[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-23  Saam Barati  <sbarati@apple.com>
2
3         LICM incorrectly assumes it'll never insert a node which provably OSR exits
4         https://bugs.webkit.org/show_bug.cgi?id=196721
5         <rdar://problem/49556479> 
6
7         Reviewed by Filip Pizlo.
8
9         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
10         (foo):
11
12 2019-04-19  Saam Barati  <sbarati@apple.com>
13
14         AbstractValue can represent more than int52
15         https://bugs.webkit.org/show_bug.cgi?id=197118
16         <rdar://problem/49969960>
17
18         Reviewed by Michael Saboff.
19
20         * stress/abstract-value-can-include-int52.js: Added.
21         (foo):
22         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
23
24 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
25
26         [WTF] StringBuilder should set correct m_is8Bit flag when merging
27         https://bugs.webkit.org/show_bug.cgi?id=197053
28
29         Reviewed by Saam Barati.
30
31         * stress/merge-string-builder-in-dfg.js: Added.
32         (foo):
33
34 2019-04-16  Caitlin Potter  <caitp@igalia.com>
35
36         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
37         https://bugs.webkit.org/show_bug.cgi?id=176810
38
39         Reviewed by Saam Barati.
40
41         Add tests for the DontEnum filtering, and variations of other tests
42         take the DontEnum-filtering path.
43
44         * stress/proxy-own-keys.js:
45         (i.catch):
46         (set assert):
47         (set add):
48         (let.set new):
49         (get let):
50
51 2019-04-15  Saam barati  <sbarati@apple.com>
52
53         Modify how we do SetArgument when we inline varargs calls
54         https://bugs.webkit.org/show_bug.cgi?id=196712
55         <rdar://problem/49605012>
56
57         Reviewed by Michael Saboff.
58
59         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
60         (foo):
61
62 2019-04-15  Saam barati  <sbarati@apple.com>
63
64         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
65         https://bugs.webkit.org/show_bug.cgi?id=196945
66         <rdar://problem/49802750>
67
68         Reviewed by Filip Pizlo.
69
70         * stress/get-by-offset-should-use-correct-child.js: Added.
71         (foo.bar):
72         (foo):
73
74 2019-04-15  Robin Morisset  <rmorisset@apple.com>
75
76         DFG should be able to constant fold Object.create() with a constant prototype operand
77         https://bugs.webkit.org/show_bug.cgi?id=196886
78
79         Reviewed by Yusuke Suzuki.
80
81         Note that this new benchmark does not currently see a speedup with inlining removed.
82         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
83
84         * microbenchmarks/object-create-constant-prototype.js: Added.
85         (test):
86
87 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
88
89         Incremental bytecode cache should not append function updates when loaded from memory
90         https://bugs.webkit.org/show_bug.cgi?id=196865
91
92         Reviewed by Filip Pizlo.
93
94         * stress/bytecode-cache-shared-code-block.js: Added.
95         (b):
96         (program):
97
98 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
99
100         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
101         https://bugs.webkit.org/show_bug.cgi?id=196880
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/bytecode-cache-syntax-error.js: Added.
106         (catch):
107
108 2019-04-12  Saam barati  <sbarati@apple.com>
109
110         r244079 logically broke shouldSpeculateInt52
111         https://bugs.webkit.org/show_bug.cgi?id=196884
112
113         Reviewed by Yusuke Suzuki.
114
115         * microbenchmarks/int52-rand-function.js: Added.
116         (Math.random):
117
118 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
119
120         [JSC] op_has_indexed_property should not assume subscript part is Uint32
121         https://bugs.webkit.org/show_bug.cgi?id=196850
122
123         Reviewed by Saam Barati.
124
125         * stress/has-indexed-property-should-accept-non-int32.js: Added.
126         (foo):
127
128 2019-04-11  Saam barati  <sbarati@apple.com>
129
130         Remove invalid assertion in operationInstanceOfCustom
131         https://bugs.webkit.org/show_bug.cgi?id=196842
132         <rdar://problem/49725493>
133
134         Reviewed by Michael Saboff.
135
136         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
137
138 2019-04-10  Saam Barati  <sbarati@apple.com>
139
140         AbstractValue::validateOSREntryValue is wrong for Int52 constants
141         https://bugs.webkit.org/show_bug.cgi?id=196801
142         <rdar://problem/49771122>
143
144         Reviewed by Yusuke Suzuki.
145
146         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
147
148 2019-04-10  Robin Morisset  <rmorisset@apple.com>
149
150         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
151         https://bugs.webkit.org/show_bug.cgi?id=196746
152
153         Reviewed by Yusuke Suzuki.
154
155         * stress/cyclic-define-properties.js: Added.
156         (foo):
157
158 2019-04-09  Saam barati  <sbarati@apple.com>
159
160         Clean up Int52 code and some bugs in it
161         https://bugs.webkit.org/show_bug.cgi?id=196639
162         <rdar://problem/49515757>
163
164         Reviewed by Yusuke Suzuki.
165
166         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
167
168 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
169
170         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
171         https://bugs.webkit.org/show_bug.cgi?id=196708
172         <rdar://problem/49556803>
173
174         Reviewed by Yusuke Suzuki.
175
176         * stress/proxy-getter-stack-overflow.js: Added.
177         (const.handler.get target):
178         (const.handler.has):
179         (try.with):
180         (catch):
181
182 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
183
184         [JSC] DFG should respect node's strict flag
185         https://bugs.webkit.org/show_bug.cgi?id=196617
186
187         Reviewed by Saam Barati.
188
189         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
190         (shouldEqual):
191         (makeUnwriteableUnconfigurableObject):
192         (runTest):
193         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
194         (shouldBe):
195         (shouldThrow):
196         (with.result):
197         (with.putValueStrict):
198         (with.putValueSloppy):
199
200 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
201
202         [JSC] isRope jump in StringSlice should not jump over register allocations
203         https://bugs.webkit.org/show_bug.cgi?id=196716
204
205         Reviewed by Saam Barati.
206
207         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
208         (foo.bar):
209         (foo):
210
211 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
212
213         [JSC] to_index_string should not assume incoming value is Uint32
214         https://bugs.webkit.org/show_bug.cgi?id=196713
215
216         Reviewed by Saam Barati.
217
218         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
219         (foo):
220
221 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
222
223         [JSC] Add more tests for r243966
224         https://bugs.webkit.org/show_bug.cgi?id=196711
225
226         Reviewed by Saam Barati.
227
228         Adding one more test for r243966 fix. The added test will not crash after r243966.
229
230         * stress/stress-cleared-calllinkinfo.js: Added.
231         (runNearStackLimit.t):
232         (runNearStackLimit):
233         (repeat):
234         (cls):
235         (let.item.of.array.runNearStackLimit):
236
237 2019-04-08  Saam Barati  <sbarati@apple.com>
238
239         WebAssembly.RuntimeError missing exception check
240         https://bugs.webkit.org/show_bug.cgi?id=196700
241         <rdar://problem/49693932>
242
243         Reviewed by Yusuke Suzuki.
244
245         * wasm/js-api/runtime-error-should-exception-check.js: Added.
246
247 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
248
249         Unreviewed, rolling in r243948 with test fix
250         https://bugs.webkit.org/show_bug.cgi?id=196486
251
252         * stress/arrow-function-and-use-strict-directive.js: Added.
253         * stress/arrow-function-syntax.js: Added.
254         (checkSyntax):
255         (checkSyntaxError):
256
257 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
258
259         Unreviewed, rolling out r243948.
260
261         Caused inspector/runtime/parse.html to fail
262
263         Reverted changeset:
264
265         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
266         https://bugs.webkit.org/show_bug.cgi?id=196486
267         https://trac.webkit.org/changeset/243948
268
269 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
270
271         Unreviewed, rolling out r243943.
272
273         Caused test262 failures.
274
275         Reverted changeset:
276
277         "[JSC] Filter DontEnum properties in
278         ProxyObject::getOwnPropertyNames()"
279         https://bugs.webkit.org/show_bug.cgi?id=176810
280         https://trac.webkit.org/changeset/243943
281
282 2019-04-07  Michael Saboff  <msaboff@apple.com>
283
284         REGRESSION (r243642): Crash in reddit.com page
285         https://bugs.webkit.org/show_bug.cgi?id=196684
286
287         Reviewed by Geoffrey Garen.
288
289         New regression test.
290
291         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
292
293 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
294
295         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
296         https://bugs.webkit.org/show_bug.cgi?id=196683
297
298         Reviewed by Saam Barati.
299
300         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
301         (foo):
302
303 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
304
305         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
306         https://bugs.webkit.org/show_bug.cgi?id=196582
307
308         Reviewed by Saam Barati.
309
310         * stress/add-overflow-check-with-three-same-registers.js: Added.
311         (foo):
312         (Number.prototype.valueOf):
313         (runWithNumber):
314
315 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
316
317         Unreviewed, rolling out r243665.
318
319         Caused iOS JSC tests to exit with an exception.
320
321         Reverted changeset:
322
323         "Assertion failed in JSC::createError"
324         https://bugs.webkit.org/show_bug.cgi?id=196305
325         https://trac.webkit.org/changeset/243665
326
327 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
328
329         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
330         https://bugs.webkit.org/show_bug.cgi?id=196486
331
332         Reviewed by Saam Barati.
333
334         * stress/arrow-function-and-use-strict-directive.js: Added.
335         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
336         (checkSyntax):
337         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
338
339 2019-04-05  Caitlin Potter  <caitp@igalia.com>
340
341         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
342         https://bugs.webkit.org/show_bug.cgi?id=176810
343
344         Reviewed by Saam Barati.
345
346         Add tests for the DontEnum filtering, and variations of other tests
347         take the DontEnum-filtering path.
348
349         * stress/proxy-own-keys.js:
350         (i.catch):
351         (set assert):
352         (set add):
353         (let.set new):
354         (get let):
355
356 2019-04-05  Caitlin Potter  <caitp@igalia.com>
357
358         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
359         https://bugs.webkit.org/show_bug.cgi?id=185211
360
361         Reviewed by Saam Barati.
362
363         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
364
365         This changes several assertions to expect a TypeError to be thrown (in some cases,
366         changing the expected message).
367
368         * es6/Proxy_ownKeys_duplicates.js:
369         (handler):
370         (shouldThrow):
371         (test):
372         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
373         (shouldThrow):
374         * stress/proxy-own-keys.js:
375         (i.catch):
376         (assert):
377
378 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
379
380         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
381         https://bugs.webkit.org/show_bug.cgi?id=196631
382
383         Reviewed by Saam Barati.
384
385         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
386         (assert):
387         (test):
388         (foo):
389
390 2019-04-04  Saam Barati  <sbarati@apple.com>
391
392         Unreviewed. Make the test from r243906 catch the thrown exceptions.
393
394         * stress/inferred-types-regex-matches-array.js:
395
396 2019-04-04  Saam Barati  <sbarati@apple.com>
397
398         createRegExpMatchesArray does not respect inferred types
399         https://bugs.webkit.org/show_bug.cgi?id=193287
400
401         Reviewed by Yusuke Suzuki.
402
403         This checks in the test case for 193287. This issue was discovered by
404         Samuel Groß of Google Project Zero.
405
406         * stress/inferred-types-regex-matches-array.js: Added.
407
408 2019-04-04  Saam barati  <sbarati@apple.com>
409
410         Teach Call ICs how to call Wasm
411         https://bugs.webkit.org/show_bug.cgi?id=196387
412
413         Reviewed by Filip Pizlo.
414
415         * wasm/function-tests/stack-trace.js:
416
417 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
418
419         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
420         https://bugs.webkit.org/show_bug.cgi?id=194944
421
422         Reviewed by Keith Miller.
423
424         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
425
426 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
427
428         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
429         https://bugs.webkit.org/show_bug.cgi?id=196409
430
431         Reviewed by Saam Barati.
432
433         * stress/bytecode-cache-cached-string-impl.js: Added.
434         (f):
435         (g):
436         * stress/bytecode-cache-run-string.js: Added.
437
438 2019-04-03  Robin Morisset  <rmorisset@apple.com>
439
440         B3 should use associativity to optimize expression trees
441         https://bugs.webkit.org/show_bug.cgi?id=194081
442
443         Reviewed by Filip Pizlo.
444
445         Added three microbenchmarks:
446         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
447         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
448           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
449         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
450
451         * microbenchmarks/add-tree.js: Added.
452         * microbenchmarks/bit-or-tree.js: Added.
453         * microbenchmarks/bit-xor-tree.js: Added.
454
455 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
456
457         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
458         https://bugs.webkit.org/show_bug.cgi?id=196574
459
460         Reviewed by Saam Barati.
461
462         * stress/string-index-of-exception-check.js: Added.
463         (blurType):
464         (1.forEach):
465
466 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
467
468         Assertion failed in JSC::createError
469         https://bugs.webkit.org/show_bug.cgi?id=196305
470         <rdar://problem/49387382>
471
472         Reviewed by Saam Barati.
473
474         * stress/create-error-out-of-memory-rope-string-2.js: Added.
475         (assert):
476         (catch):
477
478 2019-03-28  Saam Barati  <sbarati@apple.com>
479
480         BackwardsGraph needs to consider back edges as the backward's root successor
481         https://bugs.webkit.org/show_bug.cgi?id=195991
482
483         Reviewed by Filip Pizlo.
484
485         * stress/map-b3-licm-infinite-loop.js: Added.
486
487 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
488
489         CodeBlock::jettison() should disallow repatching its own calls
490         https://bugs.webkit.org/show_bug.cgi?id=196359
491         <rdar://problem/48973663>
492
493         Reviewed by Saam Barati.
494
495         * stress/call-link-info-osrexit-repatch.js: Added.
496         (foo):
497
498 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
499
500         [JSC] imports-oom.js intermittently fails
501         https://bugs.webkit.org/show_bug.cgi?id=196373
502
503         Reviewed by Saam Barati.
504
505         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
506         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
507         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
508         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
509         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
510
511         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
512         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
513
514         * wasm/lowExecutableMemory/imports-oom.js:
515
516 2019-03-27  Saam Barati  <sbarati@apple.com>
517
518         validateOSREntryValue with Int52 should box the value being checked into double format
519         https://bugs.webkit.org/show_bug.cgi?id=196313
520         <rdar://problem/49306703>
521
522         Reviewed by Yusuke Suzuki.
523
524         * stress/validate-int-52-ai-state.js: Added.
525
526 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
527
528         [JSC] Owner of watchpoints should validate at GC finalizing phase
529         https://bugs.webkit.org/show_bug.cgi?id=195827
530
531         Reviewed by Filip Pizlo.
532
533         * stress/gc-should-reap-dead-watchpoints.js: Added.
534         (foo):
535         (A.prototype.y):
536         (A):
537
538 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
539
540         Skip WebAssembly test on 32-bit systems
541         https://bugs.webkit.org/show_bug.cgi?id=196206
542
543         Reviewed by Saam Barati.
544
545         Invoking runDefault executes test immediately even though
546         that test should be skipped due to missing WASM support.
547         Therefore remove runDefault.
548
549         * wasm/regress/web-assembly-link-error-exception-check.js:
550
551 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
552
553         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
554         https://bugs.webkit.org/show_bug.cgi?id=196217
555
556         Reviewed by Saam Barati.
557
558         Re-enable all NaN tests for f32.min, f64.min and f64.max.
559
560         * wasm/spec-tests/f32.wast.js:
561         * wasm/spec-tests/f64.wast.js:
562         * wasm/wasm.json:
563
564 2019-03-25  Keith Miller  <keith_miller@apple.com>
565
566         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
567         https://bugs.webkit.org/show_bug.cgi?id=196176
568
569         Reviewed by Saam Barati.
570
571         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
572         (main.v10):
573         (main):
574
575 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
576
577         WebAssembly: f32.max with NaN generates incorrect result
578         https://bugs.webkit.org/show_bug.cgi?id=175691
579         <rdar://problem/33952228>
580
581         Reviewed by Saam Barati.
582
583         Enable all f32.max NaN tests
584
585         * wasm/spec-tests/f32.wast.js:
586         * wasm/wasm.json:
587
588 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
589
590         [JSC] Move test into directory for WASM tests
591         https://bugs.webkit.org/show_bug.cgi?id=196187
592
593         Reviewed by Mark Lam.
594
595         Move Test into wasm-directory. Otherwise this test
596         is also executed on systems without WASM support.
597
598         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
599
600 2019-03-23  Mark Lam  <mark.lam@apple.com>
601
602         Rolling out r243032 and r243071 because the fix is incorrect.
603         https://bugs.webkit.org/show_bug.cgi?id=195892
604         <rdar://problem/48981239>
605
606         Not reviewed.
607
608         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
609
610 2019-03-22  Mark Lam  <mark.lam@apple.com>
611
612         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
613         https://bugs.webkit.org/show_bug.cgi?id=196154
614         <rdar://problem/49145307>
615
616         Reviewed by Filip Pizlo.
617
618         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
619         There's no need to run this test on more than 1 test configuration.
620
621         * stress/typed-array-lastIndexOf-exception-check.js: Added.
622         * stress/web-assembly-link-error-exception-check.js:
623
624 2019-03-22  Mark Lam  <mark.lam@apple.com>
625
626         Placate exception check validation in constructJSWebAssemblyLinkError().
627         https://bugs.webkit.org/show_bug.cgi?id=196152
628         <rdar://problem/49145257>
629
630         Reviewed by Michael Saboff.
631
632         * stress/web-assembly-link-error-exception-check.js: Added.
633
634 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
635
636         Skip tests running out of memory on ARM/MIPS
637         https://bugs.webkit.org/show_bug.cgi?id=196131
638
639         Unreviewed. Skip test if memory is limited.
640
641         * microbenchmarks/put-by-val-direct-large-index.js:
642
643 2019-03-21  Mark Lam  <mark.lam@apple.com>
644
645         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
646         https://bugs.webkit.org/show_bug.cgi?id=196116
647         <rdar://problem/48976951>
648
649         Reviewed by Filip Pizlo.
650
651         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
652
653 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
654
655         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
656         https://bugs.webkit.org/show_bug.cgi?id=196078
657         <rdar://problem/35925380>
658
659         Reviewed by Mark Lam.
660
661         Add a new benchmark that allocates several objects and invokes put_by_val_direct
662         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
663
664         * microbenchmarks/put-by-val-direct-large-index.js: Added.
665
666 2019-03-21  Mark Lam  <mark.lam@apple.com>
667
668         Placate exception check validation in operationArrayIndexOfString().
669         https://bugs.webkit.org/show_bug.cgi?id=196067
670         <rdar://problem/49056572>
671
672         Reviewed by Michael Saboff.
673
674         * stress/string-equal-exception-check.js: Added.
675
676 2019-03-21  Mark Lam  <mark.lam@apple.com>
677
678         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
679         https://bugs.webkit.org/show_bug.cgi?id=196055
680         <rdar://problem/49067448>
681
682         Reviewed by Yusuke Suzuki.
683
684         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
685
686 2019-03-20  Saam Barati  <sbarati@apple.com>
687
688         typeOfDoubleSum is wrong for when NaN can be produced
689         https://bugs.webkit.org/show_bug.cgi?id=196030
690
691         Reviewed by Filip Pizlo.
692
693         * stress/double-add-sub-mul-can-produce-nan.js: Added.
694         (assert):
695         (noInline.sub):
696         (noInline):
697         (assert.mul):
698         (assert.add):
699
700 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
701
702         Update the test to ensure OutOfMemoryError is thrown as intended
703         https://bugs.webkit.org/show_bug.cgi?id=196032
704         <rdar://problem/46842740>
705
706         Rubber stamped by Saam Barati.
707
708         * stress/create-error-out-of-memory-rope-string.js:
709         (assert):
710         (catch):
711
712 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
713
714         JSC::createError needs to check for OOM in errorDescriptionForValue
715         https://bugs.webkit.org/show_bug.cgi?id=196032
716         <rdar://problem/46842740>
717
718         Reviewed by Mark Lam.
719
720         * stress/create-error-out-of-memory-rope-string.js: Added.
721
722 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
723
724         Unreviewed, reduce # of iterations to avoid timing out after r242991
725         https://bugs.webkit.org/show_bug.cgi?id=195791
726
727         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
728
729         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
730
731 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
732
733         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
734         https://bugs.webkit.org/show_bug.cgi?id=195950
735
736         Unreviewed, reducing the amount of memory used on this test to avoid
737         OOM on devices with memory restrictions.
738
739         * microbenchmarks/generate-multiple-llint-entrypoints.js:
740
741 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
742
743         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
744         https://bugs.webkit.org/show_bug.cgi?id=194648
745
746         Reviewed by Keith Miller.
747
748         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
749
750 2019-03-18  Mark Lam  <mark.lam@apple.com>
751
752         Missing a ThrowScope release in JSObject::toString().
753         https://bugs.webkit.org/show_bug.cgi?id=195893
754         <rdar://problem/48970986>
755
756         Reviewed by Michael Saboff.
757
758         * stress/to-string-exception-check-release.js: Added.
759
760 2019-03-18  Mark Lam  <mark.lam@apple.com>
761
762         Structure::flattenDictionary() should clear unused property slots.
763         https://bugs.webkit.org/show_bug.cgi?id=195871
764         <rdar://problem/48959497>
765
766         Reviewed by Michael Saboff.
767
768         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
769
770 2019-03-15  Mark Lam  <mark.lam@apple.com>
771
772         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
773         https://bugs.webkit.org/show_bug.cgi?id=195827
774         <rdar://problem/48845513>
775
776         Reviewed by Filip Pizlo.
777
778         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
779
780 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
781
782         [ARM,MIPS] Skip slow tests
783         https://bugs.webkit.org/show_bug.cgi?id=195799
784
785         Unreviewed, test does not finish on ARM and MIPS within the
786         timeout limit.
787
788         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
789
790 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
791
792         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
793         https://bugs.webkit.org/show_bug.cgi?id=195791
794         <rdar://problem/48806130>
795
796         Reviewed by Mark Lam.
797
798         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
799         (foo):
800
801 2019-03-14  Saam barati  <sbarati@apple.com>
802
803         We can't remove code after ForceOSRExit until after FixupPhase
804         https://bugs.webkit.org/show_bug.cgi?id=186916
805         <rdar://problem/41396612>
806
807         Reviewed by Yusuke Suzuki.
808
809         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
810         (foo):
811         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
812         (foo):
813
814 2019-03-13  Michael Saboff  <msaboff@apple.com>
815
816         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
817         https://bugs.webkit.org/show_bug.cgi?id=195735
818
819         Reviewed by Mark Lam.
820
821         New regression test.
822
823         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
824         (foo):
825         (bar):
826
827 2019-03-14  Saam barati  <sbarati@apple.com>
828
829         Fixup uses KnownInt32 incorrectly in some nodes
830         https://bugs.webkit.org/show_bug.cgi?id=195279
831         <rdar://problem/47915654>
832
833         Reviewed by Yusuke Suzuki.
834
835         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
836         (foo):
837
838 2019-03-14  Keith Miller  <keith_miller@apple.com>
839
840         DFG liveness can't skip tail caller inline frames
841         https://bugs.webkit.org/show_bug.cgi?id=195715
842
843         Reviewed by Saam Barati.
844
845         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
846         (i.foo):
847
848 2019-03-13  Mark Lam  <mark.lam@apple.com>
849
850         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
851         https://bugs.webkit.org/show_bug.cgi?id=195415
852
853         Not reviewed.
854
855         Changed these tests to only run the default configuration.
856         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
857         There's no strong need to run this test on that variant.
858
859         * stress/dfg-to-string-on-int-does-gc.js:
860         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
861
862 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
863
864         String overflow when using StringBuilder in JSC::createError
865         https://bugs.webkit.org/show_bug.cgi?id=194957
866
867         Reviewed by Mark Lam.
868
869         Add test string-overflow-createError-builder.js that overflows
870         StringBuilder in notAFunctionSourceAppender. The second new test
871         string-overflow-createError-fit.js has an error message that doesn't
872         overflow, it still failed since the String's capacity can't be doubled.
873         Run test string-overflow-createError.js only in the default
874         configuration to reduce memory consumption when running the test
875         in all configurations on multiple CPUs in parallel.
876
877         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
878         (catch):
879         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
880         (catch):
881         * stress/string-overflow-createError.js:
882
883 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
884
885         [JSC] OSR entry should respect abstract values in addition to flush formats
886         https://bugs.webkit.org/show_bug.cgi?id=195653
887
888         Reviewed by Mark Lam.
889
890         * stress/osr-entry-locals-none.js: Added.
891
892 2019-03-12  Michael Saboff  <msaboff@apple.com>
893
894         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
895         https://bugs.webkit.org/show_bug.cgi?id=195613
896
897         Reviewed by Mark Lam.
898
899         New regression test.
900
901         * stress/regexp-backref-inbounds.js: Added.
902         (testRegExp):
903
904 2019-03-12  Mark Lam  <mark.lam@apple.com>
905
906         The HasIndexedProperty node does GC.
907         https://bugs.webkit.org/show_bug.cgi?id=195559
908         <rdar://problem/48767923>
909
910         Reviewed by Yusuke Suzuki.
911
912         * stress/HasIndexedProperty-does-gc.js: Added.
913
914 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
915
916         [ESNext][BigInt] Implement "~" unary operation
917         https://bugs.webkit.org/show_bug.cgi?id=182216
918
919         Reviewed by Keith Miller.
920
921         * stress/big-int-bit-not-general.js: Added.
922         * stress/big-int-bitwise-not-jit.js: Added.
923         * stress/big-int-bitwise-not-wrapped-value.js: Added.
924         * stress/bit-op-with-object-returning-int32.js:
925         * stress/bitwise-not-fixup-rules.js: Added.
926         * stress/value-bit-not-ai-rule.js: Added.
927
928 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
929
930         Invalid flags in a RegExp literal should be an early SyntaxError
931         https://bugs.webkit.org/show_bug.cgi?id=195514
932
933         Reviewed by Darin Adler.
934
935         * test262/expectations.yaml:
936         Mark 4 test cases as passing.
937
938         * stress/regexp-syntax-error-invalid-flags.js:
939         * stress/regress-161995.js: Removed.
940         Update existing test, merging in an older test for the same behavior.
941
942 2019-03-08  Mark Lam  <mark.lam@apple.com>
943
944         Stack overflow crash in JSC::JSObject::hasInstance.
945         https://bugs.webkit.org/show_bug.cgi?id=195458
946         <rdar://problem/48710195>
947
948         Reviewed by Yusuke Suzuki.
949
950         * stress/stack-overflow-in-custom-hasInstance.js: Added.
951
952 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
953
954         op_check_tdz does not def its argument
955         https://bugs.webkit.org/show_bug.cgi?id=192880
956         <rdar://problem/46221598>
957
958         Reviewed by Saam Barati.
959
960         * microbenchmarks/let-for-in.js: Added.
961         (foo):
962
963 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
964
965         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
966         https://bugs.webkit.org/show_bug.cgi?id=195429
967
968         Reviewed by Saam Barati.
969
970         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
971         (foo):
972         * stress/string-from-char-code-255.js: Added.
973
974 2019-03-06  Mark Lam  <mark.lam@apple.com>
975
976         Fix incorrect handling of try-finally completion values.
977         https://bugs.webkit.org/show_bug.cgi?id=195131
978         <rdar://problem/46222079>
979
980         Reviewed by Saam Barati and Yusuke Suzuki.
981
982         Added many permutations of new test case to test-finally.js.  test-finally.js has
983         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
984         tests pass there as well.
985
986         * stress/test-finally.js:
987
988 2019-03-06  Saam Barati  <sbarati@apple.com>
989
990         Air::reportUsedRegisters must padInterference
991         https://bugs.webkit.org/show_bug.cgi?id=195303
992         <rdar://problem/48270343>
993
994         Reviewed by Keith Miller.
995
996         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
997
998 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
999
1000         [JSC] AI should not propagate AbstractValue relying on constant folding phase
1001         https://bugs.webkit.org/show_bug.cgi?id=195375
1002
1003         Reviewed by Saam Barati.
1004
1005         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
1006         (let.array):
1007
1008 2019-03-05  Saam barati  <sbarati@apple.com>
1009
1010         op_switch_char broken for rope strings after JSRopeString layout rewrite
1011         https://bugs.webkit.org/show_bug.cgi?id=195339
1012         <rdar://problem/48592545>
1013
1014         Reviewed by Yusuke Suzuki.
1015
1016         * stress/switch-on-char-llint-rope.js: Added.
1017
1018 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
1019
1020         [JSC] Store bits for JSRopeString in 3 stores
1021         https://bugs.webkit.org/show_bug.cgi?id=195234
1022
1023         Reviewed by Saam Barati.
1024
1025         * stress/null-rope-and-collectors.js: Added.
1026
1027 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1028
1029         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1030         https://bugs.webkit.org/show_bug.cgi?id=195207
1031
1032         Unreviewed. After test runtime was reduced in r242213, test can be
1033         run again on ARM/MIPS.
1034
1035         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1036
1037 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1038
1039         [JSC] sizeof(JSString) should be 16
1040         https://bugs.webkit.org/show_bug.cgi?id=194375
1041
1042         Reviewed by Saam Barati.
1043
1044         * microbenchmarks/make-rope.js: Added.
1045         (makeRope):
1046         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1047         (returnRope.helper): Deleted.
1048         (returnRope): Deleted.
1049
1050 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1051
1052         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1053         https://bugs.webkit.org/show_bug.cgi?id=195144
1054
1055         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1056         Change the number from 1e8 to 1e5.
1057
1058         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1059         (foo):
1060
1061 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1062
1063         Test times out on ARM/MIPS
1064         https://bugs.webkit.org/show_bug.cgi?id=195168
1065
1066         Unreviewed. Skip test on ARM/MIPS.
1067
1068         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1069
1070 2019-02-27  Mark Lam  <mark.lam@apple.com>
1071
1072         The parser is failing to record the token location of new in new.target.
1073         https://bugs.webkit.org/show_bug.cgi?id=195127
1074         <rdar://problem/39645578>
1075
1076         Reviewed by Yusuke Suzuki.
1077
1078         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1079
1080 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1081
1082         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1083         https://bugs.webkit.org/show_bug.cgi?id=195144
1084         <rdar://problem/47595961>
1085
1086         Reviewed by Mark Lam.
1087
1088         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1089         (bar):
1090         (foo):
1091         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1092         (bar):
1093         (foo):
1094
1095 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1096
1097         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1098         https://bugs.webkit.org/show_bug.cgi?id=194945
1099         <rdar://problem/48311657>
1100
1101         Reviewed by Mark Lam.
1102
1103         * stress/licm-dead-code.js: Added.
1104
1105 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1106
1107         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1108         https://bugs.webkit.org/show_bug.cgi?id=194677
1109         <rdar://problem/48112492>
1110
1111         Reviewed by Mark Lam.
1112
1113         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1114         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1115         it immediately fails due to the large size.
1116
1117         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1118         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1119         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1120         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1121
1122         This patch changes the test to produce 16bit string from String.fromCharCode.
1123
1124         * stress/regress-178386.js:
1125
1126 2019-02-26  Mark Lam  <mark.lam@apple.com>
1127
1128         wasmToJS() should purify incoming NaNs.
1129         https://bugs.webkit.org/show_bug.cgi?id=194807
1130         <rdar://problem/48189132>
1131
1132         Reviewed by Saam Barati.
1133
1134         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1135
1136 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1137
1138         [JSC] Repeat string created from Array.prototype.join() take too much memory
1139         https://bugs.webkit.org/show_bug.cgi?id=193912
1140
1141         Reviewed by Saam Barati.
1142
1143         Added a test and a microbenchmark for corner cases of
1144         Array.prototype.join() with an uninitialized array.
1145
1146         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1147         * stress/array-prototype-join-uninitialized.js: Added.
1148         (testArray):
1149         (testABC):
1150         (B):
1151         (C):
1152
1153 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1154
1155         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1156         https://bugs.webkit.org/show_bug.cgi?id=194953
1157         <rdar://problem/47595253>
1158
1159         Reviewed by Saam Barati.
1160
1161         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1162
1163         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1164
1165 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1166
1167         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1168         https://bugs.webkit.org/show_bug.cgi?id=172848
1169         <rdar://problem/25709212>
1170
1171         Reviewed by Mark Lam.
1172
1173         * typeProfiler/inheritance.js:
1174         Rewrite the test slightly for clarity. The hoisting was confusing.
1175
1176         * heapProfiler/class-names.js: Added.
1177         (MyES5Class):
1178         (MyES6Class):
1179         (MyES6Subclass):
1180         Test object types and improved class names.
1181
1182         * heapProfiler/driver/driver.js:
1183         (CheapHeapSnapshotNode):
1184         (CheapHeapSnapshot):
1185         (createCheapHeapSnapshot):
1186         (HeapSnapshot):
1187         (createHeapSnapshot):
1188         Update snapshot parsing from version 1 to version 2.
1189
1190 2019-02-19  Truitt Savell  <tsavell@apple.com>
1191
1192         Unreviewed, rolling out r241784.
1193
1194         Broke all OpenSource builds.
1195
1196         Reverted changeset:
1197
1198         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1199         instances view"
1200         https://bugs.webkit.org/show_bug.cgi?id=172848
1201         https://trac.webkit.org/changeset/241784
1202
1203 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1204
1205         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1206         https://bugs.webkit.org/show_bug.cgi?id=172848
1207         <rdar://problem/25709212>
1208
1209         Reviewed by Mark Lam.
1210
1211         * typeProfiler/inheritance.js:
1212         Rewrite the test slightly for clarity. The hoisting was confusing.
1213
1214         * heapProfiler/class-names.js: Added.
1215         (MyES5Class):
1216         (MyES6Class):
1217         (MyES6Subclass):
1218         Test object types and improved class names.
1219
1220         * heapProfiler/driver/driver.js:
1221         (CheapHeapSnapshotNode):
1222         (CheapHeapSnapshot):
1223         (createCheapHeapSnapshot):
1224         (HeapSnapshot):
1225         (createHeapSnapshot):
1226         Update snapshot parsing from version 1 to version 2.
1227
1228 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1229
1230         [ARM] Fix crash with sampling profiler
1231         https://bugs.webkit.org/show_bug.cgi?id=194772
1232
1233         Reviewed by Mark Lam.
1234
1235         Do not skip test since crash with sampling profiler is now fixed.
1236
1237         * stress/sampling-profiler-richards.js:
1238
1239 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1240
1241         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1242         https://bugs.webkit.org/show_bug.cgi?id=194784
1243         <rdar://problem/48154820>
1244
1245         Reviewed by Mark Lam.
1246
1247         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1248         (getProperties):
1249         (getRandomProperty):
1250         (i.catch):
1251
1252 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1253
1254         [ARM] Test gardening: Test running out of executable memory
1255         https://bugs.webkit.org/show_bug.cgi?id=194771
1256
1257         Unreviewed. Do not run test without LLInt, test is running out of executable
1258         memory on ARM otherwise.
1259
1260         * stress/tagged-template-object-collect.js:
1261
1262 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1263
1264         Unreviewed, skip the test on platforms without sampling profiler
1265
1266         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1267         (platformSupportsSamplingProfiler.foo):
1268         (platformSupportsSamplingProfiler.test):
1269         (platformSupportsSamplingProfiler):
1270         (foo): Deleted.
1271         (test): Deleted.
1272
1273 2019-02-17  Saam Barati  <sbarati@apple.com>
1274
1275         Deadlock when adding a Structure property transition and then doing incremental marking
1276         https://bugs.webkit.org/show_bug.cgi?id=194767
1277
1278         Reviewed by Mark Lam.
1279
1280         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1281
1282 2019-02-15  Michael Saboff  <msaboff@apple.com>
1283
1284         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1285         https://bugs.webkit.org/show_bug.cgi?id=194558
1286
1287         Reviewed by Saam Barati.
1288
1289         New regression test.
1290
1291         * stress/regexp-unicode-within-string.js: Added.
1292
1293 2019-02-15  Mark Lam  <mark.lam@apple.com>
1294
1295         SamplingProfiler::stackTracesAsJSON() should escape strings.
1296         https://bugs.webkit.org/show_bug.cgi?id=194649
1297         <rdar://problem/48072386>
1298
1299         Reviewed by Saam Barati.
1300
1301         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1302         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1303         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1304         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1305
1306 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1307         CodeBlock::jettison should clear related watchpoints
1308         https://bugs.webkit.org/show_bug.cgi?id=194544
1309
1310         Reviewed by Mark Lam.
1311
1312         * stress/regexp-replace-double-watchpoint.js: Added.
1313         (foo):
1314
1315 2019-02-15  Saam barati  <sbarati@apple.com>
1316
1317         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1318         https://bugs.webkit.org/show_bug.cgi?id=194036
1319
1320         Reviewed by Yusuke Suzuki.
1321
1322         * stress/tail-call-many-arguments.js: Added.
1323         (foo):
1324         (bar):
1325
1326 2019-02-14  Saam Barati  <sbarati@apple.com>
1327
1328         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1329         https://bugs.webkit.org/show_bug.cgi?id=194583
1330         <rdar://problem/48028140>
1331
1332         Reviewed by Yusuke Suzuki.
1333
1334         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1335
1336 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1337
1338         [JSC] String.fromCharCode's slow path always generates 16bit string
1339         https://bugs.webkit.org/show_bug.cgi?id=194466
1340
1341         Reviewed by Keith Miller.
1342
1343         * stress/string-from-char-code-slow-path.js: Added.
1344         (shouldBe):
1345         (testWithLength):
1346
1347 2019-02-08  Saam barati  <sbarati@apple.com>
1348
1349         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1350         https://bugs.webkit.org/show_bug.cgi?id=194334
1351         <rdar://problem/47844327>
1352
1353         Reviewed by Mark Lam.
1354
1355         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1356         (func):
1357
1358 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1359
1360         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1361         https://bugs.webkit.org/show_bug.cgi?id=194369
1362         <rdar://problem/47813087>
1363
1364         Reviewed by Saam Barati.
1365
1366         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1367         (A):
1368
1369 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1370
1371         [JSC] PrivateName to PublicName hash table is wasteful
1372         https://bugs.webkit.org/show_bug.cgi?id=194277
1373
1374         Reviewed by Michael Saboff.
1375
1376         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1377
1378         * ChakraCore.yaml:
1379
1380 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1381
1382         [ARM] Test running out of executable memory
1383         https://bugs.webkit.org/show_bug.cgi?id=194285
1384
1385         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1386         executable memory otherwise.
1387
1388         * stress/class-subclassing-function.js:
1389
1390 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1391
1392         when lowering AssertNotEmpty, create the value before creating the patchpoint
1393         https://bugs.webkit.org/show_bug.cgi?id=194231
1394
1395         Reviewed by Saam Barati.
1396
1397         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1398         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1399         So even tiny changes to this test can change the path code taken.
1400
1401         * stress/assert-not-empty.js: Added.
1402         (foo):
1403
1404 2019-02-01  Mark Lam  <mark.lam@apple.com>
1405
1406         Remove invalid assertion in DFG's compileDoubleRep().
1407         https://bugs.webkit.org/show_bug.cgi?id=194130
1408         <rdar://problem/47699474>
1409
1410         Reviewed by Saam Barati.
1411
1412         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1413
1414 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1415
1416         Import latest Test262 updates.
1417
1418         Rubber-stamped by Keith Miller.
1419
1420         * test262.yaml: Deleted.
1421         * test262/config.yaml:
1422         * test262/expectations.yaml:
1423         * test262/latest-changes-summary.txt:
1424         * test262/test/:
1425         * test262/test262-Revision.txt:
1426
1427 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1428
1429         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1430         https://bugs.webkit.org/show_bug.cgi?id=194050
1431         <rdar://problem/47595592>
1432
1433         Reviewed by Yusuke Suzuki.
1434
1435         * stress/object-keys-osr-exit.js: Added.
1436         (foo):
1437         (catch):
1438
1439 2019-01-29  Mark Lam  <mark.lam@apple.com>
1440
1441         ValueRecovery::recover() should purify NaN values it recovers.
1442         https://bugs.webkit.org/show_bug.cgi?id=193978
1443         <rdar://problem/47625488>
1444
1445         Reviewed by Saam Barati.
1446
1447         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1448
1449 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1450
1451         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1452         https://bugs.webkit.org/show_bug.cgi?id=193713
1453
1454         * stress/try-get-by-id-should-spill-registers-dfg.js:
1455         (let.f.createBuiltin):
1456
1457 2019-01-28  Mark Lam  <mark.lam@apple.com>
1458
1459         ToString node actually does GC.
1460         https://bugs.webkit.org/show_bug.cgi?id=193920
1461         <rdar://problem/46695900>
1462
1463         Reviewed by Yusuke Suzuki.
1464
1465         * stress/dfg-to-string-on-int-does-gc.js: Added.
1466         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1467         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1468
1469 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1470
1471         [JSC] NativeErrorConstructor should not have own IsoSubspace
1472         https://bugs.webkit.org/show_bug.cgi?id=193713
1473
1474         Reviewed by Saam Barati.
1475
1476         Remove @Error use.
1477
1478         * stress/try-get-by-id-should-spill-registers-dfg.js:
1479         (let.f.createBuiltin):
1480
1481 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1482
1483         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1484         https://bugs.webkit.org/show_bug.cgi?id=190693
1485
1486         Reviewed by Michael Saboff.
1487
1488         * stress/regress-190693.js: Added.
1489         (truth):
1490         (assert):
1491         (shouldThrowInvalidConstAssignment):
1492         (taz):
1493
1494 2019-01-24  Saam Barati  <sbarati@apple.com>
1495
1496         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1497         https://bugs.webkit.org/show_bug.cgi?id=193751
1498         <rdar://problem/47280215>
1499
1500         Reviewed by Michael Saboff.
1501
1502         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1503         (let.thing):
1504         (foo.let.hello):
1505         (foo):
1506
1507 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1508
1509         [JSC] Reenable baseline JIT on mips
1510         https://bugs.webkit.org/show_bug.cgi?id=192983
1511
1512         Reviewed by Mark Lam.
1513
1514         Added a new test for a case that was triggering a RELEASE_ASSERT when
1515         testing.
1516         Disable some slow tests that were already disabled for arm and x86.
1517
1518         * stress/json-parse-big-object.js: Added.
1519         * stress/new-largeish-contiguous-array-with-size.js:
1520         * stress/op_add.js:
1521         * stress/op_bitand.js:
1522         * stress/op_bitor.js:
1523         * stress/op_bitxor.js:
1524         * stress/op_lshift-ConstVar.js:
1525         * stress/op_lshift-VarConst.js:
1526         * stress/op_lshift-VarVar.js:
1527         * stress/op_mod-ConstVar.js:
1528         * stress/op_mod-VarConst.js:
1529         * stress/op_mod-VarVar.js:
1530         * stress/op_mul-ConstVar.js:
1531         * stress/op_mul-VarConst.js:
1532         * stress/op_mul-VarVar.js:
1533         * stress/op_rshift-ConstVar.js:
1534         * stress/op_rshift-VarConst.js:
1535         * stress/op_rshift-VarVar.js:
1536         * stress/op_sub-ConstVar.js:
1537         * stress/op_sub-VarConst.js:
1538         * stress/op_sub-VarVar.js:
1539         * stress/op_urshift-ConstVar.js:
1540         * stress/op_urshift-VarConst.js:
1541         * stress/op_urshift-VarVar.js:
1542         * stress/sampling-profiler-richards.js:
1543         * stress/spread-forward-call-varargs-stack-overflow.js:
1544
1545 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1546
1547         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1548         https://bugs.webkit.org/show_bug.cgi?id=193711
1549         <rdar://problem/47250262>
1550
1551         Reviewed by Saam Barati.
1552
1553         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1554         (shouldBe):
1555         (foo):
1556         (bar):
1557         (baz):
1558
1559 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1560
1561         Unreviewed, fix initial global lexical binding epoch
1562         https://bugs.webkit.org/show_bug.cgi?id=193603
1563         <rdar://problem/47380869>
1564
1565         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1566         (f1.f2.f3.f4):
1567         (f1.f2.f3):
1568         (f1.f2):
1569         (f1):
1570
1571 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1572
1573         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1574         https://bugs.webkit.org/show_bug.cgi?id=193709
1575         <rdar://problem/47363838>
1576
1577         Unreviewed, rollout to watch the tests.
1578
1579         * stress/object-tostring-changed-proto.js: Removed.
1580         * stress/object-tostring-changed.js: Removed.
1581         * stress/object-tostring-misc.js: Removed.
1582         * stress/object-tostring-other.js: Removed.
1583         * stress/object-tostring-untyped.js: Removed.
1584
1585 2019-01-22  Saam Barati  <sbarati@apple.com>
1586
1587         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1588
1589         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1590         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1591         (testUncheckedLessThanZero):
1592         (testUncheckedLessThanOrEqualZero):
1593         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1594         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1595
1596 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1597
1598         [JSC] Invalidate old scope operations using global lexical binding epoch
1599         https://bugs.webkit.org/show_bug.cgi?id=193603
1600         <rdar://problem/47380869>
1601
1602         Reviewed by Saam Barati.
1603
1604         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1605         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1606         (shouldThrow):
1607         (bar):
1608         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1609         (shouldBe):
1610         (get1):
1611         (get2):
1612         (get1If):
1613         (get2If):
1614         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1615         (shouldThrow):
1616         (foo):
1617
1618 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1619
1620         Unreviewed, roll out r240220 due to date-format-xparb regression
1621         https://bugs.webkit.org/show_bug.cgi?id=193603
1622
1623         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1624         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1625         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1626         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1627
1628 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1629
1630         DoesGC rule is wrong for nodes with BigIntUse
1631         https://bugs.webkit.org/show_bug.cgi?id=193652
1632
1633         Reviewed by Saam Barati.
1634
1635         * stress/big-int-value-op-update-gc-rules.js: Added.
1636         (assert):
1637         (doesGCAdd):
1638         (doesGCSub):
1639         (doesGCDiv):
1640         (doesGCMul):
1641         (doesGCBitAnd):
1642         (doesGCBitOr):
1643         (doesGCBitXor):
1644
1645 2019-01-20  Saam Barati  <sbarati@apple.com>
1646
1647         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1648         https://bugs.webkit.org/show_bug.cgi?id=193644
1649         <rdar://problem/46209745>
1650
1651         Reviewed by Yusuke Suzuki.
1652
1653         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1654         (foo):
1655         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1656         (foo):
1657         (bar):
1658
1659 2019-01-20  Saam Barati  <sbarati@apple.com>
1660
1661         MovHint must merge NodeBytecodeUsesAsValue for its child
1662         https://bugs.webkit.org/show_bug.cgi?id=186916
1663         <rdar://problem/41396612>
1664
1665         Reviewed by Yusuke Suzuki.
1666
1667         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1668         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1669
1670 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1671
1672         [JSC] Invalidate old scope operations using global lexical binding epoch
1673         https://bugs.webkit.org/show_bug.cgi?id=193603
1674         <rdar://problem/47380869>
1675
1676         Reviewed by Saam Barati.
1677
1678         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1679         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1680         (shouldThrow):
1681         (bar):
1682         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1683         (shouldBe):
1684         (get1):
1685         (get2):
1686         (get1If):
1687         (get2If):
1688         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1689         (shouldThrow):
1690         (foo):
1691
1692 2019-01-17  Saam barati  <sbarati@apple.com>
1693
1694         StringObjectUse should not be a structure check for the original string object structure
1695         https://bugs.webkit.org/show_bug.cgi?id=193483
1696         <rdar://problem/47280522>
1697
1698         Reviewed by Yusuke Suzuki.
1699
1700         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1701         (foo):
1702         (a.valueOf.0):
1703
1704 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1705
1706         [JSC] ToThis omission in DFGByteCodeParser is wrong
1707         https://bugs.webkit.org/show_bug.cgi?id=193513
1708         <rdar://problem/45842236>
1709
1710         Reviewed by Saam Barati.
1711
1712         * stress/to-this-omission-with-different-strict-modes.js: Added.
1713         (thisA):
1714         (thisAStrictWrapper):
1715
1716 2019-01-15  Mark Lam  <mark.lam@apple.com>
1717
1718         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1719         https://bugs.webkit.org/show_bug.cgi?id=193423
1720         <rdar://problem/46209355>
1721
1722         Reviewed by Saam Barati.
1723
1724         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1725         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1726         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1727         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1728
1729 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1730
1731         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1732         https://bugs.webkit.org/show_bug.cgi?id=193438
1733         <rdar://problem/45581249>
1734
1735         Reviewed by Saam Barati and Keith Miller.
1736
1737         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1738         Then, GetByVal(String) crashed.
1739
1740         * stress/string-get-by-val-lowering.js: Added.
1741         (shouldBe):
1742         (test):
1743         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1744         (Hello):
1745         (foo):
1746
1747 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1748
1749         Unreviewed, skip JIT tests if it's not enabled
1750
1751         * stress/bit-op-with-object-returning-int32.js:
1752
1753 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1754
1755         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1756         https://bugs.webkit.org/show_bug.cgi?id=192966
1757
1758         Reviewed by Yusuke Suzuki.
1759
1760         * stress/bit-op-with-object-returning-int32.js: Added.
1761
1762 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1763
1764         Skip a slow test and a flakey test on arm
1765
1766         Unreviewed gardening.
1767
1768         * typeProfiler/getter-richards.js:
1769         This test always times out. It used to be always skipped on arm and
1770         mips, but got accidentally enabled by r237919 now that we have DFG on
1771         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1772
1773 2019-01-14  Keith Miller  <keith_miller@apple.com>
1774
1775         Skip type-check-hoisting-phase-hoist... with no jit
1776         https://bugs.webkit.org/show_bug.cgi?id=193421
1777
1778         Reviewed by Mark Lam.
1779
1780         It's timing out the 32-bit bots and takes 330 seconds
1781         on my machine when run by itself.
1782
1783         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1784
1785 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1786
1787         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1788         https://bugs.webkit.org/show_bug.cgi?id=193413
1789         <rdar://problem/46092389>
1790
1791         Reviewed by Keith Miller.
1792
1793         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1794         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1795         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1796         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1797
1798         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1799         (compareArray):
1800
1801 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1802
1803         [BigInt] Literal parsing is crashing when used inside a Object Literal
1804         https://bugs.webkit.org/show_bug.cgi?id=193404
1805
1806         Reviewed by Yusuke Suzuki.
1807
1808         * stress/big-int-literal-inside-literal-object.js: Added.
1809
1810 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1811
1812         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1813         https://bugs.webkit.org/show_bug.cgi?id=193372
1814
1815         Reviewed by Saam Barati.
1816
1817         * stress/typed-array-array-modes-profile.js: Added.
1818         (foo):
1819
1820 2019-01-14  Mark Lam  <mark.lam@apple.com>
1821
1822         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1823         https://bugs.webkit.org/show_bug.cgi?id=193402
1824         <rdar://problem/46012309>
1825
1826         Reviewed by Keith Miller.
1827
1828         * stress/regexp-compile-oom.js:
1829         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1830           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1831
1832 2019-01-11  Saam barati  <sbarati@apple.com>
1833
1834         DFG combined liveness can be wrong for terminal basic blocks
1835         https://bugs.webkit.org/show_bug.cgi?id=193304
1836         <rdar://problem/45268632>
1837
1838         Reviewed by Yusuke Suzuki.
1839
1840         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1841
1842 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1843
1844         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1845         https://bugs.webkit.org/show_bug.cgi?id=193308
1846         <rdar://problem/45546542>
1847
1848         Reviewed by Saam Barati.
1849
1850         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1851         (shouldThrow):
1852         (shouldBe):
1853         (foo):
1854         (get shouldThrow):
1855         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1856         (shouldThrow):
1857         (shouldBe):
1858         (foo):
1859         (get shouldBe):
1860         (get shouldThrow):
1861         (get return):
1862         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1863         (shouldThrow):
1864         (shouldBe):
1865         (foo):
1866         (get shouldBe):
1867         (get shouldThrow):
1868         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1869         (shouldThrow):
1870         (shouldBe):
1871         (foo):
1872         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1873         (shouldThrow):
1874         (shouldBe):
1875         (foo):
1876         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1877         (shouldThrow):
1878         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1879         (shouldThrow):
1880         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1881         (shouldThrow):
1882         (shouldBe):
1883         (foo):
1884         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1885         (shouldThrow):
1886         (shouldBe):
1887         (foo):
1888         (get shouldBe):
1889         (get shouldThrow):
1890         (get return):
1891         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1892         (shouldThrow):
1893         (shouldBe):
1894         (foo):
1895         (get shouldBe):
1896         (get shouldThrow):
1897         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1898         (shouldThrow):
1899         (shouldBe):
1900         (foo):
1901         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1902         (shouldThrow):
1903         (shouldBe):
1904         (foo):
1905
1906 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1907
1908         Enable DFG on ARM/Linux again
1909         https://bugs.webkit.org/show_bug.cgi?id=192496
1910
1911         Reviewed by Yusuke Suzuki.
1912
1913         Test wasn't really skipped before moving the line with skip
1914         to the top.
1915
1916         * stress/regress-192717.js:
1917
1918 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1919
1920         Unreviewed, rolling out r239825.
1921         https://bugs.webkit.org/show_bug.cgi?id=193330
1922
1923         Broke tests on armv7/linux bots (Requested by guijemont on
1924         #webkit).
1925
1926         Reverted changeset:
1927
1928         "Enable DFG on ARM/Linux again"
1929         https://bugs.webkit.org/show_bug.cgi?id=192496
1930         https://trac.webkit.org/changeset/239825
1931
1932 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1933
1934         Enable DFG on ARM/Linux again
1935         https://bugs.webkit.org/show_bug.cgi?id=192496
1936
1937         Reviewed by Yusuke Suzuki.
1938
1939         Test wasn't really skipped before moving the line with skip
1940         to the top.
1941
1942         * stress/regress-192717.js:
1943
1944 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1945
1946         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1947         https://bugs.webkit.org/show_bug.cgi?id=193127
1948
1949         Reviewed by Saam Barati.
1950
1951         * stress/array-species-create-should-handle-masquerader.js: Added.
1952         (shouldThrow):
1953         * stress/is-undefined-or-null-builtin.js: Added.
1954         (shouldBe):
1955         (isUndefinedOrNull.vm.createBuiltin):
1956
1957 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1958
1959         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1960         https://bugs.webkit.org/show_bug.cgi?id=193221
1961
1962         Reviewed by Mark Lam.
1963
1964         * stress/put-by-id-flags.js: Added.
1965         (f):
1966         (g):
1967         (numberOfDFGCompiles):
1968
1969 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1970
1971         Baseline version of get_by_id may corrupt metadata
1972         https://bugs.webkit.org/show_bug.cgi?id=193085
1973         <rdar://problem/23453006>
1974
1975         Reviewed by Saam Barati.
1976
1977         * stress/get-by-id-change-mode.js: Added.
1978         (forEach):
1979
1980 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1981
1982         [JSC] Optimize Object.prototype.toString
1983         https://bugs.webkit.org/show_bug.cgi?id=193031
1984
1985         Reviewed by Saam Barati.
1986
1987         * stress/object-tostring-changed-proto.js: Added.
1988         (shouldBe):
1989         (test):
1990         * stress/object-tostring-changed.js: Added.
1991         (shouldBe):
1992         (test):
1993         * stress/object-tostring-misc.js: Added.
1994         (shouldBe):
1995         (test):
1996         (i.switch):
1997         * stress/object-tostring-other.js: Added.
1998         (shouldBe):
1999         (test):
2000         * stress/object-tostring-untyped.js: Added.
2001         (shouldBe):
2002         (test):
2003         (i.switch):
2004
2005 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
2006
2007         test262-runner misbehaves when test file YAML has a trailing space
2008         https://bugs.webkit.org/show_bug.cgi?id=193053
2009
2010         Reviewed by Yusuke Suzuki.
2011
2012         * test262/expectations.yaml:
2013         Mark two dozen tests as passing (and correct the output of another).
2014
2015 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2016
2017         Unreviewed, JSTests gardening with memoryLimited
2018
2019         * stress/string-overflow-createError.js:
2020
2021 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
2022
2023         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2024         https://bugs.webkit.org/show_bug.cgi?id=193050
2025
2026         Reviewed by Yusuke Suzuki.
2027
2028         * test262.yaml:
2029         * test262/expectations.yaml:
2030         Mark 16 tests as passing.
2031
2032 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2033
2034         [BigInt] Support BigInt in JSON.stringify
2035         https://bugs.webkit.org/show_bug.cgi?id=192624
2036
2037         Reviewed by Saam Barati.
2038
2039         * stress/big-int-json-stringify-to-json.js: Added.
2040         (shouldBe):
2041         (shouldThrow):
2042         (BigInt.prototype.toJSON):
2043         (shouldBe.JSON.stringify):
2044         * stress/big-int-json-stringify.js: Added.
2045         (shouldBe):
2046         (shouldThrow):
2047
2048 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2049
2050         [JSC] Implement "well-formed JSON.stringify" proposal
2051         https://bugs.webkit.org/show_bug.cgi?id=191677
2052
2053         Reviewed by Darin Adler.
2054
2055         * stress/json-surrogate-pair.js: Added.
2056         (shouldBe):
2057         * test262/expectations.yaml:
2058
2059 2018-12-20  Keith Miller  <keith_miller@apple.com>
2060
2061         Add support for globalThis
2062         https://bugs.webkit.org/show_bug.cgi?id=165171
2063
2064         Reviewed by Mark Lam.
2065
2066         * test262/config.yaml:
2067
2068 2018-12-19  Keith Miller  <keith_miller@apple.com>
2069
2070         Update test262 configuration to not run tests dependent on ICU version.
2071         https://bugs.webkit.org/show_bug.cgi?id=192920
2072
2073         Reviewed by Saam Barati.
2074
2075         * test262/expectations.yaml:
2076
2077 2018-12-20  Mark Lam  <mark.lam@apple.com>
2078
2079         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2080         https://bugs.webkit.org/show_bug.cgi?id=192939
2081         <rdar://problem/46869516>
2082
2083         Reviewed by Keith Miller.
2084
2085         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2086
2087 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2088
2089         WTF::String and StringImpl overflow MaxLength
2090         https://bugs.webkit.org/show_bug.cgi?id=192853
2091         <rdar://problem/45726906>
2092
2093         Reviewed by Mark Lam.
2094
2095         * stress/string-16bit-repeat-overflow.js: Added.
2096         (catch):
2097
2098 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2099
2100         Unreviewed follow-up to r192914.
2101
2102         * test262/expectations.yaml:
2103         Add the last 20 missing expectations.
2104
2105 2018-12-19  Keith Miller  <keith_miller@apple.com>
2106
2107         Fix test262 expectations
2108         https://bugs.webkit.org/show_bug.cgi?id=192914
2109
2110         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2111
2112         * test262/expectations.yaml:
2113
2114 2018-12-19  Keith Miller  <keith_miller@apple.com>
2115
2116         Update test262 tests.
2117         https://bugs.webkit.org/show_bug.cgi?id=192907
2118
2119         Rubber stamped by Mark Lam.
2120
2121         * test262/*: Omitted because prepare-changelog crashes.
2122
2123 2018-12-19  Mark Lam  <mark.lam@apple.com>
2124
2125         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2126         https://bugs.webkit.org/show_bug.cgi?id=192464
2127         <rdar://problem/46519455>
2128
2129         Reviewed by Saam Barati.
2130
2131         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2132         microbenchmark.
2133
2134         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2135         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2136
2137 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2138
2139         String overflow in JSC::createError results in ASSERT in WTF::makeString
2140         https://bugs.webkit.org/show_bug.cgi?id=192833
2141         <rdar://problem/45706868>
2142
2143         Reviewed by Mark Lam.
2144
2145         * stress/string-overflow-createError.js: Added.
2146
2147 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2148
2149         Error message for `-x ** y` contains a typo.
2150         https://bugs.webkit.org/show_bug.cgi?id=192832
2151
2152         Reviewed by Saam Barati.
2153
2154         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2155         (assert.assert.return.throws):
2156         * stress/pow-expects-update-expression-on-lhs.js:
2157         (throw.new.Error):
2158         Update test expectations which match against the exact error message.
2159
2160 2018-12-18  Mark Lam  <mark.lam@apple.com>
2161
2162         Gardening: test options fix.
2163         https://bugs.webkit.org/show_bug.cgi?id=192822
2164
2165         Unreviewed.
2166
2167         * stress/json-stringify-string-builder-overflow.js:
2168
2169 2018-12-18  Mark Lam  <mark.lam@apple.com>
2170
2171         JSON.stringify() should throw OOM on StringBuilder overflows.
2172         https://bugs.webkit.org/show_bug.cgi?id=192822
2173         <rdar://problem/46670577>
2174
2175         Reviewed by Saam Barati.
2176
2177         * stress/json-stringify-string-builder-overflow.js: Added.
2178
2179 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2180
2181         Redeclaration of var over let/const/class should be a syntax error.
2182         https://bugs.webkit.org/show_bug.cgi?id=192298
2183
2184         Reviewed by Keith Miller.
2185
2186         * test262.yaml:
2187         * test262/expectations.yaml:
2188         Mark 46 tests as passing.
2189
2190         * stress/block-scope-redeclarations.js:
2191         Add some new tests.
2192
2193         * stress/for-in-invalidate-context-weird-assignments.js:
2194         * stress/for-in-tests.js:
2195         Replace tests for outdated behavior with tests for SyntaxError.
2196
2197         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2198         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2199         Update expectations.
2200
2201 2018-12-18  Mark Lam  <mark.lam@apple.com>
2202
2203         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2204         https://bugs.webkit.org/show_bug.cgi?id=191374
2205         <rdar://problem/46525447>
2206
2207         Reviewed by Yusuke Suzuki.
2208
2209         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2210
2211         * stress/elidable-new-object-roflcopter-then-exit.js:
2212
2213 2018-12-17  Mark Lam  <mark.lam@apple.com>
2214
2215         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2216         https://bugs.webkit.org/show_bug.cgi?id=192019
2217         <rdar://problem/46525456>
2218
2219         Reviewed by Yusuke Suzuki.
2220
2221         The test runs too slow on 32-bit.
2222
2223         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2224
2225 2018-12-17  Mark Lam  <mark.lam@apple.com>
2226
2227         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2228         https://bugs.webkit.org/show_bug.cgi?id=191373
2229         <rdar://problem/46525458>
2230
2231         Reviewed by Yusuke Suzuki.
2232
2233         The test is already slow running with a JIT on 64-bit.  It will always time out
2234         on 32-bit without a JIT.
2235
2236         * stress/materialize-regexp-cyclic-regexp.js:
2237
2238 2018-12-17  Mark Lam  <mark.lam@apple.com>
2239
2240         Array unshift/shift should not race against the AI in the compiler thread.
2241         https://bugs.webkit.org/show_bug.cgi?id=192795
2242         <rdar://problem/46724263>
2243
2244         Reviewed by Saam Barati.
2245
2246         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2247
2248 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2249
2250         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2251         https://bugs.webkit.org/show_bug.cgi?id=190047
2252
2253         Reviewed by Saam Barati.
2254
2255         * stress/object-keys-cached-zero.js: Added.
2256         (shouldBe):
2257         (test):
2258         * stress/object-keys-changed-attribute.js: Added.
2259         (shouldBe):
2260         (test):
2261         * stress/object-keys-changed-index.js: Added.
2262         (shouldBe):
2263         (test):
2264         * stress/object-keys-changed.js: Added.
2265         (shouldBe):
2266         (test):
2267         * stress/object-keys-indexed-non-cache.js: Added.
2268         (shouldBe):
2269         (test):
2270         * stress/object-keys-overrides-get-property-names.js: Added.
2271         (shouldBe):
2272         (test):
2273         (noInline):
2274
2275 2018-12-17  Mark Lam  <mark.lam@apple.com>
2276
2277         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2278         https://bugs.webkit.org/show_bug.cgi?id=192779
2279         <rdar://problem/46775869>
2280
2281         Reviewed by Saam Barati.
2282
2283         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2284
2285 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2286
2287         Unreviewed test gardening, address a syntax error in a new test.
2288
2289         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2290
2291 2018-12-17  Mark Lam  <mark.lam@apple.com>
2292
2293         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2294         https://bugs.webkit.org/show_bug.cgi?id=192776
2295         <rdar://problem/46772368>
2296
2297         Reviewed by Keith Miller.
2298
2299         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2300
2301 2018-12-17  Mark Lam  <mark.lam@apple.com>
2302
2303         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2304         https://bugs.webkit.org/show_bug.cgi?id=192770
2305         <rdar://problem/46449037>
2306
2307         Reviewed by Keith Miller.
2308
2309         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2310
2311 2018-12-14  Mark Lam  <mark.lam@apple.com>
2312
2313         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2314         https://bugs.webkit.org/show_bug.cgi?id=192717
2315         <rdar://problem/46660677>
2316
2317         Reviewed by Saam Barati.
2318
2319         * stress/regress-192717.js: Added.
2320
2321 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2322
2323         Unreviewed, rolling out r239153, r239154, and r239155.
2324         https://bugs.webkit.org/show_bug.cgi?id=192715
2325
2326         Caused flaky GC-related crashes seen with layout tests
2327         (Requested by ryanhaddad on #webkit).
2328
2329         Reverted changesets:
2330
2331         "[JSC] Optimize Object.keys by caching own keys results in
2332         StructureRareData"
2333         https://bugs.webkit.org/show_bug.cgi?id=190047
2334         https://trac.webkit.org/changeset/239153
2335
2336         "Unreviewed, build fix after r239153"
2337         https://bugs.webkit.org/show_bug.cgi?id=190047
2338         https://trac.webkit.org/changeset/239154
2339
2340         "Unreviewed, build fix after r239153, part 2"
2341         https://bugs.webkit.org/show_bug.cgi?id=190047
2342         https://trac.webkit.org/changeset/239155
2343
2344 2018-12-14  Keith Miller  <keith_miller@apple.com>
2345
2346         Callers of JSString::getIndex should check for OOM exceptions
2347         https://bugs.webkit.org/show_bug.cgi?id=192709
2348
2349         Reviewed by Mark Lam.
2350
2351         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2352
2353 2018-12-13  Mark Lam  <mark.lam@apple.com>
2354
2355         Add a missing exception check.
2356         https://bugs.webkit.org/show_bug.cgi?id=192626
2357         <rdar://problem/46662163>
2358
2359         Reviewed by Keith Miller.
2360
2361         * stress/regress-192626.js: Added.
2362
2363 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2364
2365         [BigInt] Add ValueDiv into DFG
2366         https://bugs.webkit.org/show_bug.cgi?id=186178
2367
2368         Reviewed by Yusuke Suzuki.
2369
2370         * stress/big-int-div-jit-osr.js: Added.
2371         * stress/big-int-div-jit-untyped.js: Added.
2372         * stress/value-div-fixup-int32-big-int.js: Added.
2373
2374 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2375
2376         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2377         https://bugs.webkit.org/show_bug.cgi?id=190047
2378
2379         Reviewed by Keith Miller.
2380
2381         * stress/object-keys-cached-zero.js: Added.
2382         (shouldBe):
2383         (test):
2384         * stress/object-keys-changed-attribute.js: Added.
2385         (shouldBe):
2386         (test):
2387         * stress/object-keys-changed-index.js: Added.
2388         (shouldBe):
2389         (test):
2390         * stress/object-keys-changed.js: Added.
2391         (shouldBe):
2392         (test):
2393         * stress/object-keys-indexed-non-cache.js: Added.
2394         (shouldBe):
2395         (test):
2396         * stress/object-keys-overrides-get-property-names.js: Added.
2397         (shouldBe):
2398         (test):
2399         (noInline):
2400
2401 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2402
2403         [DFG][FTL] Add NewSymbol
2404         https://bugs.webkit.org/show_bug.cgi?id=192620
2405
2406         Reviewed by Saam Barati.
2407
2408         * microbenchmarks/symbol-creation.js: Added.
2409         (test):
2410         * stress/symbol-description-identity.js: Added.
2411         (shouldBe):
2412         (test):
2413         * stress/symbol-identity.js: Added.
2414         (shouldBe):
2415         (test):
2416         * stress/symbol-with-description-throw-error.js: Added.
2417         (shouldBe):
2418         (shouldThrow):
2419         (test):
2420         (object.toString):
2421
2422 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2423
2424         [BigInt] Implement DFG/FTL typeof for BigInt
2425         https://bugs.webkit.org/show_bug.cgi?id=192619
2426
2427         Reviewed by Keith Miller.
2428
2429         * stress/big-int-boolean-proven-type.js: Added.
2430         (assert):
2431         (bool):
2432         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2433         (assert):
2434         (typeOf):
2435         (i.switch):
2436         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2437         (assert):
2438         (typeOf):
2439         * stress/big-int-type-of.js:
2440         (typeOf):
2441         (func):
2442
2443 2018-12-10  Mark Lam  <mark.lam@apple.com>
2444
2445         PropertyAttribute needs a CustomValue bit.
2446         https://bugs.webkit.org/show_bug.cgi?id=191993
2447         <rdar://problem/46264467>
2448
2449         Reviewed by Saam Barati.
2450
2451         * stress/regress-191993.js: Added.
2452
2453 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2454
2455         [BigInt] Add ValueMul into DFG
2456         https://bugs.webkit.org/show_bug.cgi?id=186175
2457
2458         Reviewed by Yusuke Suzuki.
2459
2460         * stress/big-int-mul-jit-osr.js: Added.
2461         * stress/big-int-mul-jit-untyped.js: Added.
2462         * stress/value-mul-fixup-int32-big-int.js: Added.
2463
2464 2018-12-06  Keith Miller  <keith_miller@apple.com>
2465
2466         stress/big-wasm-memory tests failing on 32-bit JSC bot
2467         https://bugs.webkit.org/show_bug.cgi?id=192020
2468
2469         Reviewed by Saam Barati.
2470
2471         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2472         the wasm stress tests if the WebAssembly object does not exist.
2473
2474         * stress/big-wasm-memory-grow-no-max.js:
2475         (test.foo):
2476         (test):
2477         (foo): Deleted.
2478         (catch): Deleted.
2479         * stress/big-wasm-memory-grow.js:
2480         (test.foo):
2481         (test):
2482         (foo): Deleted.
2483         (catch): Deleted.
2484         * stress/big-wasm-memory.js:
2485         (test.foo):
2486         (test):
2487         (foo): Deleted.
2488         (catch): Deleted.
2489
2490 2018-12-05  Mark Lam  <mark.lam@apple.com>
2491
2492         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2493         https://bugs.webkit.org/show_bug.cgi?id=192441
2494         <rdar://problem/46480355>
2495
2496         Reviewed by Saam Barati.
2497
2498         * stress/regress-192441.js: Added.
2499
2500 2018-12-04  Mark Lam  <mark.lam@apple.com>
2501
2502         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2503         https://bugs.webkit.org/show_bug.cgi?id=192386
2504         <rdar://problem/46445516>
2505
2506         Reviewed by Saam Barati.
2507
2508         * stress/regress-192386.js: Added.
2509
2510 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2511
2512         [ESNext][BigInt] Support logic operations
2513         https://bugs.webkit.org/show_bug.cgi?id=179903
2514
2515         Reviewed by Yusuke Suzuki.
2516
2517         * stress/big-int-branch-usage.js: Added.
2518         * stress/big-int-logical-and.js: Added.
2519         * stress/big-int-logical-not.js: Added.
2520         * stress/big-int-logical-or.js: Added.
2521
2522 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2523
2524         Unreviewed, rolling out r238833.
2525
2526         Breaks macOS and iOS debug builds.
2527
2528         Reverted changeset:
2529
2530         "[ESNext][BigInt] Support logic operations"
2531         https://bugs.webkit.org/show_bug.cgi?id=179903
2532         https://trac.webkit.org/changeset/238833
2533
2534 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2535
2536         [ESNext][BigInt] Support logic operations
2537         https://bugs.webkit.org/show_bug.cgi?id=179903
2538
2539         Reviewed by Yusuke Suzuki.
2540
2541         * stress/big-int-branch-usage.js: Added.
2542         * stress/big-int-logical-and.js: Added.
2543         * stress/big-int-logical-not.js: Added.
2544         * stress/big-int-logical-or.js: Added.
2545
2546 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2547
2548         [ESNext][BigInt] Implement support for "<<" and ">>"
2549         https://bugs.webkit.org/show_bug.cgi?id=186233
2550
2551         Reviewed by Yusuke Suzuki.
2552
2553         * stress/big-int-left-shift-general.js: Added.
2554         * stress/big-int-left-shift-range-error.js: Added.
2555         * stress/big-int-left-shift-type-error.js: Added.
2556         * stress/big-int-left-shift-wrapped-value.js: Added.
2557         * stress/big-int-right-shift-general.js: Added.
2558         * stress/big-int-right-shift-type-error.js: Added.
2559         * stress/big-int-right-shift-wrapped-value.js: Added.
2560         * stress/left-shift-to-primitive-precedence.js: Added.
2561         * stress/right-shift-to-primitive-precedence.js: Added.
2562
2563 2018-11-30  Dean Jackson  <dino@apple.com>
2564
2565         Add first-class support for .mjs files in jsc binary
2566         https://bugs.webkit.org/show_bug.cgi?id=192190
2567         <rdar://problem/46375715>
2568
2569         Reviewed by Keith Miller.
2570
2571         * stress/simple-module.mjs: Added.
2572         * stress/simple-script.js: Added.
2573
2574 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2575
2576         [BigInt] Implement ValueBitXor into DFG
2577         https://bugs.webkit.org/show_bug.cgi?id=190264
2578
2579         Reviewed by Yusuke Suzuki.
2580
2581         * stress/big-int-bitwise-xor-jit.js: Added.
2582         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2583         * stress/big-int-bitwise-xor-untyped.js: Added.
2584
2585 2018-11-27  Saam barati  <sbarati@apple.com>
2586
2587         r238510 broke scopes of size zero
2588         https://bugs.webkit.org/show_bug.cgi?id=192033
2589         <rdar://problem/46281734>
2590
2591         Reviewed by Keith Miller.
2592
2593         * stress/r238510-bad-loop.js: Added.
2594         (foo):
2595
2596 2018-11-27  Mark Lam  <mark.lam@apple.com>
2597
2598         [Re-landing] NaNs read from Wasm code needs to be purified.
2599         https://bugs.webkit.org/show_bug.cgi?id=191056
2600         <rdar://problem/45660341>
2601
2602         Reviewed by Filip Pizlo.
2603
2604         * wasm/regress/regress-191056.js: Added.
2605
2606 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2607
2608         Unreviewed, rolling out r238509.
2609
2610         Causes JSC tests to fail on iOS.
2611
2612         Reverted changeset:
2613
2614         "NaNs read from Wasm code needs to be purified."
2615         https://bugs.webkit.org/show_bug.cgi?id=191056
2616         https://trac.webkit.org/changeset/238509
2617
2618 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2619
2620         Re-introduce op_bitnot
2621         https://bugs.webkit.org/show_bug.cgi?id=190923
2622
2623         Reviewed by Yusuke Suzuki.
2624
2625         * stress/bit-not-must-generate.js: Added.
2626         * stress/bitwise-not-no-int32.js: Added.
2627
2628 2018-11-26  Saam barati  <sbarati@apple.com>
2629
2630         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2631         https://bugs.webkit.org/show_bug.cgi?id=191956
2632         <rdar://problem/45665806>
2633
2634         Reviewed by Yusuke Suzuki.
2635
2636         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2637         (bar):
2638         (foo):
2639
2640 2018-11-26  Saam barati  <sbarati@apple.com>
2641
2642         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2643         https://bugs.webkit.org/show_bug.cgi?id=191958
2644         <rdar://problem/46221877>
2645
2646         Reviewed by Yusuke Suzuki.
2647
2648         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2649         (x):
2650         (foo):
2651
2652 2018-11-26  Mark Lam  <mark.lam@apple.com>
2653
2654         NaNs read from Wasm code needs to be purified.
2655         https://bugs.webkit.org/show_bug.cgi?id=191056
2656         <rdar://problem/45660341>
2657
2658         Reviewed by Filip Pizlo.
2659
2660         * wasm/regress/regress-191056.js: Added.
2661
2662 2018-11-26  Michael Saboff  <msaboff@apple.com>
2663
2664         32-bit JSC test failure: stress/regexp-compile-oom.js
2665         https://bugs.webkit.org/show_bug.cgi?id=191375
2666
2667         Reviewed by Mark Lam.
2668
2669         Disabled the test for 32 bit platforms.
2670
2671         * stress/regexp-compile-oom.js:
2672
2673 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2674
2675         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2676         https://bugs.webkit.org/show_bug.cgi?id=191716
2677         <rdar://problem/45723878>
2678
2679         Reviewed by Saam Barati.
2680
2681         * stress/regress-187373.js: Added.
2682         (async.fn):
2683
2684 2018-11-21  Saam barati  <sbarati@apple.com>
2685
2686         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2687         https://bugs.webkit.org/show_bug.cgi?id=191897
2688         <rdar://problem/45871998>
2689
2690         Reviewed by Mark Lam.
2691
2692         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2693         (bar):
2694         (foo):
2695
2696 2018-11-21  Saam barati  <sbarati@apple.com>
2697
2698         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2699         https://bugs.webkit.org/show_bug.cgi?id=191895
2700         <rdar://problem/46167406>
2701
2702         Reviewed by Mark Lam.
2703
2704         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2705         (foo):
2706         (bar):
2707
2708 2018-11-21  Mark Lam  <mark.lam@apple.com>
2709
2710         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2711         https://bugs.webkit.org/show_bug.cgi?id=191776
2712         <rdar://problem/46152851>
2713
2714         Reviewed by Saam Barati.
2715
2716         * stress/big-wasm-memory-grow-no-max.js:
2717         * stress/big-wasm-memory-grow.js:
2718         * stress/big-wasm-memory.js:
2719         - updated these to expect an OutOfMemoryError.
2720
2721         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2722         (Binary.prototype.emit_u8):
2723         (Binary.prototype.emit_u32v):
2724         (Binary.prototype.emit_header):
2725         (Binary.prototype.emit_section):
2726         (Binary):
2727         (WasmModuleBuilder):
2728         (WasmModuleBuilder.prototype.addMemory):
2729         (WasmModuleBuilder.prototype.toArray):
2730         (WasmModuleBuilder.prototype.toBuffer):
2731         (WasmModuleBuilder.prototype.instantiate):
2732         (catch):
2733         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2734         (catch):
2735
2736 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2737
2738         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2739         https://bugs.webkit.org/show_bug.cgi?id=190836
2740
2741         Reviewed by Saam Barati and Yusuke Suzuki.
2742
2743         * stress/big-int-out-of-memory-tests.js: Added.
2744
2745 2018-11-20  Mark Lam  <mark.lam@apple.com>
2746
2747         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2748         https://bugs.webkit.org/show_bug.cgi?id=191856
2749         <rdar://problem/46089992>
2750
2751         Reviewed by Yusuke Suzuki.
2752
2753         * stress/regress-191856.js: Added.
2754         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2755
2756 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2757
2758         Enable JIT on ARM/Linux
2759         https://bugs.webkit.org/show_bug.cgi?id=191548
2760
2761         Reviewed by Yusuke Suzuki.
2762
2763         Disable test on system with limited memory. Program was killed by
2764         the OS before the exception was thrown.
2765
2766         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2767
2768 2018-11-20  Saam barati  <sbarati@apple.com>
2769
2770         Merging an IC variant may lead to the IC status containing overlapping structure sets
2771         https://bugs.webkit.org/show_bug.cgi?id=191869
2772         <rdar://problem/45403453>
2773
2774         Reviewed by Mark Lam.
2775
2776         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2777
2778 2018-11-19  Mark Lam  <mark.lam@apple.com>
2779
2780         globalFuncImportModule() should return a promise when it clears exceptions.
2781         https://bugs.webkit.org/show_bug.cgi?id=191792
2782         <rdar://problem/46090763>
2783
2784         Reviewed by Michael Saboff.
2785
2786         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2787
2788 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2789
2790         Skip new memory-hungry tests on memory limited devices
2791
2792         Unreviewed gardening.
2793
2794         * stress/big-wasm-memory-grow-no-max.js:
2795         * stress/big-wasm-memory-grow.js:
2796         * stress/big-wasm-memory.js:
2797
2798 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2799
2800         Unreviewed, rolling in the rest of r237254
2801         https://bugs.webkit.org/show_bug.cgi?id=190340
2802
2803         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2804         * stress/function-cache-with-parameters-end-position.js: Added.
2805         (shouldBe):
2806         (shouldThrow):
2807         (i.anonymous):
2808         * stress/function-constructor-name.js: Added.
2809         (shouldBe):
2810         (GeneratorFunction):
2811         (AsyncFunction.async):
2812         (AsyncGeneratorFunction.async):
2813         (anonymous):
2814         (async.anonymous):
2815         * test262/expectations.yaml:
2816
2817 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2818
2819         All users of ArrayBuffer should agree on the same max size
2820         https://bugs.webkit.org/show_bug.cgi?id=191771
2821
2822         Reviewed by Mark Lam.
2823
2824         * stress/big-wasm-memory-grow-no-max.js: Added.
2825         (foo):
2826         (catch):
2827         * stress/big-wasm-memory-grow.js: Added.
2828         (foo):
2829         (catch):
2830         * stress/big-wasm-memory.js: Added.
2831         (foo):
2832         (catch):
2833
2834 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2835
2836         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2837         run for each JSC config since they're regression tests for runtime bugs.
2838
2839         * stress/json-stringified-overflow-2.js:
2840         * stress/json-stringified-overflow.js:
2841
2842 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2843
2844         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2845         config since they're regression tests for runtime bugs.
2846
2847         * stress/large-unshift-splice.js:
2848         * stress/regress-185888.js:
2849
2850 2018-11-16  Saam Barati  <sbarati@apple.com>
2851
2852         KnownCellUse should also have SpecCellCheck as its type filter
2853         https://bugs.webkit.org/show_bug.cgi?id=191729
2854         <rdar://problem/45872852>
2855
2856         Reviewed by Filip Pizlo.
2857
2858         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2859         (C):
2860
2861 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2862
2863         Fix assertion failure on BytecodeGenerator::recordOpcode
2864         https://bugs.webkit.org/show_bug.cgi?id=191724
2865         <rdar://problem/45724395>
2866
2867         Reviewed by Saam Barati.
2868
2869         * stress/regress-187373-2.js: Added.
2870         (foo):
2871
2872 2018-11-15  Mark Lam  <mark.lam@apple.com>
2873
2874         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2875         https://bugs.webkit.org/show_bug.cgi?id=191730
2876         <rdar://problem/46048517>
2877
2878         Reviewed by Saam Barati.
2879
2880         * stress/regress-187006.js: Removed.
2881           - this test is invalid because its sole purpose is to test for the non-spec
2882             compliant behavior that we just fixed.
2883
2884         * stress/regress-191730.js: Added.
2885
2886 2018-11-15  Mark Lam  <mark.lam@apple.com>
2887
2888         RegExp operations should not take fast patch if lastIndex is not numeric.
2889         https://bugs.webkit.org/show_bug.cgi?id=191731
2890         <rdar://problem/46017305>
2891
2892         Reviewed by Saam Barati.
2893
2894         * stress/regress-191731.js: Added.
2895
2896 2018-11-13  Saam Barati  <sbarati@apple.com>
2897
2898         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2899         https://bugs.webkit.org/show_bug.cgi?id=191600
2900
2901         Reviewed by Mark Lam.
2902
2903         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2904         (foo):
2905         (test):
2906         (bar):
2907
2908 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2909
2910         Unreviewed, rolling out r238132.
2911
2912         The test added with this change is timing out on Debug JSC
2913         bots.
2914
2915         Reverted changeset:
2916
2917         "[BigInt] JSBigInt::createWithLength should throw when length
2918         is greater than JSBigInt::maxLength"
2919         https://bugs.webkit.org/show_bug.cgi?id=190836
2920         https://trac.webkit.org/changeset/238132
2921
2922 2018-11-13  Mark Lam  <mark.lam@apple.com>
2923
2924         Add OOM detection to StringPrototype's substituteBackreferences().
2925         https://bugs.webkit.org/show_bug.cgi?id=191563
2926         <rdar://problem/45720428>
2927
2928         Reviewed by Saam Barati.
2929
2930         * stress/regress-191563.js: Added.
2931
2932 2018-11-13  Mark Lam  <mark.lam@apple.com>
2933
2934         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2935         https://bugs.webkit.org/show_bug.cgi?id=191579
2936         <rdar://problem/45942472>
2937
2938         Reviewed by Saam Barati.
2939
2940         * stress/regress-191579.js: Added.
2941
2942 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2943
2944         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2945         https://bugs.webkit.org/show_bug.cgi?id=190836
2946
2947         Reviewed by Saam Barati.
2948
2949         * stress/big-int-out-of-memory-tests.js: Added.
2950
2951 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2952
2953         U+180E is no longer a whitespace character
2954         https://bugs.webkit.org/show_bug.cgi?id=191415
2955
2956         Reviewed by Saam Barati.
2957
2958         * ChakraCore/test/es5/regexSpace.baseline:
2959         * ChakraCore/test/es6/unicode_whitespace.js:
2960         Update tests to latest version.
2961         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2962
2963         * test262.yaml:
2964         * test262/config.yaml:
2965         * test262/expectations.yaml:
2966         Update expectations.
2967
2968 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2969
2970         [BigInt] Add support to BigInt into ValueAdd
2971         https://bugs.webkit.org/show_bug.cgi?id=186177
2972
2973         Reviewed by Keith Miller.
2974
2975         * stress/big-int-negate-jit.js:
2976         * stress/value-add-big-int-and-string.js: Added.
2977         * stress/value-add-big-int-prediction-propagation.js: Added.
2978         * stress/value-add-big-int-untyped.js: Added.
2979
2980 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2981
2982         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2983         https://bugs.webkit.org/show_bug.cgi?id=191184
2984
2985         Reviewed by Saam Barati.
2986
2987         Most tests were failing due to timeouts, since they are too slow to
2988         run on CLoop. The exceptions are:
2989
2990         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2991         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2992         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2993         to change the stack size since CLoop requires it to be page aligned.
2994
2995         * microbenchmarks/array-push-1.js:
2996         * microbenchmarks/array-push-2.js:
2997         * microbenchmarks/elidable-new-object-dag.js:
2998         * microbenchmarks/elidable-new-object-roflcopter.js:
2999         * microbenchmarks/elidable-new-object-tree.js:
3000         * microbenchmarks/getter-richards.js:
3001         * microbenchmarks/sinkable-new-object-dag.js:
3002         * microbenchmarks/string-concat-long-convert.js:
3003         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
3004         * slowMicrobenchmarks/array-push-3.js:
3005         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
3006         * slowMicrobenchmarks/spread-small-array.js:
3007         * slowMicrobenchmarks/undefined-property-access.js:
3008         * stress/activation-sink-default-value-tdz-error.js:
3009         * stress/activation-sink-default-value.js:
3010         * stress/activation-sink-osrexit-default-value-tdz-error.js:
3011         * stress/activation-sink-osrexit-default-value.js:
3012         * stress/activation-sink-osrexit.js:
3013         * stress/activation-sink.js:
3014         * stress/allow-math-ic-b3-code-duplication.js:
3015         * stress/array-push-multiple-int32.js:
3016         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
3017         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
3018         * stress/arrowfunction-lexical-this-activation-sink.js:
3019         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
3020         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
3021         * stress/elide-new-object-dag-then-exit.js:
3022         * stress/materialize-regexp-cyclic.js:
3023         * stress/new-regex-inline.js:
3024         * stress/op_add.js:
3025         * stress/op_bitand.js:
3026         * stress/op_bitor.js:
3027         * stress/op_bitxor.js:
3028         * stress/op_div-ConstVar.js:
3029         * stress/op_div-VarConst.js:
3030         * stress/op_div-VarVar.js:
3031         * stress/op_lshift-ConstVar.js:
3032         * stress/op_lshift-VarConst.js:
3033         * stress/op_lshift-VarVar.js:
3034         * stress/op_mod-ConstVar.js:
3035         * stress/op_mod-VarConst.js:
3036         * stress/op_mod-VarVar.js:
3037         * stress/op_mul-ConstVar.js:
3038         * stress/op_mul-VarConst.js:
3039         * stress/op_mul-VarVar.js:
3040         * stress/op_rshift-ConstVar.js:
3041         * stress/op_rshift-VarConst.js:
3042         * stress/op_rshift-VarVar.js:
3043         * stress/op_sub-ConstVar.js:
3044         * stress/op_sub-VarConst.js:
3045         * stress/op_sub-VarVar.js:
3046         * stress/op_urshift-ConstVar.js:
3047         * stress/op_urshift-VarConst.js:
3048         * stress/op_urshift-VarVar.js:
3049         * stress/proxy-get-set-correct-receiver.js:
3050         * stress/regress-179562.js:
3051         * stress/rest-parameter-many-arguments.js:
3052         * stress/sampling-profiler-richards.js:
3053         * stress/splay-flash-access-1ms.js:
3054         * stress/tailCallForwardArguments.js:
3055         * stress/typed-array-get-by-val-profiling.js:
3056         * typeProfiler/getter-richards.js:
3057
3058 2018-11-06  Michael Saboff  <msaboff@apple.com>
3059
3060         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3061         https://bugs.webkit.org/show_bug.cgi?id=191271
3062
3063         Reviewed by Saam Barati.
3064
3065         Added more test cases and made all test cases run with the same deeply recursive stack
3066         instead of finding that same point for each test case.
3067
3068         * stress/regexp-compile-oom.js:
3069         (prototype.runTest):
3070         (recurseAndTest):
3071         (testList.push.new.TestAndExpectedException):
3072
3073 2018-11-05  Michael Saboff  <msaboff@apple.com>
3074
3075         Unreviewed build fix for linux.
3076
3077         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3078
3079 2018-11-02  Michael Saboff  <msaboff@apple.com>
3080
3081         Rolling in r237753 with unreviewed build fix.
3082
3083         Fixed issues with DECLARE_THROW_SCOPE placement.
3084
3085 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3086
3087         Unreviewed, rolling out r237753.
3088
3089         Introduced JSC test failures
3090
3091         Reverted changeset:
3092
3093         "Running out of stack space not properly handled in
3094         RegExp::compile() and its callers"
3095         https://bugs.webkit.org/show_bug.cgi?id=191206
3096         https://trac.webkit.org/changeset/237753
3097
3098 2018-11-02  Michael Saboff  <msaboff@apple.com>
3099
3100         Running out of stack space not properly handled in RegExp::compile() and its callers
3101         https://bugs.webkit.org/show_bug.cgi?id=191206
3102
3103         Reviewed by Filip Pizlo.
3104
3105         New regression test.
3106
3107         * stress/regexp-compile-oom.js: Added.
3108         (recurseAndTest):
3109
3110 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3111
3112         Skip tests on arm/mips that time out now we're running on CLoop
3113
3114         Unreviewed gardening.
3115
3116         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3117         time out on the bots and need to be disabled. There's more tests
3118         disabled on arm because the timeout is longer on the mips bot (as the
3119         device is slower to start with), so many of the tests don't time out
3120         there.
3121
3122         * microbenchmarks/getter-richards.js: disable on arm and mips.
3123         * stress/op_add.js: disable on arm.
3124         * stress/op_bitand.js: disable on arm.
3125         * stress/op_bitor.js: disable on arm.
3126         * stress/op_bitxor.js: disable on arm.
3127         * stress/op_lshift-ConstVar.js: disable on arm.
3128         * stress/op_lshift-VarConst.js: disable on arm.
3129         * stress/op_lshift-VarVar.js: disable on arm.
3130         * stress/op_mod-ConstVar.js: disable on arm.
3131         * stress/op_mod-VarConst.js: disable on arm.
3132         * stress/op_mod-VarVar.js: disable on arm.
3133         * stress/op_mul-ConstVar.js: disable on arm.
3134         * stress/op_mul-VarConst.js: disable on arm.
3135         * stress/op_mul-VarVar.js: disable on arm.
3136         * stress/op_rshift-ConstVar.js: disable on arm.
3137         * stress/op_rshift-VarConst.js: disable on arm.
3138         * stress/op_rshift-VarVar.js: disable on arm.
3139         * stress/op_sub-ConstVar.js: disable on arm.
3140         * stress/op_sub-VarConst.js: disable on arm.
3141         * stress/op_sub-VarVar.js: disable on arm.
3142         * stress/op_urshift-ConstVar.js: disable on arm.
3143         * stress/op_urshift-VarConst.js: disable on arm.
3144         * stress/op_urshift-VarVar.js: disable on arm.
3145         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3146         * stress/value-to-boolean.js: disable on arm and mips.
3147
3148 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3149
3150         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3151         https://bugs.webkit.org/show_bug.cgi?id=191108
3152         <rdar://problem/45690700>
3153
3154         Reviewed by Saam Barati.
3155
3156         * stress/wide-op_catch.js: Added.
3157         (catch):
3158
3159 2018-10-29  Mark Lam  <mark.lam@apple.com>
3160
3161         Correctly detect string overflow when using the 'Function' constructor.
3162         https://bugs.webkit.org/show_bug.cgi?id=184883
3163         <rdar://problem/36320331>
3164
3165         Reviewed by Saam Barati.
3166
3167         I've verified that this passes on 32-bit as well.
3168
3169         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3170
3171 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3172
3173         Add support for GetStack FlushedDouble
3174         https://bugs.webkit.org/show_bug.cgi?id=191012
3175         <rdar://problem/45265141>
3176
3177         Reviewed by Saam Barati.
3178
3179         * stress/get-stack-double.js: Added.
3180         (bar):
3181         (noInline):
3182
3183 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3184
3185         New bytecode format for JSC
3186         https://bugs.webkit.org/show_bug.cgi?id=187373
3187         <rdar://problem/44186758>
3188
3189         Reviewed by Filip Pizlo.
3190
3191         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3192
3193         * stress/maximum-inline-capacity.js: Added.
3194         (test1):
3195         (test3.Foo):
3196         (test3):
3197
3198 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3199
3200         Unreviewed, rolling out r237479 and r237484.
3201         https://bugs.webkit.org/show_bug.cgi?id=190978
3202
3203         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3204
3205         Reverted changesets:
3206
3207         "New bytecode format for JSC"
3208         https://bugs.webkit.org/show_bug.cgi?id=187373
3209         https://trac.webkit.org/changeset/237479
3210
3211         "Gardening: Build fix after r237479."
3212         https://bugs.webkit.org/show_bug.cgi?id=187373
3213         https://trac.webkit.org/changeset/237484
3214
3215 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3216
3217         New bytecode format for JSC
3218         https://bugs.webkit.org/show_bug.cgi?id=187373
3219         <rdar://problem/44186758>
3220
3221         Reviewed by Filip Pizlo.
3222
3223         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3224
3225         * stress/maximum-inline-capacity.js: Added.
3226         (test1):
3227         (test3.Foo):
3228         (test3):
3229
3230 2018-10-26  Mark Lam  <mark.lam@apple.com>
3231
3232         Fix missing edge cases with JSGlobalObjects having a bad time.
3233         https://bugs.webkit.org/show_bug.cgi?id=189028
3234         <rdar://problem/45204939>
3235
3236         Reviewed by Saam Barati.
3237
3238         * stress/regress-189028.js: Added.
3239
3240 2018-10-22  Mark Lam  <mark.lam@apple.com>
3241
3242         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3243         https://bugs.webkit.org/show_bug.cgi?id=190515
3244         <rdar://problem/45222379>
3245
3246         Rubber-stamped by Saam Barati.
3247
3248         Adding another test.
3249
3250         * stress/regress-190515-2.js: Added.
3251
3252 2018-10-22  Mark Lam  <mark.lam@apple.com>
3253
3254         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3255         https://bugs.webkit.org/show_bug.cgi?id=190515
3256         <rdar://problem/45222379>
3257
3258         Reviewed by Saam Barati.
3259
3260         * stress/regress-190515.js: Added.
3261
3262 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3263
3264         Unreviewed, rolling out r237254.
3265         https://bugs.webkit.org/show_bug.cgi?id=190760
3266
3267         "It regresses JetStream 2 by 5% on some iOS devices"
3268         (Requested by saamyjoon on #webkit).
3269
3270         Reverted changeset:
3271
3272         "[JSC] JSC should have "parseFunction" to optimize Function
3273         constructor"
3274         https://bugs.webkit.org/show_bug.cgi?id=190340
3275         https://trac.webkit.org/changeset/237254
3276
3277 2018-10-19  Saam Barati  <sbarati@apple.com>
3278
3279         vmCall should check if we exit before emitting an OSR exit due to exceptions
3280         https://bugs.webkit.org/show_bug.cgi?id=190740
3281         <rdar://problem/45220139>
3282
3283         Reviewed by Mark Lam.
3284
3285         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3286         (foo):
3287
3288 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3289
3290         [ESNext][BigInt] Implement support for "^"
3291         https://bugs.webkit.org/show_bug.cgi?id=186235
3292
3293         Reviewed by Yusuke Suzuki.
3294
3295         * stress/big-int-bitwise-xor-general.js: Added.
3296         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3297         * stress/big-int-bitwise-xor-type-error.js: Added.
3298         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3299
3300 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3301
3302         [BigInt] Add ValueSub into DFG
3303         https://bugs.webkit.org/show_bug.cgi?id=186176
3304
3305         Reviewed by Yusuke Suzuki.
3306
3307         * stress/big-int-subtraction-jit.js:
3308         * stress/value-sub-big-int-prediction-propagation.js: Added.
3309         * stress/value-sub-big-int-untyped.js: Added.
3310         * stress/value-sub-spec-none-case.js: Added.
3311
3312 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3313
3314         [JSC] JSC should have "parseFunction" to optimize Function constructor
3315         https://bugs.webkit.org/show_bug.cgi?id=190340
3316
3317         Reviewed by Mark Lam.
3318
3319         This patch fixes the line number of syntax errors raised by the Function constructor,
3320         since we now parse the final code only once. And we no longer use block statement
3321         for Function constructor's parsing.
3322
3323         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3324         * stress/function-cache-with-parameters-end-position.js: Added.
3325         (shouldBe):
3326         (shouldThrow):
3327         (i.anonymous):
3328         * stress/function-constructor-name.js: Added.
3329         (shouldBe):
3330         (GeneratorFunction):
3331         (AsyncFunction.async):
3332         (AsyncGeneratorFunction.async):
3333         (anonymous):
3334         (async.anonymous):
3335         * test262/expectations.yaml:
3336
3337 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3338
3339         Unreviewed, rolling out r237242.
3340         https://bugs.webkit.org/show_bug.cgi?id=190701
3341
3342         it breaks "stress/sampling-profiler-basic.js" (Requested by
3343         caiolima on #webkit).
3344
3345         Reverted changeset:
3346
3347         "[BigInt] Add ValueSub into DFG"
3348         https://bugs.webkit.org/show_bug.cgi?id=186176
3349         https://trac.webkit.org/changeset/237242
3350
3351 2018-10-17  Keith Miller  <keith_miller@apple.com>
3352
3353         AI does not clear Phantom allocation nodes.
3354         https://bugs.webkit.org/show_bug.cgi?id=190694
3355
3356         Reviewed by Saam Barati.
3357
3358         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3359         (Day):
3360         (DaysInYear):
3361         (TimeInYear):
3362         (TimeFromYear):
3363         (DayFromYear):
3364         (InLeapYear):
3365         (YearFromTime):
3366         (WeekDay):
3367         (DaylightSavingTA):
3368         (GetSecondSundayInMarch):
3369         (TimeInMonth):
3370
3371 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3372
3373         [BigInt] Add ValueSub into DFG
3374         https://bugs.webkit.org/show_bug.cgi?id=186176
3375
3376         Reviewed by Yusuke Suzuki.
3377
3378         * stress/big-int-subtraction-jit.js:
3379         * stress/value-sub-big-int-prediction-propagation.js: Added.
3380         * stress/value-sub-big-int-untyped.js: Added.
3381
3382 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3383
3384         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3385         https://bugs.webkit.org/show_bug.cgi?id=190611
3386
3387         Reviewed by Saam Barati.
3388
3389         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3390         to improve test runtime. On ARM/MIPS this test even timed out when running all
3391         tests.
3392
3393         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3394         (test):
3395
3396 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3397
3398         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3399
3400         Unreviewed gardening.
3401
3402         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3403
3404 2018-10-15  Saam barati  <sbarati@apple.com>
3405
3406         Emit fjcvtzs on ARM64E on Darwin
3407         https://bugs.webkit.org/show_bug.cgi?id=184023
3408
3409         Reviewed by Yusuke Suzuki and Filip Pizlo.
3410
3411         * stress/double-to-int32-NaN.js: Added.
3412         (assert):
3413         (foo):
3414
3415 2018-10-15  Saam Barati  <sbarati@apple.com>
3416
3417         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3418         https://bugs.webkit.org/show_bug.cgi?id=190262
3419         <rdar://problem/44986241>
3420
3421         Reviewed by Mark Lam.
3422
3423         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3424         (test):
3425         * stress/slice-array-storage-with-holes.js: Added.
3426         (main):
3427
3428 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3429
3430         Unreviewed, rolling out r237054.
3431         https://bugs.webkit.org/show_bug.cgi?id=190593
3432
3433         "this regressed JetStream 2 by 6% on iOS" (Requested by
3434         saamyjoon on #webkit).
3435
3436         Reverted changeset:
3437
3438         "[JSC] JSC should have "parseFunction" to optimize Function
3439         constructor"
3440         https://bugs.webkit.org/show_bug.cgi?id=190340
3441         https://trac.webkit.org/changeset/237054
3442
3443 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3444
3445         [JSC] JSON.stringify can accept call-with-no-arguments
3446         https://bugs.webkit.org/show_bug.cgi?id=190343
3447
3448         Reviewed by Mark Lam.
3449
3450         * stress/json-stringify-no-arguments.js: Added.
3451         (shouldBe):
3452
3453 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3454
3455         [JSC] JSC should have "parseFunction" to optimize Function constructor
3456         https://bugs.webkit.org/show_bug.cgi?id=190340
3457
3458         Reviewed by Mark Lam.
3459
3460         This patch fixes the line number of syntax errors raised by the Function constructor,
3461         since we now parse the final code only once. And we no longer use block statement
3462         for Function constructor's parsing.
3463
3464         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3465         * stress/function-cache-with-parameters-end-position.js: Added.
3466         (shouldBe):
3467         (shouldThrow):
3468         (i.anonymous):
3469         * stress/function-constructor-name.js: Added.
3470         (shouldBe):
3471         (GeneratorFunction):
3472         (AsyncFunction.async):
3473         (AsyncGeneratorFunction.async):
3474         (anonymous):
3475         (async.anonymous):
3476         * test262/expectations.yaml:
3477
3478 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3479
3480         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3481         https://bugs.webkit.org/show_bug.cgi?id=190426
3482
3483         Unreviewed gardening.
3484
3485         * stress/sampling-profiler-richards.js:
3486
3487 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3488
3489         [ESNext][BigInt] Implement support for "|"
3490         https://bugs.webkit.org/show_bug.cgi?id=186229
3491
3492         Reviewed by Yusuke Suzuki.
3493
3494         * stress/big-int-bitwise-and-jit.js:
3495         * stress/big-int-bitwise-or-general.js: Added.
3496         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3497         * stress/big-int-bitwise-or-jit.js: Added.
3498         * stress/big-int-bitwise-or-memory-stress.js: Added.
3499         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3500         * stress/big-int-bitwise-or-type-error.js: Added.
3501         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3502
3503 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3504
3505         Skip test on systems with limited memory
3506         https://bugs.webkit.org/show_bug.cgi?id=190310
3507
3508         Invoking runDefault adds test to runlist, skipping the test in the next
3509         line does not prevent the test from executing. Change order of lines such
3510         that runDefault is only executed if test is not executed.
3511
3512         Reviewed by Mark Lam.
3513
3514         * stress/regress-190187.js:
3515
3516 2018-10-03  Saam barati  <sbarati@apple.com>
3517
3518         lowXYZ in FTLLower should always filter the type of the incoming edge
3519         https://bugs.webkit.org/show_bug.cgi?id=189939
3520         <rdar://problem/44407030>
3521
3522         Reviewed by Michael Saboff.
3523
3524         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3525         (foo):
3526         (test):
3527
3528 2018-10-03  Mark Lam  <mark.lam@apple.com>
3529
3530         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3531         https://bugs.webkit.org/show_bug.cgi?id=190187
3532         <rdar://problem/42512909>
3533
3534         Reviewed by Michael Saboff.
3535
3536         * stress/regress-190187.js: Added.
3537
3538 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3539
3540         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3541         https://bugs.webkit.org/show_bug.cgi?id=190033
3542
3543         Reviewed by Yusuke Suzuki.
3544
3545         * stress/big-int-to-string.js:
3546
3547 2018-10-01  Mark Lam  <mark.lam@apple.com>
3548
3549         Function.toString() should also copy the source code of Functions that are class definitions.
3550         https://bugs.webkit.org/show_bug.cgi?id=190186
3551         <rdar://problem/44733360>
3552
3553         Reviewed by Saam Barati.
3554
3555         * stress/regress-190186.js: Added.
3556
3557 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3558
3559         Split NaN-check into separate test
3560         https://bugs.webkit.org/show_bug.cgi?id=190010
3561
3562         Reviewed by Saam Barati.
3563
3564         DataView exposes NaN-representation, which is not necessarily the same on each
3565         architecture. Therefore move the check of the NaN-representation into its own
3566         file such that we can disable this test on MIPS where NaN-representation can be
3567         different on older CPUs.
3568
3569         * stress/dataview-jit-set-nan.js: Added.
3570         (assert):
3571         (test.storeLittleEndian):
3572         (test.storeBigEndian):
3573         (test.store):
3574         (test):
3575         * stress/dataview-jit-set.js:
3576         (test5):
3577
3578 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3579
3580         Unreviewed, rolling out r236647.
3581         https://bugs.webkit.org/show_bug.cgi?id=190124
3582
3583         Breaking test stress/big-int-to-string.js (Requested by
3584         caiolima_ on #webkit).
3585
3586         Reverted changeset:
3587
3588         "[BigInt] BigInt.prototype.toString is broken when radix is
3589         power of 2"
3590         https://bugs.webkit.org/show_bug.cgi?id=190033
3591         https://trac.webkit.org/changeset/236647
3592
3593 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3594
3595         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3596         https://bugs.webkit.org/show_bug.cgi?id=190033
3597
3598         Reviewed by Yusuke Suzuki.
3599
3600         * stress/big-int-to-string.js:
3601
3602 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3603
3604         [ESNext][BigInt] Implement support for "&"
3605         https://bugs.webkit.org/show_bug.cgi?id=186228
3606
3607         Reviewed by Yusuke Suzuki.
3608
3609         * stress/big-int-bitwise-and-general.js: Added.
3610         (assert):
3611         (assert.sameValue):
3612         * stress/big-int-bitwise-and-jit.js: Added.
3613         (let.assert.sameValue):
3614         (bigIntBitAnd):
3615         * stress/big-int-bitwise-and-memory-stress.js: Added.
3616         (assert):
3617         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3618         (assert.sameValue):
3619         (let.o.Symbol.toPrimitive):
3620         (catch):
3621         * stress/big-int-bitwise-and-type-error.js: Added.
3622         (assert):
3623         (assertThrowTypeError):
3624         (let.o.valueOf):
3625         (o.valueOf):
3626         (o.toString):
3627         (o.Symbol.toPrimitive):
3628         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3629         (assert.sameValue):
3630         (testBitAnd):
3631         (let.o.Symbol.toPrimitive):
3632         (o.valueOf):
3633         (o.toString):
3634
3635 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3636
3637         JSC test stress/jsc-read.js doesn't support CRLF
3638         https://bugs.webkit.org/show_bug.cgi?id=190063
3639
3640         Reviewed by Yusuke Suzuki.
3641
3642         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3643
3644         * stress/jsc-read.js:
3645         (test):
3646
3647 2018-09-27  Saam barati  <sbarati@apple.com>
3648
3649         Verify the contents of AssemblerBuffer on arm64e
3650         https://bugs.webkit.org/show_bug.cgi?id=190057
3651         <rdar://problem/38916630>
3652
3653         Reviewed by Mark Lam.
3654
3655         * stress/regress-189132.js:
3656
3657 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3658
3659         Disable test without LLInt on ARMv7
3660         https://bugs.webkit.org/show_bug.cgi?id=190037
3661
3662         Reviewed by Mark Lam.
3663
3664         Test runs out of executable memory on ARMv7, do not run
3665         this test without LLInt enabled.
3666
3667         * stress/regress-169445.js:
3668
3669 2018-09-26  Keith Miller  <keith_miller@apple.com>
3670
3671         We should zero unused property storage when rebalancing array storage.
3672         https://bugs.webkit.org/show_bug.cgi?id=188151
3673
3674         Reviewed by Michael Saboff.
3675
3676         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3677
3678 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3679
3680         [JSC] Optimize Array#lastIndexOf
3681         https://bugs.webkit.org/show_bug.cgi?id=189780
3682
3683         Reviewed by Saam Barati.
3684
3685         * stress/array-lastindexof-array-prototype-trap.js: Added.
3686         (shouldBe):
3687         (AncestorArray.prototype.get 2):
3688         (AncestorArray):
3689         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3690         (shouldBe):
3691         * stress/array-lastindexof-hole-nan.js: Added.
3692         (shouldBe):
3693         (throw.new.Error):
3694         * stress/array-lastindexof-infinity.js: Added.
3695         (shouldBe):
3696         (throw.new.Error):
3697         * stress/array-lastindexof-negative-zero.js: Added.
3698         (shouldBe):
3699         (throw.new.Error):
3700         * stress/array-lastindexof-own-getter.js: Added.
3701         (shouldBe):
3702         (throw.new.Error.get array):
3703         (get array):
3704         * stress/array-lastindexof-prototype-trap.js: Added.
3705         (shouldBe):
3706         (DerivedArray.prototype.get 2):
3707         (DerivedArray):
3708
3709 2018-09-25  Saam Barati  <sbarati@apple.com>
3710
3711         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3712         https://bugs.webkit.org/show_bug.cgi?id=189940
3713         <rdar://problem/43640987>
3714
3715         Reviewed by Mark Lam.
3716
3717         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3718
3719 2018-09-24  Saam Barati  <sbarati@apple.com>
3720
3721         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3722         https://bugs.webkit.org/show_bug.cgi?id=189922
3723         <rdar://problem/44651275>
3724
3725         Reviewed by Mark Lam.
3726
3727         * stress/array-indexof-fast-path-effects.js: Added.
3728         * stress/array-indexof-cached-length.js: Added.
3729
3730 2018-09-24  Saam barati  <sbarati@apple.com>
3731
3732         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3733         https://bugs.webkit.org/show_bug.cgi?id=189682
3734         <rdar://problem/43557315>
3735
3736         Reviewed by Mark Lam.
3737
3738         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3739         (foo):
3740
3741 2018-09-22  Saam barati  <sbarati@apple.com>
3742
3743         The sampling should not use Strong<CodeBlock> in its machineLocation field
3744         https://bugs.webkit.org/show_bug.cgi?id=189319
3745
3746         Reviewed by Filip Pizlo.
3747
3748         * stress/sampling-profiler-richards.js: Added.
3749
3750 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3751
3752         [JSC] Optimize Array#indexOf in C++ runtime
3753         https://bugs.webkit.org/show_bug.cgi?id=189507
3754
3755         Reviewed by Saam Barati.
3756
3757         * stress/array-indexof-array-prototype-trap.js: Added.
3758         (shouldBe):
3759         (AncestorArray.prototype.get 2):
3760         (AncestorArray):
3761         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3762         (shouldBe):
3763         * stress/array-indexof-hole-nan.js: Added.
3764         (shouldBe):
3765         (throw.new.Error):
3766         * stress/array-indexof-infinity.js: Added.
3767         (shouldBe):
3768         (throw.new.Error):
3769         * stress/array-indexof-negative-zero.js: Added.
3770         (shouldBe):
3771         (throw.new.Error):
3772         * stress/array-indexof-own-getter.js: Added.
3773         (shouldBe):
3774         (throw.new.Error.get array):
3775         (get array):
3776         * stress/array-indexof-prototype-trap.js: Added.
3777         (shouldBe):
3778         (DerivedArray.prototype.get 2):
3779         (DerivedArray):
3780
3781 2018-09-19  Saam barati  <sbarati@apple.com>
3782
3783         AI rule for MultiPutByOffset executes its effects in the wrong order
3784         https://bugs.webkit.org/show_bug.cgi?id=189757
3785         <rdar://problem/43535257>