cgi?id=192914
1092
1093         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1094
1095         * test262/expectations.yaml:
1096
1097 2018-12-19  Keith Miller  <keith_miller@apple.com>
1098
1099         Update test262 tests.
1100         https://bugs.webkit.org/show_bug.cgi?id=192907
1101
1102         Rubber stamped by Mark Lam.
1103
1104         * test262/*: Omitted because prepare-changelog crashes.
1105
1106 2018-12-19  Mark Lam  <mark.lam@apple.com>
1107
1108         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1109         https://bugs.webkit.org/show_bug.cgi?id=192464
1110         <rdar://problem/46519455>
1111
1112         Reviewed by Saam Barati.
1113
1114         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1115         microbenchmark.
1116
1117         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1118         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1119
1120 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1121
1122         String overflow in JSC::createError results in ASSERT in WTF::makeString
1123         https://bugs.webkit.org/show_bug.cgi?id=192833
1124         <rdar://problem/45706868>
1125
1126         Reviewed by Mark Lam.
1127
1128         * stress/string-overflow-createError.js: Added.
1129
1130 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1131
1132         Error message for `-x ** y` contains a typo.
1133         https://bugs.webkit.org/show_bug.cgi?id=192832
1134
1135         Reviewed by Saam Barati.
1136
1137         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1138         (assert.assert.return.throws):
1139         * stress/pow-expects-update-expression-on-lhs.js:
1140         (throw.new.Error):
1141         Update test expectations which match against the exact error message.
1142
1143 2018-12-18  Mark Lam  <mark.lam@apple.com>
1144
1145         Gardening: test options fix.
1146         https://bugs.webkit.org/show_bug.cgi?id=192822
1147
1148         Unreviewed.
1149
1150         * stress/json-stringify-string-builder-overflow.js:
1151
1152 2018-12-18  Mark Lam  <mark.lam@apple.com>
1153
1154         JSON.stringify() should throw OOM on StringBuilder overflows.
1155         https://bugs.webkit.org/show_bug.cgi?id=192822
1156         <rdar://problem/46670577>
1157
1158         Reviewed by Saam Barati.
1159
1160         * stress/json-stringify-string-builder-overflow.js: Added.
1161
1162 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1163
1164         Redeclaration of var over let/const/class should be a syntax error.
1165         https://bugs.webkit.org/show_bug.cgi?id=192298
1166
1167         Reviewed by Keith Miller.
1168
1169         * test262.yaml:
1170         * test262/expectations.yaml:
1171         Mark 46 tests as passing.
1172
1173         * stress/block-scope-redeclarations.js:
1174         Add some new tests.
1175
1176         * stress/for-in-invalidate-context-weird-assignments.js:
1177         * stress/for-in-tests.js:
1178         Replace tests for outdated behavior with tests for SyntaxError.
1179
1180         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1181         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1182         Update expectations.
1183
1184 2018-12-18  Mark Lam  <mark.lam@apple.com>
1185
1186         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1187         https://bugs.webkit.org/show_bug.cgi?id=191374
1188         <rdar://problem/46525447>
1189
1190         Reviewed by Yusuke Suzuki.
1191
1192         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1193
1194         * stress/elidable-new-object-roflcopter-then-exit.js:
1195
1196 2018-12-17  Mark Lam  <mark.lam@apple.com>
1197
1198         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1199         https://bugs.webkit.org/show_bug.cgi?id=192019
1200         <rdar://problem/46525456>
1201
1202         Reviewed by Yusuke Suzuki.
1203
1204         The test runs too slow on 32-bit.
1205
1206         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1207
1208 2018-12-17  Mark Lam  <mark.lam@apple.com>
1209
1210         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1211         https://bugs.webkit.org/show_bug.cgi?id=191373
1212         <rdar://problem/46525458>
1213
1214         Reviewed by Yusuke Suzuki.
1215
1216         The test is already slow running with a JIT on 64-bit.  It will always timeout
1217         on 32-bit without a JIT.
1218
1219         * stress/materialize-regexp-cyclic-regexp.js:
1220
1221 2018-12-17  Mark Lam  <mark.lam@apple.com>
1222
1223         Array unshift/shift should not race against the AI in the compiler thread.
1224         https://bugs.webkit.org/show_bug.cgi?id=192795
1225         <rdar://problem/46724263>
1226
1227         Reviewed by Saam Barati.
1228
1229         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1230
1231 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1232
1233         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1234         https://bugs.webkit.org/show_bug.cgi?id=190047
1235
1236         Reviewed by Saam Barati.
1237
1238         * stress/object-keys-cached-zero.js: Added.
1239         (shouldBe):
1240         (test):
1241         * stress/object-keys-changed-attribute.js: Added.
1242         (shouldBe):
1243         (test):
1244         * stress/object-keys-changed-index.js: Added.
1245         (shouldBe):
1246         (test):
1247         * stress/object-keys-changed.js: Added.
1248         (shouldBe):
1249         (test):
1250         * stress/object-keys-indexed-non-cache.js: Added.
1251         (shouldBe):
1252         (test):
1253         * stress/object-keys-overrides-get-property-names.js: Added.
1254         (shouldBe):
1255         (test):
1256         (noInline):
1257
1258 2018-12-17  Mark Lam  <mark.lam@apple.com>
1259
1260         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1261         https://bugs.webkit.org/show_bug.cgi?id=192779
1262         <rdar://problem/46775869>
1263
1264         Reviewed by Saam Barati.
1265
1266         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1267
1268 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1269
1270         Unreviewed test gardening, address a syntax error in a new test.
1271
1272         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1273
1274 2018-12-17  Mark Lam  <mark.lam@apple.com>
1275
1276         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1277         https://bugs.webkit.org/show_bug.cgi?id=192776
1278         <rdar://problem/46772368>
1279
1280         Reviewed by Keith Miller.
1281
1282         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1283
1284 2018-12-17  Mark Lam  <mark.lam@apple.com>
1285
1286         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1287         https://bugs.webkit.org/show_bug.cgi?id=192770
1288         <rdar://problem/46449037>
1289
1290         Reviewed by Keith Miller.
1291
1292         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1293
1294 2018-12-14  Mark Lam  <mark.lam@apple.com>
1295
1296         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1297         https://bugs.webkit.org/show_bug.cgi?id=192717
1298         <rdar://problem/46660677>
1299
1300         Reviewed by Saam Barati.
1301
1302         * stress/regress-192717.js: Added.
1303
1304 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1305
1306         Unreviewed, rolling out r239153, r239154, and r239155.
1307         https://bugs.webkit.org/show_bug.cgi?id=192715
1308
1309         Caused flaky GC-related crashes seen with layout tests
1310         (Requested by ryanhaddad on #webkit).
1311
1312         Reverted changesets:
1313
1314         "[JSC] Optimize Object.keys by caching own keys results in
1315         StructureRareData"
1316         https://bugs.webkit.org/show_bug.cgi?id=190047
1317         https://trac.webkit.org/changeset/239153
1318
1319         "Unreviewed, build fix after r239153"
1320         https://bugs.webkit.org/show_bug.cgi?id=190047
1321         https://trac.webkit.org/changeset/239154
1322
1323         "Unreviewed, build fix after r239153, part 2"
1324         https://bugs.webkit.org/show_bug.cgi?id=190047
1325         https://trac.webkit.org/changeset/239155
1326
1327 2018-12-14  Keith Miller  <keith_miller@apple.com>
1328
1329         Callers of JSString::getIndex should check for OOM exceptions
1330         https://bugs.webkit.org/show_bug.cgi?id=192709
1331
1332         Reviewed by Mark Lam.
1333
1334         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1335
1336 2018-12-13  Mark Lam  <mark.lam@apple.com>
1337
1338         Add a missing exception check.
1339         https://bugs.webkit.org/show_bug.cgi?id=192626
1340         <rdar://problem/46662163>
1341
1342         Reviewed by Keith Miller.
1343
1344         * stress/regress-192626.js: Added.
1345
1346 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1347
1348         [BigInt] Add ValueDiv into DFG
1349         https://bugs.webkit.org/show_bug.cgi?id=186178
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * stress/big-int-div-jit-osr.js: Added.
1354         * stress/big-int-div-jit-untyped.js: Added.
1355         * stress/value-div-fixup-int32-big-int.js: Added.
1356
1357 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1358
1359         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1360         https://bugs.webkit.org/show_bug.cgi?id=190047
1361
1362         Reviewed by Keith Miller.
1363
1364         * stress/object-keys-cached-zero.js: Added.
1365         (shouldBe):
1366         (test):
1367         * stress/object-keys-changed-attribute.js: Added.
1368         (shouldBe):
1369         (test):
1370         * stress/object-keys-changed-index.js: Added.
1371         (shouldBe):
1372         (test):
1373         * stress/object-keys-changed.js: Added.
1374         (shouldBe):
1375         (test):
1376         * stress/object-keys-indexed-non-cache.js: Added.
1377         (shouldBe):
1378         (test):
1379         * stress/object-keys-overrides-get-property-names.js: Added.
1380         (shouldBe):
1381         (test):
1382         (noInline):
1383
1384 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1385
1386         [DFG][FTL] Add NewSymbol
1387         https://bugs.webkit.org/show_bug.cgi?id=192620
1388
1389         Reviewed by Saam Barati.
1390
1391         * microbenchmarks/symbol-creation.js: Added.
1392         (test):
1393         * stress/symbol-description-identity.js: Added.
1394         (shouldBe):
1395         (test):
1396         * stress/symbol-identity.js: Added.
1397         (shouldBe):
1398         (test):
1399         * stress/symbol-with-description-throw-error.js: Added.
1400         (shouldBe):
1401         (shouldThrow):
1402         (test):
1403         (object.toString):
1404
1405 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1406
1407         [BigInt] Implement DFG/FTL typeof for BigInt
1408         https://bugs.webkit.org/show_bug.cgi?id=192619
1409
1410         Reviewed by Keith Miller.
1411
1412         * stress/big-int-boolean-proven-type.js: Added.
1413         (assert):
1414         (bool):
1415         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1416         (assert):
1417         (typeOf):
1418         (i.switch):
1419         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1420         (assert):
1421         (typeOf):
1422         * stress/big-int-type-of.js:
1423         (typeOf):
1424         (func):
1425
1426 2018-12-10  Mark Lam  <mark.lam@apple.com>
1427
1428         PropertyAttribute needs a CustomValue bit.
1429         https://bugs.webkit.org/show_bug.cgi?id=191993
1430         <rdar://problem/46264467>
1431
1432         Reviewed by Saam Barati.
1433
1434         * stress/regress-191993.js: Added.
1435
1436 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1437
1438         [BigInt] Add ValueMul into DFG
1439         https://bugs.webkit.org/show_bug.cgi?id=186175
1440
1441         Reviewed by Yusuke Suzuki.
1442
1443         * stress/big-int-mul-jit-osr.js: Added.
1444         * stress/big-int-mul-jit-untyped.js: Added.
1445         * stress/value-mul-fixup-int32-big-int.js: Added.
1446
1447 2018-12-06  Keith Miller  <keith_miller@apple.com>
1448
1449         stress/big-wasm-memory tests failing on 32-bit JSC bot
1450         https://bugs.webkit.org/show_bug.cgi?id=192020
1451
1452         Reviewed by Saam Barati.
1453
1454         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1455         the wasm stress tests if the WebAssembly object does not exist.
1456
1457         * stress/big-wasm-memory-grow-no-max.js:
1458         (test.foo):
1459         (test):
1460         (foo): Deleted.
1461         (catch): Deleted.
1462         * stress/big-wasm-memory-grow.js:
1463         (test.foo):
1464         (test):
1465         (foo): Deleted.
1466         (catch): Deleted.
1467         * stress/big-wasm-memory.js:
1468         (test.foo):
1469         (test):
1470         (foo): Deleted.
1471         (catch): Deleted.
1472
1473 2018-12-05  Mark Lam  <mark.lam@apple.com>
1474
1475         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1476         https://bugs.webkit.org/show_bug.cgi?id=192441
1477         <rdar://problem/46480355>
1478
1479         Reviewed by Saam Barati.
1480
1481         * stress/regress-192441.js: Added.
1482
1483 2018-12-04  Mark Lam  <mark.lam@apple.com>
1484
1485         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1486         https://bugs.webkit.org/show_bug.cgi?id=192386
1487         <rdar://problem/46445516>
1488
1489         Reviewed by Saam Barati.
1490
1491         * stress/regress-192386.js: Added.
1492
1493 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1494
1495         [ESNext][BigInt] Support logic operations
1496         https://bugs.webkit.org/show_bug.cgi?id=179903
1497
1498         Reviewed by Yusuke Suzuki.
1499
1500         * stress/big-int-branch-usage.js: Added.
1501         * stress/big-int-logical-and.js: Added.
1502         * stress/big-int-logical-not.js: Added.
1503         * stress/big-int-logical-or.js: Added.
1504
1505 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1506
1507         Unreviewed, rolling out r238833.
1508
1509         Breaks macOS and iOS debug builds.
1510
1511         Reverted changeset:
1512
1513         "[ESNext][BigInt] Support logic operations"
1514         https://bugs.webkit.org/show_bug.cgi?id=179903
1515         https://trac.webkit.org/changeset/238833
1516
1517 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1518
1519         [ESNext][BigInt] Support logic operations
1520         https://bugs.webkit.org/show_bug.cgi?id=179903
1521
1522         Reviewed by Yusuke Suzuki.
1523
1524         * stress/big-int-branch-usage.js: Added.
1525         * stress/big-int-logical-and.js: Added.
1526         * stress/big-int-logical-not.js: Added.
1527         * stress/big-int-logical-or.js: Added.
1528
1529 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1530
1531         [ESNext][BigInt] Implement support for "<<" and ">>"
1532         https://bugs.webkit.org/show_bug.cgi?id=186233
1533
1534         Reviewed by Yusuke Suzuki.
1535
1536         * stress/big-int-left-shift-general.js: Added.
1537         * stress/big-int-left-shift-range-error.js: Added.
1538         * stress/big-int-left-shift-type-error.js: Added.
1539         * stress/big-int-left-shift-wrapped-value.js: Added.
1540         * stress/big-int-right-shift-general.js: Added.
1541         * stress/big-int-right-shift-type-error.js: Added.
1542         * stress/big-int-right-shift-wrapped-value.js: Added.
1543         * stress/left-shift-to-primitive-precedence.js: Added.
1544         * stress/right-shift-to-primitive-precedence.js: Added.
1545
1546 2018-11-30  Dean Jackson  <dino@apple.com>
1547
1548         Add first-class support for .mjs files in jsc binary
1549         https://bugs.webkit.org/show_bug.cgi?id=192190
1550         <rdar://problem/46375715>
1551
1552         Reviewed by Keith Miller.
1553
1554         * stress/simple-module.mjs: Added.
1555         * stress/simple-script.js: Added.
1556
1557 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1558
1559         [BigInt] Implement ValueBitXor into DFG
1560         https://bugs.webkit.org/show_bug.cgi?id=190264
1561
1562         Reviewed by Yusuke Suzuki.
1563
1564         * stress/big-int-bitwise-xor-jit.js: Added.
1565         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1566         * stress/big-int-bitwise-xor-untyped.js: Added.
1567
1568 2018-11-27  Saam barati  <sbarati@apple.com>
1569
1570         r238510 broke scopes of size zero
1571         https://bugs.webkit.org/show_bug.cgi?id=192033
1572         <rdar://problem/46281734>
1573
1574         Reviewed by Keith Miller.
1575
1576         * stress/r238510-bad-loop.js: Added.
1577         (foo):
1578
1579 2018-11-27  Mark Lam  <mark.lam@apple.com>
1580
1581         [Re-landing] NaNs read from Wasm code needs to be be purified.
1582         https://bugs.webkit.org/show_bug.cgi?id=191056
1583         <rdar://problem/45660341>
1584
1585         Reviewed by Filip Pizlo.
1586
1587         * wasm/regress/regress-191056.js: Added.
1588
1589 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1590
1591         Unreviewed, rolling out r238509.
1592
1593         Causes JSC tests to fail on iOS.
1594
1595         Reverted changeset:
1596
1597         "NaNs read from Wasm code needs to be be purified."
1598         https://bugs.webkit.org/show_bug.cgi?id=191056
1599         https://trac.webkit.org/changeset/238509
1600
1601 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1602
1603         Re-introduce op_bitnot
1604         https://bugs.webkit.org/show_bug.cgi?id=190923
1605
1606         Reviewed by Yusuke Suzuki.
1607
1608         * stress/bit-not-must-generate.js: Added.
1609         * stress/bitwise-not-no-int32.js: Added.
1610
1611 2018-11-26  Saam barati  <sbarati@apple.com>
1612
1613         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1614         https://bugs.webkit.org/show_bug.cgi?id=191956
1615         <rdar://problem/45665806>
1616
1617         Reviewed by Yusuke Suzuki.
1618
1619         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1620         (bar):
1621         (foo):
1622
1623 2018-11-26  Saam barati  <sbarati@apple.com>
1624
1625         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1626         https://bugs.webkit.org/show_bug.cgi?id=191958
1627         <rdar://problem/46221877>
1628
1629         Reviewed by Yusuke Suzuki.
1630
1631         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1632         (x):
1633         (foo):
1634
1635 2018-11-26  Mark Lam  <mark.lam@apple.com>
1636
1637         NaNs read from Wasm code needs to be be purified.
1638         https://bugs.webkit.org/show_bug.cgi?id=191056
1639         <rdar://problem/45660341>
1640
1641         Reviewed by Filip Pizlo.
1642
1643         * wasm/regress/regress-191056.js: Added.
1644
1645 2018-11-26  Michael Saboff  <msaboff@apple.com>
1646
1647         32-bit JSC test failure: stress/regexp-compile-oom.js
1648         https://bugs.webkit.org/show_bug.cgi?id=191375
1649
1650         Reviewed by Mark Lam.
1651
1652         Disabled the test for 32 bit platforms.
1653
1654         * stress/regexp-compile-oom.js:
1655
1656 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1657
1658         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1659         https://bugs.webkit.org/show_bug.cgi?id=191716
1660         <rdar://problem/45723878>
1661
1662         Reviewed by Saam Barati.
1663
1664         * stress/regress-187373.js: Added.
1665         (async.fn):
1666
1667 2018-11-21  Saam barati  <sbarati@apple.com>
1668
1669         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1670         https://bugs.webkit.org/show_bug.cgi?id=191897
1671         <rdar://problem/45871998>
1672
1673         Reviewed by Mark Lam.
1674
1675         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1676         (bar):
1677         (foo):
1678
1679 2018-11-21  Saam barati  <sbarati@apple.com>
1680
1681         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1682         https://bugs.webkit.org/show_bug.cgi?id=191895
1683         <rdar://problem/46167406>
1684
1685         Reviewed by Mark Lam.
1686
1687         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1688         (foo):
1689         (bar):
1690
1691 2018-11-21  Mark Lam  <mark.lam@apple.com>
1692
1693         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1694         https://bugs.webkit.org/show_bug.cgi?id=191776
1695         <rdar://problem/46152851>
1696
1697         Reviewed by Saam Barati.
1698
1699         * stress/big-wasm-memory-grow-no-max.js:
1700         * stress/big-wasm-memory-grow.js:
1701         * stress/big-wasm-memory.js:
1702         - updated these to expect an OutOfMemoryError.
1703
1704         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1705         (Binary.prototype.emit_u8):
1706         (Binary.prototype.emit_u32v):
1707         (Binary.prototype.emit_header):
1708         (Binary.prototype.emit_section):
1709         (Binary):
1710         (WasmModuleBuilder):
1711         (WasmModuleBuilder.prototype.addMemory):
1712         (WasmModuleBuilder.prototype.toArray):
1713         (WasmModuleBuilder.prototype.toBuffer):
1714         (WasmModuleBuilder.prototype.instantiate):
1715         (catch):
1716         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1717         (catch):
1718
1719 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1720
1721         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1722         https://bugs.webkit.org/show_bug.cgi?id=190836
1723
1724         Reviewed by Saam Barati and Yusuke Suzuki.
1725
1726         * stress/big-int-out-of-memory-tests.js: Added.
1727
1728 2018-11-20  Mark Lam  <mark.lam@apple.com>
1729
1730         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1731         https://bugs.webkit.org/show_bug.cgi?id=191856
1732         <rdar://problem/46089992>
1733
1734         Reviewed by Yusuke Suzuki.
1735
1736         * stress/regress-191856.js: Added.
1737         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1738
1739 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1740
1741         Enable JIT on ARM/Linux
1742         https://bugs.webkit.org/show_bug.cgi?id=191548
1743
1744         Reviewed by Yusuke Suzuki.
1745
1746         Disable test on system with limited memory. Program was killed by
1747         the OS before the exception was thrown.
1748
1749         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1750
1751 2018-11-20  Saam barati  <sbarati@apple.com>
1752
1753         Merging an IC variant may lead to the IC status containing overlapping structure sets
1754         https://bugs.webkit.org/show_bug.cgi?id=191869
1755         <rdar://problem/45403453>
1756
1757         Reviewed by Mark Lam.
1758
1759         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1760
1761 2018-11-19  Mark Lam  <mark.lam@apple.com>
1762
1763         globalFuncImportModule() should return a promise when it clears exceptions.
1764         https://bugs.webkit.org/show_bug.cgi?id=191792
1765         <rdar://problem/46090763>
1766
1767         Reviewed by Michael Saboff.
1768
1769         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1770
1771 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1772
1773         Skip new memory-hungry tests on memory limited devices
1774
1775         Unreviewed gardening.
1776
1777         * stress/big-wasm-memory-grow-no-max.js:
1778         * stress/big-wasm-memory-grow.js:
1779         * stress/big-wasm-memory.js:
1780
1781 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1782
1783         Unreviewed, rolling in the rest of r237254
1784         https://bugs.webkit.org/show_bug.cgi?id=190340
1785
1786         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1787         * stress/function-cache-with-parameters-end-position.js: Added.
1788         (shouldBe):
1789         (shouldThrow):
1790         (i.anonymous):
1791         * stress/function-constructor-name.js: Added.
1792         (shouldBe):
1793         (GeneratorFunction):
1794         (AsyncFunction.async):
1795         (AsyncGeneratorFunction.async):
1796         (anonymous):
1797         (async.anonymous):
1798         * test262/expectations.yaml:
1799
1800 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1801
1802         All users of ArrayBuffer should agree on the same max size
1803         https://bugs.webkit.org/show_bug.cgi?id=191771
1804
1805         Reviewed by Mark Lam.
1806
1807         * stress/big-wasm-memory-grow-no-max.js: Added.
1808         (foo):
1809         (catch):
1810         * stress/big-wasm-memory-grow.js: Added.
1811         (foo):
1812         (catch):
1813         * stress/big-wasm-memory.js: Added.
1814         (foo):
1815         (catch):
1816
1817 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1818
1819         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1820         run for each JSC config since they're regression tests for runtime bugs.
1821
1822         * stress/json-stringified-overflow-2.js:
1823         * stress/json-stringified-overflow.js:
1824
1825 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1826
1827         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1828         config since they're regression tests for runtime bugs.
1829
1830         * stress/large-unshift-splice.js:
1831         * stress/regress-185888.js:
1832
1833 2018-11-16  Saam Barati  <sbarati@apple.com>
1834
1835         KnownCellUse should also have SpecCellCheck as its type filter
1836         https://bugs.webkit.org/show_bug.cgi?id=191729
1837         <rdar://problem/45872852>
1838
1839         Reviewed by Filip Pizlo.
1840
1841         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1842         (C):
1843
1844 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1845
1846         Fix assertion failure on BytecodeGenerator::recordOpcode
1847         https://bugs.webkit.org/show_bug.cgi?id=191724
1848         <rdar://problem/45724395>
1849
1850         Reviewed by Saam Barati.
1851
1852         * stress/regress-187373-2.js: Added.
1853         (foo):
1854
1855 2018-11-15  Mark Lam  <mark.lam@apple.com>
1856
1857         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1858         https://bugs.webkit.org/show_bug.cgi?id=191730
1859         <rdar://problem/46048517>
1860
1861         Reviewed by Saam Barati.
1862
1863         * stress/regress-187006.js: Removed.
1864           - this test is invalid because its sole purpose is to test for the non-spec
1865             compliant behavior that we just fixed.
1866
1867         * stress/regress-191730.js: Added.
1868
1869 2018-11-15  Mark Lam  <mark.lam@apple.com>
1870
1871         RegExp operations should not take fast patch if lastIndex is not numeric.
1872         https://bugs.webkit.org/show_bug.cgi?id=191731
1873         <rdar://problem/46017305>
1874
1875         Reviewed by Saam Barati.
1876
1877         * stress/regress-191731.js: Added.
1878
1879 2018-11-13  Saam Barati  <sbarati@apple.com>
1880
1881         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1882         https://bugs.webkit.org/show_bug.cgi?id=191600
1883
1884         Reviewed by Mark Lam.
1885
1886         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1887         (foo):
1888         (test):
1889         (bar):
1890
1891 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1892
1893         Unreviewed, rolling out r238132.
1894
1895         The test added with this change is timing out on Debug JSC
1896         bots.
1897
1898         Reverted changeset:
1899
1900         "[BigInt] JSBigInt::createWithLength should throw when length
1901         is greater than JSBigInt::maxLength"
1902         https://bugs.webkit.org/show_bug.cgi?id=190836
1903         https://trac.webkit.org/changeset/238132
1904
1905 2018-11-13  Mark Lam  <mark.lam@apple.com>
1906
1907         Add OOM detection to StringPrototype's substituteBackreferences().
1908         https://bugs.webkit.org/show_bug.cgi?id=191563
1909         <rdar://problem/45720428>
1910
1911         Reviewed by Saam Barati.
1912
1913         * stress/regress-191563.js: Added.
1914
1915 2018-11-13  Mark Lam  <mark.lam@apple.com>
1916
1917         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1918         https://bugs.webkit.org/show_bug.cgi?id=191579
1919         <rdar://problem/45942472>
1920
1921         Reviewed by Saam Barati.
1922
1923         * stress/regress-191579.js: Added.
1924
1925 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1926
1927         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1928         https://bugs.webkit.org/show_bug.cgi?id=190836
1929
1930         Reviewed by Saam Barati.
1931
1932         * stress/big-int-out-of-memory-tests.js: Added.
1933
1934 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1935
1936         U+180E is no longer a whitespace character
1937         https://bugs.webkit.org/show_bug.cgi?id=191415
1938
1939         Reviewed by Saam Barati.
1940
1941         * ChakraCore/test/es5/regexSpace.baseline:
1942         * ChakraCore/test/es6/unicode_whitespace.js:
1943         Update tests to latest version.
1944         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1945
1946         * test262.yaml:
1947         * test262/config.yaml:
1948         * test262/expectations.yaml:
1949         Update expectations.
1950
1951 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1952
1953         [BigInt] Add support to BigInt into ValueAdd
1954         https://bugs.webkit.org/show_bug.cgi?id=186177
1955
1956         Reviewed by Keith Miller.
1957
1958         * stress/big-int-negate-jit.js:
1959         * stress/value-add-big-int-and-string.js: Added.
1960         * stress/value-add-big-int-prediction-propagation.js: Added.
1961         * stress/value-add-big-int-untyped.js: Added.
1962
1963 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1964
1965         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1966         https://bugs.webkit.org/show_bug.cgi?id=191184
1967
1968         Reviewed by Saam Barati.
1969
1970         Most tests were failing due to timeouts, since they are too slow to
1971         run on CLoop. The exceptions are:
1972
1973         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1974         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1975         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1976         to change the stack size since CLoop requires it to be page aligned.
1977
1978         * microbenchmarks/array-push-1.js:
1979         * microbenchmarks/array-push-2.js:
1980         * microbenchmarks/elidable-new-object-dag.js:
1981         * microbenchmarks/elidable-new-object-roflcopter.js:
1982         * microbenchmarks/elidable-new-object-tree.js:
1983         * microbenchmarks/getter-richards.js:
1984         * microbenchmarks/sinkable-new-object-dag.js:
1985         * microbenchmarks/string-concat-long-convert.js:
1986         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1987         * slowMicrobenchmarks/array-push-3.js:
1988         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1989         * slowMicrobenchmarks/spread-small-array.js:
1990         * slowMicrobenchmarks/undefined-property-access.js:
1991         * stress/activation-sink-default-value-tdz-error.js:
1992         * stress/activation-sink-default-value.js:
1993         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1994         * stress/activation-sink-osrexit-default-value.js:
1995         * stress/activation-sink-osrexit.js:
1996         * stress/activation-sink.js:
1997         * stress/allow-math-ic-b3-code-duplication.js:
1998         * stress/array-push-multiple-int32.js:
1999         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2000         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2001         * stress/arrowfunction-lexical-this-activation-sink.js:
2002         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2003         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2004         * stress/elide-new-object-dag-then-exit.js:
2005         * stress/materialize-regexp-cyclic.js:
2006         * stress/new-regex-inline.js:
2007         * stress/op_add.js:
2008         * stress/op_bitand.js:
2009         * stress/op_bitor.js:
2010         * stress/op_bitxor.js:
2011         * stress/op_div-ConstVar.js:
2012         * stress/op_div-VarConst.js:
2013         * stress/op_div-VarVar.js:
2014         * stress/op_lshift-ConstVar.js:
2015         * stress/op_lshift-VarConst.js:
2016         * stress/op_lshift-VarVar.js:
2017         * stress/op_mod-ConstVar.js:
2018         * stress/op_mod-VarConst.js:
2019         * stress/op_mod-VarVar.js:
2020         * stress/op_mul-ConstVar.js:
2021         * stress/op_mul-VarConst.js:
2022         * stress/op_mul-VarVar.js:
2023         * stress/op_rshift-ConstVar.js:
2024         * stress/op_rshift-VarConst.js:
2025         * stress/op_rshift-VarVar.js:
2026         * stress/op_sub-ConstVar.js:
2027         * stress/op_sub-VarConst.js:
2028         * stress/op_sub-VarVar.js:
2029         * stress/op_urshift-ConstVar.js:
2030         * stress/op_urshift-VarConst.js:
2031         * stress/op_urshift-VarVar.js:
2032         * stress/proxy-get-set-correct-receiver.js:
2033         * stress/regress-179562.js:
2034         * stress/rest-parameter-many-arguments.js:
2035         * stress/sampling-profiler-richards.js:
2036         * stress/splay-flash-access-1ms.js:
2037         * stress/tailCallForwardArguments.js:
2038         * stress/typed-array-get-by-val-profiling.js:
2039         * typeProfiler/getter-richards.js:
2040
2041 2018-11-06  Michael Saboff  <msaboff@apple.com>
2042
2043         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2044         https://bugs.webkit.org/show_bug.cgi?id=191271
2045
2046         Reviewed by Saam Barati.
2047
2048         Added more test cases and made all test cases run with the same deeply recursive stack
2049         instead of finding that same point for each test case.
2050
2051         * stress/regexp-compile-oom.js:
2052         (prototype.runTest):
2053         (recurseAndTest):
2054         (testList.push.new.TestAndExpectedException):
2055
2056 2018-11-05  Michael Saboff  <msaboff@apple.com>
2057
2058         Unreviewed build fix for linux.
2059
2060         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2061
2062 2018-11-02  Michael Saboff  <msaboff@apple.com>
2063
2064         Rolling in r237753 with unreviewed build fix.
2065
2066         Fixed issues with DECLARE_THROW_SCOPE placement.
2067
2068 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2069
2070         Unreviewed, rolling out r237753.
2071
2072         Introduced JSC test failures
2073
2074         Reverted changeset:
2075
2076         "Running out of stack space not properly handled in
2077         RegExp::compile() and its callers"
2078         https://bugs.webkit.org/show_bug.cgi?id=191206
2079         https://trac.webkit.org/changeset/237753
2080
2081 2018-11-02  Michael Saboff  <msaboff@apple.com>
2082
2083         Running out of stack space not properly handled in RegExp::compile() and its callers
2084         https://bugs.webkit.org/show_bug.cgi?id=191206
2085
2086         Reviewed by Filip Pizlo.
2087
2088         New regression test.
2089
2090         * stress/regexp-compile-oom.js: Added.
2091         (recurseAndTest):
2092
2093 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2094
2095         Skip tests on arm/mips that time out now we're running on CLoop
2096
2097         Unreviewed gardening.
2098
2099         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2100         time out on the bots and need to be disabled. There's more tests
2101         disabled on arm because the timeout is longer on the mips bot (as the
2102         device is slower to start with), so many of the tests don't time out
2103         there.
2104
2105         * microbenchmarks/getter-richards.js: disable on arm and mips.
2106         * stress/op_add.js: disable on arm.
2107         * stress/op_bitand.js: disable on arm.
2108         * stress/op_bitor.js: disable on arm.
2109         * stress/op_bitxor.js: disable on arm.
2110         * stress/op_lshift-ConstVar.js: disable on arm.
2111         * stress/op_lshift-VarConst.js: disable on arm.
2112         * stress/op_lshift-VarVar.js: disable on arm.
2113         * stress/op_mod-ConstVar.js: disable on arm.
2114         * stress/op_mod-VarConst.js: disable on arm.
2115         * stress/op_mod-VarVar.js: disable on arm.
2116         * stress/op_mul-ConstVar.js: disable on arm.
2117         * stress/op_mul-VarConst.js: disable on arm.
2118         * stress/op_mul-VarVar.js: disable on arm.
2119         * stress/op_rshift-ConstVar.js: disable on arm.
2120         * stress/op_rshift-VarConst.js: disable on arm.
2121         * stress/op_rshift-VarVar.js: disable on arm.
2122         * stress/op_sub-ConstVar.js: disable on arm.
2123         * stress/op_sub-VarConst.js: disable on arm.
2124         * stress/op_sub-VarVar.js: disable on arm.
2125         * stress/op_urshift-ConstVar.js: disable on arm.
2126         * stress/op_urshift-VarConst.js: disable on arm.
2127         * stress/op_urshift-VarVar.js: disable on arm.
2128         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2129         * stress/value-to-boolean.js: disable on arm and mips.
2130
2131 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2132
2133         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2134         https://bugs.webkit.org/show_bug.cgi?id=191108
2135         <rdar://problem/45690700>
2136
2137         Reviewed by Saam Barati.
2138
2139         * stress/wide-op_catch.js: Added.
2140         (catch):
2141
2142 2018-10-29  Mark Lam  <mark.lam@apple.com>
2143
2144         Correctly detect string overflow when using the 'Function' constructor.
2145         https://bugs.webkit.org/show_bug.cgi?id=184883
2146         <rdar://problem/36320331>
2147
2148         Reviewed by Saam Barati.
2149
2150         I've verified that this passes on 32-bit as well.
2151
2152         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2153
2154 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2155
2156         Add support for GetStack FlushedDouble
2157         https://bugs.webkit.org/show_bug.cgi?id=191012
2158         <rdar://problem/45265141>
2159
2160         Reviewed by Saam Barati.
2161
2162         * stress/get-stack-double.js: Added.
2163         (bar):
2164         (noInline):
2165
2166 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2167
2168         New bytecode format for JSC
2169         https://bugs.webkit.org/show_bug.cgi?id=187373
2170         <rdar://problem/44186758>
2171
2172         Reviewed by Filip Pizlo.
2173
2174         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2175
2176         * stress/maximum-inline-capacity.js: Added.
2177         (test1):
2178         (test3.Foo):
2179         (test3):
2180
2181 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2182
2183         Unreviewed, rolling out r237479 and r237484.
2184         https://bugs.webkit.org/show_bug.cgi?id=190978
2185
2186         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2187
2188         Reverted changesets:
2189
2190         "New bytecode format for JSC"
2191         https://bugs.webkit.org/show_bug.cgi?id=187373
2192         https://trac.webkit.org/changeset/237479
2193
2194         "Gardening: Build fix after r237479."
2195         https://bugs.webkit.org/show_bug.cgi?id=187373
2196         https://trac.webkit.org/changeset/237484
2197
2198 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2199
2200         New bytecode format for JSC
2201         https://bugs.webkit.org/show_bug.cgi?id=187373
2202         <rdar://problem/44186758>
2203
2204         Reviewed by Filip Pizlo.
2205
2206         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2207
2208         * stress/maximum-inline-capacity.js: Added.
2209         (test1):
2210         (test3.Foo):
2211         (test3):
2212
2213 2018-10-26  Mark Lam  <mark.lam@apple.com>
2214
2215         Fix missing edge cases with JSGlobalObjects having a bad time.
2216         https://bugs.webkit.org/show_bug.cgi?id=189028
2217         <rdar://problem/45204939>
2218
2219         Reviewed by Saam Barati.
2220
2221         * stress/regress-189028.js: Added.
2222
2223 2018-10-22  Mark Lam  <mark.lam@apple.com>
2224
2225         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2226         https://bugs.webkit.org/show_bug.cgi?id=190515
2227         <rdar://problem/45222379>
2228
2229         Rubber-stamped by Saam Barati.
2230
2231         Adding another test.
2232
2233         * stress/regress-190515-2.js: Added.
2234
2235 2018-10-22  Mark Lam  <mark.lam@apple.com>
2236
2237         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2238         https://bugs.webkit.org/show_bug.cgi?id=190515
2239         <rdar://problem/45222379>
2240
2241         Reviewed by Saam Barati.
2242
2243         * stress/regress-190515.js: Added.
2244
2245 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2246
2247         Unreviewed, rolling out r237254.
2248         https://bugs.webkit.org/show_bug.cgi?id=190760
2249
2250         "It regresses JetStream 2 by 5% on some iOS devices"
2251         (Requested by saamyjoon on #webkit).
2252
2253         Reverted changeset:
2254
2255         "[JSC] JSC should have "parseFunction" to optimize Function
2256         constructor"
2257         https://bugs.webkit.org/show_bug.cgi?id=190340
2258         https://trac.webkit.org/changeset/237254
2259
2260 2018-10-19  Saam Barati  <sbarati@apple.com>
2261
2262         vmCall should check if we exit before emitting an OSR exit due to exceptions
2263         https://bugs.webkit.org/show_bug.cgi?id=190740
2264         <rdar://problem/45220139>
2265
2266         Reviewed by Mark Lam.
2267
2268         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2269         (foo):
2270
2271 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2272
2273         [ESNext][BigInt] Implement support for "^"
2274         https://bugs.webkit.org/show_bug.cgi?id=186235
2275
2276         Reviewed by Yusuke Suzuki.
2277
2278         * stress/big-int-bitwise-xor-general.js: Added.
2279         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2280         * stress/big-int-bitwise-xor-type-error.js: Added.
2281         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2282
2283 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2284
2285         [BigInt] Add ValueSub into DFG
2286         https://bugs.webkit.org/show_bug.cgi?id=186176
2287
2288         Reviewed by Yusuke Suzuki.
2289
2290         * stress/big-int-subtraction-jit.js:
2291         * stress/value-sub-big-int-prediction-propagation.js: Added.
2292         * stress/value-sub-big-int-untyped.js: Added.
2293         * stress/value-sub-spec-none-case.js: Added.
2294
2295 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2296
2297         [JSC] JSC should have "parseFunction" to optimize Function constructor
2298         https://bugs.webkit.org/show_bug.cgi?id=190340
2299
2300         Reviewed by Mark Lam.
2301
2302         This patch fixes the line number of syntax errors raised by the Function constructor,
2303         since we now parse the final code only once. And we no longer use block statement
2304         for Function constructor's parsing.
2305
2306         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2307         * stress/function-cache-with-parameters-end-position.js: Added.
2308         (shouldBe):
2309         (shouldThrow):
2310         (i.anonymous):
2311         * stress/function-constructor-name.js: Added.
2312         (shouldBe):
2313         (GeneratorFunction):
2314         (AsyncFunction.async):
2315         (AsyncGeneratorFunction.async):
2316         (anonymous):
2317         (async.anonymous):
2318         * test262/expectations.yaml:
2319
2320 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2321
2322         Unreviewed, rolling out r237242.
2323         https://bugs.webkit.org/show_bug.cgi?id=190701
2324
2325         it breaks "stress/sampling-profiler-basic.js" (Requested by
2326         caiolima on #webkit).
2327
2328         Reverted changeset:
2329
2330         "[BigInt] Add ValueSub into DFG"
2331         https://bugs.webkit.org/show_bug.cgi?id=186176
2332         https://trac.webkit.org/changeset/237242
2333
2334 2018-10-17  Keith Miller  <keith_miller@apple.com>
2335
2336         AI does not clear Phantom allocation nodes.
2337         https://bugs.webkit.org/show_bug.cgi?id=190694
2338
2339         Reviewed by Saam Barati.
2340
2341         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2342         (Day):
2343         (DaysInYear):
2344         (TimeInYear):
2345         (TimeFromYear):
2346         (DayFromYear):
2347         (InLeapYear):
2348         (YearFromTime):
2349         (WeekDay):
2350         (DaylightSavingTA):
2351         (GetSecondSundayInMarch):
2352         (TimeInMonth):
2353
2354 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2355
2356         [BigInt] Add ValueSub into DFG
2357         https://bugs.webkit.org/show_bug.cgi?id=186176
2358
2359         Reviewed by Yusuke Suzuki.
2360
2361         * stress/big-int-subtraction-jit.js:
2362         * stress/value-sub-big-int-prediction-propagation.js: Added.
2363         * stress/value-sub-big-int-untyped.js: Added.
2364
2365 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2366
2367         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2368         https://bugs.webkit.org/show_bug.cgi?id=190611
2369
2370         Reviewed by Saam Barati.
2371
2372         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2373         to improve test runtime. On ARM/MIPS this test even timed out when running all
2374         tests.
2375
2376         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2377         (test):
2378
2379 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2380
2381         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2382
2383         Unreviewed gardening.
2384
2385         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2386
2387 2018-10-15  Saam barati  <sbarati@apple.com>
2388
2389         Emit fjcvtzs on ARM64E on Darwin
2390         https://bugs.webkit.org/show_bug.cgi?id=184023
2391
2392         Reviewed by Yusuke Suzuki and Filip Pizlo.
2393
2394         * stress/double-to-int32-NaN.js: Added.
2395         (assert):
2396         (foo):
2397
2398 2018-10-15  Saam Barati  <sbarati@apple.com>
2399
2400         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2401         https://bugs.webkit.org/show_bug.cgi?id=190262
2402         <rdar://problem/44986241>
2403
2404         Reviewed by Mark Lam.
2405
2406         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2407         (test):
2408         * stress/slice-array-storage-with-holes.js: Added.
2409         (main):
2410
2411 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2412
2413         Unreviewed, rolling out r237054.
2414         https://bugs.webkit.org/show_bug.cgi?id=190593
2415
2416         "this regressed JetStream 2 by 6% on iOS" (Requested by
2417         saamyjoon on #webkit).
2418
2419         Reverted changeset:
2420
2421         "[JSC] JSC should have "parseFunction" to optimize Function
2422         constructor"
2423         https://bugs.webkit.org/show_bug.cgi?id=190340
2424         https://trac.webkit.org/changeset/237054
2425
2426 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2427
2428         [JSC] JSON.stringify can accept call-with-no-arguments
2429         https://bugs.webkit.org/show_bug.cgi?id=190343
2430
2431         Reviewed by Mark Lam.
2432
2433         * stress/json-stringify-no-arguments.js: Added.
2434         (shouldBe):
2435
2436 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2437
2438         [JSC] JSC should have "parseFunction" to optimize Function constructor
2439         https://bugs.webkit.org/show_bug.cgi?id=190340
2440
2441         Reviewed by Mark Lam.
2442
2443         This patch fixes the line number of syntax errors raised by the Function constructor,
2444         since we now parse the final code only once. And we no longer use block statement
2445         for Function constructor's parsing.
2446
2447         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2448         * stress/function-cache-with-parameters-end-position.js: Added.
2449         (shouldBe):
2450         (shouldThrow):
2451         (i.anonymous):
2452         * stress/function-constructor-name.js: Added.
2453         (shouldBe):
2454         (GeneratorFunction):
2455         (AsyncFunction.async):
2456         (AsyncGeneratorFunction.async):
2457         (anonymous):
2458         (async.anonymous):
2459         * test262/expectations.yaml:
2460
2461 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2462
2463         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2464         https://bugs.webkit.org/show_bug.cgi?id=190426
2465
2466         Unreviewed gardening.
2467
2468         * stress/sampling-profiler-richards.js:
2469
2470 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2471
2472         [ESNext][BigInt] Implement support for "|"
2473         https://bugs.webkit.org/show_bug.cgi?id=186229
2474
2475         Reviewed by Yusuke Suzuki.
2476
2477         * stress/big-int-bitwise-and-jit.js:
2478         * stress/big-int-bitwise-or-general.js: Added.
2479         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2480         * stress/big-int-bitwise-or-jit.js: Added.
2481         * stress/big-int-bitwise-or-memory-stress.js: Added.
2482         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2483         * stress/big-int-bitwise-or-type-error.js: Added.
2484         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2485
2486 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2487
2488         Skip test on systems with limited memory
2489         https://bugs.webkit.org/show_bug.cgi?id=190310
2490
2491         Invoking runDefault adds test to runlist, skipping the test in the next
2492         line does not prevent the test from executing. Change order of lines such
2493         that runDefault is only executed if test is not executed.
2494
2495         Reviewed by Mark Lam.
2496
2497         * stress/regress-190187.js:
2498
2499 2018-10-03  Saam barati  <sbarati@apple.com>
2500
2501         lowXYZ in FTLLower should always filter the type of the incoming edge
2502         https://bugs.webkit.org/show_bug.cgi?id=189939
2503         <rdar://problem/44407030>
2504
2505         Reviewed by Michael Saboff.
2506
2507         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2508         (foo):
2509         (test):
2510
2511 2018-10-03  Mark Lam  <mark.lam@apple.com>
2512
2513         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2514         https://bugs.webkit.org/show_bug.cgi?id=190187
2515         <rdar://problem/42512909>
2516
2517         Reviewed by Michael Saboff.
2518
2519         * stress/regress-190187.js: Added.
2520
2521 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2522
2523         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2524         https://bugs.webkit.org/show_bug.cgi?id=190033
2525
2526         Reviewed by Yusuke Suzuki.
2527
2528         * stress/big-int-to-string.js:
2529
2530 2018-10-01  Mark Lam  <mark.lam@apple.com>
2531
2532         Function.toString() should also copy the source code Functions that are class definitions.
2533         https://bugs.webkit.org/show_bug.cgi?id=190186
2534         <rdar://problem/44733360>
2535
2536         Reviewed by Saam Barati.
2537
2538         * stress/regress-190186.js: Added.
2539
2540 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2541
2542         Split NaN-check into separate test
2543         https://bugs.webkit.org/show_bug.cgi?id=190010
2544
2545         Reviewed by Saam Barati.
2546
2547         DataView exposes NaN-representation, which is not necessarily the same on each
2548         architecture. Therefore move the check of the NaN-representation into its own
2549         file such that we can disable this test on MIPS where NaN-representation can be
2550         different on older CPUs.
2551
2552         * stress/dataview-jit-set-nan.js: Added.
2553         (assert):
2554         (test.storeLittleEndian):
2555         (test.storeBigEndian):
2556         (test.store):
2557         (test):
2558         * stress/dataview-jit-set.js:
2559         (test5):
2560
2561 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2562
2563         Unreviewed, rolling out r236647.
2564         https://bugs.webkit.org/show_bug.cgi?id=190124
2565
2566         Breaking test stress/big-int-to-string.js (Requested by
2567         caiolima_ on #webkit).
2568
2569         Reverted changeset:
2570
2571         "[BigInt] BigInt.proptotype.toString is broken when radix is
2572         power of 2"
2573         https://bugs.webkit.org/show_bug.cgi?id=190033
2574         https://trac.webkit.org/changeset/236647
2575
2576 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2577
2578         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2579         https://bugs.webkit.org/show_bug.cgi?id=190033
2580
2581         Reviewed by Yusuke Suzuki.
2582
2583         * stress/big-int-to-string.js:
2584
2585 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2586
2587         [ESNext][BigInt] Implement support for "&"
2588         https://bugs.webkit.org/show_bug.cgi?id=186228
2589
2590         Reviewed by Yusuke Suzuki.
2591
2592         * stress/big-int-bitwise-and-general.js: Added.
2593         (assert):
2594         (assert.sameValue):
2595         * stress/big-int-bitwise-and-jit.js: Added.
2596         (let.assert.sameValue):
2597         (bigIntBitAnd):
2598         * stress/big-int-bitwise-and-memory-stress.js: Added.
2599         (assert):
2600         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2601         (assert.sameValue):
2602         (let.o.Symbol.toPrimitive):
2603         (catch):
2604         * stress/big-int-bitwise-and-type-error.js: Added.
2605         (assert):
2606         (assertThrowTypeError):
2607         (let.o.valueOf):
2608         (o.valueOf):
2609         (o.toString):
2610         (o.Symbol.toPrimitive):
2611         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2612         (assert.sameValue):
2613         (testBitAnd):
2614         (let.o.Symbol.toPrimitive):
2615         (o.valueOf):
2616         (o.toString):
2617
2618 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2619
2620         JSC test stress/jsc-read.js doesn't support CRLF
2621         https://bugs.webkit.org/show_bug.cgi?id=190063
2622
2623         Reviewed by Yusuke Suzuki.
2624
2625         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2626
2627         * stress/jsc-read.js:
2628         (test):
2629
2630 2018-09-27  Saam barati  <sbarati@apple.com>
2631
2632         Verify the contents of AssemblerBuffer on arm64e
2633         https://bugs.webkit.org/show_bug.cgi?id=190057
2634         <rdar://problem/38916630>
2635
2636         Reviewed by Mark Lam.
2637
2638         * stress/regress-189132.js:
2639
2640 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2641
2642         Disable test without LLInt on ARMv7
2643         https://bugs.webkit.org/show_bug.cgi?id=190037
2644
2645         Reviewed by Mark Lam.
2646
2647         Test runs out of executable memory on ARMv7, do not run
2648         this test without LLInt enabled.
2649
2650         * stress/regress-169445.js:
2651
2652 2018-09-26  Keith Miller  <keith_miller@apple.com>
2653
2654         We should zero unused property storage when rebalancing array storage.
2655         https://bugs.webkit.org/show_bug.cgi?id=188151
2656
2657         Reviewed by Michael Saboff.
2658
2659         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2660
2661 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2662
2663         [JSC] Optimize Array#lastIndexOf
2664         https://bugs.webkit.org/show_bug.cgi?id=189780
2665
2666         Reviewed by Saam Barati.
2667
2668         * stress/array-lastindexof-array-prototype-trap.js: Added.
2669         (shouldBe):
2670         (AncestorArray.prototype.get 2):
2671         (AncestorArray):
2672         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2673         (shouldBe):
2674         * stress/array-lastindexof-hole-nan.js: Added.
2675         (shouldBe):
2676         (throw.new.Error):
2677         * stress/array-lastindexof-infinity.js: Added.
2678         (shouldBe):
2679         (throw.new.Error):
2680         * stress/array-lastindexof-negative-zero.js: Added.
2681         (shouldBe):
2682         (throw.new.Error):
2683         * stress/array-lastindexof-own-getter.js: Added.
2684         (shouldBe):
2685         (throw.new.Error.get array):
2686         (get array):
2687         * stress/array-lastindexof-prototype-trap.js: Added.
2688         (shouldBe):
2689         (DerivedArray.prototype.get 2):
2690         (DerivedArray):
2691
2692 2018-09-25  Saam Barati  <sbarati@apple.com>
2693
2694         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2695         https://bugs.webkit.org/show_bug.cgi?id=189940
2696         <rdar://problem/43640987>
2697
2698         Reviewed by Mark Lam.
2699
2700         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2701
2702 2018-09-24  Saam Barati  <sbarati@apple.com>
2703
2704         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2705         https://bugs.webkit.org/show_bug.cgi?id=189922
2706         <rdar://problem/44651275>
2707
2708         Reviewed by Mark Lam.
2709
2710         * stress/array-indexof-fast-path-effects.js: Added.
2711         * stress/array-indexof-cached-length.js: Added.
2712
2713 2018-09-24  Saam barati  <sbarati@apple.com>
2714
2715         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2716         https://bugs.webkit.org/show_bug.cgi?id=189682
2717         <rdar://problem/43557315>
2718
2719         Reviewed by Mark Lam.
2720
2721         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2722         (foo):
2723
2724 2018-09-22  Saam barati  <sbarati@apple.com>
2725
2726         The sampling should not use Strong<CodeBlock> in its machineLocation field
2727         https://bugs.webkit.org/show_bug.cgi?id=189319
2728
2729         Reviewed by Filip Pizlo.
2730
2731         * stress/sampling-profiler-richards.js: Added.
2732
2733 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2734
2735         [JSC] Optimize Array#indexOf in C++ runtime
2736         https://bugs.webkit.org/show_bug.cgi?id=189507
2737
2738         Reviewed by Saam Barati.
2739
2740         * stress/array-indexof-array-prototype-trap.js: Added.
2741         (shouldBe):
2742         (AncestorArray.prototype.get 2):
2743         (AncestorArray):
2744         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2745         (shouldBe):
2746         * stress/array-indexof-hole-nan.js: Added.
2747         (shouldBe):
2748         (throw.new.Error):
2749         * stress/array-indexof-infinity.js: Added.
2750         (shouldBe):
2751         (throw.new.Error):
2752         * stress/array-indexof-negative-zero.js: Added.
2753         (shouldBe):
2754         (throw.new.Error):
2755         * stress/array-indexof-own-getter.js: Added.
2756         (shouldBe):
2757         (throw.new.Error.get array):
2758         (get array):
2759         * stress/array-indexof-prototype-trap.js: Added.
2760         (shouldBe):
2761         (DerivedArray.prototype.get 2):
2762         (DerivedArray):
2763
2764 2018-09-19  Saam barati  <sbarati@apple.com>
2765
2766         AI rule for MultiPutByOffset executes its effects in the wrong order
2767         https://bugs.webkit.org/show_bug.cgi?id=189757
2768         <rdar://problem/43535257>
2769
2770         Reviewed by Michael Saboff.
2771
2772         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2773         (foo):
2774         (Foo):
2775         (g):
2776
2777 2018-09-17  Mark Lam  <mark.lam@apple.com>
2778
2779         Ensure that ForInContexts are invalidated if their loop local is over-written.
2780         https://bugs.webkit.org/show_bug.cgi?id=189571
2781         <rdar://problem/44402277>
2782
2783         Reviewed by Saam Barati.
2784
2785         * stress/regress-189571.js: Added.
2786
2787 2018-09-17  Saam barati  <sbarati@apple.com>
2788
2789         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2790         https://bugs.webkit.org/show_bug.cgi?id=189676
2791         <rdar://problem/39682897>
2792
2793         Reviewed by Michael Saboff.
2794
2795         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2796         (A):
2797         (K):
2798         (i.catch):
2799
2800 2018-09-14  Saam barati  <sbarati@apple.com>
2801
2802         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2803         https://bugs.webkit.org/show_bug.cgi?id=189628
2804         <rdar://problem/39481690>
2805
2806         Reviewed by Mark Lam.
2807
2808         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2809         (foo):
2810
2811 2018-09-11  Mark Lam  <mark.lam@apple.com>
2812
2813         Test for array initialization in arrayProtoFuncSplice.
2814         https://bugs.webkit.org/show_bug.cgi?id=170253
2815         <rdar://problem/31328773>
2816
2817         Rubber-stamped by Saam Barati.
2818
2819         * stress/regress-170253.js: Added.
2820
2821 2018-09-11  Mark Lam  <mark.lam@apple.com>
2822
2823         Test for IntlObject initialization.
2824         https://bugs.webkit.org/show_bug.cgi?id=170251
2825         <rdar://problem/31328419>
2826
2827         Rubber-stamped by Saam Barati.
2828
2829         * stress/regress-170251.js: Added.
2830
2831 2018-09-11  Mark Lam  <mark.lam@apple.com>
2832
2833         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2834         https://bugs.webkit.org/show_bug.cgi?id=169889
2835         <rdar://problem/31155607>
2836
2837         Reviewed by Saam Barati.
2838
2839         * stress/regress-169889-array-concat.js: Added.
2840         * stress/regress-169889-array-concat1.js: Added.
2841         * stress/regress-169889-array-slice.js: Added.
2842
2843 2018-09-11  Mark Lam  <mark.lam@apple.com>
2844
2845         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2846         https://bugs.webkit.org/show_bug.cgi?id=169445
2847         <rdar://problem/30957435>
2848
2849         Reviewed by Saam Barati.
2850
2851         * stress/regress-169445.js: Added.
2852         (let.gun.eval.A):
2853         (let.gun.eval.B.C):
2854         (let.gun.eval.B.C.prototype.trigger):
2855         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2856         (let.gun.eval.B):
2857         (let.gun.eval):
2858
2859 == Rolled over to ChangeLog-2018-09-11 ==