[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-08  Saam Barati  <sbarati@apple.com>
2
3         WebAssembly.RuntimeError missing exception check
4         https://bugs.webkit.org/show_bug.cgi?id=196700
5         <rdar://problem/49693932>
6
7         Reviewed by Yusuke Suzuki.
8
9         * wasm/js-api/runtime-error-should-exception-check.js: Added.
10
11 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         Unreviewed, rolling in r243948 with test fix
14         https://bugs.webkit.org/show_bug.cgi?id=196486
15
16         * stress/arrow-function-and-use-strict-directive.js: Added.
17         * stress/arrow-function-syntax.js: Added.
18         (checkSyntax):
19         (checkSyntaxError):
20
21 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
22
23         Unreviewed, rolling out r243948.
24
25         Caused inspector/runtime/parse.html to fail
26
27         Reverted changeset:
28
29         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
30         https://bugs.webkit.org/show_bug.cgi?id=196486
31         https://trac.webkit.org/changeset/243948
32
33 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
34
35         Unreviewed, rolling out r243943.
36
37         Caused test262 failures.
38
39         Reverted changeset:
40
41         "[JSC] Filter DontEnum properties in
42         ProxyObject::getOwnPropertyNames()"
43         https://bugs.webkit.org/show_bug.cgi?id=176810
44         https://trac.webkit.org/changeset/243943
45
46 2019-04-07  Michael Saboff  <msaboff@apple.com>
47
48         REGRESSION (r243642): Crash in reddit.com page
49         https://bugs.webkit.org/show_bug.cgi?id=196684
50
51         Reviewed by Geoffrey Garen.
52
53         New regression test.
54
55         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
56
57 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
58
59         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
60         https://bugs.webkit.org/show_bug.cgi?id=196683
61
62         Reviewed by Saam Barati.
63
64         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
65         (foo):
66
67 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
68
69         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
70         https://bugs.webkit.org/show_bug.cgi?id=196582
71
72         Reviewed by Saam Barati.
73
74         * stress/add-overflow-check-with-three-same-registers.js: Added.
75         (foo):
76         (Number.prototype.valueOf):
77         (runWithNumber):
78
79 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
80
81         Unreviewed, rolling out r243665.
82
83         Caused iOS JSC tests to exit with an exception.
84
85         Reverted changeset:
86
87         "Assertion failed in JSC::createError"
88         https://bugs.webkit.org/show_bug.cgi?id=196305
89         https://trac.webkit.org/changeset/243665
90
91 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
92
93         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
94         https://bugs.webkit.org/show_bug.cgi?id=196486
95
96         Reviewed by Saam Barati.
97
98         * stress/arrow-function-and-use-strict-directive.js: Added.
99         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
100         (checkSyntax):
101         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
102
103 2019-04-05  Caitlin Potter  <caitp@igalia.com>
104
105         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
106         https://bugs.webkit.org/show_bug.cgi?id=176810
107
108         Reviewed by Saam Barati.
109
110         Add tests for the DontEnum filtering, and variations of other tests
111         take the DontEnum-filtering path.
112
113         * stress/proxy-own-keys.js:
114         (i.catch):
115         (set assert):
116         (set add):
117         (let.set new):
118         (get let):
119
120 2019-04-05  Caitlin Potter  <caitp@igalia.com>
121
122         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
123         https://bugs.webkit.org/show_bug.cgi?id=185211
124
125         Reviewed by Saam Barati.
126
127         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
128
129         This changes several assertions to expect a TypeError to be thrown (in some cases,
130         changing the expected message).
131
132         * es6/Proxy_ownKeys_duplicates.js:
133         (handler):
134         (shouldThrow):
135         (test):
136         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
137         (shouldThrow):
138         * stress/proxy-own-keys.js:
139         (i.catch):
140         (assert):
141
142 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
143
144         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
145         https://bugs.webkit.org/show_bug.cgi?id=196631
146
147         Reviewed by Saam Barati.
148
149         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
150         (assert):
151         (test):
152         (foo):
153
154 2019-04-04  Saam Barati  <sbarati@apple.com>
155
156         Unreviewed. Make the test from r243906 catch the thrown exceptions.
157
158         * stress/inferred-types-regex-matches-array.js:
159
160 2019-04-04  Saam Barati  <sbarati@apple.com>
161
162         createRegExpMatchesArray does not respect inferred types
163         https://bugs.webkit.org/show_bug.cgi?id=193287
164
165         Reviewed by Yusuke Suzuki.
166
167         This checks in the test case for 193287. This issue was discovered by
168         Samuel Groß of Google Project Zero.
169
170         * stress/inferred-types-regex-matches-array.js: Added.
171
172 2019-04-04  Saam barati  <sbarati@apple.com>
173
174         Teach Call ICs how to call Wasm
175         https://bugs.webkit.org/show_bug.cgi?id=196387
176
177         Reviewed by Filip Pizlo.
178
179         * wasm/function-tests/stack-trace.js:
180
181 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
182
183         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
184         https://bugs.webkit.org/show_bug.cgi?id=194944
185
186         Reviewed by Keith Miller.
187
188         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
189
190 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
191
192         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
193         https://bugs.webkit.org/show_bug.cgi?id=196409
194
195         Reviewed by Saam Barati.
196
197         * stress/bytecode-cache-cached-string-impl.js: Added.
198         (f):
199         (g):
200         * stress/bytecode-cache-run-string.js: Added.
201
202 2019-04-03  Robin Morisset  <rmorisset@apple.com>
203
204         B3 should use associativity to optimize expression trees
205         https://bugs.webkit.org/show_bug.cgi?id=194081
206
207         Reviewed by Filip Pizlo.
208
209         Added three microbenchmarks:
210         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
211         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
212           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
213         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
214
215         * microbenchmarks/add-tree.js: Added.
216         * microbenchmarks/bit-or-tree.js: Added.
217         * microbenchmarks/bit-xor-tree.js: Added.
218
219 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
220
221         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
222         https://bugs.webkit.org/show_bug.cgi?id=196574
223
224         Reviewed by Saam Barati.
225
226         * stress/string-index-of-exception-check.js: Added.
227         (blurType):
228         (1.forEach):
229
230 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
231
232         Assertion failed in JSC::createError
233         https://bugs.webkit.org/show_bug.cgi?id=196305
234         <rdar://problem/49387382>
235
236         Reviewed by Saam Barati.
237
238         * stress/create-error-out-of-memory-rope-string-2.js: Added.
239         (assert):
240         (catch):
241
242 2019-03-28  Saam Barati  <sbarati@apple.com>
243
244         BackwardsGraph needs to consider back edges as the backward's root successor
245         https://bugs.webkit.org/show_bug.cgi?id=195991
246
247         Reviewed by Filip Pizlo.
248
249         * stress/map-b3-licm-infinite-loop.js: Added.
250
251 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
252
253         CodeBlock::jettison() should disallow repatching its own calls
254         https://bugs.webkit.org/show_bug.cgi?id=196359
255         <rdar://problem/48973663>
256
257         Reviewed by Saam Barati.
258
259         * stress/call-link-info-osrexit-repatch.js: Added.
260         (foo):
261
262 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
263
264         [JSC] imports-oom.js intermittently fails
265         https://bugs.webkit.org/show_bug.cgi?id=196373
266
267         Reviewed by Saam Barati.
268
269         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
270         with an extremely low amount of executable memory. And this test expects that we successfully compile, instantiate, and execute a wasm module at least once to test that
271         the wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation has changed,
272         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
273         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
274
275         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
276         an expected OOM error. But this avoids the situation where we get an OOM error when we compile the first wasm module.
277
278         * wasm/lowExecutableMemory/imports-oom.js:
279
280 2019-03-27  Saam Barati  <sbarati@apple.com>
281
282         validateOSREntryValue with Int52 should box the value being checked into double format
283         https://bugs.webkit.org/show_bug.cgi?id=196313
284         <rdar://problem/49306703>
285
286         Reviewed by Yusuke Suzuki.
287
288         * stress/validate-int-52-ai-state.js: Added.
289
290 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
291
292         [JSC] Owner of watchpoints should validate at GC finalizing phase
293         https://bugs.webkit.org/show_bug.cgi?id=195827
294
295         Reviewed by Filip Pizlo.
296
297         * stress/gc-should-reap-dead-watchpoints.js: Added.
298         (foo):
299         (A.prototype.y):
300         (A):
301
302 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
303
304         Skip WebAssembly test on 32-bit systems
305         https://bugs.webkit.org/show_bug.cgi?id=196206
306
307         Reviewed by Saam Barati.
308
309         Invoking runDefault executes test immediately even though
310         that test should be skipped due to missing WASM support.
311         Therefore remove runDefault.
312
313         * wasm/regress/web-assembly-link-error-exception-check.js:
314
315 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
316
317         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
318         https://bugs.webkit.org/show_bug.cgi?id=196217
319
320         Reviewed by Saam Barati.
321
322         Re-enable all NaN tests for f32.min, f64.min and f64.max.
323
324         * wasm/spec-tests/f32.wast.js:
325         * wasm/spec-tests/f64.wast.js:
326         * wasm/wasm.json:
327
328 2019-03-25  Keith Miller  <keith_miller@apple.com>
329
330         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
331         https://bugs.webkit.org/show_bug.cgi?id=196176
332
333         Reviewed by Saam Barati.
334
335         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
336         (main.v10):
337         (main):
338
339 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
340
341         WebAssembly: f32.max with NaN generates incorrect result
342         https://bugs.webkit.org/show_bug.cgi?id=175691
343         <rdar://problem/33952228>
344
345         Reviewed by Saam Barati.
346
347         Enable all f32.max NaN tests
348
349         * wasm/spec-tests/f32.wast.js:
350         * wasm/wasm.json:
351
352 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
353
354         [JSC] Move test into directory for WASM tests
355         https://bugs.webkit.org/show_bug.cgi?id=196187
356
357         Reviewed by Mark Lam.
358
359         Move Test into wasm-directory. Otherwise this test
360         is also executed on systems without WASM support.
361
362         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
363
364 2019-03-23  Mark Lam  <mark.lam@apple.com>
365
366         Rolling out r243032 and r243071 because the fix is incorrect.
367         https://bugs.webkit.org/show_bug.cgi?id=195892
368         <rdar://problem/48981239>
369
370         Not reviewed.
371
372         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
373
374 2019-03-22  Mark Lam  <mark.lam@apple.com>
375
376         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
377         https://bugs.webkit.org/show_bug.cgi?id=196154
378         <rdar://problem/49145307>
379
380         Reviewed by Filip Pizlo.
381
382         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
383         There's no need to run this test on more than 1 test configuration.
384
385         * stress/typed-array-lastIndexOf-exception-check.js: Added.
386         * stress/web-assembly-link-error-exception-check.js:
387
388 2019-03-22  Mark Lam  <mark.lam@apple.com>
389
390         Placate exception check validation in constructJSWebAssemblyLinkError().
391         https://bugs.webkit.org/show_bug.cgi?id=196152
392         <rdar://problem/49145257>
393
394         Reviewed by Michael Saboff.
395
396         * stress/web-assembly-link-error-exception-check.js: Added.
397
398 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
399
400         Skip tests running out of memory on ARM/MIPS
401         https://bugs.webkit.org/show_bug.cgi?id=196131
402
403         Unreviewed. Skip test if memory is limited.
404
405         * microbenchmarks/put-by-val-direct-large-index.js:
406
407 2019-03-21  Mark Lam  <mark.lam@apple.com>
408
409         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
410         https://bugs.webkit.org/show_bug.cgi?id=196116
411         <rdar://problem/48976951>
412
413         Reviewed by Filip Pizlo.
414
415         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
416
417 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
418
419         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
420         https://bugs.webkit.org/show_bug.cgi?id=196078
421         <rdar://problem/35925380>
422
423         Reviewed by Mark Lam.
424
425         Add a new benchmark that allocates several objects and invokes put_by_val_direct
426         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
427
428         * microbenchmarks/put-by-val-direct-large-index.js: Added.
429
430 2019-03-21  Mark Lam  <mark.lam@apple.com>
431
432         Placate exception check validation in operationArrayIndexOfString().
433         https://bugs.webkit.org/show_bug.cgi?id=196067
434         <rdar://problem/49056572>
435
436         Reviewed by Michael Saboff.
437
438         * stress/string-equal-exception-check.js: Added.
439
440 2019-03-21  Mark Lam  <mark.lam@apple.com>
441
442         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
443         https://bugs.webkit.org/show_bug.cgi?id=196055
444         <rdar://problem/49067448>
445
446         Reviewed by Yusuke Suzuki.
447
448         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
449
450 2019-03-20  Saam Barati  <sbarati@apple.com>
451
452         typeOfDoubleSum is wrong for when NaN can be produced
453         https://bugs.webkit.org/show_bug.cgi?id=196030
454
455         Reviewed by Filip Pizlo.
456
457         * stress/double-add-sub-mul-can-produce-nan.js: Added.
458         (assert):
459         (noInline.sub):
460         (noInline):
461         (assert.mul):
462         (assert.add):
463
464 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
465
466         Update the test to ensure OutOfMemoryError is thrown as intended
467         https://bugs.webkit.org/show_bug.cgi?id=196032
468         <rdar://problem/46842740>
469
470         Rubber stamped by Saam Barati.
471
472         * stress/create-error-out-of-memory-rope-string.js:
473         (assert):
474         (catch):
475
476 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
477
478         JSC::createError needs to check for OOM in errorDescriptionForValue
479         https://bugs.webkit.org/show_bug.cgi?id=196032
480         <rdar://problem/46842740>
481
482         Reviewed by Mark Lam.
483
484         * stress/create-error-out-of-memory-rope-string.js: Added.
485
486 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
487
488         Unreviewed, reduce # of iterations to avoid timing out after r242991
489         https://bugs.webkit.org/show_bug.cgi?id=195791
490
491         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
492
493         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
494
495 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
496
497         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
498         https://bugs.webkit.org/show_bug.cgi?id=195950
499
500         Unreviewed, reducing the amount of memory used on this test to avoid
501         OOM on devices with memory restrictions.
502
503         * microbenchmarks/generate-multiple-llint-entrypoints.js:
504
505 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
506
507         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
508         https://bugs.webkit.org/show_bug.cgi?id=194648
509
510         Reviewed by Keith Miller.
511
512         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
513
514 2019-03-18  Mark Lam  <mark.lam@apple.com>
515
516         Missing a ThrowScope release in JSObject::toString().
517         https://bugs.webkit.org/show_bug.cgi?id=195893
518         <rdar://problem/48970986>
519
520         Reviewed by Michael Saboff.
521
522         * stress/to-string-exception-check-release.js: Added.
523
524 2019-03-18  Mark Lam  <mark.lam@apple.com>
525
526         Structure::flattenDictionary() should clear unused property slots.
527         https://bugs.webkit.org/show_bug.cgi?id=195871
528         <rdar://problem/48959497>
529
530         Reviewed by Michael Saboff.
531
532         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
533
534 2019-03-15  Mark Lam  <mark.lam@apple.com>
535
536         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
537         https://bugs.webkit.org/show_bug.cgi?id=195827
538         <rdar://problem/48845513>
539
540         Reviewed by Filip Pizlo.
541
542         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
543
544 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
545
546         [ARM,MIPS] Skip slow tests
547         https://bugs.webkit.org/show_bug.cgi?id=195799
548
549         Unreviewed, test does not finish on ARM and MIPS within the
550         timeout limit.
551
552         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
553
554 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
555
556         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
557         https://bugs.webkit.org/show_bug.cgi?id=195791
558         <rdar://problem/48806130>
559
560         Reviewed by Mark Lam.
561
562         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
563         (foo):
564
565 2019-03-14  Saam barati  <sbarati@apple.com>
566
567         We can't remove code after ForceOSRExit until after FixupPhase
568         https://bugs.webkit.org/show_bug.cgi?id=186916
569         <rdar://problem/41396612>
570
571         Reviewed by Yusuke Suzuki.
572
573         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
574         (foo):
575         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
576         (foo):
577
578 2019-03-13  Michael Saboff  <msaboff@apple.com>
579
580         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
581         https://bugs.webkit.org/show_bug.cgi?id=195735
582
583         Reviewed by Mark Lam.
584
585         New regression test.
586
587         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
588         (foo):
589         (bar):
590
591 2019-03-14  Saam barati  <sbarati@apple.com>
592
593         Fixup uses KnownInt32 incorrectly in some nodes
594         https://bugs.webkit.org/show_bug.cgi?id=195279
595         <rdar://problem/47915654>
596
597         Reviewed by Yusuke Suzuki.
598
599         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
600         (foo):
601
602 2019-03-14  Keith Miller  <keith_miller@apple.com>
603
604         DFG liveness can't skip tail caller inline frames
605         https://bugs.webkit.org/show_bug.cgi?id=195715
606
607         Reviewed by Saam Barati.
608
609         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
610         (i.foo):
611
612 2019-03-13  Mark Lam  <mark.lam@apple.com>
613
614         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
615         https://bugs.webkit.org/show_bug.cgi?id=195415
616
617         Not reviewed.
618
619         Changed these tests to only run the default configuration.
620         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
621         There's no strong need to run this test on that variant.
622
623         * stress/dfg-to-string-on-int-does-gc.js:
624         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
625
626 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
627
628         String overflow when using StringBuilder in JSC::createError
629         https://bugs.webkit.org/show_bug.cgi?id=194957
630
631         Reviewed by Mark Lam.
632
633         Add test string-overflow-createError-builder.js that overflows
634         StringBuilder in notAFunctionSourceAppender. The second new test
635         string-overflow-createError-fit.js has an error message that doesn't
636         overflow, it still failed since the String's capacity can't be doubled.
637         Run test string-overflow-createError.js only in the default
638         configuration to reduce memory consumption when running the test
639         in all configurations on multiple CPUs in parallel.
640
641         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
642         (catch):
643         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
644         (catch):
645         * stress/string-overflow-createError.js:
646
647 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
648
649         [JSC] OSR entry should respect abstract values in addition to flush formats
650         https://bugs.webkit.org/show_bug.cgi?id=195653
651
652         Reviewed by Mark Lam.
653
654         * stress/osr-entry-locals-none.js: Added.
655
656 2019-03-12  Michael Saboff  <msaboff@apple.com>
657
658         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
659         https://bugs.webkit.org/show_bug.cgi?id=195613
660
661         Reviewed by Mark Lam.
662
663         New regression test.
664
665         * stress/regexp-backref-inbounds.js: Added.
666         (testRegExp):
667
668 2019-03-12  Mark Lam  <mark.lam@apple.com>
669
670         The HasIndexedProperty node does GC.
671         https://bugs.webkit.org/show_bug.cgi?id=195559
672         <rdar://problem/48767923>
673
674         Reviewed by Yusuke Suzuki.
675
676         * stress/HasIndexedProperty-does-gc.js: Added.
677
678 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
679
680         [ESNext][BigInt] Implement "~" unary operation
681         https://bugs.webkit.org/show_bug.cgi?id=182216
682
683         Reviewed by Keith Miller.
684
685         * stress/big-int-bit-not-general.js: Added.
686         * stress/big-int-bitwise-not-jit.js: Added.
687         * stress/big-int-bitwise-not-wrapped-value.js: Added.
688         * stress/bit-op-with-object-returning-int32.js:
689         * stress/bitwise-not-fixup-rules.js: Added.
690         * stress/value-bit-not-ai-rule.js: Added.
691
692 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
693
694         Invalid flags in a RegExp literal should be an early SyntaxError
695         https://bugs.webkit.org/show_bug.cgi?id=195514
696
697         Reviewed by Darin Adler.
698
699         * test262/expectations.yaml:
700         Mark 4 test cases as passing.
701
702         * stress/regexp-syntax-error-invalid-flags.js:
703         * stress/regress-161995.js: Removed.
704         Update existing test, merging in an older test for the same behavior.
705
706 2019-03-08  Mark Lam  <mark.lam@apple.com>
707
708         Stack overflow crash in JSC::JSObject::hasInstance.
709         https://bugs.webkit.org/show_bug.cgi?id=195458
710         <rdar://problem/48710195>
711
712         Reviewed by Yusuke Suzuki.
713
714         * stress/stack-overflow-in-custom-hasInstance.js: Added.
715
716 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
717
718         op_check_tdz does not def its argument
719         https://bugs.webkit.org/show_bug.cgi?id=192880
720         <rdar://problem/46221598>
721
722         Reviewed by Saam Barati.
723
724         * microbenchmarks/let-for-in.js: Added.
725         (foo):
726
727 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
728
729         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
730         https://bugs.webkit.org/show_bug.cgi?id=195429
731
732         Reviewed by Saam Barati.
733
734         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
735         (foo):
736         * stress/string-from-char-code-255.js: Added.
737
738 2019-03-06  Mark Lam  <mark.lam@apple.com>
739
740         Fix incorrect handling of try-finally completion values.
741         https://bugs.webkit.org/show_bug.cgi?id=195131
742         <rdar://problem/46222079>
743
744         Reviewed by Saam Barati and Yusuke Suzuki.
745
746         Added many permutations of new test case to test-finally.js.  test-finally.js has
747         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
748         tests pass there as well.
749
750         * stress/test-finally.js:
751
752 2019-03-06  Saam Barati  <sbarati@apple.com>
753
754         Air::reportUsedRegisters must padInterference
755         https://bugs.webkit.org/show_bug.cgi?id=195303
756         <rdar://problem/48270343>
757
758         Reviewed by Keith Miller.
759
760         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
761
762 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
763
764         [JSC] AI should not propagate AbstractValue relying on constant folding phase
765         https://bugs.webkit.org/show_bug.cgi?id=195375
766
767         Reviewed by Saam Barati.
768
769         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
770         (let.array):
771
772 2019-03-05  Saam barati  <sbarati@apple.com>
773
774         op_switch_char broken for rope strings after JSRopeString layout rewrite
775         https://bugs.webkit.org/show_bug.cgi?id=195339
776         <rdar://problem/48592545>
777
778         Reviewed by Yusuke Suzuki.
779
780         * stress/switch-on-char-llint-rope.js: Added.
781
782 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
783
784         [JSC] Store bits for JSRopeString in 3 stores
785         https://bugs.webkit.org/show_bug.cgi?id=195234
786
787         Reviewed by Saam Barati.
788
789         * stress/null-rope-and-collectors.js: Added.
790
791 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
792
793         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
794         https://bugs.webkit.org/show_bug.cgi?id=195207
795
796         Unreviewed. After test runtime was reduced in r242213, test can be
797         run again on ARM/MIPS.
798
799         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
800
801 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
802
803         [JSC] sizeof(JSString) should be 16
804         https://bugs.webkit.org/show_bug.cgi?id=194375
805
806         Reviewed by Saam Barati.
807
808         * microbenchmarks/make-rope.js: Added.
809         (makeRope):
810         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
811         (returnRope.helper): Deleted.
812         (returnRope): Deleted.
813
814 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
815
816         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
817         https://bugs.webkit.org/show_bug.cgi?id=195144
818
819         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
820         Change the number from 1e8 to 1e5.
821
822         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
823         (foo):
824
825 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
826
827         Test times out on ARM/MIPS
828         https://bugs.webkit.org/show_bug.cgi?id=195168
829
830         Unreviewed. Skip test on ARM/MIPS.
831
832         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
833
834 2019-02-27  Mark Lam  <mark.lam@apple.com>
835
836         The parser is failing to record the token location of new in new.target.
837         https://bugs.webkit.org/show_bug.cgi?id=195127
838         <rdar://problem/39645578>
839
840         Reviewed by Yusuke Suzuki.
841
842         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
843
844 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
845
846         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
847         https://bugs.webkit.org/show_bug.cgi?id=195144
848         <rdar://problem/47595961>
849
850         Reviewed by Mark Lam.
851
852         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
853         (bar):
854         (foo):
855         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
856         (bar):
857         (foo):
858
859 2019-02-27  Robin Morisset  <rmorisset@apple.com>
860
861         DFG: Loop-invariant code motion (LICM) should not hoist dead code
862         https://bugs.webkit.org/show_bug.cgi?id=194945
863         <rdar://problem/48311657>
864
865         Reviewed by Mark Lam.
866
867         * stress/licm-dead-code.js: Added.
868
869 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
870
871         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
872         https://bugs.webkit.org/show_bug.cgi?id=194677
873         <rdar://problem/48112492>
874
875         Reviewed by Mark Lam.
876
877         Before r241233, String.fromCharCode (except for an empty string) always returns a 16bit string.
878         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
879         it immediately fails due to the large size.
880
881         After r241233, String.fromCharCode starts returning an 8bit string if possible. So the rope becomes
882         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
883         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
884         an OOM error anyway because JSON.stringify's builder overflows with such a large string input.
885
886         This patch changes the test to produce a 16bit string from String.fromCharCode.
887
888         * stress/regress-178386.js:
889
890 2019-02-26  Mark Lam  <mark.lam@apple.com>
891
892         wasmToJS() should purify incoming NaNs.
893         https://bugs.webkit.org/show_bug.cgi?id=194807
894         <rdar://problem/48189132>
895
896         Reviewed by Saam Barati.
897
898         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
899
900 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
901
902         [JSC] Repeat string created from Array.prototype.join() take too much memory
903         https://bugs.webkit.org/show_bug.cgi?id=193912
904
905         Reviewed by Saam Barati.
906
907         Added a test and a microbenchmark for corner cases of
908         Array.prototype.join() with an uninitialized array.
909
910         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
911         * stress/array-prototype-join-uninitialized.js: Added.
912         (testArray):
913         (testABC):
914         (B):
915         (C):
916
917 2019-02-22  Robin Morisset  <rmorisset@apple.com>
918
919         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
920         https://bugs.webkit.org/show_bug.cgi?id=194953
921         <rdar://problem/47595253>
922
923         Reviewed by Saam Barati.
924
925         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
926
927         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
928
929 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
930
931         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
932         https://bugs.webkit.org/show_bug.cgi?id=172848
933         <rdar://problem/25709212>
934
935         Reviewed by Mark Lam.
936
937         * typeProfiler/inheritance.js:
938         Rewrite the test slightly for clarity. The hoisting was confusing.
939
940         * heapProfiler/class-names.js: Added.
941         (MyES5Class):
942         (MyES6Class):
943         (MyES6Subclass):
944         Test object types and improved class names.
945
946         * heapProfiler/driver/driver.js:
947         (CheapHeapSnapshotNode):
948         (CheapHeapSnapshot):
949         (createCheapHeapSnapshot):
950         (HeapSnapshot):
951         (createHeapSnapshot):
952         Update snapshot parsing from version 1 to version 2.
953
954 2019-02-19  Truitt Savell  <tsavell@apple.com>
955
956         Unreviewed, rolling out r241784.
957
958         Broke all OpenSource builds.
959
960         Reverted changeset:
961
962         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
963         instances view"
964         https://bugs.webkit.org/show_bug.cgi?id=172848
965         https://trac.webkit.org/changeset/241784
966
967 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
968
969         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
970         https://bugs.webkit.org/show_bug.cgi?id=172848
971         <rdar://problem/25709212>
972
973         Reviewed by Mark Lam.
974
975         * typeProfiler/inheritance.js:
976         Rewrite the test slightly for clarity. The hoisting was confusing.
977
978         * heapProfiler/class-names.js: Added.
979         (MyES5Class):
980         (MyES6Class):
981         (MyES6Subclass):
982         Test object types and improved class names.
983
984         * heapProfiler/driver/driver.js:
985         (CheapHeapSnapshotNode):
986         (CheapHeapSnapshot):
987         (createCheapHeapSnapshot):
988         (HeapSnapshot):
989         (createHeapSnapshot):
990         Update snapshot parsing from version 1 to version 2.
991
992 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
993
994         [ARM] Fix crash with sampling profiler
995         https://bugs.webkit.org/show_bug.cgi?id=194772
996
997         Reviewed by Mark Lam.
998
999         Do not skip test since crash with sampling profiler is now fixed.
1000
1001         * stress/sampling-profiler-richards.js:
1002
1003 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1004
1005         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1006         https://bugs.webkit.org/show_bug.cgi?id=194784
1007         <rdar://problem/48154820>
1008
1009         Reviewed by Mark Lam.
1010
1011         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1012         (getProperties):
1013         (getRandomProperty):
1014         (i.catch):
1015
1016 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1017
1018         [ARM] Test gardening: Test running out of executable memory
1019         https://bugs.webkit.org/show_bug.cgi?id=194771
1020
1021         Unreviewed. Do not run test without LLInt, test is running out of executable
1022         memory on ARM otherwise.
1023
1024         * stress/tagged-template-object-collect.js:
1025
1026 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1027
1028         Unreviewed, skip the test on platforms without sampling profiler
1029
1030         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1031         (platformSupportsSamplingProfiler.foo):
1032         (platformSupportsSamplingProfiler.test):
1033         (platformSupportsSamplingProfiler):
1034         (foo): Deleted.
1035         (test): Deleted.
1036
1037 2019-02-17  Saam Barati  <sbarati@apple.com>
1038
1039         Deadlock when adding a Structure property transition and then doing incremental marking
1040         https://bugs.webkit.org/show_bug.cgi?id=194767
1041
1042         Reviewed by Mark Lam.
1043
1044         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1045
1046 2019-02-15  Michael Saboff  <msaboff@apple.com>
1047
1048         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1049         https://bugs.webkit.org/show_bug.cgi?id=194558
1050
1051         Reviewed by Saam Barati.
1052
1053         New regression test.
1054
1055         * stress/regexp-unicode-within-string.js: Added.
1056
1057 2019-02-15  Mark Lam  <mark.lam@apple.com>
1058
1059         SamplingProfiler::stackTracesAsJSON() should escape strings.
1060         https://bugs.webkit.org/show_bug.cgi?id=194649
1061         <rdar://problem/48072386>
1062
1063         Reviewed by Saam Barati.
1064
1065         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1066         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1067         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1068         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1069
1070 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1071         CodeBlock::jettison should clear related watchpoints
1072         https://bugs.webkit.org/show_bug.cgi?id=194544
1073
1074         Reviewed by Mark Lam.
1075
1076         * stress/regexp-replace-double-watchpoint.js: Added.
1077         (foo):
1078
1079 2019-02-15  Saam barati  <sbarati@apple.com>
1080
1081         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1082         https://bugs.webkit.org/show_bug.cgi?id=194036
1083
1084         Reviewed by Yusuke Suzuki.
1085
1086         * stress/tail-call-many-arguments.js: Added.
1087         (foo):
1088         (bar):
1089
1090 2019-02-14  Saam Barati  <sbarati@apple.com>
1091
1092         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1093         https://bugs.webkit.org/show_bug.cgi?id=194583
1094         <rdar://problem/48028140>
1095
1096         Reviewed by Yusuke Suzuki.
1097
1098         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1099
1100 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1101
1102         [JSC] String.fromCharCode's slow path always generates 16bit string
1103         https://bugs.webkit.org/show_bug.cgi?id=194466
1104
1105         Reviewed by Keith Miller.
1106
1107         * stress/string-from-char-code-slow-path.js: Added.
1108         (shouldBe):
1109         (testWithLength):
1110
1111 2019-02-08  Saam barati  <sbarati@apple.com>
1112
1113         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1114         https://bugs.webkit.org/show_bug.cgi?id=194334
1115         <rdar://problem/47844327>
1116
1117         Reviewed by Mark Lam.
1118
1119         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1120         (func):
1121
1122 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1123
1124         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1125         https://bugs.webkit.org/show_bug.cgi?id=194369
1126         <rdar://problem/47813087>
1127
1128         Reviewed by Saam Barati.
1129
1130         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1131         (A):
1132
1133 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1134
1135         [JSC] PrivateName to PublicName hash table is wasteful
1136         https://bugs.webkit.org/show_bug.cgi?id=194277
1137
1138         Reviewed by Michael Saboff.
1139
1140         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1141
1142         * ChakraCore.yaml:
1143
1144 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1145
1146         [ARM] Test running out of executable memory
1147         https://bugs.webkit.org/show_bug.cgi?id=194285
1148
1149         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1150         executable memory otherwise.
1151
1152         * stress/class-subclassing-function.js:
1153
1154 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1155
1156         when lowering AssertNotEmpty, create the value before creating the patchpoint
1157         https://bugs.webkit.org/show_bug.cgi?id=194231
1158
1159         Reviewed by Saam Barati.
1160
1161         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1162         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1163         So even tiny changes to this test can change the path code taken.
1164
1165         * stress/assert-not-empty.js: Added.
1166         (foo):
1167
1168 2019-02-01  Mark Lam  <mark.lam@apple.com>
1169
1170         Remove invalid assertion in DFG's compileDoubleRep().
1171         https://bugs.webkit.org/show_bug.cgi?id=194130
1172         <rdar://problem/47699474>
1173
1174         Reviewed by Saam Barati.
1175
1176         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1177
1178 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1179
1180         Import latest Test262 updates.
1181
1182         Rubber-stamped by Keith Miller.
1183
1184         * test262.yaml: Deleted.
1185         * test262/config.yaml:
1186         * test262/expectations.yaml:
1187         * test262/latest-changes-summary.txt:
1188         * test262/test/:
1189         * test262/test262-Revision.txt:
1190
1191 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1192
1193         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1194         https://bugs.webkit.org/show_bug.cgi?id=194050
1195         <rdar://problem/47595592>
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         * stress/object-keys-osr-exit.js: Added.
1200         (foo):
1201         (catch):
1202
1203 2019-01-29  Mark Lam  <mark.lam@apple.com>
1204
1205         ValueRecovery::recover() should purify NaN values it recovers.
1206         https://bugs.webkit.org/show_bug.cgi?id=193978
1207         <rdar://problem/47625488>
1208
1209         Reviewed by Saam Barati.
1210
1211         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1212
1213 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1214
1215         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1216         https://bugs.webkit.org/show_bug.cgi?id=193713
1217
1218         * stress/try-get-by-id-should-spill-registers-dfg.js:
1219         (let.f.createBuiltin):
1220
1221 2019-01-28  Mark Lam  <mark.lam@apple.com>
1222
1223         ToString node actually does GC.
1224         https://bugs.webkit.org/show_bug.cgi?id=193920
1225         <rdar://problem/46695900>
1226
1227         Reviewed by Yusuke Suzuki.
1228
1229         * stress/dfg-to-string-on-int-does-gc.js: Added.
1230         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1231         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1232
1233 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1234
1235         [JSC] NativeErrorConstructor should not have own IsoSubspace
1236         https://bugs.webkit.org/show_bug.cgi?id=193713
1237
1238         Reviewed by Saam Barati.
1239
1240         Remove @Error use.
1241
1242         * stress/try-get-by-id-should-spill-registers-dfg.js:
1243         (let.f.createBuiltin):
1244
1245 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1246
1247         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1248         https://bugs.webkit.org/show_bug.cgi?id=190693
1249
1250         Reviewed by Michael Saboff.
1251
1252         * stress/regress-190693.js: Added.
1253         (truth):
1254         (assert):
1255         (shouldThrowInvalidConstAssignment):
1256         (taz):
1257
1258 2019-01-24  Saam Barati  <sbarati@apple.com>
1259
1260         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1261         https://bugs.webkit.org/show_bug.cgi?id=193751
1262         <rdar://problem/47280215>
1263
1264         Reviewed by Michael Saboff.
1265
1266         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1267         (let.thing):
1268         (foo.let.hello):
1269         (foo):
1270
1271 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1272
1273         [JSC] Reenable baseline JIT on mips
1274         https://bugs.webkit.org/show_bug.cgi?id=192983
1275
1276         Reviewed by Mark Lam.
1277
1278         Added a new test for a case that was triggering a RELEASE_ASSERT when
1279         testing.
1280         Disable some slow tests that were already disabled for arm and x86.
1281
1282         * stress/json-parse-big-object.js: Added.
1283         * stress/new-largeish-contiguous-array-with-size.js:
1284         * stress/op_add.js:
1285         * stress/op_bitand.js:
1286         * stress/op_bitor.js:
1287         * stress/op_bitxor.js:
1288         * stress/op_lshift-ConstVar.js:
1289         * stress/op_lshift-VarConst.js:
1290         * stress/op_lshift-VarVar.js:
1291         * stress/op_mod-ConstVar.js:
1292         * stress/op_mod-VarConst.js:
1293         * stress/op_mod-VarVar.js:
1294         * stress/op_mul-ConstVar.js:
1295         * stress/op_mul-VarConst.js:
1296         * stress/op_mul-VarVar.js:
1297         * stress/op_rshift-ConstVar.js:
1298         * stress/op_rshift-VarConst.js:
1299         * stress/op_rshift-VarVar.js:
1300         * stress/op_sub-ConstVar.js:
1301         * stress/op_sub-VarConst.js:
1302         * stress/op_sub-VarVar.js:
1303         * stress/op_urshift-ConstVar.js:
1304         * stress/op_urshift-VarConst.js:
1305         * stress/op_urshift-VarVar.js:
1306         * stress/sampling-profiler-richards.js:
1307         * stress/spread-forward-call-varargs-stack-overflow.js:
1308
1309 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1310
1311         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1312         https://bugs.webkit.org/show_bug.cgi?id=193711
1313         <rdar://problem/47250262>
1314
1315         Reviewed by Saam Barati.
1316
1317         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1318         (shouldBe):
1319         (foo):
1320         (bar):
1321         (baz):
1322
1323 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1324
1325         Unreviewed, fix initial global lexical binding epoch
1326         https://bugs.webkit.org/show_bug.cgi?id=193603
1327         <rdar://problem/47380869>
1328
1329         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1330         (f1.f2.f3.f4):
1331         (f1.f2.f3):
1332         (f1.f2):
1333         (f1):
1334
1335 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1336
1337         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1338         https://bugs.webkit.org/show_bug.cgi?id=193709
1339         <rdar://problem/47363838>
1340
1341         Unreviewed, rollout to watch the tests.
1342
1343         * stress/object-tostring-changed-proto.js: Removed.
1344         * stress/object-tostring-changed.js: Removed.
1345         * stress/object-tostring-misc.js: Removed.
1346         * stress/object-tostring-other.js: Removed.
1347         * stress/object-tostring-untyped.js: Removed.
1348
1349 2019-01-22  Saam Barati  <sbarati@apple.com>
1350
1351         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1352
1353         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1354         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1355         (testUncheckedLessThanZero):
1356         (testUncheckedLessThanOrEqualZero):
1357         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1358         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1359
1360 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1361
1362         [JSC] Invalidate old scope operations using global lexical binding epoch
1363         https://bugs.webkit.org/show_bug.cgi?id=193603
1364         <rdar://problem/47380869>
1365
1366         Reviewed by Saam Barati.
1367
1368         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1369         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1370         (shouldThrow):
1371         (bar):
1372         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1373         (shouldBe):
1374         (get1):
1375         (get2):
1376         (get1If):
1377         (get2If):
1378         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1379         (shouldThrow):
1380         (foo):
1381
1382 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1383
1384         Unreviewed, roll out r240220 due to date-format-xparb regression
1385         https://bugs.webkit.org/show_bug.cgi?id=193603
1386
1387         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1388         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1389         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1390         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1391
1392 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1393
1394         DoesGC rule is wrong for nodes with BigIntUse
1395         https://bugs.webkit.org/show_bug.cgi?id=193652
1396
1397         Reviewed by Saam Barati.
1398
1399         * stress/big-int-value-op-update-gc-rules.js: Added.
1400         (assert):
1401         (doesGCAdd):
1402         (doesGCSub):
1403         (doesGCDiv):
1404         (doesGCMul):
1405         (doesGCBitAnd):
1406         (doesGCBitOr):
1407         (doesGCBitXor):
1408
1409 2019-01-20  Saam Barati  <sbarati@apple.com>
1410
1411         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1412         https://bugs.webkit.org/show_bug.cgi?id=193644
1413         <rdar://problem/46209745>
1414
1415         Reviewed by Yusuke Suzuki.
1416
1417         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1418         (foo):
1419         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1420         (foo):
1421         (bar):
1422
1423 2019-01-20  Saam Barati  <sbarati@apple.com>
1424
1425         MovHint must merge NodeBytecodeUsesAsValue for its child
1426         https://bugs.webkit.org/show_bug.cgi?id=186916
1427         <rdar://problem/41396612>
1428
1429         Reviewed by Yusuke Suzuki.
1430
1431         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1432         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1433
1434 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1435
1436         [JSC] Invalidate old scope operations using global lexical binding epoch
1437         https://bugs.webkit.org/show_bug.cgi?id=193603
1438         <rdar://problem/47380869>
1439
1440         Reviewed by Saam Barati.
1441
1442         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1443         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1444         (shouldThrow):
1445         (bar):
1446         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1447         (shouldBe):
1448         (get1):
1449         (get2):
1450         (get1If):
1451         (get2If):
1452         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1453         (shouldThrow):
1454         (foo):
1455
1456 2019-01-17  Saam barati  <sbarati@apple.com>
1457
1458         StringObjectUse should not be a structure check for the original string object structure
1459         https://bugs.webkit.org/show_bug.cgi?id=193483
1460         <rdar://problem/47280522>
1461
1462         Reviewed by Yusuke Suzuki.
1463
1464         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1465         (foo):
1466         (a.valueOf.0):
1467
1468 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1469
1470         [JSC] ToThis omission in DFGByteCodeParser is wrong
1471         https://bugs.webkit.org/show_bug.cgi?id=193513
1472         <rdar://problem/45842236>
1473
1474         Reviewed by Saam Barati.
1475
1476         * stress/to-this-omission-with-different-strict-modes.js: Added.
1477         (thisA):
1478         (thisAStrictWrapper):
1479
1480 2019-01-15  Mark Lam  <mark.lam@apple.com>
1481
1482         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1483         https://bugs.webkit.org/show_bug.cgi?id=193423
1484         <rdar://problem/46209355>
1485
1486         Reviewed by Saam Barati.
1487
1488         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1489         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1490         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1491         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1492
1493 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1494
1495         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1496         https://bugs.webkit.org/show_bug.cgi?id=193438
1497         <rdar://problem/45581249>
1498
1499         Reviewed by Saam Barati and Keith Miller.
1500
1501         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1502         Then, GetByVal(String) crashed.
1503
1504         * stress/string-get-by-val-lowering.js: Added.
1505         (shouldBe):
1506         (test):
1507         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1508         (Hello):
1509         (foo):
1510
1511 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1512
1513         Unreviewed, skip JIT tests if it's not enabled
1514
1515         * stress/bit-op-with-object-returning-int32.js:
1516
1517 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1518
1519         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1520         https://bugs.webkit.org/show_bug.cgi?id=192966
1521
1522         Reviewed by Yusuke Suzuki.
1523
1524         * stress/bit-op-with-object-returning-int32.js: Added.
1525
1526 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1527
1528         Skip a slow test and a flakey test on arm
1529
1530         Unreviewed gardening.
1531
1532         * typeProfiler/getter-richards.js:
1533         this test always times out, it used to be always skipped on arm and
1534         mips, but got accidentally enabled by r237919 now that we have DFG on
1535         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1536
1537 2019-01-14  Keith Miller  <keith_miller@apple.com>
1538
1539         Skip type-check-hoisting-phase-hoist... with no jit
1540         https://bugs.webkit.org/show_bug.cgi?id=193421
1541
1542         Reviewed by Mark Lam.
1543
1544         It's timing out the 32-bit bots and takes 330 seconds
1545         on my machine when run by itself.
1546
1547         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1548
1549 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1550
1551         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1552         https://bugs.webkit.org/show_bug.cgi?id=193413
1553         <rdar://problem/46092389>
1554
1555         Reviewed by Keith Miller.
1556
1557         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1558         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1559         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1560         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1561
1562         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1563         (compareArray):
1564
1565 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1566
1567         [BigInt] Literal parsing is crashing when used inside a Object Literal
1568         https://bugs.webkit.org/show_bug.cgi?id=193404
1569
1570         Reviewed by Yusuke Suzuki.
1571
1572         * stress/big-int-literal-inside-literal-object.js: Added.
1573
1574 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1575
1576         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1577         https://bugs.webkit.org/show_bug.cgi?id=193372
1578
1579         Reviewed by Saam Barati.
1580
1581         * stress/typed-array-array-modes-profile.js: Added.
1582         (foo):
1583
1584 2019-01-14  Mark Lam  <mark.lam@apple.com>
1585
1586         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1587         https://bugs.webkit.org/show_bug.cgi?id=193402
1588         <rdar://problem/46012309>
1589
1590         Reviewed by Keith Miller.
1591
1592         * stress/regexp-compile-oom.js:
1593         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1594           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1595
1596 2019-01-11  Saam barati  <sbarati@apple.com>
1597
1598         DFG combined liveness can be wrong for terminal basic blocks
1599         https://bugs.webkit.org/show_bug.cgi?id=193304
1600         <rdar://problem/45268632>
1601
1602         Reviewed by Yusuke Suzuki.
1603
1604         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1605
1606 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1607
1608         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1609         https://bugs.webkit.org/show_bug.cgi?id=193308
1610         <rdar://problem/45546542>
1611
1612         Reviewed by Saam Barati.
1613
1614         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1615         (shouldThrow):
1616         (shouldBe):
1617         (foo):
1618         (get shouldThrow):
1619         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1620         (shouldThrow):
1621         (shouldBe):
1622         (foo):
1623         (get shouldBe):
1624         (get shouldThrow):
1625         (get return):
1626         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1627         (shouldThrow):
1628         (shouldBe):
1629         (foo):
1630         (get shouldBe):
1631         (get shouldThrow):
1632         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1633         (shouldThrow):
1634         (shouldBe):
1635         (foo):
1636         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1637         (shouldThrow):
1638         (shouldBe):
1639         (foo):
1640         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1641         (shouldThrow):
1642         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1643         (shouldThrow):
1644         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1645         (shouldThrow):
1646         (shouldBe):
1647         (foo):
1648         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1649         (shouldThrow):
1650         (shouldBe):
1651         (foo):
1652         (get shouldBe):
1653         (get shouldThrow):
1654         (get return):
1655         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1656         (shouldThrow):
1657         (shouldBe):
1658         (foo):
1659         (get shouldBe):
1660         (get shouldThrow):
1661         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1662         (shouldThrow):
1663         (shouldBe):
1664         (foo):
1665         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1666         (shouldThrow):
1667         (shouldBe):
1668         (foo):
1669
1670 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1671
1672         Enable DFG on ARM/Linux again
1673         https://bugs.webkit.org/show_bug.cgi?id=192496
1674
1675         Reviewed by Yusuke Suzuki.
1676
1677         Test wasn't really skipped before moving the line with skip
1678         to the top.
1679
1680         * stress/regress-192717.js:
1681
1682 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1683
1684         Unreviewed, rolling out r239825.
1685         https://bugs.webkit.org/show_bug.cgi?id=193330
1686
1687         Broke tests on armv7/linux bots (Requested by guijemont on
1688         #webkit).
1689
1690         Reverted changeset:
1691
1692         "Enable DFG on ARM/Linux again"
1693         https://bugs.webkit.org/show_bug.cgi?id=192496
1694         https://trac.webkit.org/changeset/239825
1695
1696 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1697
1698         Enable DFG on ARM/Linux again
1699         https://bugs.webkit.org/show_bug.cgi?id=192496
1700
1701         Reviewed by Yusuke Suzuki.
1702
1703         Test wasn't really skipped before moving the line with skip
1704         to the top.
1705
1706         * stress/regress-192717.js:
1707
1708 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1709
1710         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1711         https://bugs.webkit.org/show_bug.cgi?id=193127
1712
1713         Reviewed by Saam Barati.
1714
1715         * stress/array-species-create-should-handle-masquerader.js: Added.
1716         (shouldThrow):
1717         * stress/is-undefined-or-null-builtin.js: Added.
1718         (shouldBe):
1719         (isUndefinedOrNull.vm.createBuiltin):
1720
1721 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1722
1723         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1724         https://bugs.webkit.org/show_bug.cgi?id=193221
1725
1726         Reviewed by Mark Lam.
1727
1728         * stress/put-by-id-flags.js: Added.
1729         (f):
1730         (g):
1731         (numberOfDFGCompiles):
1732
1733 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1734
1735         Baseline version of get_by_id may corrupt metadata
1736         https://bugs.webkit.org/show_bug.cgi?id=193085
1737         <rdar://problem/23453006>
1738
1739         Reviewed by Saam Barati.
1740
1741         * stress/get-by-id-change-mode.js: Added.
1742         (forEach):
1743
1744 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1745
1746         [JSC] Optimize Object.prototype.toString
1747         https://bugs.webkit.org/show_bug.cgi?id=193031
1748
1749         Reviewed by Saam Barati.
1750
1751         * stress/object-tostring-changed-proto.js: Added.
1752         (shouldBe):
1753         (test):
1754         * stress/object-tostring-changed.js: Added.
1755         (shouldBe):
1756         (test):
1757         * stress/object-tostring-misc.js: Added.
1758         (shouldBe):
1759         (test):
1760         (i.switch):
1761         * stress/object-tostring-other.js: Added.
1762         (shouldBe):
1763         (test):
1764         * stress/object-tostring-untyped.js: Added.
1765         (shouldBe):
1766         (test):
1767         (i.switch):
1768
1769 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1770
1771         test262-runner misbehaves when test file YAML has a trailing space
1772         https://bugs.webkit.org/show_bug.cgi?id=193053
1773
1774         Reviewed by Yusuke Suzuki.
1775
1776         * test262/expectations.yaml:
1777         Mark two dozen tests as passing (and correct the output of another).
1778
1779 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1780
1781         Unreviewed, JSTests gardening with memoryLimited
1782
1783         * stress/string-overflow-createError.js:
1784
1785 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1786
1787         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1788         https://bugs.webkit.org/show_bug.cgi?id=193050
1789
1790         Reviewed by Yusuke Suzuki.
1791
1792         * test262.yaml:
1793         * test262/expectations.yaml:
1794         Mark 16 tests as passing.
1795
1796 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1797
1798         [BigInt] Support BigInt in JSON.stringify
1799         https://bugs.webkit.org/show_bug.cgi?id=192624
1800
1801         Reviewed by Saam Barati.
1802
1803         * stress/big-int-json-stringify-to-json.js: Added.
1804         (shouldBe):
1805         (shouldThrow):
1806         (BigInt.prototype.toJSON):
1807         (shouldBe.JSON.stringify):
1808         * stress/big-int-json-stringify.js: Added.
1809         (shouldBe):
1810         (shouldThrow):
1811
1812 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1813
1814         [JSC] Implement "well-formed JSON.stringify" proposal
1815         https://bugs.webkit.org/show_bug.cgi?id=191677
1816
1817         Reviewed by Darin Adler.
1818
1819         * stress/json-surrogate-pair.js: Added.
1820         (shouldBe):
1821         * test262/expectations.yaml:
1822
1823 2018-12-20  Keith Miller  <keith_miller@apple.com>
1824
1825         Add support for globalThis
1826         https://bugs.webkit.org/show_bug.cgi?id=165171
1827
1828         Reviewed by Mark Lam.
1829
1830         * test262/config.yaml:
1831
1832 2018-12-19  Keith Miller  <keith_miller@apple.com>
1833
1834         Update test262 configuration to not run tests dependent on ICU version.
1835         https://bugs.webkit.org/show_bug.cgi?id=192920
1836
1837         Reviewed by Saam Barati.
1838
1839         * test262/expectations.yaml:
1840
1841 2018-12-20  Mark Lam  <mark.lam@apple.com>
1842
1843         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1844         https://bugs.webkit.org/show_bug.cgi?id=192939
1845         <rdar://problem/46869516>
1846
1847         Reviewed by Keith Miller.
1848
1849         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1850
1851 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1852
1853         WTF::String and StringImpl overflow MaxLength
1854         https://bugs.webkit.org/show_bug.cgi?id=192853
1855         <rdar://problem/45726906>
1856
1857         Reviewed by Mark Lam.
1858
1859         * stress/string-16bit-repeat-overflow.js: Added.
1860         (catch):
1861
1862 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1863
1864         Unreviewed follow-up to r192914.
1865
1866         * test262/expectations.yaml:
1867         Add the last 20 missing expectations.
1868
1869 2018-12-19  Keith Miller  <keith_miller@apple.com>
1870
1871         Fix test262 expectations
1872         https://bugs.webkit.org/show_bug.cgi?id=192914
1873
1874         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1875
1876         * test262/expectations.yaml:
1877
1878 2018-12-19  Keith Miller  <keith_miller@apple.com>
1879
1880         Update test262 tests.
1881         https://bugs.webkit.org/show_bug.cgi?id=192907
1882
1883         Rubber stamped by Mark Lam.
1884
1885         * test262/*: Omitted because prepare-changelog crashes.
1886
1887 2018-12-19  Mark Lam  <mark.lam@apple.com>
1888
1889         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1890         https://bugs.webkit.org/show_bug.cgi?id=192464
1891         <rdar://problem/46519455>
1892
1893         Reviewed by Saam Barati.
1894
1895         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1896         microbenchmark.
1897
1898         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1899         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1900
1901 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1902
1903         String overflow in JSC::createError results in ASSERT in WTF::makeString
1904         https://bugs.webkit.org/show_bug.cgi?id=192833
1905         <rdar://problem/45706868>
1906
1907         Reviewed by Mark Lam.
1908
1909         * stress/string-overflow-createError.js: Added.
1910
1911 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1912
1913         Error message for `-x ** y` contains a typo.
1914         https://bugs.webkit.org/show_bug.cgi?id=192832
1915
1916         Reviewed by Saam Barati.
1917
1918         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1919         (assert.assert.return.throws):
1920         * stress/pow-expects-update-expression-on-lhs.js:
1921         (throw.new.Error):
1922         Update test expectations which match against the exact error message.
1923
1924 2018-12-18  Mark Lam  <mark.lam@apple.com>
1925
1926         Gardening: test options fix.
1927         https://bugs.webkit.org/show_bug.cgi?id=192822
1928
1929         Unreviewed.
1930
1931         * stress/json-stringify-string-builder-overflow.js:
1932
1933 2018-12-18  Mark Lam  <mark.lam@apple.com>
1934
1935         JSON.stringify() should throw OOM on StringBuilder overflows.
1936         https://bugs.webkit.org/show_bug.cgi?id=192822
1937         <rdar://problem/46670577>
1938
1939         Reviewed by Saam Barati.
1940
1941         * stress/json-stringify-string-builder-overflow.js: Added.
1942
1943 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1944
1945         Redeclaration of var over let/const/class should be a syntax error.
1946         https://bugs.webkit.org/show_bug.cgi?id=192298
1947
1948         Reviewed by Keith Miller.
1949
1950         * test262.yaml:
1951         * test262/expectations.yaml:
1952         Mark 46 tests as passing.
1953
1954         * stress/block-scope-redeclarations.js:
1955         Add some new tests.
1956
1957         * stress/for-in-invalidate-context-weird-assignments.js:
1958         * stress/for-in-tests.js:
1959         Replace tests for outdated behavior with tests for SyntaxError.
1960
1961         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1962         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1963         Update expectations.
1964
1965 2018-12-18  Mark Lam  <mark.lam@apple.com>
1966
1967         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1968         https://bugs.webkit.org/show_bug.cgi?id=191374
1969         <rdar://problem/46525447>
1970
1971         Reviewed by Yusuke Suzuki.
1972
1973         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1974
1975         * stress/elidable-new-object-roflcopter-then-exit.js:
1976
1977 2018-12-17  Mark Lam  <mark.lam@apple.com>
1978
1979         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1980         https://bugs.webkit.org/show_bug.cgi?id=192019
1981         <rdar://problem/46525456>
1982
1983         Reviewed by Yusuke Suzuki.
1984
1985         The test runs too slow on 32-bit.
1986
1987         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1988
1989 2018-12-17  Mark Lam  <mark.lam@apple.com>
1990
1991         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1992         https://bugs.webkit.org/show_bug.cgi?id=191373
1993         <rdar://problem/46525458>
1994
1995         Reviewed by Yusuke Suzuki.
1996
1997         The test is already slow running with a JIT on 64-bit.  It will always time out
1998         on 32-bit without a JIT.
1999
2000         * stress/materialize-regexp-cyclic-regexp.js:
2001
2002 2018-12-17  Mark Lam  <mark.lam@apple.com>
2003
2004         Array unshift/shift should not race against the AI in the compiler thread.
2005         https://bugs.webkit.org/show_bug.cgi?id=192795
2006         <rdar://problem/46724263>
2007
2008         Reviewed by Saam Barati.
2009
2010         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2011
2012 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2013
2014         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2015         https://bugs.webkit.org/show_bug.cgi?id=190047
2016
2017         Reviewed by Saam Barati.
2018
2019         * stress/object-keys-cached-zero.js: Added.
2020         (shouldBe):
2021         (test):
2022         * stress/object-keys-changed-attribute.js: Added.
2023         (shouldBe):
2024         (test):
2025         * stress/object-keys-changed-index.js: Added.
2026         (shouldBe):
2027         (test):
2028         * stress/object-keys-changed.js: Added.
2029         (shouldBe):
2030         (test):
2031         * stress/object-keys-indexed-non-cache.js: Added.
2032         (shouldBe):
2033         (test):
2034         * stress/object-keys-overrides-get-property-names.js: Added.
2035         (shouldBe):
2036         (test):
2037         (noInline):
2038
2039 2018-12-17  Mark Lam  <mark.lam@apple.com>
2040
2041         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2042         https://bugs.webkit.org/show_bug.cgi?id=192779
2043         <rdar://problem/46775869>
2044
2045         Reviewed by Saam Barati.
2046
2047         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2048
2049 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2050
2051         Unreviewed test gardening, address a syntax error in a new test.
2052
2053         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2054
2055 2018-12-17  Mark Lam  <mark.lam@apple.com>
2056
2057         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2058         https://bugs.webkit.org/show_bug.cgi?id=192776
2059         <rdar://problem/46772368>
2060
2061         Reviewed by Keith Miller.
2062
2063         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2064
2065 2018-12-17  Mark Lam  <mark.lam@apple.com>
2066
2067         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2068         https://bugs.webkit.org/show_bug.cgi?id=192770
2069         <rdar://problem/46449037>
2070
2071         Reviewed by Keith Miller.
2072
2073         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2074
2075 2018-12-14  Mark Lam  <mark.lam@apple.com>
2076
2077         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2078         https://bugs.webkit.org/show_bug.cgi?id=192717
2079         <rdar://problem/46660677>
2080
2081         Reviewed by Saam Barati.
2082
2083         * stress/regress-192717.js: Added.
2084
2085 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2086
2087         Unreviewed, rolling out r239153, r239154, and r239155.
2088         https://bugs.webkit.org/show_bug.cgi?id=192715
2089
2090         Caused flaky GC-related crashes seen with layout tests
2091         (Requested by ryanhaddad on #webkit).
2092
2093         Reverted changesets:
2094
2095         "[JSC] Optimize Object.keys by caching own keys results in
2096         StructureRareData"
2097         https://bugs.webkit.org/show_bug.cgi?id=190047
2098         https://trac.webkit.org/changeset/239153
2099
2100         "Unreviewed, build fix after r239153"
2101         https://bugs.webkit.org/show_bug.cgi?id=190047
2102         https://trac.webkit.org/changeset/239154
2103
2104         "Unreviewed, build fix after r239153, part 2"
2105         https://bugs.webkit.org/show_bug.cgi?id=190047
2106         https://trac.webkit.org/changeset/239155
2107
2108 2018-12-14  Keith Miller  <keith_miller@apple.com>
2109
2110         Callers of JSString::getIndex should check for OOM exceptions
2111         https://bugs.webkit.org/show_bug.cgi?id=192709
2112
2113         Reviewed by Mark Lam.
2114
2115         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2116
2117 2018-12-13  Mark Lam  <mark.lam@apple.com>
2118
2119         Add a missing exception check.
2120         https://bugs.webkit.org/show_bug.cgi?id=192626
2121         <rdar://problem/46662163>
2122
2123         Reviewed by Keith Miller.
2124
2125         * stress/regress-192626.js: Added.
2126
2127 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2128
2129         [BigInt] Add ValueDiv into DFG
2130         https://bugs.webkit.org/show_bug.cgi?id=186178
2131
2132         Reviewed by Yusuke Suzuki.
2133
2134         * stress/big-int-div-jit-osr.js: Added.
2135         * stress/big-int-div-jit-untyped.js: Added.
2136         * stress/value-div-fixup-int32-big-int.js: Added.
2137
2138 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2139
2140         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2141         https://bugs.webkit.org/show_bug.cgi?id=190047
2142
2143         Reviewed by Keith Miller.
2144
2145         * stress/object-keys-cached-zero.js: Added.
2146         (shouldBe):
2147         (test):
2148         * stress/object-keys-changed-attribute.js: Added.
2149         (shouldBe):
2150         (test):
2151         * stress/object-keys-changed-index.js: Added.
2152         (shouldBe):
2153         (test):
2154         * stress/object-keys-changed.js: Added.
2155         (shouldBe):
2156         (test):
2157         * stress/object-keys-indexed-non-cache.js: Added.
2158         (shouldBe):
2159         (test):
2160         * stress/object-keys-overrides-get-property-names.js: Added.
2161         (shouldBe):
2162         (test):
2163         (noInline):
2164
2165 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2166
2167         [DFG][FTL] Add NewSymbol
2168         https://bugs.webkit.org/show_bug.cgi?id=192620
2169
2170         Reviewed by Saam Barati.
2171
2172         * microbenchmarks/symbol-creation.js: Added.
2173         (test):
2174         * stress/symbol-description-identity.js: Added.
2175         (shouldBe):
2176         (test):
2177         * stress/symbol-identity.js: Added.
2178         (shouldBe):
2179         (test):
2180         * stress/symbol-with-description-throw-error.js: Added.
2181         (shouldBe):
2182         (shouldThrow):
2183         (test):
2184         (object.toString):
2185
2186 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2187
2188         [BigInt] Implement DFG/FTL typeof for BigInt
2189         https://bugs.webkit.org/show_bug.cgi?id=192619
2190
2191         Reviewed by Keith Miller.
2192
2193         * stress/big-int-boolean-proven-type.js: Added.
2194         (assert):
2195         (bool):
2196         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2197         (assert):
2198         (typeOf):
2199         (i.switch):
2200         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2201         (assert):
2202         (typeOf):
2203         * stress/big-int-type-of.js:
2204         (typeOf):
2205         (func):
2206
2207 2018-12-10  Mark Lam  <mark.lam@apple.com>
2208
2209         PropertyAttribute needs a CustomValue bit.
2210         https://bugs.webkit.org/show_bug.cgi?id=191993
2211         <rdar://problem/46264467>
2212
2213         Reviewed by Saam Barati.
2214
2215         * stress/regress-191993.js: Added.
2216
2217 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2218
2219         [BigInt] Add ValueMul into DFG
2220         https://bugs.webkit.org/show_bug.cgi?id=186175
2221
2222         Reviewed by Yusuke Suzuki.
2223
2224         * stress/big-int-mul-jit-osr.js: Added.
2225         * stress/big-int-mul-jit-untyped.js: Added.
2226         * stress/value-mul-fixup-int32-big-int.js: Added.
2227
2228 2018-12-06  Keith Miller  <keith_miller@apple.com>
2229
2230         stress/big-wasm-memory tests failing on 32-bit JSC bot
2231         https://bugs.webkit.org/show_bug.cgi?id=192020
2232
2233         Reviewed by Saam Barati.
2234
2235         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2236         the wasm stress tests if the WebAssembly object does not exist.
2237
2238         * stress/big-wasm-memory-grow-no-max.js:
2239         (test.foo):
2240         (test):
2241         (foo): Deleted.
2242         (catch): Deleted.
2243         * stress/big-wasm-memory-grow.js:
2244         (test.foo):
2245         (test):
2246         (foo): Deleted.
2247         (catch): Deleted.
2248         * stress/big-wasm-memory.js:
2249         (test.foo):
2250         (test):
2251         (foo): Deleted.
2252         (catch): Deleted.
2253
2254 2018-12-05  Mark Lam  <mark.lam@apple.com>
2255
2256         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2257         https://bugs.webkit.org/show_bug.cgi?id=192441
2258         <rdar://problem/46480355>
2259
2260         Reviewed by Saam Barati.
2261
2262         * stress/regress-192441.js: Added.
2263
2264 2018-12-04  Mark Lam  <mark.lam@apple.com>
2265
2266         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2267         https://bugs.webkit.org/show_bug.cgi?id=192386
2268         <rdar://problem/46445516>
2269
2270         Reviewed by Saam Barati.
2271
2272         * stress/regress-192386.js: Added.
2273
2274 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2275
2276         [ESNext][BigInt] Support logic operations
2277         https://bugs.webkit.org/show_bug.cgi?id=179903
2278
2279         Reviewed by Yusuke Suzuki.
2280
2281         * stress/big-int-branch-usage.js: Added.
2282         * stress/big-int-logical-and.js: Added.
2283         * stress/big-int-logical-not.js: Added.
2284         * stress/big-int-logical-or.js: Added.
2285
2286 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2287
2288         Unreviewed, rolling out r238833.
2289
2290         Breaks macOS and iOS debug builds.
2291
2292         Reverted changeset:
2293
2294         "[ESNext][BigInt] Support logic operations"
2295         https://bugs.webkit.org/show_bug.cgi?id=179903
2296         https://trac.webkit.org/changeset/238833
2297
2298 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2299
2300         [ESNext][BigInt] Support logic operations
2301         https://bugs.webkit.org/show_bug.cgi?id=179903
2302
2303         Reviewed by Yusuke Suzuki.
2304
2305         * stress/big-int-branch-usage.js: Added.
2306         * stress/big-int-logical-and.js: Added.
2307         * stress/big-int-logical-not.js: Added.
2308         * stress/big-int-logical-or.js: Added.
2309
2310 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2311
2312         [ESNext][BigInt] Implement support for "<<" and ">>"
2313         https://bugs.webkit.org/show_bug.cgi?id=186233
2314
2315         Reviewed by Yusuke Suzuki.
2316
2317         * stress/big-int-left-shift-general.js: Added.
2318         * stress/big-int-left-shift-range-error.js: Added.
2319         * stress/big-int-left-shift-type-error.js: Added.
2320         * stress/big-int-left-shift-wrapped-value.js: Added.
2321         * stress/big-int-right-shift-general.js: Added.
2322         * stress/big-int-right-shift-type-error.js: Added.
2323         * stress/big-int-right-shift-wrapped-value.js: Added.
2324         * stress/left-shift-to-primitive-precedence.js: Added.
2325         * stress/right-shift-to-primitive-precedence.js: Added.
2326
2327 2018-11-30  Dean Jackson  <dino@apple.com>
2328
2329         Add first-class support for .mjs files in jsc binary
2330         https://bugs.webkit.org/show_bug.cgi?id=192190
2331         <rdar://problem/46375715>
2332
2333         Reviewed by Keith Miller.
2334
2335         * stress/simple-module.mjs: Added.
2336         * stress/simple-script.js: Added.
2337
2338 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2339
2340         [BigInt] Implement ValueBitXor into DFG
2341         https://bugs.webkit.org/show_bug.cgi?id=190264
2342
2343         Reviewed by Yusuke Suzuki.
2344
2345         * stress/big-int-bitwise-xor-jit.js: Added.
2346         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2347         * stress/big-int-bitwise-xor-untyped.js: Added.
2348
2349 2018-11-27  Saam barati  <sbarati@apple.com>
2350
2351         r238510 broke scopes of size zero
2352         https://bugs.webkit.org/show_bug.cgi?id=192033
2353         <rdar://problem/46281734>
2354
2355         Reviewed by Keith Miller.
2356
2357         * stress/r238510-bad-loop.js: Added.
2358         (foo):
2359
2360 2018-11-27  Mark Lam  <mark.lam@apple.com>
2361
2362         [Re-landing] NaNs read from Wasm code needs to be purified.
2363         https://bugs.webkit.org/show_bug.cgi?id=191056
2364         <rdar://problem/45660341>
2365
2366         Reviewed by Filip Pizlo.
2367
2368         * wasm/regress/regress-191056.js: Added.
2369
2370 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2371
2372         Unreviewed, rolling out r238509.
2373
2374         Causes JSC tests to fail on iOS.
2375
2376         Reverted changeset:
2377
2378         "NaNs read from Wasm code needs to be purified."
2379         https://bugs.webkit.org/show_bug.cgi?id=191056
2380         https://trac.webkit.org/changeset/238509
2381
2382 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2383
2384         Re-introduce op_bitnot
2385         https://bugs.webkit.org/show_bug.cgi?id=190923
2386
2387         Reviewed by Yusuke Suzuki.
2388
2389         * stress/bit-not-must-generate.js: Added.
2390         * stress/bitwise-not-no-int32.js: Added.
2391
2392 2018-11-26  Saam barati  <sbarati@apple.com>
2393
2394         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2395         https://bugs.webkit.org/show_bug.cgi?id=191956
2396         <rdar://problem/45665806>
2397
2398         Reviewed by Yusuke Suzuki.
2399
2400         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2401         (bar):
2402         (foo):
2403
2404 2018-11-26  Saam barati  <sbarati@apple.com>
2405
2406         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2407         https://bugs.webkit.org/show_bug.cgi?id=191958
2408         <rdar://problem/46221877>
2409
2410         Reviewed by Yusuke Suzuki.
2411
2412         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2413         (x):
2414         (foo):
2415
2416 2018-11-26  Mark Lam  <mark.lam@apple.com>
2417
2418         NaNs read from Wasm code needs to be purified.
2419         https://bugs.webkit.org/show_bug.cgi?id=191056
2420         <rdar://problem/45660341>
2421
2422         Reviewed by Filip Pizlo.
2423
2424         * wasm/regress/regress-191056.js: Added.
2425
2426 2018-11-26  Michael Saboff  <msaboff@apple.com>
2427
2428         32-bit JSC test failure: stress/regexp-compile-oom.js
2429         https://bugs.webkit.org/show_bug.cgi?id=191375
2430
2431         Reviewed by Mark Lam.
2432
2433         Disabled the test for 32 bit platforms.
2434
2435         * stress/regexp-compile-oom.js:
2436
2437 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2438
2439         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2440         https://bugs.webkit.org/show_bug.cgi?id=191716
2441         <rdar://problem/45723878>
2442
2443         Reviewed by Saam Barati.
2444
2445         * stress/regress-187373.js: Added.
2446         (async.fn):
2447
2448 2018-11-21  Saam barati  <sbarati@apple.com>
2449
2450         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2451         https://bugs.webkit.org/show_bug.cgi?id=191897
2452         <rdar://problem/45871998>
2453
2454         Reviewed by Mark Lam.
2455
2456         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2457         (bar):
2458         (foo):
2459
2460 2018-11-21  Saam barati  <sbarati@apple.com>
2461
2462         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2463         https://bugs.webkit.org/show_bug.cgi?id=191895
2464         <rdar://problem/46167406>
2465
2466         Reviewed by Mark Lam.
2467
2468         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2469         (foo):
2470         (bar):
2471
2472 2018-11-21  Mark Lam  <mark.lam@apple.com>
2473
2474         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2475         https://bugs.webkit.org/show_bug.cgi?id=191776
2476         <rdar://problem/46152851>
2477
2478         Reviewed by Saam Barati.
2479
2480         * stress/big-wasm-memory-grow-no-max.js:
2481         * stress/big-wasm-memory-grow.js:
2482         * stress/big-wasm-memory.js:
2483         - updated these to expect an OutOfMemoryError.
2484
2485         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2486         (Binary.prototype.emit_u8):
2487         (Binary.prototype.emit_u32v):
2488         (Binary.prototype.emit_header):
2489         (Binary.prototype.emit_section):
2490         (Binary):
2491         (WasmModuleBuilder):
2492         (WasmModuleBuilder.prototype.addMemory):
2493         (WasmModuleBuilder.prototype.toArray):
2494         (WasmModuleBuilder.prototype.toBuffer):
2495         (WasmModuleBuilder.prototype.instantiate):
2496         (catch):
2497         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2498         (catch):
2499
2500 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2501
2502         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2503         https://bugs.webkit.org/show_bug.cgi?id=190836
2504
2505         Reviewed by Saam Barati and Yusuke Suzuki.
2506
2507         * stress/big-int-out-of-memory-tests.js: Added.
2508
2509 2018-11-20  Mark Lam  <mark.lam@apple.com>
2510
2511         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2512         https://bugs.webkit.org/show_bug.cgi?id=191856
2513         <rdar://problem/46089992>
2514
2515         Reviewed by Yusuke Suzuki.
2516
2517         * stress/regress-191856.js: Added.
2518         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2519
2520 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2521
2522         Enable JIT on ARM/Linux
2523         https://bugs.webkit.org/show_bug.cgi?id=191548
2524
2525         Reviewed by Yusuke Suzuki.
2526
2527         Disable test on system with limited memory. Program was killed by
2528         the OS before the exception was thrown.
2529
2530         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2531
2532 2018-11-20  Saam barati  <sbarati@apple.com>
2533
2534         Merging an IC variant may lead to the IC status containing overlapping structure sets
2535         https://bugs.webkit.org/show_bug.cgi?id=191869
2536         <rdar://problem/45403453>
2537
2538         Reviewed by Mark Lam.
2539
2540         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2541
2542 2018-11-19  Mark Lam  <mark.lam@apple.com>
2543
2544         globalFuncImportModule() should return a promise when it clears exceptions.
2545         https://bugs.webkit.org/show_bug.cgi?id=191792
2546         <rdar://problem/46090763>
2547
2548         Reviewed by Michael Saboff.
2549
2550         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2551
2552 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2553
2554         Skip new memory-hungry tests on memory limited devices
2555
2556         Unreviewed gardening.
2557
2558         * stress/big-wasm-memory-grow-no-max.js:
2559         * stress/big-wasm-memory-grow.js:
2560         * stress/big-wasm-memory.js:
2561
2562 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2563
2564         Unreviewed, rolling in the rest of r237254
2565         https://bugs.webkit.org/show_bug.cgi?id=190340
2566
2567         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2568         * stress/function-cache-with-parameters-end-position.js: Added.
2569         (shouldBe):
2570         (shouldThrow):
2571         (i.anonymous):
2572         * stress/function-constructor-name.js: Added.
2573         (shouldBe):
2574         (GeneratorFunction):
2575         (AsyncFunction.async):
2576         (AsyncGeneratorFunction.async):
2577         (anonymous):
2578         (async.anonymous):
2579         * test262/expectations.yaml:
2580
2581 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2582
2583         All users of ArrayBuffer should agree on the same max size
2584         https://bugs.webkit.org/show_bug.cgi?id=191771
2585
2586         Reviewed by Mark Lam.
2587
2588         * stress/big-wasm-memory-grow-no-max.js: Added.
2589         (foo):
2590         (catch):
2591         * stress/big-wasm-memory-grow.js: Added.
2592         (foo):
2593         (catch):
2594         * stress/big-wasm-memory.js: Added.
2595         (foo):
2596         (catch):
2597
2598 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2599
2600         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2601         run for each JSC config since they're regression tests for runtime bugs.
2602
2603         * stress/json-stringified-overflow-2.js:
2604         * stress/json-stringified-overflow.js:
2605
2606 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2607
2608         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2609         config since they're regression tests for runtime bugs.
2610
2611         * stress/large-unshift-splice.js:
2612         * stress/regress-185888.js:
2613
2614 2018-11-16  Saam Barati  <sbarati@apple.com>
2615
2616         KnownCellUse should also have SpecCellCheck as its type filter
2617         https://bugs.webkit.org/show_bug.cgi?id=191729
2618         <rdar://problem/45872852>
2619
2620         Reviewed by Filip Pizlo.
2621
2622         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2623         (C):
2624
2625 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2626
2627         Fix assertion failure on BytecodeGenerator::recordOpcode
2628         https://bugs.webkit.org/show_bug.cgi?id=191724
2629         <rdar://problem/45724395>
2630
2631         Reviewed by Saam Barati.
2632
2633         * stress/regress-187373-2.js: Added.
2634         (foo):
2635
2636 2018-11-15  Mark Lam  <mark.lam@apple.com>
2637
2638         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2639         https://bugs.webkit.org/show_bug.cgi?id=191730
2640         <rdar://problem/46048517>
2641
2642         Reviewed by Saam Barati.
2643
2644         * stress/regress-187006.js: Removed.
2645           - this test is invalid because its sole purpose is to test for the non-spec
2646             compliant behavior that we just fixed.
2647
2648         * stress/regress-191730.js: Added.
2649
2650 2018-11-15  Mark Lam  <mark.lam@apple.com>
2651
2652         RegExp operations should not take fast path if lastIndex is not numeric.
2653         https://bugs.webkit.org/show_bug.cgi?id=191731
2654         <rdar://problem/46017305>
2655
2656         Reviewed by Saam Barati.
2657
2658         * stress/regress-191731.js: Added.
2659
2660 2018-11-13  Saam Barati  <sbarati@apple.com>
2661
2662         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2663         https://bugs.webkit.org/show_bug.cgi?id=191600
2664
2665         Reviewed by Mark Lam.
2666
2667         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2668         (foo):
2669         (test):
2670         (bar):
2671
2672 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2673
2674         Unreviewed, rolling out r238132.
2675
2676         The test added with this change is timing out on Debug JSC
2677         bots.
2678
2679         Reverted changeset:
2680
2681         "[BigInt] JSBigInt::createWithLength should throw when length
2682         is greater than JSBigInt::maxLength"
2683         https://bugs.webkit.org/show_bug.cgi?id=190836
2684         https://trac.webkit.org/changeset/238132
2685
2686 2018-11-13  Mark Lam  <mark.lam@apple.com>
2687
2688         Add OOM detection to StringPrototype's substituteBackreferences().
2689         https://bugs.webkit.org/show_bug.cgi?id=191563
2690         <rdar://problem/45720428>
2691
2692         Reviewed by Saam Barati.
2693
2694         * stress/regress-191563.js: Added.
2695
2696 2018-11-13  Mark Lam  <mark.lam@apple.com>
2697
2698         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2699         https://bugs.webkit.org/show_bug.cgi?id=191579
2700         <rdar://problem/45942472>
2701
2702         Reviewed by Saam Barati.
2703
2704         * stress/regress-191579.js: Added.
2705
2706 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2707
2708         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2709         https://bugs.webkit.org/show_bug.cgi?id=190836
2710
2711         Reviewed by Saam Barati.
2712
2713         * stress/big-int-out-of-memory-tests.js: Added.
2714
2715 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2716
2717         U+180E is no longer a whitespace character
2718         https://bugs.webkit.org/show_bug.cgi?id=191415
2719
2720         Reviewed by Saam Barati.
2721
2722         * ChakraCore/test/es5/regexSpace.baseline:
2723         * ChakraCore/test/es6/unicode_whitespace.js:
2724         Update tests to latest version.
2725         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2726
2727         * test262.yaml:
2728         * test262/config.yaml:
2729         * test262/expectations.yaml:
2730         Update expectations.
2731
2732 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2733
2734         [BigInt] Add support to BigInt into ValueAdd
2735         https://bugs.webkit.org/show_bug.cgi?id=186177
2736
2737         Reviewed by Keith Miller.
2738
2739         * stress/big-int-negate-jit.js:
2740         * stress/value-add-big-int-and-string.js: Added.
2741         * stress/value-add-big-int-prediction-propagation.js: Added.
2742         * stress/value-add-big-int-untyped.js: Added.
2743
2744 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2745
2746         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2747         https://bugs.webkit.org/show_bug.cgi?id=191184
2748
2749         Reviewed by Saam Barati.
2750
2751         Most tests were failing due to timeouts, since they are too slow to
2752         run on CLoop. The exceptions are:
2753
2754         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2755         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2756         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2757         to change the stack size since CLoop requires it to be page aligned.
2758
2759         * microbenchmarks/array-push-1.js:
2760         * microbenchmarks/array-push-2.js:
2761         * microbenchmarks/elidable-new-object-dag.js:
2762         * microbenchmarks/elidable-new-object-roflcopter.js:
2763         * microbenchmarks/elidable-new-object-tree.js:
2764         * microbenchmarks/getter-richards.js:
2765         * microbenchmarks/sinkable-new-object-dag.js:
2766         * microbenchmarks/string-concat-long-convert.js:
2767         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2768         * slowMicrobenchmarks/array-push-3.js:
2769         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2770         * slowMicrobenchmarks/spread-small-array.js:
2771         * slowMicrobenchmarks/undefined-property-access.js:
2772         * stress/activation-sink-default-value-tdz-error.js:
2773         * stress/activation-sink-default-value.js:
2774         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2775         * stress/activation-sink-osrexit-default-value.js:
2776         * stress/activation-sink-osrexit.js:
2777         * stress/activation-sink.js:
2778         * stress/allow-math-ic-b3-code-duplication.js:
2779         * stress/array-push-multiple-int32.js:
2780         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2781         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2782         * stress/arrowfunction-lexical-this-activation-sink.js:
2783         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2784         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2785         * stress/elide-new-object-dag-then-exit.js:
2786         * stress/materialize-regexp-cyclic.js:
2787         * stress/new-regex-inline.js:
2788         * stress/op_add.js:
2789         * stress/op_bitand.js:
2790         * stress/op_bitor.js:
2791         * stress/op_bitxor.js:
2792         * stress/op_div-ConstVar.js:
2793         * stress/op_div-VarConst.js:
2794         * stress/op_div-VarVar.js:
2795         * stress/op_lshift-ConstVar.js:
2796         * stress/op_lshift-VarConst.js:
2797         * stress/op_lshift-VarVar.js:
2798         * stress/op_mod-ConstVar.js:
2799         * stress/op_mod-VarConst.js:
2800         * stress/op_mod-VarVar.js:
2801         * stress/op_mul-ConstVar.js:
2802         * stress/op_mul-VarConst.js:
2803         * stress/op_mul-VarVar.js:
2804         * stress/op_rshift-ConstVar.js:
2805         * stress/op_rshift-VarConst.js:
2806         * stress/op_rshift-VarVar.js:
2807         * stress/op_sub-ConstVar.js:
2808         * stress/op_sub-VarConst.js:
2809         * stress/op_sub-VarVar.js:
2810         * stress/op_urshift-ConstVar.js:
2811         * stress/op_urshift-VarConst.js:
2812         * stress/op_urshift-VarVar.js:
2813         * stress/proxy-get-set-correct-receiver.js:
2814         * stress/regress-179562.js:
2815         * stress/rest-parameter-many-arguments.js:
2816         * stress/sampling-profiler-richards.js:
2817         * stress/splay-flash-access-1ms.js:
2818         * stress/tailCallForwardArguments.js:
2819         * stress/typed-array-get-by-val-profiling.js:
2820         * typeProfiler/getter-richards.js:
2821
2822 2018-11-06  Michael Saboff  <msaboff@apple.com>
2823
2824         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2825         https://bugs.webkit.org/show_bug.cgi?id=191271
2826
2827         Reviewed by Saam Barati.
2828
2829         Added more test cases and made all test cases run with the same deeply recursive stack
2830         instead of finding that same point for each test case.
2831
2832         * stress/regexp-compile-oom.js:
2833         (prototype.runTest):
2834         (recurseAndTest):
2835         (testList.push.new.TestAndExpectedException):
2836
2837 2018-11-05  Michael Saboff  <msaboff@apple.com>
2838
2839         Unreviewed build fix for linux.
2840
2841         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2842
2843 2018-11-02  Michael Saboff  <msaboff@apple.com>
2844
2845         Rolling in r237753 with unreviewed build fix.
2846
2847         Fixed issues with DECLARE_THROW_SCOPE placement.
2848
2849 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2850
2851         Unreviewed, rolling out r237753.
2852
2853         Introduced JSC test failures
2854
2855         Reverted changeset:
2856
2857         "Running out of stack space not properly handled in
2858         RegExp::compile() and its callers"
2859         https://bugs.webkit.org/show_bug.cgi?id=191206
2860         https://trac.webkit.org/changeset/237753
2861
2862 2018-11-02  Michael Saboff  <msaboff@apple.com>
2863
2864         Running out of stack space not properly handled in RegExp::compile() and its callers
2865         https://bugs.webkit.org/show_bug.cgi?id=191206
2866
2867         Reviewed by Filip Pizlo.
2868
2869         New regression test.
2870
2871         * stress/regexp-compile-oom.js: Added.
2872         (recurseAndTest):
2873
2874 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2875
2876         Skip tests on arm/mips that time out now we're running on CLoop
2877
2878         Unreviewed gardening.
2879
2880         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2881         time out on the bots and need to be disabled. There's more tests
2882         disabled on arm because the timeout is longer on the mips bot (as the
2883         device is slower to start with), so many of the tests don't time out
2884         there.
2885
2886         * microbenchmarks/getter-richards.js: disable on arm and mips.
2887         * stress/op_add.js: disable on arm.
2888         * stress/op_bitand.js: disable on arm.
2889         * stress/op_bitor.js: disable on arm.
2890         * stress/op_bitxor.js: disable on arm.
2891         * stress/op_lshift-ConstVar.js: disable on arm.
2892         * stress/op_lshift-VarConst.js: disable on arm.
2893         * stress/op_lshift-VarVar.js: disable on arm.
2894         * stress/op_mod-ConstVar.js: disable on arm.
2895         * stress/op_mod-VarConst.js: disable on arm.
2896         * stress/op_mod-VarVar.js: disable on arm.
2897         * stress/op_mul-ConstVar.js: disable on arm.
2898         * stress/op_mul-VarConst.js: disable on arm.
2899         * stress/op_mul-VarVar.js: disable on arm.
2900         * stress/op_rshift-ConstVar.js: disable on arm.
2901         * stress/op_rshift-VarConst.js: disable on arm.
2902         * stress/op_rshift-VarVar.js: disable on arm.
2903         * stress/op_sub-ConstVar.js: disable on arm.
2904         * stress/op_sub-VarConst.js: disable on arm.
2905         * stress/op_sub-VarVar.js: disable on arm.
2906         * stress/op_urshift-ConstVar.js: disable on arm.
2907         * stress/op_urshift-VarConst.js: disable on arm.
2908         * stress/op_urshift-VarVar.js: disable on arm.
2909         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2910         * stress/value-to-boolean.js: disable on arm and mips.
2911
2912 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2913
2914         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2915         https://bugs.webkit.org/show_bug.cgi?id=191108
2916         <rdar://problem/45690700>
2917
2918         Reviewed by Saam Barati.
2919
2920         * stress/wide-op_catch.js: Added.
2921         (catch):
2922
2923 2018-10-29  Mark Lam  <mark.lam@apple.com>
2924
2925         Correctly detect string overflow when using the 'Function' constructor.
2926         https://bugs.webkit.org/show_bug.cgi?id=184883
2927         <rdar://problem/36320331>
2928
2929         Reviewed by Saam Barati.
2930
2931         I've verified that this passes on 32-bit as well.
2932
2933         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2934
2935 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2936
2937         Add support for GetStack FlushedDouble
2938         https://bugs.webkit.org/show_bug.cgi?id=191012
2939         <rdar://problem/45265141>
2940
2941         Reviewed by Saam Barati.
2942
2943         * stress/get-stack-double.js: Added.
2944         (bar):
2945         (noInline):
2946
2947 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2948
2949         New bytecode format for JSC
2950         https://bugs.webkit.org/show_bug.cgi?id=187373
2951         <rdar://problem/44186758>
2952
2953         Reviewed by Filip Pizlo.
2954
2955         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2956
2957         * stress/maximum-inline-capacity.js: Added.
2958         (test1):
2959         (test3.Foo):
2960         (test3):
2961
2962 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2963
2964         Unreviewed, rolling out r237479 and r237484.
2965         https://bugs.webkit.org/show_bug.cgi?id=190978
2966
2967         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2968
2969         Reverted changesets:
2970
2971         "New bytecode format for JSC"
2972         https://bugs.webkit.org/show_bug.cgi?id=187373
2973         https://trac.webkit.org/changeset/237479
2974
2975         "Gardening: Build fix after r237479."
2976         https://bugs.webkit.org/show_bug.cgi?id=187373
2977         https://trac.webkit.org/changeset/237484
2978
2979 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2980
2981         New bytecode format for JSC
2982         https://bugs.webkit.org/show_bug.cgi?id=187373
2983         <rdar://problem/44186758>
2984
2985         Reviewed by Filip Pizlo.
2986
2987         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2988
2989         * stress/maximum-inline-capacity.js: Added.
2990         (test1):
2991         (test3.Foo):
2992         (test3):
2993
2994 2018-10-26  Mark Lam  <mark.lam@apple.com>
2995
2996         Fix missing edge cases with JSGlobalObjects having a bad time.
2997         https://bugs.webkit.org/show_bug.cgi?id=189028
2998         <rdar://problem/45204939>
2999
3000         Reviewed by Saam Barati.
3001
3002         * stress/regress-189028.js: Added.
3003
3004 2018-10-22  Mark Lam  <mark.lam@apple.com>
3005
3006         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3007         https://bugs.webkit.org/show_bug.cgi?id=190515
3008         <rdar://problem/45222379>
3009
3010         Rubber-stamped by Saam Barati.
3011
3012         Adding another test.
3013
3014         * stress/regress-190515-2.js: Added.
3015
3016 2018-10-22  Mark Lam  <mark.lam@apple.com>
3017
3018         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3019         https://bugs.webkit.org/show_bug.cgi?id=190515
3020         <rdar://problem/45222379>
3021
3022         Reviewed by Saam Barati.
3023
3024         * stress/regress-190515.js: Added.
3025
3026 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3027
3028         Unreviewed, rolling out r237254.
3029         https://bugs.webkit.org/show_bug.cgi?id=190760
3030
3031         "It regresses JetStream 2 by 5% on some iOS devices"
3032         (Requested by saamyjoon on #webkit).
3033
3034         Reverted changeset:
3035
3036         "[JSC] JSC should have "parseFunction" to optimize Function
3037         constructor"
3038         https://bugs.webkit.org/show_bug.cgi?id=190340
3039         https://trac.webkit.org/changeset/237254
3040
3041 2018-10-19  Saam Barati  <sbarati@apple.com>
3042
3043         vmCall should check if we exit before emitting an OSR exit due to exceptions
3044         https://bugs.webkit.org/show_bug.cgi?id=190740
3045         <rdar://problem/45220139>
3046
3047         Reviewed by Mark Lam.
3048
3049         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3050         (foo):
3051
3052 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3053
3054         [ESNext][BigInt] Implement support for "^"
3055         https://bugs.webkit.org/show_bug.cgi?id=186235
3056
3057         Reviewed by Yusuke Suzuki.
3058
3059         * stress/big-int-bitwise-xor-general.js: Added.
3060         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3061         * stress/big-int-bitwise-xor-type-error.js: Added.
3062         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3063
3064 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3065
3066         [BigInt] Add ValueSub into DFG
3067         https://bugs.webkit.org/show_bug.cgi?id=186176
3068
3069         Reviewed by Yusuke Suzuki.
3070
3071         * stress/big-int-subtraction-jit.js:
3072         * stress/value-sub-big-int-prediction-propagation.js: Added.
3073         * stress/value-sub-big-int-untyped.js: Added.
3074         * stress/value-sub-spec-none-case.js: Added.
3075
3076 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3077
3078         [JSC] JSC should have "parseFunction" to optimize Function constructor
3079         https://bugs.webkit.org/show_bug.cgi?id=190340
3080
3081         Reviewed by Mark Lam.
3082
3083         This patch fixes the line number of syntax errors raised by the Function constructor,
3084         since we now parse the final code only once. And we no longer use block statement
3085         for Function constructor's parsing.
3086
3087         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3088         * stress/function-cache-with-parameters-end-position.js: Added.
3089         (shouldBe):
3090         (shouldThrow):
3091         (i.anonymous):
3092         * stress/function-constructor-name.js: Added.
3093         (shouldBe):
3094         (GeneratorFunction):
3095         (AsyncFunction.async):
3096         (AsyncGeneratorFunction.async):
3097         (anonymous):
3098         (async.anonymous):
3099         * test262/expectations.yaml:
3100
3101 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3102
3103         Unreviewed, rolling out r237242.
3104         https://bugs.webkit.org/show_bug.cgi?id=190701
3105
3106         it breaks "stress/sampling-profiler-basic.js" (Requested by
3107         caiolima on #webkit).
3108
3109         Reverted changeset:
3110
3111         "[BigInt] Add ValueSub into DFG"
3112         https://bugs.webkit.org/show_bug.cgi?id=186176
3113         https://trac.webkit.org/changeset/237242
3114
3115 2018-10-17  Keith Miller  <keith_miller@apple.com>
3116
3117         AI does not clear Phantom allocation nodes.
3118         https://bugs.webkit.org/show_bug.cgi?id=190694
3119
3120         Reviewed by Saam Barati.
3121
3122         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3123         (Day):
3124         (DaysInYear):
3125         (TimeInYear):
3126         (TimeFromYear):
3127         (DayFromYear):
3128         (InLeapYear):
3129         (YearFromTime):
3130         (WeekDay):
3131         (DaylightSavingTA):
3132         (GetSecondSundayInMarch):
3133         (TimeInMonth):
3134
3135 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3136
3137         [BigInt] Add ValueSub into DFG
3138         https://bugs.webkit.org/show_bug.cgi?id=186176
3139
3140         Reviewed by Yusuke Suzuki.
3141
3142         * stress/big-int-subtraction-jit.js:
3143         * stress/value-sub-big-int-prediction-propagation.js: Added.
3144         * stress/value-sub-big-int-untyped.js: Added.
3145
3146 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3147
3148         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3149         https://bugs.webkit.org/show_bug.cgi?id=190611
3150
3151         Reviewed by Saam Barati.
3152
3153         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3154         to improve test runtime. On ARM/MIPS this test even timed out when running all
3155         tests.
3156
3157         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3158         (test):
3159
3160 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3161
3162         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3163
3164         Unreviewed gardening.
3165
3166         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3167
3168 2018-10-15  Saam barati  <sbarati@apple.com>
3169
3170         Emit fjcvtzs on ARM64E on Darwin
3171         https://bugs.webkit.org/show_bug.cgi?id=184023
3172
3173         Reviewed by Yusuke Suzuki and Filip Pizlo.
3174
3175         * stress/double-to-int32-NaN.js: Added.
3176         (assert):
3177         (foo):
3178
3179 2018-10-15  Saam Barati  <sbarati@apple.com>
3180
3181         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3182         https://bugs.webkit.org/show_bug.cgi?id=190262
3183         <rdar://problem/44986241>
3184
3185         Reviewed by Mark Lam.
3186
3187         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3188         (test):
3189         * stress/slice-array-storage-with-holes.js: Added.
3190         (main):
3191
3192 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3193
3194         Unreviewed, rolling out r237054.
3195         https://bugs.webkit.org/show_bug.cgi?id=190593
3196
3197         "this regressed JetStream 2 by 6% on iOS" (Requested by
3198         saamyjoon on #webkit).
3199
3200         Reverted changeset:
3201
3202         "[JSC] JSC should have "parseFunction" to optimize Function
3203         constructor"
3204         https://bugs.webkit.org/show_bug.cgi?id=190340
3205         https://trac.webkit.org/changeset/237054
3206
3207 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3208
3209         [JSC] JSON.stringify can accept call-with-no-arguments
3210         https://bugs.webkit.org/show_bug.cgi?id=190343
3211
3212         Reviewed by Mark Lam.
3213
3214         * stress/json-stringify-no-arguments.js: Added.
3215         (shouldBe):
3216
3217 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3218
3219         [JSC] JSC should have "parseFunction" to optimize Function constructor
3220         https://bugs.webkit.org/show_bug.cgi?id=190340
3221
3222         Reviewed by Mark Lam.
3223
3224         This patch fixes the line number of syntax errors raised by the Function constructor,
3225         since we now parse the final code only once. And we no longer use block statement
3226         for Function constructor's parsing.
3227
3228         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3229         * stress/function-cache-with-parameters-end-position.js: Added.
3230         (shouldBe):
3231         (shouldThrow):
3232         (i.anonymous):
3233         * stress/function-constructor-name.js: Added.
3234         (shouldBe):
3235         (GeneratorFunction):
3236         (AsyncFunction.async):
3237         (AsyncGeneratorFunction.async):
3238         (anonymous):
3239         (async.anonymous):
3240         * test262/expectations.yaml:
3241
3242 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3243
3244         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3245         https://bugs.webkit.org/show_bug.cgi?id=190426
3246
3247         Unreviewed gardening.
3248
3249         * stress/sampling-profiler-richards.js:
3250
3251 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3252
3253         [ESNext][BigInt] Implement support for "|"
3254         https://bugs.webkit.org/show_bug.cgi?id=186229
3255
3256         Reviewed by Yusuke Suzuki.
3257
3258         * stress/big-int-bitwise-and-jit.js:
3259         * stress/big-int-bitwise-or-general.js: Added.
3260         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3261         * stress/big-int-bitwise-or-jit.js: Added.
3262         * stress/big-int-bitwise-or-memory-stress.js: Added.
3263         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3264         * stress/big-int-bitwise-or-type-error.js: Added.
3265         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3266
3267 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3268
3269         Skip test on systems with limited memory
3270         https://bugs.webkit.org/show_bug.cgi?id=190310
3271
3272         Invoking runDefault adds test to runlist, skipping the test in the next
3273         line does not prevent the test from executing. Change order of lines such
3274         that runDefault is only executed if test is not executed.
3275
3276         Reviewed by Mark Lam.
3277
3278         * stress/regress-190187.js:
3279
3280 2018-10-03  Saam barati  <sbarati@apple.com>
3281
3282         lowXYZ in FTLLower should always filter the type of the incoming edge
3283         https://bugs.webkit.org/show_bug.cgi?id=189939
3284         <rdar://problem/44407030>
3285
3286         Reviewed by Michael Saboff.
3287
3288         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3289         (foo):
3290         (test):
3291
3292 2018-10-03  Mark Lam  <mark.lam@apple.com>
3293
3294         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3295         https://bugs.webkit.org/show_bug.cgi?id=190187
3296         <rdar://problem/42512909>
3297
3298         Reviewed by Michael Saboff.
3299
3300         * stress/regress-190187.js: Added.
3301
3302 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3303
3304         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3305         https://bugs.webkit.org/show_bug.cgi?id=190033
3306
3307         Reviewed by Yusuke Suzuki.
3308
3309         * stress/big-int-to-string.js:
3310
3311 2018-10-01  Mark Lam  <mark.lam@apple.com>
3312
3313         Function.toString() should also copy the source code of Functions that are class definitions.
3314         https://bugs.webkit.org/show_bug.cgi?id=190186
3315         <rdar://problem/44733360>
3316
3317         Reviewed by Saam Barati.
3318
3319         * stress/regress-190186.js: Added.
3320
3321 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3322
3323         Split NaN-check into separate test
3324         https://bugs.webkit.org/show_bug.cgi?id=190010
3325
3326         Reviewed by Saam Barati.
3327
3328         DataView exposes NaN-representation, which is not necessarily the same on each
3329         architecture. Therefore move the check of the NaN-representation into its own
3330         file such that we can disable this test on MIPS where NaN-representation can be
3331         different on older CPUs.
3332
3333         * stress/dataview-jit-set-nan.js: Added.
3334         (assert):
3335         (test.storeLittleEndian):
3336         (test.storeBigEndian):
3337         (test.store):
3338         (test):
3339         * stress/dataview-jit-set.js:
3340         (test5):
3341
3342 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3343
3344         Unreviewed, rolling out r236647.
3345         https://bugs.webkit.org/show_bug.cgi?id=190124
3346
3347         Breaking test stress/big-int-to-string.js (Requested by
3348         caiolima_ on #webkit).
3349
3350         Reverted changeset:
3351
3352         "[BigInt] BigInt.prototype.toString is broken when radix is
3353         power of 2"
3354         https://bugs.webkit.org/show_bug.cgi?id=190033
3355         https://trac.webkit.org/changeset/236647
3356
3357 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3358
3359         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3360         https://bugs.webkit.org/show_bug.cgi?id=190033
3361
3362         Reviewed by Yusuke Suzuki.
3363
3364         * stress/big-int-to-string.js:
3365
3366 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3367
3368         [ESNext][BigInt] Implement support for "&"
3369         https://bugs.webkit.org/show_bug.cgi?id=186228
3370
3371         Reviewed by Yusuke Suzuki.
3372
3373         * stress/big-int-bitwise-and-general.js: Added.
3374         (assert):
3375         (assert.sameValue):
3376         * stress/big-int-bitwise-and-jit.js: Added.
3377         (let.assert.sameValue):
3378         (bigIntBitAnd):
3379         * stress/big-int-bitwise-and-memory-stress.js: Added.
3380         (assert):
3381         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3382         (assert.sameValue):
3383         (let.o.Symbol.toPrimitive):
3384         (catch):
3385         * stress/big-int-bitwise-and-type-error.js: Added.
3386         (assert):
3387         (assertThrowTypeError):
3388         (let.o.valueOf):
3389         (o.valueOf):
3390         (o.toString):
3391         (o.Symbol.toPrimitive):
3392         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3393         (assert.sameValue):
3394         (testBitAnd):
3395         (let.o.Symbol.toPrimitive):
3396         (o.valueOf):
3397         (o.toString):
3398
3399 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3400
3401         JSC test stress/jsc-read.js doesn't support CRLF
3402         https://bugs.webkit.org/show_bug.cgi?id=190063
3403
3404         Reviewed by Yusuke Suzuki.
3405
3406         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3407
3408         * stress/jsc-read.js:
3409         (test):
3410
3411 2018-09-27  Saam barati  <sbarati@apple.com>
3412
3413         Verify the contents of AssemblerBuffer on arm64e
3414         https://bugs.webkit.org/show_bug.cgi?id=190057
3415         <rdar://problem/38916630>
3416
3417         Reviewed by Mark Lam.
3418
3419         * stress/regress-189132.js:
3420
3421 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3422
3423         Disable test without LLInt on ARMv7
3424         https://bugs.webkit.org/show_bug.cgi?id=190037
3425
3426         Reviewed by Mark Lam.
3427
3428         Test runs out of executable memory on ARMv7; do not run
3429         this test without LLInt enabled.
3430
3431         * stress/regress-169445.js:
3432
3433 2018-09-26  Keith Miller  <keith_miller@apple.com>
3434
3435         We should zero unused property storage when rebalancing array storage.
3436         https://bugs.webkit.org/show_bug.cgi?id=188151
3437
3438         Reviewed by Michael Saboff.
3439
3440         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3441
3442 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3443
3444         [JSC] Optimize Array#lastIndexOf
3445         https://bugs.webkit.org/show_bug.cgi?id=189780
3446
3447         Reviewed by Saam Barati.
3448
3449         * stress/array-lastindexof-array-prototype-trap.js: Added.
3450         (shouldBe):
3451         (AncestorArray.prototype.get 2):
3452         (AncestorArray):
3453         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3454         (shouldBe):
3455         * stress/array-lastindexof-hole-nan.js: Added.
3456         (shouldBe):
3457         (throw.new.Error):
3458         * stress/array-lastindexof-infinity.js: Added.
3459         (shouldBe):
3460         (throw.new.Error):
3461         * stress/array-lastindexof-negative-zero.js: Added.
3462         (shouldBe):
3463         (throw.new.Error):
3464         * stress/array-lastindexof-own-getter.js: Added.
3465         (shouldBe):
3466         (throw.new.Error.get array):
3467         (get array):
3468         * stress/array-lastindexof-prototype-trap.js: Added.
3469         (shouldBe):
3470         (DerivedArray.prototype.get 2):
3471         (DerivedArray):
3472
3473 2018-09-25  Saam Barati  <sbarati@apple.com>
3474
3475         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3476         https://bugs.webkit.org/show_bug.cgi?id=189940
3477         <rdar://problem/43640987>
3478
3479         Reviewed by Mark Lam.
3480
3481         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3482
3483 2018-09-24  Saam Barati  <sbarati@apple.com>
3484
3485         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3486         https://bugs.webkit.org/show_bug.cgi?id=189922
3487         <rdar://problem/44651275>
3488
3489         Reviewed by Mark Lam.
3490
3491         * stress/array-indexof-fast-path-effects.js: Added.
3492         * stress/array-indexof-cached-length.js: Added.
3493
3494 2018-09-24  Saam barati  <sbarati@apple.com>
3495
3496         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3497         https://bugs.webkit.org/show_bug.cgi?id=189682
3498         <rdar://problem/43557315>
3499
3500         Reviewed by Mark Lam.
3501
3502         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3503         (foo):
3504
3505 2018-09-22  Saam barati  <sbarati@apple.com>
3506
3507         The sampling should not use Strong<CodeBlock> in its machineLocation field
3508         https://bugs.webkit.org/show_bug.cgi?id=189319
3509
3510         Reviewed by Filip Pizlo.
3511
3512         * stress/sampling-profiler-richards.js: Added.
3513
3514 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3515
3516         [JSC] Optimize Array#indexOf in C++ runtime
3517         https://bugs.webkit.org/show_bug.cgi?id=189507
3518
3519         Reviewed by Saam Barati.
3520
3521         * stress/array-indexof-array-prototype-trap.js: Added.
3522         (shouldBe):
3523         (AncestorArray.prototype.get 2):
3524         (AncestorArray):
3525         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3526         (shouldBe):
3527         * stress/array-indexof-hole-nan.js: Added.
3528         (shouldBe):
3529         (throw.new.Error):
3530         * stress/array-indexof-infinity.js: Added.
3531         (shouldBe):
3532         (throw.new.Error):
3533         * stress/array-indexof-negative-zero.js: Added.
3534         (shouldBe):
3535         (throw.new.Error):
3536         * stress/array-indexof-own-getter.js: Added.
3537         (shouldBe):
3538         (throw.new.Error.get array):
3539         (get array):
3540         * stress/array-indexof-prototype-trap.js: Added.
3541         (shouldBe):
3542         (DerivedArray.prototype.get 2):
3543         (DerivedArray):
3544
3545 2018-09-19  Saam barati  <sbarati@apple.com>
3546
3547         AI rule for MultiPutByOffset executes its effects in the wrong order
3548         https://bugs.webkit.org/show_bug.cgi?id=189757
3549         <rdar://problem/43535257>
3550
3551         Reviewed by Michael Saboff.
3552
3553         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3554         (foo):
3555         (Foo):
3556         (g):
3557
3558 2018-09-17  Mark Lam  <mark.lam@apple.com>
3559
3560         Ensure that ForInContexts are invalidated if their loop local is over-written.
3561         https://bugs.webkit.org/show_bug.cgi?id=189571
3562         <rdar://problem/44402277>
3563
3564         Reviewed by Saam Barati.
3565
3566         * stress/regress-189571.js: Added.
3567
3568 2018-09-17  Saam barati  <sbarati@apple.com>
3569
3570         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3571         https://bugs.webkit.org/show_bug.cgi?id=189676
3572         <rdar://problem/39682897>
3573
3574         Reviewed by Michael Saboff.
3575
3576         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3577         (A):
3578         (K):
3579         (i.catch):
3580
3581 2018-09-14  Saam barati  <sbarati@apple.com>
3582
3583         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3584         https://bugs.webkit.org/show_bug.cgi?id=189628
3585         <rdar://problem/39481690>
3586
3587         Reviewed by Mark Lam.
3588
3589         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3590         (foo):
3591
3592 2018-09-11  Mark Lam  <mark.lam@apple.com>
3593
3594         Test for array initialization in arrayProtoFuncSplice.
3595         https://bugs.webkit.org/show_bug.cgi?id=170253
3596         <rdar://problem/31328773>
3597
3598         Rubber-stamped by Saam Barati.
3599
3600         * stress/regress-170253.js: Added.
3601
3602 2018-09-11  Mark Lam  <mark.lam@apple.com>
3603
3604         Test for IntlObject initialization.
3605         https://bugs.webkit.org/show_bug.cgi?id=170251
3606         <rdar://problem/31328419>
3607
3608         Rubber-stamped by Saam Barati.
3609
3610         * stress/regress-170251.js: Added.
3611
3612 2018-09-11  Mark Lam  <mark.lam@apple.com>
3613
3614         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3615         https://bugs.webkit.org/show_bug.cgi?id=169889
3616         <rdar://problem/31155607>
3617
3618         Reviewed by Saam Barati.
3619
3620         * stress/regress-169889-array-concat.js: Added.
3621         * stress/regress-169889-array-concat1.js: Added.
3622         * stress/regress-169889-array-slice.js: Added.
3623
3624 2018-09-11  Mark Lam  <mark.lam@apple.com>
3625
3626         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3627         https://bugs.webkit.org/show_bug.cgi?id=169445
3628         <rdar://problem/30957435>
3629
3630         Reviewed by Saam Barati.
3631
3632         * stress/regress-169445.js: Added.
3633         (let.gun.eval.A):
3634         (let.gun.eval.B.C):
3635         (let.gun.eval.B.C.prototype.trigger):
3636         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3637         (let.gun.eval.B):
3638         (let.gun.eval):
3639
3640 == Rolled over to ChangeLog-2018-09-11 ==