29a741a2c146815bbab6b92cbb6201078042ef41
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Unreviewed, rolling out r243948.
4
5         Caused inspector/runtime/parse.html to fail
6
7         Reverted changeset:
8
9         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
10         https://bugs.webkit.org/show_bug.cgi?id=196486
11         https://trac.webkit.org/changeset/243948
12
13 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
14
15         Unreviewed, rolling out r243943.
16
17         Caused test262 failures.
18
19         Reverted changeset:
20
21         "[JSC] Filter DontEnum properties in
22         ProxyObject::getOwnPropertyNames()"
23         https://bugs.webkit.org/show_bug.cgi?id=176810
24         https://trac.webkit.org/changeset/243943
25
26 2019-04-07  Michael Saboff  <msaboff@apple.com>
27
28         REGRESSION (r243642): Crash in reddit.com page
29         https://bugs.webkit.org/show_bug.cgi?id=196684
30
31         Reviewed by Geoffrey Garen.
32
33         New regression test.
34
35         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
36
37 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
38
39         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
40         https://bugs.webkit.org/show_bug.cgi?id=196683
41
42         Reviewed by Saam Barati.
43
44         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
45         (foo):
46
47 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
48
49         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
50         https://bugs.webkit.org/show_bug.cgi?id=196582
51
52         Reviewed by Saam Barati.
53
54         * stress/add-overflow-check-with-three-same-registers.js: Added.
55         (foo):
56         (Number.prototype.valueOf):
57         (runWithNumber):
58
59 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
60
61         Unreviewed, rolling out r243665.
62
63         Caused iOS JSC tests to exit with an exception.
64
65         Reverted changeset:
66
67         "Assertion failed in JSC::createError"
68         https://bugs.webkit.org/show_bug.cgi?id=196305
69         https://trac.webkit.org/changeset/243665
70
71 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
72
73         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
74         https://bugs.webkit.org/show_bug.cgi?id=196486
75
76         Reviewed by Saam Barati.
77
78         * stress/arrow-function-and-use-strict-directive.js: Added.
79         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
80         (checkSyntax):
81         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
82
83 2019-04-05  Caitlin Potter  <caitp@igalia.com>
84
85         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
86         https://bugs.webkit.org/show_bug.cgi?id=176810
87
88         Reviewed by Saam Barati.
89
90         Add tests for the DontEnum filtering, and variations of other tests
91         take the DontEnum-filtering path.
92
93         * stress/proxy-own-keys.js:
94         (i.catch):
95         (set assert):
96         (set add):
97         (let.set new):
98         (get let):
99
100 2019-04-05  Caitlin Potter  <caitp@igalia.com>
101
102         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
103         https://bugs.webkit.org/show_bug.cgi?id=185211
104
105         Reviewed by Saam Barati.
106
107         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
108
109         This changes several assertions to expect a TypeError to be thrown (in some cases,
110         changing the expected message).
111
112         * es6/Proxy_ownKeys_duplicates.js:
113         (handler):
114         (shouldThrow):
115         (test):
116         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
117         (shouldThrow):
118         * stress/proxy-own-keys.js:
119         (i.catch):
120         (assert):
121
122 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
123
124         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
125         https://bugs.webkit.org/show_bug.cgi?id=196631
126
127         Reviewed by Saam Barati.
128
129         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
130         (assert):
131         (test):
132         (foo):
133
134 2019-04-04  Saam Barati  <sbarati@apple.com>
135
136         Unreviewed. Make the test from r243906 catch the thrown exceptions.
137
138         * stress/inferred-types-regex-matches-array.js:
139
140 2019-04-04  Saam Barati  <sbarati@apple.com>
141
142         createRegExpMatchesArray does not respect inferred types
143         https://bugs.webkit.org/show_bug.cgi?id=193287
144
145         Reviewed by Yusuke Suzuki.
146
147         This checks in the test case for 193287. This issue was discovered by
148         Samuel Groß of Google Project Zero.
149
150         * stress/inferred-types-regex-matches-array.js: Added.
151
152 2019-04-04  Saam barati  <sbarati@apple.com>
153
154         Teach Call ICs how to call Wasm
155         https://bugs.webkit.org/show_bug.cgi?id=196387
156
157         Reviewed by Filip Pizlo.
158
159         * wasm/function-tests/stack-trace.js:
160
161 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
162
163         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
164         https://bugs.webkit.org/show_bug.cgi?id=194944
165
166         Reviewed by Keith Miller.
167
168         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
169
170 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
171
172         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
173         https://bugs.webkit.org/show_bug.cgi?id=196409
174
175         Reviewed by Saam Barati.
176
177         * stress/bytecode-cache-cached-string-impl.js: Added.
178         (f):
179         (g):
180         * stress/bytecode-cache-run-string.js: Added.
181
182 2019-04-03  Robin Morisset  <rmorisset@apple.com>
183
184         B3 should use associativity to optimize expression trees
185         https://bugs.webkit.org/show_bug.cgi?id=194081
186
187         Reviewed by Filip Pizlo.
188
189         Added three microbenchmarks:
190         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
191         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
192           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
193         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
194
195         * microbenchmarks/add-tree.js: Added.
196         * microbenchmarks/bit-or-tree.js: Added.
197         * microbenchmarks/bit-xor-tree.js: Added.
198
199 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
200
201         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
202         https://bugs.webkit.org/show_bug.cgi?id=196574
203
204         Reviewed by Saam Barati.
205
206         * stress/string-index-of-exception-check.js: Added.
207         (blurType):
208         (1.forEach):
209
210 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
211
212         Assertion failed in JSC::createError
213         https://bugs.webkit.org/show_bug.cgi?id=196305
214         <rdar://problem/49387382>
215
216         Reviewed by Saam Barati.
217
218         * stress/create-error-out-of-memory-rope-string-2.js: Added.
219         (assert):
220         (catch):
221
222 2019-03-28  Saam Barati  <sbarati@apple.com>
223
224         BackwardsGraph needs to consider back edges as the backward's root successor
225         https://bugs.webkit.org/show_bug.cgi?id=195991
226
227         Reviewed by Filip Pizlo.
228
229         * stress/map-b3-licm-infinite-loop.js: Added.
230
231 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
232
233         CodeBlock::jettison() should disallow repatching its own calls
234         https://bugs.webkit.org/show_bug.cgi?id=196359
235         <rdar://problem/48973663>
236
237         Reviewed by Saam Barati.
238
239         * stress/call-link-info-osrexit-repatch.js: Added.
240         (foo):
241
242 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
243
244         [JSC] imports-oom.js intermittently fails
245         https://bugs.webkit.org/show_bug.cgi?id=196373
246
247         Reviewed by Saam Barati.
248
249         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
250         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
251         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
252         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
253         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
254
255         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
256         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
257
258         * wasm/lowExecutableMemory/imports-oom.js:
259
260 2019-03-27  Saam Barati  <sbarati@apple.com>
261
262         validateOSREntryValue with Int52 should box the value being checked into double format
263         https://bugs.webkit.org/show_bug.cgi?id=196313
264         <rdar://problem/49306703>
265
266         Reviewed by Yusuke Suzuki.
267
268         * stress/validate-int-52-ai-state.js: Added.
269
270 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
271
272         [JSC] Owner of watchpoints should validate at GC finalizing phase
273         https://bugs.webkit.org/show_bug.cgi?id=195827
274
275         Reviewed by Filip Pizlo.
276
277         * stress/gc-should-reap-dead-watchpoints.js: Added.
278         (foo):
279         (A.prototype.y):
280         (A):
281
282 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
283
284         Skip WebAssembly test on 32-bit systems
285         https://bugs.webkit.org/show_bug.cgi?id=196206
286
287         Reviewed by Saam Barati.
288
289         Invoking runDefault executes test immediately even though
290         that test should be skipped due to missing WASM support.
291         Therefore remove runDefault.
292
293         * wasm/regress/web-assembly-link-error-exception-check.js:
294
295 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
296
297         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
298         https://bugs.webkit.org/show_bug.cgi?id=196217
299
300         Reviewed by Saam Barati.
301
302         Re-enable all NaN tests for f32.min, f64.min and f64.max.
303
304         * wasm/spec-tests/f32.wast.js:
305         * wasm/spec-tests/f64.wast.js:
306         * wasm/wasm.json:
307
308 2019-03-25  Keith Miller  <keith_miller@apple.com>
309
310         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
311         https://bugs.webkit.org/show_bug.cgi?id=196176
312
313         Reviewed by Saam Barati.
314
315         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
316         (main.v10):
317         (main):
318
319 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
320
321         WebAssembly: f32.max with NaN generates incorrect result
322         https://bugs.webkit.org/show_bug.cgi?id=175691
323         <rdar://problem/33952228>
324
325         Reviewed by Saam Barati.
326
327         Enable all f32.max NaN tests
328
329         * wasm/spec-tests/f32.wast.js:
330         * wasm/wasm.json:
331
332 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
333
334         [JSC] Move test into directory for WASM tests
335         https://bugs.webkit.org/show_bug.cgi?id=196187
336
337         Reviewed by Mark Lam.
338
339         Move Test into wasm-directory. Otherwise this test
340         is also executed on systems without WASM support.
341
342         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
343
344 2019-03-23  Mark Lam  <mark.lam@apple.com>
345
346         Rolling out r243032 and r243071 because the fix is incorrect.
347         https://bugs.webkit.org/show_bug.cgi?id=195892
348         <rdar://problem/48981239>
349
350         Not reviewed.
351
352         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
353
354 2019-03-22  Mark Lam  <mark.lam@apple.com>
355
356         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
357         https://bugs.webkit.org/show_bug.cgi?id=196154
358         <rdar://problem/49145307>
359
360         Reviewed by Filip Pizlo.
361
362         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
363         There's no need to run this test on more than 1 test configuration.
364
365         * stress/typed-array-lastIndexOf-exception-check.js: Added.
366         * stress/web-assembly-link-error-exception-check.js:
367
368 2019-03-22  Mark Lam  <mark.lam@apple.com>
369
370         Placate exception check validation in constructJSWebAssemblyLinkError().
371         https://bugs.webkit.org/show_bug.cgi?id=196152
372         <rdar://problem/49145257>
373
374         Reviewed by Michael Saboff.
375
376         * stress/web-assembly-link-error-exception-check.js: Added.
377
378 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
379
380         Skip tests running out of memory on ARM/MIPS
381         https://bugs.webkit.org/show_bug.cgi?id=196131
382
383         Unreviewed. Skip test if memory is limited.
384
385         * microbenchmarks/put-by-val-direct-large-index.js:
386
387 2019-03-21  Mark Lam  <mark.lam@apple.com>
388
389         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
390         https://bugs.webkit.org/show_bug.cgi?id=196116
391         <rdar://problem/48976951>
392
393         Reviewed by Filip Pizlo.
394
395         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
396
397 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
398
399         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
400         https://bugs.webkit.org/show_bug.cgi?id=196078
401         <rdar://problem/35925380>
402
403         Reviewed by Mark Lam.
404
405         Add a new benchmark that allocates several objects and invokes put_by_val_direct
406         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
407
408         * microbenchmarks/put-by-val-direct-large-index.js: Added.
409
410 2019-03-21  Mark Lam  <mark.lam@apple.com>
411
412         Placate exception check validation in operationArrayIndexOfString().
413         https://bugs.webkit.org/show_bug.cgi?id=196067
414         <rdar://problem/49056572>
415
416         Reviewed by Michael Saboff.
417
418         * stress/string-equal-exception-check.js: Added.
419
420 2019-03-21  Mark Lam  <mark.lam@apple.com>
421
422         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
423         https://bugs.webkit.org/show_bug.cgi?id=196055
424         <rdar://problem/49067448>
425
426         Reviewed by Yusuke Suzuki.
427
428         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
429
430 2019-03-20  Saam Barati  <sbarati@apple.com>
431
432         typeOfDoubleSum is wrong for when NaN can be produced
433         https://bugs.webkit.org/show_bug.cgi?id=196030
434
435         Reviewed by Filip Pizlo.
436
437         * stress/double-add-sub-mul-can-produce-nan.js: Added.
438         (assert):
439         (noInline.sub):
440         (noInline):
441         (assert.mul):
442         (assert.add):
443
444 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
445
446         Update the test to ensure OutOfMemoryError is thrown as intended
447         https://bugs.webkit.org/show_bug.cgi?id=196032
448         <rdar://problem/46842740>
449
450         Rubber stamped by Saam Barati.
451
452         * stress/create-error-out-of-memory-rope-string.js:
453         (assert):
454         (catch):
455
456 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
457
458         JSC::createError needs to check for OOM in errorDescriptionForValue
459         https://bugs.webkit.org/show_bug.cgi?id=196032
460         <rdar://problem/46842740>
461
462         Reviewed by Mark Lam.
463
464         * stress/create-error-out-of-memory-rope-string.js: Added.
465
466 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
467
468         Unreviewed, reduce # of iterations to avoid timing out after r242991
469         https://bugs.webkit.org/show_bug.cgi?id=195791
470
471         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
472
473         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
474
475 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
476
477         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
478         https://bugs.webkit.org/show_bug.cgi?id=195950
479
480         Unreviewed, reducing the amount of memory used on this test to avoid
481         OOM on devices with memory restrictions.
482
483         * microbenchmarks/generate-multiple-llint-entrypoints.js:
484
485 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
486
487         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
488         https://bugs.webkit.org/show_bug.cgi?id=194648
489
490         Reviewed by Keith Miller.
491
492         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
493
494 2019-03-18  Mark Lam  <mark.lam@apple.com>
495
496         Missing a ThrowScope release in JSObject::toString().
497         https://bugs.webkit.org/show_bug.cgi?id=195893
498         <rdar://problem/48970986>
499
500         Reviewed by Michael Saboff.
501
502         * stress/to-string-exception-check-release.js: Added.
503
504 2019-03-18  Mark Lam  <mark.lam@apple.com>
505
506         Structure::flattenDictionary() should clear unused property slots.
507         https://bugs.webkit.org/show_bug.cgi?id=195871
508         <rdar://problem/48959497>
509
510         Reviewed by Michael Saboff.
511
512         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
513
514 2019-03-15  Mark Lam  <mark.lam@apple.com>
515
516         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
517         https://bugs.webkit.org/show_bug.cgi?id=195827
518         <rdar://problem/48845513>
519
520         Reviewed by Filip Pizlo.
521
522         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
523
524 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
525
526         [ARM,MIPS] Skip slow tests
527         https://bugs.webkit.org/show_bug.cgi?id=195799
528
529         Unreviewed, test does not finish on ARM and MIPS within the
530         timeout limit.
531
532         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
533
534 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
535
536         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
537         https://bugs.webkit.org/show_bug.cgi?id=195791
538         <rdar://problem/48806130>
539
540         Reviewed by Mark Lam.
541
542         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
543         (foo):
544
545 2019-03-14  Saam barati  <sbarati@apple.com>
546
547         We can't remove code after ForceOSRExit until after FixupPhase
548         https://bugs.webkit.org/show_bug.cgi?id=186916
549         <rdar://problem/41396612>
550
551         Reviewed by Yusuke Suzuki.
552
553         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
554         (foo):
555         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
556         (foo):
557
558 2019-03-13  Michael Saboff  <msaboff@apple.com>
559
560         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
561         https://bugs.webkit.org/show_bug.cgi?id=195735
562
563         Reviewed by Mark Lam.
564
565         New regression test.
566
567         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
568         (foo):
569         (bar):
570
571 2019-03-14  Saam barati  <sbarati@apple.com>
572
573         Fixup uses KnownInt32 incorrectly in some nodes
574         https://bugs.webkit.org/show_bug.cgi?id=195279
575         <rdar://problem/47915654>
576
577         Reviewed by Yusuke Suzuki.
578
579         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
580         (foo):
581
582 2019-03-14  Keith Miller  <keith_miller@apple.com>
583
584         DFG liveness can't skip tail caller inline frames
585         https://bugs.webkit.org/show_bug.cgi?id=195715
586
587         Reviewed by Saam Barati.
588
589         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
590         (i.foo):
591
592 2019-03-13  Mark Lam  <mark.lam@apple.com>
593
594         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
595         https://bugs.webkit.org/show_bug.cgi?id=195415
596
597         Not reviewed.
598
599         Changed these tests to only run the default configuration.
600         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
601         There's no strong need to run this test on that variant.
602
603         * stress/dfg-to-string-on-int-does-gc.js:
604         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
605
606 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
607
608         String overflow when using StringBuilder in JSC::createError
609         https://bugs.webkit.org/show_bug.cgi?id=194957
610
611         Reviewed by Mark Lam.
612
613         Add test string-overflow-createError-builder.js that overflows
614         StringBuilder in notAFunctionSourceAppender. The second new test
615         string-overflow-createError-fit.js has an error message that doesn't
616         overflow, it still failed since the String's capacity can't be doubled.
617         Run test string-overflow-createError.js only in the default
618         configuration to reduce memory consumption when running the test
619         in all configurations on multiple CPUs in parallel.
620
621         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
622         (catch):
623         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
624         (catch):
625         * stress/string-overflow-createError.js:
626
627 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
628
629         [JSC] OSR entry should respect abstract values in addition to flush formats
630         https://bugs.webkit.org/show_bug.cgi?id=195653
631
632         Reviewed by Mark Lam.
633
634         * stress/osr-entry-locals-none.js: Added.
635
636 2019-03-12  Michael Saboff  <msaboff@apple.com>
637
638         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
639         https://bugs.webkit.org/show_bug.cgi?id=195613
640
641         Reviewed by Mark Lam.
642
643         New regression test.
644
645         * stress/regexp-backref-inbounds.js: Added.
646         (testRegExp):
647
648 2019-03-12  Mark Lam  <mark.lam@apple.com>
649
650         The HasIndexedProperty node does GC.
651         https://bugs.webkit.org/show_bug.cgi?id=195559
652         <rdar://problem/48767923>
653
654         Reviewed by Yusuke Suzuki.
655
656         * stress/HasIndexedProperty-does-gc.js: Added.
657
658 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
659
660         [ESNext][BigInt] Implement "~" unary operation
661         https://bugs.webkit.org/show_bug.cgi?id=182216
662
663         Reviewed by Keith Miller.
664
665         * stress/big-int-bit-not-general.js: Added.
666         * stress/big-int-bitwise-not-jit.js: Added.
667         * stress/big-int-bitwise-not-wrapped-value.js: Added.
668         * stress/bit-op-with-object-returning-int32.js:
669         * stress/bitwise-not-fixup-rules.js: Added.
670         * stress/value-bit-not-ai-rule.js: Added.
671
672 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
673
674         Invalid flags in a RegExp literal should be an early SyntaxError
675         https://bugs.webkit.org/show_bug.cgi?id=195514
676
677         Reviewed by Darin Adler.
678
679         * test262/expectations.yaml:
680         Mark 4 test cases as passing.
681
682         * stress/regexp-syntax-error-invalid-flags.js:
683         * stress/regress-161995.js: Removed.
684         Update existing test, merging in an older test for the same behavior.
685
686 2019-03-08  Mark Lam  <mark.lam@apple.com>
687
688         Stack overflow crash in JSC::JSObject::hasInstance.
689         https://bugs.webkit.org/show_bug.cgi?id=195458
690         <rdar://problem/48710195>
691
692         Reviewed by Yusuke Suzuki.
693
694         * stress/stack-overflow-in-custom-hasInstance.js: Added.
695
696 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
697
698         op_check_tdz does not def its argument
699         https://bugs.webkit.org/show_bug.cgi?id=192880
700         <rdar://problem/46221598>
701
702         Reviewed by Saam Barati.
703
704         * microbenchmarks/let-for-in.js: Added.
705         (foo):
706
707 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
708
709         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
710         https://bugs.webkit.org/show_bug.cgi?id=195429
711
712         Reviewed by Saam Barati.
713
714         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
715         (foo):
716         * stress/string-from-char-code-255.js: Added.
717
718 2019-03-06  Mark Lam  <mark.lam@apple.com>
719
720         Fix incorrect handling of try-finally completion values.
721         https://bugs.webkit.org/show_bug.cgi?id=195131
722         <rdar://problem/46222079>
723
724         Reviewed by Saam Barati and Yusuke Suzuki.
725
726         Added many permutations of new test case to test-finally.js.  test-finally.js has
727         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
728         tests pass there as well.
729
730         * stress/test-finally.js:
731
732 2019-03-06  Saam Barati  <sbarati@apple.com>
733
734         Air::reportUsedRegisters must padInterference
735         https://bugs.webkit.org/show_bug.cgi?id=195303
736         <rdar://problem/48270343>
737
738         Reviewed by Keith Miller.
739
740         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
741
742 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
743
744         [JSC] AI should not propagate AbstractValue relying on constant folding phase
745         https://bugs.webkit.org/show_bug.cgi?id=195375
746
747         Reviewed by Saam Barati.
748
749         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
750         (let.array):
751
752 2019-03-05  Saam barati  <sbarati@apple.com>
753
754         op_switch_char broken for rope strings after JSRopeString layout rewrite
755         https://bugs.webkit.org/show_bug.cgi?id=195339
756         <rdar://problem/48592545>
757
758         Reviewed by Yusuke Suzuki.
759
760         * stress/switch-on-char-llint-rope.js: Added.
761
762 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
763
764         [JSC] Store bits for JSRopeString in 3 stores
765         https://bugs.webkit.org/show_bug.cgi?id=195234
766
767         Reviewed by Saam Barati.
768
769         * stress/null-rope-and-collectors.js: Added.
770
771 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
772
773         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
774         https://bugs.webkit.org/show_bug.cgi?id=195207
775
776         Unreviewed. After test runtime was reduced in r242213, test can be
777         run again on ARM/MIPS.
778
779         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
780
781 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
782
783         [JSC] sizeof(JSString) should be 16
784         https://bugs.webkit.org/show_bug.cgi?id=194375
785
786         Reviewed by Saam Barati.
787
788         * microbenchmarks/make-rope.js: Added.
789         (makeRope):
790         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
791         (returnRope.helper): Deleted.
792         (returnRope): Deleted.
793
794 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
795
796         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
797         https://bugs.webkit.org/show_bug.cgi?id=195144
798
799         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
800         Change the number from 1e8 to 1e5.
801
802         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
803         (foo):
804
805 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
806
807         Test times out on ARM/MIPS
808         https://bugs.webkit.org/show_bug.cgi?id=195168
809
810         Unreviewed. Skip test on ARM/MIPS.
811
812         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
813
814 2019-02-27  Mark Lam  <mark.lam@apple.com>
815
816         The parser is failing to record the token location of new in new.target.
817         https://bugs.webkit.org/show_bug.cgi?id=195127
818         <rdar://problem/39645578>
819
820         Reviewed by Yusuke Suzuki.
821
822         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
823
824 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
825
826         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
827         https://bugs.webkit.org/show_bug.cgi?id=195144
828         <rdar://problem/47595961>
829
830         Reviewed by Mark Lam.
831
832         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
833         (bar):
834         (foo):
835         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
836         (bar):
837         (foo):
838
839 2019-02-27  Robin Morisset  <rmorisset@apple.com>
840
841         DFG: Loop-invariant code motion (LICM) should not hoist dead code
842         https://bugs.webkit.org/show_bug.cgi?id=194945
843         <rdar://problem/48311657>
844
845         Reviewed by Mark Lam.
846
847         * stress/licm-dead-code.js: Added.
848
849 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
850
851         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
852         https://bugs.webkit.org/show_bug.cgi?id=194677
853         <rdar://problem/48112492>
854
855         Reviewed by Mark Lam.
856
857         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
858         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
859         it immediately fails due to the large size.
860
861         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
862         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
863         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
864         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
865
866         This patch changes the test to produce 16bit string from String.fromCharCode.
867
868         * stress/regress-178386.js:
869
870 2019-02-26  Mark Lam  <mark.lam@apple.com>
871
872         wasmToJS() should purify incoming NaNs.
873         https://bugs.webkit.org/show_bug.cgi?id=194807
874         <rdar://problem/48189132>
875
876         Reviewed by Saam Barati.
877
878         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
879
880 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
881
882         [JSC] Repeat string created from Array.prototype.join() take too much memory
883         https://bugs.webkit.org/show_bug.cgi?id=193912
884
885         Reviewed by Saam Barati.
886
887         Added a test and a microbenchmark for corner cases of
888         Array.prototype.join() with an uninitialized array.
889
890         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
891         * stress/array-prototype-join-uninitialized.js: Added.
892         (testArray):
893         (testABC):
894         (B):
895         (C):
896
897 2019-02-22  Robin Morisset  <rmorisset@apple.com>
898
899         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
900         https://bugs.webkit.org/show_bug.cgi?id=194953
901         <rdar://problem/47595253>
902
903         Reviewed by Saam Barati.
904
905         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
906
907         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
908
909 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
910
911         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
912         https://bugs.webkit.org/show_bug.cgi?id=172848
913         <rdar://problem/25709212>
914
915         Reviewed by Mark Lam.
916
917         * typeProfiler/inheritance.js:
918         Rewrite the test slightly for clarity. The hoisting was confusing.
919
920         * heapProfiler/class-names.js: Added.
921         (MyES5Class):
922         (MyES6Class):
923         (MyES6Subclass):
924         Test object types and improved class names.
925
926         * heapProfiler/driver/driver.js:
927         (CheapHeapSnapshotNode):
928         (CheapHeapSnapshot):
929         (createCheapHeapSnapshot):
930         (HeapSnapshot):
931         (createHeapSnapshot):
932         Update snapshot parsing from version 1 to version 2.
933
934 2019-02-19  Truitt Savell  <tsavell@apple.com>
935
936         Unreviewed, rolling out r241784.
937
938         Broke all OpenSource builds.
939
940         Reverted changeset:
941
942         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
943         instances view"
944         https://bugs.webkit.org/show_bug.cgi?id=172848
945         https://trac.webkit.org/changeset/241784
946
947 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
948
949         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
950         https://bugs.webkit.org/show_bug.cgi?id=172848
951         <rdar://problem/25709212>
952
953         Reviewed by Mark Lam.
954
955         * typeProfiler/inheritance.js:
956         Rewrite the test slightly for clarity. The hoisting was confusing.
957
958         * heapProfiler/class-names.js: Added.
959         (MyES5Class):
960         (MyES6Class):
961         (MyES6Subclass):
962         Test object types and improved class names.
963
964         * heapProfiler/driver/driver.js:
965         (CheapHeapSnapshotNode):
966         (CheapHeapSnapshot):
967         (createCheapHeapSnapshot):
968         (HeapSnapshot):
969         (createHeapSnapshot):
970         Update snapshot parsing from version 1 to version 2.
971
972 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
973
974         [ARM] Fix crash with sampling profiler
975         https://bugs.webkit.org/show_bug.cgi?id=194772
976
977         Reviewed by Mark Lam.
978
979         Do not skip test since crash with sampling profiler is now fixed.
980
981         * stress/sampling-profiler-richards.js:
982
983 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
984
985         [JSC] Add LazyClassStructure::getInitializedOnMainThread
986         https://bugs.webkit.org/show_bug.cgi?id=194784
987         <rdar://problem/48154820>
988
989         Reviewed by Mark Lam.
990
991         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
992         (getProperties):
993         (getRandomProperty):
994         (i.catch):
995
996 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
997
998         [ARM] Test gardening: Test running out of executable memory
999         https://bugs.webkit.org/show_bug.cgi?id=194771
1000
1001         Unreviewed. Do not run test without LLInt, test is running out of executable
1002         memory on ARM otherwise.
1003
1004         * stress/tagged-template-object-collect.js:
1005
1006 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1007
1008         Unreviewed, skip the test on platforms without sampling profiler
1009
1010         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1011         (platformSupportsSamplingProfiler.foo):
1012         (platformSupportsSamplingProfiler.test):
1013         (platformSupportsSamplingProfiler):
1014         (foo): Deleted.
1015         (test): Deleted.
1016
1017 2019-02-17  Saam Barati  <sbarati@apple.com>
1018
1019         Deadlock when adding a Structure property transition and then doing incremental marking
1020         https://bugs.webkit.org/show_bug.cgi?id=194767
1021
1022         Reviewed by Mark Lam.
1023
1024         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1025
1026 2019-02-15  Michael Saboff  <msaboff@apple.com>
1027
1028         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1029         https://bugs.webkit.org/show_bug.cgi?id=194558
1030
1031         Reviewed by Saam Barati.
1032
1033         New regression test.
1034
1035         * stress/regexp-unicode-within-string.js: Added.
1036
1037 2019-02-15  Mark Lam  <mark.lam@apple.com>
1038
1039         SamplingProfiler::stackTracesAsJSON() should escape strings.
1040         https://bugs.webkit.org/show_bug.cgi?id=194649
1041         <rdar://problem/48072386>
1042
1043         Reviewed by Saam Barati.
1044
1045         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1046         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1047         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1048         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1049
1050 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1051         CodeBlock::jettison should clear related watchpoints
1052         https://bugs.webkit.org/show_bug.cgi?id=194544
1053
1054         Reviewed by Mark Lam.
1055
1056         * stress/regexp-replace-double-watchpoint.js: Added.
1057         (foo):
1058
1059 2019-02-15  Saam barati  <sbarati@apple.com>
1060
1061         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1062         https://bugs.webkit.org/show_bug.cgi?id=194036
1063
1064         Reviewed by Yusuke Suzuki.
1065
1066         * stress/tail-call-many-arguments.js: Added.
1067         (foo):
1068         (bar):
1069
1070 2019-02-14  Saam Barati  <sbarati@apple.com>
1071
1072         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1073         https://bugs.webkit.org/show_bug.cgi?id=194583
1074         <rdar://problem/48028140>
1075
1076         Reviewed by Yusuke Suzuki.
1077
1078         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1079
1080 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1081
1082         [JSC] String.fromCharCode's slow path always generates 16bit string
1083         https://bugs.webkit.org/show_bug.cgi?id=194466
1084
1085         Reviewed by Keith Miller.
1086
1087         * stress/string-from-char-code-slow-path.js: Added.
1088         (shouldBe):
1089         (testWithLength):
1090
1091 2019-02-08  Saam barati  <sbarati@apple.com>
1092
1093         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1094         https://bugs.webkit.org/show_bug.cgi?id=194334
1095         <rdar://problem/47844327>
1096
1097         Reviewed by Mark Lam.
1098
1099         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1100         (func):
1101
1102 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1103
1104         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1105         https://bugs.webkit.org/show_bug.cgi?id=194369
1106         <rdar://problem/47813087>
1107
1108         Reviewed by Saam Barati.
1109
1110         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1111         (A):
1112
1113 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1114
1115         [JSC] PrivateName to PublicName hash table is wasteful
1116         https://bugs.webkit.org/show_bug.cgi?id=194277
1117
1118         Reviewed by Michael Saboff.
1119
1120         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1121
1122         * ChakraCore.yaml:
1123
1124 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1125
1126         [ARM] Test running out of executable memory
1127         https://bugs.webkit.org/show_bug.cgi?id=194285
1128
1129         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1130         executable memory otherwise.
1131
1132         * stress/class-subclassing-function.js:
1133
1134 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1135
1136         when lowering AssertNotEmpty, create the value before creating the patchpoint
1137         https://bugs.webkit.org/show_bug.cgi?id=194231
1138
1139         Reviewed by Saam Barati.
1140
1141         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1142         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1143         So even tiny changes to this test can change the path code taken.
1144
1145         * stress/assert-not-empty.js: Added.
1146         (foo):
1147
1148 2019-02-01  Mark Lam  <mark.lam@apple.com>
1149
1150         Remove invalid assertion in DFG's compileDoubleRep().
1151         https://bugs.webkit.org/show_bug.cgi?id=194130
1152         <rdar://problem/47699474>
1153
1154         Reviewed by Saam Barati.
1155
1156         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1157
1158 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1159
1160         Import latest Test262 updates.
1161
1162         Rubber-stamped by Keith Miller.
1163
1164         * test262.yaml: Deleted.
1165         * test262/config.yaml:
1166         * test262/expectations.yaml:
1167         * test262/latest-changes-summary.txt:
1168         * test262/test/:
1169         * test262/test262-Revision.txt:
1170
1171 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1172
1173         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1174         https://bugs.webkit.org/show_bug.cgi?id=194050
1175         <rdar://problem/47595592>
1176
1177         Reviewed by Yusuke Suzuki.
1178
1179         * stress/object-keys-osr-exit.js: Added.
1180         (foo):
1181         (catch):
1182
1183 2019-01-29  Mark Lam  <mark.lam@apple.com>
1184
1185         ValueRecovery::recover() should purify NaN values it recovers.
1186         https://bugs.webkit.org/show_bug.cgi?id=193978
1187         <rdar://problem/47625488>
1188
1189         Reviewed by Saam Barati.
1190
1191         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1192
1193 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1194
1195         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1196         https://bugs.webkit.org/show_bug.cgi?id=193713
1197
1198         * stress/try-get-by-id-should-spill-registers-dfg.js:
1199         (let.f.createBuiltin):
1200
1201 2019-01-28  Mark Lam  <mark.lam@apple.com>
1202
1203         ToString node actually does GC.
1204         https://bugs.webkit.org/show_bug.cgi?id=193920
1205         <rdar://problem/46695900>
1206
1207         Reviewed by Yusuke Suzuki.
1208
1209         * stress/dfg-to-string-on-int-does-gc.js: Added.
1210         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1211         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1212
1213 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1214
1215         [JSC] NativeErrorConstructor should not have own IsoSubspace
1216         https://bugs.webkit.org/show_bug.cgi?id=193713
1217
1218         Reviewed by Saam Barati.
1219
1220         Remove @Error use.
1221
1222         * stress/try-get-by-id-should-spill-registers-dfg.js:
1223         (let.f.createBuiltin):
1224
1225 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1226
1227         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1228         https://bugs.webkit.org/show_bug.cgi?id=190693
1229
1230         Reviewed by Michael Saboff.
1231
1232         * stress/regress-190693.js: Added.
1233         (truth):
1234         (assert):
1235         (shouldThrowInvalidConstAssignment):
1236         (taz):
1237
1238 2019-01-24  Saam Barati  <sbarati@apple.com>
1239
1240         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1241         https://bugs.webkit.org/show_bug.cgi?id=193751
1242         <rdar://problem/47280215>
1243
1244         Reviewed by Michael Saboff.
1245
1246         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1247         (let.thing):
1248         (foo.let.hello):
1249         (foo):
1250
1251 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1252
1253         [JSC] Reenable baseline JIT on mips
1254         https://bugs.webkit.org/show_bug.cgi?id=192983
1255
1256         Reviewed by Mark Lam.
1257
1258         Added a new test for a case that was triggering a RELEASE_ASSERT when
1259         testing.
1260         Disable some slow tests that were already disabled for arm and x86.
1261
1262         * stress/json-parse-big-object.js: Added.
1263         * stress/new-largeish-contiguous-array-with-size.js:
1264         * stress/op_add.js:
1265         * stress/op_bitand.js:
1266         * stress/op_bitor.js:
1267         * stress/op_bitxor.js:
1268         * stress/op_lshift-ConstVar.js:
1269         * stress/op_lshift-VarConst.js:
1270         * stress/op_lshift-VarVar.js:
1271         * stress/op_mod-ConstVar.js:
1272         * stress/op_mod-VarConst.js:
1273         * stress/op_mod-VarVar.js:
1274         * stress/op_mul-ConstVar.js:
1275         * stress/op_mul-VarConst.js:
1276         * stress/op_mul-VarVar.js:
1277         * stress/op_rshift-ConstVar.js:
1278         * stress/op_rshift-VarConst.js:
1279         * stress/op_rshift-VarVar.js:
1280         * stress/op_sub-ConstVar.js:
1281         * stress/op_sub-VarConst.js:
1282         * stress/op_sub-VarVar.js:
1283         * stress/op_urshift-ConstVar.js:
1284         * stress/op_urshift-VarConst.js:
1285         * stress/op_urshift-VarVar.js:
1286         * stress/sampling-profiler-richards.js:
1287         * stress/spread-forward-call-varargs-stack-overflow.js:
1288
1289 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1290
1291         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1292         https://bugs.webkit.org/show_bug.cgi?id=193711
1293         <rdar://problem/47250262>
1294
1295         Reviewed by Saam Barati.
1296
1297         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1298         (shouldBe):
1299         (foo):
1300         (bar):
1301         (baz):
1302
1303 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1304
1305         Unreviewed, fix initial global lexical binding epoch
1306         https://bugs.webkit.org/show_bug.cgi?id=193603
1307         <rdar://problem/47380869>
1308
1309         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1310         (f1.f2.f3.f4):
1311         (f1.f2.f3):
1312         (f1.f2):
1313         (f1):
1314
1315 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1316
1317         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1318         https://bugs.webkit.org/show_bug.cgi?id=193709
1319         <rdar://problem/47363838>
1320
1321         Unreviewed, rollout to watch the tests.
1322
1323         * stress/object-tostring-changed-proto.js: Removed.
1324         * stress/object-tostring-changed.js: Removed.
1325         * stress/object-tostring-misc.js: Removed.
1326         * stress/object-tostring-other.js: Removed.
1327         * stress/object-tostring-untyped.js: Removed.
1328
1329 2019-01-22  Saam Barati  <sbarati@apple.com>
1330
1331         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1332
1333         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1334         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1335         (testUncheckedLessThanZero):
1336         (testUncheckedLessThanOrEqualZero):
1337         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1338         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1339
1340 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1341
1342         [JSC] Invalidate old scope operations using global lexical binding epoch
1343         https://bugs.webkit.org/show_bug.cgi?id=193603
1344         <rdar://problem/47380869>
1345
1346         Reviewed by Saam Barati.
1347
1348         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1349         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1350         (shouldThrow):
1351         (bar):
1352         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1353         (shouldBe):
1354         (get1):
1355         (get2):
1356         (get1If):
1357         (get2If):
1358         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1359         (shouldThrow):
1360         (foo):
1361
1362 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1363
1364         Unreviewed, roll out r240220 due to date-format-xparb regression
1365         https://bugs.webkit.org/show_bug.cgi?id=193603
1366
1367         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1368         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1369         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1370         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1371
1372 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1373
1374         DoesGC rule is wrong for nodes with BigIntUse
1375         https://bugs.webkit.org/show_bug.cgi?id=193652
1376
1377         Reviewed by Saam Barati.
1378
1379         * stress/big-int-value-op-update-gc-rules.js: Added.
1380         (assert):
1381         (doesGCAdd):
1382         (doesGCSub):
1383         (doesGCDiv):
1384         (doesGCMul):
1385         (doesGCBitAnd):
1386         (doesGCBitOr):
1387         (doesGCBitXor):
1388
1389 2019-01-20  Saam Barati  <sbarati@apple.com>
1390
1391         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1392         https://bugs.webkit.org/show_bug.cgi?id=193644
1393         <rdar://problem/46209745>
1394
1395         Reviewed by Yusuke Suzuki.
1396
1397         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1398         (foo):
1399         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1400         (foo):
1401         (bar):
1402
1403 2019-01-20  Saam Barati  <sbarati@apple.com>
1404
1405         MovHint must merge NodeBytecodeUsesAsValue for its child
1406         https://bugs.webkit.org/show_bug.cgi?id=186916
1407         <rdar://problem/41396612>
1408
1409         Reviewed by Yusuke Suzuki.
1410
1411         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1412         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1413
1414 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1415
1416         [JSC] Invalidate old scope operations using global lexical binding epoch
1417         https://bugs.webkit.org/show_bug.cgi?id=193603
1418         <rdar://problem/47380869>
1419
1420         Reviewed by Saam Barati.
1421
1422         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1423         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1424         (shouldThrow):
1425         (bar):
1426         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1427         (shouldBe):
1428         (get1):
1429         (get2):
1430         (get1If):
1431         (get2If):
1432         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1433         (shouldThrow):
1434         (foo):
1435
1436 2019-01-17  Saam barati  <sbarati@apple.com>
1437
1438         StringObjectUse should not be a structure check for the original string object structure
1439         https://bugs.webkit.org/show_bug.cgi?id=193483
1440         <rdar://problem/47280522>
1441
1442         Reviewed by Yusuke Suzuki.
1443
1444         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1445         (foo):
1446         (a.valueOf.0):
1447
1448 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1449
1450         [JSC] ToThis omission in DFGByteCodeParser is wrong
1451         https://bugs.webkit.org/show_bug.cgi?id=193513
1452         <rdar://problem/45842236>
1453
1454         Reviewed by Saam Barati.
1455
1456         * stress/to-this-omission-with-different-strict-modes.js: Added.
1457         (thisA):
1458         (thisAStrictWrapper):
1459
1460 2019-01-15  Mark Lam  <mark.lam@apple.com>
1461
1462         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1463         https://bugs.webkit.org/show_bug.cgi?id=193423
1464         <rdar://problem/46209355>
1465
1466         Reviewed by Saam Barati.
1467
1468         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1469         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1470         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1471         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1472
1473 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1474
1475         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1476         https://bugs.webkit.org/show_bug.cgi?id=193438
1477         <rdar://problem/45581249>
1478
1479         Reviewed by Saam Barati and Keith Miller.
1480
1481         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1482         Then, GetByVal(String) crashed.
1483
1484         * stress/string-get-by-val-lowering.js: Added.
1485         (shouldBe):
1486         (test):
1487         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1488         (Hello):
1489         (foo):
1490
1491 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1492
1493         Unreviewed, skip JIT tests if it's not enabled
1494
1495         * stress/bit-op-with-object-returning-int32.js:
1496
1497 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1498
1499         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1500         https://bugs.webkit.org/show_bug.cgi?id=192966
1501
1502         Reviewed by Yusuke Suzuki.
1503
1504         * stress/bit-op-with-object-returning-int32.js: Added.
1505
1506 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1507
1508         Skip a slow test and a flakey test on arm
1509
1510         Unreviewed gardening.
1511
1512         * typeProfiler/getter-richards.js:
1513         this test always times out, it used to be always skipped on arm and
1514         mips, but got accidentally enabled by r237919 now that we have DFG on
1515         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1516
1517 2019-01-14  Keith Miller  <keith_miller@apple.com>
1518
1519         Skip type-check-hoisting-phase-hoist... with no jit
1520         https://bugs.webkit.org/show_bug.cgi?id=193421
1521
1522         Reviewed by Mark Lam.
1523
1524         It's timing out the 32-bit bots and takes 330 seconds
1525         on my machine when run by itself.
1526
1527         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1528
1529 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1530
1531         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1532         https://bugs.webkit.org/show_bug.cgi?id=193413
1533         <rdar://problem/46092389>
1534
1535         Reviewed by Keith Miller.
1536
1537         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1538         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1539         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1540         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1541
1542         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1543         (compareArray):
1544
1545 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1546
1547         [BigInt] Literal parsing is crashing when used inside a Object Literal
1548         https://bugs.webkit.org/show_bug.cgi?id=193404
1549
1550         Reviewed by Yusuke Suzuki.
1551
1552         * stress/big-int-literal-inside-literal-object.js: Added.
1553
1554 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1555
1556         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1557         https://bugs.webkit.org/show_bug.cgi?id=193372
1558
1559         Reviewed by Saam Barati.
1560
1561         * stress/typed-array-array-modes-profile.js: Added.
1562         (foo):
1563
1564 2019-01-14  Mark Lam  <mark.lam@apple.com>
1565
1566         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1567         https://bugs.webkit.org/show_bug.cgi?id=193402
1568         <rdar://problem/46012309>
1569
1570         Reviewed by Keith Miller.
1571
1572         * stress/regexp-compile-oom.js:
1573         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1574           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1575
1576 2019-01-11  Saam barati  <sbarati@apple.com>
1577
1578         DFG combined liveness can be wrong for terminal basic blocks
1579         https://bugs.webkit.org/show_bug.cgi?id=193304
1580         <rdar://problem/45268632>
1581
1582         Reviewed by Yusuke Suzuki.
1583
1584         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1585
1586 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1587
1588         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1589         https://bugs.webkit.org/show_bug.cgi?id=193308
1590         <rdar://problem/45546542>
1591
1592         Reviewed by Saam Barati.
1593
1594         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1595         (shouldThrow):
1596         (shouldBe):
1597         (foo):
1598         (get shouldThrow):
1599         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1600         (shouldThrow):
1601         (shouldBe):
1602         (foo):
1603         (get shouldBe):
1604         (get shouldThrow):
1605         (get return):
1606         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1607         (shouldThrow):
1608         (shouldBe):
1609         (foo):
1610         (get shouldBe):
1611         (get shouldThrow):
1612         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1613         (shouldThrow):
1614         (shouldBe):
1615         (foo):
1616         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1617         (shouldThrow):
1618         (shouldBe):
1619         (foo):
1620         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1621         (shouldThrow):
1622         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1623         (shouldThrow):
1624         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1625         (shouldThrow):
1626         (shouldBe):
1627         (foo):
1628         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1629         (shouldThrow):
1630         (shouldBe):
1631         (foo):
1632         (get shouldBe):
1633         (get shouldThrow):
1634         (get return):
1635         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1636         (shouldThrow):
1637         (shouldBe):
1638         (foo):
1639         (get shouldBe):
1640         (get shouldThrow):
1641         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1642         (shouldThrow):
1643         (shouldBe):
1644         (foo):
1645         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1646         (shouldThrow):
1647         (shouldBe):
1648         (foo):
1649
1650 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1651
1652         Enable DFG on ARM/Linux again
1653         https://bugs.webkit.org/show_bug.cgi?id=192496
1654
1655         Reviewed by Yusuke Suzuki.
1656
1657         Test wasn't really skipped before moving the line with skip
1658         to the top.
1659
1660         * stress/regress-192717.js:
1661
1662 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1663
1664         Unreviewed, rolling out r239825.
1665         https://bugs.webkit.org/show_bug.cgi?id=193330
1666
1667         Broke tests on armv7/linux bots (Requested by guijemont on
1668         #webkit).
1669
1670         Reverted changeset:
1671
1672         "Enable DFG on ARM/Linux again"
1673         https://bugs.webkit.org/show_bug.cgi?id=192496
1674         https://trac.webkit.org/changeset/239825
1675
1676 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1677
1678         Enable DFG on ARM/Linux again
1679         https://bugs.webkit.org/show_bug.cgi?id=192496
1680
1681         Reviewed by Yusuke Suzuki.
1682
1683         Test wasn't really skipped before moving the line with skip
1684         to the top.
1685
1686         * stress/regress-192717.js:
1687
1688 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1689
1690         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1691         https://bugs.webkit.org/show_bug.cgi?id=193127
1692
1693         Reviewed by Saam Barati.
1694
1695         * stress/array-species-create-should-handle-masquerader.js: Added.
1696         (shouldThrow):
1697         * stress/is-undefined-or-null-builtin.js: Added.
1698         (shouldBe):
1699         (isUndefinedOrNull.vm.createBuiltin):
1700
1701 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1702
1703         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1704         https://bugs.webkit.org/show_bug.cgi?id=193221
1705
1706         Reviewed by Mark Lam.
1707
1708         * stress/put-by-id-flags.js: Added.
1709         (f):
1710         (g):
1711         (numberOfDFGCompiles):
1712
1713 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1714
1715         Baseline version of get_by_id may corrupt metadata
1716         https://bugs.webkit.org/show_bug.cgi?id=193085
1717         <rdar://problem/23453006>
1718
1719         Reviewed by Saam Barati.
1720
1721         * stress/get-by-id-change-mode.js: Added.
1722         (forEach):
1723
1724 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1725
1726         [JSC] Optimize Object.prototype.toString
1727         https://bugs.webkit.org/show_bug.cgi?id=193031
1728
1729         Reviewed by Saam Barati.
1730
1731         * stress/object-tostring-changed-proto.js: Added.
1732         (shouldBe):
1733         (test):
1734         * stress/object-tostring-changed.js: Added.
1735         (shouldBe):
1736         (test):
1737         * stress/object-tostring-misc.js: Added.
1738         (shouldBe):
1739         (test):
1740         (i.switch):
1741         * stress/object-tostring-other.js: Added.
1742         (shouldBe):
1743         (test):
1744         * stress/object-tostring-untyped.js: Added.
1745         (shouldBe):
1746         (test):
1747         (i.switch):
1748
1749 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1750
1751         test262-runner misbehaves when test file YAML has a trailing space
1752         https://bugs.webkit.org/show_bug.cgi?id=193053
1753
1754         Reviewed by Yusuke Suzuki.
1755
1756         * test262/expectations.yaml:
1757         Mark two dozen tests as passing (and correct the output of another).
1758
1759 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1760
1761         Unreviewed, JSTests gardening with memoryLimited
1762
1763         * stress/string-overflow-createError.js:
1764
1765 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1766
1767         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1768         https://bugs.webkit.org/show_bug.cgi?id=193050
1769
1770         Reviewed by Yusuke Suzuki.
1771
1772         * test262.yaml:
1773         * test262/expectations.yaml:
1774         Mark 16 tests as passing.
1775
1776 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1777
1778         [BigInt] Support BigInt in JSON.stringify
1779         https://bugs.webkit.org/show_bug.cgi?id=192624
1780
1781         Reviewed by Saam Barati.
1782
1783         * stress/big-int-json-stringify-to-json.js: Added.
1784         (shouldBe):
1785         (shouldThrow):
1786         (BigInt.prototype.toJSON):
1787         (shouldBe.JSON.stringify):
1788         * stress/big-int-json-stringify.js: Added.
1789         (shouldBe):
1790         (shouldThrow):
1791
1792 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1793
1794         [JSC] Implement "well-formed JSON.stringify" proposal
1795         https://bugs.webkit.org/show_bug.cgi?id=191677
1796
1797         Reviewed by Darin Adler.
1798
1799         * stress/json-surrogate-pair.js: Added.
1800         (shouldBe):
1801         * test262/expectations.yaml:
1802
1803 2018-12-20  Keith Miller  <keith_miller@apple.com>
1804
1805         Add support for globalThis
1806         https://bugs.webkit.org/show_bug.cgi?id=165171
1807
1808         Reviewed by Mark Lam.
1809
1810         * test262/config.yaml:
1811
1812 2018-12-19  Keith Miller  <keith_miller@apple.com>
1813
1814         Update test262 configuration to not run tests dependent on ICU version.
1815         https://bugs.webkit.org/show_bug.cgi?id=192920
1816
1817         Reviewed by Saam Barati.
1818
1819         * test262/expectations.yaml:
1820
1821 2018-12-20  Mark Lam  <mark.lam@apple.com>
1822
1823         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1824         https://bugs.webkit.org/show_bug.cgi?id=192939
1825         <rdar://problem/46869516>
1826
1827         Reviewed by Keith Miller.
1828
1829         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1830
1831 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1832
1833         WTF::String and StringImpl overflow MaxLength
1834         https://bugs.webkit.org/show_bug.cgi?id=192853
1835         <rdar://problem/45726906>
1836
1837         Reviewed by Mark Lam.
1838
1839         * stress/string-16bit-repeat-overflow.js: Added.
1840         (catch):
1841
1842 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1843
1844         Unreviewed follow-up to r192914.
1845
1846         * test262/expectations.yaml:
1847         Add the last 20 missing expectations.
1848
1849 2018-12-19  Keith Miller  <keith_miller@apple.com>
1850
1851         Fix test262 expectations
1852         https://bugs.webkit.org/show_bug.cgi?id=192914
1853
1854         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1855
1856         * test262/expectations.yaml:
1857
1858 2018-12-19  Keith Miller  <keith_miller@apple.com>
1859
1860         Update test262 tests.
1861         https://bugs.webkit.org/show_bug.cgi?id=192907
1862
1863         Rubber stamped by Mark Lam.
1864
1865         * test262/*: Omitted because prepare-changelog crashes.
1866
1867 2018-12-19  Mark Lam  <mark.lam@apple.com>
1868
1869         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1870         https://bugs.webkit.org/show_bug.cgi?id=192464
1871         <rdar://problem/46519455>
1872
1873         Reviewed by Saam Barati.
1874
1875         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1876         microbenchmark.
1877
1878         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1879         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1880
1881 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1882
1883         String overflow in JSC::createError results in ASSERT in WTF::makeString
1884         https://bugs.webkit.org/show_bug.cgi?id=192833
1885         <rdar://problem/45706868>
1886
1887         Reviewed by Mark Lam.
1888
1889         * stress/string-overflow-createError.js: Added.
1890
1891 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1892
1893         Error message for `-x ** y` contains a typo.
1894         https://bugs.webkit.org/show_bug.cgi?id=192832
1895
1896         Reviewed by Saam Barati.
1897
1898         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1899         (assert.assert.return.throws):
1900         * stress/pow-expects-update-expression-on-lhs.js:
1901         (throw.new.Error):
1902         Update test expectations which match against the exact error message.
1903
1904 2018-12-18  Mark Lam  <mark.lam@apple.com>
1905
1906         Gardening: test options fix.
1907         https://bugs.webkit.org/show_bug.cgi?id=192822
1908
1909         Unreviewed.
1910
1911         * stress/json-stringify-string-builder-overflow.js:
1912
1913 2018-12-18  Mark Lam  <mark.lam@apple.com>
1914
1915         JSON.stringify() should throw OOM on StringBuilder overflows.
1916         https://bugs.webkit.org/show_bug.cgi?id=192822
1917         <rdar://problem/46670577>
1918
1919         Reviewed by Saam Barati.
1920
1921         * stress/json-stringify-string-builder-overflow.js: Added.
1922
1923 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1924
1925         Redeclaration of var over let/const/class should be a syntax error.
1926         https://bugs.webkit.org/show_bug.cgi?id=192298
1927
1928         Reviewed by Keith Miller.
1929
1930         * test262.yaml:
1931         * test262/expectations.yaml:
1932         Mark 46 tests as passing.
1933
1934         * stress/block-scope-redeclarations.js:
1935         Add some new tests.
1936
1937         * stress/for-in-invalidate-context-weird-assignments.js:
1938         * stress/for-in-tests.js:
1939         Replace tests for outdated behavior with tests for SyntaxError.
1940
1941         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1942         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1943         Update expectations.
1944
1945 2018-12-18  Mark Lam  <mark.lam@apple.com>
1946
1947         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1948         https://bugs.webkit.org/show_bug.cgi?id=191374
1949         <rdar://problem/46525447>
1950
1951         Reviewed by Yusuke Suzuki.
1952
1953         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1954
1955         * stress/elidable-new-object-roflcopter-then-exit.js:
1956
1957 2018-12-17  Mark Lam  <mark.lam@apple.com>
1958
1959         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1960         https://bugs.webkit.org/show_bug.cgi?id=192019
1961         <rdar://problem/46525456>
1962
1963         Reviewed by Yusuke Suzuki.
1964
1965         The test runs too slow on 32-bit.
1966
1967         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1968
1969 2018-12-17  Mark Lam  <mark.lam@apple.com>
1970
1971         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1972         https://bugs.webkit.org/show_bug.cgi?id=191373
1973         <rdar://problem/46525458>
1974
1975         Reviewed by Yusuke Suzuki.
1976
1977         The test is already slow running with a JIT on 64-bit.  It will always timeout
1978         on 32-bit without a JIT.
1979
1980         * stress/materialize-regexp-cyclic-regexp.js:
1981
1982 2018-12-17  Mark Lam  <mark.lam@apple.com>
1983
1984         Array unshift/shift should not race against the AI in the compiler thread.
1985         https://bugs.webkit.org/show_bug.cgi?id=192795
1986         <rdar://problem/46724263>
1987
1988         Reviewed by Saam Barati.
1989
1990         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1991
1992 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1993
1994         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1995         https://bugs.webkit.org/show_bug.cgi?id=190047
1996
1997         Reviewed by Saam Barati.
1998
1999         * stress/object-keys-cached-zero.js: Added.
2000         (shouldBe):
2001         (test):
2002         * stress/object-keys-changed-attribute.js: Added.
2003         (shouldBe):
2004         (test):
2005         * stress/object-keys-changed-index.js: Added.
2006         (shouldBe):
2007         (test):
2008         * stress/object-keys-changed.js: Added.
2009         (shouldBe):
2010         (test):
2011         * stress/object-keys-indexed-non-cache.js: Added.
2012         (shouldBe):
2013         (test):
2014         * stress/object-keys-overrides-get-property-names.js: Added.
2015         (shouldBe):
2016         (test):
2017         (noInline):
2018
2019 2018-12-17  Mark Lam  <mark.lam@apple.com>
2020
2021         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2022         https://bugs.webkit.org/show_bug.cgi?id=192779
2023         <rdar://problem/46775869>
2024
2025         Reviewed by Saam Barati.
2026
2027         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2028
2029 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2030
2031         Unreviewed test gardening, address a syntax error in a new test.
2032
2033         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2034
2035 2018-12-17  Mark Lam  <mark.lam@apple.com>
2036
2037         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2038         https://bugs.webkit.org/show_bug.cgi?id=192776
2039         <rdar://problem/46772368>
2040
2041         Reviewed by Keith Miller.
2042
2043         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2044
2045 2018-12-17  Mark Lam  <mark.lam@apple.com>
2046
2047         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2048         https://bugs.webkit.org/show_bug.cgi?id=192770
2049         <rdar://problem/46449037>
2050
2051         Reviewed by Keith Miller.
2052
2053         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2054
2055 2018-12-14  Mark Lam  <mark.lam@apple.com>
2056
2057         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2058         https://bugs.webkit.org/show_bug.cgi?id=192717
2059         <rdar://problem/46660677>
2060
2061         Reviewed by Saam Barati.
2062
2063         * stress/regress-192717.js: Added.
2064
2065 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2066
2067         Unreviewed, rolling out r239153, r239154, and r239155.
2068         https://bugs.webkit.org/show_bug.cgi?id=192715
2069
2070         Caused flaky GC-related crashes seen with layout tests
2071         (Requested by ryanhaddad on #webkit).
2072
2073         Reverted changesets:
2074
2075         "[JSC] Optimize Object.keys by caching own keys results in
2076         StructureRareData"
2077         https://bugs.webkit.org/show_bug.cgi?id=190047
2078         https://trac.webkit.org/changeset/239153
2079
2080         "Unreviewed, build fix after r239153"
2081         https://bugs.webkit.org/show_bug.cgi?id=190047
2082         https://trac.webkit.org/changeset/239154
2083
2084         "Unreviewed, build fix after r239153, part 2"
2085         https://bugs.webkit.org/show_bug.cgi?id=190047
2086         https://trac.webkit.org/changeset/239155
2087
2088 2018-12-14  Keith Miller  <keith_miller@apple.com>
2089
2090         Callers of JSString::getIndex should check for OOM exceptions
2091         https://bugs.webkit.org/show_bug.cgi?id=192709
2092
2093         Reviewed by Mark Lam.
2094
2095         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2096
2097 2018-12-13  Mark Lam  <mark.lam@apple.com>
2098
2099         Add a missing exception check.
2100         https://bugs.webkit.org/show_bug.cgi?id=192626
2101         <rdar://problem/46662163>
2102
2103         Reviewed by Keith Miller.
2104
2105         * stress/regress-192626.js: Added.
2106
2107 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2108
2109         [BigInt] Add ValueDiv into DFG
2110         https://bugs.webkit.org/show_bug.cgi?id=186178
2111
2112         Reviewed by Yusuke Suzuki.
2113
2114         * stress/big-int-div-jit-osr.js: Added.
2115         * stress/big-int-div-jit-untyped.js: Added.
2116         * stress/value-div-fixup-int32-big-int.js: Added.
2117
2118 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2119
2120         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2121         https://bugs.webkit.org/show_bug.cgi?id=190047
2122
2123         Reviewed by Keith Miller.
2124
2125         * stress/object-keys-cached-zero.js: Added.
2126         (shouldBe):
2127         (test):
2128         * stress/object-keys-changed-attribute.js: Added.
2129         (shouldBe):
2130         (test):
2131         * stress/object-keys-changed-index.js: Added.
2132         (shouldBe):
2133         (test):
2134         * stress/object-keys-changed.js: Added.
2135         (shouldBe):
2136         (test):
2137         * stress/object-keys-indexed-non-cache.js: Added.
2138         (shouldBe):
2139         (test):
2140         * stress/object-keys-overrides-get-property-names.js: Added.
2141         (shouldBe):
2142         (test):
2143         (noInline):
2144
2145 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2146
2147         [DFG][FTL] Add NewSymbol
2148         https://bugs.webkit.org/show_bug.cgi?id=192620
2149
2150         Reviewed by Saam Barati.
2151
2152         * microbenchmarks/symbol-creation.js: Added.
2153         (test):
2154         * stress/symbol-description-identity.js: Added.
2155         (shouldBe):
2156         (test):
2157         * stress/symbol-identity.js: Added.
2158         (shouldBe):
2159         (test):
2160         * stress/symbol-with-description-throw-error.js: Added.
2161         (shouldBe):
2162         (shouldThrow):
2163         (test):
2164         (object.toString):
2165
2166 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2167
2168         [BigInt] Implement DFG/FTL typeof for BigInt
2169         https://bugs.webkit.org/show_bug.cgi?id=192619
2170
2171         Reviewed by Keith Miller.
2172
2173         * stress/big-int-boolean-proven-type.js: Added.
2174         (assert):
2175         (bool):
2176         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2177         (assert):
2178         (typeOf):
2179         (i.switch):
2180         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2181         (assert):
2182         (typeOf):
2183         * stress/big-int-type-of.js:
2184         (typeOf):
2185         (func):
2186
2187 2018-12-10  Mark Lam  <mark.lam@apple.com>
2188
2189         PropertyAttribute needs a CustomValue bit.
2190         https://bugs.webkit.org/show_bug.cgi?id=191993
2191         <rdar://problem/46264467>
2192
2193         Reviewed by Saam Barati.
2194
2195         * stress/regress-191993.js: Added.
2196
2197 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2198
2199         [BigInt] Add ValueMul into DFG
2200         https://bugs.webkit.org/show_bug.cgi?id=186175
2201
2202         Reviewed by Yusuke Suzuki.
2203
2204         * stress/big-int-mul-jit-osr.js: Added.
2205         * stress/big-int-mul-jit-untyped.js: Added.
2206         * stress/value-mul-fixup-int32-big-int.js: Added.
2207
2208 2018-12-06  Keith Miller  <keith_miller@apple.com>
2209
2210         stress/big-wasm-memory tests failing on 32-bit JSC bot
2211         https://bugs.webkit.org/show_bug.cgi?id=192020
2212
2213         Reviewed by Saam Barati.
2214
2215         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2216         the wasm stress tests if the WebAssembly object does not exist.
2217
2218         * stress/big-wasm-memory-grow-no-max.js:
2219         (test.foo):
2220         (test):
2221         (foo): Deleted.
2222         (catch): Deleted.
2223         * stress/big-wasm-memory-grow.js:
2224         (test.foo):
2225         (test):
2226         (foo): Deleted.
2227         (catch): Deleted.
2228         * stress/big-wasm-memory.js:
2229         (test.foo):
2230         (test):
2231         (foo): Deleted.
2232         (catch): Deleted.
2233
2234 2018-12-05  Mark Lam  <mark.lam@apple.com>
2235
2236         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2237         https://bugs.webkit.org/show_bug.cgi?id=192441
2238         <rdar://problem/46480355>
2239
2240         Reviewed by Saam Barati.
2241
2242         * stress/regress-192441.js: Added.
2243
2244 2018-12-04  Mark Lam  <mark.lam@apple.com>
2245
2246         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2247         https://bugs.webkit.org/show_bug.cgi?id=192386
2248         <rdar://problem/46445516>
2249
2250         Reviewed by Saam Barati.
2251
2252         * stress/regress-192386.js: Added.
2253
2254 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2255
2256         [ESNext][BigInt] Support logic operations
2257         https://bugs.webkit.org/show_bug.cgi?id=179903
2258
2259         Reviewed by Yusuke Suzuki.
2260
2261         * stress/big-int-branch-usage.js: Added.
2262         * stress/big-int-logical-and.js: Added.
2263         * stress/big-int-logical-not.js: Added.
2264         * stress/big-int-logical-or.js: Added.
2265
2266 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2267
2268         Unreviewed, rolling out r238833.
2269
2270         Breaks macOS and iOS debug builds.
2271
2272         Reverted changeset:
2273
2274         "[ESNext][BigInt] Support logic operations"
2275         https://bugs.webkit.org/show_bug.cgi?id=179903
2276         https://trac.webkit.org/changeset/238833
2277
2278 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2279
2280         [ESNext][BigInt] Support logic operations
2281         https://bugs.webkit.org/show_bug.cgi?id=179903
2282
2283         Reviewed by Yusuke Suzuki.
2284
2285         * stress/big-int-branch-usage.js: Added.
2286         * stress/big-int-logical-and.js: Added.
2287         * stress/big-int-logical-not.js: Added.
2288         * stress/big-int-logical-or.js: Added.
2289
2290 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2291
2292         [ESNext][BigInt] Implement support for "<<" and ">>"
2293         https://bugs.webkit.org/show_bug.cgi?id=186233
2294
2295         Reviewed by Yusuke Suzuki.
2296
2297         * stress/big-int-left-shift-general.js: Added.
2298         * stress/big-int-left-shift-range-error.js: Added.
2299         * stress/big-int-left-shift-type-error.js: Added.
2300         * stress/big-int-left-shift-wrapped-value.js: Added.
2301         * stress/big-int-right-shift-general.js: Added.
2302         * stress/big-int-right-shift-type-error.js: Added.
2303         * stress/big-int-right-shift-wrapped-value.js: Added.
2304         * stress/left-shift-to-primitive-precedence.js: Added.
2305         * stress/right-shift-to-primitive-precedence.js: Added.
2306
2307 2018-11-30  Dean Jackson  <dino@apple.com>
2308
2309         Add first-class support for .mjs files in jsc binary
2310         https://bugs.webkit.org/show_bug.cgi?id=192190
2311         <rdar://problem/46375715>
2312
2313         Reviewed by Keith Miller.
2314
2315         * stress/simple-module.mjs: Added.
2316         * stress/simple-script.js: Added.
2317
2318 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2319
2320         [BigInt] Implement ValueBitXor into DFG
2321         https://bugs.webkit.org/show_bug.cgi?id=190264
2322
2323         Reviewed by Yusuke Suzuki.
2324
2325         * stress/big-int-bitwise-xor-jit.js: Added.
2326         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2327         * stress/big-int-bitwise-xor-untyped.js: Added.
2328
2329 2018-11-27  Saam barati  <sbarati@apple.com>
2330
2331         r238510 broke scopes of size zero
2332         https://bugs.webkit.org/show_bug.cgi?id=192033
2333         <rdar://problem/46281734>
2334
2335         Reviewed by Keith Miller.
2336
2337         * stress/r238510-bad-loop.js: Added.
2338         (foo):
2339
2340 2018-11-27  Mark Lam  <mark.lam@apple.com>
2341
2342         [Re-landing] NaNs read from Wasm code needs to be purified.
2343         https://bugs.webkit.org/show_bug.cgi?id=191056
2344         <rdar://problem/45660341>
2345
2346         Reviewed by Filip Pizlo.
2347
2348         * wasm/regress/regress-191056.js: Added.
2349
2350 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2351
2352         Unreviewed, rolling out r238509.
2353
2354         Causes JSC tests to fail on iOS.
2355
2356         Reverted changeset:
2357
2358         "NaNs read from Wasm code needs to be purified."
2359         https://bugs.webkit.org/show_bug.cgi?id=191056
2360         https://trac.webkit.org/changeset/238509
2361
2362 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2363
2364         Re-introduce op_bitnot
2365         https://bugs.webkit.org/show_bug.cgi?id=190923
2366
2367         Reviewed by Yusuke Suzuki.
2368
2369         * stress/bit-not-must-generate.js: Added.
2370         * stress/bitwise-not-no-int32.js: Added.
2371
2372 2018-11-26  Saam barati  <sbarati@apple.com>
2373
2374         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2375         https://bugs.webkit.org/show_bug.cgi?id=191956
2376         <rdar://problem/45665806>
2377
2378         Reviewed by Yusuke Suzuki.
2379
2380         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2381         (bar):
2382         (foo):
2383
2384 2018-11-26  Saam barati  <sbarati@apple.com>
2385
2386         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2387         https://bugs.webkit.org/show_bug.cgi?id=191958
2388         <rdar://problem/46221877>
2389
2390         Reviewed by Yusuke Suzuki.
2391
2392         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2393         (x):
2394         (foo):
2395
2396 2018-11-26  Mark Lam  <mark.lam@apple.com>
2397
2398         NaNs read from Wasm code needs to be purified.
2399         https://bugs.webkit.org/show_bug.cgi?id=191056
2400         <rdar://problem/45660341>
2401
2402         Reviewed by Filip Pizlo.
2403
2404         * wasm/regress/regress-191056.js: Added.
2405
2406 2018-11-26  Michael Saboff  <msaboff@apple.com>
2407
2408         32-bit JSC test failure: stress/regexp-compile-oom.js
2409         https://bugs.webkit.org/show_bug.cgi?id=191375
2410
2411         Reviewed by Mark Lam.
2412
2413         Disabled the test for 32 bit platforms.
2414
2415         * stress/regexp-compile-oom.js:
2416
2417 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2418
2419         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2420         https://bugs.webkit.org/show_bug.cgi?id=191716
2421         <rdar://problem/45723878>
2422
2423         Reviewed by Saam Barati.
2424
2425         * stress/regress-187373.js: Added.
2426         (async.fn):
2427
2428 2018-11-21  Saam barati  <sbarati@apple.com>
2429
2430         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2431         https://bugs.webkit.org/show_bug.cgi?id=191897
2432         <rdar://problem/45871998>
2433
2434         Reviewed by Mark Lam.
2435
2436         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2437         (bar):
2438         (foo):
2439
2440 2018-11-21  Saam barati  <sbarati@apple.com>
2441
2442         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2443         https://bugs.webkit.org/show_bug.cgi?id=191895
2444         <rdar://problem/46167406>
2445
2446         Reviewed by Mark Lam.
2447
2448         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2449         (foo):
2450         (bar):
2451
2452 2018-11-21  Mark Lam  <mark.lam@apple.com>
2453
2454         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2455         https://bugs.webkit.org/show_bug.cgi?id=191776
2456         <rdar://problem/46152851>
2457
2458         Reviewed by Saam Barati.
2459
2460         * stress/big-wasm-memory-grow-no-max.js:
2461         * stress/big-wasm-memory-grow.js:
2462         * stress/big-wasm-memory.js:
2463         - updated these to expect an OutOfMemoryError.
2464
2465         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2466         (Binary.prototype.emit_u8):
2467         (Binary.prototype.emit_u32v):
2468         (Binary.prototype.emit_header):
2469         (Binary.prototype.emit_section):
2470         (Binary):
2471         (WasmModuleBuilder):
2472         (WasmModuleBuilder.prototype.addMemory):
2473         (WasmModuleBuilder.prototype.toArray):
2474         (WasmModuleBuilder.prototype.toBuffer):
2475         (WasmModuleBuilder.prototype.instantiate):
2476         (catch):
2477         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2478         (catch):
2479
2480 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2481
2482         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2483         https://bugs.webkit.org/show_bug.cgi?id=190836
2484
2485         Reviewed by Saam Barati and Yusuke Suzuki.
2486
2487         * stress/big-int-out-of-memory-tests.js: Added.
2488
2489 2018-11-20  Mark Lam  <mark.lam@apple.com>
2490
2491         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2492         https://bugs.webkit.org/show_bug.cgi?id=191856
2493         <rdar://problem/46089992>
2494
2495         Reviewed by Yusuke Suzuki.
2496
2497         * stress/regress-191856.js: Added.
2498         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2499
2500 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2501
2502         Enable JIT on ARM/Linux
2503         https://bugs.webkit.org/show_bug.cgi?id=191548
2504
2505         Reviewed by Yusuke Suzuki.
2506
2507         Disable test on system with limited memory. Program was killed by
2508         the OS before the exception was thrown.
2509
2510         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2511
2512 2018-11-20  Saam barati  <sbarati@apple.com>
2513
2514         Merging an IC variant may lead to the IC status containing overlapping structure sets
2515         https://bugs.webkit.org/show_bug.cgi?id=191869
2516         <rdar://problem/45403453>
2517
2518         Reviewed by Mark Lam.
2519
2520         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2521
2522 2018-11-19  Mark Lam  <mark.lam@apple.com>
2523
2524         globalFuncImportModule() should return a promise when it clears exceptions.
2525         https://bugs.webkit.org/show_bug.cgi?id=191792
2526         <rdar://problem/46090763>
2527
2528         Reviewed by Michael Saboff.
2529
2530         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2531
2532 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2533
2534         Skip new memory-hungry tests on memory limited devices
2535
2536         Unreviewed gardening.
2537
2538         * stress/big-wasm-memory-grow-no-max.js:
2539         * stress/big-wasm-memory-grow.js:
2540         * stress/big-wasm-memory.js:
2541
2542 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2543
2544         Unreviewed, rolling in the rest of r237254
2545         https://bugs.webkit.org/show_bug.cgi?id=190340
2546
2547         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2548         * stress/function-cache-with-parameters-end-position.js: Added.
2549         (shouldBe):
2550         (shouldThrow):
2551         (i.anonymous):
2552         * stress/function-constructor-name.js: Added.
2553         (shouldBe):
2554         (GeneratorFunction):
2555         (AsyncFunction.async):
2556         (AsyncGeneratorFunction.async):
2557         (anonymous):
2558         (async.anonymous):
2559         * test262/expectations.yaml:
2560
2561 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2562
2563         All users of ArrayBuffer should agree on the same max size
2564         https://bugs.webkit.org/show_bug.cgi?id=191771
2565
2566         Reviewed by Mark Lam.
2567
2568         * stress/big-wasm-memory-grow-no-max.js: Added.
2569         (foo):
2570         (catch):
2571         * stress/big-wasm-memory-grow.js: Added.
2572         (foo):
2573         (catch):
2574         * stress/big-wasm-memory.js: Added.
2575         (foo):
2576         (catch):
2577
2578 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2579
2580         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2581         run for each JSC config since they're regression tests for runtime bugs.
2582
2583         * stress/json-stringified-overflow-2.js:
2584         * stress/json-stringified-overflow.js:
2585
2586 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2587
2588         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2589         config since they're regression tests for runtime bugs.
2590
2591         * stress/large-unshift-splice.js:
2592         * stress/regress-185888.js:
2593
2594 2018-11-16  Saam Barati  <sbarati@apple.com>
2595
2596         KnownCellUse should also have SpecCellCheck as its type filter
2597         https://bugs.webkit.org/show_bug.cgi?id=191729
2598         <rdar://problem/45872852>
2599
2600         Reviewed by Filip Pizlo.
2601
2602         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2603         (C):
2604
2605 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2606
2607         Fix assertion failure on BytecodeGenerator::recordOpcode
2608         https://bugs.webkit.org/show_bug.cgi?id=191724
2609         <rdar://problem/45724395>
2610
2611         Reviewed by Saam Barati.
2612
2613         * stress/regress-187373-2.js: Added.
2614         (foo):
2615
2616 2018-11-15  Mark Lam  <mark.lam@apple.com>
2617
2618         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2619         https://bugs.webkit.org/show_bug.cgi?id=191730
2620         <rdar://problem/46048517>
2621
2622         Reviewed by Saam Barati.
2623
2624         * stress/regress-187006.js: Removed.
2625           - this test is invalid because its sole purpose is to test for the non-spec
2626             compliant behavior that we just fixed.
2627
2628         * stress/regress-191730.js: Added.
2629
2630 2018-11-15  Mark Lam  <mark.lam@apple.com>
2631
2632         RegExp operations should not take fast path if lastIndex is not numeric.
2633         https://bugs.webkit.org/show_bug.cgi?id=191731
2634         <rdar://problem/46017305>
2635
2636         Reviewed by Saam Barati.
2637
2638         * stress/regress-191731.js: Added.
2639
2640 2018-11-13  Saam Barati  <sbarati@apple.com>
2641
2642         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2643         https://bugs.webkit.org/show_bug.cgi?id=191600
2644
2645         Reviewed by Mark Lam.
2646
2647         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2648         (foo):
2649         (test):
2650         (bar):
2651
2652 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2653
2654         Unreviewed, rolling out r238132.
2655
2656         The test added with this change is timing out on Debug JSC
2657         bots.
2658
2659         Reverted changeset:
2660
2661         "[BigInt] JSBigInt::createWithLength should throw when length
2662         is greater than JSBigInt::maxLength"
2663         https://bugs.webkit.org/show_bug.cgi?id=190836
2664         https://trac.webkit.org/changeset/238132
2665
2666 2018-11-13  Mark Lam  <mark.lam@apple.com>
2667
2668         Add OOM detection to StringPrototype's substituteBackreferences().
2669         https://bugs.webkit.org/show_bug.cgi?id=191563
2670         <rdar://problem/45720428>
2671
2672         Reviewed by Saam Barati.
2673
2674         * stress/regress-191563.js: Added.
2675
2676 2018-11-13  Mark Lam  <mark.lam@apple.com>
2677
2678         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2679         https://bugs.webkit.org/show_bug.cgi?id=191579
2680         <rdar://problem/45942472>
2681
2682         Reviewed by Saam Barati.
2683
2684         * stress/regress-191579.js: Added.
2685
2686 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2687
2688         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2689         https://bugs.webkit.org/show_bug.cgi?id=190836
2690
2691         Reviewed by Saam Barati.
2692
2693         * stress/big-int-out-of-memory-tests.js: Added.
2694
2695 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2696
2697         U+180E is no longer a whitespace character
2698         https://bugs.webkit.org/show_bug.cgi?id=191415
2699
2700         Reviewed by Saam Barati.
2701
2702         * ChakraCore/test/es5/regexSpace.baseline:
2703         * ChakraCore/test/es6/unicode_whitespace.js:
2704         Update tests to latest version.
2705         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2706
2707         * test262.yaml:
2708         * test262/config.yaml:
2709         * test262/expectations.yaml:
2710         Update expectations.
2711
2712 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2713
2714         [BigInt] Add support to BigInt into ValueAdd
2715         https://bugs.webkit.org/show_bug.cgi?id=186177
2716
2717         Reviewed by Keith Miller.
2718
2719         * stress/big-int-negate-jit.js:
2720         * stress/value-add-big-int-and-string.js: Added.
2721         * stress/value-add-big-int-prediction-propagation.js: Added.
2722         * stress/value-add-big-int-untyped.js: Added.
2723
2724 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2725
2726         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2727         https://bugs.webkit.org/show_bug.cgi?id=191184
2728
2729         Reviewed by Saam Barati.
2730
2731         Most tests were failing due to timeouts, since they are too slow to
2732         run on CLoop. The exceptions are:
2733
2734         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2735         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2736         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2737         to change the stack size since CLoop requires it to be page aligned.
2738
2739         * microbenchmarks/array-push-1.js:
2740         * microbenchmarks/array-push-2.js:
2741         * microbenchmarks/elidable-new-object-dag.js:
2742         * microbenchmarks/elidable-new-object-roflcopter.js:
2743         * microbenchmarks/elidable-new-object-tree.js:
2744         * microbenchmarks/getter-richards.js:
2745         * microbenchmarks/sinkable-new-object-dag.js:
2746         * microbenchmarks/string-concat-long-convert.js:
2747         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2748         * slowMicrobenchmarks/array-push-3.js:
2749         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2750         * slowMicrobenchmarks/spread-small-array.js:
2751         * slowMicrobenchmarks/undefined-property-access.js:
2752         * stress/activation-sink-default-value-tdz-error.js:
2753         * stress/activation-sink-default-value.js:
2754         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2755         * stress/activation-sink-osrexit-default-value.js:
2756         * stress/activation-sink-osrexit.js:
2757         * stress/activation-sink.js:
2758         * stress/allow-math-ic-b3-code-duplication.js:
2759         * stress/array-push-multiple-int32.js:
2760         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2761         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2762         * stress/arrowfunction-lexical-this-activation-sink.js:
2763         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2764         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2765         * stress/elide-new-object-dag-then-exit.js:
2766         * stress/materialize-regexp-cyclic.js:
2767         * stress/new-regex-inline.js:
2768         * stress/op_add.js:
2769         * stress/op_bitand.js:
2770         * stress/op_bitor.js:
2771         * stress/op_bitxor.js:
2772         * stress/op_div-ConstVar.js:
2773         * stress/op_div-VarConst.js:
2774         * stress/op_div-VarVar.js:
2775         * stress/op_lshift-ConstVar.js:
2776         * stress/op_lshift-VarConst.js:
2777         * stress/op_lshift-VarVar.js:
2778         * stress/op_mod-ConstVar.js:
2779         * stress/op_mod-VarConst.js:
2780         * stress/op_mod-VarVar.js:
2781         * stress/op_mul-ConstVar.js:
2782         * stress/op_mul-VarConst.js:
2783         * stress/op_mul-VarVar.js:
2784         * stress/op_rshift-ConstVar.js:
2785         * stress/op_rshift-VarConst.js:
2786         * stress/op_rshift-VarVar.js:
2787         * stress/op_sub-ConstVar.js:
2788         * stress/op_sub-VarConst.js:
2789         * stress/op_sub-VarVar.js:
2790         * stress/op_urshift-ConstVar.js:
2791         * stress/op_urshift-VarConst.js:
2792         * stress/op_urshift-VarVar.js:
2793         * stress/proxy-get-set-correct-receiver.js:
2794         * stress/regress-179562.js:
2795         * stress/rest-parameter-many-arguments.js:
2796         * stress/sampling-profiler-richards.js:
2797         * stress/splay-flash-access-1ms.js:
2798         * stress/tailCallForwardArguments.js:
2799         * stress/typed-array-get-by-val-profiling.js:
2800         * typeProfiler/getter-richards.js:
2801
2802 2018-11-06  Michael Saboff  <msaboff@apple.com>
2803
2804         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2805         https://bugs.webkit.org/show_bug.cgi?id=191271
2806
2807         Reviewed by Saam Barati.
2808
2809         Added more test cases and made all test cases run with the same deeply recursive stack
2810         instead of finding that same point for each test case.
2811
2812         * stress/regexp-compile-oom.js:
2813         (prototype.runTest):
2814         (recurseAndTest):
2815         (testList.push.new.TestAndExpectedException):
2816
2817 2018-11-05  Michael Saboff  <msaboff@apple.com>
2818
2819         Unreviewed build fix for linux.
2820
2821         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2822
2823 2018-11-02  Michael Saboff  <msaboff@apple.com>
2824
2825         Rolling in r237753 with unreviewed build fix.
2826
2827         Fixed issues with DECLARE_THROW_SCOPE placement.
2828
2829 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2830
2831         Unreviewed, rolling out r237753.
2832
2833         Introduced JSC test failures
2834
2835         Reverted changeset:
2836
2837         "Running out of stack space not properly handled in
2838         RegExp::compile() and its callers"
2839         https://bugs.webkit.org/show_bug.cgi?id=191206
2840         https://trac.webkit.org/changeset/237753
2841
2842 2018-11-02  Michael Saboff  <msaboff@apple.com>
2843
2844         Running out of stack space not properly handled in RegExp::compile() and its callers
2845         https://bugs.webkit.org/show_bug.cgi?id=191206
2846
2847         Reviewed by Filip Pizlo.
2848
2849         New regression test.
2850
2851         * stress/regexp-compile-oom.js: Added.
2852         (recurseAndTest):
2853
2854 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2855
2856         Skip tests on arm/mips that time out now we're running on CLoop
2857
2858         Unreviewed gardening.
2859
2860         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2861         time out on the bots and need to be disabled. There's more tests
2862         disabled on arm because the timeout is longer on the mips bot (as the
2863         device is slower to start with), so many of the tests don't time out
2864         there.
2865
2866         * microbenchmarks/getter-richards.js: disable on arm and mips.
2867         * stress/op_add.js: disable on arm.
2868         * stress/op_bitand.js: disable on arm.
2869         * stress/op_bitor.js: disable on arm.
2870         * stress/op_bitxor.js: disable on arm.
2871         * stress/op_lshift-ConstVar.js: disable on arm.
2872         * stress/op_lshift-VarConst.js: disable on arm.
2873         * stress/op_lshift-VarVar.js: disable on arm.
2874         * stress/op_mod-ConstVar.js: disable on arm.
2875         * stress/op_mod-VarConst.js: disable on arm.
2876         * stress/op_mod-VarVar.js: disable on arm.
2877         * stress/op_mul-ConstVar.js: disable on arm.
2878         * stress/op_mul-VarConst.js: disable on arm.
2879         * stress/op_mul-VarVar.js: disable on arm.
2880         * stress/op_rshift-ConstVar.js: disable on arm.
2881         * stress/op_rshift-VarConst.js: disable on arm.
2882         * stress/op_rshift-VarVar.js: disable on arm.
2883         * stress/op_sub-ConstVar.js: disable on arm.
2884         * stress/op_sub-VarConst.js: disable on arm.
2885         * stress/op_sub-VarVar.js: disable on arm.
2886         * stress/op_urshift-ConstVar.js: disable on arm.
2887         * stress/op_urshift-VarConst.js: disable on arm.
2888         * stress/op_urshift-VarVar.js: disable on arm.
2889         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2890         * stress/value-to-boolean.js: disable on arm and mips.
2891
2892 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2893
2894         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2895         https://bugs.webkit.org/show_bug.cgi?id=191108
2896         <rdar://problem/45690700>
2897
2898         Reviewed by Saam Barati.
2899
2900         * stress/wide-op_catch.js: Added.
2901         (catch):
2902
2903 2018-10-29  Mark Lam  <mark.lam@apple.com>
2904
2905         Correctly detect string overflow when using the 'Function' constructor.
2906         https://bugs.webkit.org/show_bug.cgi?id=184883
2907         <rdar://problem/36320331>
2908
2909         Reviewed by Saam Barati.
2910
2911         I've verified that this passes on 32-bit as well.
2912
2913         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2914
2915 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2916
2917         Add support for GetStack FlushedDouble
2918         https://bugs.webkit.org/show_bug.cgi?id=191012
2919         <rdar://problem/45265141>
2920
2921         Reviewed by Saam Barati.
2922
2923         * stress/get-stack-double.js: Added.
2924         (bar):
2925         (noInline):
2926
2927 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2928
2929         New bytecode format for JSC
2930         https://bugs.webkit.org/show_bug.cgi?id=187373
2931         <rdar://problem/44186758>
2932
2933         Reviewed by Filip Pizlo.
2934
2935         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2936
2937         * stress/maximum-inline-capacity.js: Added.
2938         (test1):
2939         (test3.Foo):
2940         (test3):
2941
2942 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2943
2944         Unreviewed, rolling out r237479 and r237484.
2945         https://bugs.webkit.org/show_bug.cgi?id=190978
2946
2947         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2948
2949         Reverted changesets:
2950
2951         "New bytecode format for JSC"
2952         https://bugs.webkit.org/show_bug.cgi?id=187373
2953         https://trac.webkit.org/changeset/237479
2954
2955         "Gardening: Build fix after r237479."
2956         https://bugs.webkit.org/show_bug.cgi?id=187373
2957         https://trac.webkit.org/changeset/237484
2958
2959 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2960
2961         New bytecode format for JSC
2962         https://bugs.webkit.org/show_bug.cgi?id=187373
2963         <rdar://problem/44186758>
2964
2965         Reviewed by Filip Pizlo.
2966
2967         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2968
2969         * stress/maximum-inline-capacity.js: Added.
2970         (test1):
2971         (test3.Foo):
2972         (test3):
2973
2974 2018-10-26  Mark Lam  <mark.lam@apple.com>
2975
2976         Fix missing edge cases with JSGlobalObjects having a bad time.
2977         https://bugs.webkit.org/show_bug.cgi?id=189028
2978         <rdar://problem/45204939>
2979
2980         Reviewed by Saam Barati.
2981
2982         * stress/regress-189028.js: Added.
2983
2984 2018-10-22  Mark Lam  <mark.lam@apple.com>
2985
2986         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2987         https://bugs.webkit.org/show_bug.cgi?id=190515
2988         <rdar://problem/45222379>
2989
2990         Rubber-stamped by Saam Barati.
2991
2992         Adding another test.
2993
2994         * stress/regress-190515-2.js: Added.
2995
2996 2018-10-22  Mark Lam  <mark.lam@apple.com>
2997
2998         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2999         https://bugs.webkit.org/show_bug.cgi?id=190515
3000         <rdar://problem/45222379>
3001
3002         Reviewed by Saam Barati.
3003
3004         * stress/regress-190515.js: Added.
3005
3006 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3007
3008         Unreviewed, rolling out r237254.
3009         https://bugs.webkit.org/show_bug.cgi?id=190760
3010
3011         "It regresses JetStream 2 by 5% on some iOS devices"
3012         (Requested by saamyjoon on #webkit).
3013
3014         Reverted changeset:
3015
3016         "[JSC] JSC should have "parseFunction" to optimize Function
3017         constructor"
3018         https://bugs.webkit.org/show_bug.cgi?id=190340
3019         https://trac.webkit.org/changeset/237254
3020
3021 2018-10-19  Saam Barati  <sbarati@apple.com>
3022
3023         vmCall should check if we exit before emitting an OSR exit due to exceptions
3024         https://bugs.webkit.org/show_bug.cgi?id=190740
3025         <rdar://problem/45220139>
3026
3027         Reviewed by Mark Lam.
3028
3029         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3030         (foo):
3031
3032 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3033
3034         [ESNext][BigInt] Implement support for "^"
3035         https://bugs.webkit.org/show_bug.cgi?id=186235
3036
3037         Reviewed by Yusuke Suzuki.
3038
3039         * stress/big-int-bitwise-xor-general.js: Added.
3040         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3041         * stress/big-int-bitwise-xor-type-error.js: Added.
3042         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3043
3044 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3045
3046         [BigInt] Add ValueSub into DFG
3047         https://bugs.webkit.org/show_bug.cgi?id=186176
3048
3049         Reviewed by Yusuke Suzuki.
3050
3051         * stress/big-int-subtraction-jit.js:
3052         * stress/value-sub-big-int-prediction-propagation.js: Added.
3053         * stress/value-sub-big-int-untyped.js: Added.
3054         * stress/value-sub-spec-none-case.js: Added.
3055
3056 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3057
3058         [JSC] JSC should have "parseFunction" to optimize Function constructor
3059         https://bugs.webkit.org/show_bug.cgi?id=190340
3060
3061         Reviewed by Mark Lam.
3062
3063         This patch fixes the line number of syntax errors raised by the Function constructor,
3064         since we now parse the final code only once. And we no longer use block statement
3065         for Function constructor's parsing.
3066
3067         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3068         * stress/function-cache-with-parameters-end-position.js: Added.
3069         (shouldBe):
3070         (shouldThrow):
3071         (i.anonymous):
3072         * stress/function-constructor-name.js: Added.
3073         (shouldBe):
3074         (GeneratorFunction):
3075         (AsyncFunction.async):
3076         (AsyncGeneratorFunction.async):
3077         (anonymous):
3078         (async.anonymous):
3079         * test262/expectations.yaml:
3080
3081 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3082
3083         Unreviewed, rolling out r237242.
3084         https://bugs.webkit.org/show_bug.cgi?id=190701
3085
3086         it breaks "stress/sampling-profiler-basic.js" (Requested by
3087         caiolima on #webkit).
3088
3089         Reverted changeset:
3090
3091         "[BigInt] Add ValueSub into DFG"
3092         https://bugs.webkit.org/show_bug.cgi?id=186176
3093         https://trac.webkit.org/changeset/237242
3094
3095 2018-10-17  Keith Miller  <keith_miller@apple.com>
3096
3097         AI does not clear Phantom allocation nodes.
3098         https://bugs.webkit.org/show_bug.cgi?id=190694
3099
3100         Reviewed by Saam Barati.
3101
3102         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3103         (Day):
3104         (DaysInYear):
3105         (TimeInYear):
3106         (TimeFromYear):
3107         (DayFromYear):
3108         (InLeapYear):
3109         (YearFromTime):
3110         (WeekDay):
3111         (DaylightSavingTA):
3112         (GetSecondSundayInMarch):
3113         (TimeInMonth):
3114
3115 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3116
3117         [BigInt] Add ValueSub into DFG
3118         https://bugs.webkit.org/show_bug.cgi?id=186176
3119
3120         Reviewed by Yusuke Suzuki.
3121
3122         * stress/big-int-subtraction-jit.js:
3123         * stress/value-sub-big-int-prediction-propagation.js: Added.
3124         * stress/value-sub-big-int-untyped.js: Added.
3125
3126 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3127
3128         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3129         https://bugs.webkit.org/show_bug.cgi?id=190611
3130
3131         Reviewed by Saam Barati.
3132
3133         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3134         to improve test runtime. On ARM/MIPS this test even timed out when running all
3135         tests.
3136
3137         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3138         (test):
3139
3140 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3141
3142         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3143
3144         Unreviewed gardening.
3145
3146         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3147
3148 2018-10-15  Saam Barati  <sbarati@apple.com>
3149
3150         Emit fjcvtzs on ARM64E on Darwin
3151         https://bugs.webkit.org/show_bug.cgi?id=184023
3152
3153         Reviewed by Yusuke Suzuki and Filip Pizlo.
3154
3155         * stress/double-to-int32-NaN.js: Added.
3156         (assert):
3157         (foo):
3158
3159 2018-10-15  Saam Barati  <sbarati@apple.com>
3160
3161         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3162         https://bugs.webkit.org/show_bug.cgi?id=190262
3163         <rdar://problem/44986241>
3164
3165         Reviewed by Mark Lam.
3166
3167         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3168         (test):
3169         * stress/slice-array-storage-with-holes.js: Added.
3170         (main):
3171
3172 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3173
3174         Unreviewed, rolling out r237054.
3175         https://bugs.webkit.org/show_bug.cgi?id=190593
3176
3177         "this regressed JetStream 2 by 6% on iOS" (Requested by
3178         saamyjoon on #webkit).
3179
3180         Reverted changeset:
3181
3182         "[JSC] JSC should have "parseFunction" to optimize Function
3183         constructor"
3184         https://bugs.webkit.org/show_bug.cgi?id=190340
3185         https://trac.webkit.org/changeset/237054
3186
3187 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3188
3189         [JSC] JSON.stringify can accept call-with-no-arguments
3190         https://bugs.webkit.org/show_bug.cgi?id=190343
3191
3192         Reviewed by Mark Lam.
3193
3194         * stress/json-stringify-no-arguments.js: Added.
3195         (shouldBe):
3196
3197 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3198
3199         [JSC] JSC should have "parseFunction" to optimize Function constructor
3200         https://bugs.webkit.org/show_bug.cgi?id=190340
3201
3202         Reviewed by Mark Lam.
3203
3204         This patch fixes the line number of syntax errors raised by the Function constructor,
3205         since we now parse the final code only once. And we no longer use block statement
3206         for Function constructor's parsing.
3207
3208         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3209         * stress/function-cache-with-parameters-end-position.js: Added.
3210         (shouldBe):
3211         (shouldThrow):
3212         (i.anonymous):
3213         * stress/function-constructor-name.js: Added.
3214         (shouldBe):
3215         (GeneratorFunction):
3216         (AsyncFunction.async):
3217         (AsyncGeneratorFunction.async):
3218         (anonymous):
3219         (async.anonymous):
3220         * test262/expectations.yaml:
3221
3222 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3223
3224         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3225         https://bugs.webkit.org/show_bug.cgi?id=190426
3226
3227         Unreviewed gardening.
3228
3229         * stress/sampling-profiler-richards.js:
3230
3231 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3232
3233         [ESNext][BigInt] Implement support for "|"
3234         https://bugs.webkit.org/show_bug.cgi?id=186229
3235
3236         Reviewed by Yusuke Suzuki.
3237
3238         * stress/big-int-bitwise-and-jit.js:
3239         * stress/big-int-bitwise-or-general.js: Added.
3240         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3241         * stress/big-int-bitwise-or-jit.js: Added.
3242         * stress/big-int-bitwise-or-memory-stress.js: Added.
3243         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3244         * stress/big-int-bitwise-or-type-error.js: Added.
3245         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3246
3247 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3248
3249         Skip test on systems with limited memory
3250         https://bugs.webkit.org/show_bug.cgi?id=190310
3251
3252         Invoking runDefault adds test to runlist; skipping the test in the next
3253         line does not prevent the test from executing. Change order of lines such
3254         that runDefault is only executed if test is not executed.
3255
3256         Reviewed by Mark Lam.
3257
3258         * stress/regress-190187.js:
3259
3260 2018-10-03  Saam Barati  <sbarati@apple.com>
3261
3262         lowXYZ in FTLLower should always filter the type of the incoming edge
3263         https://bugs.webkit.org/show_bug.cgi?id=189939
3264         <rdar://problem/44407030>
3265
3266         Reviewed by Michael Saboff.
3267
3268         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3269         (foo):
3270         (test):
3271
3272 2018-10-03  Mark Lam  <mark.lam@apple.com>
3273
3274         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3275         https://bugs.webkit.org/show_bug.cgi?id=190187
3276         <rdar://problem/42512909>
3277
3278         Reviewed by Michael Saboff.
3279
3280         * stress/regress-190187.js: Added.
3281
3282 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3283
3284         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3285         https://bugs.webkit.org/show_bug.cgi?id=190033
3286
3287         Reviewed by Yusuke Suzuki.
3288
3289         * stress/big-int-to-string.js:
3290
3291 2018-10-01  Mark Lam  <mark.lam@apple.com>
3292
3293         Function.toString() should also copy the source code of Functions that are class definitions.
3294         https://bugs.webkit.org/show_bug.cgi?id=190186
3295         <rdar://problem/44733360>
3296
3297         Reviewed by Saam Barati.
3298
3299         * stress/regress-190186.js: Added.
3300
3301 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3302
3303         Split NaN-check into separate test
3304         https://bugs.webkit.org/show_bug.cgi?id=190010
3305
3306         Reviewed by Saam Barati.
3307
3308         DataView exposes NaN-representation, which is not necessarily the same on each
3309         architecture. Therefore move the check of the NaN-representation into its own
3310         file such that we can disable this test on MIPS where NaN-representation can be
3311         different on older CPUs.
3312
3313         * stress/dataview-jit-set-nan.js: Added.
3314         (assert):
3315         (test.storeLittleEndian):
3316         (test.storeBigEndian):
3317         (test.store):
3318         (test):
3319         * stress/dataview-jit-set.js:
3320         (test5):
3321
3322 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3323
3324         Unreviewed, rolling out r236647.
3325         https://bugs.webkit.org/show_bug.cgi?id=190124
3326
3327         Breaking test stress/big-int-to-string.js (Requested by
3328         caiolima_ on #webkit).
3329
3330         Reverted changeset:
3331
3332         "[BigInt] BigInt.prototype.toString is broken when radix is
3333         power of 2"
3334         https://bugs.webkit.org/show_bug.cgi?id=190033
3335         https://trac.webkit.org/changeset/236647
3336
3337 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3338
3339         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3340         https://bugs.webkit.org/show_bug.cgi?id=190033
3341
3342         Reviewed by Yusuke Suzuki.
3343
3344         * stress/big-int-to-string.js:
3345
3346 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3347
3348         [ESNext][BigInt] Implement support for "&"
3349         https://bugs.webkit.org/show_bug.cgi?id=186228
3350
3351         Reviewed by Yusuke Suzuki.
3352
3353         * stress/big-int-bitwise-and-general.js: Added.
3354         (assert):
3355         (assert.sameValue):
3356         * stress/big-int-bitwise-and-jit.js: Added.
3357         (let.assert.sameValue):
3358         (bigIntBitAnd):
3359         * stress/big-int-bitwise-and-memory-stress.js: Added.
3360         (assert):
3361         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3362         (assert.sameValue):
3363         (let.o.Symbol.toPrimitive):
3364         (catch):
3365         * stress/big-int-bitwise-and-type-error.js: Added.
3366         (assert):
3367         (assertThrowTypeError):
3368         (let.o.valueOf):
3369         (o.valueOf):
3370         (o.toString):
3371         (o.Symbol.toPrimitive):
3372         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3373         (assert.sameValue):
3374         (testBitAnd):
3375         (let.o.Symbol.toPrimitive):
3376         (o.valueOf):
3377         (o.toString):
3378
3379 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3380
3381         JSC test stress/jsc-read.js doesn't support CRLF
3382         https://bugs.webkit.org/show_bug.cgi?id=190063
3383
3384         Reviewed by Yusuke Suzuki.
3385
3386         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3387
3388         * stress/jsc-read.js:
3389         (test):
3390
3391 2018-09-27  Saam Barati  <sbarati@apple.com>
3392
3393         Verify the contents of AssemblerBuffer on arm64e
3394         https://bugs.webkit.org/show_bug.cgi?id=190057
3395         <rdar://problem/38916630>
3396
3397         Reviewed by Mark Lam.
3398
3399         * stress/regress-189132.js:
3400
3401 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3402
3403         Disable test without LLInt on ARMv7
3404         https://bugs.webkit.org/show_bug.cgi?id=190037
3405
3406         Reviewed by Mark Lam.
3407
3408         Test runs out of executable memory on ARMv7; do not run
3409         this test without LLInt enabled.
3410
3411         * stress/regress-169445.js:
3412
3413 2018-09-26  Keith Miller  <keith_miller@apple.com>
3414
3415         We should zero unused property storage when rebalancing array storage.
3416         https://bugs.webkit.org/show_bug.cgi?id=188151
3417
3418         Reviewed by Michael Saboff.
3419
3420         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3421
3422 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3423
3424         [JSC] Optimize Array#lastIndexOf
3425         https://bugs.webkit.org/show_bug.cgi?id=189780
3426
3427         Reviewed by Saam Barati.
3428
3429         * stress/array-lastindexof-array-prototype-trap.js: Added.
3430         (shouldBe):
3431         (AncestorArray.prototype.get 2):
3432         (AncestorArray):
3433         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3434         (shouldBe):
3435         * stress/array-lastindexof-hole-nan.js: Added.
3436         (shouldBe):
3437         (throw.new.Error):
3438         * stress/array-lastindexof-infinity.js: Added.
3439         (shouldBe):
3440         (throw.new.Error):
3441         * stress/array-lastindexof-negative-zero.js: Added.
3442         (shouldBe):
3443         (throw.new.Error):
3444         * stress/array-lastindexof-own-getter.js: Added.
3445         (shouldBe):
3446         (throw.new.Error.get array):
3447         (get array):
3448         * stress/array-lastindexof-prototype-trap.js: Added.
3449         (shouldBe):
3450         (DerivedArray.prototype.get 2):
3451         (DerivedArray):
3452
3453 2018-09-25  Saam Barati  <sbarati@apple.com>
3454
3455         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3456         https://bugs.webkit.org/show_bug.cgi?id=189940
3457         <rdar://problem/43640987>
3458
3459         Reviewed by Mark Lam.
3460
3461         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3462
3463 2018-09-24  Saam Barati  <sbarati@apple.com>
3464
3465         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3466         https://bugs.webkit.org/show_bug.cgi?id=189922
3467         <rdar://problem/44651275>
3468
3469         Reviewed by Mark Lam.
3470
3471         * stress/array-indexof-fast-path-effects.js: Added.
3472         * stress/array-indexof-cached-length.js: Added.
3473
3474 2018-09-24  Saam barati  <sbarati@apple.com>
3475
3476         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3477         https://bugs.webkit.org/show_bug.cgi?id=189682
3478         <rdar://problem/43557315>
3479
3480         Reviewed by Mark Lam.
3481
3482         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3483         (foo):
3484
3485 2018-09-22  Saam barati  <sbarati@apple.com>
3486
3487         The sampling should not use Strong<CodeBlock> in its machineLocation field
3488         https://bugs.webkit.org/show_bug.cgi?id=189319
3489
3490         Reviewed by Filip Pizlo.
3491
3492         * stress/sampling-profiler-richards.js: Added.
3493
3494 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3495
3496         [JSC] Optimize Array#indexOf in C++ runtime
3497         https://bugs.webkit.org/show_bug.cgi?id=189507
3498
3499         Reviewed by Saam Barati.
3500
3501         * stress/array-indexof-array-prototype-trap.js: Added.
3502         (shouldBe):
3503         (AncestorArray.prototype.get 2):
3504         (AncestorArray):
3505         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3506         (shouldBe):
3507         * stress/array-indexof-hole-nan.js: Added.
3508         (shouldBe):
3509         (throw.new.Error):
3510         * stress/array-indexof-infinity.js: Added.
3511         (shouldBe):
3512         (throw.new.Error):
3513         * stress/array-indexof-negative-zero.js: Added.
3514         (shouldBe):
3515         (throw.new.Error):
3516         * stress/array-indexof-own-getter.js: Added.
3517         (shouldBe):
3518         (throw.new.Error.get array):
3519         (get array):
3520         * stress/array-indexof-prototype-trap.js: Added.
3521         (shouldBe):
3522         (DerivedArray.prototype.get 2):
3523         (DerivedArray):
3524
3525 2018-09-19  Saam barati  <sbarati@apple.com>
3526
3527         AI rule for MultiPutByOffset executes its effects in the wrong order
3528         https://bugs.webkit.org/show_bug.cgi?id=189757
3529         <rdar://problem/43535257>
3530
3531         Reviewed by Michael Saboff.
3532
3533         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3534         (foo):
3535         (Foo):
3536         (g):
3537
3538 2018-09-17  Mark Lam  <mark.lam@apple.com>
3539
3540         Ensure that ForInContexts are invalidated if their loop local is over-written.
3541         https://bugs.webkit.org/show_bug.cgi?id=189571
3542         <rdar://problem/44402277>
3543
3544         Reviewed by Saam Barati.
3545
3546         * stress/regress-189571.js: Added.
3547
3548 2018-09-17  Saam barati  <sbarati@apple.com>
3549
3550         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3551         https://bugs.webkit.org/show_bug.cgi?id=189676
3552         <rdar://problem/39682897>
3553
3554         Reviewed by Michael Saboff.
3555
3556         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3557         (A):
3558         (K):
3559         (i.catch):
3560
3561 2018-09-14  Saam barati  <sbarati@apple.com>
3562
3563         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3564         https://bugs.webkit.org/show_bug.cgi?id=189628
3565         <rdar://problem/39481690>
3566
3567         Reviewed by Mark Lam.
3568
3569         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3570         (foo):
3571
3572 2018-09-11  Mark Lam  <mark.lam@apple.com>
3573
3574         Test for array initialization in arrayProtoFuncSplice.
3575         https://bugs.webkit.org/show_bug.cgi?id=170253
3576         <rdar://problem/31328773>
3577
3578         Rubber-stamped by Saam Barati.
3579
3580         * stress/regress-170253.js: Added.
3581
3582 2018-09-11  Mark Lam  <mark.lam@apple.com>
3583
3584         Test for IntlObject initialization.
3585         https://bugs.webkit.org/show_bug.cgi?id=170251
3586         <rdar://problem/31328419>
3587
3588         Rubber-stamped by Saam Barati.
3589
3590         * stress/regress-170251.js: Added.
3591
3592 2018-09-11  Mark Lam  <mark.lam@apple.com>
3593
3594         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3595         https://bugs.webkit.org/show_bug.cgi?id=169889
3596         <rdar://problem/31155607>
3597
3598         Reviewed by Saam Barati.
3599
3600         * stress/regress-169889-array-concat.js: Added.
3601         * stress/regress-169889-array-concat1.js: Added.
3602         * stress/regress-169889-array-slice.js: Added.
3603
3604 2018-09-11  Mark Lam  <mark.lam@apple.com>
3605
3606         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3607         https://bugs.webkit.org/show_bug.cgi?id=169445
3608         <rdar://problem/30957435>
3609
3610         Reviewed by Saam Barati.
3611
3612         * stress/regress-169445.js: Added.
3613         (let.gun.eval.A):
3614         (let.gun.eval.B.C):
3615         (let.gun.eval.B.C.prototype.trigger):
3616         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3617         (let.gun.eval.B):
3618         (let.gun.eval):
3619
3620 == Rolled over to ChangeLog-2018-09-11 ==