BackwardsGraph needs to consider back edges as the backward's root successor
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-28  Saam Barati  <sbarati@apple.com>
2
3         BackwardsGraph needs to consider back edges as the backward's root successor
4         https://bugs.webkit.org/show_bug.cgi?id=195991
5
6         Reviewed by Filip Pizlo.
7
8         * stress/map-b3-licm-infinite-loop.js: Added.
9
10 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
11
12         CodeBlock::jettison() should disallow repatching its own calls
13         https://bugs.webkit.org/show_bug.cgi?id=196359
14         <rdar://problem/48973663>
15
16         Reviewed by Saam Barati.
17
18         * stress/call-link-info-osrexit-repatch.js: Added.
19         (foo):
20
21 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
22
23         [JSC] imports-oom.js intermittently fails
24         https://bugs.webkit.org/show_bug.cgi?id=196373
25
26         Reviewed by Saam Barati.
27
28         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
29         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
30         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
31         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
32         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
33
34         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
35         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
36
37         * wasm/lowExecutableMemory/imports-oom.js:
38
39 2019-03-27  Saam Barati  <sbarati@apple.com>
40
41         validateOSREntryValue with Int52 should box the value being checked into double format
42         https://bugs.webkit.org/show_bug.cgi?id=196313
43         <rdar://problem/49306703>
44
45         Reviewed by Yusuke Suzuki.
46
47         * stress/validate-int-52-ai-state.js: Added.
48
49 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
50
51         [JSC] Owner of watchpoints should validate at GC finalizing phase
52         https://bugs.webkit.org/show_bug.cgi?id=195827
53
54         Reviewed by Filip Pizlo.
55
56         * stress/gc-should-reap-dead-watchpoints.js: Added.
57         (foo):
58         (A.prototype.y):
59         (A):
60
61 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
62
63         Skip WebAssembly test on 32-bit systems
64         https://bugs.webkit.org/show_bug.cgi?id=196206
65
66         Reviewed by Saam Barati.
67
68         Invoking runDefault executes test immediately even though
69         that test should be skipped due to missing WASM support.
70         Therefore remove runDefault.
71
72         * wasm/regress/web-assembly-link-error-exception-check.js:
73
74 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
75
76         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
77         https://bugs.webkit.org/show_bug.cgi?id=196217
78
79         Reviewed by Saam Barati.
80
81         Re-enable all NaN tests for f32.min, f64.min and f64.max.
82
83         * wasm/spec-tests/f32.wast.js:
84         * wasm/spec-tests/f64.wast.js:
85         * wasm/wasm.json:
86
87 2019-03-25  Keith Miller  <keith_miller@apple.com>
88
89         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
90         https://bugs.webkit.org/show_bug.cgi?id=196176
91
92         Reviewed by Saam Barati.
93
94         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
95         (main.v10):
96         (main):
97
98 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
99
100         WebAssembly: f32.max with NaN generates incorrect result
101         https://bugs.webkit.org/show_bug.cgi?id=175691
102         <rdar://problem/33952228>
103
104         Reviewed by Saam Barati.
105
106         Enable all f32.max NaN tests
107
108         * wasm/spec-tests/f32.wast.js:
109         * wasm/wasm.json:
110
111 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
112
113         [JSC] Move test into directory for WASM tests
114         https://bugs.webkit.org/show_bug.cgi?id=196187
115
116         Reviewed by Mark Lam.
117
118         Move Test into wasm-directory. Otherwise this test
119         is also executed on systems without WASM support.
120
121         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
122
123 2019-03-23  Mark Lam  <mark.lam@apple.com>
124
125         Rolling out r243032 and r243071 because the fix is incorrect.
126         https://bugs.webkit.org/show_bug.cgi?id=195892
127         <rdar://problem/48981239>
128
129         Not reviewed.
130
131         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
132
133 2019-03-22  Mark Lam  <mark.lam@apple.com>
134
135         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
136         https://bugs.webkit.org/show_bug.cgi?id=196154
137         <rdar://problem/49145307>
138
139         Reviewed by Filip Pizlo.
140
141         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
142         There's no need to run this test on more than 1 test configuration.
143
144         * stress/typed-array-lastIndexOf-exception-check.js: Added.
145         * stress/web-assembly-link-error-exception-check.js:
146
147 2019-03-22  Mark Lam  <mark.lam@apple.com>
148
149         Placate exception check validation in constructJSWebAssemblyLinkError().
150         https://bugs.webkit.org/show_bug.cgi?id=196152
151         <rdar://problem/49145257>
152
153         Reviewed by Michael Saboff.
154
155         * stress/web-assembly-link-error-exception-check.js: Added.
156
157 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
158
159         Skip tests running out of memory on ARM/MIPS
160         https://bugs.webkit.org/show_bug.cgi?id=196131
161
162         Unreviewed. Skip test if memory is limited.
163
164         * microbenchmarks/put-by-val-direct-large-index.js:
165
166 2019-03-21  Mark Lam  <mark.lam@apple.com>
167
168         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
169         https://bugs.webkit.org/show_bug.cgi?id=196116
170         <rdar://problem/48976951>
171
172         Reviewed by Filip Pizlo.
173
174         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
175
176 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
177
178         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
179         https://bugs.webkit.org/show_bug.cgi?id=196078
180         <rdar://problem/35925380>
181
182         Reviewed by Mark Lam.
183
184         Add a new benchmark that allocates several objects and invokes put_by_val_direct
185         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
186
187         * microbenchmarks/put-by-val-direct-large-index.js: Added.
188
189 2019-03-21  Mark Lam  <mark.lam@apple.com>
190
191         Placate exception check validation in operationArrayIndexOfString().
192         https://bugs.webkit.org/show_bug.cgi?id=196067
193         <rdar://problem/49056572>
194
195         Reviewed by Michael Saboff.
196
197         * stress/string-equal-exception-check.js: Added.
198
199 2019-03-21  Mark Lam  <mark.lam@apple.com>
200
201         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
202         https://bugs.webkit.org/show_bug.cgi?id=196055
203         <rdar://problem/49067448>
204
205         Reviewed by Yusuke Suzuki.
206
207         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
208
209 2019-03-20  Saam Barati  <sbarati@apple.com>
210
211         typeOfDoubleSum is wrong for when NaN can be produced
212         https://bugs.webkit.org/show_bug.cgi?id=196030
213
214         Reviewed by Filip Pizlo.
215
216         * stress/double-add-sub-mul-can-produce-nan.js: Added.
217         (assert):
218         (noInline.sub):
219         (noInline):
220         (assert.mul):
221         (assert.add):
222
223 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
224
225         Update the test to ensure OutOfMemoryError is thrown as intended
226         https://bugs.webkit.org/show_bug.cgi?id=196032
227         <rdar://problem/46842740>
228
229         Rubber stamped by Saam Barati.
230
231         * stress/create-error-out-of-memory-rope-string.js:
232         (assert):
233         (catch):
234
235 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
236
237         JSC::createError needs to check for OOM in errorDescriptionForValue
238         https://bugs.webkit.org/show_bug.cgi?id=196032
239         <rdar://problem/46842740>
240
241         Reviewed by Mark Lam.
242
243         * stress/create-error-out-of-memory-rope-string.js: Added.
244
245 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
246
247         Unreviewed, reduce # of iterations to avoid timing out after r242991
248         https://bugs.webkit.org/show_bug.cgi?id=195791
249
250         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
251
252         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
253
254 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
255
256         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
257         https://bugs.webkit.org/show_bug.cgi?id=195950
258
259         Unreviewed, reducing the amount of memory used on this test to avoid
260         OOM on devices with memory restrictions.
261
262         * microbenchmarks/generate-multiple-llint-entrypoints.js:
263
264 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
265
266         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
267         https://bugs.webkit.org/show_bug.cgi?id=194648
268
269         Reviewed by Keith Miller.
270
271         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
272
273 2019-03-18  Mark Lam  <mark.lam@apple.com>
274
275         Missing a ThrowScope release in JSObject::toString().
276         https://bugs.webkit.org/show_bug.cgi?id=195893
277         <rdar://problem/48970986>
278
279         Reviewed by Michael Saboff.
280
281         * stress/to-string-exception-check-release.js: Added.
282
283 2019-03-18  Mark Lam  <mark.lam@apple.com>
284
285         Structure::flattenDictionary() should clear unused property slots.
286         https://bugs.webkit.org/show_bug.cgi?id=195871
287         <rdar://problem/48959497>
288
289         Reviewed by Michael Saboff.
290
291         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
292
293 2019-03-15  Mark Lam  <mark.lam@apple.com>
294
295         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
296         https://bugs.webkit.org/show_bug.cgi?id=195827
297         <rdar://problem/48845513>
298
299         Reviewed by Filip Pizlo.
300
301         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
302
303 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
304
305         [ARM,MIPS] Skip slow tests
306         https://bugs.webkit.org/show_bug.cgi?id=195799
307
308         Unreviewed, test does not finish on ARM and MIPS within the
309         timeout limit.
310
311         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
312
313 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
314
315         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
316         https://bugs.webkit.org/show_bug.cgi?id=195791
317         <rdar://problem/48806130>
318
319         Reviewed by Mark Lam.
320
321         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
322         (foo):
323
324 2019-03-14  Saam barati  <sbarati@apple.com>
325
326         We can't remove code after ForceOSRExit until after FixupPhase
327         https://bugs.webkit.org/show_bug.cgi?id=186916
328         <rdar://problem/41396612>
329
330         Reviewed by Yusuke Suzuki.
331
332         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
333         (foo):
334         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
335         (foo):
336
337 2019-03-13  Michael Saboff  <msaboff@apple.com>
338
339         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
340         https://bugs.webkit.org/show_bug.cgi?id=195735
341
342         Reviewed by Mark Lam.
343
344         New regression test.
345
346         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
347         (foo):
348         (bar):
349
350 2019-03-14  Saam barati  <sbarati@apple.com>
351
352         Fixup uses KnownInt32 incorrectly in some nodes
353         https://bugs.webkit.org/show_bug.cgi?id=195279
354         <rdar://problem/47915654>
355
356         Reviewed by Yusuke Suzuki.
357
358         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
359         (foo):
360
361 2019-03-14  Keith Miller  <keith_miller@apple.com>
362
363         DFG liveness can't skip tail caller inline frames
364         https://bugs.webkit.org/show_bug.cgi?id=195715
365
366         Reviewed by Saam Barati.
367
368         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
369         (i.foo):
370
371 2019-03-13  Mark Lam  <mark.lam@apple.com>
372
373         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
374         https://bugs.webkit.org/show_bug.cgi?id=195415
375
376         Not reviewed.
377
378         Changed these tests to only run the default configuration.
379         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
380         There's no strong need to run this test on that variant.
381
382         * stress/dfg-to-string-on-int-does-gc.js:
383         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
384
385 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
386
387         String overflow when using StringBuilder in JSC::createError
388         https://bugs.webkit.org/show_bug.cgi?id=194957
389
390         Reviewed by Mark Lam.
391
392         Add test string-overflow-createError-builder.js that overflows
393         StringBuilder in notAFunctionSourceAppender. The second new test
394         string-overflow-createError-fit.js has an error message that doesn't
395         overflow, it still failed since the String's capacity can't be doubled.
396         Run test string-overflow-createError.js only in the default
397         configuration to reduce memory consumption when running the test
398         in all configurations on multiple CPUs in parallel.
399
400         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
401         (catch):
402         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
403         (catch):
404         * stress/string-overflow-createError.js:
405
406 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
407
408         [JSC] OSR entry should respect abstract values in addition to flush formats
409         https://bugs.webkit.org/show_bug.cgi?id=195653
410
411         Reviewed by Mark Lam.
412
413         * stress/osr-entry-locals-none.js: Added.
414
415 2019-03-12  Michael Saboff  <msaboff@apple.com>
416
417         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
418         https://bugs.webkit.org/show_bug.cgi?id=195613
419
420         Reviewed by Mark Lam.
421
422         New regression test.
423
424         * stress/regexp-backref-inbounds.js: Added.
425         (testRegExp):
426
427 2019-03-12  Mark Lam  <mark.lam@apple.com>
428
429         The HasIndexedProperty node does GC.
430         https://bugs.webkit.org/show_bug.cgi?id=195559
431         <rdar://problem/48767923>
432
433         Reviewed by Yusuke Suzuki.
434
435         * stress/HasIndexedProperty-does-gc.js: Added.
436
437 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
438
439         [ESNext][BigInt] Implement "~" unary operation
440         https://bugs.webkit.org/show_bug.cgi?id=182216
441
442         Reviewed by Keith Miller.
443
444         * stress/big-int-bit-not-general.js: Added.
445         * stress/big-int-bitwise-not-jit.js: Added.
446         * stress/big-int-bitwise-not-wrapped-value.js: Added.
447         * stress/bit-op-with-object-returning-int32.js:
448         * stress/bitwise-not-fixup-rules.js: Added.
449         * stress/value-bit-not-ai-rule.js: Added.
450
451 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
452
453         Invalid flags in a RegExp literal should be an early SyntaxError
454         https://bugs.webkit.org/show_bug.cgi?id=195514
455
456         Reviewed by Darin Adler.
457
458         * test262/expectations.yaml:
459         Mark 4 test cases as passing.
460
461         * stress/regexp-syntax-error-invalid-flags.js:
462         * stress/regress-161995.js: Removed.
463         Update existing test, merging in an older test for the same behavior.
464
465 2019-03-08  Mark Lam  <mark.lam@apple.com>
466
467         Stack overflow crash in JSC::JSObject::hasInstance.
468         https://bugs.webkit.org/show_bug.cgi?id=195458
469         <rdar://problem/48710195>
470
471         Reviewed by Yusuke Suzuki.
472
473         * stress/stack-overflow-in-custom-hasInstance.js: Added.
474
475 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
476
477         op_check_tdz does not def its argument
478         https://bugs.webkit.org/show_bug.cgi?id=192880
479         <rdar://problem/46221598>
480
481         Reviewed by Saam Barati.
482
483         * microbenchmarks/let-for-in.js: Added.
484         (foo):
485
486 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
487
488         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
489         https://bugs.webkit.org/show_bug.cgi?id=195429
490
491         Reviewed by Saam Barati.
492
493         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
494         (foo):
495         * stress/string-from-char-code-255.js: Added.
496
497 2019-03-06  Mark Lam  <mark.lam@apple.com>
498
499         Fix incorrect handling of try-finally completion values.
500         https://bugs.webkit.org/show_bug.cgi?id=195131
501         <rdar://problem/46222079>
502
503         Reviewed by Saam Barati and Yusuke Suzuki.
504
505         Added many permutations of new test case to test-finally.js.  test-finally.js has
506         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
507         tests pass there as well.
508
509         * stress/test-finally.js:
510
511 2019-03-06  Saam Barati  <sbarati@apple.com>
512
513         Air::reportUsedRegisters must padInterference
514         https://bugs.webkit.org/show_bug.cgi?id=195303
515         <rdar://problem/48270343>
516
517         Reviewed by Keith Miller.
518
519         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
520
521 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
522
523         [JSC] AI should not propagate AbstractValue relying on constant folding phase
524         https://bugs.webkit.org/show_bug.cgi?id=195375
525
526         Reviewed by Saam Barati.
527
528         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
529         (let.array):
530
531 2019-03-05  Saam barati  <sbarati@apple.com>
532
533         op_switch_char broken for rope strings after JSRopeString layout rewrite
534         https://bugs.webkit.org/show_bug.cgi?id=195339
535         <rdar://problem/48592545>
536
537         Reviewed by Yusuke Suzuki.
538
539         * stress/switch-on-char-llint-rope.js: Added.
540
541 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
542
543         [JSC] Store bits for JSRopeString in 3 stores
544         https://bugs.webkit.org/show_bug.cgi?id=195234
545
546         Reviewed by Saam Barati.
547
548         * stress/null-rope-and-collectors.js: Added.
549
550 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
551
552         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
553         https://bugs.webkit.org/show_bug.cgi?id=195207
554
555         Unreviewed. After test runtime was reduced in r242213, test can be
556         run again on ARM/MIPS.
557
558         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
559
560 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
561
562         [JSC] sizeof(JSString) should be 16
563         https://bugs.webkit.org/show_bug.cgi?id=194375
564
565         Reviewed by Saam Barati.
566
567         * microbenchmarks/make-rope.js: Added.
568         (makeRope):
569         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
570         (returnRope.helper): Deleted.
571         (returnRope): Deleted.
572
573 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
574
575         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
576         https://bugs.webkit.org/show_bug.cgi?id=195144
577
578         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
579         Change the number from 1e8 to 1e5.
580
581         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
582         (foo):
583
584 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
585
586         Test times out on ARM/MIPS
587         https://bugs.webkit.org/show_bug.cgi?id=195168
588
589         Unreviewed. Skip test on ARM/MIPS.
590
591         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
592
593 2019-02-27  Mark Lam  <mark.lam@apple.com>
594
595         The parser is failing to record the token location of new in new.target.
596         https://bugs.webkit.org/show_bug.cgi?id=195127
597         <rdar://problem/39645578>
598
599         Reviewed by Yusuke Suzuki.
600
601         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
602
603 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
604
605         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
606         https://bugs.webkit.org/show_bug.cgi?id=195144
607         <rdar://problem/47595961>
608
609         Reviewed by Mark Lam.
610
611         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
612         (bar):
613         (foo):
614         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
615         (bar):
616         (foo):
617
618 2019-02-27  Robin Morisset  <rmorisset@apple.com>
619
620         DFG: Loop-invariant code motion (LICM) should not hoist dead code
621         https://bugs.webkit.org/show_bug.cgi?id=194945
622         <rdar://problem/48311657>
623
624         Reviewed by Mark Lam.
625
626         * stress/licm-dead-code.js: Added.
627
628 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
629
630         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
631         https://bugs.webkit.org/show_bug.cgi?id=194677
632         <rdar://problem/48112492>
633
634         Reviewed by Mark Lam.
635
636         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
637         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
638         it immediately fails due to the large size.
639
640         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
641         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
642         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
643         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
644
645         This patch changes the test to produce 16bit string from String.fromCharCode.
646
647         * stress/regress-178386.js:
648
649 2019-02-26  Mark Lam  <mark.lam@apple.com>
650
651         wasmToJS() should purify incoming NaNs.
652         https://bugs.webkit.org/show_bug.cgi?id=194807
653         <rdar://problem/48189132>
654
655         Reviewed by Saam Barati.
656
657         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
658
659 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
660
661         [JSC] Repeat string created from Array.prototype.join() take too much memory
662         https://bugs.webkit.org/show_bug.cgi?id=193912
663
664         Reviewed by Saam Barati.
665
666         Added a test and a microbenchmark for corner cases of
667         Array.prototype.join() with an uninitialized array.
668
669         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
670         * stress/array-prototype-join-uninitialized.js: Added.
671         (testArray):
672         (testABC):
673         (B):
674         (C):
675
676 2019-02-22  Robin Morisset  <rmorisset@apple.com>
677
678         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
679         https://bugs.webkit.org/show_bug.cgi?id=194953
680         <rdar://problem/47595253>
681
682         Reviewed by Saam Barati.
683
684         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
685
686         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
687
688 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
689
690         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
691         https://bugs.webkit.org/show_bug.cgi?id=172848
692         <rdar://problem/25709212>
693
694         Reviewed by Mark Lam.
695
696         * typeProfiler/inheritance.js:
697         Rewrite the test slightly for clarity. The hoisting was confusing.
698
699         * heapProfiler/class-names.js: Added.
700         (MyES5Class):
701         (MyES6Class):
702         (MyES6Subclass):
703         Test object types and improved class names.
704
705         * heapProfiler/driver/driver.js:
706         (CheapHeapSnapshotNode):
707         (CheapHeapSnapshot):
708         (createCheapHeapSnapshot):
709         (HeapSnapshot):
710         (createHeapSnapshot):
711         Update snapshot parsing from version 1 to version 2.
712
713 2019-02-19  Truitt Savell  <tsavell@apple.com>
714
715         Unreviewed, rolling out r241784.
716
717         Broke all OpenSource builds.
718
719         Reverted changeset:
720
721         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
722         instances view"
723         https://bugs.webkit.org/show_bug.cgi?id=172848
724         https://trac.webkit.org/changeset/241784
725
726 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
727
728         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
729         https://bugs.webkit.org/show_bug.cgi?id=172848
730         <rdar://problem/25709212>
731
732         Reviewed by Mark Lam.
733
734         * typeProfiler/inheritance.js:
735         Rewrite the test slightly for clarity. The hoisting was confusing.
736
737         * heapProfiler/class-names.js: Added.
738         (MyES5Class):
739         (MyES6Class):
740         (MyES6Subclass):
741         Test object types and improved class names.
742
743         * heapProfiler/driver/driver.js:
744         (CheapHeapSnapshotNode):
745         (CheapHeapSnapshot):
746         (createCheapHeapSnapshot):
747         (HeapSnapshot):
748         (createHeapSnapshot):
749         Update snapshot parsing from version 1 to version 2.
750
751 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
752
753         [ARM] Fix crash with sampling profiler
754         https://bugs.webkit.org/show_bug.cgi?id=194772
755
756         Reviewed by Mark Lam.
757
758         Do not skip test since crash with sampling profiler is now fixed.
759
760         * stress/sampling-profiler-richards.js:
761
762 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
763
764         [JSC] Add LazyClassStructure::getInitializedOnMainThread
765         https://bugs.webkit.org/show_bug.cgi?id=194784
766         <rdar://problem/48154820>
767
768         Reviewed by Mark Lam.
769
770         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
771         (getProperties):
772         (getRandomProperty):
773         (i.catch):
774
775 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
776
777         [ARM] Test gardening: Test running out of executable memory
778         https://bugs.webkit.org/show_bug.cgi?id=194771
779
780         Unreviewed. Do not run test without LLInt, test is running out of executable
781         memory on ARM otherwise.
782
783         * stress/tagged-template-object-collect.js:
784
785 2019-02-18  Tomas Popela  <tpopela@redhat.com>
786
787         Unreviewed, skip the test on platforms without sampling profiler
788
789         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
790         (platformSupportsSamplingProfiler.foo):
791         (platformSupportsSamplingProfiler.test):
792         (platformSupportsSamplingProfiler):
793         (foo): Deleted.
794         (test): Deleted.
795
796 2019-02-17  Saam Barati  <sbarati@apple.com>
797
798         Deadlock when adding a Structure property transition and then doing incremental marking
799         https://bugs.webkit.org/show_bug.cgi?id=194767
800
801         Reviewed by Mark Lam.
802
803         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
804
805 2019-02-15  Michael Saboff  <msaboff@apple.com>
806
807         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
808         https://bugs.webkit.org/show_bug.cgi?id=194558
809
810         Reviewed by Saam Barati.
811
812         New regression test.
813
814         * stress/regexp-unicode-within-string.js: Added.
815
816 2019-02-15  Mark Lam  <mark.lam@apple.com>
817
818         SamplingProfiler::stackTracesAsJSON() should escape strings.
819         https://bugs.webkit.org/show_bug.cgi?id=194649
820         <rdar://problem/48072386>
821
822         Reviewed by Saam Barati.
823
824         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
825         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
826         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
827         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
828
829 2019-02-15  Robin Morisset  <rmorisset@apple.com>
830         CodeBlock::jettison should clear related watchpoints
831         https://bugs.webkit.org/show_bug.cgi?id=194544
832
833         Reviewed by Mark Lam.
834
835         * stress/regexp-replace-double-watchpoint.js: Added.
836         (foo):
837
838 2019-02-15  Saam barati  <sbarati@apple.com>
839
840         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
841         https://bugs.webkit.org/show_bug.cgi?id=194036
842
843         Reviewed by Yusuke Suzuki.
844
845         * stress/tail-call-many-arguments.js: Added.
846         (foo):
847         (bar):
848
849 2019-02-14  Saam Barati  <sbarati@apple.com>
850
851         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
852         https://bugs.webkit.org/show_bug.cgi?id=194583
853         <rdar://problem/48028140>
854
855         Reviewed by Yusuke Suzuki.
856
857         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
858
859 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
860
861         [JSC] String.fromCharCode's slow path always generates 16bit string
862         https://bugs.webkit.org/show_bug.cgi?id=194466
863
864         Reviewed by Keith Miller.
865
866         * stress/string-from-char-code-slow-path.js: Added.
867         (shouldBe):
868         (testWithLength):
869
870 2019-02-08  Saam Barati  <sbarati@apple.com>
871
872         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
873         https://bugs.webkit.org/show_bug.cgi?id=194334
874         <rdar://problem/47844327>
875
876         Reviewed by Mark Lam.
877
878         * stress/check-in-bounds-should-be-a-child-use.js: Added.
879         (func):
880
881 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
882
883         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
884         https://bugs.webkit.org/show_bug.cgi?id=194369
885         <rdar://problem/47813087>
886
887         Reviewed by Saam Barati.
888
889         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
890         (A):
891
892 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
893
894         [JSC] PrivateName to PublicName hash table is wasteful
895         https://bugs.webkit.org/show_bug.cgi?id=194277
896
897         Reviewed by Michael Saboff.
898
899         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
900
901         * ChakraCore.yaml:
902
903 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
904
905         [ARM] Test running out of executable memory
906         https://bugs.webkit.org/show_bug.cgi?id=194285
907
908         Unreviewed. Do not execute test with LLInt disabled, test runs out of
909         executable memory otherwise.
910
911         * stress/class-subclassing-function.js:
912
913 2019-02-04  Robin Morisset  <rmorisset@apple.com>
914
915         when lowering AssertNotEmpty, create the value before creating the patchpoint
916         https://bugs.webkit.org/show_bug.cgi?id=194231
917
918         Reviewed by Saam Barati.
919
920         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
921         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
922         So even tiny changes to this test can change the code path taken.
923
924         * stress/assert-not-empty.js: Added.
925         (foo):
926
927 2019-02-01  Mark Lam  <mark.lam@apple.com>
928
929         Remove invalid assertion in DFG's compileDoubleRep().
930         https://bugs.webkit.org/show_bug.cgi?id=194130
931         <rdar://problem/47699474>
932
933         Reviewed by Saam Barati.
934
935         * stress/constant-fold-double-rep-into-double-constant.js: Added.
936
937 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
938
939         Import latest Test262 updates.
940
941         Rubber-stamped by Keith Miller.
942
943         * test262.yaml: Deleted.
944         * test262/config.yaml:
945         * test262/expectations.yaml:
946         * test262/latest-changes-summary.txt:
947         * test262/test/:
948         * test262/test262-Revision.txt:
949
950 2019-01-30  Robin Morisset  <rmorisset@apple.com>
951
952         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
953         https://bugs.webkit.org/show_bug.cgi?id=194050
954         <rdar://problem/47595592>
955
956         Reviewed by Yusuke Suzuki.
957
958         * stress/object-keys-osr-exit.js: Added.
959         (foo):
960         (catch):
961
962 2019-01-29  Mark Lam  <mark.lam@apple.com>
963
964         ValueRecovery::recover() should purify NaN values it recovers.
965         https://bugs.webkit.org/show_bug.cgi?id=193978
966         <rdar://problem/47625488>
967
968         Reviewed by Saam Barati.
969
970         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
971
972 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
973
974         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
975         https://bugs.webkit.org/show_bug.cgi?id=193713
976
977         * stress/try-get-by-id-should-spill-registers-dfg.js:
978         (let.f.createBuiltin):
979
980 2019-01-28  Mark Lam  <mark.lam@apple.com>
981
982         ToString node actually does GC.
983         https://bugs.webkit.org/show_bug.cgi?id=193920
984         <rdar://problem/46695900>
985
986         Reviewed by Yusuke Suzuki.
987
988         * stress/dfg-to-string-on-int-does-gc.js: Added.
989         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
990         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
991
992 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
993
994         [JSC] NativeErrorConstructor should not have own IsoSubspace
995         https://bugs.webkit.org/show_bug.cgi?id=193713
996
997         Reviewed by Saam Barati.
998
999         Remove @Error use.
1000
1001         * stress/try-get-by-id-should-spill-registers-dfg.js:
1002         (let.f.createBuiltin):
1003
1004 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1005
1006         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1007         https://bugs.webkit.org/show_bug.cgi?id=190693
1008
1009         Reviewed by Michael Saboff.
1010
1011         * stress/regress-190693.js: Added.
1012         (truth):
1013         (assert):
1014         (shouldThrowInvalidConstAssignment):
1015         (taz):
1016
1017 2019-01-24  Saam Barati  <sbarati@apple.com>
1018
1019         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1020         https://bugs.webkit.org/show_bug.cgi?id=193751
1021         <rdar://problem/47280215>
1022
1023         Reviewed by Michael Saboff.
1024
1025         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1026         (let.thing):
1027         (foo.let.hello):
1028         (foo):
1029
1030 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1031
1032         [JSC] Reenable baseline JIT on mips
1033         https://bugs.webkit.org/show_bug.cgi?id=192983
1034
1035         Reviewed by Mark Lam.
1036
1037         Added a new test for a case that was triggering a RELEASE_ASSERT when
1038         testing.
1039         Disable some slow tests that were already disabled for arm and x86.
1040
1041         * stress/json-parse-big-object.js: Added.
1042         * stress/new-largeish-contiguous-array-with-size.js:
1043         * stress/op_add.js:
1044         * stress/op_bitand.js:
1045         * stress/op_bitor.js:
1046         * stress/op_bitxor.js:
1047         * stress/op_lshift-ConstVar.js:
1048         * stress/op_lshift-VarConst.js:
1049         * stress/op_lshift-VarVar.js:
1050         * stress/op_mod-ConstVar.js:
1051         * stress/op_mod-VarConst.js:
1052         * stress/op_mod-VarVar.js:
1053         * stress/op_mul-ConstVar.js:
1054         * stress/op_mul-VarConst.js:
1055         * stress/op_mul-VarVar.js:
1056         * stress/op_rshift-ConstVar.js:
1057         * stress/op_rshift-VarConst.js:
1058         * stress/op_rshift-VarVar.js:
1059         * stress/op_sub-ConstVar.js:
1060         * stress/op_sub-VarConst.js:
1061         * stress/op_sub-VarVar.js:
1062         * stress/op_urshift-ConstVar.js:
1063         * stress/op_urshift-VarConst.js:
1064         * stress/op_urshift-VarVar.js:
1065         * stress/sampling-profiler-richards.js:
1066         * stress/spread-forward-call-varargs-stack-overflow.js:
1067
1068 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1069
1070         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1071         https://bugs.webkit.org/show_bug.cgi?id=193711
1072         <rdar://problem/47250262>
1073
1074         Reviewed by Saam Barati.
1075
1076         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1077         (shouldBe):
1078         (foo):
1079         (bar):
1080         (baz):
1081
1082 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1083
1084         Unreviewed, fix initial global lexical binding epoch
1085         https://bugs.webkit.org/show_bug.cgi?id=193603
1086         <rdar://problem/47380869>
1087
1088         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1089         (f1.f2.f3.f4):
1090         (f1.f2.f3):
1091         (f1.f2):
1092         (f1):
1093
1094 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1095
1096         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1097         https://bugs.webkit.org/show_bug.cgi?id=193709
1098         <rdar://problem/47363838>
1099
1100         Unreviewed, rollout to watch the tests.
1101
1102         * stress/object-tostring-changed-proto.js: Removed.
1103         * stress/object-tostring-changed.js: Removed.
1104         * stress/object-tostring-misc.js: Removed.
1105         * stress/object-tostring-other.js: Removed.
1106         * stress/object-tostring-untyped.js: Removed.
1107
1108 2019-01-22  Saam Barati  <sbarati@apple.com>
1109
1110         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1111
1112         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1113         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1114         (testUncheckedLessThanZero):
1115         (testUncheckedLessThanOrEqualZero):
1116         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1117         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1118
1119 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1120
1121         [JSC] Invalidate old scope operations using global lexical binding epoch
1122         https://bugs.webkit.org/show_bug.cgi?id=193603
1123         <rdar://problem/47380869>
1124
1125         Reviewed by Saam Barati.
1126
1127         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1128         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1129         (shouldThrow):
1130         (bar):
1131         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1132         (shouldBe):
1133         (get1):
1134         (get2):
1135         (get1If):
1136         (get2If):
1137         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1138         (shouldThrow):
1139         (foo):
1140
1141 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1142
1143         Unreviewed, roll out r240220 due to date-format-xparb regression
1144         https://bugs.webkit.org/show_bug.cgi?id=193603
1145
1146         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1147         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1148         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1149         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1150
1151 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1152
1153         DoesGC rule is wrong for nodes with BigIntUse
1154         https://bugs.webkit.org/show_bug.cgi?id=193652
1155
1156         Reviewed by Saam Barati.
1157
1158         * stress/big-int-value-op-update-gc-rules.js: Added.
1159         (assert):
1160         (doesGCAdd):
1161         (doesGCSub):
1162         (doesGCDiv):
1163         (doesGCMul):
1164         (doesGCBitAnd):
1165         (doesGCBitOr):
1166         (doesGCBitXor):
1167
1168 2019-01-20  Saam Barati  <sbarati@apple.com>
1169
1170         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1171         https://bugs.webkit.org/show_bug.cgi?id=193644
1172         <rdar://problem/46209745>
1173
1174         Reviewed by Yusuke Suzuki.
1175
1176         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1177         (foo):
1178         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1179         (foo):
1180         (bar):
1181
1182 2019-01-20  Saam Barati  <sbarati@apple.com>
1183
1184         MovHint must merge NodeBytecodeUsesAsValue for its child
1185         https://bugs.webkit.org/show_bug.cgi?id=186916
1186         <rdar://problem/41396612>
1187
1188         Reviewed by Yusuke Suzuki.
1189
1190         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1191         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1192
1193 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1194
1195         [JSC] Invalidate old scope operations using global lexical binding epoch
1196         https://bugs.webkit.org/show_bug.cgi?id=193603
1197         <rdar://problem/47380869>
1198
1199         Reviewed by Saam Barati.
1200
1201         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1202         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1203         (shouldThrow):
1204         (bar):
1205         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1206         (shouldBe):
1207         (get1):
1208         (get2):
1209         (get1If):
1210         (get2If):
1211         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1212         (shouldThrow):
1213         (foo):
1214
1215 2019-01-17  Saam Barati  <sbarati@apple.com>
1216
1217         StringObjectUse should not be a structure check for the original string object structure
1218         https://bugs.webkit.org/show_bug.cgi?id=193483
1219         <rdar://problem/47280522>
1220
1221         Reviewed by Yusuke Suzuki.
1222
1223         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1224         (foo):
1225         (a.valueOf.0):
1226
1227 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1228
1229         [JSC] ToThis omission in DFGByteCodeParser is wrong
1230         https://bugs.webkit.org/show_bug.cgi?id=193513
1231         <rdar://problem/45842236>
1232
1233         Reviewed by Saam Barati.
1234
1235         * stress/to-this-omission-with-different-strict-modes.js: Added.
1236         (thisA):
1237         (thisAStrictWrapper):
1238
1239 2019-01-15  Mark Lam  <mark.lam@apple.com>
1240
1241         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1242         https://bugs.webkit.org/show_bug.cgi?id=193423
1243         <rdar://problem/46209355>
1244
1245         Reviewed by Saam Barati.
1246
1247         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1248         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1249         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1250         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1251
1252 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1253
1254         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1255         https://bugs.webkit.org/show_bug.cgi?id=193438
1256         <rdar://problem/45581249>
1257
1258         Reviewed by Saam Barati and Keith Miller.
1259
1260         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1261         Then, GetByVal(String) crashed.
1262
1263         * stress/string-get-by-val-lowering.js: Added.
1264         (shouldBe):
1265         (test):
1266         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1267         (Hello):
1268         (foo):
1269
1270 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1271
1272         Unreviewed, skip JIT tests if it's not enabled
1273
1274         * stress/bit-op-with-object-returning-int32.js:
1275
1276 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1277
1278         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1279         https://bugs.webkit.org/show_bug.cgi?id=192966
1280
1281         Reviewed by Yusuke Suzuki.
1282
1283         * stress/bit-op-with-object-returning-int32.js: Added.
1284
1285 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1286
1287         Skip a slow test and a flakey test on arm
1288
1289         Unreviewed gardening.
1290
1291         * typeProfiler/getter-richards.js:
1292         this test always times out, it used to be always skipped on arm and
1293         mips, but got accidentally enabled by r237919 now that we have DFG on
1294         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1295
1296 2019-01-14  Keith Miller  <keith_miller@apple.com>
1297
1298         Skip type-check-hoisting-phase-hoist... with no jit
1299         https://bugs.webkit.org/show_bug.cgi?id=193421
1300
1301         Reviewed by Mark Lam.
1302
1303         It's timing out the 32-bit bots and takes 330 seconds
1304         on my machine when run by itself.
1305
1306         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1307
1308 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1309
1310         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1311         https://bugs.webkit.org/show_bug.cgi?id=193413
1312         <rdar://problem/46092389>
1313
1314         Reviewed by Keith Miller.
1315
1316         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1317         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1318         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1319         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1320
1321         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1322         (compareArray):
1323
1324 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1325
1326         [BigInt] Literal parsing is crashing when used inside a Object Literal
1327         https://bugs.webkit.org/show_bug.cgi?id=193404
1328
1329         Reviewed by Yusuke Suzuki.
1330
1331         * stress/big-int-literal-inside-literal-object.js: Added.
1332
1333 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1334
1335         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1336         https://bugs.webkit.org/show_bug.cgi?id=193372
1337
1338         Reviewed by Saam Barati.
1339
1340         * stress/typed-array-array-modes-profile.js: Added.
1341         (foo):
1342
1343 2019-01-14  Mark Lam  <mark.lam@apple.com>
1344
1345         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1346         https://bugs.webkit.org/show_bug.cgi?id=193402
1347         <rdar://problem/46012309>
1348
1349         Reviewed by Keith Miller.
1350
1351         * stress/regexp-compile-oom.js:
1352         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1353           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1354
1355 2019-01-11  Saam Barati  <sbarati@apple.com>
1356
1357         DFG combined liveness can be wrong for terminal basic blocks
1358         https://bugs.webkit.org/show_bug.cgi?id=193304
1359         <rdar://problem/45268632>
1360
1361         Reviewed by Yusuke Suzuki.
1362
1363         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1364
1365 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1366
1367         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1368         https://bugs.webkit.org/show_bug.cgi?id=193308
1369         <rdar://problem/45546542>
1370
1371         Reviewed by Saam Barati.
1372
1373         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1374         (shouldThrow):
1375         (shouldBe):
1376         (foo):
1377         (get shouldThrow):
1378         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1379         (shouldThrow):
1380         (shouldBe):
1381         (foo):
1382         (get shouldBe):
1383         (get shouldThrow):
1384         (get return):
1385         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1386         (shouldThrow):
1387         (shouldBe):
1388         (foo):
1389         (get shouldBe):
1390         (get shouldThrow):
1391         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1392         (shouldThrow):
1393         (shouldBe):
1394         (foo):
1395         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1396         (shouldThrow):
1397         (shouldBe):
1398         (foo):
1399         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1400         (shouldThrow):
1401         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1402         (shouldThrow):
1403         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1404         (shouldThrow):
1405         (shouldBe):
1406         (foo):
1407         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1408         (shouldThrow):
1409         (shouldBe):
1410         (foo):
1411         (get shouldBe):
1412         (get shouldThrow):
1413         (get return):
1414         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1415         (shouldThrow):
1416         (shouldBe):
1417         (foo):
1418         (get shouldBe):
1419         (get shouldThrow):
1420         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1421         (shouldThrow):
1422         (shouldBe):
1423         (foo):
1424         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1425         (shouldThrow):
1426         (shouldBe):
1427         (foo):
1428
1429 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1430
1431         Enable DFG on ARM/Linux again
1432         https://bugs.webkit.org/show_bug.cgi?id=192496
1433
1434         Reviewed by Yusuke Suzuki.
1435
1436         Test wasn't really skipped before moving the line with skip
1437         to the top.
1438
1439         * stress/regress-192717.js:
1440
1441 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1442
1443         Unreviewed, rolling out r239825.
1444         https://bugs.webkit.org/show_bug.cgi?id=193330
1445
1446         Broke tests on armv7/linux bots (Requested by guijemont on
1447         #webkit).
1448
1449         Reverted changeset:
1450
1451         "Enable DFG on ARM/Linux again"
1452         https://bugs.webkit.org/show_bug.cgi?id=192496
1453         https://trac.webkit.org/changeset/239825
1454
1455 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1456
1457         Enable DFG on ARM/Linux again
1458         https://bugs.webkit.org/show_bug.cgi?id=192496
1459
1460         Reviewed by Yusuke Suzuki.
1461
1462         Test wasn't really skipped before moving the line with skip
1463         to the top.
1464
1465         * stress/regress-192717.js:
1466
1467 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1468
1469         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1470         https://bugs.webkit.org/show_bug.cgi?id=193127
1471
1472         Reviewed by Saam Barati.
1473
1474         * stress/array-species-create-should-handle-masquerader.js: Added.
1475         (shouldThrow):
1476         * stress/is-undefined-or-null-builtin.js: Added.
1477         (shouldBe):
1478         (isUndefinedOrNull.vm.createBuiltin):
1479
1480 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1481
1482         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1483         https://bugs.webkit.org/show_bug.cgi?id=193221
1484
1485         Reviewed by Mark Lam.
1486
1487         * stress/put-by-id-flags.js: Added.
1488         (f):
1489         (g):
1490         (numberOfDFGCompiles):
1491
1492 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1493
1494         Baseline version of get_by_id may corrupt metadata
1495         https://bugs.webkit.org/show_bug.cgi?id=193085
1496         <rdar://problem/23453006>
1497
1498         Reviewed by Saam Barati.
1499
1500         * stress/get-by-id-change-mode.js: Added.
1501         (forEach):
1502
1503 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1504
1505         [JSC] Optimize Object.prototype.toString
1506         https://bugs.webkit.org/show_bug.cgi?id=193031
1507
1508         Reviewed by Saam Barati.
1509
1510         * stress/object-tostring-changed-proto.js: Added.
1511         (shouldBe):
1512         (test):
1513         * stress/object-tostring-changed.js: Added.
1514         (shouldBe):
1515         (test):
1516         * stress/object-tostring-misc.js: Added.
1517         (shouldBe):
1518         (test):
1519         (i.switch):
1520         * stress/object-tostring-other.js: Added.
1521         (shouldBe):
1522         (test):
1523         * stress/object-tostring-untyped.js: Added.
1524         (shouldBe):
1525         (test):
1526         (i.switch):
1527
1528 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1529
1530         test262-runner misbehaves when test file YAML has a trailing space
1531         https://bugs.webkit.org/show_bug.cgi?id=193053
1532
1533         Reviewed by Yusuke Suzuki.
1534
1535         * test262/expectations.yaml:
1536         Mark two dozen tests as passing (and correct the output of another).
1537
1538 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1539
1540         Unreviewed, JSTests gardening with memoryLimited
1541
1542         * stress/string-overflow-createError.js:
1543
1544 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1545
1546         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1547         https://bugs.webkit.org/show_bug.cgi?id=193050
1548
1549         Reviewed by Yusuke Suzuki.
1550
1551         * test262.yaml:
1552         * test262/expectations.yaml:
1553         Mark 16 tests as passing.
1554
1555 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1556
1557         [BigInt] Support BigInt in JSON.stringify
1558         https://bugs.webkit.org/show_bug.cgi?id=192624
1559
1560         Reviewed by Saam Barati.
1561
1562         * stress/big-int-json-stringify-to-json.js: Added.
1563         (shouldBe):
1564         (shouldThrow):
1565         (BigInt.prototype.toJSON):
1566         (shouldBe.JSON.stringify):
1567         * stress/big-int-json-stringify.js: Added.
1568         (shouldBe):
1569         (shouldThrow):
1570
1571 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1572
1573         [JSC] Implement "well-formed JSON.stringify" proposal
1574         https://bugs.webkit.org/show_bug.cgi?id=191677
1575
1576         Reviewed by Darin Adler.
1577
1578         * stress/json-surrogate-pair.js: Added.
1579         (shouldBe):
1580         * test262/expectations.yaml:
1581
1582 2018-12-20  Keith Miller  <keith_miller@apple.com>
1583
1584         Add support for globalThis
1585         https://bugs.webkit.org/show_bug.cgi?id=165171
1586
1587         Reviewed by Mark Lam.
1588
1589         * test262/config.yaml:
1590
1591 2018-12-19  Keith Miller  <keith_miller@apple.com>
1592
1593         Update test262 configuration to not run tests dependent on ICU version.
1594         https://bugs.webkit.org/show_bug.cgi?id=192920
1595
1596         Reviewed by Saam Barati.
1597
1598         * test262/expectations.yaml:
1599
1600 2018-12-20  Mark Lam  <mark.lam@apple.com>
1601
1602         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1603         https://bugs.webkit.org/show_bug.cgi?id=192939
1604         <rdar://problem/46869516>
1605
1606         Reviewed by Keith Miller.
1607
1608         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1609
1610 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1611
1612         WTF::String and StringImpl overflow MaxLength
1613         https://bugs.webkit.org/show_bug.cgi?id=192853
1614         <rdar://problem/45726906>
1615
1616         Reviewed by Mark Lam.
1617
1618         * stress/string-16bit-repeat-overflow.js: Added.
1619         (catch):
1620
1621 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1622
1623         Unreviewed follow-up to r192914.
1624
1625         * test262/expectations.yaml:
1626         Add the last 20 missing expectations.
1627
1628 2018-12-19  Keith Miller  <keith_miller@apple.com>
1629
1630         Fix test262 expectations
1631         https://bugs.webkit.org/show_bug.cgi?id=192914
1632
1633         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1634
1635         * test262/expectations.yaml:
1636
1637 2018-12-19  Keith Miller  <keith_miller@apple.com>
1638
1639         Update test262 tests.
1640         https://bugs.webkit.org/show_bug.cgi?id=192907
1641
1642         Rubber stamped by Mark Lam.
1643
1644         * test262/*: Omitted because prepare-changelog crashes.
1645
1646 2018-12-19  Mark Lam  <mark.lam@apple.com>
1647
1648         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1649         https://bugs.webkit.org/show_bug.cgi?id=192464
1650         <rdar://problem/46519455>
1651
1652         Reviewed by Saam Barati.
1653
1654         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1655         microbenchmark.
1656
1657         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1658         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1659
1660 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1661
1662         String overflow in JSC::createError results in ASSERT in WTF::makeString
1663         https://bugs.webkit.org/show_bug.cgi?id=192833
1664         <rdar://problem/45706868>
1665
1666         Reviewed by Mark Lam.
1667
1668         * stress/string-overflow-createError.js: Added.
1669
1670 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1671
1672         Error message for `-x ** y` contains a typo.
1673         https://bugs.webkit.org/show_bug.cgi?id=192832
1674
1675         Reviewed by Saam Barati.
1676
1677         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1678         (assert.assert.return.throws):
1679         * stress/pow-expects-update-expression-on-lhs.js:
1680         (throw.new.Error):
1681         Update test expectations which match against the exact error message.
1682
1683 2018-12-18  Mark Lam  <mark.lam@apple.com>
1684
1685         Gardening: test options fix.
1686         https://bugs.webkit.org/show_bug.cgi?id=192822
1687
1688         Unreviewed.
1689
1690         * stress/json-stringify-string-builder-overflow.js:
1691
1692 2018-12-18  Mark Lam  <mark.lam@apple.com>
1693
1694         JSON.stringify() should throw OOM on StringBuilder overflows.
1695         https://bugs.webkit.org/show_bug.cgi?id=192822
1696         <rdar://problem/46670577>
1697
1698         Reviewed by Saam Barati.
1699
1700         * stress/json-stringify-string-builder-overflow.js: Added.
1701
1702 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1703
1704         Redeclaration of var over let/const/class should be a syntax error.
1705         https://bugs.webkit.org/show_bug.cgi?id=192298
1706
1707         Reviewed by Keith Miller.
1708
1709         * test262.yaml:
1710         * test262/expectations.yaml:
1711         Mark 46 tests as passing.
1712
1713         * stress/block-scope-redeclarations.js:
1714         Add some new tests.
1715
1716         * stress/for-in-invalidate-context-weird-assignments.js:
1717         * stress/for-in-tests.js:
1718         Replace tests for outdated behavior with tests for SyntaxError.
1719
1720         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1721         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1722         Update expectations.
1723
1724 2018-12-18  Mark Lam  <mark.lam@apple.com>
1725
1726         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1727         https://bugs.webkit.org/show_bug.cgi?id=191374
1728         <rdar://problem/46525447>
1729
1730         Reviewed by Yusuke Suzuki.
1731
1732         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1733
1734         * stress/elidable-new-object-roflcopter-then-exit.js:
1735
1736 2018-12-17  Mark Lam  <mark.lam@apple.com>
1737
1738         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1739         https://bugs.webkit.org/show_bug.cgi?id=192019
1740         <rdar://problem/46525456>
1741
1742         Reviewed by Yusuke Suzuki.
1743
1744         The test runs too slow on 32-bit.
1745
1746         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1747
1748 2018-12-17  Mark Lam  <mark.lam@apple.com>
1749
1750         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1751         https://bugs.webkit.org/show_bug.cgi?id=191373
1752         <rdar://problem/46525458>
1753
1754         Reviewed by Yusuke Suzuki.
1755
1756         The test is already slow running with a JIT on 64-bit.  It will always timeout
1757         on 32-bit without a JIT.
1758
1759         * stress/materialize-regexp-cyclic-regexp.js:
1760
1761 2018-12-17  Mark Lam  <mark.lam@apple.com>
1762
1763         Array unshift/shift should not race against the AI in the compiler thread.
1764         https://bugs.webkit.org/show_bug.cgi?id=192795
1765         <rdar://problem/46724263>
1766
1767         Reviewed by Saam Barati.
1768
1769         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1770
1771 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1772
1773         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1774         https://bugs.webkit.org/show_bug.cgi?id=190047
1775
1776         Reviewed by Saam Barati.
1777
1778         * stress/object-keys-cached-zero.js: Added.
1779         (shouldBe):
1780         (test):
1781         * stress/object-keys-changed-attribute.js: Added.
1782         (shouldBe):
1783         (test):
1784         * stress/object-keys-changed-index.js: Added.
1785         (shouldBe):
1786         (test):
1787         * stress/object-keys-changed.js: Added.
1788         (shouldBe):
1789         (test):
1790         * stress/object-keys-indexed-non-cache.js: Added.
1791         (shouldBe):
1792         (test):
1793         * stress/object-keys-overrides-get-property-names.js: Added.
1794         (shouldBe):
1795         (test):
1796         (noInline):
1797
1798 2018-12-17  Mark Lam  <mark.lam@apple.com>
1799
1800         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1801         https://bugs.webkit.org/show_bug.cgi?id=192779
1802         <rdar://problem/46775869>
1803
1804         Reviewed by Saam Barati.
1805
1806         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1807
1808 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1809
1810         Unreviewed test gardening, address a syntax error in a new test.
1811
1812         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1813
1814 2018-12-17  Mark Lam  <mark.lam@apple.com>
1815
1816         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1817         https://bugs.webkit.org/show_bug.cgi?id=192776
1818         <rdar://problem/46772368>
1819
1820         Reviewed by Keith Miller.
1821
1822         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1823
1824 2018-12-17  Mark Lam  <mark.lam@apple.com>
1825
1826         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1827         https://bugs.webkit.org/show_bug.cgi?id=192770
1828         <rdar://problem/46449037>
1829
1830         Reviewed by Keith Miller.
1831
1832         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1833
1834 2018-12-14  Mark Lam  <mark.lam@apple.com>
1835
1836         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1837         https://bugs.webkit.org/show_bug.cgi?id=192717
1838         <rdar://problem/46660677>
1839
1840         Reviewed by Saam Barati.
1841
1842         * stress/regress-192717.js: Added.
1843
1844 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1845
1846         Unreviewed, rolling out r239153, r239154, and r239155.
1847         https://bugs.webkit.org/show_bug.cgi?id=192715
1848
1849         Caused flaky GC-related crashes seen with layout tests
1850         (Requested by ryanhaddad on #webkit).
1851
1852         Reverted changesets:
1853
1854         "[JSC] Optimize Object.keys by caching own keys results in
1855         StructureRareData"
1856         https://bugs.webkit.org/show_bug.cgi?id=190047
1857         https://trac.webkit.org/changeset/239153
1858
1859         "Unreviewed, build fix after r239153"
1860         https://bugs.webkit.org/show_bug.cgi?id=190047
1861         https://trac.webkit.org/changeset/239154
1862
1863         "Unreviewed, build fix after r239153, part 2"
1864         https://bugs.webkit.org/show_bug.cgi?id=190047
1865         https://trac.webkit.org/changeset/239155
1866
1867 2018-12-14  Keith Miller  <keith_miller@apple.com>
1868
1869         Callers of JSString::getIndex should check for OOM exceptions
1870         https://bugs.webkit.org/show_bug.cgi?id=192709
1871
1872         Reviewed by Mark Lam.
1873
1874         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1875
1876 2018-12-13  Mark Lam  <mark.lam@apple.com>
1877
1878         Add a missing exception check.
1879         https://bugs.webkit.org/show_bug.cgi?id=192626
1880         <rdar://problem/46662163>
1881
1882         Reviewed by Keith Miller.
1883
1884         * stress/regress-192626.js: Added.
1885
1886 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1887
1888         [BigInt] Add ValueDiv into DFG
1889         https://bugs.webkit.org/show_bug.cgi?id=186178
1890
1891         Reviewed by Yusuke Suzuki.
1892
1893         * stress/big-int-div-jit-osr.js: Added.
1894         * stress/big-int-div-jit-untyped.js: Added.
1895         * stress/value-div-fixup-int32-big-int.js: Added.
1896
1897 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1898
1899         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1900         https://bugs.webkit.org/show_bug.cgi?id=190047
1901
1902         Reviewed by Keith Miller.
1903
1904         * stress/object-keys-cached-zero.js: Added.
1905         (shouldBe):
1906         (test):
1907         * stress/object-keys-changed-attribute.js: Added.
1908         (shouldBe):
1909         (test):
1910         * stress/object-keys-changed-index.js: Added.
1911         (shouldBe):
1912         (test):
1913         * stress/object-keys-changed.js: Added.
1914         (shouldBe):
1915         (test):
1916         * stress/object-keys-indexed-non-cache.js: Added.
1917         (shouldBe):
1918         (test):
1919         * stress/object-keys-overrides-get-property-names.js: Added.
1920         (shouldBe):
1921         (test):
1922         (noInline):
1923
1924 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1925
1926         [DFG][FTL] Add NewSymbol
1927         https://bugs.webkit.org/show_bug.cgi?id=192620
1928
1929         Reviewed by Saam Barati.
1930
1931         * microbenchmarks/symbol-creation.js: Added.
1932         (test):
1933         * stress/symbol-description-identity.js: Added.
1934         (shouldBe):
1935         (test):
1936         * stress/symbol-identity.js: Added.
1937         (shouldBe):
1938         (test):
1939         * stress/symbol-with-description-throw-error.js: Added.
1940         (shouldBe):
1941         (shouldThrow):
1942         (test):
1943         (object.toString):
1944
1945 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1946
1947         [BigInt] Implement DFG/FTL typeof for BigInt
1948         https://bugs.webkit.org/show_bug.cgi?id=192619
1949
1950         Reviewed by Keith Miller.
1951
1952         * stress/big-int-boolean-proven-type.js: Added.
1953         (assert):
1954         (bool):
1955         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1956         (assert):
1957         (typeOf):
1958         (i.switch):
1959         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1960         (assert):
1961         (typeOf):
1962         * stress/big-int-type-of.js:
1963         (typeOf):
1964         (func):
1965
1966 2018-12-10  Mark Lam  <mark.lam@apple.com>
1967
1968         PropertyAttribute needs a CustomValue bit.
1969         https://bugs.webkit.org/show_bug.cgi?id=191993
1970         <rdar://problem/46264467>
1971
1972         Reviewed by Saam Barati.
1973
1974         * stress/regress-191993.js: Added.
1975
1976 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1977
1978         [BigInt] Add ValueMul into DFG
1979         https://bugs.webkit.org/show_bug.cgi?id=186175
1980
1981         Reviewed by Yusuke Suzuki.
1982
1983         * stress/big-int-mul-jit-osr.js: Added.
1984         * stress/big-int-mul-jit-untyped.js: Added.
1985         * stress/value-mul-fixup-int32-big-int.js: Added.
1986
1987 2018-12-06  Keith Miller  <keith_miller@apple.com>
1988
1989         stress/big-wasm-memory tests failing on 32-bit JSC bot
1990         https://bugs.webkit.org/show_bug.cgi?id=192020
1991
1992         Reviewed by Saam Barati.
1993
1994         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1995         the wasm stress tests if the WebAssembly object does not exist.
1996
1997         * stress/big-wasm-memory-grow-no-max.js:
1998         (test.foo):
1999         (test):
2000         (foo): Deleted.
2001         (catch): Deleted.
2002         * stress/big-wasm-memory-grow.js:
2003         (test.foo):
2004         (test):
2005         (foo): Deleted.
2006         (catch): Deleted.
2007         * stress/big-wasm-memory.js:
2008         (test.foo):
2009         (test):
2010         (foo): Deleted.
2011         (catch): Deleted.
2012
2013 2018-12-05  Mark Lam  <mark.lam@apple.com>
2014
2015         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2016         https://bugs.webkit.org/show_bug.cgi?id=192441
2017         <rdar://problem/46480355>
2018
2019         Reviewed by Saam Barati.
2020
2021         * stress/regress-192441.js: Added.
2022
2023 2018-12-04  Mark Lam  <mark.lam@apple.com>
2024
2025         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2026         https://bugs.webkit.org/show_bug.cgi?id=192386
2027         <rdar://problem/46445516>
2028
2029         Reviewed by Saam Barati.
2030
2031         * stress/regress-192386.js: Added.
2032
2033 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2034
2035         [ESNext][BigInt] Support logic operations
2036         https://bugs.webkit.org/show_bug.cgi?id=179903
2037
2038         Reviewed by Yusuke Suzuki.
2039
2040         * stress/big-int-branch-usage.js: Added.
2041         * stress/big-int-logical-and.js: Added.
2042         * stress/big-int-logical-not.js: Added.
2043         * stress/big-int-logical-or.js: Added.
2044
2045 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2046
2047         Unreviewed, rolling out r238833.
2048
2049         Breaks macOS and iOS debug builds.
2050
2051         Reverted changeset:
2052
2053         "[ESNext][BigInt] Support logic operations"
2054         https://bugs.webkit.org/show_bug.cgi?id=179903
2055         https://trac.webkit.org/changeset/238833
2056
2057 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2058
2059         [ESNext][BigInt] Support logic operations
2060         https://bugs.webkit.org/show_bug.cgi?id=179903
2061
2062         Reviewed by Yusuke Suzuki.
2063
2064         * stress/big-int-branch-usage.js: Added.
2065         * stress/big-int-logical-and.js: Added.
2066         * stress/big-int-logical-not.js: Added.
2067         * stress/big-int-logical-or.js: Added.
2068
2069 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2070
2071         [ESNext][BigInt] Implement support for "<<" and ">>"
2072         https://bugs.webkit.org/show_bug.cgi?id=186233
2073
2074         Reviewed by Yusuke Suzuki.
2075
2076         * stress/big-int-left-shift-general.js: Added.
2077         * stress/big-int-left-shift-range-error.js: Added.
2078         * stress/big-int-left-shift-type-error.js: Added.
2079         * stress/big-int-left-shift-wrapped-value.js: Added.
2080         * stress/big-int-right-shift-general.js: Added.
2081         * stress/big-int-right-shift-type-error.js: Added.
2082         * stress/big-int-right-shift-wrapped-value.js: Added.
2083         * stress/left-shift-to-primitive-precedence.js: Added.
2084         * stress/right-shift-to-primitive-precedence.js: Added.
2085
2086 2018-11-30  Dean Jackson  <dino@apple.com>
2087
2088         Add first-class support for .mjs files in jsc binary
2089         https://bugs.webkit.org/show_bug.cgi?id=192190
2090         <rdar://problem/46375715>
2091
2092         Reviewed by Keith Miller.
2093
2094         * stress/simple-module.mjs: Added.
2095         * stress/simple-script.js: Added.
2096
2097 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2098
2099         [BigInt] Implement ValueBitXor into DFG
2100         https://bugs.webkit.org/show_bug.cgi?id=190264
2101
2102         Reviewed by Yusuke Suzuki.
2103
2104         * stress/big-int-bitwise-xor-jit.js: Added.
2105         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2106         * stress/big-int-bitwise-xor-untyped.js: Added.
2107
2108 2018-11-27  Saam barati  <sbarati@apple.com>
2109
2110         r238510 broke scopes of size zero
2111         https://bugs.webkit.org/show_bug.cgi?id=192033
2112         <rdar://problem/46281734>
2113
2114         Reviewed by Keith Miller.
2115
2116         * stress/r238510-bad-loop.js: Added.
2117         (foo):
2118
2119 2018-11-27  Mark Lam  <mark.lam@apple.com>
2120
2121         [Re-landing] NaNs read from Wasm code need to be purified.
2122         https://bugs.webkit.org/show_bug.cgi?id=191056
2123         <rdar://problem/45660341>
2124
2125         Reviewed by Filip Pizlo.
2126
2127         * wasm/regress/regress-191056.js: Added.
2128
2129 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2130
2131         Unreviewed, rolling out r238509.
2132
2133         Causes JSC tests to fail on iOS.
2134
2135         Reverted changeset:
2136
2137         "NaNs read from Wasm code need to be purified."
2138         https://bugs.webkit.org/show_bug.cgi?id=191056
2139         https://trac.webkit.org/changeset/238509
2140
2141 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2142
2143         Re-introduce op_bitnot
2144         https://bugs.webkit.org/show_bug.cgi?id=190923
2145
2146         Reviewed by Yusuke Suzuki.
2147
2148         * stress/bit-not-must-generate.js: Added.
2149         * stress/bitwise-not-no-int32.js: Added.
2150
2151 2018-11-26  Saam barati  <sbarati@apple.com>
2152
2153         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2154         https://bugs.webkit.org/show_bug.cgi?id=191956
2155         <rdar://problem/45665806>
2156
2157         Reviewed by Yusuke Suzuki.
2158
2159         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2160         (bar):
2161         (foo):
2162
2163 2018-11-26  Saam barati  <sbarati@apple.com>
2164
2165         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2166         https://bugs.webkit.org/show_bug.cgi?id=191958
2167         <rdar://problem/46221877>
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2172         (x):
2173         (foo):
2174
2175 2018-11-26  Mark Lam  <mark.lam@apple.com>
2176
2177         NaNs read from Wasm code need to be purified.
2178         https://bugs.webkit.org/show_bug.cgi?id=191056
2179         <rdar://problem/45660341>
2180
2181         Reviewed by Filip Pizlo.
2182
2183         * wasm/regress/regress-191056.js: Added.
2184
2185 2018-11-26  Michael Saboff  <msaboff@apple.com>
2186
2187         32-bit JSC test failure: stress/regexp-compile-oom.js
2188         https://bugs.webkit.org/show_bug.cgi?id=191375
2189
2190         Reviewed by Mark Lam.
2191
2192         Disabled the test for 32 bit platforms.
2193
2194         * stress/regexp-compile-oom.js:
2195
2196 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2197
2198         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2199         https://bugs.webkit.org/show_bug.cgi?id=191716
2200         <rdar://problem/45723878>
2201
2202         Reviewed by Saam Barati.
2203
2204         * stress/regress-187373.js: Added.
2205         (async.fn):
2206
2207 2018-11-21  Saam barati  <sbarati@apple.com>
2208
2209         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2210         https://bugs.webkit.org/show_bug.cgi?id=191897
2211         <rdar://problem/45871998>
2212
2213         Reviewed by Mark Lam.
2214
2215         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2216         (bar):
2217         (foo):
2218
2219 2018-11-21  Saam barati  <sbarati@apple.com>
2220
2221         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2222         https://bugs.webkit.org/show_bug.cgi?id=191895
2223         <rdar://problem/46167406>
2224
2225         Reviewed by Mark Lam.
2226
2227         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2228         (foo):
2229         (bar):
2230
2231 2018-11-21  Mark Lam  <mark.lam@apple.com>
2232
2233         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2234         https://bugs.webkit.org/show_bug.cgi?id=191776
2235         <rdar://problem/46152851>
2236
2237         Reviewed by Saam Barati.
2238
2239         * stress/big-wasm-memory-grow-no-max.js:
2240         * stress/big-wasm-memory-grow.js:
2241         * stress/big-wasm-memory.js:
2242         - updated these to expect an OutOfMemoryError.
2243
2244         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2245         (Binary.prototype.emit_u8):
2246         (Binary.prototype.emit_u32v):
2247         (Binary.prototype.emit_header):
2248         (Binary.prototype.emit_section):
2249         (Binary):
2250         (WasmModuleBuilder):
2251         (WasmModuleBuilder.prototype.addMemory):
2252         (WasmModuleBuilder.prototype.toArray):
2253         (WasmModuleBuilder.prototype.toBuffer):
2254         (WasmModuleBuilder.prototype.instantiate):
2255         (catch):
2256         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2257         (catch):
2258
2259 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2260
2261         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2262         https://bugs.webkit.org/show_bug.cgi?id=190836
2263
2264         Reviewed by Saam Barati and Yusuke Suzuki.
2265
2266         * stress/big-int-out-of-memory-tests.js: Added.
2267
2268 2018-11-20  Mark Lam  <mark.lam@apple.com>
2269
2270         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2271         https://bugs.webkit.org/show_bug.cgi?id=191856
2272         <rdar://problem/46089992>
2273
2274         Reviewed by Yusuke Suzuki.
2275
2276         * stress/regress-191856.js: Added.
2277         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2278
2279 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2280
2281         Enable JIT on ARM/Linux
2282         https://bugs.webkit.org/show_bug.cgi?id=191548
2283
2284         Reviewed by Yusuke Suzuki.
2285
2286         Disable test on system with limited memory. Program was killed by
2287         the OS before the exception was thrown.
2288
2289         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2290
2291 2018-11-20  Saam barati  <sbarati@apple.com>
2292
2293         Merging an IC variant may lead to the IC status containing overlapping structure sets
2294         https://bugs.webkit.org/show_bug.cgi?id=191869
2295         <rdar://problem/45403453>
2296
2297         Reviewed by Mark Lam.
2298
2299         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2300
2301 2018-11-19  Mark Lam  <mark.lam@apple.com>
2302
2303         globalFuncImportModule() should return a promise when it clears exceptions.
2304         https://bugs.webkit.org/show_bug.cgi?id=191792
2305         <rdar://problem/46090763>
2306
2307         Reviewed by Michael Saboff.
2308
2309         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2310
2311 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2312
2313         Skip new memory-hungry tests on memory limited devices
2314
2315         Unreviewed gardening.
2316
2317         * stress/big-wasm-memory-grow-no-max.js:
2318         * stress/big-wasm-memory-grow.js:
2319         * stress/big-wasm-memory.js:
2320
2321 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2322
2323         Unreviewed, rolling in the rest of r237254
2324         https://bugs.webkit.org/show_bug.cgi?id=190340
2325
2326         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2327         * stress/function-cache-with-parameters-end-position.js: Added.
2328         (shouldBe):
2329         (shouldThrow):
2330         (i.anonymous):
2331         * stress/function-constructor-name.js: Added.
2332         (shouldBe):
2333         (GeneratorFunction):
2334         (AsyncFunction.async):
2335         (AsyncGeneratorFunction.async):
2336         (anonymous):
2337         (async.anonymous):
2338         * test262/expectations.yaml:
2339
2340 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2341
2342         All users of ArrayBuffer should agree on the same max size
2343         https://bugs.webkit.org/show_bug.cgi?id=191771
2344
2345         Reviewed by Mark Lam.
2346
2347         * stress/big-wasm-memory-grow-no-max.js: Added.
2348         (foo):
2349         (catch):
2350         * stress/big-wasm-memory-grow.js: Added.
2351         (foo):
2352         (catch):
2353         * stress/big-wasm-memory.js: Added.
2354         (foo):
2355         (catch):
2356
2357 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2358
2359         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2360         run for each JSC config since they're regression tests for runtime bugs.
2361
2362         * stress/json-stringified-overflow-2.js:
2363         * stress/json-stringified-overflow.js:
2364
2365 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2366
2367         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2368         config since they're regression tests for runtime bugs.
2369
2370         * stress/large-unshift-splice.js:
2371         * stress/regress-185888.js:
2372
2373 2018-11-16  Saam Barati  <sbarati@apple.com>
2374
2375         KnownCellUse should also have SpecCellCheck as its type filter
2376         https://bugs.webkit.org/show_bug.cgi?id=191729
2377         <rdar://problem/45872852>
2378
2379         Reviewed by Filip Pizlo.
2380
2381         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2382         (C):
2383
2384 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2385
2386         Fix assertion failure on BytecodeGenerator::recordOpcode
2387         https://bugs.webkit.org/show_bug.cgi?id=191724
2388         <rdar://problem/45724395>
2389
2390         Reviewed by Saam Barati.
2391
2392         * stress/regress-187373-2.js: Added.
2393         (foo):
2394
2395 2018-11-15  Mark Lam  <mark.lam@apple.com>
2396
2397         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2398         https://bugs.webkit.org/show_bug.cgi?id=191730
2399         <rdar://problem/46048517>
2400
2401         Reviewed by Saam Barati.
2402
2403         * stress/regress-187006.js: Removed.
2404           - this test is invalid because its sole purpose is to test for the non-spec
2405             compliant behavior that we just fixed.
2406
2407         * stress/regress-191730.js: Added.
2408
2409 2018-11-15  Mark Lam  <mark.lam@apple.com>
2410
2411         RegExp operations should not take fast path if lastIndex is not numeric.
2412         https://bugs.webkit.org/show_bug.cgi?id=191731
2413         <rdar://problem/46017305>
2414
2415         Reviewed by Saam Barati.
2416
2417         * stress/regress-191731.js: Added.
2418
2419 2018-11-13  Saam Barati  <sbarati@apple.com>
2420
2421         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2422         https://bugs.webkit.org/show_bug.cgi?id=191600
2423
2424         Reviewed by Mark Lam.
2425
2426         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2427         (foo):
2428         (test):
2429         (bar):
2430
2431 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2432
2433         Unreviewed, rolling out r238132.
2434
2435         The test added with this change is timing out on Debug JSC
2436         bots.
2437
2438         Reverted changeset:
2439
2440         "[BigInt] JSBigInt::createWithLength should throw when length
2441         is greater than JSBigInt::maxLength"
2442         https://bugs.webkit.org/show_bug.cgi?id=190836
2443         https://trac.webkit.org/changeset/238132
2444
2445 2018-11-13  Mark Lam  <mark.lam@apple.com>
2446
2447         Add OOM detection to StringPrototype's substituteBackreferences().
2448         https://bugs.webkit.org/show_bug.cgi?id=191563
2449         <rdar://problem/45720428>
2450
2451         Reviewed by Saam Barati.
2452
2453         * stress/regress-191563.js: Added.
2454
2455 2018-11-13  Mark Lam  <mark.lam@apple.com>
2456
2457         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2458         https://bugs.webkit.org/show_bug.cgi?id=191579
2459         <rdar://problem/45942472>
2460
2461         Reviewed by Saam Barati.
2462
2463         * stress/regress-191579.js: Added.
2464
2465 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2466
2467         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2468         https://bugs.webkit.org/show_bug.cgi?id=190836
2469
2470         Reviewed by Saam Barati.
2471
2472         * stress/big-int-out-of-memory-tests.js: Added.
2473
2474 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2475
2476         U+180E is no longer a whitespace character
2477         https://bugs.webkit.org/show_bug.cgi?id=191415
2478
2479         Reviewed by Saam Barati.
2480
2481         * ChakraCore/test/es5/regexSpace.baseline:
2482         * ChakraCore/test/es6/unicode_whitespace.js:
2483         Update tests to latest version.
2484         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2485
2486         * test262.yaml:
2487         * test262/config.yaml:
2488         * test262/expectations.yaml:
2489         Update expectations.
2490
2491 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2492
2493         [BigInt] Add support to BigInt into ValueAdd
2494         https://bugs.webkit.org/show_bug.cgi?id=186177
2495
2496         Reviewed by Keith Miller.
2497
2498         * stress/big-int-negate-jit.js:
2499         * stress/value-add-big-int-and-string.js: Added.
2500         * stress/value-add-big-int-prediction-propagation.js: Added.
2501         * stress/value-add-big-int-untyped.js: Added.
2502
2503 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2504
2505         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2506         https://bugs.webkit.org/show_bug.cgi?id=191184
2507
2508         Reviewed by Saam Barati.
2509
2510         Most tests were failing due to timeouts, since they are too slow to
2511         run on CLoop. The exceptions are:
2512
2513         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2514         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2515         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2516         to change the stack size since CLoop requires it to be page aligned.
2517
2518         * microbenchmarks/array-push-1.js:
2519         * microbenchmarks/array-push-2.js:
2520         * microbenchmarks/elidable-new-object-dag.js:
2521         * microbenchmarks/elidable-new-object-roflcopter.js:
2522         * microbenchmarks/elidable-new-object-tree.js:
2523         * microbenchmarks/getter-richards.js:
2524         * microbenchmarks/sinkable-new-object-dag.js:
2525         * microbenchmarks/string-concat-long-convert.js:
2526         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2527         * slowMicrobenchmarks/array-push-3.js:
2528         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2529         * slowMicrobenchmarks/spread-small-array.js:
2530         * slowMicrobenchmarks/undefined-property-access.js:
2531         * stress/activation-sink-default-value-tdz-error.js:
2532         * stress/activation-sink-default-value.js:
2533         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2534         * stress/activation-sink-osrexit-default-value.js:
2535         * stress/activation-sink-osrexit.js:
2536         * stress/activation-sink.js:
2537         * stress/allow-math-ic-b3-code-duplication.js:
2538         * stress/array-push-multiple-int32.js:
2539         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2540         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2541         * stress/arrowfunction-lexical-this-activation-sink.js:
2542         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2543         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2544         * stress/elide-new-object-dag-then-exit.js:
2545         * stress/materialize-regexp-cyclic.js:
2546         * stress/new-regex-inline.js:
2547         * stress/op_add.js:
2548         * stress/op_bitand.js:
2549         * stress/op_bitor.js:
2550         * stress/op_bitxor.js:
2551         * stress/op_div-ConstVar.js:
2552         * stress/op_div-VarConst.js:
2553         * stress/op_div-VarVar.js:
2554         * stress/op_lshift-ConstVar.js:
2555         * stress/op_lshift-VarConst.js:
2556         * stress/op_lshift-VarVar.js:
2557         * stress/op_mod-ConstVar.js:
2558         * stress/op_mod-VarConst.js:
2559         * stress/op_mod-VarVar.js:
2560         * stress/op_mul-ConstVar.js:
2561         * stress/op_mul-VarConst.js:
2562         * stress/op_mul-VarVar.js:
2563         * stress/op_rshift-ConstVar.js:
2564         * stress/op_rshift-VarConst.js:
2565         * stress/op_rshift-VarVar.js:
2566         * stress/op_sub-ConstVar.js:
2567         * stress/op_sub-VarConst.js:
2568         * stress/op_sub-VarVar.js:
2569         * stress/op_urshift-ConstVar.js:
2570         * stress/op_urshift-VarConst.js:
2571         * stress/op_urshift-VarVar.js:
2572         * stress/proxy-get-set-correct-receiver.js:
2573         * stress/regress-179562.js:
2574         * stress/rest-parameter-many-arguments.js:
2575         * stress/sampling-profiler-richards.js:
2576         * stress/splay-flash-access-1ms.js:
2577         * stress/tailCallForwardArguments.js:
2578         * stress/typed-array-get-by-val-profiling.js:
2579         * typeProfiler/getter-richards.js:
2580
2581 2018-11-06  Michael Saboff  <msaboff@apple.com>
2582
2583         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2584         https://bugs.webkit.org/show_bug.cgi?id=191271
2585
2586         Reviewed by Saam Barati.
2587
2588         Added more test cases and made all test cases run with the same deeply recursive stack
2589         instead of finding that same point for each test case.
2590
2591         * stress/regexp-compile-oom.js:
2592         (prototype.runTest):
2593         (recurseAndTest):
2594         (testList.push.new.TestAndExpectedException):
2595
2596 2018-11-05  Michael Saboff  <msaboff@apple.com>
2597
2598         Unreviewed build fix for linux.
2599
2600         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2601
2602 2018-11-02  Michael Saboff  <msaboff@apple.com>
2603
2604         Rolling in r237753 with unreviewed build fix.
2605
2606         Fixed issues with DECLARE_THROW_SCOPE placement.
2607
2608 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2609
2610         Unreviewed, rolling out r237753.
2611
2612         Introduced JSC test failures
2613
2614         Reverted changeset:
2615
2616         "Running out of stack space not properly handled in
2617         RegExp::compile() and its callers"
2618         https://bugs.webkit.org/show_bug.cgi?id=191206
2619         https://trac.webkit.org/changeset/237753
2620
2621 2018-11-02  Michael Saboff  <msaboff@apple.com>
2622
2623         Running out of stack space not properly handled in RegExp::compile() and its callers
2624         https://bugs.webkit.org/show_bug.cgi?id=191206
2625
2626         Reviewed by Filip Pizlo.
2627
2628         New regression test.
2629
2630         * stress/regexp-compile-oom.js: Added.
2631         (recurseAndTest):
2632
2633 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2634
2635         Skip tests on arm/mips that time out now we're running on CLoop
2636
2637         Unreviewed gardening.
2638
2639         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2640         time out on the bots and need to be disabled. There's more tests
2641         disabled on arm because the timeout is longer on the mips bot (as the
2642         device is slower to start with), so many of the tests don't time out
2643         there.
2644
2645         * microbenchmarks/getter-richards.js: disable on arm and mips.
2646         * stress/op_add.js: disable on arm.
2647         * stress/op_bitand.js: disable on arm.
2648         * stress/op_bitor.js: disable on arm.
2649         * stress/op_bitxor.js: disable on arm.
2650         * stress/op_lshift-ConstVar.js: disable on arm.
2651         * stress/op_lshift-VarConst.js: disable on arm.
2652         * stress/op_lshift-VarVar.js: disable on arm.
2653         * stress/op_mod-ConstVar.js: disable on arm.
2654         * stress/op_mod-VarConst.js: disable on arm.
2655         * stress/op_mod-VarVar.js: disable on arm.
2656         * stress/op_mul-ConstVar.js: disable on arm.
2657         * stress/op_mul-VarConst.js: disable on arm.
2658         * stress/op_mul-VarVar.js: disable on arm.
2659         * stress/op_rshift-ConstVar.js: disable on arm.
2660         * stress/op_rshift-VarConst.js: disable on arm.
2661         * stress/op_rshift-VarVar.js: disable on arm.
2662         * stress/op_sub-ConstVar.js: disable on arm.
2663         * stress/op_sub-VarConst.js: disable on arm.
2664         * stress/op_sub-VarVar.js: disable on arm.
2665         * stress/op_urshift-ConstVar.js: disable on arm.
2666         * stress/op_urshift-VarConst.js: disable on arm.
2667         * stress/op_urshift-VarVar.js: disable on arm.
2668         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2669         * stress/value-to-boolean.js: disable on arm and mips.
2670
2671 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2672
2673         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2674         https://bugs.webkit.org/show_bug.cgi?id=191108
2675         <rdar://problem/45690700>
2676
2677         Reviewed by Saam Barati.
2678
2679         * stress/wide-op_catch.js: Added.
2680         (catch):
2681
2682 2018-10-29  Mark Lam  <mark.lam@apple.com>
2683
2684         Correctly detect string overflow when using the 'Function' constructor.
2685         https://bugs.webkit.org/show_bug.cgi?id=184883
2686         <rdar://problem/36320331>
2687
2688         Reviewed by Saam Barati.
2689
2690         I've verified that this passes on 32-bit as well.
2691
2692         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2693
2694 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2695
2696         Add support for GetStack FlushedDouble
2697         https://bugs.webkit.org/show_bug.cgi?id=191012
2698         <rdar://problem/45265141>
2699
2700         Reviewed by Saam Barati.
2701
2702         * stress/get-stack-double.js: Added.
2703         (bar):
2704         (noInline):
2705
2706 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2707
2708         New bytecode format for JSC
2709         https://bugs.webkit.org/show_bug.cgi?id=187373
2710         <rdar://problem/44186758>
2711
2712         Reviewed by Filip Pizlo.
2713
2714         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2715
2716         * stress/maximum-inline-capacity.js: Added.
2717         (test1):
2718         (test3.Foo):
2719         (test3):
2720
2721 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2722
2723         Unreviewed, rolling out r237479 and r237484.
2724         https://bugs.webkit.org/show_bug.cgi?id=190978
2725
2726         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2727
2728         Reverted changesets:
2729
2730         "New bytecode format for JSC"
2731         https://bugs.webkit.org/show_bug.cgi?id=187373
2732         https://trac.webkit.org/changeset/237479
2733
2734         "Gardening: Build fix after r237479."
2735         https://bugs.webkit.org/show_bug.cgi?id=187373
2736         https://trac.webkit.org/changeset/237484
2737
2738 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2739
2740         New bytecode format for JSC
2741         https://bugs.webkit.org/show_bug.cgi?id=187373
2742         <rdar://problem/44186758>
2743
2744         Reviewed by Filip Pizlo.
2745
2746         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2747
2748         * stress/maximum-inline-capacity.js: Added.
2749         (test1):
2750         (test3.Foo):
2751         (test3):
2752
2753 2018-10-26  Mark Lam  <mark.lam@apple.com>
2754
2755         Fix missing edge cases with JSGlobalObjects having a bad time.
2756         https://bugs.webkit.org/show_bug.cgi?id=189028
2757         <rdar://problem/45204939>
2758
2759         Reviewed by Saam Barati.
2760
2761         * stress/regress-189028.js: Added.
2762
2763 2018-10-22  Mark Lam  <mark.lam@apple.com>
2764
2765         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2766         https://bugs.webkit.org/show_bug.cgi?id=190515
2767         <rdar://problem/45222379>
2768
2769         Rubber-stamped by Saam Barati.
2770
2771         Adding another test.
2772
2773         * stress/regress-190515-2.js: Added.
2774
2775 2018-10-22  Mark Lam  <mark.lam@apple.com>
2776
2777         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2778         https://bugs.webkit.org/show_bug.cgi?id=190515
2779         <rdar://problem/45222379>
2780
2781         Reviewed by Saam Barati.
2782
2783         * stress/regress-190515.js: Added.
2784
2785 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2786
2787         Unreviewed, rolling out r237254.
2788         https://bugs.webkit.org/show_bug.cgi?id=190760
2789
2790         "It regresses JetStream 2 by 5% on some iOS devices"
2791         (Requested by saamyjoon on #webkit).
2792
2793         Reverted changeset:
2794
2795         "[JSC] JSC should have "parseFunction" to optimize Function
2796         constructor"
2797         https://bugs.webkit.org/show_bug.cgi?id=190340
2798         https://trac.webkit.org/changeset/237254
2799
2800 2018-10-19  Saam Barati  <sbarati@apple.com>
2801
2802         vmCall should check if we exit before emitting an OSR exit due to exceptions
2803         https://bugs.webkit.org/show_bug.cgi?id=190740
2804         <rdar://problem/45220139>
2805
2806         Reviewed by Mark Lam.
2807
2808         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2809         (foo):
2810
2811 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2812
2813         [ESNext][BigInt] Implement support for "^"
2814         https://bugs.webkit.org/show_bug.cgi?id=186235
2815
2816         Reviewed by Yusuke Suzuki.
2817
2818         * stress/big-int-bitwise-xor-general.js: Added.
2819         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2820         * stress/big-int-bitwise-xor-type-error.js: Added.
2821         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2822
2823 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2824
2825         [BigInt] Add ValueSub into DFG
2826         https://bugs.webkit.org/show_bug.cgi?id=186176
2827
2828         Reviewed by Yusuke Suzuki.
2829
2830         * stress/big-int-subtraction-jit.js:
2831         * stress/value-sub-big-int-prediction-propagation.js: Added.
2832         * stress/value-sub-big-int-untyped.js: Added.
2833         * stress/value-sub-spec-none-case.js: Added.
2834
2835 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2836
2837         [JSC] JSC should have "parseFunction" to optimize Function constructor
2838         https://bugs.webkit.org/show_bug.cgi?id=190340
2839
2840         Reviewed by Mark Lam.
2841
2842         This patch fixes the line number of syntax errors raised by the Function constructor,
2843         since we now parse the final code only once. And we no longer use block statement
2844         for Function constructor's parsing.
2845
2846         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2847         * stress/function-cache-with-parameters-end-position.js: Added.
2848         (shouldBe):
2849         (shouldThrow):
2850         (i.anonymous):
2851         * stress/function-constructor-name.js: Added.
2852         (shouldBe):
2853         (GeneratorFunction):
2854         (AsyncFunction.async):
2855         (AsyncGeneratorFunction.async):
2856         (anonymous):
2857         (async.anonymous):
2858         * test262/expectations.yaml:
2859
2860 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2861
2862         Unreviewed, rolling out r237242.
2863         https://bugs.webkit.org/show_bug.cgi?id=190701
2864
2865         it breaks "stress/sampling-profiler-basic.js" (Requested by
2866         caiolima on #webkit).
2867
2868         Reverted changeset:
2869
2870         "[BigInt] Add ValueSub into DFG"
2871         https://bugs.webkit.org/show_bug.cgi?id=186176
2872         https://trac.webkit.org/changeset/237242
2873
2874 2018-10-17  Keith Miller  <keith_miller@apple.com>
2875
2876         AI does not clear Phantom allocation nodes.
2877         https://bugs.webkit.org/show_bug.cgi?id=190694
2878
2879         Reviewed by Saam Barati.
2880
2881         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2882         (Day):
2883         (DaysInYear):
2884         (TimeInYear):
2885         (TimeFromYear):
2886         (DayFromYear):
2887         (InLeapYear):
2888         (YearFromTime):
2889         (WeekDay):
2890         (DaylightSavingTA):
2891         (GetSecondSundayInMarch):
2892         (TimeInMonth):
2893
2894 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2895
2896         [BigInt] Add ValueSub into DFG
2897         https://bugs.webkit.org/show_bug.cgi?id=186176
2898
2899         Reviewed by Yusuke Suzuki.
2900
2901         * stress/big-int-subtraction-jit.js:
2902         * stress/value-sub-big-int-prediction-propagation.js: Added.
2903         * stress/value-sub-big-int-untyped.js: Added.
2904
2905 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2906
2907         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2908         https://bugs.webkit.org/show_bug.cgi?id=190611
2909
2910         Reviewed by Saam Barati.
2911
2912         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2913         to improve test runtime. On ARM/MIPS this test even timed out when running all
2914         tests.
2915
2916         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2917         (test):
2918
2919 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2920
2921         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2922
2923         Unreviewed gardening.
2924
2925         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2926
2927 2018-10-15  Saam barati  <sbarati@apple.com>
2928
2929         Emit fjcvtzs on ARM64E on Darwin
2930         https://bugs.webkit.org/show_bug.cgi?id=184023
2931
2932         Reviewed by Yusuke Suzuki and Filip Pizlo.
2933
2934         * stress/double-to-int32-NaN.js: Added.
2935         (assert):
2936         (foo):
2937
2938 2018-10-15  Saam Barati  <sbarati@apple.com>
2939
2940         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2941         https://bugs.webkit.org/show_bug.cgi?id=190262
2942         <rdar://problem/44986241>
2943
2944         Reviewed by Mark Lam.
2945
2946         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2947         (test):
2948         * stress/slice-array-storage-with-holes.js: Added.
2949         (main):
2950
2951 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2952
2953         Unreviewed, rolling out r237054.
2954         https://bugs.webkit.org/show_bug.cgi?id=190593
2955
2956         "this regressed JetStream 2 by 6% on iOS" (Requested by
2957         saamyjoon on #webkit).
2958
2959         Reverted changeset:
2960
2961         "[JSC] JSC should have "parseFunction" to optimize Function
2962         constructor"
2963         https://bugs.webkit.org/show_bug.cgi?id=190340
2964         https://trac.webkit.org/changeset/237054
2965
2966 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2967
2968         [JSC] JSON.stringify can accept call-with-no-arguments
2969         https://bugs.webkit.org/show_bug.cgi?id=190343
2970
2971         Reviewed by Mark Lam.
2972
2973         * stress/json-stringify-no-arguments.js: Added.
2974         (shouldBe):
2975
2976 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2977
2978         [JSC] JSC should have "parseFunction" to optimize Function constructor
2979         https://bugs.webkit.org/show_bug.cgi?id=190340
2980
2981         Reviewed by Mark Lam.
2982
2983         This patch fixes the line number of syntax errors raised by the Function constructor,
2984         since we now parse the final code only once. And we no longer use block statement
2985         for Function constructor's parsing.
2986
2987         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2988         * stress/function-cache-with-parameters-end-position.js: Added.
2989         (shouldBe):
2990         (shouldThrow):
2991         (i.anonymous):
2992         * stress/function-constructor-name.js: Added.
2993         (shouldBe):
2994         (GeneratorFunction):
2995         (AsyncFunction.async):
2996         (AsyncGeneratorFunction.async):
2997         (anonymous):
2998         (async.anonymous):
2999         * test262/expectations.yaml:
3000
3001 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3002
3003         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3004         https://bugs.webkit.org/show_bug.cgi?id=190426
3005
3006         Unreviewed gardening.
3007
3008         * stress/sampling-profiler-richards.js:
3009
3010 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3011
3012         [ESNext][BigInt] Implement support for "|"
3013         https://bugs.webkit.org/show_bug.cgi?id=186229
3014
3015         Reviewed by Yusuke Suzuki.
3016
3017         * stress/big-int-bitwise-and-jit.js:
3018         * stress/big-int-bitwise-or-general.js: Added.
3019         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3020         * stress/big-int-bitwise-or-jit.js: Added.
3021         * stress/big-int-bitwise-or-memory-stress.js: Added.
3022         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3023         * stress/big-int-bitwise-or-type-error.js: Added.
3024         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3025
3026 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3027
3028         Skip test on systems with limited memory
3029         https://bugs.webkit.org/show_bug.cgi?id=190310
3030
3031         Invoking runDefault adds test to runlist, skipping the test in the next
3032         line does not prevent the test from executing. Change order of lines such
3033         that runDefault is only executed if test is not executed.
3034
3035         Reviewed by Mark Lam.
3036
3037         * stress/regress-190187.js:
3038
3039 2018-10-03  Saam barati  <sbarati@apple.com>
3040
3041         lowXYZ in FTLLower should always filter the type of the incoming edge
3042         https://bugs.webkit.org/show_bug.cgi?id=189939
3043         <rdar://problem/44407030>
3044
3045         Reviewed by Michael Saboff.
3046
3047         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3048         (foo):
3049         (test):
3050
3051 2018-10-03  Mark Lam  <mark.lam@apple.com>
3052
3053         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3054         https://bugs.webkit.org/show_bug.cgi?id=190187
3055         <rdar://problem/42512909>
3056
3057         Reviewed by Michael Saboff.
3058
3059         * stress/regress-190187.js: Added.
3060
3061 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3062
3063         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3064         https://bugs.webkit.org/show_bug.cgi?id=190033
3065
3066         Reviewed by Yusuke Suzuki.
3067
3068         * stress/big-int-to-string.js:
3069
3070 2018-10-01  Mark Lam  <mark.lam@apple.com>
3071
3072         Function.toString() should also copy the source code Functions that are class definitions.
3073         https://bugs.webkit.org/show_bug.cgi?id=190186
3074         <rdar://problem/44733360>
3075
3076         Reviewed by Saam Barati.
3077
3078         * stress/regress-190186.js: Added.
3079
3080 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3081
3082         Split NaN-check into separate test
3083         https://bugs.webkit.org/show_bug.cgi?id=190010
3084
3085         Reviewed by Saam Barati.
3086
3087         DataView exposes NaN-representation, which is not necessarily the same on each
3088         architecture. Therefore move the check of the NaN-representation into its own
3089         file such that we can disable this test on MIPS where NaN-representation can be
3090         different on older CPUs.
3091
3092         * stress/dataview-jit-set-nan.js: Added.
3093         (assert):
3094         (test.storeLittleEndian):
3095         (test.storeBigEndian):
3096         (test.store):
3097         (test):
3098         * stress/dataview-jit-set.js:
3099         (test5):
3100
3101 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3102
3103         Unreviewed, rolling out r236647.
3104         https://bugs.webkit.org/show_bug.cgi?id=190124
3105
3106         Breaking test stress/big-int-to-string.js (Requested by
3107         caiolima_ on #webkit).
3108
3109         Reverted changeset:
3110
3111         "[BigInt] BigInt.prototype.toString is broken when radix is
3112         power of 2"
3113         https://bugs.webkit.org/show_bug.cgi?id=190033
3114         https://trac.webkit.org/changeset/236647
3115
3116 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3117
3118         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3119         https://bugs.webkit.org/show_bug.cgi?id=190033
3120
3121         Reviewed by Yusuke Suzuki.
3122
3123         * stress/big-int-to-string.js:
3124
3125 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3126
3127         [ESNext][BigInt] Implement support for "&"
3128         https://bugs.webkit.org/show_bug.cgi?id=186228
3129
3130         Reviewed by Yusuke Suzuki.
3131
3132         * stress/big-int-bitwise-and-general.js: Added.
3133         (assert):
3134         (assert.sameValue):
3135         * stress/big-int-bitwise-and-jit.js: Added.
3136         (let.assert.sameValue):
3137         (bigIntBitAnd):
3138         * stress/big-int-bitwise-and-memory-stress.js: Added.
3139         (assert):
3140         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3141         (assert.sameValue):
3142         (let.o.Symbol.toPrimitive):
3143         (catch):
3144         * stress/big-int-bitwise-and-type-error.js: Added.
3145         (assert):
3146         (assertThrowTypeError):
3147         (let.o.valueOf):
3148         (o.valueOf):
3149         (o.toString):
3150         (o.Symbol.toPrimitive):
3151         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3152         (assert.sameValue):
3153         (testBitAnd):
3154         (let.o.Symbol.toPrimitive):
3155         (o.valueOf):
3156         (o.toString):
3157
3158 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3159
3160         JSC test stress/jsc-read.js doesn't support CRLF
3161         https://bugs.webkit.org/show_bug.cgi?id=190063
3162
3163         Reviewed by Yusuke Suzuki.
3164
3165         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3166
3167         * stress/jsc-read.js:
3168         (test):
3169
3170 2018-09-27  Saam barati  <sbarati@apple.com>
3171
3172         Verify the contents of AssemblerBuffer on arm64e
3173         https://bugs.webkit.org/show_bug.cgi?id=190057
3174         <rdar://problem/38916630>
3175
3176         Reviewed by Mark Lam.
3177
3178         * stress/regress-189132.js:
3179
3180 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3181
3182         Disable test without LLInt on ARMv7
3183         https://bugs.webkit.org/show_bug.cgi?id=190037
3184
3185         Reviewed by Mark Lam.
3186
3187         Test runs out of executable memory on ARMv7, do not run
3188         this test without LLInt enabled.
3189
3190         * stress/regress-169445.js:
3191
3192 2018-09-26  Keith Miller  <keith_miller@apple.com>
3193
3194         We should zero unused property storage when rebalancing array storage.
3195         https://bugs.webkit.org/show_bug.cgi?id=188151
3196
3197         Reviewed by Michael Saboff.
3198
3199         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3200
3201 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3202
3203         [JSC] Optimize Array#lastIndexOf
3204         https://bugs.webkit.org/show_bug.cgi?id=189780
3205
3206         Reviewed by Saam Barati.
3207
3208         * stress/array-lastindexof-array-prototype-trap.js: Added.
3209         (shouldBe):
3210         (AncestorArray.prototype.get 2):
3211         (AncestorArray):
3212         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3213         (shouldBe):
3214         * stress/array-lastindexof-hole-nan.js: Added.
3215         (shouldBe):
3216         (throw.new.Error):
3217         * stress/array-lastindexof-infinity.js: Added.
3218         (shouldBe):
3219         (throw.new.Error):
3220         * stress/array-lastindexof-negative-zero.js: Added.
3221         (shouldBe):
3222         (throw.new.Error):
3223         * stress/array-lastindexof-own-getter.js: Added.
3224         (shouldBe):
3225         (throw.new.Error.get array):
3226         (get array):
3227         * stress/array-lastindexof-prototype-trap.js: Added.
3228         (shouldBe):
3229         (DerivedArray.prototype.get 2):
3230         (DerivedArray):
3231
3232 2018-09-25  Saam Barati  <sbarati@apple.com>
3233
3234         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3235         https://bugs.webkit.org/show_bug.cgi?id=189940
3236         <rdar://problem/43640987>
3237
3238         Reviewed by Mark Lam.
3239
3240         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3241
3242 2018-09-24  Saam Barati  <sbarati@apple.com>
3243
3244         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3245         https://bugs.webkit.org/show_bug.cgi?id=189922
3246         <rdar://problem/44651275>
3247
3248         Reviewed by Mark Lam.
3249
3250         * stress/array-indexof-fast-path-effects.js: Added.
3251         * stress/array-indexof-cached-length.js: Added.
3252
3253 2018-09-24  Saam barati  <sbarati@apple.com>
3254
3255         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3256         https://bugs.webkit.org/show_bug.cgi?id=189682
3257         <rdar://problem/43557315>
3258
3259         Reviewed by Mark Lam.
3260
3261         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3262         (foo):
3263
3264 2018-09-22  Saam barati  <sbarati@apple.com>
3265
3266         The sampling should not use Strong<CodeBlock> in its machineLocation field
3267         https://bugs.webkit.org/show_bug.cgi?id=189319
3268
3269         Reviewed by Filip Pizlo.
3270
3271         * stress/sampling-profiler-richards.js: Added.
3272
3273 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3274
3275         [JSC] Optimize Array#indexOf in C++ runtime
3276         https://bugs.webkit.org/show_bug.cgi?id=189507
3277
3278         Reviewed by Saam Barati.
3279
3280         * stress/array-indexof-array-prototype-trap.js: Added.
3281         (shouldBe):
3282         (AncestorArray.prototype.get 2):
3283         (AncestorArray):
3284         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3285         (shouldBe):
3286         * stress/array-indexof-hole-nan.js: Added.
3287         (shouldBe):
3288         (throw.new.Error):
3289         * stress/array-indexof-infinity.js: Added.
3290         (shouldBe):
3291         (throw.new.Error):
3292         * stress/array-indexof-negative-zero.js: Added.
3293         (shouldBe):
3294         (throw.new.Error):
3295         * stress/array-indexof-own-getter.js: Added.
3296         (shouldBe):
3297         (throw.new.Error.get array):
3298         (get array):
3299         * stress/array-indexof-prototype-trap.js: Added.
3300         (shouldBe):
3301         (DerivedArray.prototype.get 2):
3302         (DerivedArray):
3303
3304 2018-09-19  Saam barati  <sbarati@apple.com>
3305
3306         AI rule for MultiPutByOffset executes its effects in the wrong order
3307         https://bugs.webkit.org/show_bug.cgi?id=189757
3308         <rdar://problem/43535257>
3309
3310         Reviewed by Michael Saboff.
3311
3312         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3313         (foo):
3314         (Foo):
3315         (g):
3316
3317 2018-09-17  Mark Lam  <mark.lam@apple.com>
3318
3319         Ensure that ForInContexts are invalidated if their loop local is over-written.
3320         https://bugs.webkit.org/show_bug.cgi?id=189571
3321         <rdar://problem/44402277>
3322
3323         Reviewed by Saam Barati.
3324
3325         * stress/regress-189571.js: Added.
3326
3327 2018-09-17  Saam barati  <sbarati@apple.com>
3328
3329         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3330         https://bugs.webkit.org/show_bug.cgi?id=189676
3331         <rdar://problem/39682897>
3332
3333         Reviewed by Michael Saboff.
3334
3335         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3336         (A):
3337         (K):
3338         (i.catch):
3339
3340 2018-09-14  Saam barati  <sbarati@apple.com>
3341
3342         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3343         https://bugs.webkit.org/show_bug.cgi?id=189628
3344         <rdar://problem/39481690>
3345
3346         Reviewed by Mark Lam.
3347
3348         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3349         (foo):
3350
3351 2018-09-11  Mark Lam  <mark.lam@apple.com>
3352
3353         Test for array initialization in arrayProtoFuncSplice.
3354         https://bugs.webkit.org/show_bug.cgi?id=170253
3355         <rdar://problem/31328773>
3356
3357         Rubber-stamped by Saam Barati.
3358
3359         * stress/regress-170253.js: Added.
3360
3361 2018-09-11  Mark Lam  <mark.lam@apple.com>
3362
3363         Test for IntlObject initialization.
3364         https://bugs.webkit.org/show_bug.cgi?id=170251
3365         <rdar://problem/31328419>
3366
3367         Rubber-stamped by Saam Barati.
3368
3369         * stress/regress-170251.js: Added.
3370
3371 2018-09-11  Mark Lam  <mark.lam@apple.com>
3372
3373         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3374         https://bugs.webkit.org/show_bug.cgi?id=169889
3375         <rdar://problem/31155607>
3376
3377         Reviewed by Saam Barati.
3378
3379         * stress/regress-169889-array-concat.js: Added.
3380         * stress/regress-169889-array-concat1.js: Added.
3381         * stress/regress-169889-array-slice.js: Added.
3382
3383 2018-09-11  Mark Lam  <mark.lam@apple.com>
3384
3385         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3386         https://bugs.webkit.org/show_bug.cgi?id=169445
3387         <rdar://problem/30957435>
3388
3389         Reviewed by Saam Barati.
3390
3391         * stress/regress-169445.js: Added.
3392         (let.gun.eval.A):
3393         (let.gun.eval.B.C):
3394         (let.gun.eval.B.C.prototype.trigger):
3395         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3396         (let.gun.eval.B):
3397         (let.gun.eval):
3398
3399 == Rolled over to ChangeLog-2018-09-11 ==