Web Inspector: Debugger: deleting a special breakpoint should disable it
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
2
3         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
4         https://bugs.webkit.org/show_bug.cgi?id=196880
5
6         Reviewed by Yusuke Suzuki.
7
8         * stress/bytecode-cache-syntax-error.js: Added.
9         (catch):
10
11 2019-04-12  Saam barati  <sbarati@apple.com>
12
13         r244079 logically broke shouldSpeculateInt52
14         https://bugs.webkit.org/show_bug.cgi?id=196884
15
16         Reviewed by Yusuke Suzuki.
17
18         * microbenchmarks/int52-rand-function.js: Added.
19         (Math.random):
20
21 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
22
23         [JSC] op_has_indexed_property should not assume subscript part is Uint32
24         https://bugs.webkit.org/show_bug.cgi?id=196850
25
26         Reviewed by Saam Barati.
27
28         * stress/has-indexed-property-should-accept-non-int32.js: Added.
29         (foo):
30
31 2019-04-11  Saam barati  <sbarati@apple.com>
32
33         Remove invalid assertion in operationInstanceOfCustom
34         https://bugs.webkit.org/show_bug.cgi?id=196842
35         <rdar://problem/49725493>
36
37         Reviewed by Michael Saboff.
38
39         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
40
41 2019-04-10  Saam Barati  <sbarati@apple.com>
42
43         AbstractValue::validateOSREntryValue is wrong for Int52 constants
44         https://bugs.webkit.org/show_bug.cgi?id=196801
45         <rdar://problem/49771122>
46
47         Reviewed by Yusuke Suzuki.
48
49         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
50
51 2019-04-10  Robin Morisset  <rmorisset@apple.com>
52
53         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
54         https://bugs.webkit.org/show_bug.cgi?id=196746
55
56         Reviewed by Yusuke Suzuki.
57
58         * stress/cyclic-define-properties.js: Added.
59         (foo):
60
61 2019-04-09  Saam barati  <sbarati@apple.com>
62
63         Clean up Int52 code and some bugs in it
64         https://bugs.webkit.org/show_bug.cgi?id=196639
65         <rdar://problem/49515757>
66
67         Reviewed by Yusuke Suzuki.
68
69         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
70
71 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
72
73         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
74         https://bugs.webkit.org/show_bug.cgi?id=196708
75         <rdar://problem/49556803>
76
77         Reviewed by Yusuke Suzuki.
78
79         * stress/proxy-getter-stack-overflow.js: Added.
80         (const.handler.get target):
81         (const.handler.has):
82         (try.with):
83         (catch):
84
85 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
86
87         [JSC] DFG should respect node's strict flag
88         https://bugs.webkit.org/show_bug.cgi?id=196617
89
90         Reviewed by Saam Barati.
91
92         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
93         (shouldEqual):
94         (makeUnwriteableUnconfigurableObject):
95         (runTest):
96         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
97         (shouldBe):
98         (shouldThrow):
99         (with.result):
100         (with.putValueStrict):
101         (with.putValueSloppy):
102
103 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
104
105         [JSC] isRope jump in StringSlice should not jump over register allocations
106         https://bugs.webkit.org/show_bug.cgi?id=196716
107
108         Reviewed by Saam Barati.
109
110         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
111         (foo.bar):
112         (foo):
113
114 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
115
116         [JSC] to_index_string should not assume incoming value is Uint32
117         https://bugs.webkit.org/show_bug.cgi?id=196713
118
119         Reviewed by Saam Barati.
120
121         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
122         (foo):
123
124 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
125
126         [JSC] Add more tests for r243966
127         https://bugs.webkit.org/show_bug.cgi?id=196711
128
129         Reviewed by Saam Barati.
130
131         Adding one more test for r243966 fix. The added test will not crash after r243966.
132
133         * stress/stress-cleared-calllinkinfo.js: Added.
134         (runNearStackLimit.t):
135         (runNearStackLimit):
136         (repeat):
137         (cls):
138         (let.item.of.array.runNearStackLimit):
139
140 2019-04-08  Saam Barati  <sbarati@apple.com>
141
142         WebAssembly.RuntimeError missing exception check
143         https://bugs.webkit.org/show_bug.cgi?id=196700
144         <rdar://problem/49693932>
145
146         Reviewed by Yusuke Suzuki.
147
148         * wasm/js-api/runtime-error-should-exception-check.js: Added.
149
150 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
151
152         Unreviewed, rolling in r243948 with test fix
153         https://bugs.webkit.org/show_bug.cgi?id=196486
154
155         * stress/arrow-function-and-use-strict-directive.js: Added.
156         * stress/arrow-function-syntax.js: Added.
157         (checkSyntax):
158         (checkSyntaxError):
159
160 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
161
162         Unreviewed, rolling out r243948.
163
164         Caused inspector/runtime/parse.html to fail
165
166         Reverted changeset:
167
168         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
169         https://bugs.webkit.org/show_bug.cgi?id=196486
170         https://trac.webkit.org/changeset/243948
171
172 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
173
174         Unreviewed, rolling out r243943.
175
176         Caused test262 failures.
177
178         Reverted changeset:
179
180         "[JSC] Filter DontEnum properties in
181         ProxyObject::getOwnPropertyNames()"
182         https://bugs.webkit.org/show_bug.cgi?id=176810
183         https://trac.webkit.org/changeset/243943
184
185 2019-04-07  Michael Saboff  <msaboff@apple.com>
186
187         REGRESSION (r243642): Crash in reddit.com page
188         https://bugs.webkit.org/show_bug.cgi?id=196684
189
190         Reviewed by Geoffrey Garen.
191
192         New regression test.
193
194         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
195
196 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
197
198         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
199         https://bugs.webkit.org/show_bug.cgi?id=196683
200
201         Reviewed by Saam Barati.
202
203         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
204         (foo):
205
206 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
207
208         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
209         https://bugs.webkit.org/show_bug.cgi?id=196582
210
211         Reviewed by Saam Barati.
212
213         * stress/add-overflow-check-with-three-same-registers.js: Added.
214         (foo):
215         (Number.prototype.valueOf):
216         (runWithNumber):
217
218 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
219
220         Unreviewed, rolling out r243665.
221
222         Caused iOS JSC tests to exit with an exception.
223
224         Reverted changeset:
225
226         "Assertion failed in JSC::createError"
227         https://bugs.webkit.org/show_bug.cgi?id=196305
228         https://trac.webkit.org/changeset/243665
229
230 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
231
232         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
233         https://bugs.webkit.org/show_bug.cgi?id=196486
234
235         Reviewed by Saam Barati.
236
237         * stress/arrow-function-and-use-strict-directive.js: Added.
238         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
239         (checkSyntax):
240         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
241
242 2019-04-05  Caitlin Potter  <caitp@igalia.com>
243
244         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
245         https://bugs.webkit.org/show_bug.cgi?id=176810
246
247         Reviewed by Saam Barati.
248
249         Add tests for the DontEnum filtering, and variations of other tests
250         take the DontEnum-filtering path.
251
252         * stress/proxy-own-keys.js:
253         (i.catch):
254         (set assert):
255         (set add):
256         (let.set new):
257         (get let):
258
259 2019-04-05  Caitlin Potter  <caitp@igalia.com>
260
261         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
262         https://bugs.webkit.org/show_bug.cgi?id=185211
263
264         Reviewed by Saam Barati.
265
266         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
267
268         This changes several assertions to expect a TypeError to be thrown (in some cases,
269         changing the expected message).
270
271         * es6/Proxy_ownKeys_duplicates.js:
272         (handler):
273         (shouldThrow):
274         (test):
275         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
276         (shouldThrow):
277         * stress/proxy-own-keys.js:
278         (i.catch):
279         (assert):
280
281 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
282
283         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
284         https://bugs.webkit.org/show_bug.cgi?id=196631
285
286         Reviewed by Saam Barati.
287
288         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
289         (assert):
290         (test):
291         (foo):
292
293 2019-04-04  Saam Barati  <sbarati@apple.com>
294
295         Unreviewed. Make the test from r243906 catch the thrown exceptions.
296
297         * stress/inferred-types-regex-matches-array.js:
298
299 2019-04-04  Saam Barati  <sbarati@apple.com>
300
301         createRegExpMatchesArray does not respect inferred types
302         https://bugs.webkit.org/show_bug.cgi?id=193287
303
304         Reviewed by Yusuke Suzuki.
305
306         This checks in the test case for 193287. This issue was discovered by
307         Samuel Groß of Google Project Zero.
308
309         * stress/inferred-types-regex-matches-array.js: Added.
310
311 2019-04-04  Saam barati  <sbarati@apple.com>
312
313         Teach Call ICs how to call Wasm
314         https://bugs.webkit.org/show_bug.cgi?id=196387
315
316         Reviewed by Filip Pizlo.
317
318         * wasm/function-tests/stack-trace.js:
319
320 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
321
322         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
323         https://bugs.webkit.org/show_bug.cgi?id=194944
324
325         Reviewed by Keith Miller.
326
327         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
328
329 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
330
331         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
332         https://bugs.webkit.org/show_bug.cgi?id=196409
333
334         Reviewed by Saam Barati.
335
336         * stress/bytecode-cache-cached-string-impl.js: Added.
337         (f):
338         (g):
339         * stress/bytecode-cache-run-string.js: Added.
340
341 2019-04-03  Robin Morisset  <rmorisset@apple.com>
342
343         B3 should use associativity to optimize expression trees
344         https://bugs.webkit.org/show_bug.cgi?id=194081
345
346         Reviewed by Filip Pizlo.
347
348         Added three microbenchmarks:
349         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
350         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
351           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
352         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
353
354         * microbenchmarks/add-tree.js: Added.
355         * microbenchmarks/bit-or-tree.js: Added.
356         * microbenchmarks/bit-xor-tree.js: Added.
357
358 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
359
360         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
361         https://bugs.webkit.org/show_bug.cgi?id=196574
362
363         Reviewed by Saam Barati.
364
365         * stress/string-index-of-exception-check.js: Added.
366         (blurType):
367         (1.forEach):
368
369 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
370
371         Assertion failed in JSC::createError
372         https://bugs.webkit.org/show_bug.cgi?id=196305
373         <rdar://problem/49387382>
374
375         Reviewed by Saam Barati.
376
377         * stress/create-error-out-of-memory-rope-string-2.js: Added.
378         (assert):
379         (catch):
380
381 2019-03-28  Saam Barati  <sbarati@apple.com>
382
383         BackwardsGraph needs to consider back edges as the backward's root successor
384         https://bugs.webkit.org/show_bug.cgi?id=195991
385
386         Reviewed by Filip Pizlo.
387
388         * stress/map-b3-licm-infinite-loop.js: Added.
389
390 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
391
392         CodeBlock::jettison() should disallow repatching its own calls
393         https://bugs.webkit.org/show_bug.cgi?id=196359
394         <rdar://problem/48973663>
395
396         Reviewed by Saam Barati.
397
398         * stress/call-link-info-osrexit-repatch.js: Added.
399         (foo):
400
401 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
402
403         [JSC] imports-oom.js intermittently fails
404         https://bugs.webkit.org/show_bug.cgi?id=196373
405
406         Reviewed by Saam Barati.
407
408         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
409         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
410         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
411         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
412         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
413
414         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
415         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
416
417         * wasm/lowExecutableMemory/imports-oom.js:
418
419 2019-03-27  Saam Barati  <sbarati@apple.com>
420
421         validateOSREntryValue with Int52 should box the value being checked into double format
422         https://bugs.webkit.org/show_bug.cgi?id=196313
423         <rdar://problem/49306703>
424
425         Reviewed by Yusuke Suzuki.
426
427         * stress/validate-int-52-ai-state.js: Added.
428
429 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
430
431         [JSC] Owner of watchpoints should validate at GC finalizing phase
432         https://bugs.webkit.org/show_bug.cgi?id=195827
433
434         Reviewed by Filip Pizlo.
435
436         * stress/gc-should-reap-dead-watchpoints.js: Added.
437         (foo):
438         (A.prototype.y):
439         (A):
440
441 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
442
443         Skip WebAssembly test on 32-bit systems
444         https://bugs.webkit.org/show_bug.cgi?id=196206
445
446         Reviewed by Saam Barati.
447
448         Invoking runDefault executes test immediately even though
449         that test should be skipped due to missing WASM support.
450         Therefore remove runDefault.
451
452         * wasm/regress/web-assembly-link-error-exception-check.js:
453
454 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
455
456         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
457         https://bugs.webkit.org/show_bug.cgi?id=196217
458
459         Reviewed by Saam Barati.
460
461         Re-enable all NaN tests for f32.min, f64.min and f64.max.
462
463         * wasm/spec-tests/f32.wast.js:
464         * wasm/spec-tests/f64.wast.js:
465         * wasm/wasm.json:
466
467 2019-03-25  Keith Miller  <keith_miller@apple.com>
468
469         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
470         https://bugs.webkit.org/show_bug.cgi?id=196176
471
472         Reviewed by Saam Barati.
473
474         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
475         (main.v10):
476         (main):
477
478 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
479
480         WebAssembly: f32.max with NaN generates incorrect result
481         https://bugs.webkit.org/show_bug.cgi?id=175691
482         <rdar://problem/33952228>
483
484         Reviewed by Saam Barati.
485
486         Enable all f32.max NaN tests
487
488         * wasm/spec-tests/f32.wast.js:
489         * wasm/wasm.json:
490
491 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
492
493         [JSC] Move test into directory for WASM tests
494         https://bugs.webkit.org/show_bug.cgi?id=196187
495
496         Reviewed by Mark Lam.
497
498         Move Test into wasm-directory. Otherwise this test
499         is also executed on systems without WASM support.
500
501         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
502
503 2019-03-23  Mark Lam  <mark.lam@apple.com>
504
505         Rolling out r243032 and r243071 because the fix is incorrect.
506         https://bugs.webkit.org/show_bug.cgi?id=195892
507         <rdar://problem/48981239>
508
509         Not reviewed.
510
511         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
512
513 2019-03-22  Mark Lam  <mark.lam@apple.com>
514
515         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
516         https://bugs.webkit.org/show_bug.cgi?id=196154
517         <rdar://problem/49145307>
518
519         Reviewed by Filip Pizlo.
520
521         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
522         There's no need to run this test on more than 1 test configuration.
523
524         * stress/typed-array-lastIndexOf-exception-check.js: Added.
525         * stress/web-assembly-link-error-exception-check.js:
526
527 2019-03-22  Mark Lam  <mark.lam@apple.com>
528
529         Placate exception check validation in constructJSWebAssemblyLinkError().
530         https://bugs.webkit.org/show_bug.cgi?id=196152
531         <rdar://problem/49145257>
532
533         Reviewed by Michael Saboff.
534
535         * stress/web-assembly-link-error-exception-check.js: Added.
536
537 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
538
539         Skip tests running out of memory on ARM/MIPS
540         https://bugs.webkit.org/show_bug.cgi?id=196131
541
542         Unreviewed. Skip test if memory is limited.
543
544         * microbenchmarks/put-by-val-direct-large-index.js:
545
546 2019-03-21  Mark Lam  <mark.lam@apple.com>
547
548         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
549         https://bugs.webkit.org/show_bug.cgi?id=196116
550         <rdar://problem/48976951>
551
552         Reviewed by Filip Pizlo.
553
554         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
555
556 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
557
558         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
559         https://bugs.webkit.org/show_bug.cgi?id=196078
560         <rdar://problem/35925380>
561
562         Reviewed by Mark Lam.
563
564         Add a new benchmark that allocates several objects and invokes put_by_val_direct
565         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
566
567         * microbenchmarks/put-by-val-direct-large-index.js: Added.
568
569 2019-03-21  Mark Lam  <mark.lam@apple.com>
570
571         Placate exception check validation in operationArrayIndexOfString().
572         https://bugs.webkit.org/show_bug.cgi?id=196067
573         <rdar://problem/49056572>
574
575         Reviewed by Michael Saboff.
576
577         * stress/string-equal-exception-check.js: Added.
578
579 2019-03-21  Mark Lam  <mark.lam@apple.com>
580
581         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
582         https://bugs.webkit.org/show_bug.cgi?id=196055
583         <rdar://problem/49067448>
584
585         Reviewed by Yusuke Suzuki.
586
587         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
588
589 2019-03-20  Saam Barati  <sbarati@apple.com>
590
591         typeOfDoubleSum is wrong for when NaN can be produced
592         https://bugs.webkit.org/show_bug.cgi?id=196030
593
594         Reviewed by Filip Pizlo.
595
596         * stress/double-add-sub-mul-can-produce-nan.js: Added.
597         (assert):
598         (noInline.sub):
599         (noInline):
600         (assert.mul):
601         (assert.add):
602
603 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
604
605         Update the test to ensure OutOfMemoryError is thrown as intended
606         https://bugs.webkit.org/show_bug.cgi?id=196032
607         <rdar://problem/46842740>
608
609         Rubber stamped by Saam Barati.
610
611         * stress/create-error-out-of-memory-rope-string.js:
612         (assert):
613         (catch):
614
615 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
616
617         JSC::createError needs to check for OOM in errorDescriptionForValue
618         https://bugs.webkit.org/show_bug.cgi?id=196032
619         <rdar://problem/46842740>
620
621         Reviewed by Mark Lam.
622
623         * stress/create-error-out-of-memory-rope-string.js: Added.
624
625 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
626
627         Unreviewed, reduce # of iterations to avoid timing out after r242991
628         https://bugs.webkit.org/show_bug.cgi?id=195791
629
630         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
631
632         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
633
634 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
635
636         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
637         https://bugs.webkit.org/show_bug.cgi?id=195950
638
639         Unreviewed, reducing the amount of memory used on this test to avoid
640         OOM on devices with memory restrictions.
641
642         * microbenchmarks/generate-multiple-llint-entrypoints.js:
643
644 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
645
646         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
647         https://bugs.webkit.org/show_bug.cgi?id=194648
648
649         Reviewed by Keith Miller.
650
651         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
652
653 2019-03-18  Mark Lam  <mark.lam@apple.com>
654
655         Missing a ThrowScope release in JSObject::toString().
656         https://bugs.webkit.org/show_bug.cgi?id=195893
657         <rdar://problem/48970986>
658
659         Reviewed by Michael Saboff.
660
661         * stress/to-string-exception-check-release.js: Added.
662
663 2019-03-18  Mark Lam  <mark.lam@apple.com>
664
665         Structure::flattenDictionary() should clear unused property slots.
666         https://bugs.webkit.org/show_bug.cgi?id=195871
667         <rdar://problem/48959497>
668
669         Reviewed by Michael Saboff.
670
671         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
672
673 2019-03-15  Mark Lam  <mark.lam@apple.com>
674
675         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
676         https://bugs.webkit.org/show_bug.cgi?id=195827
677         <rdar://problem/48845513>
678
679         Reviewed by Filip Pizlo.
680
681         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
682
683 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
684
685         [ARM,MIPS] Skip slow tests
686         https://bugs.webkit.org/show_bug.cgi?id=195799
687
688         Unreviewed, test does not finish on ARM and MIPS within the
689         timeout limit.
690
691         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
692
693 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
694
695         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
696         https://bugs.webkit.org/show_bug.cgi?id=195791
697         <rdar://problem/48806130>
698
699         Reviewed by Mark Lam.
700
701         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
702         (foo):
703
704 2019-03-14  Saam barati  <sbarati@apple.com>
705
706         We can't remove code after ForceOSRExit until after FixupPhase
707         https://bugs.webkit.org/show_bug.cgi?id=186916
708         <rdar://problem/41396612>
709
710         Reviewed by Yusuke Suzuki.
711
712         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
713         (foo):
714         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
715         (foo):
716
717 2019-03-13  Michael Saboff  <msaboff@apple.com>
718
719         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
720         https://bugs.webkit.org/show_bug.cgi?id=195735
721
722         Reviewed by Mark Lam.
723
724         New regression test.
725
726         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
727         (foo):
728         (bar):
729
730 2019-03-14  Saam barati  <sbarati@apple.com>
731
732         Fixup uses KnownInt32 incorrectly in some nodes
733         https://bugs.webkit.org/show_bug.cgi?id=195279
734         <rdar://problem/47915654>
735
736         Reviewed by Yusuke Suzuki.
737
738         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
739         (foo):
740
741 2019-03-14  Keith Miller  <keith_miller@apple.com>
742
743         DFG liveness can't skip tail caller inline frames
744         https://bugs.webkit.org/show_bug.cgi?id=195715
745
746         Reviewed by Saam Barati.
747
748         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
749         (i.foo):
750
751 2019-03-13  Mark Lam  <mark.lam@apple.com>
752
753         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
754         https://bugs.webkit.org/show_bug.cgi?id=195415
755
756         Not reviewed.
757
758         Changed these tests to only run the default configuration.
759         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
760         There's no strong need to run this test on that variant.
761
762         * stress/dfg-to-string-on-int-does-gc.js:
763         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
764
765 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
766
767         String overflow when using StringBuilder in JSC::createError
768         https://bugs.webkit.org/show_bug.cgi?id=194957
769
770         Reviewed by Mark Lam.
771
772         Add test string-overflow-createError-builder.js that overflows
773         StringBuilder in notAFunctionSourceAppender. The second new test
774         string-overflow-createError-fit.js has an error message that doesn't
775         overflow, it still failed since the String's capacity can't be doubled.
776         Run test string-overflow-createError.js only in the default
777         configuration to reduce memory consumption when running the test
778         in all configurations on multiple CPUs in parallel.
779
780         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
781         (catch):
782         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
783         (catch):
784         * stress/string-overflow-createError.js:
785
786 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
787
788         [JSC] OSR entry should respect abstract values in addition to flush formats
789         https://bugs.webkit.org/show_bug.cgi?id=195653
790
791         Reviewed by Mark Lam.
792
793         * stress/osr-entry-locals-none.js: Added.
794
795 2019-03-12  Michael Saboff  <msaboff@apple.com>
796
797         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
798         https://bugs.webkit.org/show_bug.cgi?id=195613
799
800         Reviewed by Mark Lam.
801
802         New regression test.
803
804         * stress/regexp-backref-inbounds.js: Added.
805         (testRegExp):
806
807 2019-03-12  Mark Lam  <mark.lam@apple.com>
808
809         The HasIndexedProperty node does GC.
810         https://bugs.webkit.org/show_bug.cgi?id=195559
811         <rdar://problem/48767923>
812
813         Reviewed by Yusuke Suzuki.
814
815         * stress/HasIndexedProperty-does-gc.js: Added.
816
817 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
818
819         [ESNext][BigInt] Implement "~" unary operation
820         https://bugs.webkit.org/show_bug.cgi?id=182216
821
822         Reviewed by Keith Miller.
823
824         * stress/big-int-bit-not-general.js: Added.
825         * stress/big-int-bitwise-not-jit.js: Added.
826         * stress/big-int-bitwise-not-wrapped-value.js: Added.
827         * stress/bit-op-with-object-returning-int32.js:
828         * stress/bitwise-not-fixup-rules.js: Added.
829         * stress/value-bit-not-ai-rule.js: Added.
830
831 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
832
833         Invalid flags in a RegExp literal should be an early SyntaxError
834         https://bugs.webkit.org/show_bug.cgi?id=195514
835
836         Reviewed by Darin Adler.
837
838         * test262/expectations.yaml:
839         Mark 4 test cases as passing.
840
841         * stress/regexp-syntax-error-invalid-flags.js:
842         * stress/regress-161995.js: Removed.
843         Update existing test, merging in an older test for the same behavior.
844
845 2019-03-08  Mark Lam  <mark.lam@apple.com>
846
847         Stack overflow crash in JSC::JSObject::hasInstance.
848         https://bugs.webkit.org/show_bug.cgi?id=195458
849         <rdar://problem/48710195>
850
851         Reviewed by Yusuke Suzuki.
852
853         * stress/stack-overflow-in-custom-hasInstance.js: Added.
854
855 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
856
857         op_check_tdz does not def its argument
858         https://bugs.webkit.org/show_bug.cgi?id=192880
859         <rdar://problem/46221598>
860
861         Reviewed by Saam Barati.
862
863         * microbenchmarks/let-for-in.js: Added.
864         (foo):
865
866 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
867
868         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
869         https://bugs.webkit.org/show_bug.cgi?id=195429
870
871         Reviewed by Saam Barati.
872
873         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
874         (foo):
875         * stress/string-from-char-code-255.js: Added.
876
877 2019-03-06  Mark Lam  <mark.lam@apple.com>
878
879         Fix incorrect handling of try-finally completion values.
880         https://bugs.webkit.org/show_bug.cgi?id=195131
881         <rdar://problem/46222079>
882
883         Reviewed by Saam Barati and Yusuke Suzuki.
884
885         Added many permutations of new test case to test-finally.js.  test-finally.js has
886         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
887         tests pass there as well.
888
889         * stress/test-finally.js:
890
891 2019-03-06  Saam Barati  <sbarati@apple.com>
892
893         Air::reportUsedRegisters must padInterference
894         https://bugs.webkit.org/show_bug.cgi?id=195303
895         <rdar://problem/48270343>
896
897         Reviewed by Keith Miller.
898
899         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
900
901 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
902
903         [JSC] AI should not propagate AbstractValue relying on constant folding phase
904         https://bugs.webkit.org/show_bug.cgi?id=195375
905
906         Reviewed by Saam Barati.
907
908         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
909         (let.array):
910
911 2019-03-05  Saam barati  <sbarati@apple.com>
912
913         op_switch_char broken for rope strings after JSRopeString layout rewrite
914         https://bugs.webkit.org/show_bug.cgi?id=195339
915         <rdar://problem/48592545>
916
917         Reviewed by Yusuke Suzuki.
918
919         * stress/switch-on-char-llint-rope.js: Added.
920
921 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
922
923         [JSC] Store bits for JSRopeString in 3 stores
924         https://bugs.webkit.org/show_bug.cgi?id=195234
925
926         Reviewed by Saam Barati.
927
928         * stress/null-rope-and-collectors.js: Added.
929
930 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
931
932         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
933         https://bugs.webkit.org/show_bug.cgi?id=195207
934
935         Unreviewed. After test runtime was reduced in r242213, test can be
936         run again on ARM/MIPS.
937
938         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
939
940 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
941
942         [JSC] sizeof(JSString) should be 16
943         https://bugs.webkit.org/show_bug.cgi?id=194375
944
945         Reviewed by Saam Barati.
946
947         * microbenchmarks/make-rope.js: Added.
948         (makeRope):
949         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
950         (returnRope.helper): Deleted.
951         (returnRope): Deleted.
952
953 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
954
955         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
956         https://bugs.webkit.org/show_bug.cgi?id=195144
957
958         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
959         Change the number from 1e8 to 1e5.
960
961         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
962         (foo):
963
964 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
965
966         Test times out on ARM/MIPS
967         https://bugs.webkit.org/show_bug.cgi?id=195168
968
969         Unreviewed. Skip test on ARM/MIPS.
970
971         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
972
973 2019-02-27  Mark Lam  <mark.lam@apple.com>
974
975         The parser is failing to record the token location of new in new.target.
976         https://bugs.webkit.org/show_bug.cgi?id=195127
977         <rdar://problem/39645578>
978
979         Reviewed by Yusuke Suzuki.
980
981         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
982
983 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
984
985         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
986         https://bugs.webkit.org/show_bug.cgi?id=195144
987         <rdar://problem/47595961>
988
989         Reviewed by Mark Lam.
990
991         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
992         (bar):
993         (foo):
994         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
995         (bar):
996         (foo):
997
998 2019-02-27  Robin Morisset  <rmorisset@apple.com>
999
1000         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1001         https://bugs.webkit.org/show_bug.cgi?id=194945
1002         <rdar://problem/48311657>
1003
1004         Reviewed by Mark Lam.
1005
1006         * stress/licm-dead-code.js: Added.
1007
1008 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1009
1010         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1011         https://bugs.webkit.org/show_bug.cgi?id=194677
1012         <rdar://problem/48112492>
1013
1014         Reviewed by Mark Lam.
1015
1016         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1017         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1018         it immediately fails due to the large size.
1019
1020         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1021         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1022         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
1023         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1024
1025         This patch changes the test to produce 16bit string from String.fromCharCode.
1026
1027         * stress/regress-178386.js:
1028
1029 2019-02-26  Mark Lam  <mark.lam@apple.com>
1030
1031         wasmToJS() should purify incoming NaNs.
1032         https://bugs.webkit.org/show_bug.cgi?id=194807
1033         <rdar://problem/48189132>
1034
1035         Reviewed by Saam Barati.
1036
1037         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1038
1039 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1040
1041         [JSC] Repeat string created from Array.prototype.join() take too much memory
1042         https://bugs.webkit.org/show_bug.cgi?id=193912
1043
1044         Reviewed by Saam Barati.
1045
1046         Added a test and a microbenchmark for corner cases of
1047         Array.prototype.join() with an uninitialized array.
1048
1049         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1050         * stress/array-prototype-join-uninitialized.js: Added.
1051         (testArray):
1052         (testABC):
1053         (B):
1054         (C):
1055
1056 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1057
1058         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1059         https://bugs.webkit.org/show_bug.cgi?id=194953
1060         <rdar://problem/47595253>
1061
1062         Reviewed by Saam Barati.
1063
1064         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1065
1066         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1067
1068 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1069
1070         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1071         https://bugs.webkit.org/show_bug.cgi?id=172848
1072         <rdar://problem/25709212>
1073
1074         Reviewed by Mark Lam.
1075
1076         * typeProfiler/inheritance.js:
1077         Rewrite the test slightly for clarity. The hoisting was confusing.
1078
1079         * heapProfiler/class-names.js: Added.
1080         (MyES5Class):
1081         (MyES6Class):
1082         (MyES6Subclass):
1083         Test object types and improved class names.
1084
1085         * heapProfiler/driver/driver.js:
1086         (CheapHeapSnapshotNode):
1087         (CheapHeapSnapshot):
1088         (createCheapHeapSnapshot):
1089         (HeapSnapshot):
1090         (createHeapSnapshot):
1091         Update snapshot parsing from version 1 to version 2.
1092
1093 2019-02-19  Truitt Savell  <tsavell@apple.com>
1094
1095         Unreviewed, rolling out r241784.
1096
1097         Broke all OpenSource builds.
1098
1099         Reverted changeset:
1100
1101         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1102         instances view"
1103         https://bugs.webkit.org/show_bug.cgi?id=172848
1104         https://trac.webkit.org/changeset/241784
1105
1106 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1107
1108         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1109         https://bugs.webkit.org/show_bug.cgi?id=172848
1110         <rdar://problem/25709212>
1111
1112         Reviewed by Mark Lam.
1113
1114         * typeProfiler/inheritance.js:
1115         Rewrite the test slightly for clarity. The hoisting was confusing.
1116
1117         * heapProfiler/class-names.js: Added.
1118         (MyES5Class):
1119         (MyES6Class):
1120         (MyES6Subclass):
1121         Test object types and improved class names.
1122
1123         * heapProfiler/driver/driver.js:
1124         (CheapHeapSnapshotNode):
1125         (CheapHeapSnapshot):
1126         (createCheapHeapSnapshot):
1127         (HeapSnapshot):
1128         (createHeapSnapshot):
1129         Update snapshot parsing from version 1 to version 2.
1130
1131 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1132
1133         [ARM] Fix crash with sampling profiler
1134         https://bugs.webkit.org/show_bug.cgi?id=194772
1135
1136         Reviewed by Mark Lam.
1137
1138         Do not skip test since crash with sampling profiler is now fixed.
1139
1140         * stress/sampling-profiler-richards.js:
1141
1142 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1143
1144         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1145         https://bugs.webkit.org/show_bug.cgi?id=194784
1146         <rdar://problem/48154820>
1147
1148         Reviewed by Mark Lam.
1149
1150         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1151         (getProperties):
1152         (getRandomProperty):
1153         (i.catch):
1154
1155 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1156
1157         [ARM] Test gardening: Test running out of executable memory
1158         https://bugs.webkit.org/show_bug.cgi?id=194771
1159
1160         Unreviewed. Do not run test without LLInt, test is running out of executable
1161         memory on ARM otherwise.
1162
1163         * stress/tagged-template-object-collect.js:
1164
1165 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1166
1167         Unreviewed, skip the test on platforms without sampling profiler
1168
1169         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1170         (platformSupportsSamplingProfiler.foo):
1171         (platformSupportsSamplingProfiler.test):
1172         (platformSupportsSamplingProfiler):
1173         (foo): Deleted.
1174         (test): Deleted.
1175
1176 2019-02-17  Saam Barati  <sbarati@apple.com>
1177
1178         Deadlock when adding a Structure property transition and then doing incremental marking
1179         https://bugs.webkit.org/show_bug.cgi?id=194767
1180
1181         Reviewed by Mark Lam.
1182
1183         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1184
1185 2019-02-15  Michael Saboff  <msaboff@apple.com>
1186
1187         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1188         https://bugs.webkit.org/show_bug.cgi?id=194558
1189
1190         Reviewed by Saam Barati.
1191
1192         New regression test.
1193
1194         * stress/regexp-unicode-within-string.js: Added.
1195
1196 2019-02-15  Mark Lam  <mark.lam@apple.com>
1197
1198         SamplingProfiler::stackTracesAsJSON() should escape strings.
1199         https://bugs.webkit.org/show_bug.cgi?id=194649
1200         <rdar://problem/48072386>
1201
1202         Reviewed by Saam Barati.
1203
1204         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1205         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1206         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1207         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1208
1209 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1210         CodeBlock::jettison should clear related watchpoints
1211         https://bugs.webkit.org/show_bug.cgi?id=194544
1212
1213         Reviewed by Mark Lam.
1214
1215         * stress/regexp-replace-double-watchpoint.js: Added.
1216         (foo):
1217
1218 2019-02-15  Saam barati  <sbarati@apple.com>
1219
1220         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1221         https://bugs.webkit.org/show_bug.cgi?id=194036
1222
1223         Reviewed by Yusuke Suzuki.
1224
1225         * stress/tail-call-many-arguments.js: Added.
1226         (foo):
1227         (bar):
1228
1229 2019-02-14  Saam Barati  <sbarati@apple.com>
1230
1231         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1232         https://bugs.webkit.org/show_bug.cgi?id=194583
1233         <rdar://problem/48028140>
1234
1235         Reviewed by Yusuke Suzuki.
1236
1237         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1238
1239 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1240
1241         [JSC] String.fromCharCode's slow path always generates 16bit string
1242         https://bugs.webkit.org/show_bug.cgi?id=194466
1243
1244         Reviewed by Keith Miller.
1245
1246         * stress/string-from-char-code-slow-path.js: Added.
1247         (shouldBe):
1248         (testWithLength):
1249
1250 2019-02-08  Saam barati  <sbarati@apple.com>
1251
1252         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1253         https://bugs.webkit.org/show_bug.cgi?id=194334
1254         <rdar://problem/47844327>
1255
1256         Reviewed by Mark Lam.
1257
1258         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1259         (func):
1260
1261 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1262
1263         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1264         https://bugs.webkit.org/show_bug.cgi?id=194369
1265         <rdar://problem/47813087>
1266
1267         Reviewed by Saam Barati.
1268
1269         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1270         (A):
1271
1272 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1273
1274         [JSC] PrivateName to PublicName hash table is wasteful
1275         https://bugs.webkit.org/show_bug.cgi?id=194277
1276
1277         Reviewed by Michael Saboff.
1278
1279         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1280
1281         * ChakraCore.yaml:
1282
1283 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1284
1285         [ARM] Test running out of executable memory
1286         https://bugs.webkit.org/show_bug.cgi?id=194285
1287
1288         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1289         executable memory otherwise.
1290
1291         * stress/class-subclassing-function.js:
1292
1293 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1294
1295         when lowering AssertNotEmpty, create the value before creating the patchpoint
1296         https://bugs.webkit.org/show_bug.cgi?id=194231
1297
1298         Reviewed by Saam Barati.
1299
1300         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1301         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1302         So even tiny changes to this test can change the path code taken.
1303
1304         * stress/assert-not-empty.js: Added.
1305         (foo):
1306
1307 2019-02-01  Mark Lam  <mark.lam@apple.com>
1308
1309         Remove invalid assertion in DFG's compileDoubleRep().
1310         https://bugs.webkit.org/show_bug.cgi?id=194130
1311         <rdar://problem/47699474>
1312
1313         Reviewed by Saam Barati.
1314
1315         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1316
1317 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1318
1319         Import latest Test262 updates.
1320
1321         Rubber-stamped by Keith Miller.
1322
1323         * test262.yaml: Deleted.
1324         * test262/config.yaml:
1325         * test262/expectations.yaml:
1326         * test262/latest-changes-summary.txt:
1327         * test262/test/:
1328         * test262/test262-Revision.txt:
1329
1330 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1331
1332         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1333         https://bugs.webkit.org/show_bug.cgi?id=194050
1334         <rdar://problem/47595592>
1335
1336         Reviewed by Yusuke Suzuki.
1337
1338         * stress/object-keys-osr-exit.js: Added.
1339         (foo):
1340         (catch):
1341
1342 2019-01-29  Mark Lam  <mark.lam@apple.com>
1343
1344         ValueRecovery::recover() should purify NaN values it recovers.
1345         https://bugs.webkit.org/show_bug.cgi?id=193978
1346         <rdar://problem/47625488>
1347
1348         Reviewed by Saam Barati.
1349
1350         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1351
1352 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1353
1354         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1355         https://bugs.webkit.org/show_bug.cgi?id=193713
1356
1357         * stress/try-get-by-id-should-spill-registers-dfg.js:
1358         (let.f.createBuiltin):
1359
1360 2019-01-28  Mark Lam  <mark.lam@apple.com>
1361
1362         ToString node actually does GC.
1363         https://bugs.webkit.org/show_bug.cgi?id=193920
1364         <rdar://problem/46695900>
1365
1366         Reviewed by Yusuke Suzuki.
1367
1368         * stress/dfg-to-string-on-int-does-gc.js: Added.
1369         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1370         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1371
1372 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1373
1374         [JSC] NativeErrorConstructor should not have own IsoSubspace
1375         https://bugs.webkit.org/show_bug.cgi?id=193713
1376
1377         Reviewed by Saam Barati.
1378
1379         Remove @Error use.
1380
1381         * stress/try-get-by-id-should-spill-registers-dfg.js:
1382         (let.f.createBuiltin):
1383
1384 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1385
1386         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1387         https://bugs.webkit.org/show_bug.cgi?id=190693
1388
1389         Reviewed by Michael Saboff.
1390
1391         * stress/regress-190693.js: Added.
1392         (truth):
1393         (assert):
1394         (shouldThrowInvalidConstAssignment):
1395         (taz):
1396
1397 2019-01-24  Saam Barati  <sbarati@apple.com>
1398
1399         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1400         https://bugs.webkit.org/show_bug.cgi?id=193751
1401         <rdar://problem/47280215>
1402
1403         Reviewed by Michael Saboff.
1404
1405         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1406         (let.thing):
1407         (foo.let.hello):
1408         (foo):
1409
1410 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1411
1412         [JSC] Reenable baseline JIT on mips
1413         https://bugs.webkit.org/show_bug.cgi?id=192983
1414
1415         Reviewed by Mark Lam.
1416
1417         Added a new test for a case that was triggering a RELEASE_ASSERT when
1418         testing.
1419         Disable some slow tests that were already disabled for arm and x86.
1420
1421         * stress/json-parse-big-object.js: Added.
1422         * stress/new-largeish-contiguous-array-with-size.js:
1423         * stress/op_add.js:
1424         * stress/op_bitand.js:
1425         * stress/op_bitor.js:
1426         * stress/op_bitxor.js:
1427         * stress/op_lshift-ConstVar.js:
1428         * stress/op_lshift-VarConst.js:
1429         * stress/op_lshift-VarVar.js:
1430         * stress/op_mod-ConstVar.js:
1431         * stress/op_mod-VarConst.js:
1432         * stress/op_mod-VarVar.js:
1433         * stress/op_mul-ConstVar.js:
1434         * stress/op_mul-VarConst.js:
1435         * stress/op_mul-VarVar.js:
1436         * stress/op_rshift-ConstVar.js:
1437         * stress/op_rshift-VarConst.js:
1438         * stress/op_rshift-VarVar.js:
1439         * stress/op_sub-ConstVar.js:
1440         * stress/op_sub-VarConst.js:
1441         * stress/op_sub-VarVar.js:
1442         * stress/op_urshift-ConstVar.js:
1443         * stress/op_urshift-VarConst.js:
1444         * stress/op_urshift-VarVar.js:
1445         * stress/sampling-profiler-richards.js:
1446         * stress/spread-forward-call-varargs-stack-overflow.js:
1447
1448 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1449
1450         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1451         https://bugs.webkit.org/show_bug.cgi?id=193711
1452         <rdar://problem/47250262>
1453
1454         Reviewed by Saam Barati.
1455
1456         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1457         (shouldBe):
1458         (foo):
1459         (bar):
1460         (baz):
1461
1462 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1463
1464         Unreviewed, fix initial global lexical binding epoch
1465         https://bugs.webkit.org/show_bug.cgi?id=193603
1466         <rdar://problem/47380869>
1467
1468         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1469         (f1.f2.f3.f4):
1470         (f1.f2.f3):
1471         (f1.f2):
1472         (f1):
1473
1474 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1475
1476         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1477         https://bugs.webkit.org/show_bug.cgi?id=193709
1478         <rdar://problem/47363838>
1479
1480         Unreviewed, rollout to watch the tests.
1481
1482         * stress/object-tostring-changed-proto.js: Removed.
1483         * stress/object-tostring-changed.js: Removed.
1484         * stress/object-tostring-misc.js: Removed.
1485         * stress/object-tostring-other.js: Removed.
1486         * stress/object-tostring-untyped.js: Removed.
1487
1488 2019-01-22  Saam Barati  <sbarati@apple.com>
1489
1490         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1491
1492         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1493         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1494         (testUncheckedLessThanZero):
1495         (testUncheckedLessThanOrEqualZero):
1496         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1497         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1498
1499 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1500
1501         [JSC] Invalidate old scope operations using global lexical binding epoch
1502         https://bugs.webkit.org/show_bug.cgi?id=193603
1503         <rdar://problem/47380869>
1504
1505         Reviewed by Saam Barati.
1506
1507         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1508         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1509         (shouldThrow):
1510         (bar):
1511         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1512         (shouldBe):
1513         (get1):
1514         (get2):
1515         (get1If):
1516         (get2If):
1517         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1518         (shouldThrow):
1519         (foo):
1520
1521 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1522
1523         Unreviewed, roll out r240220 due to date-format-xparb regression
1524         https://bugs.webkit.org/show_bug.cgi?id=193603
1525
1526         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1527         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1528         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1529         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1530
1531 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1532
1533         DoesGC rule is wrong for nodes with BigIntUse
1534         https://bugs.webkit.org/show_bug.cgi?id=193652
1535
1536         Reviewed by Saam Barati.
1537
1538         * stress/big-int-value-op-update-gc-rules.js: Added.
1539         (assert):
1540         (doesGCAdd):
1541         (doesGCSub):
1542         (doesGCDiv):
1543         (doesGCMul):
1544         (doesGCBitAnd):
1545         (doesGCBitOr):
1546         (doesGCBitXor):
1547
1548 2019-01-20  Saam Barati  <sbarati@apple.com>
1549
1550         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1551         https://bugs.webkit.org/show_bug.cgi?id=193644
1552         <rdar://problem/46209745>
1553
1554         Reviewed by Yusuke Suzuki.
1555
1556         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1557         (foo):
1558         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1559         (foo):
1560         (bar):
1561
1562 2019-01-20  Saam Barati  <sbarati@apple.com>
1563
1564         MovHint must merge NodeBytecodeUsesAsValue for its child
1565         https://bugs.webkit.org/show_bug.cgi?id=186916
1566         <rdar://problem/41396612>
1567
1568         Reviewed by Yusuke Suzuki.
1569
1570         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1571         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1572
1573 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1574
1575         [JSC] Invalidate old scope operations using global lexical binding epoch
1576         https://bugs.webkit.org/show_bug.cgi?id=193603
1577         <rdar://problem/47380869>
1578
1579         Reviewed by Saam Barati.
1580
1581         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1582         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1583         (shouldThrow):
1584         (bar):
1585         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1586         (shouldBe):
1587         (get1):
1588         (get2):
1589         (get1If):
1590         (get2If):
1591         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1592         (shouldThrow):
1593         (foo):
1594
1595 2019-01-17  Saam barati  <sbarati@apple.com>
1596
1597         StringObjectUse should not be a structure check for the original string object structure
1598         https://bugs.webkit.org/show_bug.cgi?id=193483
1599         <rdar://problem/47280522>
1600
1601         Reviewed by Yusuke Suzuki.
1602
1603         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1604         (foo):
1605         (a.valueOf.0):
1606
1607 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1608
1609         [JSC] ToThis omission in DFGByteCodeParser is wrong
1610         https://bugs.webkit.org/show_bug.cgi?id=193513
1611         <rdar://problem/45842236>
1612
1613         Reviewed by Saam Barati.
1614
1615         * stress/to-this-omission-with-different-strict-modes.js: Added.
1616         (thisA):
1617         (thisAStrictWrapper):
1618
1619 2019-01-15  Mark Lam  <mark.lam@apple.com>
1620
1621         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1622         https://bugs.webkit.org/show_bug.cgi?id=193423
1623         <rdar://problem/46209355>
1624
1625         Reviewed by Saam Barati.
1626
1627         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1628         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1629         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1630         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1631
1632 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1633
1634         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1635         https://bugs.webkit.org/show_bug.cgi?id=193438
1636         <rdar://problem/45581249>
1637
1638         Reviewed by Saam Barati and Keith Miller.
1639
1640         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1641         Then, GetByVal(String) crashed.
1642
1643         * stress/string-get-by-val-lowering.js: Added.
1644         (shouldBe):
1645         (test):
1646         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1647         (Hello):
1648         (foo):
1649
1650 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1651
1652         Unreviewed, skip JIT tests if it's not enabled
1653
1654         * stress/bit-op-with-object-returning-int32.js:
1655
1656 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1657
1658         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1659         https://bugs.webkit.org/show_bug.cgi?id=192966
1660
1661         Reviewed by Yusuke Suzuki.
1662
1663         * stress/bit-op-with-object-returning-int32.js: Added.
1664
1665 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1666
1667         Skip a slow test and a flakey test on arm
1668
1669         Unreviewed gardening.
1670
1671         * typeProfiler/getter-richards.js:
1672         this test always times out, it used to be always skipped on arm and
1673         mips, but got accidentally enabled by r237919 now that we have DFG on
1674         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1675
1676 2019-01-14  Keith Miller  <keith_miller@apple.com>
1677
1678         Skip type-check-hoisting-phase-hoist... with no jit
1679         https://bugs.webkit.org/show_bug.cgi?id=193421
1680
1681         Reviewed by Mark Lam.
1682
1683         It's timing out the 32-bit bots and takes 330 seconds
1684         on my machine when run by itself.
1685
1686         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1687
1688 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1689
1690         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1691         https://bugs.webkit.org/show_bug.cgi?id=193413
1692         <rdar://problem/46092389>
1693
1694         Reviewed by Keith Miller.
1695
1696         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1697         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1698         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1699         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1700
1701         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1702         (compareArray):
1703
1704 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1705
1706         [BigInt] Literal parsing is crashing when used inside a Object Literal
1707         https://bugs.webkit.org/show_bug.cgi?id=193404
1708
1709         Reviewed by Yusuke Suzuki.
1710
1711         * stress/big-int-literal-inside-literal-object.js: Added.
1712
1713 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1714
1715         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1716         https://bugs.webkit.org/show_bug.cgi?id=193372
1717
1718         Reviewed by Saam Barati.
1719
1720         * stress/typed-array-array-modes-profile.js: Added.
1721         (foo):
1722
1723 2019-01-14  Mark Lam  <mark.lam@apple.com>
1724
1725         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1726         https://bugs.webkit.org/show_bug.cgi?id=193402
1727         <rdar://problem/46012309>
1728
1729         Reviewed by Keith Miller.
1730
1731         * stress/regexp-compile-oom.js:
1732         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1733           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1734
1735 2019-01-11  Saam barati  <sbarati@apple.com>
1736
1737         DFG combined liveness can be wrong for terminal basic blocks
1738         https://bugs.webkit.org/show_bug.cgi?id=193304
1739         <rdar://problem/45268632>
1740
1741         Reviewed by Yusuke Suzuki.
1742
1743         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1744
1745 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1746
1747         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1748         https://bugs.webkit.org/show_bug.cgi?id=193308
1749         <rdar://problem/45546542>
1750
1751         Reviewed by Saam Barati.
1752
1753         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1754         (shouldThrow):
1755         (shouldBe):
1756         (foo):
1757         (get shouldThrow):
1758         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1759         (shouldThrow):
1760         (shouldBe):
1761         (foo):
1762         (get shouldBe):
1763         (get shouldThrow):
1764         (get return):
1765         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1766         (shouldThrow):
1767         (shouldBe):
1768         (foo):
1769         (get shouldBe):
1770         (get shouldThrow):
1771         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1772         (shouldThrow):
1773         (shouldBe):
1774         (foo):
1775         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1776         (shouldThrow):
1777         (shouldBe):
1778         (foo):
1779         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1780         (shouldThrow):
1781         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1782         (shouldThrow):
1783         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1784         (shouldThrow):
1785         (shouldBe):
1786         (foo):
1787         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1788         (shouldThrow):
1789         (shouldBe):
1790         (foo):
1791         (get shouldBe):
1792         (get shouldThrow):
1793         (get return):
1794         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1795         (shouldThrow):
1796         (shouldBe):
1797         (foo):
1798         (get shouldBe):
1799         (get shouldThrow):
1800         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1801         (shouldThrow):
1802         (shouldBe):
1803         (foo):
1804         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1805         (shouldThrow):
1806         (shouldBe):
1807         (foo):
1808
1809 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1810
1811         Enable DFG on ARM/Linux again
1812         https://bugs.webkit.org/show_bug.cgi?id=192496
1813
1814         Reviewed by Yusuke Suzuki.
1815
1816         Test wasn't really skipped before moving the line with skip
1817         to the top.
1818
1819         * stress/regress-192717.js:
1820
1821 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1822
1823         Unreviewed, rolling out r239825.
1824         https://bugs.webkit.org/show_bug.cgi?id=193330
1825
1826         Broke tests on armv7/linux bots (Requested by guijemont on
1827         #webkit).
1828
1829         Reverted changeset:
1830
1831         "Enable DFG on ARM/Linux again"
1832         https://bugs.webkit.org/show_bug.cgi?id=192496
1833         https://trac.webkit.org/changeset/239825
1834
1835 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1836
1837         Enable DFG on ARM/Linux again
1838         https://bugs.webkit.org/show_bug.cgi?id=192496
1839
1840         Reviewed by Yusuke Suzuki.
1841
1842         Test wasn't really skipped before moving the line with skip
1843         to the top.
1844
1845         * stress/regress-192717.js:
1846
1847 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1848
1849         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1850         https://bugs.webkit.org/show_bug.cgi?id=193127
1851
1852         Reviewed by Saam Barati.
1853
1854         * stress/array-species-create-should-handle-masquerader.js: Added.
1855         (shouldThrow):
1856         * stress/is-undefined-or-null-builtin.js: Added.
1857         (shouldBe):
1858         (isUndefinedOrNull.vm.createBuiltin):
1859
1860 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1861
1862         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1863         https://bugs.webkit.org/show_bug.cgi?id=193221
1864
1865         Reviewed by Mark Lam.
1866
1867         * stress/put-by-id-flags.js: Added.
1868         (f):
1869         (g):
1870         (numberOfDFGCompiles):
1871
1872 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1873
1874         Baseline version of get_by_id may corrupt metadata
1875         https://bugs.webkit.org/show_bug.cgi?id=193085
1876         <rdar://problem/23453006>
1877
1878         Reviewed by Saam Barati.
1879
1880         * stress/get-by-id-change-mode.js: Added.
1881         (forEach):
1882
1883 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1884
1885         [JSC] Optimize Object.prototype.toString
1886         https://bugs.webkit.org/show_bug.cgi?id=193031
1887
1888         Reviewed by Saam Barati.
1889
1890         * stress/object-tostring-changed-proto.js: Added.
1891         (shouldBe):
1892         (test):
1893         * stress/object-tostring-changed.js: Added.
1894         (shouldBe):
1895         (test):
1896         * stress/object-tostring-misc.js: Added.
1897         (shouldBe):
1898         (test):
1899         (i.switch):
1900         * stress/object-tostring-other.js: Added.
1901         (shouldBe):
1902         (test):
1903         * stress/object-tostring-untyped.js: Added.
1904         (shouldBe):
1905         (test):
1906         (i.switch):
1907
1908 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1909
1910         test262-runner misbehaves when test file YAML has a trailing space
1911         https://bugs.webkit.org/show_bug.cgi?id=193053
1912
1913         Reviewed by Yusuke Suzuki.
1914
1915         * test262/expectations.yaml:
1916         Mark two dozen tests as passing (and correct the output of another).
1917
1918 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1919
1920         Unreviewed, JSTests gardening with memoryLimited
1921
1922         * stress/string-overflow-createError.js:
1923
1924 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1925
1926         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1927         https://bugs.webkit.org/show_bug.cgi?id=193050
1928
1929         Reviewed by Yusuke Suzuki.
1930
1931         * test262.yaml:
1932         * test262/expectations.yaml:
1933         Mark 16 tests as passing.
1934
1935 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1936
1937         [BigInt] Support BigInt in JSON.stringify
1938         https://bugs.webkit.org/show_bug.cgi?id=192624
1939
1940         Reviewed by Saam Barati.
1941
1942         * stress/big-int-json-stringify-to-json.js: Added.
1943         (shouldBe):
1944         (shouldThrow):
1945         (BigInt.prototype.toJSON):
1946         (shouldBe.JSON.stringify):
1947         * stress/big-int-json-stringify.js: Added.
1948         (shouldBe):
1949         (shouldThrow):
1950
1951 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1952
1953         [JSC] Implement "well-formed JSON.stringify" proposal
1954         https://bugs.webkit.org/show_bug.cgi?id=191677
1955
1956         Reviewed by Darin Adler.
1957
1958         * stress/json-surrogate-pair.js: Added.
1959         (shouldBe):
1960         * test262/expectations.yaml:
1961
1962 2018-12-20  Keith Miller  <keith_miller@apple.com>
1963
1964         Add support for globalThis
1965         https://bugs.webkit.org/show_bug.cgi?id=165171
1966
1967         Reviewed by Mark Lam.
1968
1969         * test262/config.yaml:
1970
1971 2018-12-19  Keith Miller  <keith_miller@apple.com>
1972
1973         Update test262 configuration to not run tests dependent on ICU version.
1974         https://bugs.webkit.org/show_bug.cgi?id=192920
1975
1976         Reviewed by Saam Barati.
1977
1978         * test262/expectations.yaml:
1979
1980 2018-12-20  Mark Lam  <mark.lam@apple.com>
1981
1982         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1983         https://bugs.webkit.org/show_bug.cgi?id=192939
1984         <rdar://problem/46869516>
1985
1986         Reviewed by Keith Miller.
1987
1988         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1989
1990 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1991
1992         WTF::String and StringImpl overflow MaxLength
1993         https://bugs.webkit.org/show_bug.cgi?id=192853
1994         <rdar://problem/45726906>
1995
1996         Reviewed by Mark Lam.
1997
1998         * stress/string-16bit-repeat-overflow.js: Added.
1999         (catch):
2000
2001 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2002
2003         Unreviewed follow-up to r192914.
2004
2005         * test262/expectations.yaml:
2006         Add the last 20 missing expectations.
2007
2008 2018-12-19  Keith Miller  <keith_miller@apple.com>
2009
2010         Fix test262 expectations
2011         https://bugs.webkit.org/show_bug.cgi?id=192914
2012
2013         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2014
2015         * test262/expectations.yaml:
2016
2017 2018-12-19  Keith Miller  <keith_miller@apple.com>
2018
2019         Update test262 tests.
2020         https://bugs.webkit.org/show_bug.cgi?id=192907
2021
2022         Rubber stamped by Mark Lam.
2023
2024         * test262/*: Omitted because prepare-changelog crashes.
2025
2026 2018-12-19  Mark Lam  <mark.lam@apple.com>
2027
2028         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2029         https://bugs.webkit.org/show_bug.cgi?id=192464
2030         <rdar://problem/46519455>
2031
2032         Reviewed by Saam Barati.
2033
2034         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2035         microbenchmark.
2036
2037         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2038         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2039
2040 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2041
2042         String overflow in JSC::createError results in ASSERT in WTF::makeString
2043         https://bugs.webkit.org/show_bug.cgi?id=192833
2044         <rdar://problem/45706868>
2045
2046         Reviewed by Mark Lam.
2047
2048         * stress/string-overflow-createError.js: Added.
2049
2050 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2051
2052         Error message for `-x ** y` contains a typo.
2053         https://bugs.webkit.org/show_bug.cgi?id=192832
2054
2055         Reviewed by Saam Barati.
2056
2057         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2058         (assert.assert.return.throws):
2059         * stress/pow-expects-update-expression-on-lhs.js:
2060         (throw.new.Error):
2061         Update test expectations which match against the exact error message.
2062
2063 2018-12-18  Mark Lam  <mark.lam@apple.com>
2064
2065         Gardening: test options fix.
2066         https://bugs.webkit.org/show_bug.cgi?id=192822
2067
2068         Unreviewed.
2069
2070         * stress/json-stringify-string-builder-overflow.js:
2071
2072 2018-12-18  Mark Lam  <mark.lam@apple.com>
2073
2074         JSON.stringify() should throw OOM on StringBuilder overflows.
2075         https://bugs.webkit.org/show_bug.cgi?id=192822
2076         <rdar://problem/46670577>
2077
2078         Reviewed by Saam Barati.
2079
2080         * stress/json-stringify-string-builder-overflow.js: Added.
2081
2082 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2083
2084         Redeclaration of var over let/const/class should be a syntax error.
2085         https://bugs.webkit.org/show_bug.cgi?id=192298
2086
2087         Reviewed by Keith Miller.
2088
2089         * test262.yaml:
2090         * test262/expectations.yaml:
2091         Mark 46 tests as passing.
2092
2093         * stress/block-scope-redeclarations.js:
2094         Add some new tests.
2095
2096         * stress/for-in-invalidate-context-weird-assignments.js:
2097         * stress/for-in-tests.js:
2098         Replace tests for outdated behavior with tests for SyntaxError.
2099
2100         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2101         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2102         Update expectations.
2103
2104 2018-12-18  Mark Lam  <mark.lam@apple.com>
2105
2106         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2107         https://bugs.webkit.org/show_bug.cgi?id=191374
2108         <rdar://problem/46525447>
2109
2110         Reviewed by Yusuke Suzuki.
2111
2112         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2113
2114         * stress/elidable-new-object-roflcopter-then-exit.js:
2115
2116 2018-12-17  Mark Lam  <mark.lam@apple.com>
2117
2118         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2119         https://bugs.webkit.org/show_bug.cgi?id=192019
2120         <rdar://problem/46525456>
2121
2122         Reviewed by Yusuke Suzuki.
2123
2124         The test runs too slow on 32-bit.
2125
2126         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2127
2128 2018-12-17  Mark Lam  <mark.lam@apple.com>
2129
2130         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2131         https://bugs.webkit.org/show_bug.cgi?id=191373
2132         <rdar://problem/46525458>
2133
2134         Reviewed by Yusuke Suzuki.
2135
2136         The test is already slow running with a JIT on 64-bit.  It will always time out
2137         on 32-bit without a JIT.
2138
2139         * stress/materialize-regexp-cyclic-regexp.js:
2140
2141 2018-12-17  Mark Lam  <mark.lam@apple.com>
2142
2143         Array unshift/shift should not race against the AI in the compiler thread.
2144         https://bugs.webkit.org/show_bug.cgi?id=192795
2145         <rdar://problem/46724263>
2146
2147         Reviewed by Saam Barati.
2148
2149         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2150
2151 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2152
2153         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2154         https://bugs.webkit.org/show_bug.cgi?id=190047
2155
2156         Reviewed by Saam Barati.
2157
2158         * stress/object-keys-cached-zero.js: Added.
2159         (shouldBe):
2160         (test):
2161         * stress/object-keys-changed-attribute.js: Added.
2162         (shouldBe):
2163         (test):
2164         * stress/object-keys-changed-index.js: Added.
2165         (shouldBe):
2166         (test):
2167         * stress/object-keys-changed.js: Added.
2168         (shouldBe):
2169         (test):
2170         * stress/object-keys-indexed-non-cache.js: Added.
2171         (shouldBe):
2172         (test):
2173         * stress/object-keys-overrides-get-property-names.js: Added.
2174         (shouldBe):
2175         (test):
2176         (noInline):
2177
2178 2018-12-17  Mark Lam  <mark.lam@apple.com>
2179
2180         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2181         https://bugs.webkit.org/show_bug.cgi?id=192779
2182         <rdar://problem/46775869>
2183
2184         Reviewed by Saam Barati.
2185
2186         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2187
2188 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2189
2190         Unreviewed test gardening, address a syntax error in a new test.
2191
2192         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2193
2194 2018-12-17  Mark Lam  <mark.lam@apple.com>
2195
2196         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2197         https://bugs.webkit.org/show_bug.cgi?id=192776
2198         <rdar://problem/46772368>
2199
2200         Reviewed by Keith Miller.
2201
2202         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2203
2204 2018-12-17  Mark Lam  <mark.lam@apple.com>
2205
2206         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2207         https://bugs.webkit.org/show_bug.cgi?id=192770
2208         <rdar://problem/46449037>
2209
2210         Reviewed by Keith Miller.
2211
2212         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2213
2214 2018-12-14  Mark Lam  <mark.lam@apple.com>
2215
2216         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2217         https://bugs.webkit.org/show_bug.cgi?id=192717
2218         <rdar://problem/46660677>
2219
2220         Reviewed by Saam Barati.
2221
2222         * stress/regress-192717.js: Added.
2223
2224 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2225
2226         Unreviewed, rolling out r239153, r239154, and r239155.
2227         https://bugs.webkit.org/show_bug.cgi?id=192715
2228
2229         Caused flaky GC-related crashes seen with layout tests
2230         (Requested by ryanhaddad on #webkit).
2231
2232         Reverted changesets:
2233
2234         "[JSC] Optimize Object.keys by caching own keys results in
2235         StructureRareData"
2236         https://bugs.webkit.org/show_bug.cgi?id=190047
2237         https://trac.webkit.org/changeset/239153
2238
2239         "Unreviewed, build fix after r239153"
2240         https://bugs.webkit.org/show_bug.cgi?id=190047
2241         https://trac.webkit.org/changeset/239154
2242
2243         "Unreviewed, build fix after r239153, part 2"
2244         https://bugs.webkit.org/show_bug.cgi?id=190047
2245         https://trac.webkit.org/changeset/239155
2246
2247 2018-12-14  Keith Miller  <keith_miller@apple.com>
2248
2249         Callers of JSString::getIndex should check for OOM exceptions
2250         https://bugs.webkit.org/show_bug.cgi?id=192709
2251
2252         Reviewed by Mark Lam.
2253
2254         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2255
2256 2018-12-13  Mark Lam  <mark.lam@apple.com>
2257
2258         Add a missing exception check.
2259         https://bugs.webkit.org/show_bug.cgi?id=192626
2260         <rdar://problem/46662163>
2261
2262         Reviewed by Keith Miller.
2263
2264         * stress/regress-192626.js: Added.
2265
2266 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2267
2268         [BigInt] Add ValueDiv into DFG
2269         https://bugs.webkit.org/show_bug.cgi?id=186178
2270
2271         Reviewed by Yusuke Suzuki.
2272
2273         * stress/big-int-div-jit-osr.js: Added.
2274         * stress/big-int-div-jit-untyped.js: Added.
2275         * stress/value-div-fixup-int32-big-int.js: Added.
2276
2277 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2278
2279         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2280         https://bugs.webkit.org/show_bug.cgi?id=190047
2281
2282         Reviewed by Keith Miller.
2283
2284         * stress/object-keys-cached-zero.js: Added.
2285         (shouldBe):
2286         (test):
2287         * stress/object-keys-changed-attribute.js: Added.
2288         (shouldBe):
2289         (test):
2290         * stress/object-keys-changed-index.js: Added.
2291         (shouldBe):
2292         (test):
2293         * stress/object-keys-changed.js: Added.
2294         (shouldBe):
2295         (test):
2296         * stress/object-keys-indexed-non-cache.js: Added.
2297         (shouldBe):
2298         (test):
2299         * stress/object-keys-overrides-get-property-names.js: Added.
2300         (shouldBe):
2301         (test):
2302         (noInline):
2303
2304 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2305
2306         [DFG][FTL] Add NewSymbol
2307         https://bugs.webkit.org/show_bug.cgi?id=192620
2308
2309         Reviewed by Saam Barati.
2310
2311         * microbenchmarks/symbol-creation.js: Added.
2312         (test):
2313         * stress/symbol-description-identity.js: Added.
2314         (shouldBe):
2315         (test):
2316         * stress/symbol-identity.js: Added.
2317         (shouldBe):
2318         (test):
2319         * stress/symbol-with-description-throw-error.js: Added.
2320         (shouldBe):
2321         (shouldThrow):
2322         (test):
2323         (object.toString):
2324
2325 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2326
2327         [BigInt] Implement DFG/FTL typeof for BigInt
2328         https://bugs.webkit.org/show_bug.cgi?id=192619
2329
2330         Reviewed by Keith Miller.
2331
2332         * stress/big-int-boolean-proven-type.js: Added.
2333         (assert):
2334         (bool):
2335         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2336         (assert):
2337         (typeOf):
2338         (i.switch):
2339         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2340         (assert):
2341         (typeOf):
2342         * stress/big-int-type-of.js:
2343         (typeOf):
2344         (func):
2345
2346 2018-12-10  Mark Lam  <mark.lam@apple.com>
2347
2348         PropertyAttribute needs a CustomValue bit.
2349         https://bugs.webkit.org/show_bug.cgi?id=191993
2350         <rdar://problem/46264467>
2351
2352         Reviewed by Saam Barati.
2353
2354         * stress/regress-191993.js: Added.
2355
2356 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2357
2358         [BigInt] Add ValueMul into DFG
2359         https://bugs.webkit.org/show_bug.cgi?id=186175
2360
2361         Reviewed by Yusuke Suzuki.
2362
2363         * stress/big-int-mul-jit-osr.js: Added.
2364         * stress/big-int-mul-jit-untyped.js: Added.
2365         * stress/value-mul-fixup-int32-big-int.js: Added.
2366
2367 2018-12-06  Keith Miller  <keith_miller@apple.com>
2368
2369         stress/big-wasm-memory tests failing on 32-bit JSC bot
2370         https://bugs.webkit.org/show_bug.cgi?id=192020
2371
2372         Reviewed by Saam Barati.
2373
2374         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2375         the wasm stress tests if the WebAssembly object does not exist.
2376
2377         * stress/big-wasm-memory-grow-no-max.js:
2378         (test.foo):
2379         (test):
2380         (foo): Deleted.
2381         (catch): Deleted.
2382         * stress/big-wasm-memory-grow.js:
2383         (test.foo):
2384         (test):
2385         (foo): Deleted.
2386         (catch): Deleted.
2387         * stress/big-wasm-memory.js:
2388         (test.foo):
2389         (test):
2390         (foo): Deleted.
2391         (catch): Deleted.
2392
2393 2018-12-05  Mark Lam  <mark.lam@apple.com>
2394
2395         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2396         https://bugs.webkit.org/show_bug.cgi?id=192441
2397         <rdar://problem/46480355>
2398
2399         Reviewed by Saam Barati.
2400
2401         * stress/regress-192441.js: Added.
2402
2403 2018-12-04  Mark Lam  <mark.lam@apple.com>
2404
2405         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2406         https://bugs.webkit.org/show_bug.cgi?id=192386
2407         <rdar://problem/46445516>
2408
2409         Reviewed by Saam Barati.
2410
2411         * stress/regress-192386.js: Added.
2412
2413 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2414
2415         [ESNext][BigInt] Support logic operations
2416         https://bugs.webkit.org/show_bug.cgi?id=179903
2417
2418         Reviewed by Yusuke Suzuki.
2419
2420         * stress/big-int-branch-usage.js: Added.
2421         * stress/big-int-logical-and.js: Added.
2422         * stress/big-int-logical-not.js: Added.
2423         * stress/big-int-logical-or.js: Added.
2424
2425 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2426
2427         Unreviewed, rolling out r238833.
2428
2429         Breaks macOS and iOS debug builds.
2430
2431         Reverted changeset:
2432
2433         "[ESNext][BigInt] Support logic operations"
2434         https://bugs.webkit.org/show_bug.cgi?id=179903
2435         https://trac.webkit.org/changeset/238833
2436
2437 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2438
2439         [ESNext][BigInt] Support logic operations
2440         https://bugs.webkit.org/show_bug.cgi?id=179903
2441
2442         Reviewed by Yusuke Suzuki.
2443
2444         * stress/big-int-branch-usage.js: Added.
2445         * stress/big-int-logical-and.js: Added.
2446         * stress/big-int-logical-not.js: Added.
2447         * stress/big-int-logical-or.js: Added.
2448
2449 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2450
2451         [ESNext][BigInt] Implement support for "<<" and ">>"
2452         https://bugs.webkit.org/show_bug.cgi?id=186233
2453
2454         Reviewed by Yusuke Suzuki.
2455
2456         * stress/big-int-left-shift-general.js: Added.
2457         * stress/big-int-left-shift-range-error.js: Added.
2458         * stress/big-int-left-shift-type-error.js: Added.
2459         * stress/big-int-left-shift-wrapped-value.js: Added.
2460         * stress/big-int-right-shift-general.js: Added.
2461         * stress/big-int-right-shift-type-error.js: Added.
2462         * stress/big-int-right-shift-wrapped-value.js: Added.
2463         * stress/left-shift-to-primitive-precedence.js: Added.
2464         * stress/right-shift-to-primitive-precedence.js: Added.
2465
2466 2018-11-30  Dean Jackson  <dino@apple.com>
2467
2468         Add first-class support for .mjs files in jsc binary
2469         https://bugs.webkit.org/show_bug.cgi?id=192190
2470         <rdar://problem/46375715>
2471
2472         Reviewed by Keith Miller.
2473
2474         * stress/simple-module.mjs: Added.
2475         * stress/simple-script.js: Added.
2476
2477 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2478
2479         [BigInt] Implement ValueBitXor into DFG
2480         https://bugs.webkit.org/show_bug.cgi?id=190264
2481
2482         Reviewed by Yusuke Suzuki.
2483
2484         * stress/big-int-bitwise-xor-jit.js: Added.
2485         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2486         * stress/big-int-bitwise-xor-untyped.js: Added.
2487
2488 2018-11-27  Saam barati  <sbarati@apple.com>
2489
2490         r238510 broke scopes of size zero
2491         https://bugs.webkit.org/show_bug.cgi?id=192033
2492         <rdar://problem/46281734>
2493
2494         Reviewed by Keith Miller.
2495
2496         * stress/r238510-bad-loop.js: Added.
2497         (foo):
2498
2499 2018-11-27  Mark Lam  <mark.lam@apple.com>
2500
2501         [Re-landing] NaNs read from Wasm code needs to be be purified.
2502         https://bugs.webkit.org/show_bug.cgi?id=191056
2503         <rdar://problem/45660341>
2504
2505         Reviewed by Filip Pizlo.
2506
2507         * wasm/regress/regress-191056.js: Added.
2508
2509 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2510
2511         Unreviewed, rolling out r238509.
2512
2513         Causes JSC tests to fail on iOS.
2514
2515         Reverted changeset:
2516
2517         "NaNs read from Wasm code needs to be be purified."
2518         https://bugs.webkit.org/show_bug.cgi?id=191056
2519         https://trac.webkit.org/changeset/238509
2520
2521 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2522
2523         Re-introduce op_bitnot
2524         https://bugs.webkit.org/show_bug.cgi?id=190923
2525
2526         Reviewed by Yusuke Suzuki.
2527
2528         * stress/bit-not-must-generate.js: Added.
2529         * stress/bitwise-not-no-int32.js: Added.
2530
2531 2018-11-26  Saam barati  <sbarati@apple.com>
2532
2533         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2534         https://bugs.webkit.org/show_bug.cgi?id=191956
2535         <rdar://problem/45665806>
2536
2537         Reviewed by Yusuke Suzuki.
2538
2539         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2540         (bar):
2541         (foo):
2542
2543 2018-11-26  Saam barati  <sbarati@apple.com>
2544
2545         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2546         https://bugs.webkit.org/show_bug.cgi?id=191958
2547         <rdar://problem/46221877>
2548
2549         Reviewed by Yusuke Suzuki.
2550
2551         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2552         (x):
2553         (foo):
2554
2555 2018-11-26  Mark Lam  <mark.lam@apple.com>
2556
2557         NaNs read from Wasm code needs to be be purified.
2558         https://bugs.webkit.org/show_bug.cgi?id=191056
2559         <rdar://problem/45660341>
2560
2561         Reviewed by Filip Pizlo.
2562
2563         * wasm/regress/regress-191056.js: Added.
2564
2565 2018-11-26  Michael Saboff  <msaboff@apple.com>
2566
2567         32-bit JSC test failure: stress/regexp-compile-oom.js
2568         https://bugs.webkit.org/show_bug.cgi?id=191375
2569
2570         Reviewed by Mark Lam.
2571
2572         Disabled the test for 32 bit platforms.
2573
2574         * stress/regexp-compile-oom.js:
2575
2576 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2577
2578         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2579         https://bugs.webkit.org/show_bug.cgi?id=191716
2580         <rdar://problem/45723878>
2581
2582         Reviewed by Saam Barati.
2583
2584         * stress/regress-187373.js: Added.
2585         (async.fn):
2586
2587 2018-11-21  Saam barati  <sbarati@apple.com>
2588
2589         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2590         https://bugs.webkit.org/show_bug.cgi?id=191897
2591         <rdar://problem/45871998>
2592
2593         Reviewed by Mark Lam.
2594
2595         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2596         (bar):
2597         (foo):
2598
2599 2018-11-21  Saam barati  <sbarati@apple.com>
2600
2601         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2602         https://bugs.webkit.org/show_bug.cgi?id=191895
2603         <rdar://problem/46167406>
2604
2605         Reviewed by Mark Lam.
2606
2607         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2608         (foo):
2609         (bar):
2610
2611 2018-11-21  Mark Lam  <mark.lam@apple.com>
2612
2613         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2614         https://bugs.webkit.org/show_bug.cgi?id=191776
2615         <rdar://problem/46152851>
2616
2617         Reviewed by Saam Barati.
2618
2619         * stress/big-wasm-memory-grow-no-max.js:
2620         * stress/big-wasm-memory-grow.js:
2621         * stress/big-wasm-memory.js:
2622         - updated these to expect an OutOfMemoryError.
2623
2624         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2625         (Binary.prototype.emit_u8):
2626         (Binary.prototype.emit_u32v):
2627         (Binary.prototype.emit_header):
2628         (Binary.prototype.emit_section):
2629         (Binary):
2630         (WasmModuleBuilder):
2631         (WasmModuleBuilder.prototype.addMemory):
2632         (WasmModuleBuilder.prototype.toArray):
2633         (WasmModuleBuilder.prototype.toBuffer):
2634         (WasmModuleBuilder.prototype.instantiate):
2635         (catch):
2636         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2637         (catch):
2638
2639 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2640
2641         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2642         https://bugs.webkit.org/show_bug.cgi?id=190836
2643
2644         Reviewed by Saam Barati and Yusuke Suzuki.
2645
2646         * stress/big-int-out-of-memory-tests.js: Added.
2647
2648 2018-11-20  Mark Lam  <mark.lam@apple.com>
2649
2650         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2651         https://bugs.webkit.org/show_bug.cgi?id=191856
2652         <rdar://problem/46089992>
2653
2654         Reviewed by Yusuke Suzuki.
2655
2656         * stress/regress-191856.js: Added.
2657         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2658
2659 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2660
2661         Enable JIT on ARM/Linux
2662         https://bugs.webkit.org/show_bug.cgi?id=191548
2663
2664         Reviewed by Yusuke Suzuki.
2665
2666         Disable test on system with limited memory. Program was killed by
2667         the OS before the exception was thrown.
2668
2669         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2670
2671 2018-11-20  Saam barati  <sbarati@apple.com>
2672
2673         Merging an IC variant may lead to the IC status containing overlapping structure sets
2674         https://bugs.webkit.org/show_bug.cgi?id=191869
2675         <rdar://problem/45403453>
2676
2677         Reviewed by Mark Lam.
2678
2679         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2680
2681 2018-11-19  Mark Lam  <mark.lam@apple.com>
2682
2683         globalFuncImportModule() should return a promise when it clears exceptions.
2684         https://bugs.webkit.org/show_bug.cgi?id=191792
2685         <rdar://problem/46090763>
2686
2687         Reviewed by Michael Saboff.
2688
2689         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2690
2691 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2692
2693         Skip new memory-hungry tests on memory limited devices
2694
2695         Unreviewed gardening.
2696
2697         * stress/big-wasm-memory-grow-no-max.js:
2698         * stress/big-wasm-memory-grow.js:
2699         * stress/big-wasm-memory.js:
2700
2701 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2702
2703         Unreviewed, rolling in the rest of r237254
2704         https://bugs.webkit.org/show_bug.cgi?id=190340
2705
2706         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2707         * stress/function-cache-with-parameters-end-position.js: Added.
2708         (shouldBe):
2709         (shouldThrow):
2710         (i.anonymous):
2711         * stress/function-constructor-name.js: Added.
2712         (shouldBe):
2713         (GeneratorFunction):
2714         (AsyncFunction.async):
2715         (AsyncGeneratorFunction.async):
2716         (anonymous):
2717         (async.anonymous):
2718         * test262/expectations.yaml:
2719
2720 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2721
2722         All users of ArrayBuffer should agree on the same max size
2723         https://bugs.webkit.org/show_bug.cgi?id=191771
2724
2725         Reviewed by Mark Lam.
2726
2727         * stress/big-wasm-memory-grow-no-max.js: Added.
2728         (foo):
2729         (catch):
2730         * stress/big-wasm-memory-grow.js: Added.
2731         (foo):
2732         (catch):
2733         * stress/big-wasm-memory.js: Added.
2734         (foo):
2735         (catch):
2736
2737 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2738
2739         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2740         run for each JSC config since they're regression tests for runtime bugs.
2741
2742         * stress/json-stringified-overflow-2.js:
2743         * stress/json-stringified-overflow.js:
2744
2745 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2746
2747         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2748         config since they're regression tests for runtime bugs.
2749
2750         * stress/large-unshift-splice.js:
2751         * stress/regress-185888.js:
2752
2753 2018-11-16  Saam Barati  <sbarati@apple.com>
2754
2755         KnownCellUse should also have SpecCellCheck as its type filter
2756         https://bugs.webkit.org/show_bug.cgi?id=191729
2757         <rdar://problem/45872852>
2758
2759         Reviewed by Filip Pizlo.
2760
2761         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2762         (C):
2763
2764 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2765
2766         Fix assertion failure on BytecodeGenerator::recordOpcode
2767         https://bugs.webkit.org/show_bug.cgi?id=191724
2768         <rdar://problem/45724395>
2769
2770         Reviewed by Saam Barati.
2771
2772         * stress/regress-187373-2.js: Added.
2773         (foo):
2774
2775 2018-11-15  Mark Lam  <mark.lam@apple.com>
2776
2777         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2778         https://bugs.webkit.org/show_bug.cgi?id=191730
2779         <rdar://problem/46048517>
2780
2781         Reviewed by Saam Barati.
2782
2783         * stress/regress-187006.js: Removed.
2784           - this test is invalid because its sole purpose is to test for the non-spec
2785             compliant behavior that we just fixed.
2786
2787         * stress/regress-191730.js: Added.
2788
2789 2018-11-15  Mark Lam  <mark.lam@apple.com>
2790
2791         RegExp operations should not take fast path if lastIndex is not numeric.
2792         https://bugs.webkit.org/show_bug.cgi?id=191731
2793         <rdar://problem/46017305>
2794
2795         Reviewed by Saam Barati.
2796
2797         * stress/regress-191731.js: Added.
2798
2799 2018-11-13  Saam Barati  <sbarati@apple.com>
2800
2801         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2802         https://bugs.webkit.org/show_bug.cgi?id=191600
2803
2804         Reviewed by Mark Lam.
2805
2806         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2807         (foo):
2808         (test):
2809         (bar):
2810
2811 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2812
2813         Unreviewed, rolling out r238132.
2814
2815         The test added with this change is timing out on Debug JSC
2816         bots.
2817
2818         Reverted changeset:
2819
2820         "[BigInt] JSBigInt::createWithLength should throw when length
2821         is greater than JSBigInt::maxLength"
2822         https://bugs.webkit.org/show_bug.cgi?id=190836
2823         https://trac.webkit.org/changeset/238132
2824
2825 2018-11-13  Mark Lam  <mark.lam@apple.com>
2826
2827         Add OOM detection to StringPrototype's substituteBackreferences().
2828         https://bugs.webkit.org/show_bug.cgi?id=191563
2829         <rdar://problem/45720428>
2830
2831         Reviewed by Saam Barati.
2832
2833         * stress/regress-191563.js: Added.
2834
2835 2018-11-13  Mark Lam  <mark.lam@apple.com>
2836
2837         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2838         https://bugs.webkit.org/show_bug.cgi?id=191579
2839         <rdar://problem/45942472>
2840
2841         Reviewed by Saam Barati.
2842
2843         * stress/regress-191579.js: Added.
2844
2845 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2846
2847         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2848         https://bugs.webkit.org/show_bug.cgi?id=190836
2849
2850         Reviewed by Saam Barati.
2851
2852         * stress/big-int-out-of-memory-tests.js: Added.
2853
2854 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2855
2856         U+180E is no longer a whitespace character
2857         https://bugs.webkit.org/show_bug.cgi?id=191415
2858
2859         Reviewed by Saam Barati.
2860
2861         * ChakraCore/test/es5/regexSpace.baseline:
2862         * ChakraCore/test/es6/unicode_whitespace.js:
2863         Update tests to latest version.
2864         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2865
2866         * test262.yaml:
2867         * test262/config.yaml:
2868         * test262/expectations.yaml:
2869         Update expectations.
2870
2871 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2872
2873         [BigInt] Add support to BigInt into ValueAdd
2874         https://bugs.webkit.org/show_bug.cgi?id=186177
2875
2876         Reviewed by Keith Miller.
2877
2878         * stress/big-int-negate-jit.js:
2879         * stress/value-add-big-int-and-string.js: Added.
2880         * stress/value-add-big-int-prediction-propagation.js: Added.
2881         * stress/value-add-big-int-untyped.js: Added.
2882
2883 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2884
2885         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2886         https://bugs.webkit.org/show_bug.cgi?id=191184
2887
2888         Reviewed by Saam Barati.
2889
2890         Most tests were failing due to timeouts, since they are too slow to
2891         run on CLoop. The exceptions are:
2892
2893         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2894         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2895         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2896         to change the stack size since CLoop requires it to be page aligned.
2897
2898         * microbenchmarks/array-push-1.js:
2899         * microbenchmarks/array-push-2.js:
2900         * microbenchmarks/elidable-new-object-dag.js:
2901         * microbenchmarks/elidable-new-object-roflcopter.js:
2902         * microbenchmarks/elidable-new-object-tree.js:
2903         * microbenchmarks/getter-richards.js:
2904         * microbenchmarks/sinkable-new-object-dag.js:
2905         * microbenchmarks/string-concat-long-convert.js:
2906         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2907         * slowMicrobenchmarks/array-push-3.js:
2908         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2909         * slowMicrobenchmarks/spread-small-array.js:
2910         * slowMicrobenchmarks/undefined-property-access.js:
2911         * stress/activation-sink-default-value-tdz-error.js:
2912         * stress/activation-sink-default-value.js:
2913         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2914         * stress/activation-sink-osrexit-default-value.js:
2915         * stress/activation-sink-osrexit.js:
2916         * stress/activation-sink.js:
2917         * stress/allow-math-ic-b3-code-duplication.js:
2918         * stress/array-push-multiple-int32.js:
2919         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2920         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2921         * stress/arrowfunction-lexical-this-activation-sink.js:
2922         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2923         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2924         * stress/elide-new-object-dag-then-exit.js:
2925         * stress/materialize-regexp-cyclic.js:
2926         * stress/new-regex-inline.js:
2927         * stress/op_add.js:
2928         * stress/op_bitand.js:
2929         * stress/op_bitor.js:
2930         * stress/op_bitxor.js:
2931         * stress/op_div-ConstVar.js:
2932         * stress/op_div-VarConst.js:
2933         * stress/op_div-VarVar.js:
2934         * stress/op_lshift-ConstVar.js:
2935         * stress/op_lshift-VarConst.js:
2936         * stress/op_lshift-VarVar.js:
2937         * stress/op_mod-ConstVar.js:
2938         * stress/op_mod-VarConst.js:
2939         * stress/op_mod-VarVar.js:
2940         * stress/op_mul-ConstVar.js:
2941         * stress/op_mul-VarConst.js:
2942         * stress/op_mul-VarVar.js:
2943         * stress/op_rshift-ConstVar.js:
2944         * stress/op_rshift-VarConst.js:
2945         * stress/op_rshift-VarVar.js:
2946         * stress/op_sub-ConstVar.js:
2947         * stress/op_sub-VarConst.js:
2948         * stress/op_sub-VarVar.js:
2949         * stress/op_urshift-ConstVar.js:
2950         * stress/op_urshift-VarConst.js:
2951         * stress/op_urshift-VarVar.js:
2952         * stress/proxy-get-set-correct-receiver.js:
2953         * stress/regress-179562.js:
2954         * stress/rest-parameter-many-arguments.js:
2955         * stress/sampling-profiler-richards.js:
2956         * stress/splay-flash-access-1ms.js:
2957         * stress/tailCallForwardArguments.js:
2958         * stress/typed-array-get-by-val-profiling.js:
2959         * typeProfiler/getter-richards.js:
2960
2961 2018-11-06  Michael Saboff  <msaboff@apple.com>
2962
2963         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2964         https://bugs.webkit.org/show_bug.cgi?id=191271
2965
2966         Reviewed by Saam Barati.
2967
2968         Added more test cases and made all test cases run with the same deeply recursive stack
2969         instead of finding that same point for each test case.
2970
2971         * stress/regexp-compile-oom.js:
2972         (prototype.runTest):
2973         (recurseAndTest):
2974         (testList.push.new.TestAndExpectedException):
2975
2976 2018-11-05  Michael Saboff  <msaboff@apple.com>
2977
2978         Unreviewed build fix for linux.
2979
2980         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2981
2982 2018-11-02  Michael Saboff  <msaboff@apple.com>
2983
2984         Rolling in r237753 with unreviewed build fix.
2985
2986         Fixed issues with DECLARE_THROW_SCOPE placement.
2987
2988 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2989
2990         Unreviewed, rolling out r237753.
2991
2992         Introduced JSC test failures
2993
2994         Reverted changeset:
2995
2996         "Running out of stack space not properly handled in
2997         RegExp::compile() and its callers"
2998         https://bugs.webkit.org/show_bug.cgi?id=191206
2999         https://trac.webkit.org/changeset/237753
3000
3001 2018-11-02  Michael Saboff  <msaboff@apple.com>
3002
3003         Running out of stack space not properly handled in RegExp::compile() and its callers
3004         https://bugs.webkit.org/show_bug.cgi?id=191206
3005
3006         Reviewed by Filip Pizlo.
3007
3008         New regression test.
3009
3010         * stress/regexp-compile-oom.js: Added.
3011         (recurseAndTest):
3012
3013 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3014
3015         Skip tests on arm/mips that time out now we're running on CLoop
3016
3017         Unreviewed gardening.
3018
3019         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3020         time out on the bots and need to be disabled. There's more tests
3021         disabled on arm because the timeout is longer on the mips bot (as the
3022         device is slower to start with), so many of the tests don't time out
3023         there.
3024
3025         * microbenchmarks/getter-richards.js: disable on arm and mips.
3026         * stress/op_add.js: disable on arm.
3027         * stress/op_bitand.js: disable on arm.
3028         * stress/op_bitor.js: disable on arm.
3029         * stress/op_bitxor.js: disable on arm.
3030         * stress/op_lshift-ConstVar.js: disable on arm.
3031         * stress/op_lshift-VarConst.js: disable on arm.
3032         * stress/op_lshift-VarVar.js: disable on arm.
3033         * stress/op_mod-ConstVar.js: disable on arm.
3034         * stress/op_mod-VarConst.js: disable on arm.
3035         * stress/op_mod-VarVar.js: disable on arm.
3036         * stress/op_mul-ConstVar.js: disable on arm.
3037         * stress/op_mul-VarConst.js: disable on arm.
3038         * stress/op_mul-VarVar.js: disable on arm.
3039         * stress/op_rshift-ConstVar.js: disable on arm.
3040         * stress/op_rshift-VarConst.js: disable on arm.
3041         * stress/op_rshift-VarVar.js: disable on arm.
3042         * stress/op_sub-ConstVar.js: disable on arm.
3043         * stress/op_sub-VarConst.js: disable on arm.
3044         * stress/op_sub-VarVar.js: disable on arm.
3045         * stress/op_urshift-ConstVar.js: disable on arm.
3046         * stress/op_urshift-VarConst.js: disable on arm.
3047         * stress/op_urshift-VarVar.js: disable on arm.
3048         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3049         * stress/value-to-boolean.js: disable on arm and mips.
3050
3051 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3052
3053         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3054         https://bugs.webkit.org/show_bug.cgi?id=191108
3055         <rdar://problem/45690700>
3056
3057         Reviewed by Saam Barati.
3058
3059         * stress/wide-op_catch.js: Added.
3060         (catch):
3061
3062 2018-10-29  Mark Lam  <mark.lam@apple.com>
3063
3064         Correctly detect string overflow when using the 'Function' constructor.
3065         https://bugs.webkit.org/show_bug.cgi?id=184883
3066         <rdar://problem/36320331>
3067
3068         Reviewed by Saam Barati.
3069
3070         I've verified that this passes on 32-bit as well.
3071
3072         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3073
3074 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3075
3076         Add support for GetStack FlushedDouble
3077         https://bugs.webkit.org/show_bug.cgi?id=191012
3078         <rdar://problem/45265141>
3079
3080         Reviewed by Saam Barati.
3081
3082         * stress/get-stack-double.js: Added.
3083         (bar):
3084         (noInline):
3085
3086 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3087
3088         New bytecode format for JSC
3089         https://bugs.webkit.org/show_bug.cgi?id=187373
3090         <rdar://problem/44186758>
3091
3092         Reviewed by Filip Pizlo.
3093
3094         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3095
3096         * stress/maximum-inline-capacity.js: Added.
3097         (test1):
3098         (test3.Foo):
3099         (test3):
3100
3101 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3102
3103         Unreviewed, rolling out r237479 and r237484.
3104         https://bugs.webkit.org/show_bug.cgi?id=190978
3105
3106         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3107
3108         Reverted changesets:
3109
3110         "New bytecode format for JSC"
3111         https://bugs.webkit.org/show_bug.cgi?id=187373
3112         https://trac.webkit.org/changeset/237479
3113
3114         "Gardening: Build fix after r237479."
3115         https://bugs.webkit.org/show_bug.cgi?id=187373
3116         https://trac.webkit.org/changeset/237484
3117
3118 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3119
3120         New bytecode format for JSC
3121         https://bugs.webkit.org/show_bug.cgi?id=187373
3122         <rdar://problem/44186758>
3123
3124         Reviewed by Filip Pizlo.
3125
3126         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3127
3128         * stress/maximum-inline-capacity.js: Added.
3129         (test1):
3130         (test3.Foo):
3131         (test3):
3132
3133 2018-10-26  Mark Lam  <mark.lam@apple.com>
3134
3135         Fix missing edge cases with JSGlobalObjects having a bad time.
3136         https://bugs.webkit.org/show_bug.cgi?id=189028
3137         <rdar://problem/45204939>
3138
3139         Reviewed by Saam Barati.
3140
3141         * stress/regress-189028.js: Added.
3142
3143 2018-10-22  Mark Lam  <mark.lam@apple.com>
3144
3145         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3146         https://bugs.webkit.org/show_bug.cgi?id=190515
3147         <rdar://problem/45222379>
3148
3149         Rubber-stamped by Saam Barati.
3150
3151         Adding another test.
3152
3153         * stress/regress-190515-2.js: Added.
3154
3155 2018-10-22  Mark Lam  <mark.lam@apple.com>
3156
3157         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3158         https://bugs.webkit.org/show_bug.cgi?id=190515
3159         <rdar://problem/45222379>
3160
3161         Reviewed by Saam Barati.
3162
3163         * stress/regress-190515.js: Added.
3164
3165 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3166
3167         Unreviewed, rolling out r237254.
3168         https://bugs.webkit.org/show_bug.cgi?id=190760
3169
3170         "It regresses JetStream 2 by 5% on some iOS devices"
3171         (Requested by saamyjoon on #webkit).
3172
3173         Reverted changeset:
3174
3175         "[JSC] JSC should have "parseFunction" to optimize Function
3176         constructor"
3177         https://bugs.webkit.org/show_bug.cgi?id=190340
3178         https://trac.webkit.org/changeset/237254
3179
3180 2018-10-19  Saam Barati  <sbarati@apple.com>
3181
3182         vmCall should check if we exit before emitting an OSR exit due to exceptions
3183         https://bugs.webkit.org/show_bug.cgi?id=190740
3184         <rdar://problem/45220139>
3185
3186         Reviewed by Mark Lam.
3187
3188         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3189         (foo):
3190
3191 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3192
3193         [ESNext][BigInt] Implement support for "^"
3194         https://bugs.webkit.org/show_bug.cgi?id=186235
3195
3196         Reviewed by Yusuke Suzuki.
3197
3198         * stress/big-int-bitwise-xor-general.js: Added.
3199         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3200         * stress/big-int-bitwise-xor-type-error.js: Added.
3201         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3202
3203 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3204
3205         [BigInt] Add ValueSub into DFG
3206         https://bugs.webkit.org/show_bug.cgi?id=186176
3207
3208         Reviewed by Yusuke Suzuki.
3209
3210         * stress/big-int-subtraction-jit.js:
3211         * stress/value-sub-big-int-prediction-propagation.js: Added.
3212         * stress/value-sub-big-int-untyped.js: Added.
3213         * stress/value-sub-spec-none-case.js: Added.
3214
3215 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3216
3217         [JSC] JSC should have "parseFunction" to optimize Function constructor
3218         https://bugs.webkit.org/show_bug.cgi?id=190340
3219
3220         Reviewed by Mark Lam.
3221
3222         This patch fixes the line number of syntax errors raised by the Function constructor,
3223         since we now parse the final code only once. And we no longer use block statement
3224         for Function constructor's parsing.
3225
3226         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3227         * stress/function-cache-with-parameters-end-position.js: Added.
3228         (shouldBe):
3229         (shouldThrow):
3230         (i.anonymous):
3231         * stress/function-constructor-name.js: Added.
3232         (shouldBe):
3233         (GeneratorFunction):
3234         (AsyncFunction.async):
3235         (AsyncGeneratorFunction.async):
3236         (anonymous):
3237         (async.anonymous):
3238         * test262/expectations.yaml:
3239
3240 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3241
3242         Unreviewed, rolling out r237242.
3243         https://bugs.webkit.org/show_bug.cgi?id=190701
3244
3245         it breaks "stress/sampling-profiler-basic.js" (Requested by
3246         caiolima on #webkit).
3247
3248         Reverted changeset:
3249
3250         "[BigInt] Add ValueSub into DFG"
3251         https://bugs.webkit.org/show_bug.cgi?id=186176
3252         https://trac.webkit.org/changeset/237242
3253
3254 2018-10-17  Keith Miller  <keith_miller@apple.com>
3255
3256         AI does not clear Phantom allocation nodes.
3257         https://bugs.webkit.org/show_bug.cgi?id=190694
3258
3259         Reviewed by Saam Barati.
3260
3261         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3262         (Day):
3263         (DaysInYear):
3264         (TimeInYear):
3265         (TimeFromYear):
3266         (DayFromYear):
3267         (InLeapYear):
3268         (YearFromTime):
3269         (WeekDay):
3270         (DaylightSavingTA):
3271         (GetSecondSundayInMarch):
3272         (TimeInMonth):
3273
3274 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3275
3276         [BigInt] Add ValueSub into DFG
3277         https://bugs.webkit.org/show_bug.cgi?id=186176
3278
3279         Reviewed by Yusuke Suzuki.
3280
3281         * stress/big-int-subtraction-jit.js:
3282         * stress/value-sub-big-int-prediction-propagation.js: Added.
3283         * stress/value-sub-big-int-untyped.js: Added.
3284
3285 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3286
3287         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3288         https://bugs.webkit.org/show_bug.cgi?id=190611
3289
3290         Reviewed by Saam Barati.
3291
3292         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3293         to improve test runtime. On ARM/MIPS this test even timed out when running all
3294         tests.
3295
3296         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3297         (test):
3298
3299 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3300
3301         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3302
3303         Unreviewed gardening.
3304
3305         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3306
3307 2018-10-15  Saam barati  <sbarati@apple.com>
3308
3309         Emit fjcvtzs on ARM64E on Darwin
3310         https://bugs.webkit.org/show_bug.cgi?id=184023
3311
3312         Reviewed by Yusuke Suzuki and Filip Pizlo.
3313
3314         * stress/double-to-int32-NaN.js: Added.
3315         (assert):
3316         (foo):
3317
3318 2018-10-15  Saam Barati  <sbarati@apple.com>
3319
3320         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3321         https://bugs.webkit.org/show_bug.cgi?id=190262
3322         <rdar://problem/44986241>
3323
3324         Reviewed by Mark Lam.
3325
3326         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3327         (test):
3328         * stress/slice-array-storage-with-holes.js: Added.
3329         (main):
3330
3331 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3332
3333         Unreviewed, rolling out r237054.
3334         https://bugs.webkit.org/show_bug.cgi?id=190593
3335
3336         "this regressed JetStream 2 by 6% on iOS" (Requested by
3337         saamyjoon on #webkit).
3338
3339         Reverted changeset:
3340
3341         "[JSC] JSC should have "parseFunction" to optimize Function
3342         constructor"
3343         https://bugs.webkit.org/show_bug.cgi?id=190340
3344         https://trac.webkit.org/changeset/237054
3345
3346 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3347
3348         [JSC] JSON.stringify can accept call-with-no-arguments
3349         https://bugs.webkit.org/show_bug.cgi?id=190343
3350
3351         Reviewed by Mark Lam.
3352
3353         * stress/json-stringify-no-arguments.js: Added.
3354         (shouldBe):
3355
3356 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3357
3358         [JSC] JSC should have "parseFunction" to optimize Function constructor
3359         https://bugs.webkit.org/show_bug.cgi?id=190340
3360
3361         Reviewed by Mark Lam.
3362
3363         This patch fixes the line number of syntax errors raised by the Function constructor,
3364         since we now parse the final code only once. And we no longer use block statement
3365         for Function constructor's parsing.
3366
3367         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3368         * stress/function-cache-with-parameters-end-position.js: Added.
3369         (shouldBe):
3370         (shouldThrow):
3371         (i.anonymous):
3372         * stress/function-constructor-name.js: Added.
3373         (shouldBe):
3374         (GeneratorFunction):
3375         (AsyncFunction.async):
3376         (AsyncGeneratorFunction.async):
3377         (anonymous):
3378         (async.anonymous):
3379         * test262/expectations.yaml:
3380
3381 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3382
3383         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3384         https://bugs.webkit.org/show_bug.cgi?id=190426
3385
3386         Unreviewed gardening.
3387
3388         * stress/sampling-profiler-richards.js:
3389
3390 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3391
3392         [ESNext][BigInt] Implement support for "|"
3393         https://bugs.webkit.org/show_bug.cgi?id=186229
3394
3395         Reviewed by Yusuke Suzuki.
3396
3397         * stress/big-int-bitwise-and-jit.js:
3398         * stress/big-int-bitwise-or-general.js: Added.
3399         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3400         * stress/big-int-bitwise-or-jit.js: Added.
3401         * stress/big-int-bitwise-or-memory-stress.js: Added.
3402         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3403         * stress/big-int-bitwise-or-type-error.js: Added.
3404         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3405
3406 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3407
3408         Skip test on systems with limited memory
3409         https://bugs.webkit.org/show_bug.cgi?id=190310
3410
3411         Invoking runDefault adds test to runlist; skipping the test in the next
3412         line does not prevent the test from executing. Change order of lines such
3413         that runDefault is only executed if test is not executed.
3414
3415         Reviewed by Mark Lam.
3416
3417         * stress/regress-190187.js:
3418
3419 2018-10-03  Saam barati  <sbarati@apple.com>
3420
3421         lowXYZ in FTLLower should always filter the type of the incoming edge
3422         https://bugs.webkit.org/show_bug.cgi?id=189939
3423         <rdar://problem/44407030>
3424
3425         Reviewed by Michael Saboff.
3426
3427         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3428         (foo):
3429         (test):
3430
3431 2018-10-03  Mark Lam  <mark.lam@apple.com>
3432
3433         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3434         https://bugs.webkit.org/show_bug.cgi?id=190187
3435         <rdar://problem/42512909>
3436
3437         Reviewed by Michael Saboff.
3438
3439         * stress/regress-190187.js: Added.
3440
3441 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3442
3443         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3444         https://bugs.webkit.org/show_bug.cgi?id=190033
3445
3446         Reviewed by Yusuke Suzuki.
3447
3448         * stress/big-int-to-string.js:
3449
3450 2018-10-01  Mark Lam  <mark.lam@apple.com>
3451
3452         Function.toString() should also copy the source code for Functions that are class definitions.
3453         https://bugs.webkit.org/show_bug.cgi?id=190186
3454         <rdar://problem/44733360>
3455
3456         Reviewed by Saam Barati.
3457
3458         * stress/regress-190186.js: Added.
3459
3460 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3461
3462         Split NaN-check into separate test
3463         https://bugs.webkit.org/show_bug.cgi?id=190010
3464
3465         Reviewed by Saam Barati.
3466
3467         DataView exposes NaN-representation, which is not necessarily the same on each
3468         architecture. Therefore move the check of the NaN-representation into its own
3469         file such that we can disable this test on MIPS where NaN-representation can be
3470         different on older CPUs.
3471
3472         * stress/dataview-jit-set-nan.js: Added.
3473         (assert):
3474         (test.storeLittleEndian):
3475         (test.storeBigEndian):
3476         (test.store):
3477         (test):
3478         * stress/dataview-jit-set.js:
3479         (test5):
3480
3481 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3482
3483         Unreviewed, rolling out r236647.
3484         https://bugs.webkit.org/show_bug.cgi?id=190124
3485
3486         Breaking test stress/big-int-to-string.js (Requested by
3487         caiolima_ on #webkit).
3488
3489         Reverted changeset:
3490
3491         "[BigInt] BigInt.prototype.toString is broken when radix is
3492         power of 2"
3493         https://bugs.webkit.org/show_bug.cgi?id=190033
3494         https://trac.webkit.org/changeset/236647
3495
3496 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3497
3498         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3499         https://bugs.webkit.org/show_bug.cgi?id=190033
3500
3501         Reviewed by Yusuke Suzuki.
3502
3503         * stress/big-int-to-string.js:
3504
3505 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3506
3507         [ESNext][BigInt] Implement support for "&"
3508         https://bugs.webkit.org/show_bug.cgi?id=186228
3509
3510         Reviewed by Yusuke Suzuki.
3511
3512         * stress/big-int-bitwise-and-general.js: Added.
3513         (assert):
3514         (assert.sameValue):
3515         * stress/big-int-bitwise-and-jit.js: Added.
3516         (let.assert.sameValue):
3517         (bigIntBitAnd):
3518         * stress/big-int-bitwise-and-memory-stress.js: Added.
3519         (assert):
3520         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3521         (assert.sameValue):
3522         (let.o.Symbol.toPrimitive):
3523         (catch):
3524         * stress/big-int-bitwise-and-type-error.js: Added.
3525         (assert):
3526         (assertThrowTypeError):
3527         (let.o.valueOf):
3528         (o.valueOf):
3529         (o.toString):
3530         (o.Symbol.toPrimitive):
3531         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3532         (assert.sameValue):
3533         (testBitAnd):
3534         (let.o.Symbol.toPrimitive):
3535         (o.valueOf):
3536         (o.toString):
3537
3538 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3539
3540         JSC test stress/jsc-read.js doesn't support CRLF
3541         https://bugs.webkit.org/show_bug.cgi?id=190063
3542
3543         Reviewed by Yusuke Suzuki.
3544
3545         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3546
3547         * stress/jsc-read.js:
3548         (test):
3549
3550 2018-09-27  Saam barati  <sbarati@apple.com>
3551
3552         Verify the contents of AssemblerBuffer on arm64e
3553         https://bugs.webkit.org/show_bug.cgi?id=190057
3554         <rdar://problem/38916630>
3555
3556         Reviewed by Mark Lam.
3557
3558         * stress/regress-189132.js:
3559
3560 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3561
3562         Disable test without LLInt on ARMv7
3563         https://bugs.webkit.org/show_bug.cgi?id=190037
3564
3565         Reviewed by Mark Lam.
3566
3567         Test runs out of executable memory on ARMv7; do not run
3568         this test without LLInt enabled.
3569
3570         * stress/regress-169445.js:
3571
3572 2018-09-26  Keith Miller  <keith_miller@apple.com>
3573
3574         We should zero unused property storage when rebalancing array storage.
3575         https://bugs.webkit.org/show_bug.cgi?id=188151
3576
3577         Reviewed by Michael Saboff.
3578
3579         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3580
3581 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3582
3583         [JSC] Optimize Array#lastIndexOf
3584         https://bugs.webkit.org/show_bug.cgi?id=189780
3585
3586         Reviewed by Saam Barati.
3587
3588         * stress/array-lastindexof-array-prototype-trap.js: Added.
3589         (shouldBe):
3590         (AncestorArray.prototype.get 2):
3591         (AncestorArray):
3592         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3593         (shouldBe):
3594         * stress/array-lastindexof-hole-nan.js: Added.
3595         (shouldBe):
3596         (throw.new.Error):
3597         * stress/array-lastindexof-infinity.js: Added.
3598         (shouldBe):
3599         (throw.new.Error):
3600         * stress/array-lastindexof-negative-zero.js: Added.
3601         (shouldBe):
3602         (throw.new.Error):
3603         * stress/array-lastindexof-own-getter.js: Added.
3604         (shouldBe):
3605         (throw.new.Error.get array):
3606         (get array):
3607         * stress/array-lastindexof-prototype-trap.js: Added.
3608         (shouldBe):
3609         (DerivedArray.prototype.get 2):
3610         (DerivedArray):
3611
3612 2018-09-25  Saam Barati  <sbarati@apple.com>
3613
3614         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3615         https://bugs.webkit.org/show_bug.cgi?id=189940
3616         <rdar://problem/43640987>
3617
3618         Reviewed by Mark Lam.
3619
3620         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3621
3622 2018-09-24  Saam Barati  <sbarati@apple.com>
3623
3624         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3625         https://bugs.webkit.org/show_bug.cgi?id=189922
3626         <rdar://problem/44651275>
3627
3628         Reviewed by Mark Lam.
3629
3630         * stress/array-indexof-fast-path-effects.js: Added.
3631         * stress/array-indexof-cached-length.js: Added.
3632
3633 2018-09-24  Saam barati  <sbarati@apple.com>
3634
3635         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3636         https://bugs.webkit.org/show_bug.cgi?id=189682
3637         <rdar://problem/43557315>
3638
3639         Reviewed by Mark Lam.
3640
3641         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3642         (foo):
3643
3644 2018-09-22  Saam barati  <sbarati@apple.com>
3645
3646         The sampling should not use Strong<CodeBlock> in its machineLocation field
3647         https://bugs.webkit.org/show_bug.cgi?id=189319
3648
3649         Reviewed by Filip Pizlo.
3650
3651         * stress/sampling-profiler-richards.js: Added.
3652
3653 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3654
3655         [JSC] Optimize Array#indexOf in C++ runtime
3656         https://bugs.webkit.org/show_bug.cgi?id=189507
3657
3658         Reviewed by Saam Barati.
3659
3660         * stress/array-indexof-array-prototype-trap.js: Added.
3661         (shouldBe):
3662         (AncestorArray.prototype.get 2):
3663         (AncestorArray):
3664         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3665         (shouldBe):
3666         * stress/array-indexof-hole-nan.js: Added.
3667         (shouldBe):
3668         (throw.new.Error):
3669         * stress/array-indexof-infinity.js: Added.
3670         (shouldBe):
3671         (throw.new.Error):
3672         * stress/array-indexof-negative-zero.js: Added.
3673         (shouldBe):
3674         (throw.new.Error):
3675         * stress/array-indexof-own-getter.js: Added.
3676         (shouldBe):
3677         (throw.new.Error.get array):
3678         (get array):
3679         * stress/array-indexof-prototype-trap.js: Added.
3680         (shouldBe):
3681         (DerivedArray.prototype.get 2):
3682         (DerivedArray):
3683
3684 2018-09-19  Saam barati  <sbarati@apple.com>
3685
3686         AI rule for MultiPutByOffset executes its effects in the wrong order
3687         https://bugs.webkit.org/show_bug.cgi?id=189757
3688         <rdar://problem/43535257>
3689
3690         Reviewed by Michael Saboff.
3691
3692         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3693         (foo):
3694         (Foo):
3695         (g):
3696
3697 2018-09-17  Mark Lam  <mark.lam@apple.com>
3698
3699         Ensure that ForInContexts are invalidated if their loop local is over-written.
3700         https://bugs.webkit.org/show_bug.cgi?id=189571
3701         <rdar://problem/44402277>
3702
3703         Reviewed by Saam Barati.
3704
3705         * stress/regress-189571.js: Added.
3706
3707 2018-09-17  Saam barati  <sbarati@apple.com>
3708
3709         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3710         https://bugs.webkit.org/show_bug.cgi?id=189676
3711         <rdar://problem/39682897>
3712
3713         Reviewed by Michael Saboff.
3714
3715         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3716         (A):
3717         (K):
3718         (i.catch):
3719
3720 2018-09-14  Saam barati  <sbarati@apple.com>
3721
3722         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3723         https://bugs.webkit.org/show_bug.cgi?id=189628
3724         <rdar://problem/39481690>
3725
3726         Reviewed by Mark Lam.
3727
3728         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3729         (foo):
3730
3731 2018-09-11  Mark Lam  <mark.lam@apple.com>
3732
3733         Test for array initialization in arrayProtoFuncSplice.
3734         https://bugs.webkit.org/show_bug.cgi?id=170253
3735         <rdar://problem/31328773>
3736
3737         Rubber-stamped by Saam Barati.
3738
3739         * stress/regress-170253.js: Added.
3740
3741 2018-09-11  Mark Lam  <mark.lam@apple.com>
3742
3743         Test for IntlObject initialization.
3744         https://bugs.webkit.org/show_bug.cgi?id=170251
3745         <rdar://problem/31328419>
3746
3747         Rubber-stamped by Saam Barati.
3748
3749         * stress/regress-170251.js: Added.
3750
3751 2018-09-11  Mark Lam  <mark.lam@apple.com>
3752
3753         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3754         https://bugs.webkit.org/show_bug.cgi?id=169889
3755         <rdar://problem/31155607>
3756
3757         Reviewed by Saam Barati.
3758
3759         * stress/regress-169889-array-concat.js: Added.
3760         * stress/regress-169889-array-concat1.js: Added.
3761         * stress/regress-169889-array-slice.js: Added.
3762
3763 2018-09-11  Mark Lam  <mark.lam@apple.com>
3764
3765         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3766         https://bugs.webkit.org/show_bug.cgi?id=169445
3767         <rdar://problem/30957435>
3768
3769         Reviewed by Saam Barati.
3770
3771         * stress/regress-169445.js: Added.
3772         (let.gun.eval.A):
3773         (let.gun.eval.B.C):
3774         (let.gun.eval.B.C.prototype.trigger):
3775         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3776         (let.gun.eval.B):
3777         (let.gun.eval):
3778
3779 == Rolled over to ChangeLog-2018-09-11 ==