24e315628ffcc7c49a38089340925c19b73351d0
[WebKit-https.git] / JSTests / ChangeLog
1 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2
3         All prototypes should call didBecomePrototype()
4         https://bugs.webkit.org/show_bug.cgi?id=196315
5
6         Reviewed by Saam Barati.
7
8         * stress/function-prototype-indexed-accessor.js: Added.
9
10 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
11
12         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
13         https://bugs.webkit.org/show_bug.cgi?id=197631
14
15         Reviewed by Saam Barati.
16
17         * stress/has-own-property-arguments.js: Added.
18         (shouldBe):
19         (A):
20
21 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
22
23         [JSC] ClassExpr should not store result in the middle of evaluation
24         https://bugs.webkit.org/show_bug.cgi?id=199106
25
26         Reviewed by Tadeu Zagallo.
27
28         * stress/class-expression-should-store-result-at-last.js: Added.
29         (shouldThrow):
30         (shouldThrow.let.a):
31
32 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
33
34         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
35         https://bugs.webkit.org/show_bug.cgi?id=199044
36
37         Reviewed by Saam Barati.
38
39         Add wasm references spec tests as well as a worker test.
40
41         * wasm.yaml:
42         * wasm/Builder_WebAssemblyBinary.js:
43         (const.emitters.Element):
44         * wasm/js-api/element.js:
45         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
46         * wasm/references-spec-tests/ref_is_null.js: Added.
47         (hostref):
48         (is_hostref):
49         (is_funcref):
50         (eq_ref):
51         (let.handler.get target):
52         (register):
53         (module):
54         (instance):
55         (call):
56         (get instance):
57         (exports):
58         (run):
59         (assert_malformed):
60         (assert_invalid):
61         (assert_unlinkable):
62         (assert_uninstantiable):
63         (assert_trap):
64         (try.f):
65         (catch):
66         (assert_exhaustion):
67         (assert_return):
68         (assert_return_canonical_nan):
69         (assert_return_arithmetic_nan):
70         (assert_return_ref):
71         (assert_return_func):
72         * wasm/references-spec-tests/ref_null.js: Added.
73         (hostref):
74         (is_hostref):
75         (is_funcref):
76         (eq_ref):
77         (let.handler.get target):
78         (register):
79         (module):
80         (instance):
81         (call):
82         (get instance):
83         (exports):
84         (run):
85         (assert_malformed):
86         (assert_invalid):
87         (assert_unlinkable):
88         (assert_uninstantiable):
89         (assert_trap):
90         (try.f):
91         (catch):
92         (assert_exhaustion):
93         (assert_return):
94         (assert_return_canonical_nan):
95         (assert_return_arithmetic_nan):
96         (assert_return_ref):
97         (assert_return_func):
98         * wasm/references/element_parsing.js: Added.
99         (module):
100         * wasm/references/func_ref.js:
101         * wasm/references/multitable.js:
102         * wasm/references/table_misc.js:
103         (TableSize.0.End.End.WebAssembly):
104         * wasm/references/validation.js:
105         (assert.throws):
106
107 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
108
109         Optimize `resolve` method lookup in Promise static methods
110         https://bugs.webkit.org/show_bug.cgi?id=198864
111
112         Reviewed by Yusuke Suzuki.
113
114         * test262/expectations.yaml: Mark 18 test cases as passing.
115
116 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
117
118         [WASM-References] Rename anyfunc to funcref
119         https://bugs.webkit.org/show_bug.cgi?id=198983
120
121         Reviewed by Yusuke Suzuki.
122
123         * wasm/function-tests/basic-element.js:
124         * wasm/function-tests/context-switch.js:
125         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
126         (makeInstance):
127         (assert.eq.makeInstance):
128         * wasm/function-tests/exceptions.js:
129         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
130         * wasm/function-tests/grow-memory-2.js:
131         (assert.eq.instance.exports.foo):
132         * wasm/function-tests/nameSection.js:
133         (const.compile):
134         * wasm/function-tests/stack-overflow.js:
135         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
136         (assertOverflows.makeInstance):
137         * wasm/function-tests/table-basic-2.js:
138         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
139         * wasm/function-tests/table-basic.js:
140         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
141         * wasm/function-tests/trap-from-start-async.js:
142         * wasm/function-tests/trap-from-start.js:
143         * wasm/js-api/Module.exports.js:
144         (assert.truthy):
145         * wasm/js-api/Module.imports.js:
146         (assert.truthy):
147         * wasm/js-api/call-indirect.js:
148         (const.oneTable):
149         (const.multiTable):
150         (multiTable.const.makeTable):
151         (multiTable):
152         (multiTable.Polyphic2Import):
153         (multiTable.VirtualImport):
154         * wasm/js-api/element-data.js:
155         * wasm/js-api/element.js:
156         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
157         (assert.throws):
158         (badInstantiation.makeModule):
159         (badInstantiation.test):
160         (badInstantiation):
161         * wasm/js-api/extension-MemoryMode.js:
162         * wasm/js-api/table.js:
163         (new.WebAssembly.Module):
164         (assert.throws):
165         (assertBadTableImport):
166         (assert.throws.WebAssembly.Table.prototype.grow):
167         (new.WebAssembly.Table):
168         (assertBadTable):
169         (assert.truthy):
170         * wasm/js-api/test_basic_api.js:
171         (const.c.in.constructorProperties.switch):
172         * wasm/js-api/unique-signature.js:
173         (CallIndirectWithDuplicateSignatures):
174         * wasm/js-api/wrapper-function.js:
175         * wasm/modules/table.wat:
176         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
177         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
178         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
179         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
180         * wasm/references/anyref_table.js:
181         * wasm/references/anyref_table_import.js:
182         (doSet):
183         (assert.throws):
184         * wasm/references/func_ref.js:
185         (makeFuncrefIdent):
186         (assert.eq.instance.exports.fix):
187         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
188         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
189         (let.importedFun.of):
190         (makeAnyfuncIdent): Deleted.
191         (makeAnyfuncIdent.fun): Deleted.
192         * wasm/references/multitable.js:
193         (assert.eq):
194         (assert.throws):
195         * wasm/references/table_misc.js:
196         (GetLocal.0.TableFill.0.End.End.WebAssembly):
197         * wasm/references/validation.js:
198         (assert.throws.new.WebAssembly.Module.bin):
199         (assert.throws):
200         * wasm/spec-harness/index.js:
201         * wasm/spec-harness/wasm-constants.js:
202         * wasm/spec-harness/wasm-module-builder.js:
203         (WasmModuleBuilder.prototype.toArray):
204         * wasm/spec-harness/wast.js:
205         (elem_type):
206         (string_of_elem_type):
207         (string_of_table_type):
208         * wasm/spec-tests/jsapi.js:
209         * wasm/stress/wasm-table-grow-initialize.js:
210         * wasm/wasm.json:
211
212 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
213
214         [WASM-References] Add support for Table.size, grow and fill instructions
215         https://bugs.webkit.org/show_bug.cgi?id=198761
216
217         Reviewed by Yusuke Suzuki.
218
219         * wasm/Builder_WebAssemblyBinary.js:
220         (const.putOp):
221         * wasm/references/table_misc.js: Added.
222         (TableSize.End.End.WebAssembly):
223         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
224         * wasm/wasm.json:
225
226 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
227
228         [WASM-References] Add support for multiple tables
229         https://bugs.webkit.org/show_bug.cgi?id=198760
230
231         Reviewed by Saam Barati.
232
233         * wasm/Builder.js:
234         * wasm/js-api/call-indirect.js:
235         (const.oneTable):
236         (const.multiTable):
237         (multiTable):
238         (multiTable.Polyphic2Import):
239         (multiTable.VirtualImport):
240         (const.wasmModuleWhichImportJS): Deleted.
241         (const.makeTable): Deleted.
242         (): Deleted.
243         (Polyphic2Import): Deleted.
244         (VirtualImport): Deleted.
245         * wasm/js-api/table.js:
246         (new.WebAssembly.Module):
247         (assert.throws):
248         (assertBadTableImport):
249         (assert.truthy):
250         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
251         * wasm/references/anyref_table.js:
252         * wasm/references/anyref_table_import.js:
253         (makeImport):
254         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
255         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
256         * wasm/references/multitable.js: Added.
257         (assert.throws.1.exports.set_tbl0):
258         (assert.throws):
259         (assert.eq):
260         * wasm/references/validation.js:
261         (assert.throws.new.WebAssembly.Module.bin):
262         (assert.throws):
263         * wasm/spec-tests/imports.wast.js:
264         * wasm/wasm.json:
265
266         * wasm/Builder.js:
267         * wasm/js-api/call-indirect.js:
268         (const.oneTable):
269         (const.multiTable):
270         (multiTable):
271         (multiTable.Polyphic2Import):
272         (multiTable.VirtualImport):
273         (const.wasmModuleWhichImportJS): Deleted.
274         (const.makeTable): Deleted.
275         (): Deleted.
276         (Polyphic2Import): Deleted.
277         (VirtualImport): Deleted.
278         * wasm/js-api/table.js:
279         (new.WebAssembly.Module):
280         (assert.throws):
281         (assertBadTableImport):
282         (assert.truthy):
283         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
284         * wasm/references/anyref_table.js:
285         * wasm/references/anyref_table_import.js:
286         (makeImport):
287         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
288         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
289         * wasm/references/func_ref.js:
290         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
291         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
292         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
293         * wasm/references/multitable.js: Added.
294         (assert.throws.1.exports.set_tbl0):
295         (assert.throws):
296         (assert.eq):
297         (string_appeared_here.tableInsanity):
298         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
299         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
300         * wasm/references/validation.js:
301         (assert.throws.new.WebAssembly.Module.bin):
302         (assert.throws):
303         * wasm/spec-tests/imports.wast.js:
304         * wasm/wasm.json:
305
306 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
307
308         [ESNExt] String.prototype.matchAll
309         https://bugs.webkit.org/show_bug.cgi?id=186694
310
311         Reviewed by Yusuke Suzuki.
312
313         Implement String.prototype.matchAll.
314         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
315
316         * test262/config.yaml:
317
318 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
319
320         DFG code should not reify the names of builtin functions with private names
321         https://bugs.webkit.org/show_bug.cgi?id=198849
322         <rdar://problem/51733890>
323
324         Reviewed by Filip Pizlo.
325
326         * stress/builtin-private-function-name.js: Added.
327         (then):
328         (PromiseLike):
329
330 2019-06-18  Keith Miller  <keith_miller@apple.com>
331
332         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
333         https://bugs.webkit.org/show_bug.cgi?id=198969
334         <rdar://problem/51620714>
335
336         Reviewed by Tadeu Zagallo.
337
338         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
339         (catch):
340
341 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
342
343         Validate that table element type is funcref if using an element section
344         https://bugs.webkit.org/show_bug.cgi?id=198910
345
346         Reviewed by Yusuke Suzuki.
347
348         * wasm/references/anyref_table.js:
349
350 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
351
352         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
353         https://bugs.webkit.org/show_bug.cgi?id=197378
354
355         Reviewed by Saam Barati.
356
357         * stress/disposable-call-site-index-with-call-and-this.js: Added.
358         (foo):
359         (bar):
360         * stress/disposable-call-site-index.js: Added.
361         (foo):
362         (bar):
363
364 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
365
366         [WASM-References] Add support for Funcref in parameters and return types
367         https://bugs.webkit.org/show_bug.cgi?id=198157
368
369         Reviewed by Yusuke Suzuki.
370
371         * wasm/Builder.js:
372         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
373         * wasm/references/anyref_globals.js:
374         * wasm/references/func_ref.js: Added.
375         (fullGC.gc.makeExportedFunction):
376         (makeExportedIdent):
377         (makeAnyfuncIdent):
378         (fun):
379         (assert.eq.instance.exports.fix.fun):
380         (assert.eq.instance.exports.fix):
381         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
382         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
383         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
384         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
385         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
386         (assert.throws):
387         (assert.throws.doTest):
388         (let.importedFun.of):
389         (makeAnyfuncIdent.fun):
390         * wasm/references/validation.js:
391         (assert.throws):
392         * wasm/wasm.json:
393
394 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
395
396         Update test262 tests (2019.06.13)
397         https://bugs.webkit.org/show_bug.cgi?id=198821
398
399         Reviewed by Konstantin Tokarev.
400
401         * test262/expectations.yaml:
402         * test262/harness/:
403         * test262/latest-changes-summary.txt:
404         * test262/test/:
405         * test262/test262-Revision.txt:
406
407 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
408
409         [JSC] Grown region of WasmTable should be initialized with null
410         https://bugs.webkit.org/show_bug.cgi?id=198903
411
412         Reviewed by Saam Barati.
413
414         * wasm/stress/wasm-table-grow-initialize.js: Added.
415         (shouldBe):
416
417 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
418
419         Yarr bytecode compilation failure should be gracefully handled
420         https://bugs.webkit.org/show_bug.cgi?id=198700
421
422         Reviewed by Michael Saboff.
423
424         * stress/regexp-bytecode-compilation-fail.js: Added.
425         (shouldThrow):
426
427 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
428
429         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
430         https://bugs.webkit.org/show_bug.cgi?id=198770
431
432         Reviewed by Saam Barati.
433
434         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
435         (test):
436
437 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
438
439         JSC should throw if proxy set returns falsish in strict mode context
440         https://bugs.webkit.org/show_bug.cgi?id=177398
441
442         Reviewed by Yusuke Suzuki.
443
444         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
445         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
446
447         * stress/proxy-set.js: Add 2 test cases.
448         * stress/regexp-match-proxy.js: Fix test.
449         * stress/regexp-replace-proxy.js: Fix test.
450
451 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
452
453         Error message for non-callable Proxy `construct` trap is misleading
454         https://bugs.webkit.org/show_bug.cgi?id=198637
455
456         Reviewed by Saam Barati.
457
458         * stress/proxy-construct.js:
459
460 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
461
462         AI BitURShift's result should not be unsigned
463         https://bugs.webkit.org/show_bug.cgi?id=198689
464         <rdar://problem/51550063>
465
466         Reviewed by Saam Barati.
467
468         * stress/urshift-int32-overflow.js: Added.
469         (foo.):
470         (foo):
471
472 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
473
474         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
475
476         Unreviewed gardening.
477
478         * stress/ftl-gettypedarrayoffset-wasteful.js:
479         Skipped on arm/linux as it always times out on the bot since a change
480         between r246270 and r246278 inclusive.
481
482 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
483
484         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
485         https://bugs.webkit.org/show_bug.cgi?id=198023
486
487         Reviewed by Saam Barati.
488
489         * stress/reparsing-unlinked-codeblock.js: Added.
490         (shouldBe):
491         (hello):
492
493 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
494
495         [JSC] Use mergePrediction in ValuePow prediction propagation
496         https://bugs.webkit.org/show_bug.cgi?id=198648
497
498         Reviewed by Saam Barati.
499
500         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
501
502 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
503
504         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
505         https://bugs.webkit.org/show_bug.cgi?id=198581
506         <rdar://problem/51099753>
507
508         Reviewed by Saam Barati.
509
510         * stress/global-object-proto-getter.js: Added.
511         (f):
512         (test):
513
514 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
515
516         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
517         https://bugs.webkit.org/show_bug.cgi?id=198398
518
519         Reviewed by Saam Barati.
520
521         * wasm/references/anyref_table.js: Added.
522         (string_appeared_here.doGCSet):
523         (doGCTest):
524         (doGCSet.doGCTest.let.count.0.doBarrierSet):
525         * wasm/references/anyref_table_import.js: Added.
526         (makeImport):
527         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
528         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
529         * wasm/references/is_null_error.js: Removed.
530         * wasm/references/validation.js: Added.
531         (assert.throws.new.WebAssembly.Module.bin):
532         (assert.throws):
533         * wasm/wasm.json:
534
535 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
536
537         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
538         https://bugs.webkit.org/show_bug.cgi?id=198106
539
540         Reviewed by Saam Barati.
541
542         * wasm/regress/selectf64.js: Added.
543         * wasm/regress/selectf64.wasm: Added.
544         * wasm/regress/selectf64.wat: Added.
545
546 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
547
548         Argument elimination should check transitive dependents for interference
549         https://bugs.webkit.org/show_bug.cgi?id=198520
550         <rdar://problem/50863343>
551
552         Reviewed by Filip Pizlo.
553
554         * stress/argument-elimination-inline-rest-past-kill.js: Added.
555         (f2):
556         (f3):
557
558 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
559
560         Argument elimination should check for negative indices in GetByVal
561         https://bugs.webkit.org/show_bug.cgi?id=198302
562         <rdar://problem/51188095>
563
564         Reviewed by Filip Pizlo.
565
566         * stress/eliminate-arguments-negative-rest-access.js: Added.
567         (inlinee):
568         (opt):
569
570 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
571
572         [ESNext][BigInt] Implement support for "**"
573         https://bugs.webkit.org/show_bug.cgi?id=190799
574
575         Reviewed by Saam Barati.
576
577         * stress/big-int-exp-basic.js: Added.
578         * stress/big-int-exp-jit-osr.js: Added.
579         * stress/big-int-exp-jit-untyped.js: Added.
580         * stress/big-int-exp-jit.js: Added.
581         * stress/big-int-exp-negative-exponent.js: Added.
582         * stress/big-int-exp-to-primitive.js: Added.
583         * stress/big-int-exp-type-error.js: Added.
584         * stress/big-int-exp-wrapped-value.js: Added.
585         * stress/value-pow-ai-rule.js: Added.
586
587 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
588
589         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
590         https://bugs.webkit.org/show_bug.cgi?id=197979
591
592         Reviewed by Filip Pizlo.
593
594         * stress/16bit-code.js: Added.
595         (shouldBe):
596         * stress/32bit-code.js: Added.
597         (shouldBe):
598
599 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
600
601         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
602         https://bugs.webkit.org/show_bug.cgi?id=198355
603
604         Reviewed by Saam Barati.
605
606         * wasm/references/is_null.js:
607
608 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
609
610         [PlayStation] Skip additional tests on PlayStation
611         https://bugs.webkit.org/show_bug.cgi?id=198352
612
613         Reviewed by Don Olmstead.
614
615         Skip pow test on PlayStation due to behavior difference in standard library.
616         Skip incremental marking test due to OOM on PlayStation systems.
617
618         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
619         * stress/math-pow-with-constants.js:
620         * stress/pow-with-constants.js:
621
622 2019-05-28  Dean Jackson  <dino@apple.com>
623
624         Implement Promise.allSettled
625         https://bugs.webkit.org/show_bug.cgi?id=197600
626         <rdar://problem/50483885>
627
628         Reviewed by Keith Miller.
629
630         Start testing Promise.allSettled. We pass most of the tests.
631         The ones that fail are similar to the Promise.all tests we already fail.
632
633         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
634         * test262/expectations.yaml: Add new expectations for allSettled tests.
635
636 2019-05-28  Michael Saboff  <msaboff@apple.com>
637
638         [YARR] Properly handle RegExp's that require large ParenContext space
639         https://bugs.webkit.org/show_bug.cgi?id=198065
640
641         Reviewed by Keith Miller.
642
643         New test.
644
645         * stress/regexp-large-paren-context.js: Added.
646         (testLargeRegExp):
647
648 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
649
650         JITOperations putByVal should mark negative array indices as out-of-bounds
651         https://bugs.webkit.org/show_bug.cgi?id=198271
652
653         Reviewed by Saam Barati.
654
655         * microbenchmarks/get-by-val-negative-array-index.js:
656         (foo):
657         Update the getByVal microbenchmark added in r245769. This now shows that r245769
658         is 4.2x faster than the previous commit.
659
660         * microbenchmarks/put-by-val-negative-array-index.js: Added.
661         (foo):
662
663 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
664
665         JITOperations getByVal should mark negative array indices as out-of-bounds
666         https://bugs.webkit.org/show_bug.cgi?id=198229
667
668         Reviewed by Saam Barati.
669
670         * microbenchmarks/get-by-val-negative-array-index.js: Added.
671         (foo):
672
673 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
674
675         [WASM-References] Support Anyref in globals
676         https://bugs.webkit.org/show_bug.cgi?id=198102
677
678         Reviewed by Saam Barati.
679
680         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
681
682         * wasm/Builder.js:
683         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
684         * wasm/Builder_WebAssemblyBinary.js:
685         (const.putInitExpr):
686         * wasm/references/anyref_globals.js: Added.
687         (GetGlobal.0.End.End.WebAssembly):
688         (5.doGCSet):
689         (doGCTest):
690         (doGCSet.doGCTest.let.count.0.doBarrierSet):
691
692 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
693
694         DFG::OSREntry should not perform arity check
695         https://bugs.webkit.org/show_bug.cgi?id=198189
696
697         Reviewed by Saam Barati.
698
699         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
700         (foo):
701
702 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
703
704         [PlayStation] Skip additional tests on PlayStation
705         https://bugs.webkit.org/show_bug.cgi?id=198145
706
707         Reviewed by Ross Kirsling.
708
709         * exceptionFuzz.yaml:
710         Add skip on hostOS playstation
711         * executableAllocationFuzz.yaml:
712         Add skip on hostOS playstation
713
714 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
715
716         createListFromArrayLike should throw if value is not an object
717         https://bugs.webkit.org/show_bug.cgi?id=198138
718
719         Reviewed by Yusuke Suzuki.
720
721         * stress/create-list-from-array-like-not-object.js: Added.
722         (testValid):
723         (testInvalid):
724         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
725         (opt):
726         * stress/proxy-proto-enumerator.js: Added.
727         (main):
728         * stress/proxy-proto-own-keys.js: Added.
729         (assert):
730         (ownKeys):
731
732 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
733
734         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
735         https://bugs.webkit.org/show_bug.cgi?id=197809
736
737         Reviewed by Michael Saboff.
738
739         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
740         (foo):
741
742 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
743
744         [ESNext] Implement support for Numeric Separators
745         https://bugs.webkit.org/show_bug.cgi?id=196351
746
747         Reviewed by Keith Miller.
748
749         * stress/numeric-literal-separators.js: Added.
750         Add tests for feature.
751
752         * test262/expectations.yaml:
753         Mark 60 test cases as passing.
754
755 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
756
757         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
758         https://bugs.webkit.org/show_bug.cgi?id=198120
759         <rdar://problem/49668795>
760
761         Reviewed by Michael Saboff.
762
763         * stress/get-array-length-concurrently-change-mode.js: Added.
764         (main):
765
766 2019-05-22  Commit Queue  <commit-queue@webkit.org>
767
768         Unreviewed, rolling out r245634.
769         https://bugs.webkit.org/show_bug.cgi?id=198140
770
771         'This patch makes JSC crash on launch in debug builds'
772         (Requested by tadeuzagallo on #webkit).
773
774         Reverted changeset:
775
776         "[ESNext] Implement support for Numeric Separators"
777         https://bugs.webkit.org/show_bug.cgi?id=196351
778         https://trac.webkit.org/changeset/245634
779
780 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
781
782         Stack-buffer-overflow in decodeURIComponent
783         https://bugs.webkit.org/show_bug.cgi?id=198109
784         <rdar://problem/50397550>
785
786         Reviewed by Michael Saboff.
787
788         * stress/decode-uri-icu-count-trail-bytes.js: Added.
789         (i.j.try.i.toString):
790         (i.j.catch):
791
792 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
793
794         Don't clear PropertyNameArray in Proxy code
795         https://bugs.webkit.org/show_bug.cgi?id=197691
796
797         Reviewed by Saam Barati.
798
799         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
800         (shouldBe):
801         (opt):
802
803 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
804
805         [ESNext] Implement support for Numeric Separators
806         https://bugs.webkit.org/show_bug.cgi?id=196351
807
808         Reviewed by Keith Miller.
809
810         * stress/numeric-literal-separators.js: Added.
811         Add tests for feature.
812
813         * test262/expectations.yaml:
814         Mark 60 test cases as passing.
815
816 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
817
818         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
819         https://bugs.webkit.org/show_bug.cgi?id=198101
820
821         Reviewed by Michael Saboff.
822
823         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
824         (shouldBe):
825
826 2019-05-20  Keith Miller  <keith_miller@apple.com>
827
828         Cleanup Yarr regexp code around paren contexts.
829         https://bugs.webkit.org/show_bug.cgi?id=198063
830
831         Reviewed by Yusuke Suzuki.
832
833         * stress/regexp-many-named-sequential-capture-groups.js: Added.
834         (i.s):
835         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
836
837 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
838
839         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
840         https://bugs.webkit.org/show_bug.cgi?id=197969
841
842         Reviewed by Keith Miller.
843
844         Support the anyref type in Builder.js, plus add some extra error logging.
845         Add new folder for wasm references tests.
846
847         * wasm.yaml:
848         * wasm/Builder.js:
849         (const._isValidValue):
850         * wasm/references/anyref_modules.js: Added.
851         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
852         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
853         (Call.3.RefIsNull.End.End.WebAssembly):
854         (undefined):
855         * wasm/references/is_null.js: Added.
856         * wasm/references/is_null_error.js: Added.
857         * wasm/spec-harness/index.js:
858         * wasm/wasm.json:
859
860 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
861
862         [JSC] Invalid AssignmentTargetType should be an early error.
863         https://bugs.webkit.org/show_bug.cgi?id=197603
864
865         Reviewed by Keith Miller.
866
867         * test262/expectations.yaml:
868         Update expectations to reflect new SyntaxErrors.
869         (Ideally, these should all be viewed as passing in the near future.)
870
871         * stress/async-await-basic.js:
872         * stress/big-int-literals.js:
873         Update tests to reflect new SyntaxErrors.
874
875         * ChakraCore.yaml:
876         * ChakraCore/test/EH/try6.baseline-jsc:
877         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
878         Update baselines to reflect new SyntaxErrors.
879
880 2019-05-15  Saam Barati  <sbarati@apple.com>
881
882         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
883         https://bugs.webkit.org/show_bug.cgi?id=197855
884         <rdar://problem/50236506>
885
886         Reviewed by Michael Saboff.
887
888         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
889         (f0):
890         (bar):
891         (foo):
892         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
893         (f1):
894         (f2):
895         (foo):
896
897 2019-05-14  Keith Miller  <keith_miller@apple.com>
898
899         Fix issue with byteOffset on ARM64E
900         https://bugs.webkit.org/show_bug.cgi?id=197884
901
902         Reviewed by Saam Barati.
903
904         We didn't have any tests that run with non-byte/non-zero offset
905         typed arrays.
906
907         * stress/ftl-gettypedarrayoffset-wasteful.js:
908
909 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
910
911         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
912         https://bugs.webkit.org/show_bug.cgi?id=197833
913
914         Reviewed by Darin Adler.
915
916         * stress/generator-name.js: Added.
917         (shouldBe):
918         (gen):
919         (catch):
920
921 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
922
923         JSObject::getOwnPropertyDescriptor is missing an exception check
924         https://bugs.webkit.org/show_bug.cgi?id=197693
925         <rdar://problem/50441784>
926
927         Reviewed by Saam Barati.
928
929         * stress/proxy-spread.js: Added.
930         (foo):
931
932 2019-05-10  Saam barati  <sbarati@apple.com>
933
934         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
935         https://bugs.webkit.org/show_bug.cgi?id=197807
936         <rdar://problem/50530400>
937
938         Reviewed by Yusuke Suzuki.
939
940         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
941         (test.getInstance):
942         (test):
943
944 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
945
946         [Test262] Unreviewed expectations update following r245188.
947
948         * test262/config.yaml:
949         * test262/expectations.yaml:
950
951         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
952         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
953         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
954         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
955         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
956         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
957         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
958         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
959         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
960         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
961         These files have invalid YAML comments. Will also submit corrections back to Test262.
962
963 2019-05-10  Keith Miller  <keith_miller@apple.com>
964
965         Update test262 tests.
966
967         Rubber-stamped by Yusuke Suzuki.
968
969         * test262/*: mega-patch too many things to list individually.
970
971 2019-05-09  Keith Miller  <keith_miller@apple.com>
972
973         Unreview, fix test to have a try-catch.
974
975         * stress/many-nested-functions-parser-stack-overflow.js:
976         (catch):
977
978 2019-05-09  Keith Miller  <keith_miller@apple.com>
979
980         parseStatementListItem needs a stack overflow check
981         https://bugs.webkit.org/show_bug.cgi?id=197749
982
983         Reviewed by Saam Barati.
984
985         * stress/many-nested-functions-parser-stack-overflow.js: Added.
986
987 2019-05-08  Saam barati  <sbarati@apple.com>
988
989         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
990         https://bugs.webkit.org/show_bug.cgi?id=197715
991         <rdar://problem/50399252>
992
993         Reviewed by Filip Pizlo.
994
995         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
996         (foo):
997         (bar):
998
999 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1000
1001         Unreviewed, rolling out r245068.
1002
1003         Caused debug layout tests to exit early due to an assertion
1004         failure.
1005
1006         Reverted changeset:
1007
1008         "All prototypes should call didBecomePrototype()"
1009         https://bugs.webkit.org/show_bug.cgi?id=196315
1010         https://trac.webkit.org/changeset/245068
1011
1012 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
1013
1014         Invalid DFG JIT genereation in high CPU usage state
1015         https://bugs.webkit.org/show_bug.cgi?id=197453
1016
1017         Reviewed by Saam Barati.
1018
1019         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
1020         (trigger):
1021         (main):
1022
1023 2019-05-08  Robin Morisset  <rmorisset@apple.com>
1024
1025         All prototypes should call didBecomePrototype()
1026         https://bugs.webkit.org/show_bug.cgi?id=196315
1027
1028         Reviewed by Saam Barati.
1029
1030         This changelog already landed, but the commit was missing the actual changes.
1031
1032         * stress/function-prototype-indexed-accessor.js: Added.
1033
1034 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
1035
1036         [BigInt] Add ValueMod into DFG
1037         https://bugs.webkit.org/show_bug.cgi?id=186174
1038
1039         Reviewed by Saam Barati.
1040
1041         * microbenchmarks/mod-untyped.js: Added.
1042         * stress/big-int-mod-osr.js: Added.
1043         * stress/value-div-ai-rule.js: Added.
1044         * stress/value-mod-ai-rule.js: Added.
1045
1046 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
1047
1048         [JSC] DFG_ASSERT failed in lowInt52
1049         https://bugs.webkit.org/show_bug.cgi?id=197569
1050
1051         Reviewed by Saam Barati.
1052
1053         * stress/getstack-int52.js: Added.
1054         (opt):
1055         (main):
1056
1057 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
1058
1059         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
1060         https://bugs.webkit.org/show_bug.cgi?id=197479
1061
1062         Reviewed by Saam Barati.
1063
1064         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
1065         (shouldBe):
1066
1067 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
1068
1069         TemplateObject passed to template literal tags are not always identical for the same source location.
1070         https://bugs.webkit.org/show_bug.cgi?id=190756
1071
1072         Reviewed by Saam Barati.
1073
1074         * complex.yaml:
1075         * complex/tagged-template-regeneration-after.js: Added.
1076         (shouldBe):
1077         * complex/tagged-template-regeneration.js: Added.
1078         (call):
1079         (test):
1080         * modules/tagged-template-inside-module.js: Added.
1081         (from.string_appeared_here.call):
1082         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
1083         (call):
1084         (export.otherTaggedTemplates):
1085         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
1086         (shouldBe):
1087         (call):
1088         (poly):
1089         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
1090         (shouldBe):
1091         (call):
1092         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
1093         (shouldBe):
1094         (call):
1095         (test):
1096         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
1097         (shouldBe):
1098         (call):
1099         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
1100         (shouldBe):
1101         (call):
1102         * stress/tagged-templates-in-multiple-functions.js: Added.
1103         (shouldBe):
1104         (call):
1105         (a):
1106         (b):
1107         (c):
1108         * stress/tagged-templates-with-same-start-offset.js: Added.
1109         (shouldBe):
1110
1111 2019-05-07  Robin Morisset  <rmorisset@apple.com>
1112
1113         All prototypes should call didBecomePrototype()
1114         https://bugs.webkit.org/show_bug.cgi?id=196315
1115
1116         Reviewed by Saam Barati.
1117
1118         * stress/function-prototype-indexed-accessor.js: Added.
1119
1120 2019-05-07  Commit Queue  <commit-queue@webkit.org>
1121
1122         Unreviewed, rolling out r244978.
1123         https://bugs.webkit.org/show_bug.cgi?id=197671
1124
1125         TemplateObject map should use start/end offsets (Requested by
1126         yusukesuzuki on #webkit).
1127
1128         Reverted changeset:
1129
1130         "TemplateObject passed to template literal tags are not always
1131         identical for the same source location."
1132         https://bugs.webkit.org/show_bug.cgi?id=190756
1133         https://trac.webkit.org/changeset/244978
1134
1135 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
1136
1137         tryCachePutByID should not crash if target offset changes
1138         https://bugs.webkit.org/show_bug.cgi?id=197311
1139         <rdar://problem/48033612>
1140
1141         Reviewed by Filip Pizlo.
1142
1143         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
1144         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
1145
1146         * stress/cache-put-by-id-delete-prototype.js: Added.
1147         (A.prototype.set y):
1148         (A):
1149         (B.prototype.set y):
1150         (B):
1151         (C):
1152         * stress/cache-put-by-id-different-__proto__.js: Added.
1153         (A.prototype.set y):
1154         (A):
1155         (B1):
1156         (B2.prototype.set y):
1157         (B2):
1158         (C):
1159         (D):
1160         * stress/cache-put-by-id-different-attributes.js: Added.
1161         (Foo):
1162         (set x):
1163         * stress/cache-put-by-id-different-offset.js: Added.
1164         (Foo):
1165         (set x):
1166         * stress/cache-put-by-id-insert-prototype.js: Added.
1167         (A.prototype.set y):
1168         (A):
1169         (C):
1170         * stress/cache-put-by-id-poly-proto.js: Added.
1171         (Foo):
1172         (set _):
1173         (createBar.Bar):
1174         (createBar):
1175
1176 2019-05-07  Saam Barati  <sbarati@apple.com>
1177
1178         Don't OSR enter into an FTL CodeBlock that has been jettisoned
1179         https://bugs.webkit.org/show_bug.cgi?id=197531
1180         <rdar://problem/50162379>
1181
1182         Reviewed by Yusuke Suzuki.
1183
1184         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
1185
1186 2019-05-06  Dean Jackson  <dino@apple.com>
1187
1188         Update test262 expectations for Proxy passes
1189         https://bugs.webkit.org/show_bug.cgi?id=197628
1190
1191         Reviewed by Yusuke Suzuki.
1192
1193         There are two consistent passes in Proxy.ownKeys.
1194
1195         * test262/expectations.yaml:
1196
1197 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1198
1199         [JSC] We should check OOM for description string of Symbol
1200         https://bugs.webkit.org/show_bug.cgi?id=197634
1201
1202         Reviewed by Keith Miller.
1203
1204         * stress/check-symbol-description-oom.js: Added.
1205         (shouldThrow):
1206
1207 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1208
1209         Unreviewed, land one more test
1210         https://bugs.webkit.org/show_bug.cgi?id=197587
1211
1212         * stress/setter-frame-flush.js: Added.
1213         (setter):
1214         (foo):
1215         (bar):
1216
1217 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1218
1219         TemplateObject passed to template literal tags are not always identical for the same source location.
1220         https://bugs.webkit.org/show_bug.cgi?id=190756
1221
1222         Reviewed by Saam Barati.
1223
1224         * complex.yaml:
1225         * complex/tagged-template-regeneration-after.js: Added.
1226         (shouldBe):
1227         * complex/tagged-template-regeneration.js: Added.
1228         (call):
1229         (test):
1230         * modules/tagged-template-inside-module.js: Added.
1231         (from.string_appeared_here.call):
1232         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
1233         (call):
1234         (export.otherTaggedTemplates):
1235         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
1236         (shouldBe):
1237         (call):
1238         (poly):
1239         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
1240         (shouldBe):
1241         (call):
1242         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
1243         (shouldBe):
1244         (call):
1245         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
1246         (shouldBe):
1247         (call):
1248         * stress/tagged-templates-in-multiple-functions.js: Added.
1249         (shouldBe):
1250         (call):
1251         (a):
1252         (b):
1253         (c):
1254
1255 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
1256
1257         [PlayStation] JSC Stress tests failing due to timezone printing
1258         https://bugs.webkit.org/show_bug.cgi?id=197615
1259
1260         PlayStation's strftime does not give timezone strings, which
1261         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
1262         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
1263         which causes diff failures with the expectations. Add expectations
1264         without the timezone string and use those on playstation.
1265
1266         Reviewed by Ross Kirsling.
1267
1268         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
1269         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
1270         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
1271         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
1272
1273 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1274
1275         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
1276         https://bugs.webkit.org/show_bug.cgi?id=197587
1277
1278         Reviewed by Sam Weinig.
1279
1280         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
1281
1282         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
1283
1284 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
1285
1286         TypedArrays should not store properties that are canonical numeric indices
1287         https://bugs.webkit.org/show_bug.cgi?id=197228
1288         <rdar://problem/49557381>
1289
1290         Reviewed by Saam Barati.
1291
1292         * stress/array-species-config-array-constructor.js:
1293         (test):
1294         * stress/put-direct-index-broken-2.js:
1295         * stress/typed-array-canonical-numeric-index-string.js: Added.
1296         (makeTest.assert):
1297         (makeTest):
1298         (const.testInvalidIndices.makeTest.set assert):
1299         (const.testInvalidIndices.makeTest):
1300         (const.makeTestValidIndex.configurable.set assert):
1301         (const.makeTestValidIndex.configurable):
1302         * stress/typedarray-access-monomorphic-neutered.js:
1303         (checkNoException):
1304         (testNoException):
1305         (testFTLNoException):
1306         * stress/typedarray-access-neutered.js:
1307         (testNoException):
1308         * stress/typedarray-getownproperty-not-configurable.js:
1309         (foo):
1310         * test262/expectations.yaml:
1311
1312 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
1313
1314         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
1315         https://bugs.webkit.org/show_bug.cgi?id=197584
1316
1317         Reviewed by Saam Barati.
1318
1319         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
1320         (X):
1321         (foo):
1322
1323 2019-05-03  Michael Saboff  <msaboff@apple.com>
1324
1325         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
1326         https://bugs.webkit.org/show_bug.cgi?id=197586
1327
1328         Reviewed by Keith Miller.
1329
1330         We should only run one config of this test and only when we think we'll have the memory.
1331
1332         * stress/json-stringify-string-builder-overflow.js:
1333
1334 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
1335
1336         [JSC] Generator CodeBlock generation should be idempotent
1337         https://bugs.webkit.org/show_bug.cgi?id=197552
1338
1339         Reviewed by Keith Miller.
1340
1341         Add complex.yaml, which controls how to run JSC shell more.
1342         We split test files into two to run macro task between them which allows debugger to be attached to VM.
1343
1344         * complex.yaml: Added.
1345         * complex/generator-regeneration-after.js: Added.
1346         * complex/generator-regeneration.js: Added.
1347         (gen):
1348
1349 2019-05-02  Michael Saboff  <msaboff@apple.com>
1350
1351         Unreviewed rollout of r244862.
1352
1353         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
1354
1355 2019-05-01  Saam barati  <sbarati@apple.com>
1356
1357         Baseline JIT should do argument value profiling after checking for stack overflow
1358         https://bugs.webkit.org/show_bug.cgi?id=197052
1359         <rdar://problem/50009602>
1360
1361         Reviewed by Yusuke Suzuki.
1362
1363         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
1364
1365 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
1366
1367         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
1368         https://bugs.webkit.org/show_bug.cgi?id=197405
1369
1370         Reviewed by Saam Barati.
1371
1372         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
1373         (foo):
1374         (test):
1375         (i.o.get f):
1376         (i.o.set f):
1377
1378 2019-05-01  Michael Saboff  <msaboff@apple.com>
1379
1380         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
1381         https://bugs.webkit.org/show_bug.cgi?id=197485
1382
1383         Reviewed by Saam Barati.
1384
1385         New test.
1386
1387         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
1388         (foo):
1389
1390 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
1391
1392         Unreviewed correction to Test262 expectations following r244828.
1393
1394         * test262/expectations.yaml:
1395
1396 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
1397
1398         Add memory-limited skipping to some tests generating very large strings
1399         https://bugs.webkit.org/show_bug.cgi?id=197437
1400
1401         Reviewed by Ross Kirsling.
1402
1403         * stress/StringObject-define-length-getter-rope-string-oom.js:
1404         * stress/create-error-out-of-memory-rope-string.js:
1405         * stress/string-16bit-repeat-overflow.js:
1406
1407 2019-04-30  Commit Queue  <commit-queue@webkit.org>
1408
1409         Unreviewed, rolling out r244806.
1410         https://bugs.webkit.org/show_bug.cgi?id=197446
1411
1412         Causing Test262 and JSC test failures on multiple builds
1413         (Requested by ShawnRoberts on #webkit).
1414
1415         Reverted changeset:
1416
1417         "TypeArrays should not store properties that are canonical
1418         numeric indices"
1419         https://bugs.webkit.org/show_bug.cgi?id=197228
1420         https://trac.webkit.org/changeset/244806
1421
1422 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
1423
1424         TypeArrays should not store properties that are canonical numeric indices
1425         https://bugs.webkit.org/show_bug.cgi?id=197228
1426         <rdar://problem/49557381>
1427
1428         Reviewed by Darin Adler.
1429
1430         * stress/typed-array-canonical-numeric-index-string.js: Added.
1431         (makeTest.assert):
1432         (makeTest):
1433         (const.testInvalidIndices.makeTest.set assert):
1434         (const.testInvalidIndices.makeTest):
1435         (const.testValidIndices.makeTest.set assert):
1436         (const.testValidIndices.makeTest):
1437
1438 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
1439
1440         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
1441         https://bugs.webkit.org/show_bug.cgi?id=197362
1442
1443         Reviewed by Saam Barati.
1444
1445         * stress/map-with-nan.js: Added.
1446         (shouldBe):
1447         (div):
1448         (NaN1):
1449         (NaN2):
1450         (NaN3):
1451         (NaN4):
1452         (NaN1NoInline):
1453         (NaN2NoInline):
1454         (NaN3NoInline):
1455         (NaN4NoInline):
1456         (test1):
1457         (test2):
1458         (test3):
1459         (test4):
1460         * stress/set-with-nan.js: Added.
1461         (shouldBe):
1462         (div):
1463         (NaN1):
1464         (NaN2):
1465         (NaN3):
1466         (NaN4):
1467         (NaN1NoInline):
1468         (NaN2NoInline):
1469         (NaN3NoInline):
1470         (NaN4NoInline):
1471         (test2):
1472         (test4):
1473
1474 2019-04-26  Commit Queue  <commit-queue@webkit.org>
1475
1476         Unreviewed, rolling out r244708.
1477         https://bugs.webkit.org/show_bug.cgi?id=197334
1478
1479         "Broke the debug build" (Requested by rmorisset on #webkit).
1480
1481         Reverted changeset:
1482
1483         "All prototypes should call didBecomePrototype()"
1484         https://bugs.webkit.org/show_bug.cgi?id=196315
1485         https://trac.webkit.org/changeset/244708
1486
1487 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1488
1489         [JSC] linkPolymorphicCall now does GC
1490         https://bugs.webkit.org/show_bug.cgi?id=197306
1491
1492         Reviewed by Saam Barati.
1493
1494         * stress/link-polymorphic-call-can-gc.js: Added.
1495         (module):
1496         (instance):
1497
1498 2019-04-26  Robin Morisset  <rmorisset@apple.com>
1499
1500         All prototypes should call didBecomePrototype()
1501         https://bugs.webkit.org/show_bug.cgi?id=196315
1502
1503         Reviewed by Saam Barati.
1504
1505         * stress/function-prototype-indexed-accessor.js: Added.
1506
1507 2019-04-23  Saam Barati  <sbarati@apple.com>
1508
1509         LICM incorrectly assumes it'll never insert a node which provably OSR exits
1510         https://bugs.webkit.org/show_bug.cgi?id=196721
1511         <rdar://problem/49556479> 
1512
1513         Reviewed by Filip Pizlo.
1514
1515         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
1516         (foo):
1517
1518 2019-04-19  Saam Barati  <sbarati@apple.com>
1519
1520         AbstractValue can represent more than int52
1521         https://bugs.webkit.org/show_bug.cgi?id=197118
1522         <rdar://problem/49969960>
1523
1524         Reviewed by Michael Saboff.
1525
1526         * stress/abstract-value-can-include-int52.js: Added.
1527         (foo):
1528         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
1529
1530 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
1531
1532         [WTF] StringBuilder should set correct m_is8Bit flag when merging
1533         https://bugs.webkit.org/show_bug.cgi?id=197053
1534
1535         Reviewed by Saam Barati.
1536
1537         * stress/merge-string-builder-in-dfg.js: Added.
1538         (foo):
1539
1540 2019-04-16  Caitlin Potter  <caitp@igalia.com>
1541
1542         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1543         https://bugs.webkit.org/show_bug.cgi?id=176810
1544
1545         Reviewed by Saam Barati.
1546
1547         Add tests for the DontEnum filtering, and variations of other tests
1548         take the DontEnum-filtering path.
1549
1550         * stress/proxy-own-keys.js:
1551         (i.catch):
1552         (set assert):
1553         (set add):
1554         (let.set new):
1555         (get let):
1556
1557 2019-04-15  Saam barati  <sbarati@apple.com>
1558
1559         Modify how we do SetArgument when we inline varargs calls
1560         https://bugs.webkit.org/show_bug.cgi?id=196712
1561         <rdar://problem/49605012>
1562
1563         Reviewed by Michael Saboff.
1564
1565         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
1566         (foo):
1567
1568 2019-04-15  Saam barati  <sbarati@apple.com>
1569
1570         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
1571         https://bugs.webkit.org/show_bug.cgi?id=196945
1572         <rdar://problem/49802750>
1573
1574         Reviewed by Filip Pizlo.
1575
1576         * stress/get-by-offset-should-use-correct-child.js: Added.
1577         (foo.bar):
1578         (foo):
1579
1580 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1581
1582         DFG should be able to constant fold Object.create() with a constant prototype operand
1583         https://bugs.webkit.org/show_bug.cgi?id=196886
1584
1585         Reviewed by Yusuke Suzuki.
1586
1587         Note that this new benchmark does not currently see a speedup with inlining removed.
1588         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
1589
1590         * microbenchmarks/object-create-constant-prototype.js: Added.
1591         (test):
1592
1593 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1594
1595         Incremental bytecode cache should not append function updates when loaded from memory
1596         https://bugs.webkit.org/show_bug.cgi?id=196865
1597
1598         Reviewed by Filip Pizlo.
1599
1600         * stress/bytecode-cache-shared-code-block.js: Added.
1601         (b):
1602         (program):
1603
1604 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
1605
1606         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
1607         https://bugs.webkit.org/show_bug.cgi?id=196880
1608
1609         Reviewed by Yusuke Suzuki.
1610
1611         * stress/bytecode-cache-syntax-error.js: Added.
1612         (catch):
1613
1614 2019-04-12  Saam barati  <sbarati@apple.com>
1615
1616         r244079 logically broke shouldSpeculateInt52
1617         https://bugs.webkit.org/show_bug.cgi?id=196884
1618
1619         Reviewed by Yusuke Suzuki.
1620
1621         * microbenchmarks/int52-rand-function.js: Added.
1622         (Math.random):
1623
1624 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
1625
1626         [JSC] op_has_indexed_property should not assume subscript part is Uint32
1627         https://bugs.webkit.org/show_bug.cgi?id=196850
1628
1629         Reviewed by Saam Barati.
1630
1631         * stress/has-indexed-property-should-accept-non-int32.js: Added.
1632         (foo):
1633
1634 2019-04-11  Saam barati  <sbarati@apple.com>
1635
1636         Remove invalid assertion in operationInstanceOfCustom
1637         https://bugs.webkit.org/show_bug.cgi?id=196842
1638         <rdar://problem/49725493>
1639
1640         Reviewed by Michael Saboff.
1641
1642         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
1643
1644 2019-04-10  Saam Barati  <sbarati@apple.com>
1645
1646         AbstractValue::validateOSREntryValue is wrong for Int52 constants
1647         https://bugs.webkit.org/show_bug.cgi?id=196801
1648         <rdar://problem/49771122>
1649
1650         Reviewed by Yusuke Suzuki.
1651
1652         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
1653
1654 2019-04-10  Robin Morisset  <rmorisset@apple.com>
1655
1656         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
1657         https://bugs.webkit.org/show_bug.cgi?id=196746
1658
1659         Reviewed by Yusuke Suzuki.
1660
1661         * stress/cyclic-define-properties.js: Added.
1662         (foo):
1663
1664 2019-04-09  Saam barati  <sbarati@apple.com>
1665
1666         Clean up Int52 code and some bugs in it
1667         https://bugs.webkit.org/show_bug.cgi?id=196639
1668         <rdar://problem/49515757>
1669
1670         Reviewed by Yusuke Suzuki.
1671
1672         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
1673
1674 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
1675
1676         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
1677         https://bugs.webkit.org/show_bug.cgi?id=196708
1678         <rdar://problem/49556803>
1679
1680         Reviewed by Yusuke Suzuki.
1681
1682         * stress/proxy-getter-stack-overflow.js: Added.
1683         (const.handler.get target):
1684         (const.handler.has):
1685         (try.with):
1686         (catch):
1687
1688 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1689
1690         [JSC] DFG should respect node's strict flag
1691         https://bugs.webkit.org/show_bug.cgi?id=196617
1692
1693         Reviewed by Saam Barati.
1694
1695         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
1696         (shouldEqual):
1697         (makeUnwriteableUnconfigurableObject):
1698         (runTest):
1699         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
1700         (shouldBe):
1701         (shouldThrow):
1702         (with.result):
1703         (with.putValueStrict):
1704         (with.putValueSloppy):
1705
1706 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1707
1708         [JSC] isRope jump in StringSlice should not jump over register allocations
1709         https://bugs.webkit.org/show_bug.cgi?id=196716
1710
1711         Reviewed by Saam Barati.
1712
1713         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
1714         (foo.bar):
1715         (foo):
1716
1717 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1718
1719         [JSC] to_index_string should not assume incoming value is Uint32
1720         https://bugs.webkit.org/show_bug.cgi?id=196713
1721
1722         Reviewed by Saam Barati.
1723
1724         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
1725         (foo):
1726
1727 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1728
1729         [JSC] Add more tests for r243966
1730         https://bugs.webkit.org/show_bug.cgi?id=196711
1731
1732         Reviewed by Saam Barati.
1733
1734         Adding one more test for r243966 fix. The added test will not crash after r243966.
1735
1736         * stress/stress-cleared-calllinkinfo.js: Added.
1737         (runNearStackLimit.t):
1738         (runNearStackLimit):
1739         (repeat):
1740         (cls):
1741         (let.item.of.array.runNearStackLimit):
1742
1743 2019-04-08  Saam Barati  <sbarati@apple.com>
1744
1745         WebAssembly.RuntimeError missing exception check
1746         https://bugs.webkit.org/show_bug.cgi?id=196700
1747         <rdar://problem/49693932>
1748
1749         Reviewed by Yusuke Suzuki.
1750
1751         * wasm/js-api/runtime-error-should-exception-check.js: Added.
1752
1753 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1754
1755         Unreviewed, rolling in r243948 with test fix
1756         https://bugs.webkit.org/show_bug.cgi?id=196486
1757
1758         * stress/arrow-function-and-use-strict-directive.js: Added.
1759         * stress/arrow-function-syntax.js: Added.
1760         (checkSyntax):
1761         (checkSyntaxError):
1762
1763 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1764
1765         Unreviewed, rolling out r243948.
1766
1767         Caused inspector/runtime/parse.html to fail
1768
1769         Reverted changeset:
1770
1771         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
1772         https://bugs.webkit.org/show_bug.cgi?id=196486
1773         https://trac.webkit.org/changeset/243948
1774
1775 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1776
1777         Unreviewed, rolling out r243943.
1778
1779         Caused test262 failures.
1780
1781         Reverted changeset:
1782
1783         "[JSC] Filter DontEnum properties in
1784         ProxyObject::getOwnPropertyNames()"
1785         https://bugs.webkit.org/show_bug.cgi?id=176810
1786         https://trac.webkit.org/changeset/243943
1787
1788 2019-04-07  Michael Saboff  <msaboff@apple.com>
1789
1790         REGRESSION (r243642): Crash in reddit.com page
1791         https://bugs.webkit.org/show_bug.cgi?id=196684
1792
1793         Reviewed by Geoffrey Garen.
1794
1795         New regression test.
1796
1797         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
1798
1799 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
1800
1801         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
1802         https://bugs.webkit.org/show_bug.cgi?id=196683
1803
1804         Reviewed by Saam Barati.
1805
1806         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
1807         (foo):
1808
1809 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1810
1811         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
1812         https://bugs.webkit.org/show_bug.cgi?id=196582
1813
1814         Reviewed by Saam Barati.
1815
1816         * stress/add-overflow-check-with-three-same-registers.js: Added.
1817         (foo):
1818         (Number.prototype.valueOf):
1819         (runWithNumber):
1820
1821 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
1822
1823         Unreviewed, rolling out r243665.
1824
1825         Caused iOS JSC tests to exit with an exception.
1826
1827         Reverted changeset:
1828
1829         "Assertion failed in JSC::createError"
1830         https://bugs.webkit.org/show_bug.cgi?id=196305
1831         https://trac.webkit.org/changeset/243665
1832
1833 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1834
1835         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
1836         https://bugs.webkit.org/show_bug.cgi?id=196486
1837
1838         Reviewed by Saam Barati.
1839
1840         * stress/arrow-function-and-use-strict-directive.js: Added.
1841         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
1842         (checkSyntax):
1843         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
1844
1845 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1846
1847         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1848         https://bugs.webkit.org/show_bug.cgi?id=176810
1849
1850         Reviewed by Saam Barati.
1851
1852         Add tests for the DontEnum filtering, and variations of other tests
1853         take the DontEnum-filtering path.
1854
1855         * stress/proxy-own-keys.js:
1856         (i.catch):
1857         (set assert):
1858         (set add):
1859         (let.set new):
1860         (get let):
1861
1862 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1863
1864         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
1865         https://bugs.webkit.org/show_bug.cgi?id=185211
1866
1867         Reviewed by Saam Barati.
1868
1869         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
1870
1871         This changes several assertions to expect a TypeError to be thrown (in some cases,
1872         changing thee expected message).
1873
1874         * es6/Proxy_ownKeys_duplicates.js:
1875         (handler):
1876         (shouldThrow):
1877         (test):
1878         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
1879         (shouldThrow):
1880         * stress/proxy-own-keys.js:
1881         (i.catch):
1882         (assert):
1883
1884 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1885
1886         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1887         https://bugs.webkit.org/show_bug.cgi?id=196631
1888
1889         Reviewed by Saam Barati.
1890
1891         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
1892         (assert):
1893         (test):
1894         (foo):
1895
1896 2019-04-04  Saam Barati  <sbarati@apple.com>
1897
1898         Unreviewed. Make the test from r243906 catch the thrown exceptions.
1899
1900         * stress/inferred-types-regex-matches-array.js:
1901
1902 2019-04-04  Saam Barati  <sbarati@apple.com>
1903
1904         createRegExpMatchesArray does not respect inferred types
1905         https://bugs.webkit.org/show_bug.cgi?id=193287
1906
1907         Reviewed by Yusuke Suzuki.
1908
1909         This checks in the test case for 193287. This issue was discovered by
1910         Samuel GroƟ of Google Project Zero.
1911
1912         * stress/inferred-types-regex-matches-array.js: Added.
1913
1914 2019-04-04  Saam barati  <sbarati@apple.com>
1915
1916         Teach Call ICs how to call Wasm
1917         https://bugs.webkit.org/show_bug.cgi?id=196387
1918
1919         Reviewed by Filip Pizlo.
1920
1921         * wasm/function-tests/stack-trace.js:
1922
1923 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1924
1925         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1926         https://bugs.webkit.org/show_bug.cgi?id=194944
1927
1928         Reviewed by Keith Miller.
1929
1930         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
1931
1932 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1933
1934         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1935         https://bugs.webkit.org/show_bug.cgi?id=196409
1936
1937         Reviewed by Saam Barati.
1938
1939         * stress/bytecode-cache-cached-string-impl.js: Added.
1940         (f):
1941         (g):
1942         * stress/bytecode-cache-run-string.js: Added.
1943
1944 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1945
1946         B3 should use associativity to optimize expression trees
1947         https://bugs.webkit.org/show_bug.cgi?id=194081
1948
1949         Reviewed by Filip Pizlo.
1950
1951         Added three microbenchmarks:
1952         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
1953         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
1954           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
1955         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
1956
1957         * microbenchmarks/add-tree.js: Added.
1958         * microbenchmarks/bit-or-tree.js: Added.
1959         * microbenchmarks/bit-xor-tree.js: Added.
1960
1961 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1962
1963         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1964         https://bugs.webkit.org/show_bug.cgi?id=196574
1965
1966         Reviewed by Saam Barati.
1967
1968         * stress/string-index-of-exception-check.js: Added.
1969         (blurType):
1970         (1.forEach):
1971
1972 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1973
1974         Assertion failed in JSC::createError
1975         https://bugs.webkit.org/show_bug.cgi?id=196305
1976         <rdar://problem/49387382>
1977
1978         Reviewed by Saam Barati.
1979
1980         * stress/create-error-out-of-memory-rope-string-2.js: Added.
1981         (assert):
1982         (catch):
1983
1984 2019-03-28  Saam Barati  <sbarati@apple.com>
1985
1986         BackwardsGraph needs to consider back edges as the backward's root successor
1987         https://bugs.webkit.org/show_bug.cgi?id=195991
1988
1989         Reviewed by Filip Pizlo.
1990
1991         * stress/map-b3-licm-infinite-loop.js: Added.
1992
1993 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1994
1995         CodeBlock::jettison() should disallow repatching its own calls
1996         https://bugs.webkit.org/show_bug.cgi?id=196359
1997         <rdar://problem/48973663>
1998
1999         Reviewed by Saam Barati.
2000
2001         * stress/call-link-info-osrexit-repatch.js: Added.
2002         (foo):
2003
2004 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
2005
2006         [JSC] imports-oom.js intermittently fails
2007         https://bugs.webkit.org/show_bug.cgi?id=196373
2008
2009         Reviewed by Saam Barati.
2010
2011         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
2012         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
2013         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
2014         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
2015         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
2016
2017         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
2018         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
2019
2020         * wasm/lowExecutableMemory/imports-oom.js:
2021
2022 2019-03-27  Saam Barati  <sbarati@apple.com>
2023
2024         validateOSREntryValue with Int52 should box the value being checked into double format
2025         https://bugs.webkit.org/show_bug.cgi?id=196313
2026         <rdar://problem/49306703>
2027
2028         Reviewed by Yusuke Suzuki.
2029
2030         * stress/validate-int-52-ai-state.js: Added.
2031
2032 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2033
2034         [JSC] Owner of watchpoints should validate at GC finalizing phase
2035         https://bugs.webkit.org/show_bug.cgi?id=195827
2036
2037         Reviewed by Filip Pizlo.
2038
2039         * stress/gc-should-reap-dead-watchpoints.js: Added.
2040         (foo):
2041         (A.prototype.y):
2042         (A):
2043
2044 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
2045
2046         Skip WebAssembly test on 32-bit systems
2047         https://bugs.webkit.org/show_bug.cgi?id=196206
2048
2049         Reviewed by Saam Barati.
2050
2051         Invoking runDefault executes test immediately even though
2052         that test should be skipped due to missing WASM support.
2053         Therefore remove runDefault.
2054
2055         * wasm/regress/web-assembly-link-error-exception-check.js:
2056
2057 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2058
2059         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2060         https://bugs.webkit.org/show_bug.cgi?id=196217
2061
2062         Reviewed by Saam Barati.
2063
2064         Re-enable all NaN tests for f32.min, f64.min and f64.max.
2065
2066         * wasm/spec-tests/f32.wast.js:
2067         * wasm/spec-tests/f64.wast.js:
2068         * wasm/wasm.json:
2069
2070 2019-03-25  Keith Miller  <keith_miller@apple.com>
2071
2072         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2073         https://bugs.webkit.org/show_bug.cgi?id=196176
2074
2075         Reviewed by Saam Barati.
2076
2077         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
2078         (main.v10):
2079         (main):
2080
2081 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2082
2083         WebAssembly: f32.max with NaN generates incorrect result
2084         https://bugs.webkit.org/show_bug.cgi?id=175691
2085         <rdar://problem/33952228>
2086
2087         Reviewed by Saam Barati.
2088
2089         Enable all f32.max NaN tests
2090
2091         * wasm/spec-tests/f32.wast.js:
2092         * wasm/wasm.json:
2093
2094 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
2095
2096         [JSC] Move test into directory for WASM tests
2097         https://bugs.webkit.org/show_bug.cgi?id=196187
2098
2099         Reviewed by Mark Lam.
2100
2101         Move Test into wasm-directory. Otherwise this test
2102         is also executed on systems without WASM support.
2103
2104         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
2105
2106 2019-03-23  Mark Lam  <mark.lam@apple.com>
2107
2108         Rolling out r243032 and r243071 because the fix is incorrect.
2109         https://bugs.webkit.org/show_bug.cgi?id=195892
2110         <rdar://problem/48981239>
2111
2112         Not reviewed.
2113
2114         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
2115
2116 2019-03-22  Mark Lam  <mark.lam@apple.com>
2117
2118         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2119         https://bugs.webkit.org/show_bug.cgi?id=196154
2120         <rdar://problem/49145307>
2121
2122         Reviewed by Filip Pizlo.
2123
2124         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
2125         There's no need to run this test on more than 1 test configuration.
2126
2127         * stress/typed-array-lastIndexOf-exception-check.js: Added.
2128         * stress/web-assembly-link-error-exception-check.js:
2129
2130 2019-03-22  Mark Lam  <mark.lam@apple.com>
2131
2132         Placate exception check validation in constructJSWebAssemblyLinkError().
2133         https://bugs.webkit.org/show_bug.cgi?id=196152
2134         <rdar://problem/49145257>
2135
2136         Reviewed by Michael Saboff.
2137
2138         * stress/web-assembly-link-error-exception-check.js: Added.
2139
2140 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
2141
2142         Skip tests running out of memory on ARM/MIPS
2143         https://bugs.webkit.org/show_bug.cgi?id=196131
2144
2145         Unreviewed. Skip test if memory is limited.
2146
2147         * microbenchmarks/put-by-val-direct-large-index.js:
2148
2149 2019-03-21  Mark Lam  <mark.lam@apple.com>
2150
2151         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2152         https://bugs.webkit.org/show_bug.cgi?id=196116
2153         <rdar://problem/48976951>
2154
2155         Reviewed by Filip Pizlo.
2156
2157         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
2158
2159 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2160
2161         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
2162         https://bugs.webkit.org/show_bug.cgi?id=196078
2163         <rdar://problem/35925380>
2164
2165         Reviewed by Mark Lam.
2166
2167         Add a new benchmark that allocates several objects and invokes put_by_val_direct
2168         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
2169
2170         * microbenchmarks/put-by-val-direct-large-index.js: Added.
2171
2172 2019-03-21  Mark Lam  <mark.lam@apple.com>
2173
2174         Placate exception check validation in operationArrayIndexOfString().
2175         https://bugs.webkit.org/show_bug.cgi?id=196067
2176         <rdar://problem/49056572>
2177
2178         Reviewed by Michael Saboff.
2179
2180         * stress/string-equal-exception-check.js: Added.
2181
2182 2019-03-21  Mark Lam  <mark.lam@apple.com>
2183
2184         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
2185         https://bugs.webkit.org/show_bug.cgi?id=196055
2186         <rdar://problem/49067448>
2187
2188         Reviewed by Yusuke Suzuki.
2189
2190         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
2191
2192 2019-03-20  Saam Barati  <sbarati@apple.com>
2193
2194         typeOfDoubleSum is wrong for when NaN can be produced
2195         https://bugs.webkit.org/show_bug.cgi?id=196030
2196
2197         Reviewed by Filip Pizlo.
2198
2199         * stress/double-add-sub-mul-can-produce-nan.js: Added.
2200         (assert):
2201         (noInline.sub):
2202         (noInline):
2203         (assert.mul):
2204         (assert.add):
2205
2206 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
2207
2208         Update the test to ensure OutOfMemoryError is thrown as intended
2209         https://bugs.webkit.org/show_bug.cgi?id=196032
2210         <rdar://problem/46842740>
2211
2212         Rubber stamped by Saam Barati.
2213
2214         * stress/create-error-out-of-memory-rope-string.js:
2215         (assert):
2216         (catch):
2217
2218 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
2219
2220         JSC::createError needs to check for OOM in errorDescriptionForValue
2221         https://bugs.webkit.org/show_bug.cgi?id=196032
2222         <rdar://problem/46842740>
2223
2224         Reviewed by Mark Lam.
2225
2226         * stress/create-error-out-of-memory-rope-string.js: Added.
2227
2228 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
2229
2230         Unreviewed, reduce # of iterations to avoid timing out after r242991
2231         https://bugs.webkit.org/show_bug.cgi?id=195791
2232
2233         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
2234
2235         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
2236
2237 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
2238
2239         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
2240         https://bugs.webkit.org/show_bug.cgi?id=195950
2241
2242         Unreviewed, reducing the amount of memory used on this test to avoid
2243         OOM on devices with memory restrictions.
2244
2245         * microbenchmarks/generate-multiple-llint-entrypoints.js:
2246
2247 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
2248
2249         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
2250         https://bugs.webkit.org/show_bug.cgi?id=194648
2251
2252         Reviewed by Keith Miller.
2253
2254         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
2255
2256 2019-03-18  Mark Lam  <mark.lam@apple.com>
2257
2258         Missing a ThrowScope release in JSObject::toString().
2259         https://bugs.webkit.org/show_bug.cgi?id=195893
2260         <rdar://problem/48970986>
2261
2262         Reviewed by Michael Saboff.
2263
2264         * stress/to-string-exception-check-release.js: Added.
2265
2266 2019-03-18  Mark Lam  <mark.lam@apple.com>
2267
2268         Structure::flattenDictionary() should clear unused property slots.
2269         https://bugs.webkit.org/show_bug.cgi?id=195871
2270         <rdar://problem/48959497>
2271
2272         Reviewed by Michael Saboff.
2273
2274         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
2275
2276 2019-03-15  Mark Lam  <mark.lam@apple.com>
2277
2278         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
2279         https://bugs.webkit.org/show_bug.cgi?id=195827
2280         <rdar://problem/48845513>
2281
2282         Reviewed by Filip Pizlo.
2283
2284         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
2285
2286 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
2287
2288         [ARM,MIPS] Skip slow tests
2289         https://bugs.webkit.org/show_bug.cgi?id=195799
2290
2291         Unreviewed, test does not finish on ARM and MIPS within the
2292         timeout limit.
2293
2294         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
2295
2296 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
2297
2298         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
2299         https://bugs.webkit.org/show_bug.cgi?id=195791
2300         <rdar://problem/48806130>
2301
2302         Reviewed by Mark Lam.
2303
2304         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
2305         (foo):
2306
2307 2019-03-14  Saam barati  <sbarati@apple.com>
2308
2309         We can't remove code after ForceOSRExit until after FixupPhase
2310         https://bugs.webkit.org/show_bug.cgi?id=186916
2311         <rdar://problem/41396612>
2312
2313         Reviewed by Yusuke Suzuki.
2314
2315         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
2316         (foo):
2317         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
2318         (foo):
2319
2320 2019-03-13  Michael Saboff  <msaboff@apple.com>
2321
2322         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
2323         https://bugs.webkit.org/show_bug.cgi?id=195735
2324
2325         Reviewed by Mark Lam.
2326
2327         New regression test.
2328
2329         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
2330         (foo):
2331         (bar):
2332
2333 2019-03-14  Saam barati  <sbarati@apple.com>
2334
2335         Fixup uses KnownInt32 incorrectly in some nodes
2336         https://bugs.webkit.org/show_bug.cgi?id=195279
2337         <rdar://problem/47915654>
2338
2339         Reviewed by Yusuke Suzuki.
2340
2341         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
2342         (foo):
2343
2344 2019-03-14  Keith Miller  <keith_miller@apple.com>
2345
2346         DFG liveness can't skip tail caller inline frames
2347         https://bugs.webkit.org/show_bug.cgi?id=195715
2348
2349         Reviewed by Saam Barati.
2350
2351         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
2352         (i.foo):
2353
2354 2019-03-13  Mark Lam  <mark.lam@apple.com>
2355
2356         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
2357         https://bugs.webkit.org/show_bug.cgi?id=195415
2358
2359         Not reviewed.
2360
2361         Changed these tests to only run the default configuration.
2362         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
2363         There's no strong need to run this test on that variant.
2364
2365         * stress/dfg-to-string-on-int-does-gc.js:
2366         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
2367
2368 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
2369
2370         String overflow when using StringBuilder in JSC::createError
2371         https://bugs.webkit.org/show_bug.cgi?id=194957
2372
2373         Reviewed by Mark Lam.
2374
2375         Add test string-overflow-createError-bulder.js that overflows
2376         StringBuilder in notAFunctionSourceAppender. The second new test
2377         string-overflow-createError-fit.js has an error message that doesn't
2378         overflow, it still failed since the String's capacity can't be doubled.
2379         Run test string-overflow-createError.js only in the default
2380         configuration to reduce memory consumption when running the test
2381         in all configurations on multiple CPUs in parallel.
2382
2383         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
2384         (catch):
2385         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
2386         (catch):
2387         * stress/string-overflow-createError.js:
2388
2389 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
2390
2391         [JSC] OSR entry should respect abstract values in addition to flush formats
2392         https://bugs.webkit.org/show_bug.cgi?id=195653
2393
2394         Reviewed by Mark Lam.
2395
2396         * stress/osr-entry-locals-none.js: Added.
2397
2398 2019-03-12  Michael Saboff  <msaboff@apple.com>
2399
2400         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
2401         https://bugs.webkit.org/show_bug.cgi?id=195613
2402
2403         Reviewed by Mark Lam.
2404
2405         New regression test.
2406
2407         * stress/regexp-backref-inbounds.js: Added.
2408         (testRegExp):
2409
2410 2019-03-12  Mark Lam  <mark.lam@apple.com>
2411
2412         The HasIndexedProperty node does GC.
2413         https://bugs.webkit.org/show_bug.cgi?id=195559
2414         <rdar://problem/48767923>
2415
2416         Reviewed by Yusuke Suzuki.
2417
2418         * stress/HasIndexedProperty-does-gc.js: Added.
2419
2420 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
2421
2422         [ESNext][BigInt] Implement "~" unary operation
2423         https://bugs.webkit.org/show_bug.cgi?id=182216
2424
2425         Reviewed by Keith Miller.
2426
2427         * stress/big-int-bit-not-general.js: Added.
2428         * stress/big-int-bitwise-not-jit.js: Added.
2429         * stress/big-int-bitwise-not-wrapped-value.js: Added.
2430         * stress/bit-op-with-object-returning-int32.js:
2431         * stress/bitwise-not-fixup-rules.js: Added.
2432         * stress/value-bit-not-ai-rule.js: Added.
2433
2434 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
2435
2436         Invalid flags in a RegExp literal should be an early SyntaxError
2437         https://bugs.webkit.org/show_bug.cgi?id=195514
2438
2439         Reviewed by Darin Adler.
2440
2441         * test262/expectations.yaml:
2442         Mark 4 test cases as passing.
2443
2444         * stress/regexp-syntax-error-invalid-flags.js:
2445         * stress/regress-161995.js: Removed.
2446         Update existing test, merging in an older test for the same behavior.
2447
2448 2019-03-08  Mark Lam  <mark.lam@apple.com>
2449
2450         Stack overflow crash in JSC::JSObject::hasInstance.
2451         https://bugs.webkit.org/show_bug.cgi?id=195458
2452         <rdar://problem/48710195>
2453
2454         Reviewed by Yusuke Suzuki.
2455
2456         * stress/stack-overflow-in-custom-hasInstance.js: Added.
2457
2458 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
2459
2460         op_check_tdz does not def its argument
2461         https://bugs.webkit.org/show_bug.cgi?id=192880
2462         <rdar://problem/46221598>
2463
2464         Reviewed by Saam Barati.
2465
2466         * microbenchmarks/let-for-in.js: Added.
2467         (foo):
2468
2469 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
2470
2471         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
2472         https://bugs.webkit.org/show_bug.cgi?id=195429
2473
2474         Reviewed by Saam Barati.
2475
2476         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
2477         (foo):
2478         * stress/string-from-char-code-255.js: Added.
2479
2480 2019-03-06  Mark Lam  <mark.lam@apple.com>
2481
2482         Fix incorrect handling of try-finally completion values.
2483         https://bugs.webkit.org/show_bug.cgi?id=195131
2484         <rdar://problem/46222079>
2485
2486         Reviewed by Saam Barati and Yusuke Suzuki.
2487
2488         Added many permutations of new test case to test-finally.js.  test-finally.js has
2489         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
2490         tests passes there as well.
2491
2492         * stress/test-finally.js:
2493
2494 2019-03-06  Saam Barati  <sbarati@apple.com>
2495
2496         Air::reportUsedRegisters must padInterference
2497         https://bugs.webkit.org/show_bug.cgi?id=195303
2498         <rdar://problem/48270343>
2499
2500         Reviewed by Keith Miller.
2501
2502         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
2503
2504 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
2505
2506         [JSC] AI should not propagate AbstractValue relying on constant folding phase
2507         https://bugs.webkit.org/show_bug.cgi?id=195375
2508
2509         Reviewed by Saam Barati.
2510
2511         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
2512         (let.array):
2513
2514 2019-03-05  Saam barati  <sbarati@apple.com>
2515
2516         op_switch_char broken for rope strings after JSRopeString layout rewrite
2517         https://bugs.webkit.org/show_bug.cgi?id=195339
2518         <rdar://problem/48592545>
2519
2520         Reviewed by Yusuke Suzuki.
2521
2522         * stress/switch-on-char-llint-rope.js: Added.
2523
2524 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
2525
2526         [JSC] Store bits for JSRopeString in 3 stores
2527         https://bugs.webkit.org/show_bug.cgi?id=195234
2528
2529         Reviewed by Saam Barati.
2530
2531         * stress/null-rope-and-collectors.js: Added.
2532
2533 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
2534
2535         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
2536         https://bugs.webkit.org/show_bug.cgi?id=195207
2537
2538         Unreviewed. After test runtime was reduced in r242213, test can be
2539         run again on ARM/MIPS.
2540
2541         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2542
2543 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2544
2545         [JSC] sizeof(JSString) should be 16
2546         https://bugs.webkit.org/show_bug.cgi?id=194375
2547
2548         Reviewed by Saam Barati.
2549
2550         * microbenchmarks/make-rope.js: Added.
2551         (makeRope):
2552         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
2553         (returnRope.helper): Deleted.
2554         (returnRope): Deleted.
2555
2556 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2557
2558         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
2559         https://bugs.webkit.org/show_bug.cgi?id=195144
2560
2561         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
2562         Change the number from 1e8 to 1e5.
2563
2564         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2565         (foo):
2566
2567 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
2568
2569         Test times out on ARM/MIPS
2570         https://bugs.webkit.org/show_bug.cgi?id=195168
2571
2572         Unreviewed. Skip test on ARM/MIPS.
2573
2574         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2575
2576 2019-02-27  Mark Lam  <mark.lam@apple.com>
2577
2578         The parser is failing to record the token location of new in new.target.
2579         https://bugs.webkit.org/show_bug.cgi?id=195127
2580         <rdar://problem/39645578>
2581
2582         Reviewed by Yusuke Suzuki.
2583
2584         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
2585
2586 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
2587
2588         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
2589         https://bugs.webkit.org/show_bug.cgi?id=195144
2590         <rdar://problem/47595961>
2591
2592         Reviewed by Mark Lam.
2593
2594         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
2595         (bar):
2596         (foo):
2597         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
2598         (bar):
2599         (foo):
2600
2601 2019-02-27  Robin Morisset  <rmorisset@apple.com>
2602
2603         DFG: Loop-invariant code motion (LICM) should not hoist dead code
2604         https://bugs.webkit.org/show_bug.cgi?id=194945
2605         <rdar://problem/48311657>
2606
2607         Reviewed by Mark Lam.
2608
2609         * stress/licm-dead-code.js: Added.
2610
2611 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
2612
2613         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
2614         https://bugs.webkit.org/show_bug.cgi?id=194677
2615         <rdar://problem/48112492>
2616
2617         Reviewed by Mark Lam.
2618
2619         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
2620         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
2621         it immediately fails due the large size.
2622
2623         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
2624         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
2625         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
2626         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
2627
2628         This patch changes the test to produce 16bit string from String.fromCharCode.
2629
2630         * stress/regress-178386.js:
2631
2632 2019-02-26  Mark Lam  <mark.lam@apple.com>
2633
2634         wasmToJS() should purify incoming NaNs.
2635         https://bugs.webkit.org/show_bug.cgi?id=194807
2636         <rdar://problem/48189132>
2637
2638         Reviewed by Saam Barati.
2639
2640         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
2641
2642 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
2643
2644         [JSC] Repeat string created from Array.prototype.join() take too much memory
2645         https://bugs.webkit.org/show_bug.cgi?id=193912
2646
2647         Reviewed by Saam Barati.
2648
2649         Added a test and a microbenchmark for corner cases of
2650         Array.prototype.join() with an uninitialized array.
2651
2652         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
2653         * stress/array-prototype-join-uninitialized.js: Added.
2654         (testArray):
2655         (testABC):
2656         (B):
2657         (C):
2658
2659 2019-02-22  Robin Morisset  <rmorisset@apple.com>
2660
2661         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
2662         https://bugs.webkit.org/show_bug.cgi?id=194953
2663         <rdar://problem/47595253>
2664
2665         Reviewed by Saam Barati.
2666
2667         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
2668
2669         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
2670
2671 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2672
2673         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2674         https://bugs.webkit.org/show_bug.cgi?id=172848
2675         <rdar://problem/25709212>
2676
2677         Reviewed by Mark Lam.
2678
2679         * typeProfiler/inheritance.js:
2680         Rewrite the test slightly for clarity. The hoisting was confusing.
2681
2682         * heapProfiler/class-names.js: Added.
2683         (MyES5Class):
2684         (MyES6Class):
2685         (MyES6Subclass):
2686         Test object types and improved class names.
2687
2688         * heapProfiler/driver/driver.js:
2689         (CheapHeapSnapshotNode):
2690         (CheapHeapSnapshot):
2691         (createCheapHeapSnapshot):
2692         (HeapSnapshot):
2693         (createHeapSnapshot):
2694         Update snapshot parsing from version 1 to version 2.
2695
2696 2019-02-19  Truitt Savell  <tsavell@apple.com>
2697
2698         Unreviewed, rolling out r241784.
2699
2700         Broke all OpenSource builds.
2701
2702         Reverted changeset:
2703
2704         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
2705         instances view"
2706         https://bugs.webkit.org/show_bug.cgi?id=172848
2707         https://trac.webkit.org/changeset/241784
2708
2709 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2710
2711         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2712         https://bugs.webkit.org/show_bug.cgi?id=172848
2713         <rdar://problem/25709212>
2714
2715         Reviewed by Mark Lam.
2716
2717         * typeProfiler/inheritance.js:
2718         Rewrite the test slightly for clarity. The hoisting was confusing.
2719
2720         * heapProfiler/class-names.js: Added.
2721         (MyES5Class):
2722         (MyES6Class):
2723         (MyES6Subclass):
2724         Test object types and improved class names.
2725
2726         * heapProfiler/driver/driver.js:
2727         (CheapHeapSnapshotNode):
2728         (CheapHeapSnapshot):
2729         (createCheapHeapSnapshot):
2730         (HeapSnapshot):
2731         (createHeapSnapshot):
2732         Update snapshot parsing from version 1 to version 2.
2733
2734 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
2735
2736         [ARM] Fix crash with sampling profiler
2737         https://bugs.webkit.org/show_bug.cgi?id=194772
2738
2739         Reviewed by Mark Lam.
2740
2741         Do not skip test since crash with sampling profiler is now fixed.
2742
2743         * stress/sampling-profiler-richards.js:
2744
2745 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
2746
2747         [JSC] Add LazyClassStructure::getInitializedOnMainThread
2748         https://bugs.webkit.org/show_bug.cgi?id=194784
2749         <rdar://problem/48154820>
2750
2751         Reviewed by Mark Lam.
2752
2753         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
2754         (getProperties):
2755         (getRandomProperty):
2756         (i.catch):
2757
2758 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
2759
2760         [ARM] Test gardening: Test running out of executable memory
2761         https://bugs.webkit.org/show_bug.cgi?id=194771
2762
2763         Unreviewed. Do not run test without LLInt, test is running out of executable
2764         memory on ARM otherwise.
2765
2766         * stress/tagged-template-object-collect.js:
2767
2768 2019-02-18  Tomas Popela  <tpopela@redhat.com>
2769
2770         Unreviewed, skip the test on platforms without sampling profiler
2771
2772         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
2773         (platformSupportsSamplingProfiler.foo):
2774         (platformSupportsSamplingProfiler.test):
2775         (platformSupportsSamplingProfiler):
2776         (foo): Deleted.
2777         (test): Deleted.
2778
2779 2019-02-17  Saam Barati  <sbarati@apple.com>
2780
2781         Deadlock when adding a Structure property transition and then doing incremental marking
2782         https://bugs.webkit.org/show_bug.cgi?id=194767
2783
2784         Reviewed by Mark Lam.
2785
2786         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
2787
2788 2019-02-15  Michael Saboff  <msaboff@apple.com>
2789
2790         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
2791         https://bugs.webkit.org/show_bug.cgi?id=194558
2792
2793         Reviewed by Saam Barati.
2794
2795         New regression test.
2796
2797         * stress/regexp-unicode-within-string.js: Added.
2798
2799 2019-02-15  Mark Lam  <mark.lam@apple.com>
2800
2801         SamplingProfiler::stackTracesAsJSON() should escape strings.
2802         https://bugs.webkit.org/show_bug.cgi?id=194649
2803         <rdar://problem/48072386>
2804
2805         Reviewed by Saam Barati.
2806
2807         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
2808         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
2809         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
2810         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
2811
2812 2019-02-15  Robin Morisset  <rmorisset@apple.com>
2813         CodeBlock::jettison should clear related watchpoints
2814         https://bugs.webkit.org/show_bug.cgi?id=194544
2815
2816         Reviewed by Mark Lam.
2817
2818         * stress/regexp-replace-double-watchpoint.js: Added.
2819         (foo):
2820
2821 2019-02-15  Saam barati  <sbarati@apple.com>
2822
2823         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
2824         https://bugs.webkit.org/show_bug.cgi?id=194036
2825
2826         Reviewed by Yusuke Suzuki.
2827
2828         * stress/tail-call-many-arguments.js: Added.
2829         (foo):
2830         (bar):
2831
2832 2019-02-14  Saam Barati  <sbarati@apple.com>
2833
2834         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
2835         https://bugs.webkit.org/show_bug.cgi?id=194583
2836         <rdar://problem/48028140>
2837
2838         Reviewed by Yusuke Suzuki.
2839
2840         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
2841
2842 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
2843
2844         [JSC] String.fromCharCode's slow path always generates 16bit string
2845         https://bugs.webkit.org/show_bug.cgi?id=194466
2846
2847         Reviewed by Keith Miller.
2848
2849         * stress/string-from-char-code-slow-path.js: Added.
2850         (shouldBe):
2851         (testWithLength):
2852
2853 2019-02-08  Saam barati  <sbarati@apple.com>
2854
2855         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
2856         https://bugs.webkit.org/show_bug.cgi?id=194334
2857         <rdar://problem/47844327>
2858
2859         Reviewed by Mark Lam.
2860
2861         * stress/check-in-bounds-should-be-a-child-use.js: Added.
2862         (func):
2863
2864 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
2865
2866         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
2867         https://bugs.webkit.org/show_bug.cgi?id=194369
2868         <rdar://problem/47813087>
2869
2870         Reviewed by Saam Barati.
2871
2872         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
2873         (A):
2874
2875 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
2876
2877         [JSC] PrivateName to PublicName hash table is wasteful
2878         https://bugs.webkit.org/show_bug.cgi?id=194277
2879
2880         Reviewed by Michael Saboff.
2881
2882         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
2883
2884         * ChakraCore.yaml:
2885
2886 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
2887
2888         [ARM] Test running out of executable memory
2889         https://bugs.webkit.org/show_bug.cgi?id=194285
2890
2891         Unreviewed. Do no execute test with LLInt disabled, test runs out of
2892         executable memory otherwise.
2893
2894         * stress/class-subclassing-function.js:
2895
2896 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2897
2898         when lowering AssertNotEmpty, create the value before creating the patchpoint
2899         https://bugs.webkit.org/show_bug.cgi?id=194231
2900
2901         Reviewed by Saam Barati.
2902
2903         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
2904         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
2905         So even tiny changes to this test can change the path code taken.
2906
2907         * stress/assert-not-empty.js: Added.
2908         (foo):
2909
2910 2019-02-01  Mark Lam  <mark.lam@apple.com>
2911
2912         Remove invalid assertion in DFG's compileDoubleRep().
2913         https://bugs.webkit.org/show_bug.cgi?id=194130
2914         <rdar://problem/47699474>
2915
2916         Reviewed by Saam Barati.
2917
2918         * stress/constant-fold-double-rep-into-double-constant.js: Added.
2919
2920 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
2921
2922         Import latest Test262 updates.
2923
2924         Rubber-stamped by Keith Miller.
2925
2926         * test262.yaml: Deleted.
2927         * test262/config.yaml:
2928         * test262/expectations.yaml:
2929         * test262/latest-changes-summary.txt:
2930         * test262/test/:
2931         * test262/test262-Revision.txt:
2932
2933 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2934
2935         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2936         https://bugs.webkit.org/show_bug.cgi?id=194050
2937         <rdar://problem/47595592>
2938
2939         Reviewed by Yusuke Suzuki.
2940
2941         * stress/object-keys-osr-exit.js: Added.
2942         (foo):
2943         (catch):
2944
2945 2019-01-29  Mark Lam  <mark.lam@apple.com>
2946
2947         ValueRecovery::recover() should purify NaN values it recovers.
2948         https://bugs.webkit.org/show_bug.cgi?id=193978
2949         <rdar://problem/47625488>
2950
2951         Reviewed by Saam Barati.
2952
2953         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
2954
2955 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2956
2957         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
2958         https://bugs.webkit.org/show_bug.cgi?id=193713
2959
2960         * stress/try-get-by-id-should-spill-registers-dfg.js:
2961         (let.f.createBuiltin):
2962
2963 2019-01-28  Mark Lam  <mark.lam@apple.com>
2964
2965         ToString node actually does GC.
2966         https://bugs.webkit.org/show_bug.cgi?id=193920
2967         <rdar://problem/46695900>
2968
2969         Reviewed by Yusuke Suzuki.
2970
2971         * stress/dfg-to-string-on-int-does-gc.js: Added.
2972         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
2973         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
2974
2975 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
2976
2977         [JSC] NativeErrorConstructor should not have own IsoSubspace
2978         https://bugs.webkit.org/show_bug.cgi?id=193713
2979
2980         Reviewed by Saam Barati.
2981
2982         Remove @Error use.
2983
2984         * stress/try-get-by-id-should-spill-registers-dfg.js:
2985         (let.f.createBuiltin):
2986
2987 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
2988
2989         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
2990         https://bugs.webkit.org/show_bug.cgi?id=190693
2991
2992         Reviewed by Michael Saboff.
2993
2994         * stress/regress-190693.js: Added.
2995         (truth):
2996         (assert):
2997         (shouldThrowInvalidConstAssignment):
2998         (taz):
2999
3000 2019-01-24  Saam Barati  <sbarati@apple.com>
3001
3002         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3003         https://bugs.webkit.org/show_bug.cgi?id=193751
3004         <rdar://problem/47280215>
3005
3006         Reviewed by Michael Saboff.
3007
3008         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
3009         (let.thing):
3010         (foo.let.hello):
3011         (foo):
3012
3013 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3014
3015         [JSC] Reenable baseline JIT on mips
3016         https://bugs.webkit.org/show_bug.cgi?id=192983
3017
3018         Reviewed by Mark Lam.
3019
3020         Added a new test for a case that was triggering a RELEASE_ASSERT when
3021         testing.
3022         Disable some slow tests that were already disabled for arm and x86.
3023
3024         * stress/json-parse-big-object.js: Added.
3025         * stress/new-largeish-contiguous-array-with-size.js:
3026         * stress/op_add.js:
3027         * stress/op_bitand.js:
3028         * stress/op_bitor.js:
3029         * stress/op_bitxor.js:
3030         * stress/op_lshift-ConstVar.js:
3031         * stress/op_lshift-VarConst.js:
3032         * stress/op_lshift-VarVar.js:
3033         * stress/op_mod-ConstVar.js:
3034         * stress/op_mod-VarConst.js:
3035         * stress/op_mod-VarVar.js:
3036         * stress/op_mul-ConstVar.js:
3037         * stress/op_mul-VarConst.js:
3038         * stress/op_mul-VarVar.js:
3039         * stress/op_rshift-ConstVar.js:
3040         * stress/op_rshift-VarConst.js:
3041         * stress/op_rshift-VarVar.js:
3042         * stress/op_sub-ConstVar.js:
3043         * stress/op_sub-VarConst.js:
3044         * stress/op_sub-VarVar.js:
3045         * stress/op_urshift-ConstVar.js:
3046         * stress/op_urshift-VarConst.js:
3047         * stress/op_urshift-VarVar.js:
3048         * stress/sampling-profiler-richards.js:
3049         * stress/spread-forward-call-varargs-stack-overflow.js:
3050
3051 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
3052
3053         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
3054         https://bugs.webkit.org/show_bug.cgi?id=193711
3055         <rdar://problem/47250262>
3056
3057         Reviewed by Saam Barati.
3058
3059         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
3060         (shouldBe):
3061         (foo):
3062         (bar):
3063         (baz):
3064
3065 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3066
3067         Unreviewed, fix initial global lexical binding epoch
3068         https://bugs.webkit.org/show_bug.cgi?id=193603
3069         <rdar://problem/47380869>
3070
3071         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
3072         (f1.f2.f3.f4):
3073         (f1.f2.f3):
3074         (f1.f2):
3075         (f1):
3076
3077 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3078
3079         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
3080         https://bugs.webkit.org/show_bug.cgi?id=193709
3081         <rdar://problem/47363838>
3082
3083         Unreviewed, rollout to watch the tests.
3084
3085         * stress/object-tostring-changed-proto.js: Removed.
3086         * stress/object-tostring-changed.js: Removed.
3087         * stress/object-tostring-misc.js: Removed.
3088         * stress/object-tostring-other.js: Removed.
3089         * stress/object-tostring-untyped.js: Removed.
3090
3091 2019-01-22  Saam Barati  <sbarati@apple.com>
3092
3093         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
3094
3095         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
3096         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
3097         (testUncheckedLessThanZero):
3098         (testUncheckedLessThanOrEqualZero):
3099         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
3100         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
3101
3102 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3103
3104         [JSC] Invalidate old scope operations using global lexical binding epoch
3105         https://bugs.webkit.org/show_bug.cgi?id=193603
3106         <rdar://problem/47380869>
3107
3108         Reviewed by Saam Barati.
3109
3110         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
3111         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
3112         (shouldThrow):
3113         (bar):
3114         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
3115         (shouldBe):
3116         (get1):
3117         (get2):
3118         (get1If):
3119         (get2If):
3120         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
3121         (shouldThrow):
3122         (foo):
3123
3124 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
3125
3126         Unreviewed, roll out r240220 due to date-format-xparb regression
3127         https://bugs.webkit.org/show_bug.cgi?id=193603
3128
3129         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
3130         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
3131         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
3132         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
3133
3134 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
3135
3136         DoesGC rule is wrong for nodes with BigIntUse
3137         https://bugs.webkit.org/show_bug.cgi?id=193652
3138
3139         Reviewed by Saam Barati.
3140
3141         * stress/big-int-value-op-update-gc-rules.js: Added.
3142         (assert):
3143         (doesGCAdd):
3144         (doesGCSub):
3145         (doesGCDiv):
3146         (doesGCMul):
3147         (doesGCBitAnd):
3148         (doesGCBitOr):
3149         (doesGCBitXor):
3150
3151 2019-01-20  Saam Barati  <sbarati@apple.com>
3152
3153         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
3154         https://bugs.webkit.org/show_bug.cgi?id=193644
3155         <rdar://problem/46209745>
3156
3157         Reviewed by Yusuke Suzuki.
3158
3159         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
3160         (foo):
3161         * stress/data-view-set-intrinsic-undefined-result.js: Added.
3162         (foo):
3163         (bar):
3164
3165 2019-01-20  Saam Barati  <sbarati@apple.com>
3166
3167         MovHint must merge NodeBytecodeUsesAsValue for its child
3168         https://bugs.webkit.org/show_bug.cgi?id=186916
3169         <rdar://problem/41396612>
3170
3171         Reviewed by Yusuke Suzuki.
3172
3173         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
3174         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
3175
3176 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
3177
3178         [JSC] Invalidate old scope operations using global lexical binding epoch
3179         https://bugs.webkit.org/show_bug.cgi?id=193603
3180         <rdar://problem/47380869>
3181
3182         Reviewed by Saam Barati.
3183
3184         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
3185         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
3186         (shouldThrow):
3187         (bar):
3188         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
3189         (shouldBe):
3190         (get1):
3191         (get2):
3192         (get1If):
3193         (get2If):
3194         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
3195         (shouldThrow):
3196         (foo):
3197
3198 2019-01-17  Saam barati  <sbarati@apple.com>
3199
3200         StringObjectUse should not be a structure check for the original string object structure
3201         https://bugs.webkit.org/show_bug.cgi?id=193483
3202         <rdar://problem/47280522>
3203
3204         Reviewed by Yusuke Suzuki.
3205
3206         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
3207         (foo):
3208         (a.valueOf.0):
3209
3210 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3211
3212         [JSC] ToThis omission in DFGByteCodeParser is wrong
3213         https://bugs.webkit.org/show_bug.cgi?id=193513
3214         <rdar://problem/45842236>
3215
3216         Reviewed by Saam Barati.
3217
3218         * stress/to-this-omission-with-different-strict-modes.js: Added.
3219         (thisA):
3220         (thisAStrictWrapper):
3221
3222 2019-01-15  Mark Lam  <mark.lam@apple.com>
3223
3224         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
3225         https://bugs.webkit.org/show_bug.cgi?id=193423
3226         <rdar://problem/46209355>
3227
3228         Reviewed by Saam Barati.
3229
3230         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
3231         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
3232         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
3233         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
3234
3235 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3236
3237         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
3238         https://bugs.webkit.org/show_bug.cgi?id=193438
3239         <rdar://problem/45581249>
3240
3241         Reviewed by Saam Barati and Keith Miller.
3242
3243         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
3244         Then, GetByVal(String) crashed.
3245
3246         * stress/string-get-by-val-lowering.js: Added.
3247         (shouldBe):
3248         (test):
3249         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
3250         (Hello):
3251         (foo):
3252
3253 2019-01-15  Tomas Popela  <tpopela@redhat.com>
3254
3255         Unreviewed, skip JIT tests if it's not enabled
3256
3257         * stress/bit-op-with-object-returning-int32.js:
3258
3259 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
3260
3261         DFGByteCodeParser rules for bitwise operations should consider type of their operands
3262         https://bugs.webkit.org/show_bug.cgi?id=192966
3263
3264         Reviewed by Yusuke Suzuki.
3265
3266         * stress/bit-op-with-object-returning-int32.js: Added.
3267
3268 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
3269
3270         Skip a slow test and a flakey test on arm
3271
3272         Unreviewed gardening.
3273
3274         * typeProfiler/getter-richards.js:
3275         this test always times out, it used to be always skipped on arm and
3276         mips, but got accidentally enabled by r237919 now that we have DFG on
3277         arm. Also skipping on mips as we plan to soon enable DFG for it too.
3278
3279 2019-01-14  Keith Miller  <keith_miller@apple.com>
3280
3281         Skip type-check-hoisting-phase-hoist... with no jit
3282         https://bugs.webkit.org/show_bug.cgi?id=193421
3283
3284         Reviewed by Mark Lam.
3285
3286         It's timing out the 32-bit bots and takes 330 seconds
3287         on my machine when run by itself.
3288
3289         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
3290
3291 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3292
3293         [JSC] AI should check the given constant's array type when folding GetByVal into constant
3294         https://bugs.webkit.org/show_bug.cgi?id=193413
3295         <rdar://problem/46092389>
3296
3297         Reviewed by Keith Miller.
3298
3299         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
3300         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
3301         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
3302         but GetByVal does not have appropriate ArrayModes, JSC crashes.
3303
3304         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
3305         (compareArray):
3306
3307 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
3308
3309         [BigInt] Literal parsing is crashing when used inside a Object Literal
3310         https://bugs.webkit.org/show_bug.cgi?id=193404
3311
3312         Reviewed by Yusuke Suzuki.
3313
3314         * stress/big-int-literal-inside-literal-object.js: Added.
3315
3316 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3317
3318         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
3319         https://bugs.webkit.org/show_bug.cgi?id=193372
3320
3321         Reviewed by Saam Barati.
3322
3323         * stress/typed-array-array-modes-profile.js: Added.
3324         (foo):
3325
3326 2019-01-14  Mark Lam  <mark.lam@apple.com>
3327
3328         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
3329         https://bugs.webkit.org/show_bug.cgi?id=193402
3330         <rdar://problem/46012309>
3331
3332         Reviewed by Keith Miller.
3333
3334         * stress/regexp-compile-oom.js:
3335         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
3336           is enabled.  As a result, it will fail on cloop builds though there is no bug.
3337
3338 2019-01-11  Saam barati  <sbarati@apple.com>
3339
3340         DFG combined liveness can be wrong for terminal basic blocks
3341         https://bugs.webkit.org/show_bug.cgi?id=193304
3342         <rdar://problem/45268632>
3343
3344         Reviewed by Yusuke Suzuki.
3345
3346         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
3347
3348 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3349
3350         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
3351         https://bugs.webkit.org/show_bug.cgi?id=193308
3352         <rdar://problem/45546542>
3353
3354         Reviewed by Saam Barati.
3355
3356         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
3357         (shouldThrow):
3358         (shouldBe):
3359         (foo):
3360         (get shouldThrow):
3361         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
3362         (shouldThrow):
3363         (shouldBe):
3364         (foo):
3365         (get shouldBe):
3366         (get shouldThrow):
3367         (get return):
3368         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
3369         (shouldThrow):
3370         (shouldBe):
3371         (foo):
3372         (get shouldBe):
3373         (get shouldThrow):
3374         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
3375         (shouldThrow):
3376         (shouldBe):
3377         (foo):
3378         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
3379         (shouldThrow):
3380         (shouldBe):
3381         (foo):
3382         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
3383         (shouldThrow):
3384         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
3385         (shouldThrow):
3386         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
3387         (shouldThrow):
3388         (shouldBe):
3389         (foo):
3390         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
3391         (shouldThrow):
3392         (shouldBe):
3393         (foo):
3394         (get shouldBe):
3395         (get shouldThrow):
3396         (get return):
3397         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
3398         (shouldThrow):
3399         (shouldBe):
3400         (foo):
3401         (get shouldBe):
3402         (get shouldThrow):
3403         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
3404         (shouldThrow):
3405         (shouldBe):
3406         (foo):
3407         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
3408         (shouldThrow):
3409         (shouldBe):
3410         (foo):
3411
3412 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
3413
3414         Enable DFG on ARM/Linux again
3415         https://bugs.webkit.org/show_bug.cgi?id=192496
3416
3417         Reviewed by Yusuke Suzuki.
3418
3419         Test wasn't really skipped before moving the line with skip
3420         to the top.
3421
3422         * stress/regress-192717.js:
3423
3424 2019-01-10  Commit Queue  <commit-queue@webkit.org>
3425
3426         Unreviewed, rolling out r239825.
3427         https://bugs.webkit.org/show_bug.cgi?id=193330
3428
3429         Broke tests on armv7/linux bots (Requested by guijemont on
3430         #webkit).
3431
3432         Reverted changeset:
3433
3434         "Enable DFG on ARM/Linux again"
3435         https://bugs.webkit.org/show_bug.cgi?id=192496
3436         https://trac.webkit.org/changeset/239825
3437
3438 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
3439
3440         Enable DFG on ARM/Linux again
3441         https://bugs.webkit.org/show_bug.cgi?id=192496
3442
3443         Reviewed by Yusuke Suzuki.
3444
3445         Test wasn't really skipped before moving the line with skip
3446         to the top.
3447
3448         * stress/regress-192717.js:
3449
3450 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3451
3452         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
3453         https://bugs.webkit.org/show_bug.cgi?id=193127
3454
3455         Reviewed by Saam Barati.
3456
3457         * stress/array-species-create-should-handle-masquerader.js: Added.
3458         (shouldThrow):
3459         * stress/is-undefined-or-null-builtin.js: Added.
3460         (shouldBe):
3461         (isUndefinedOrNull.vm.createBuiltin):
3462
3463 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
3464
3465         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
3466         https://bugs.webkit.org/show_bug.cgi?id=193221
3467
3468         Reviewed by Mark Lam.
3469
3470         * stress/put-by-id-flags.js: Added.
3471         (f):
3472         (g):
3473         (numberOfDFGCompiles):
3474
3475 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
3476
3477         Baseline version of get_by_id may corrupt metadata
3478         https://bugs.webkit.org/show_bug.cgi?id=193085
3479         <rdar://problem/23453006>
3480
3481         Reviewed by Saam Barati.
3482
3483         * stress/get-by-id-change-mode.js: Added.
3484         (forEach):
3485
3486 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3487
3488         [JSC] Optimize Object.prototype.toString
3489         https://bugs.webkit.org/show_bug.cgi?id=193031
3490
3491         Reviewed by Saam Barati.
3492
3493         * stress/object-tostring-changed-proto.js: Added.
3494         (shouldBe):
3495         (test):
3496         * stress/object-tostring-changed.js: Added.
3497         (shouldBe):
3498         (test):
3499         * stress/object-tostring-misc.js: Added.
3500         (shouldBe):
3501         (test):
3502         (i.switch):
3503         * stress/object-tostring-other.js: Added.
3504         (shouldBe):
3505         (test):
3506         * stress/object-tostring-untyped.js: Added.
3507         (shouldBe):
3508         (test):
3509         (i.switch):
3510
3511 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
3512
3513         test262-runner misbehaves when test file YAML has a trailing space
3514         https://bugs.webkit.org/show_bug.cgi?id=193053
3515
3516         Reviewed by Yusuke Suzuki.
3517
3518         * test262/expectations.yaml:
3519         Mark two dozen tests as passing (and correct the output of another).
3520
3521 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3522
3523         Unreviewed, JSTests gardening with memoryLimited
3524
3525         * stress/string-overflow-createError.js:
3526
3527 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
3528
3529         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
3530         https://bugs.webkit.org/show_bug.cgi?id=193050
3531
3532         Reviewed by Yusuke Suzuki.
3533
3534         * test262.yaml:
3535         * test262/expectations.yaml:
3536         Mark 16 tests as passing.
3537
3538 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3539
3540         [BigInt] Support BigInt in JSON.stringify
3541         https://bugs.webkit.org/show_bug.cgi?id=192624
3542
3543         Reviewed by Saam Barati.
3544
3545         * stress/big-int-json-stringify-to-json.js: Added.
3546         (shouldBe):
3547         (shouldThrow):
3548         (BigInt.prototype.toJSON):
3549         (shouldBe.JSON.stringify):
3550         * stress/big-int-json-stringify.js: Added.
3551         (shouldBe):
3552         (shouldThrow):
3553
3554 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3555
3556         [JSC] Implement "well-formed JSON.stringify" proposal
3557         https://bugs.webkit.org/show_bug.cgi?id=191677
3558
3559         Reviewed by Darin Adler.
3560
3561         * stress/json-surrogate-pair.js: Added.
3562         (shouldBe):
3563         * test262/expectations.yaml:
3564
3565 2018-12-20  Keith Miller  <keith_miller@apple.com>
3566
3567         Add support for globalThis
3568         https://bugs.webkit.org/show_bug.cgi?id=165171
3569
3570         Reviewed by Mark Lam.
3571
3572         * test262/config.yaml:
3573
3574 2018-12-19  Keith Miller  <keith_miller@apple.com>
3575
3576         Update test262 configuration to not run tests dependent on ICU version.
3577         https://bugs.webkit.org/show_bug.cgi?id=192920
3578
3579         Reviewed by Saam Barati.
3580
3581         * test262/expectations.yaml:
3582
3583 2018-12-20  Mark Lam  <mark.lam@apple.com>
3584
3585         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
3586         https://bugs.webkit.org/show_bug.cgi?id=192939
3587         <rdar://problem/46869516>
3588
3589         Reviewed by Keith Miller.
3590
3591         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
3592
3593 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
3594
3595         WTF::String and StringImpl overflow MaxLength
3596         https://bugs.webkit.org/show_bug.cgi?id=192853
3597         <rdar://problem/45726906>
3598
3599         Reviewed by Mark Lam.
3600
3601         * stress/string-16bit-repeat-overflow.js: Added.
3602         (catch):
3603
3604 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
3605
3606         Unreviewed follow-up to r192914.
3607
3608         * test262/expectations.yaml:
3609         Add the last 20 missing expectations.
3610
3611 2018-12-19  Keith Miller  <keith_miller@apple.com>
3612
3613         Fix test262 expectations
3614         https://bugs.webkit.org/show_bug.cgi?id=192914
3615
3616         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
3617
3618         * test262/expectations.yaml:
3619
3620 2018-12-19  Keith Miller  <keith_miller@apple.com>
3621
3622         Update test262 tests.
3623         https://bugs.webkit.org/show_bug.cgi?id=192907
3624
3625         Rubber stamped by Mark Lam.
3626
3627         * test262/*: Omitted because prepare-changelog crashes.
3628
3629 2018-12-19  Mark Lam  <mark.lam@apple.com>
3630
3631         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
3632         https://bugs.webkit.org/show_bug.cgi?id=192464
3633         <rdar://problem/46519455>
3634
3635         Reviewed by Saam Barati.
3636
3637         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
3638         microbenchmark.
3639
3640         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
3641         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
3642
3643 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
3644
3645         String overflow in JSC::createError results in ASSERT in WTF::makeString
3646         https://bugs.webkit.org/show_bug.cgi?id=192833
3647         <rdar://problem/45706868>
3648
3649         Reviewed by Mark Lam.
3650
3651         * stress/string-overflow-createError.js: Added.
3652
3653 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
3654
3655         Error message for `-x ** y` contains a typo.
3656         https://bugs.webkit.org/show_bug.cgi?id=192832
3657
3658         Reviewed by Saam Barati.
3659
3660         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
3661         (assert.assert.return.throws):
3662         * stress/pow-expects-update-expression-on-lhs.js:
3663         (throw.new.Error):
3664         Update test expectations which match against the exact error message.
3665
3666 2018-12-18  Mark Lam  <mark.lam@apple.com>
3667
3668         Gardening: test options fix.
3669         https://bugs.webkit.org/show_bug.cgi?id=192822
3670
3671         Unreviewed.
3672
3673         * stress/json-stringify-string-builder-overflow.js:
3674
3675 2018-12-18  Mark Lam  <mark.lam@apple.com>
3676
3677         JSON.stringify() should throw OOM on StringBuilder overflows.
3678         https://bugs.webkit.org/show_bug.cgi?id=192822
3679         <rdar://problem/46670577>
3680
3681         Reviewed by Saam Barati.
3682
3683         * stress/json-stringify-string-builder-overflow.js: Added.
3684
3685 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
3686
3687         Redeclaration of var over let/const/class should be a syntax error.
3688         https://bugs.webkit.org/show_bug.cgi?id=192298
3689
3690         Reviewed by Keith Miller.
3691
3692         * test262.yaml:
3693         * test262/expectations.yaml:
3694         Mark 46 tests as passing.
3695
3696         * stress/block-scope-redeclarations.js:
3697         Add some new tests.
3698
3699         * stress/for-in-invalidate-context-weird-assignments.js:
3700         * stress/for-in-tests.js:
3701         Replace tests for outdated behavior with tests for SyntaxError.
3702
3703         * ChakraCore/test/LetConst/defer3.baseline-jsc:
3704         * ChakraCore/test/LetConst/letvar.baseline-jsc:
3705         Update expectations.
3706
3707 2018-12-18  Mark Lam  <mark.lam@apple.com>
3708
3709         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
3710         https://bugs.webkit.org/show_bug.cgi?id=191374
3711         <rdar://problem/46525447>
3712
3713         Reviewed by Yusuke Suzuki.
3714
3715         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
3716
3717         * stress/elidable-new-object-roflcopter-then-exit.js:
3718
3719 2018-12-17  Mark Lam  <mark.lam@apple.com>
3720
3721         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
3722         https://bugs.webkit.org/show_bug.cgi?id=192019
3723         <rdar://problem/46525456>
3724
3725         Reviewed by Yusuke Suzuki.
3726
3727         The test runs too slow on 32-bit.
3728
3729         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
3730
3731 2018-12-17  Mark Lam  <mark.lam@apple.com>
3732
3733         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
3734         https://bugs.webkit.org/show_bug.cgi?id=191373
3735         <rdar://problem/46525458>
3736
3737         Reviewed by Yusuke Suzuki.
3738
3739         The test is already slow running with a JIT on 64-bit.  It will always timeout
3740         on 32-bit without a JIT.
3741
3742         * stress/materialize-regexp-cyclic-regexp.js:
3743
3744 2018-12-17  Mark Lam  <mark.lam@apple.com>
3745
3746         Array unshift/shift should not race against the AI in the compiler thread.
3747         https://bugs.webkit.org/show_bug.cgi?id=192795
3748         <rdar://problem/46724263>
3749
3750         Reviewed by Saam Barati.
3751
3752         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
3753
3754 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3755
3756         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
3757         https://bugs.webkit.org/show_bug.cgi?id=190047
3758
3759         Reviewed by Saam Barati.
3760
3761         * stress/object-keys-cached-zero.js: Added.
3762         (shouldBe):
3763         (test):
3764         * stress/object-keys-changed-attribute.js: Added.
3765         (shouldBe):
3766         (test):
3767         * stress/object-keys-changed-index.js: Added.
3768         (shouldBe):
3769         (test):
3770         * stress/object-keys-changed.js: Added.
3771         (shouldBe):
3772         (test):
3773         * stress/object-keys-indexed-non-cache.js: Added.
3774         (shouldBe):
3775         (test):
3776         * stress/object-keys-overrides-get-property-names.js: Added.
3777         (shouldBe):
3778         (test):
3779         (noInline):
3780
3781 2018-12-17  Mark Lam  <mark.lam@apple.com>
3782
3783         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
3784         https://bugs.webkit.org/show_bug.cgi?id=192779
3785         <rdar://problem/46775869>
3786
3787         Reviewed by Saam Barati.
3788
3789         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
3790
3791 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
3792
3793         Unreviewed test gardening, address a syntax error in a new test.
3794
3795         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
3796
3797 2018-12-17  Mark Lam  <mark.lam@apple.com>
3798
3799         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
3800         https://bugs.webkit.org/show_bug.cgi?id=192776
3801         <rdar://problem/46772368>
3802
3803         Reviewed by Keith Miller.
3804
3805         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
3806
3807 2018-12-17  Mark Lam  <mark.lam@apple.com>
3808
3809         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
3810         https://bugs.webkit.org/show_bug.cgi?id=192770
3811         <rdar://problem/46449037>
3812
3813         Reviewed by Keith Miller.
3814
3815         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
3816
3817 2018-12-14  Mark Lam  <mark.lam@apple.com>
3818
3819         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
3820         https://bugs.webkit.org/show_bug.cgi?id=192717
3821         <rdar://problem/46660677>
3822
3823         Reviewed by Saam Barati.
3824
3825         * stress/regress-192717.js: Added.
3826
3827 2018-12-14  Commit Queue  <commit-queue@webkit.org>
3828
3829         Unreviewed, rolling out r239153, r239154, and r239155.
3830         https://bugs.webkit.org/show_bug.cgi?id=192715
3831
3832         Caused flaky GC-related crashes seen with layout tests
3833         (Requested by ryanhaddad on #webkit).
3834
3835         Reverted changesets:
3836
3837         "[JSC] Optimize Object.keys by caching own keys results in
3838         StructureRareData"
3839         https://bugs.webkit.org/show_bug.cgi?id=190047
3840         https://trac.webkit.org/changeset/239153
3841
3842         "Unreviewed, build fix after r239153"
3843         https://bugs.webkit.org/show_bug.cgi?id=190047
3844         https://trac.webkit.org/changeset/239154
3845
3846         "Unreviewed, build fix after r239153, part 2"
3847         https://bugs.webkit.org/show_bug.cgi?id=190047
3848         https://trac.webkit.org/changeset/239155
3849
3850 2018-12-14  Keith Miller  <keith_miller@apple.com>
3851
3852         Callers of JSString::getIndex should check for OOM exceptions
3853         https://bugs.webkit.org/show_bug.cgi?id=192709
3854
3855         Reviewed by Mark Lam.
3856
3857         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
3858
3859 2018-12-13  Mark Lam  <mark.lam@apple.com>
3860
3861         Add a missing exception check.
3862         https://bugs.webkit.org/show_bug.cgi?id=192626
3863         <rdar://problem/46662163>
3864
3865         Reviewed by Keith Miller.
3866
3867         * stress/regress-192626.js: Added.
3868
3869 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
3870
3871         [BigInt] Add ValueDiv into DFG
3872         https://bugs.webkit.org/show_bug.cgi?id=186178
3873
3874         Reviewed by Yusuke Suzuki.
3875
3876         * stress/big-int-div-jit-osr.js: Added.
3877         * stress/big-int-div-jit-untyped.js: Added.
3878         * stress/value-div-fixup-int32-big-int.js: Added.
3879
3880 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3881
3882         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
3883         https://bugs.webkit.org/show_bug.cgi?id=190047
3884
3885         Reviewed by Keith Miller.
3886
3887         * stress/object-keys-cached-zero.js: Added.
3888         (shouldBe):
3889         (test):
3890         * stress/object-keys-changed-attribute.js: Added.
3891         (shouldBe):
3892         (test):
3893         * stress/object-keys-changed-index.js: Added.
3894         (shouldBe):
3895         (test):
3896         * stress/object-keys-changed.js: Added.
3897         (shouldBe):
3898         (test):
3899         * stress/object-keys-indexed-non-cache.js: Added.
3900         (shouldBe):
3901         (test):
3902         * stress/object-keys-overrides-get-property-names.js: Added.
3903         (shouldBe):
3904         (test):
3905         (noInline):
3906
3907 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3908
3909         [DFG][FTL] Add NewSymbol
3910         https://bugs.webkit.org/show_bug.cgi?id=192620
3911
3912         Reviewed by Saam Barati.
3913
3914         * microbenchmarks/symbol-creation.js: Added.
3915         (test):
3916         * stress/symbol-description-identity.js: Added.
3917         (shouldBe):
3918         (test):
3919         * stress/symbol-identity.js: Added.
3920         (shouldBe):
3921         (test):
3922         * stress/symbol-with-description-throw-error.js: Added.
3923         (shouldBe):
3924         (shouldThrow):
3925         (test):
3926         (object.toString):
3927
3928 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3929
3930         [BigInt] Implement DFG/FTL typeof for BigInt
3931         https://bugs.webkit.org/show_bug.cgi?id=192619
3932
3933         Reviewed by Keith Miller.
3934
3935         * stress/big-int-boolean-proven-type.js: Added.
3936         (assert):
3937         (bool):
3938         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
3939         (assert):
3940         (typeOf):
3941         (i.switch):
3942         * stress/big-int-type-of-proven-type-non-constant.js: Added.
3943         (assert):
3944         (typeOf):
3945         * stress/big-int-type-of.js:
3946         (typeOf):
3947         (func):
3948
3949 2018-12-10  Mark Lam  <mark.lam@apple.com>
3950
3951         PropertyAttribute needs a CustomValue bit.
3952         https://bugs.webkit.org/show_bug.cgi?id=191993
3953         <rdar://problem/46264467>
3954
3955         Reviewed by Saam Barati.
3956
3957         * stress/regress-191993.js: Added.
3958
3959 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
3960
3961         [BigInt] Add ValueMul into DFG
3962         https://bugs.webkit.org/show_bug.cgi?id=186175
3963
3964         Reviewed by Yusuke Suzuki.
3965
3966         * stress/big-int-mul-jit-osr.js: Added.
3967         * stress/big-int-mul-jit-untyped.js: Added.
3968         * stress/value-mul-fixup-int32-big-int.js: Added.
3969
3970 2018-12-06  Keith Miller  <keith_miller@apple.com>
3971
3972         stress/big-wasm-memory tests failing on 32-bit JSC bot
3973         https://bugs.webkit.org/show_bug.cgi?id=192020
3974
3975         Reviewed by Saam Barati.
3976
3977         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
3978         the wasm stress tests if the WebAssembly object does not exist.
3979
3980         * stress/big-wasm-memory-grow-no-max.js:
3981         (test.foo):
3982         (test):
3983         (foo): Deleted.
3984         (catch): Deleted.
3985         * stress/big-wasm-memory-grow.js:
3986         (test.foo):
3987         (test):
3988         (foo): Deleted.
3989         (catch): Deleted.
3990         * stress/big-wasm-memory.js:
3991         (test.foo):
3992         (test):
3993         (foo): Deleted.
3994         (catch): Deleted.
3995
3996 2018-12-05  Mark Lam  <mark.lam@apple.com>
3997
3998         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
3999         https://bugs.webkit.org/show_bug.cgi?id=192441
4000         <rdar://problem/46480355>
4001
4002         Reviewed by Saam Barati.
4003
4004         * stress/regress-192441.js: Added.
4005
4006 2018-12-04  Mark Lam  <mark.lam@apple.com>
4007
4008         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
4009         https://bugs.webkit.org/show_bug.cgi?id=192386
4010         <rdar://problem/46445516>
4011
4012         Reviewed by Saam Barati.
4013
4014         * stress/regress-192386.js: Added.
4015
4016 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
4017
4018         [ESNext][BigInt] Support logic operations
4019         https://bugs.webkit.org/show_bug.cgi?id=179903
4020
4021         Reviewed by Yusuke Suzuki.
4022
4023         * stress/big-int-branch-usage.js: Added.
4024         * stress/big-int-logical-and.js: Added.
4025         * stress/big-int-logical-not.js: Added.
4026         * stress/big-int-logical-or.js: Added.
4027
4028 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
4029
4030         Unreviewed, rolling out r238833.
4031
4032         Breaks macOS and iOS debug builds.
4033
4034         Reverted changeset:
4035
4036         "[ESNext][BigInt] Support logic operations"
4037         https://bugs.webkit.org/show_bug.cgi?id=179903
4038         https://trac.webkit.org/changeset/238833
4039
4040 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
4041
4042         [ESNext][BigInt] Support logic operations
4043         https://bugs.webkit.org/show_bug.cgi?id=179903
4044
4045         Reviewed by Yusuke Suzuki.
4046
4047         * stress/big-int-branch-usage.js: Added.
4048         * stress/big-int-logical-and.js: Added.
4049         * stress/big-int-logical-not.js: Added.
4050         * stress/big-int-logical-or.js: Added.
4051
4052 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
4053
4054         [ESNext][BigInt] Implement support for "<<" and ">>"
4055         https://bugs.webkit.org/show_bug.cgi?id=186233
4056
4057         Reviewed by Yusuke Suzuki.
4058
4059         * stress/big-int-left-shift-general.js: Added.
4060         * stress/big-int-left-shift-range-error.js: Added.
4061         * stress/big-int-left-shift-type-error.js: Added.
4062         * stress/big-int-left-shift-wrapped-value.js: Added.
4063         * stress/big-int-right-shift-general.js: Added.
4064         * stress/big-int-right-shift-type-error.js: Added.
4065         * stress/big-int-right-shift-wrapped-value.js: Added.
4066         * stress/left-shift-to-primitive-precedence.js: Added.
4067         * stress/right-shift-to-primitive-precedence.js: Added.
4068
4069 2018-11-30  Dean Jackson  <dino@apple.com>
4070
4071         Add first-class support for .mjs files in jsc binary
4072         https://bugs.webkit.org/show_bug.cgi?id=192190
4073         <rdar://problem/46375715>
4074
4075         Reviewed by Keith Miller.
4076
4077         * stress/simple-module.mjs: Added.
4078         * stress/simple-script.js: Added.
4079
4080 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
4081
4082         [BigInt] Implement ValueBitXor into DFG
4083         https://bugs.webkit.org/show_bug.cgi?id=190264
4084
4085         Reviewed by Yusuke Suzuki.
4086
4087         * stress/big-int-bitwise-xor-jit.js: Added.
4088         * stress/big-int-bitwise-xor-memory-stress.js: Added.
4089         * stress/big-int-bitwise-xor-untyped.js: Added.
4090
4091 2018-11-27  Saam barati  <sbarati@apple.com>
4092
4093         r238510 broke scopes of size zero
4094         https://bugs.webkit.org/show_bug.cgi?id=192033
4095         <rdar://problem/46281734>
4096
4097         Reviewed by Keith Miller.
4098
4099         * stress/r238510-bad-loop.js: Added.
4100         (foo):
4101
4102 2018-11-27  Mark Lam  <mark.lam@apple.com>
4103
4104         [Re-landing] NaNs read from Wasm code needs to be be purified.
4105         https://bugs.webkit.org/show_bug.cgi?id=191056
4106         <rdar://problem/45660341>
4107
4108         Reviewed by Filip Pizlo.
4109
4110         * wasm/regress/regress-191056.js: Added.
4111
4112 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
4113
4114         Unreviewed, rolling out r238509.
4115
4116         Causes JSC tests to fail on iOS.
4117
4118         Reverted changeset:
4119
4120         "NaNs read from Wasm code needs to be be purified."
4121         https://bugs.webkit.org/show_bug.cgi?id=191056
4122         https://trac.webkit.org/changeset/238509
4123
4124 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
4125
4126         Re-introduce op_bitnot
4127         https://bugs.webkit.org/show_bug.cgi?id=190923
4128
4129         Reviewed by Yusuke Suzuki.
4130
4131         * stress/bit-not-must-generate.js: Added.
4132         * stress/bitwise-not-no-int32.js: Added.
4133
4134 2018-11-26  Saam barati  <sbarati@apple.com>
4135
4136         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
4137         https://bugs.webkit.org/show_bug.cgi?id=191956
4138         <rdar://problem/45665806>
4139
4140         Reviewed by Yusuke Suzuki.
4141
4142         * stress/end-basic-block-set-local-should-filter-type.js: Added.
4143         (bar):
4144         (foo):
4145
4146 2018-11-26  Saam barati  <sbarati@apple.com>
4147
4148         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
4149         https://bugs.webkit.org/show_bug.cgi?id=191958
4150         <rdar://problem/46221877>
4151
4152         Reviewed by Yusuke Suzuki.
4153
4154         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
4155         (x):
4156         (foo):
4157
4158 2018-11-26  Mark Lam  <mark.lam@apple.com>
4159
4160         NaNs read from Wasm code needs to be be purified.
4161         https://bugs.webkit.org/show_bug.cgi?id=191056
4162         <rdar://problem/45660341>
4163
4164         Reviewed by Filip Pizlo.
4165
4166         * wasm/regress/regress-191056.js: Added.
4167
4168 2018-11-26  Michael Saboff  <msaboff@apple.com>
4169
4170         32-bit JSC test failure: stress/regexp-compile-oom.js
4171         https://bugs.webkit.org/show_bug.cgi?id=191375
4172
4173         Reviewed by Mark Lam.
4174
4175         Disabled the test for 32 bit platforms.
4176
4177         * stress/regexp-compile-oom.js:
4178
4179 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
4180
4181         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
4182         https://bugs.webkit.org/show_bug.cgi?id=191716
4183         <rdar://problem/45723878>
4184
4185         Reviewed by Saam Barati.
4186
4187         * stress/regress-187373.js: Added.
4188         (async.fn):
4189
4190 2018-11-21  Saam barati  <sbarati@apple.com>
4191
4192         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
4193         https://bugs.webkit.org/show_bug.cgi?id=191897
4194         <rdar://problem/45871998>
4195
4196         Reviewed by Mark Lam.
4197
4198         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
4199         (bar):
4200         (foo):
4201
4202 2018-11-21  Saam barati  <sbarati@apple.com>
4203
4204         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
4205         https://bugs.webkit.org/show_bug.cgi?id=191895
4206         <rdar://problem/46167406>
4207
4208         Reviewed by Mark Lam.
4209
4210         * stress/known-cell-use-needs-type-check-assertion.js: Added.
4211         (foo):
4212         (bar):
4213
4214 2018-11-21  Mark Lam  <mark.lam@apple.com>
4215
4216         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
4217         https://bugs.webkit.org/show_bug.cgi?id=191776
4218         <rdar://problem/46152851>
4219
4220         Reviewed by Saam Barati.
4221
4222         * stress/big-wasm-memory-grow-no-max.js:
4223         * stress/big-wasm-memory-grow.js:
4224         * stress/big-wasm-memory.js:
4225         - updated these to expect an OutOfMemoryError.
4226
4227         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
4228         (Binary.prototype.emit_u8):
4229         (Binary.prototype.emit_u32v):
4230         (Binary.prototype.emit_header):
4231         (Binary.prototype.emit_section):
4232         (Binary):
4233         (WasmModuleBuilder):
4234         (WasmModuleBuilder.prototype.addMemory):
4235         (WasmModuleBuilder.prototype.toArray):
4236         (WasmModuleBuilder.prototype.toBuffer):
4237         (WasmModuleBuilder.prototype.instantiate):
4238         (catch):
4239         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
4240         (catch):
4241
4242 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
4243
4244         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
4245         https://bugs.webkit.org/show_bug.cgi?id=190836
4246
4247         Reviewed by Saam Barati and Yusuke Suzuki.
4248
4249         * stress/big-int-out-of-memory-tests.js: Added.
4250
4251 2018-11-20  Mark Lam  <mark.lam@apple.com>
4252
4253         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
4254         https://bugs.webkit.org/show_bug.cgi?id=191856
4255         <rdar://problem/46089992>
4256
4257         Reviewed by Yusuke Suzuki.
4258
4259         * stress/regress-191856.js: Added.
4260         - this test is skipped for now until we have a fix for webkit.org/b/191855.
4261
4262 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
4263
4264         Enable JIT on ARM/Linux
4265         https://bugs.webkit.org/show_bug.cgi?id=191548
4266
4267         Reviewed by Yusuke Suzuki.
4268
4269         Disable test on system with limited memory. Program was killed by
4270         the OS before the exception was thrown.
4271
4272         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
4273
4274 2018-11-20  Saam barati  <sbarati@apple.com>
4275
4276         Merging an IC variant may lead to the IC status containing overlapping structure sets
4277         https://bugs.webkit.org/show_bug.cgi?id=191869
4278         <rdar://problem/45403453>
4279
4280         Reviewed by Mark Lam.
4281
4282         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
4283
4284 2018-11-19  Mark Lam  <mark.lam@apple.com>
4285
4286         globalFuncImportModule() should return a promise when it clears exceptions.
4287         https://bugs.webkit.org/show_bug.cgi?id=191792
4288         <rdar://problem/46090763>
4289
4290         Reviewed by Michael Saboff.
4291
4292         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
4293
4294 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
4295
4296         Skip new memory-hungry tests on memory limited devices
4297
4298         Unreviewed gardening.
4299
4300         * stress/big-wasm-memory-grow-no-max.js:
4301         * stress/big-wasm-memory-grow.js:
4302         * stress/big-wasm-memory.js:
4303
4304 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4305
4306         Unreviewed, rolling in the rest of r237254
4307         https://bugs.webkit.org/show_bug.cgi?id=190340
4308
4309         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
4310         * stress/function-cache-with-parameters-end-position.js: Added.
4311         (shouldBe):
4312         (shouldThrow):
4313         (i.anonymous):
4314         * stress/function-constructor-name.js: Added.
4315         (shouldBe):
4316         (GeneratorFunction):
4317         (AsyncFunction.async):
4318         (AsyncGeneratorFunction.async):
4319         (anonymous):
4320         (async.anonymous):
4321         * test262/expectations.yaml:
4322
4323 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
4324
4325         All users of ArrayBuffer should agree on the same max size
4326         https://bugs.webkit.org/show_bug.cgi?id=191771
4327
4328         Reviewed by Mark Lam.
4329
4330         * stress/big-wasm-memory-grow-no-max.js: Added.
4331         (foo):
4332         (catch):
4333         * stress/big-wasm-memory-grow.js: Added.
4334         (foo):
4335         (catch):
4336         * stress/big-wasm-memory.js: Added.
4337         (foo):
4338         (catch):
4339
4340 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
4341
4342         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
4343         run for each JSC config since they're regression tests for runtime bugs.
4344
4345         * stress/json-stringified-overflow-2.js:
4346         * stress/json-stringified-overflow.js:
4347
4348 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
4349
4350         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
4351         config since they're regression tests for runtime bugs.
4352
4353         * stress/large-unshift-splice.js:
4354         * stress/regress-185888.js:
4355
4356 2018-11-16  Saam Barati  <sbarati@apple.com>
4357
4358         KnownCellUse should also have SpecCellCheck as its type filter
4359         https://bugs.webkit.org/show_bug.cgi?id=191729
4360         <rdar://problem/45872852>
4361
4362         Reviewed by Filip Pizlo.
4363
4364         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
4365         (C):
4366
4367 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
4368
4369         Fix assertion failure on BytecodeGenerator::recordOpcode
4370         https://bugs.webkit.org/show_bug.cgi?id=191724
4371         <rdar://problem/45724395>
4372
4373         Reviewed by Saam Barati.
4374
4375         * stress/regress-187373-2.js: Added.
4376         (foo):
4377
4378 2018-11-15  Mark Lam  <mark.lam@apple.com>
4379
4380         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
4381         https://bugs.webkit.org/show_bug.cgi?id=191730
4382         <rdar://problem/46048517>
4383
4384         Reviewed by Saam Barati.
4385
4386         * stress/regress-187006.js: Removed.
4387           - this test is invalid because its sole purpose is to test for the non-spec
4388             compliant behavior that we just fixed.
4389
4390         * stress/regress-191730.js: Added.
4391
4392 2018-11-15  Mark Lam  <mark.lam@apple.com>
4393
4394         RegExp operations should not take fast patch if lastIndex is not numeric.
4395         https://bugs.webkit.org/show_bug.cgi?id=191731
4396         <rdar://problem/46017305>
4397
4398         Reviewed by Saam Barati.
4399
4400         * stress/regress-191731.js: Added.
4401
4402 2018-11-13  Saam Barati  <sbarati@apple.com>
4403
4404         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
4405         https://bugs.webkit.org/show_bug.cgi?id=191600
4406
4407         Reviewed by Mark Lam.
4408
4409         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
4410         (foo):
4411         (test):
4412         (bar):
4413
4414 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
4415
4416         Unreviewed, rolling out r238132.
4417
4418         The test added with this change is timing out on Debug JSC
4419         bots.
4420
4421         Reverted changeset:
4422
4423         "[BigInt] JSBigInt::createWithLength should throw when length
4424         is greater than JSBigInt::maxLength"
4425         https://bugs.webkit.org/show_bug.cgi?id=190836
4426         https://trac.webkit.org/changeset/238132
4427
4428 2018-11-13  Mark Lam  <mark.lam@apple.com>
4429
4430         Add OOM detection to StringPrototype's substituteBackreferences().
4431         https://bugs.webkit.org/show_bug.cgi?id=191563
4432         <rdar://problem/45720428>
4433
4434         Reviewed by Saam Barati.
4435
4436         * stress/regress-191563.js: Added.
4437
4438 2018-11-13  Mark Lam  <mark.lam@apple.com>
4439
4440         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
4441         https://bugs.webkit.org/show_bug.cgi?id=191579
4442         <rdar://problem/45942472>
4443
4444         Reviewed by Saam Barati.
4445
4446         * stress/regress-191579.js: Added.
4447
4448 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
4449
4450         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
4451         https://bugs.webkit.org/show_bug.cgi?id=190836
4452
4453         Reviewed by Saam Barati.
4454
4455         * stress/big-int-out-of-memory-tests.js: Added.
4456
4457 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
4458
4459         U+180E is no longer a whitespace character
4460         https://bugs.webkit.org/show_bug.cgi?id=191415
4461
4462         Reviewed by Saam Barati.
4463
4464         * ChakraCore/test/es5/regexSpace.baseline:
4465         * ChakraCore/test/es6/unicode_whitespace.js:
4466         Update tests to latest version.
4467         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
4468
4469         * test262.yaml:
4470         * test262/config.yaml:
4471         * test262/expectations.yaml:
4472         Update expectations.
4473
4474 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
4475
4476         [BigInt] Add support to BigInt into ValueAdd
4477         https://bugs.webkit.org/show_bug.cgi?id=186177
4478
4479         Reviewed by Keith Miller.
4480
4481         * stress/big-int-negate-jit.js:
4482         * stress/value-add-big-int-and-string.js: Added.
4483         * stress/value-add-big-int-prediction-propagation.js: Added.
4484         * stress/value-add-big-int-untyped.js: Added.
4485
4486 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
4487
4488         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
4489         https://bugs.webkit.org/show_bug.cgi?id=191184
4490
4491         Reviewed by Saam Barati.
4492
4493         Most tests were failing due to timeouts, since they are too slow to
4494         run on CLoop. The exceptions are:
4495
4496         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
4497         dont-crash-on-stack-overflow-when-parsing-builtin.js and
4498         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
4499         to change the stack size since CLoop requires it to be page aligned.
4500
4501         * microbenchmarks/array-push-1.js:
4502         * microbenchmarks/array-push-2.js:
4503         * microbenchmarks/elidable-new-object-dag.js:
4504         * microbenchmarks/elidable-new-object-roflcopter.js:
4505         * microbenchmarks/elidable-new-object-tree.js:
4506         * microbenchmarks/getter-richards.js: