[WebKit-https.git] / JSTests / ChangeLog
2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF] StringBuilder should set correct m_is8Bit flag when merging
        https://bugs.webkit.org/show_bug.cgi?id=197053

        Reviewed by Saam Barati.

        * stress/merge-string-builder-in-dfg.js: Added.
        (foo):

2019-04-16  Caitlin Potter  <caitp@igalia.com>

        [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
        https://bugs.webkit.org/show_bug.cgi?id=176810

        Reviewed by Saam Barati.

        Add tests for the DontEnum filtering, and variations of other tests
        take the DontEnum-filtering path.

        * stress/proxy-own-keys.js:
        (i.catch):
        (set assert):
        (set add):
        (let.set new):
        (get let):

2019-04-15  Saam barati  <sbarati@apple.com>

        Modify how we do SetArgument when we inline varargs calls
        https://bugs.webkit.org/show_bug.cgi?id=196712
        <rdar://problem/49605012>

        Reviewed by Michael Saboff.

        * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
        (foo):

2019-04-15  Saam barati  <sbarati@apple.com>

        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
        https://bugs.webkit.org/show_bug.cgi?id=196945
        <rdar://problem/49802750>

        Reviewed by Filip Pizlo.

        * stress/get-by-offset-should-use-correct-child.js: Added.
        (foo.bar):
        (foo):

2019-04-15  Robin Morisset  <rmorisset@apple.com>

        DFG should be able to constant fold Object.create() with a constant prototype operand
        https://bugs.webkit.org/show_bug.cgi?id=196886

        Reviewed by Yusuke Suzuki.

        Note that this new benchmark does not currently see a speedup with inlining removed.
        The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.

        * microbenchmarks/object-create-constant-prototype.js: Added.
        (test):

2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>

        Incremental bytecode cache should not append function updates when loaded from memory
        https://bugs.webkit.org/show_bug.cgi?id=196865

        Reviewed by Filip Pizlo.

        * stress/bytecode-cache-shared-code-block.js: Added.
        (b):
        (program):

2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>

        CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
        https://bugs.webkit.org/show_bug.cgi?id=196880

        Reviewed by Yusuke Suzuki.

        * stress/bytecode-cache-syntax-error.js: Added.
        (catch):

2019-04-12  Saam barati  <sbarati@apple.com>

        r244079 logically broke shouldSpeculateInt52
        https://bugs.webkit.org/show_bug.cgi?id=196884

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/int52-rand-function.js: Added.
        (Math.random):

2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] op_has_indexed_property should not assume subscript part is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196850

        Reviewed by Saam Barati.

        * stress/has-indexed-property-should-accept-non-int32.js: Added.
        (foo):

2019-04-11  Saam barati  <sbarati@apple.com>

        Remove invalid assertion in operationInstanceOfCustom
        https://bugs.webkit.org/show_bug.cgi?id=196842
        <rdar://problem/49725493>

        Reviewed by Michael Saboff.

        * stress/operationInstanceOfCustom-bad-assertion.js: Added.

2019-04-10  Saam Barati  <sbarati@apple.com>

        AbstractValue::validateOSREntryValue is wrong for Int52 constants
        https://bugs.webkit.org/show_bug.cgi?id=196801
        <rdar://problem/49771122>

        Reviewed by Yusuke Suzuki.

        * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.

2019-04-10  Robin Morisset  <rmorisset@apple.com>

        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
        https://bugs.webkit.org/show_bug.cgi?id=196746

        Reviewed by Yusuke Suzuki.

        * stress/cyclic-define-properties.js: Added.
        (foo):

2019-04-09  Saam barati  <sbarati@apple.com>

        Clean up Int52 code and some bugs in it
        https://bugs.webkit.org/show_bug.cgi?id=196639
        <rdar://problem/49515757>

        Reviewed by Yusuke Suzuki.

        * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.

2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>

        ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
        https://bugs.webkit.org/show_bug.cgi?id=196708
        <rdar://problem/49556803>

        Reviewed by Yusuke Suzuki.

        * stress/proxy-getter-stack-overflow.js: Added.
        (const.handler.get target):
        (const.handler.has):
        (try.with):
        (catch):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG should respect node's strict flag
        https://bugs.webkit.org/show_bug.cgi?id=196617

        Reviewed by Saam Barati.

        * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
        (shouldEqual):
        (makeUnwriteableUnconfigurableObject):
        (runTest):
        * stress/put-dynamic-var-strict-and-sloppy.js: Added.
        (shouldBe):
        (shouldThrow):
        (with.result):
        (with.putValueStrict):
        (with.putValueSloppy):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] isRope jump in StringSlice should not jump over register allocations
        https://bugs.webkit.org/show_bug.cgi?id=196716

        Reviewed by Saam Barati.

        * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
        (foo.bar):
        (foo):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] to_index_string should not assume incoming value is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196713

        Reviewed by Saam Barati.

        * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
        (foo):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add more tests for r243966
        https://bugs.webkit.org/show_bug.cgi?id=196711

        Reviewed by Saam Barati.

        Adding one more test for r243966 fix. The added test will not crash after r243966.

        * stress/stress-cleared-calllinkinfo.js: Added.
        (runNearStackLimit.t):
        (runNearStackLimit):
        (repeat):
        (cls):
        (let.item.of.array.runNearStackLimit):

2019-04-08  Saam Barati  <sbarati@apple.com>

        WebAssembly.RuntimeError missing exception check
        https://bugs.webkit.org/show_bug.cgi?id=196700
        <rdar://problem/49693932>

        Reviewed by Yusuke Suzuki.

        * wasm/js-api/runtime-error-should-exception-check.js: Added.

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rolling in r243948 with test fix
        https://bugs.webkit.org/show_bug.cgi?id=196486

        * stress/arrow-function-and-use-strict-directive.js: Added.
        * stress/arrow-function-syntax.js: Added.
        (checkSyntax):
        (checkSyntaxError):

2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r243948.

        Caused inspector/runtime/parse.html to fail

        Reverted changeset:

        "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
        https://bugs.webkit.org/show_bug.cgi?id=196486
        https://trac.webkit.org/changeset/243948

2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r243943.

        Caused test262 failures.

        Reverted changeset:

        "[JSC] Filter DontEnum properties in
        ProxyObject::getOwnPropertyNames()"
        https://bugs.webkit.org/show_bug.cgi?id=176810
        https://trac.webkit.org/changeset/243943

2019-04-07  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r243642): Crash in reddit.com page
        https://bugs.webkit.org/show_bug.cgi?id=196684

        Reviewed by Geoffrey Garen.

        New regression test.

        * stress/regexp-nongreedy-charclass-backtracks.js: Added.

2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
        https://bugs.webkit.org/show_bug.cgi?id=196683

        Reviewed by Saam Barati.

        * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
        (foo):

2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
        https://bugs.webkit.org/show_bug.cgi?id=196582

        Reviewed by Saam Barati.

        * stress/add-overflow-check-with-three-same-registers.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (runWithNumber):

2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r243665.

        Caused iOS JSC tests to exit with an exception.

        Reverted changeset:

        "Assertion failed in JSC::createError"
        https://bugs.webkit.org/show_bug.cgi?id=196305
        https://trac.webkit.org/changeset/243665

2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>

        SIGSEGV in JSC::BytecodeGenerator::addStringConstant
        https://bugs.webkit.org/show_bug.cgi?id=196486

        Reviewed by Saam Barati.

        * stress/arrow-function-and-use-strict-directive.js: Added.
        * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
        (checkSyntax):
        (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.

2019-04-05  Caitlin Potter  <caitp@igalia.com>

        [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
        https://bugs.webkit.org/show_bug.cgi?id=176810

        Reviewed by Saam Barati.

        Add tests for the DontEnum filtering, and variations of other tests
        take the DontEnum-filtering path.

        * stress/proxy-own-keys.js:
        (i.catch):
        (set assert):
        (set add):
        (let.set new):
        (get let):

2019-04-05  Caitlin Potter  <caitp@igalia.com>

        [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
        https://bugs.webkit.org/show_bug.cgi?id=185211

        Reviewed by Saam Barati.

        This is for the normative spec change in https://github.com/tc39/ecma262/pull/833

        This changes several assertions to expect a TypeError to be thrown (in some cases,
        changing the expected message).

        * es6/Proxy_ownKeys_duplicates.js:
        (handler):
        (shouldThrow):
        (test):
        * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
        (shouldThrow):
        * stress/proxy-own-keys.js:
        (i.catch):
        (assert):

2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
        https://bugs.webkit.org/show_bug.cgi?id=196631

        Reviewed by Saam Barati.

        * stress/make-bound-function-should-not-assume-int32-length.js: Added.
        (assert):
        (test):
        (foo):

2019-04-04  Saam Barati  <sbarati@apple.com>

        Unreviewed. Make the test from r243906 catch the thrown exceptions.

        * stress/inferred-types-regex-matches-array.js:

2019-04-04  Saam Barati  <sbarati@apple.com>

        createRegExpMatchesArray does not respect inferred types
        https://bugs.webkit.org/show_bug.cgi?id=193287

        Reviewed by Yusuke Suzuki.

        This checks in the test case for 193287. This issue was discovered by
        Samuel Groß of Google Project Zero.

        * stress/inferred-types-regex-matches-array.js: Added.

2019-04-04  Saam barati  <sbarati@apple.com>

        Teach Call ICs how to call Wasm
        https://bugs.webkit.org/show_bug.cgi?id=196387

        Reviewed by Filip Pizlo.

        * wasm/function-tests/stack-trace.js:

2019-04-04  Caio Lima  <ticaiolima@gmail.com>

        [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
        https://bugs.webkit.org/show_bug.cgi?id=194944

        Reviewed by Keith Miller.

        * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.

2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>

        Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
        https://bugs.webkit.org/show_bug.cgi?id=196409

        Reviewed by Saam Barati.

        * stress/bytecode-cache-cached-string-impl.js: Added.
        (f):
        (g):
        * stress/bytecode-cache-run-string.js: Added.

2019-04-03  Robin Morisset  <rmorisset@apple.com>

        B3 should use associativity to optimize expression trees
        https://bugs.webkit.org/show_bug.cgi?id=194081

        Reviewed by Filip Pizlo.

        Added three microbenchmarks:
        - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
        - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
          an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
        - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup

        * microbenchmarks/add-tree.js: Added.
        * microbenchmarks/bit-or-tree.js: Added.
        * microbenchmarks/bit-xor-tree.js: Added.

2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
        https://bugs.webkit.org/show_bug.cgi?id=196574

        Reviewed by Saam Barati.

        * stress/string-index-of-exception-check.js: Added.
        (blurType):
        (1.forEach):

2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>

        Assertion failed in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=196305
        <rdar://problem/49387382>

        Reviewed by Saam Barati.

        * stress/create-error-out-of-memory-rope-string-2.js: Added.
        (assert):
        (catch):

2019-03-28  Saam Barati  <sbarati@apple.com>

        BackwardsGraph needs to consider back edges as the backward's root successor
        https://bugs.webkit.org/show_bug.cgi?id=195991

        Reviewed by Filip Pizlo.

        * stress/map-b3-licm-infinite-loop.js: Added.

2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>

        CodeBlock::jettison() should disallow repatching its own calls
        https://bugs.webkit.org/show_bug.cgi?id=196359
        <rdar://problem/48973663>

        Reviewed by Saam Barati.

        * stress/call-link-info-osrexit-repatch.js: Added.
        (foo):

2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] imports-oom.js intermittently fails
        https://bugs.webkit.org/show_bug.cgi?id=196373

        Reviewed by Saam Barati.

        imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
        with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
        wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
        and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
        imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.

        This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
        an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.

        * wasm/lowExecutableMemory/imports-oom.js:

2019-03-27  Saam Barati  <sbarati@apple.com>

        validateOSREntryValue with Int52 should box the value being checked into double format
        https://bugs.webkit.org/show_bug.cgi?id=196313
        <rdar://problem/49306703>

        Reviewed by Yusuke Suzuki.

        * stress/validate-int-52-ai-state.js: Added.

2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Owner of watchpoints should validate at GC finalizing phase
        https://bugs.webkit.org/show_bug.cgi?id=195827

        Reviewed by Filip Pizlo.

        * stress/gc-should-reap-dead-watchpoints.js: Added.
        (foo):
        (A.prototype.y):
        (A):

2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>

        Skip WebAssembly test on 32-bit systems
        https://bugs.webkit.org/show_bug.cgi?id=196206

        Reviewed by Saam Barati.

        Invoking runDefault executes test immediately even though
        that test should be skipped due to missing WASM support.
        Therefore remove runDefault.

        * wasm/regress/web-assembly-link-error-exception-check.js:

2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>

        WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
        https://bugs.webkit.org/show_bug.cgi?id=196217

        Reviewed by Saam Barati.

        Re-enable all NaN tests for f32.min, f64.min and f64.max.

        * wasm/spec-tests/f32.wast.js:
        * wasm/spec-tests/f64.wast.js:
        * wasm/wasm.json:

2019-03-25  Keith Miller  <keith_miller@apple.com>

        ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
        https://bugs.webkit.org/show_bug.cgi?id=196176

        Reviewed by Saam Barati.

        * stress/object-is-fold-to-compare-eq-ptr.js: Added.
        (main.v10):
        (main):

2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>

        WebAssembly: f32.max with NaN generates incorrect result
        https://bugs.webkit.org/show_bug.cgi?id=175691
        <rdar://problem/33952228>

        Reviewed by Saam Barati.

        Enable all f32.max NaN tests

        * wasm/spec-tests/f32.wast.js:
        * wasm/wasm.json:

2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>

        [JSC] Move test into directory for WASM tests
        https://bugs.webkit.org/show_bug.cgi?id=196187

        Reviewed by Mark Lam.

        Move Test into wasm-directory. Otherwise this test
        is also executed on systems without WASM support.

        * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.

2019-03-23  Mark Lam  <mark.lam@apple.com>

        Rolling out r243032 and r243071 because the fix is incorrect.
        https://bugs.webkit.org/show_bug.cgi?id=195892
        <rdar://problem/48981239>

        Not reviewed.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.

2019-03-22  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=196154
        <rdar://problem/49145307>

        Reviewed by Filip Pizlo.

        Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
        There's no need to run this test on more than 1 test configuration.

        * stress/typed-array-lastIndexOf-exception-check.js: Added.
        * stress/web-assembly-link-error-exception-check.js:

2019-03-22  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in constructJSWebAssemblyLinkError().
        https://bugs.webkit.org/show_bug.cgi?id=196152
        <rdar://problem/49145257>

        Reviewed by Michael Saboff.

        * stress/web-assembly-link-error-exception-check.js: Added.

2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>

        Skip tests running out of memory on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=196131

        Unreviewed. Skip test if memory is limited.

        * microbenchmarks/put-by-val-direct-large-index.js:

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
        https://bugs.webkit.org/show_bug.cgi?id=196116
        <rdar://problem/48976951>

        Reviewed by Filip Pizlo.

        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.

2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>

        JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
        https://bugs.webkit.org/show_bug.cgi?id=196078
        <rdar://problem/35925380>

        Reviewed by Mark Lam.

        Add a new benchmark that allocates several objects and invokes put_by_val_direct
        with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".

        * microbenchmarks/put-by-val-direct-large-index.js: Added.

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in operationArrayIndexOfString().
        https://bugs.webkit.org/show_bug.cgi?id=196067
        <rdar://problem/49056572>

        Reviewed by Michael Saboff.

        * stress/string-equal-exception-check.js: Added.

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
        https://bugs.webkit.org/show_bug.cgi?id=196055
        <rdar://problem/49067448>

        Reviewed by Yusuke Suzuki.

        * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.

2019-03-20  Saam Barati  <sbarati@apple.com>

        typeOfDoubleSum is wrong for when NaN can be produced
        https://bugs.webkit.org/show_bug.cgi?id=196030

        Reviewed by Filip Pizlo.

        * stress/double-add-sub-mul-can-produce-nan.js: Added.
        (assert):
        (noInline.sub):
        (noInline):
        (assert.mul):
        (assert.add):

2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>

        Update the test to ensure OutOfMemoryError is thrown as intended
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Rubber stamped by Saam Barati.

        * stress/create-error-out-of-memory-rope-string.js:
        (assert):
        (catch):

2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>

        JSC::createError needs to check for OOM in errorDescriptionForValue
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Reviewed by Mark Lam.

        * stress/create-error-out-of-memory-rope-string.js: Added.

2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce # of iterations to avoid timing out after r242991
        https://bugs.webkit.org/show_bug.cgi?id=195791

        To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=195950

        Unreviewed, reducing the amount of memory used on this test to avoid
        OOM on devices with memory restrictions.

        * microbenchmarks/generate-multiple-llint-entrypoints.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
        https://bugs.webkit.org/show_bug.cgi?id=194648

        Reviewed by Keith Miller.

        * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Missing a ThrowScope release in JSObject::toString().
        https://bugs.webkit.org/show_bug.cgi?id=195893
        <rdar://problem/48970986>

        Reviewed by Michael Saboff.

        * stress/to-string-exception-check-release.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Structure::flattenDictionary() should clear unused property slots.
        https://bugs.webkit.org/show_bug.cgi?id=195871
        <rdar://problem/48959497>

        Reviewed by Michael Saboff.

        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

2019-03-15  Mark Lam  <mark.lam@apple.com>

        Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=195827
        <rdar://problem/48845513>

        Reviewed by Filip Pizlo.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.

2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM,MIPS] Skip slow tests
        https://bugs.webkit.org/show_bug.cgi?id=195799

        Unreviewed, test does not finish on ARM and MIPS within the
        timeout limit.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
        https://bugs.webkit.org/show_bug.cgi?id=195791
        <rdar://problem/48806130>

        Reviewed by Mark Lam.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
        (foo):

2019-03-14  Saam barati  <sbarati@apple.com>

        We can't remove code after ForceOSRExit until after FixupPhase
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
        (foo):
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
        (foo):

2019-03-13  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
        https://bugs.webkit.org/show_bug.cgi?id=195735

        Reviewed by Mark Lam.

        New regression test.

        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
        (foo):
        (bar):

2019-03-14  Saam barati  <sbarati@apple.com>

        Fixup uses KnownInt32 incorrectly in some nodes
        https://bugs.webkit.org/show_bug.cgi?id=195279
        <rdar://problem/47915654>

        Reviewed by Yusuke Suzuki.

        * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
        (foo):

2019-03-14  Keith Miller  <keith_miller@apple.com>

        DFG liveness can't skip tail caller inline frames
        https://bugs.webkit.org/show_bug.cgi?id=195715

        Reviewed by Saam Barati.

        * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
        (i.foo):

2019-03-13  Mark Lam  <mark.lam@apple.com>

        Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
        https://bugs.webkit.org/show_bug.cgi?id=195415

        Not reviewed.

        Changed these tests to only run the default configuration.
        The ftl-no-cjit-validate-sampling-profiler variant was timing out.
        There's no strong need to run this test on that variant.

        * stress/dfg-to-string-on-int-does-gc.js:
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:

2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>

        String overflow when using StringBuilder in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=194957

        Reviewed by Mark Lam.

        Add test string-overflow-createError-builder.js that overflows
        StringBuilder in notAFunctionSourceAppender. The second new test
        string-overflow-createError-fit.js has an error message that doesn't
        overflow, it still failed since the String's capacity can't be doubled.
        Run test string-overflow-createError.js only in the default
        configuration to reduce memory consumption when running the test
        in all configurations on multiple CPUs in parallel.

        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError.js:

860 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         [JSC] OSR entry should respect abstract values in addition to flush formats
863         https://bugs.webkit.org/show_bug.cgi?id=195653
864
865         Reviewed by Mark Lam.
866
867         * stress/osr-entry-locals-none.js: Added.
868
869 2019-03-12  Michael Saboff  <msaboff@apple.com>
870
871         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
872         https://bugs.webkit.org/show_bug.cgi?id=195613
873
874         Reviewed by Mark Lam.
875
876         New regression test.
877
878         * stress/regexp-backref-inbounds.js: Added.
879         (testRegExp):
880
881 2019-03-12  Mark Lam  <mark.lam@apple.com>
882
883         The HasIndexedProperty node does GC.
884         https://bugs.webkit.org/show_bug.cgi?id=195559
885         <rdar://problem/48767923>
886
887         Reviewed by Yusuke Suzuki.
888
889         * stress/HasIndexedProperty-does-gc.js: Added.
890
891 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
892
893         [ESNext][BigInt] Implement "~" unary operation
894         https://bugs.webkit.org/show_bug.cgi?id=182216
895
896         Reviewed by Keith Miller.
897
898         * stress/big-int-bit-not-general.js: Added.
899         * stress/big-int-bitwise-not-jit.js: Added.
900         * stress/big-int-bitwise-not-wrapped-value.js: Added.
901         * stress/bit-op-with-object-returning-int32.js:
902         * stress/bitwise-not-fixup-rules.js: Added.
903         * stress/value-bit-not-ai-rule.js: Added.
904
905 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
906
907         Invalid flags in a RegExp literal should be an early SyntaxError
908         https://bugs.webkit.org/show_bug.cgi?id=195514
909
910         Reviewed by Darin Adler.
911
912         * test262/expectations.yaml:
913         Mark 4 test cases as passing.
914
915         * stress/regexp-syntax-error-invalid-flags.js:
916         * stress/regress-161995.js: Removed.
917         Update existing test, merging in an older test for the same behavior.
918
919 2019-03-08  Mark Lam  <mark.lam@apple.com>
920
921         Stack overflow crash in JSC::JSObject::hasInstance.
922         https://bugs.webkit.org/show_bug.cgi?id=195458
923         <rdar://problem/48710195>
924
925         Reviewed by Yusuke Suzuki.
926
927         * stress/stack-overflow-in-custom-hasInstance.js: Added.
928
929 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
930
931         op_check_tdz does not def its argument
932         https://bugs.webkit.org/show_bug.cgi?id=192880
933         <rdar://problem/46221598>
934
935         Reviewed by Saam Barati.
936
937         * microbenchmarks/let-for-in.js: Added.
938         (foo):
939
940 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
941
942         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
943         https://bugs.webkit.org/show_bug.cgi?id=195429
944
945         Reviewed by Saam Barati.
946
947         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
948         (foo):
949         * stress/string-from-char-code-255.js: Added.
950
951 2019-03-06  Mark Lam  <mark.lam@apple.com>
952
953         Fix incorrect handling of try-finally completion values.
954         https://bugs.webkit.org/show_bug.cgi?id=195131
955         <rdar://problem/46222079>
956
957         Reviewed by Saam Barati and Yusuke Suzuki.
958
959         Added many permutations of new test case to test-finally.js.  test-finally.js has
960         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
961         tests pass there as well.
962
963         * stress/test-finally.js:
964
965 2019-03-06  Saam Barati  <sbarati@apple.com>
966
967         Air::reportUsedRegisters must padInterference
968         https://bugs.webkit.org/show_bug.cgi?id=195303
969         <rdar://problem/48270343>
970
971         Reviewed by Keith Miller.
972
973         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
974
975 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
976
977         [JSC] AI should not propagate AbstractValue relying on constant folding phase
978         https://bugs.webkit.org/show_bug.cgi?id=195375
979
980         Reviewed by Saam Barati.
981
982         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
983         (let.array):
984
985 2019-03-05  Saam barati  <sbarati@apple.com>
986
987         op_switch_char broken for rope strings after JSRopeString layout rewrite
988         https://bugs.webkit.org/show_bug.cgi?id=195339
989         <rdar://problem/48592545>
990
991         Reviewed by Yusuke Suzuki.
992
993         * stress/switch-on-char-llint-rope.js: Added.
994
995 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         [JSC] Store bits for JSRopeString in 3 stores
998         https://bugs.webkit.org/show_bug.cgi?id=195234
999
1000         Reviewed by Saam Barati.
1001
1002         * stress/null-rope-and-collectors.js: Added.
1003
1004 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1005
1006         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1007         https://bugs.webkit.org/show_bug.cgi?id=195207
1008
1009         Unreviewed. After test runtime was reduced in r242213, test can be
1010         run again on ARM/MIPS.
1011
1012         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1013
1014 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1015
1016         [JSC] sizeof(JSString) should be 16
1017         https://bugs.webkit.org/show_bug.cgi?id=194375
1018
1019         Reviewed by Saam Barati.
1020
1021         * microbenchmarks/make-rope.js: Added.
1022         (makeRope):
1023         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1024         (returnRope.helper): Deleted.
1025         (returnRope): Deleted.
1026
1027 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1028
1029         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1030         https://bugs.webkit.org/show_bug.cgi?id=195144
1031
1032         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1033         Change the number from 1e8 to 1e5.
1034
1035         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1036         (foo):
1037
1038 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1039
1040         Test times out on ARM/MIPS
1041         https://bugs.webkit.org/show_bug.cgi?id=195168
1042
1043         Unreviewed. Skip test on ARM/MIPS.
1044
1045         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1046
1047 2019-02-27  Mark Lam  <mark.lam@apple.com>
1048
1049         The parser is failing to record the token location of new in new.target.
1050         https://bugs.webkit.org/show_bug.cgi?id=195127
1051         <rdar://problem/39645578>
1052
1053         Reviewed by Yusuke Suzuki.
1054
1055         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1056
1057 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1058
1059         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1060         https://bugs.webkit.org/show_bug.cgi?id=195144
1061         <rdar://problem/47595961>
1062
1063         Reviewed by Mark Lam.
1064
1065         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1066         (bar):
1067         (foo):
1068         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1069         (bar):
1070         (foo):
1071
1072 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1073
1074         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1075         https://bugs.webkit.org/show_bug.cgi?id=194945
1076         <rdar://problem/48311657>
1077
1078         Reviewed by Mark Lam.
1079
1080         * stress/licm-dead-code.js: Added.
1081
1082 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1083
1084         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1085         https://bugs.webkit.org/show_bug.cgi?id=194677
1086         <rdar://problem/48112492>
1087
1088         Reviewed by Mark Lam.
1089
1090         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1091         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1092         it immediately fails due to the large size.
1093
1094         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1095         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1096         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
1097         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1098
1099         This patch changes the test to produce 16bit string from String.fromCharCode.
1100
1101         * stress/regress-178386.js:
1102
1103 2019-02-26  Mark Lam  <mark.lam@apple.com>
1104
1105         wasmToJS() should purify incoming NaNs.
1106         https://bugs.webkit.org/show_bug.cgi?id=194807
1107         <rdar://problem/48189132>
1108
1109         Reviewed by Saam Barati.
1110
1111         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1112
1113 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1114
1115         [JSC] Repeat string created from Array.prototype.join() take too much memory
1116         https://bugs.webkit.org/show_bug.cgi?id=193912
1117
1118         Reviewed by Saam Barati.
1119
1120         Added a test and a microbenchmark for corner cases of
1121         Array.prototype.join() with an uninitialized array.
1122
1123         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1124         * stress/array-prototype-join-uninitialized.js: Added.
1125         (testArray):
1126         (testABC):
1127         (B):
1128         (C):
1129
1130 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1131
1132         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1133         https://bugs.webkit.org/show_bug.cgi?id=194953
1134         <rdar://problem/47595253>
1135
1136         Reviewed by Saam Barati.
1137
1138         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1139
1140         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1141
1142 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1143
1144         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1145         https://bugs.webkit.org/show_bug.cgi?id=172848
1146         <rdar://problem/25709212>
1147
1148         Reviewed by Mark Lam.
1149
1150         * typeProfiler/inheritance.js:
1151         Rewrite the test slightly for clarity. The hoisting was confusing.
1152
1153         * heapProfiler/class-names.js: Added.
1154         (MyES5Class):
1155         (MyES6Class):
1156         (MyES6Subclass):
1157         Test object types and improved class names.
1158
1159         * heapProfiler/driver/driver.js:
1160         (CheapHeapSnapshotNode):
1161         (CheapHeapSnapshot):
1162         (createCheapHeapSnapshot):
1163         (HeapSnapshot):
1164         (createHeapSnapshot):
1165         Update snapshot parsing from version 1 to version 2.
1166
1167 2019-02-19  Truitt Savell  <tsavell@apple.com>
1168
1169         Unreviewed, rolling out r241784.
1170
1171         Broke all OpenSource builds.
1172
1173         Reverted changeset:
1174
1175         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1176         instances view"
1177         https://bugs.webkit.org/show_bug.cgi?id=172848
1178         https://trac.webkit.org/changeset/241784
1179
1180 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1181
1182         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1183         https://bugs.webkit.org/show_bug.cgi?id=172848
1184         <rdar://problem/25709212>
1185
1186         Reviewed by Mark Lam.
1187
1188         * typeProfiler/inheritance.js:
1189         Rewrite the test slightly for clarity. The hoisting was confusing.
1190
1191         * heapProfiler/class-names.js: Added.
1192         (MyES5Class):
1193         (MyES6Class):
1194         (MyES6Subclass):
1195         Test object types and improved class names.
1196
1197         * heapProfiler/driver/driver.js:
1198         (CheapHeapSnapshotNode):
1199         (CheapHeapSnapshot):
1200         (createCheapHeapSnapshot):
1201         (HeapSnapshot):
1202         (createHeapSnapshot):
1203         Update snapshot parsing from version 1 to version 2.
1204
1205 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1206
1207         [ARM] Fix crash with sampling profiler
1208         https://bugs.webkit.org/show_bug.cgi?id=194772
1209
1210         Reviewed by Mark Lam.
1211
1212         Do not skip test since crash with sampling profiler is now fixed.
1213
1214         * stress/sampling-profiler-richards.js:
1215
1216 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1217
1218         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1219         https://bugs.webkit.org/show_bug.cgi?id=194784
1220         <rdar://problem/48154820>
1221
1222         Reviewed by Mark Lam.
1223
1224         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1225         (getProperties):
1226         (getRandomProperty):
1227         (i.catch):
1228
1229 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1230
1231         [ARM] Test gardening: Test running out of executable memory
1232         https://bugs.webkit.org/show_bug.cgi?id=194771
1233
1234         Unreviewed. Do not run test without LLInt, test is running out of executable
1235         memory on ARM otherwise.
1236
1237         * stress/tagged-template-object-collect.js:
1238
1239 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1240
1241         Unreviewed, skip the test on platforms without sampling profiler
1242
1243         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1244         (platformSupportsSamplingProfiler.foo):
1245         (platformSupportsSamplingProfiler.test):
1246         (platformSupportsSamplingProfiler):
1247         (foo): Deleted.
1248         (test): Deleted.
1249
1250 2019-02-17  Saam Barati  <sbarati@apple.com>
1251
1252         Deadlock when adding a Structure property transition and then doing incremental marking
1253         https://bugs.webkit.org/show_bug.cgi?id=194767
1254
1255         Reviewed by Mark Lam.
1256
1257         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1258
1259 2019-02-15  Michael Saboff  <msaboff@apple.com>
1260
1261         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1262         https://bugs.webkit.org/show_bug.cgi?id=194558
1263
1264         Reviewed by Saam Barati.
1265
1266         New regression test.
1267
1268         * stress/regexp-unicode-within-string.js: Added.
1269
1270 2019-02-15  Mark Lam  <mark.lam@apple.com>
1271
1272         SamplingProfiler::stackTracesAsJSON() should escape strings.
1273         https://bugs.webkit.org/show_bug.cgi?id=194649
1274         <rdar://problem/48072386>
1275
1276         Reviewed by Saam Barati.
1277
1278         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1279         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1280         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1281         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1282
1283 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1284         CodeBlock::jettison should clear related watchpoints
1285         https://bugs.webkit.org/show_bug.cgi?id=194544
1286
1287         Reviewed by Mark Lam.
1288
1289         * stress/regexp-replace-double-watchpoint.js: Added.
1290         (foo):
1291
1292 2019-02-15  Saam barati  <sbarati@apple.com>
1293
1294         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1295         https://bugs.webkit.org/show_bug.cgi?id=194036
1296
1297         Reviewed by Yusuke Suzuki.
1298
1299         * stress/tail-call-many-arguments.js: Added.
1300         (foo):
1301         (bar):
1302
1303 2019-02-14  Saam Barati  <sbarati@apple.com>
1304
1305         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1306         https://bugs.webkit.org/show_bug.cgi?id=194583
1307         <rdar://problem/48028140>
1308
1309         Reviewed by Yusuke Suzuki.
1310
1311         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1312
1313 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1314
1315         [JSC] String.fromCharCode's slow path always generates 16bit string
1316         https://bugs.webkit.org/show_bug.cgi?id=194466
1317
1318         Reviewed by Keith Miller.
1319
1320         * stress/string-from-char-code-slow-path.js: Added.
1321         (shouldBe):
1322         (testWithLength):
1323
1324 2019-02-08  Saam barati  <sbarati@apple.com>
1325
1326         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1327         https://bugs.webkit.org/show_bug.cgi?id=194334
1328         <rdar://problem/47844327>
1329
1330         Reviewed by Mark Lam.
1331
1332         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1333         (func):
1334
1335 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1336
1337         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1338         https://bugs.webkit.org/show_bug.cgi?id=194369
1339         <rdar://problem/47813087>
1340
1341         Reviewed by Saam Barati.
1342
1343         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1344         (A):
1345
1346 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1347
1348         [JSC] PrivateName to PublicName hash table is wasteful
1349         https://bugs.webkit.org/show_bug.cgi?id=194277
1350
1351         Reviewed by Michael Saboff.
1352
1353         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1354
1355         * ChakraCore.yaml:
1356
1357 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1358
1359         [ARM] Test running out of executable memory
1360         https://bugs.webkit.org/show_bug.cgi?id=194285
1361
1362         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1363         executable memory otherwise.
1364
1365         * stress/class-subclassing-function.js:
1366
1367 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1368
1369         when lowering AssertNotEmpty, create the value before creating the patchpoint
1370         https://bugs.webkit.org/show_bug.cgi?id=194231
1371
1372         Reviewed by Saam Barati.
1373
1374         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1375         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1376         So even tiny changes to this test can change the path code taken.
1377
1378         * stress/assert-not-empty.js: Added.
1379         (foo):
1380
1381 2019-02-01  Mark Lam  <mark.lam@apple.com>
1382
1383         Remove invalid assertion in DFG's compileDoubleRep().
1384         https://bugs.webkit.org/show_bug.cgi?id=194130
1385         <rdar://problem/47699474>
1386
1387         Reviewed by Saam Barati.
1388
1389         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1390
1391 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1392
1393         Import latest Test262 updates.
1394
1395         Rubber-stamped by Keith Miller.
1396
1397         * test262.yaml: Deleted.
1398         * test262/config.yaml:
1399         * test262/expectations.yaml:
1400         * test262/latest-changes-summary.txt:
1401         * test262/test/:
1402         * test262/test262-Revision.txt:
1403
1404 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1405
1406         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1407         https://bugs.webkit.org/show_bug.cgi?id=194050
1408         <rdar://problem/47595592>
1409
1410         Reviewed by Yusuke Suzuki.
1411
1412         * stress/object-keys-osr-exit.js: Added.
1413         (foo):
1414         (catch):
1415
1416 2019-01-29  Mark Lam  <mark.lam@apple.com>
1417
1418         ValueRecovery::recover() should purify NaN values it recovers.
1419         https://bugs.webkit.org/show_bug.cgi?id=193978
1420         <rdar://problem/47625488>
1421
1422         Reviewed by Saam Barati.
1423
1424         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1425
1426 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1427
1428         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1429         https://bugs.webkit.org/show_bug.cgi?id=193713
1430
1431         * stress/try-get-by-id-should-spill-registers-dfg.js:
1432         (let.f.createBuiltin):
1433
1434 2019-01-28  Mark Lam  <mark.lam@apple.com>
1435
1436         ToString node actually does GC.
1437         https://bugs.webkit.org/show_bug.cgi?id=193920
1438         <rdar://problem/46695900>
1439
1440         Reviewed by Yusuke Suzuki.
1441
1442         * stress/dfg-to-string-on-int-does-gc.js: Added.
1443         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1444         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1445
1446 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1447
1448         [JSC] NativeErrorConstructor should not have own IsoSubspace
1449         https://bugs.webkit.org/show_bug.cgi?id=193713
1450
1451         Reviewed by Saam Barati.
1452
1453         Remove @Error use.
1454
1455         * stress/try-get-by-id-should-spill-registers-dfg.js:
1456         (let.f.createBuiltin):
1457
1458 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1459
1460         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1461         https://bugs.webkit.org/show_bug.cgi?id=190693
1462
1463         Reviewed by Michael Saboff.
1464
1465         * stress/regress-190693.js: Added.
1466         (truth):
1467         (assert):
1468         (shouldThrowInvalidConstAssignment):
1469         (taz):
1470
1471 2019-01-24  Saam Barati  <sbarati@apple.com>
1472
1473         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1474         https://bugs.webkit.org/show_bug.cgi?id=193751
1475         <rdar://problem/47280215>
1476
1477         Reviewed by Michael Saboff.
1478
1479         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1480         (let.thing):
1481         (foo.let.hello):
1482         (foo):
1483
1484 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1485
1486         [JSC] Reenable baseline JIT on mips
1487         https://bugs.webkit.org/show_bug.cgi?id=192983
1488
1489         Reviewed by Mark Lam.
1490
1491         Added a new test for a case that was triggering a RELEASE_ASSERT when
1492         testing.
1493         Disable some slow tests that were already disabled for arm and x86.
1494
1495         * stress/json-parse-big-object.js: Added.
1496         * stress/new-largeish-contiguous-array-with-size.js:
1497         * stress/op_add.js:
1498         * stress/op_bitand.js:
1499         * stress/op_bitor.js:
1500         * stress/op_bitxor.js:
1501         * stress/op_lshift-ConstVar.js:
1502         * stress/op_lshift-VarConst.js:
1503         * stress/op_lshift-VarVar.js:
1504         * stress/op_mod-ConstVar.js:
1505         * stress/op_mod-VarConst.js:
1506         * stress/op_mod-VarVar.js:
1507         * stress/op_mul-ConstVar.js:
1508         * stress/op_mul-VarConst.js:
1509         * stress/op_mul-VarVar.js:
1510         * stress/op_rshift-ConstVar.js:
1511         * stress/op_rshift-VarConst.js:
1512         * stress/op_rshift-VarVar.js:
1513         * stress/op_sub-ConstVar.js:
1514         * stress/op_sub-VarConst.js:
1515         * stress/op_sub-VarVar.js:
1516         * stress/op_urshift-ConstVar.js:
1517         * stress/op_urshift-VarConst.js:
1518         * stress/op_urshift-VarVar.js:
1519         * stress/sampling-profiler-richards.js:
1520         * stress/spread-forward-call-varargs-stack-overflow.js:
1521
1522 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1523
1524         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1525         https://bugs.webkit.org/show_bug.cgi?id=193711
1526         <rdar://problem/47250262>
1527
1528         Reviewed by Saam Barati.
1529
1530         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1531         (shouldBe):
1532         (foo):
1533         (bar):
1534         (baz):
1535
1536 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1537
1538         Unreviewed, fix initial global lexical binding epoch
1539         https://bugs.webkit.org/show_bug.cgi?id=193603
1540         <rdar://problem/47380869>
1541
1542         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1543         (f1.f2.f3.f4):
1544         (f1.f2.f3):
1545         (f1.f2):
1546         (f1):
1547
1548 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1549
1550         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1551         https://bugs.webkit.org/show_bug.cgi?id=193709
1552         <rdar://problem/47363838>
1553
1554         Unreviewed, rollout to watch the tests.
1555
1556         * stress/object-tostring-changed-proto.js: Removed.
1557         * stress/object-tostring-changed.js: Removed.
1558         * stress/object-tostring-misc.js: Removed.
1559         * stress/object-tostring-other.js: Removed.
1560         * stress/object-tostring-untyped.js: Removed.
1561
1562 2019-01-22  Saam Barati  <sbarati@apple.com>
1563
1564         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1565
1566         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1567         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1568         (testUncheckedLessThanZero):
1569         (testUncheckedLessThanOrEqualZero):
1570         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1571         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1572
1573 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1574
1575         [JSC] Invalidate old scope operations using global lexical binding epoch
1576         https://bugs.webkit.org/show_bug.cgi?id=193603
1577         <rdar://problem/47380869>
1578
1579         Reviewed by Saam Barati.
1580
1581         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1582         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1583         (shouldThrow):
1584         (bar):
1585         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1586         (shouldBe):
1587         (get1):
1588         (get2):
1589         (get1If):
1590         (get2If):
1591         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1592         (shouldThrow):
1593         (foo):
1594
1595 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1596
1597         Unreviewed, roll out r240220 due to date-format-xparb regression
1598         https://bugs.webkit.org/show_bug.cgi?id=193603
1599
1600         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1601         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1602         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1603         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1604
1605 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1606
1607         DoesGC rule is wrong for nodes with BigIntUse
1608         https://bugs.webkit.org/show_bug.cgi?id=193652
1609
1610         Reviewed by Saam Barati.
1611
1612         * stress/big-int-value-op-update-gc-rules.js: Added.
1613         (assert):
1614         (doesGCAdd):
1615         (doesGCSub):
1616         (doesGCDiv):
1617         (doesGCMul):
1618         (doesGCBitAnd):
1619         (doesGCBitOr):
1620         (doesGCBitXor):
1621
1622 2019-01-20  Saam Barati  <sbarati@apple.com>
1623
1624         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1625         https://bugs.webkit.org/show_bug.cgi?id=193644
1626         <rdar://problem/46209745>
1627
1628         Reviewed by Yusuke Suzuki.
1629
1630         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1631         (foo):
1632         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1633         (foo):
1634         (bar):
1635
1636 2019-01-20  Saam Barati  <sbarati@apple.com>
1637
1638         MovHint must merge NodeBytecodeUsesAsValue for its child
1639         https://bugs.webkit.org/show_bug.cgi?id=186916
1640         <rdar://problem/41396612>
1641
1642         Reviewed by Yusuke Suzuki.
1643
1644         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1645         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1646
1647 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1648
1649         [JSC] Invalidate old scope operations using global lexical binding epoch
1650         https://bugs.webkit.org/show_bug.cgi?id=193603
1651         <rdar://problem/47380869>
1652
1653         Reviewed by Saam Barati.
1654
1655         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1656         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1657         (shouldThrow):
1658         (bar):
1659         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1660         (shouldBe):
1661         (get1):
1662         (get2):
1663         (get1If):
1664         (get2If):
1665         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1666         (shouldThrow):
1667         (foo):
1668
1669 2019-01-17  Saam barati  <sbarati@apple.com>
1670
1671         StringObjectUse should not be a structure check for the original string object structure
1672         https://bugs.webkit.org/show_bug.cgi?id=193483
1673         <rdar://problem/47280522>
1674
1675         Reviewed by Yusuke Suzuki.
1676
1677         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1678         (foo):
1679         (a.valueOf.0):
1680
1681 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1682
1683         [JSC] ToThis omission in DFGByteCodeParser is wrong
1684         https://bugs.webkit.org/show_bug.cgi?id=193513
1685         <rdar://problem/45842236>
1686
1687         Reviewed by Saam Barati.
1688
1689         * stress/to-this-omission-with-different-strict-modes.js: Added.
1690         (thisA):
1691         (thisAStrictWrapper):
1692
1693 2019-01-15  Mark Lam  <mark.lam@apple.com>
1694
1695         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1696         https://bugs.webkit.org/show_bug.cgi?id=193423
1697         <rdar://problem/46209355>
1698
1699         Reviewed by Saam Barati.
1700
1701         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1702         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1703         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1704         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1705
1706 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1707
1708         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1709         https://bugs.webkit.org/show_bug.cgi?id=193438
1710         <rdar://problem/45581249>
1711
1712         Reviewed by Saam Barati and Keith Miller.
1713
1714         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1715         Then, GetByVal(String) crashed.
1716
1717         * stress/string-get-by-val-lowering.js: Added.
1718         (shouldBe):
1719         (test):
1720         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1721         (Hello):
1722         (foo):
1723
1724 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1725
1726         Unreviewed, skip JIT tests if it's not enabled
1727
1728         * stress/bit-op-with-object-returning-int32.js:
1729
1730 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1731
1732         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1733         https://bugs.webkit.org/show_bug.cgi?id=192966
1734
1735         Reviewed by Yusuke Suzuki.
1736
1737         * stress/bit-op-with-object-returning-int32.js: Added.
1738
1739 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1740
1741         Skip a slow test and a flakey test on arm
1742
1743         Unreviewed gardening.
1744
1745         * typeProfiler/getter-richards.js:
1746         this test always times out, it used to be always skipped on arm and
1747         mips, but got accidentally enabled by r237919 now that we have DFG on
1748         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1749
1750 2019-01-14  Keith Miller  <keith_miller@apple.com>
1751
1752         Skip type-check-hoisting-phase-hoist... with no jit
1753         https://bugs.webkit.org/show_bug.cgi?id=193421
1754
1755         Reviewed by Mark Lam.
1756
1757         It's timing out the 32-bit bots and takes 330 seconds
1758         on my machine when run by itself.
1759
1760         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1761
1762 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1763
1764         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1765         https://bugs.webkit.org/show_bug.cgi?id=193413
1766         <rdar://problem/46092389>
1767
1768         Reviewed by Keith Miller.
1769
1770         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1771         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1772         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1773         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1774
1775         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1776         (compareArray):
1777
1778 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1779
1780         [BigInt] Literal parsing is crashing when used inside a Object Literal
1781         https://bugs.webkit.org/show_bug.cgi?id=193404
1782
1783         Reviewed by Yusuke Suzuki.
1784
1785         * stress/big-int-literal-inside-literal-object.js: Added.
1786
1787 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1788
1789         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1790         https://bugs.webkit.org/show_bug.cgi?id=193372
1791
1792         Reviewed by Saam Barati.
1793
1794         * stress/typed-array-array-modes-profile.js: Added.
1795         (foo):
1796
1797 2019-01-14  Mark Lam  <mark.lam@apple.com>
1798
1799         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1800         https://bugs.webkit.org/show_bug.cgi?id=193402
1801         <rdar://problem/46012309>
1802
1803         Reviewed by Keith Miller.
1804
1805         * stress/regexp-compile-oom.js:
1806         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1807           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1808
1809 2019-01-11  Saam barati  <sbarati@apple.com>
1810
1811         DFG combined liveness can be wrong for terminal basic blocks
1812         https://bugs.webkit.org/show_bug.cgi?id=193304
1813         <rdar://problem/45268632>
1814
1815         Reviewed by Yusuke Suzuki.
1816
1817         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1818
1819 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1820
1821         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1822         https://bugs.webkit.org/show_bug.cgi?id=193308
1823         <rdar://problem/45546542>
1824
1825         Reviewed by Saam Barati.
1826
1827         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1828         (shouldThrow):
1829         (shouldBe):
1830         (foo):
1831         (get shouldThrow):
1832         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1833         (shouldThrow):
1834         (shouldBe):
1835         (foo):
1836         (get shouldBe):
1837         (get shouldThrow):
1838         (get return):
1839         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1840         (shouldThrow):
1841         (shouldBe):
1842         (foo):
1843         (get shouldBe):
1844         (get shouldThrow):
1845         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1846         (shouldThrow):
1847         (shouldBe):
1848         (foo):
1849         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1850         (shouldThrow):
1851         (shouldBe):
1852         (foo):
1853         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1854         (shouldThrow):
1855         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1856         (shouldThrow):
1857         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1858         (shouldThrow):
1859         (shouldBe):
1860         (foo):
1861         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1862         (shouldThrow):
1863         (shouldBe):
1864         (foo):
1865         (get shouldBe):
1866         (get shouldThrow):
1867         (get return):
1868         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1869         (shouldThrow):
1870         (shouldBe):
1871         (foo):
1872         (get shouldBe):
1873         (get shouldThrow):
1874         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1875         (shouldThrow):
1876         (shouldBe):
1877         (foo):
1878         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1879         (shouldThrow):
1880         (shouldBe):
1881         (foo):
1882
1883 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1884
1885         Enable DFG on ARM/Linux again
1886         https://bugs.webkit.org/show_bug.cgi?id=192496
1887
1888         Reviewed by Yusuke Suzuki.
1889
1890         Test wasn't really skipped before moving the line with skip
1891         to the top.
1892
1893         * stress/regress-192717.js:
1894
1895 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1896
1897         Unreviewed, rolling out r239825.
1898         https://bugs.webkit.org/show_bug.cgi?id=193330
1899
1900         Broke tests on armv7/linux bots (Requested by guijemont on
1901         #webkit).
1902
1903         Reverted changeset:
1904
1905         "Enable DFG on ARM/Linux again"
1906         https://bugs.webkit.org/show_bug.cgi?id=192496
1907         https://trac.webkit.org/changeset/239825
1908
1909 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1910
1911         Enable DFG on ARM/Linux again
1912         https://bugs.webkit.org/show_bug.cgi?id=192496
1913
1914         Reviewed by Yusuke Suzuki.
1915
1916         Test wasn't really skipped before moving the line with skip
1917         to the top.
1918
1919         * stress/regress-192717.js:
1920
1921 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1922
1923         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1924         https://bugs.webkit.org/show_bug.cgi?id=193127
1925
1926         Reviewed by Saam Barati.
1927
1928         * stress/array-species-create-should-handle-masquerader.js: Added.
1929         (shouldThrow):
1930         * stress/is-undefined-or-null-builtin.js: Added.
1931         (shouldBe):
1932         (isUndefinedOrNull.vm.createBuiltin):
1933
1934 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1935
1936         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1937         https://bugs.webkit.org/show_bug.cgi?id=193221
1938
1939         Reviewed by Mark Lam.
1940
1941         * stress/put-by-id-flags.js: Added.
1942         (f):
1943         (g):
1944         (numberOfDFGCompiles):
1945
1946 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1947
1948         Baseline version of get_by_id may corrupt metadata
1949         https://bugs.webkit.org/show_bug.cgi?id=193085
1950         <rdar://problem/23453006>
1951
1952         Reviewed by Saam Barati.
1953
1954         * stress/get-by-id-change-mode.js: Added.
1955         (forEach):
1956
1957 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1958
1959         [JSC] Optimize Object.prototype.toString
1960         https://bugs.webkit.org/show_bug.cgi?id=193031
1961
1962         Reviewed by Saam Barati.
1963
1964         * stress/object-tostring-changed-proto.js: Added.
1965         (shouldBe):
1966         (test):
1967         * stress/object-tostring-changed.js: Added.
1968         (shouldBe):
1969         (test):
1970         * stress/object-tostring-misc.js: Added.
1971         (shouldBe):
1972         (test):
1973         (i.switch):
1974         * stress/object-tostring-other.js: Added.
1975         (shouldBe):
1976         (test):
1977         * stress/object-tostring-untyped.js: Added.
1978         (shouldBe):
1979         (test):
1980         (i.switch):
1981
1982 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1983
1984         test262-runner misbehaves when test file YAML has a trailing space
1985         https://bugs.webkit.org/show_bug.cgi?id=193053
1986
1987         Reviewed by Yusuke Suzuki.
1988
1989         * test262/expectations.yaml:
1990         Mark two dozen tests as passing (and correct the output of another).
1991
1992 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1993
1994         Unreviewed, JSTests gardening with memoryLimited
1995
1996         * stress/string-overflow-createError.js:
1997
1998 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1999
2000         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2001         https://bugs.webkit.org/show_bug.cgi?id=193050
2002
2003         Reviewed by Yusuke Suzuki.
2004
2005         * test262.yaml:
2006         * test262/expectations.yaml:
2007         Mark 16 tests as passing.
2008
2009 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2010
2011         [BigInt] Support BigInt in JSON.stringify
2012         https://bugs.webkit.org/show_bug.cgi?id=192624
2013
2014         Reviewed by Saam Barati.
2015
2016         * stress/big-int-json-stringify-to-json.js: Added.
2017         (shouldBe):
2018         (shouldThrow):
2019         (BigInt.prototype.toJSON):
2020         (shouldBe.JSON.stringify):
2021         * stress/big-int-json-stringify.js: Added.
2022         (shouldBe):
2023         (shouldThrow):
2024
2025 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2026
2027         [JSC] Implement "well-formed JSON.stringify" proposal
2028         https://bugs.webkit.org/show_bug.cgi?id=191677
2029
2030         Reviewed by Darin Adler.
2031
2032         * stress/json-surrogate-pair.js: Added.
2033         (shouldBe):
2034         * test262/expectations.yaml:
2035
2036 2018-12-20  Keith Miller  <keith_miller@apple.com>
2037
2038         Add support for globalThis
2039         https://bugs.webkit.org/show_bug.cgi?id=165171
2040
2041         Reviewed by Mark Lam.
2042
2043         * test262/config.yaml:
2044
2045 2018-12-19  Keith Miller  <keith_miller@apple.com>
2046
2047         Update test262 configuration to not run tests dependent on ICU version.
2048         https://bugs.webkit.org/show_bug.cgi?id=192920
2049
2050         Reviewed by Saam Barati.
2051
2052         * test262/expectations.yaml:
2053
2054 2018-12-20  Mark Lam  <mark.lam@apple.com>
2055
2056         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2057         https://bugs.webkit.org/show_bug.cgi?id=192939
2058         <rdar://problem/46869516>
2059
2060         Reviewed by Keith Miller.
2061
2062         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2063
2064 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2065
2066         WTF::String and StringImpl overflow MaxLength
2067         https://bugs.webkit.org/show_bug.cgi?id=192853
2068         <rdar://problem/45726906>
2069
2070         Reviewed by Mark Lam.
2071
2072         * stress/string-16bit-repeat-overflow.js: Added.
2073         (catch):
2074
2075 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2076
2077         Unreviewed follow-up to r192914.
2078
2079         * test262/expectations.yaml:
2080         Add the last 20 missing expectations.
2081
2082 2018-12-19  Keith Miller  <keith_miller@apple.com>
2083
2084         Fix test262 expectations
2085         https://bugs.webkit.org/show_bug.cgi?id=192914
2086
2087         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2088
2089         * test262/expectations.yaml:
2090
2091 2018-12-19  Keith Miller  <keith_miller@apple.com>
2092
2093         Update test262 tests.
2094         https://bugs.webkit.org/show_bug.cgi?id=192907
2095
2096         Rubber stamped by Mark Lam.
2097
2098         * test262/*: Omitted because prepare-changelog crashes.
2099
2100 2018-12-19  Mark Lam  <mark.lam@apple.com>
2101
2102         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2103         https://bugs.webkit.org/show_bug.cgi?id=192464
2104         <rdar://problem/46519455>
2105
2106         Reviewed by Saam Barati.
2107
2108         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2109         microbenchmark.
2110
2111         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2112         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2113
2114 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2115
2116         String overflow in JSC::createError results in ASSERT in WTF::makeString
2117         https://bugs.webkit.org/show_bug.cgi?id=192833
2118         <rdar://problem/45706868>
2119
2120         Reviewed by Mark Lam.
2121
2122         * stress/string-overflow-createError.js: Added.
2123
2124 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2125
2126         Error message for `-x ** y` contains a typo.
2127         https://bugs.webkit.org/show_bug.cgi?id=192832
2128
2129         Reviewed by Saam Barati.
2130
2131         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2132         (assert.assert.return.throws):
2133         * stress/pow-expects-update-expression-on-lhs.js:
2134         (throw.new.Error):
2135         Update test expectations which match against the exact error message.
2136
2137 2018-12-18  Mark Lam  <mark.lam@apple.com>
2138
2139         Gardening: test options fix.
2140         https://bugs.webkit.org/show_bug.cgi?id=192822
2141
2142         Unreviewed.
2143
2144         * stress/json-stringify-string-builder-overflow.js:
2145
2146 2018-12-18  Mark Lam  <mark.lam@apple.com>
2147
2148         JSON.stringify() should throw OOM on StringBuilder overflows.
2149         https://bugs.webkit.org/show_bug.cgi?id=192822
2150         <rdar://problem/46670577>
2151
2152         Reviewed by Saam Barati.
2153
2154         * stress/json-stringify-string-builder-overflow.js: Added.
2155
2156 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2157
2158         Redeclaration of var over let/const/class should be a syntax error.
2159         https://bugs.webkit.org/show_bug.cgi?id=192298
2160
2161         Reviewed by Keith Miller.
2162
2163         * test262.yaml:
2164         * test262/expectations.yaml:
2165         Mark 46 tests as passing.
2166
2167         * stress/block-scope-redeclarations.js:
2168         Add some new tests.
2169
2170         * stress/for-in-invalidate-context-weird-assignments.js:
2171         * stress/for-in-tests.js:
2172         Replace tests for outdated behavior with tests for SyntaxError.
2173
2174         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2175         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2176         Update expectations.
2177
2178 2018-12-18  Mark Lam  <mark.lam@apple.com>
2179
2180         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2181         https://bugs.webkit.org/show_bug.cgi?id=191374
2182         <rdar://problem/46525447>
2183
2184         Reviewed by Yusuke Suzuki.
2185
2186         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2187
2188         * stress/elidable-new-object-roflcopter-then-exit.js:
2189
2190 2018-12-17  Mark Lam  <mark.lam@apple.com>
2191
2192         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2193         https://bugs.webkit.org/show_bug.cgi?id=192019
2194         <rdar://problem/46525456>
2195
2196         Reviewed by Yusuke Suzuki.
2197
2198         The test runs too slow on 32-bit.
2199
2200         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2201
2202 2018-12-17  Mark Lam  <mark.lam@apple.com>
2203
2204         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2205         https://bugs.webkit.org/show_bug.cgi?id=191373
2206         <rdar://problem/46525458>
2207
2208         Reviewed by Yusuke Suzuki.
2209
2210         The test is already slow running with a JIT on 64-bit.  It will always time out
2211         on 32-bit without a JIT.
2212
2213         * stress/materialize-regexp-cyclic-regexp.js:
2214
2215 2018-12-17  Mark Lam  <mark.lam@apple.com>
2216
2217         Array unshift/shift should not race against the AI in the compiler thread.
2218         https://bugs.webkit.org/show_bug.cgi?id=192795
2219         <rdar://problem/46724263>
2220
2221         Reviewed by Saam Barati.
2222
2223         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2224
2225 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2226
2227         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2228         https://bugs.webkit.org/show_bug.cgi?id=190047
2229
2230         Reviewed by Saam Barati.
2231
2232         * stress/object-keys-cached-zero.js: Added.
2233         (shouldBe):
2234         (test):
2235         * stress/object-keys-changed-attribute.js: Added.
2236         (shouldBe):
2237         (test):
2238         * stress/object-keys-changed-index.js: Added.
2239         (shouldBe):
2240         (test):
2241         * stress/object-keys-changed.js: Added.
2242         (shouldBe):
2243         (test):
2244         * stress/object-keys-indexed-non-cache.js: Added.
2245         (shouldBe):
2246         (test):
2247         * stress/object-keys-overrides-get-property-names.js: Added.
2248         (shouldBe):
2249         (test):
2250         (noInline):
2251
2252 2018-12-17  Mark Lam  <mark.lam@apple.com>
2253
2254         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2255         https://bugs.webkit.org/show_bug.cgi?id=192779
2256         <rdar://problem/46775869>
2257
2258         Reviewed by Saam Barati.
2259
2260         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2261
2262 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2263
2264         Unreviewed test gardening, address a syntax error in a new test.
2265
2266         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2267
2268 2018-12-17  Mark Lam  <mark.lam@apple.com>
2269
2270         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2271         https://bugs.webkit.org/show_bug.cgi?id=192776
2272         <rdar://problem/46772368>
2273
2274         Reviewed by Keith Miller.
2275
2276         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2277
2278 2018-12-17  Mark Lam  <mark.lam@apple.com>
2279
2280         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2281         https://bugs.webkit.org/show_bug.cgi?id=192770
2282         <rdar://problem/46449037>
2283
2284         Reviewed by Keith Miller.
2285
2286         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2287
2288 2018-12-14  Mark Lam  <mark.lam@apple.com>
2289
2290         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2291         https://bugs.webkit.org/show_bug.cgi?id=192717
2292         <rdar://problem/46660677>
2293
2294         Reviewed by Saam Barati.
2295
2296         * stress/regress-192717.js: Added.
2297
2298 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2299
2300         Unreviewed, rolling out r239153, r239154, and r239155.
2301         https://bugs.webkit.org/show_bug.cgi?id=192715
2302
2303         Caused flaky GC-related crashes seen with layout tests
2304         (Requested by ryanhaddad on #webkit).
2305
2306         Reverted changesets:
2307
2308         "[JSC] Optimize Object.keys by caching own keys results in
2309         StructureRareData"
2310         https://bugs.webkit.org/show_bug.cgi?id=190047
2311         https://trac.webkit.org/changeset/239153
2312
2313         "Unreviewed, build fix after r239153"
2314         https://bugs.webkit.org/show_bug.cgi?id=190047
2315         https://trac.webkit.org/changeset/239154
2316
2317         "Unreviewed, build fix after r239153, part 2"
2318         https://bugs.webkit.org/show_bug.cgi?id=190047
2319         https://trac.webkit.org/changeset/239155
2320
2321 2018-12-14  Keith Miller  <keith_miller@apple.com>
2322
2323         Callers of JSString::getIndex should check for OOM exceptions
2324         https://bugs.webkit.org/show_bug.cgi?id=192709
2325
2326         Reviewed by Mark Lam.
2327
2328         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2329
2330 2018-12-13  Mark Lam  <mark.lam@apple.com>
2331
2332         Add a missing exception check.
2333         https://bugs.webkit.org/show_bug.cgi?id=192626
2334         <rdar://problem/46662163>
2335
2336         Reviewed by Keith Miller.
2337
2338         * stress/regress-192626.js: Added.
2339
2340 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2341
2342         [BigInt] Add ValueDiv into DFG
2343         https://bugs.webkit.org/show_bug.cgi?id=186178
2344
2345         Reviewed by Yusuke Suzuki.
2346
2347         * stress/big-int-div-jit-osr.js: Added.
2348         * stress/big-int-div-jit-untyped.js: Added.
2349         * stress/value-div-fixup-int32-big-int.js: Added.
2350
2351 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2352
2353         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2354         https://bugs.webkit.org/show_bug.cgi?id=190047
2355
2356         Reviewed by Keith Miller.
2357
2358         * stress/object-keys-cached-zero.js: Added.
2359         (shouldBe):
2360         (test):
2361         * stress/object-keys-changed-attribute.js: Added.
2362         (shouldBe):
2363         (test):
2364         * stress/object-keys-changed-index.js: Added.
2365         (shouldBe):
2366         (test):
2367         * stress/object-keys-changed.js: Added.
2368         (shouldBe):
2369         (test):
2370         * stress/object-keys-indexed-non-cache.js: Added.
2371         (shouldBe):
2372         (test):
2373         * stress/object-keys-overrides-get-property-names.js: Added.
2374         (shouldBe):
2375         (test):
2376         (noInline):
2377
2378 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2379
2380         [DFG][FTL] Add NewSymbol
2381         https://bugs.webkit.org/show_bug.cgi?id=192620
2382
2383         Reviewed by Saam Barati.
2384
2385         * microbenchmarks/symbol-creation.js: Added.
2386         (test):
2387         * stress/symbol-description-identity.js: Added.
2388         (shouldBe):
2389         (test):
2390         * stress/symbol-identity.js: Added.
2391         (shouldBe):
2392         (test):
2393         * stress/symbol-with-description-throw-error.js: Added.
2394         (shouldBe):
2395         (shouldThrow):
2396         (test):
2397         (object.toString):
2398
2399 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2400
2401         [BigInt] Implement DFG/FTL typeof for BigInt
2402         https://bugs.webkit.org/show_bug.cgi?id=192619
2403
2404         Reviewed by Keith Miller.
2405
2406         * stress/big-int-boolean-proven-type.js: Added.
2407         (assert):
2408         (bool):
2409         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2410         (assert):
2411         (typeOf):
2412         (i.switch):
2413         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2414         (assert):
2415         (typeOf):
2416         * stress/big-int-type-of.js:
2417         (typeOf):
2418         (func):
2419
2420 2018-12-10  Mark Lam  <mark.lam@apple.com>
2421
2422         PropertyAttribute needs a CustomValue bit.
2423         https://bugs.webkit.org/show_bug.cgi?id=191993
2424         <rdar://problem/46264467>
2425
2426         Reviewed by Saam Barati.
2427
2428         * stress/regress-191993.js: Added.
2429
2430 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2431
2432         [BigInt] Add ValueMul into DFG
2433         https://bugs.webkit.org/show_bug.cgi?id=186175
2434
2435         Reviewed by Yusuke Suzuki.
2436
2437         * stress/big-int-mul-jit-osr.js: Added.
2438         * stress/big-int-mul-jit-untyped.js: Added.
2439         * stress/value-mul-fixup-int32-big-int.js: Added.
2440
2441 2018-12-06  Keith Miller  <keith_miller@apple.com>
2442
2443         stress/big-wasm-memory tests failing on 32-bit JSC bot
2444         https://bugs.webkit.org/show_bug.cgi?id=192020
2445
2446         Reviewed by Saam Barati.
2447
2448         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2449         the wasm stress tests if the WebAssembly object does not exist.
2450
2451         * stress/big-wasm-memory-grow-no-max.js:
2452         (test.foo):
2453         (test):
2454         (foo): Deleted.
2455         (catch): Deleted.
2456         * stress/big-wasm-memory-grow.js:
2457         (test.foo):
2458         (test):
2459         (foo): Deleted.
2460         (catch): Deleted.
2461         * stress/big-wasm-memory.js:
2462         (test.foo):
2463         (test):
2464         (foo): Deleted.
2465         (catch): Deleted.
2466
2467 2018-12-05  Mark Lam  <mark.lam@apple.com>
2468
2469         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2470         https://bugs.webkit.org/show_bug.cgi?id=192441
2471         <rdar://problem/46480355>
2472
2473         Reviewed by Saam Barati.
2474
2475         * stress/regress-192441.js: Added.
2476
2477 2018-12-04  Mark Lam  <mark.lam@apple.com>
2478
2479         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2480         https://bugs.webkit.org/show_bug.cgi?id=192386
2481         <rdar://problem/46445516>
2482
2483         Reviewed by Saam Barati.
2484
2485         * stress/regress-192386.js: Added.
2486
2487 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2488
2489         [ESNext][BigInt] Support logic operations
2490         https://bugs.webkit.org/show_bug.cgi?id=179903
2491
2492         Reviewed by Yusuke Suzuki.
2493
2494         * stress/big-int-branch-usage.js: Added.
2495         * stress/big-int-logical-and.js: Added.
2496         * stress/big-int-logical-not.js: Added.
2497         * stress/big-int-logical-or.js: Added.
2498
2499 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2500
2501         Unreviewed, rolling out r238833.
2502
2503         Breaks macOS and iOS debug builds.
2504
2505         Reverted changeset:
2506
2507         "[ESNext][BigInt] Support logic operations"
2508         https://bugs.webkit.org/show_bug.cgi?id=179903
2509         https://trac.webkit.org/changeset/238833
2510
2511 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2512
2513         [ESNext][BigInt] Support logic operations
2514         https://bugs.webkit.org/show_bug.cgi?id=179903
2515
2516         Reviewed by Yusuke Suzuki.
2517
2518         * stress/big-int-branch-usage.js: Added.
2519         * stress/big-int-logical-and.js: Added.
2520         * stress/big-int-logical-not.js: Added.
2521         * stress/big-int-logical-or.js: Added.
2522
2523 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2524
2525         [ESNext][BigInt] Implement support for "<<" and ">>"
2526         https://bugs.webkit.org/show_bug.cgi?id=186233
2527
2528         Reviewed by Yusuke Suzuki.
2529
2530         * stress/big-int-left-shift-general.js: Added.
2531         * stress/big-int-left-shift-range-error.js: Added.
2532         * stress/big-int-left-shift-type-error.js: Added.
2533         * stress/big-int-left-shift-wrapped-value.js: Added.
2534         * stress/big-int-right-shift-general.js: Added.
2535         * stress/big-int-right-shift-type-error.js: Added.
2536         * stress/big-int-right-shift-wrapped-value.js: Added.
2537         * stress/left-shift-to-primitive-precedence.js: Added.
2538         * stress/right-shift-to-primitive-precedence.js: Added.
2539
2540 2018-11-30  Dean Jackson  <dino@apple.com>
2541
2542         Add first-class support for .mjs files in jsc binary
2543         https://bugs.webkit.org/show_bug.cgi?id=192190
2544         <rdar://problem/46375715>
2545
2546         Reviewed by Keith Miller.
2547
2548         * stress/simple-module.mjs: Added.
2549         * stress/simple-script.js: Added.
2550
2551 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2552
2553         [BigInt] Implement ValueBitXor into DFG
2554         https://bugs.webkit.org/show_bug.cgi?id=190264
2555
2556         Reviewed by Yusuke Suzuki.
2557
2558         * stress/big-int-bitwise-xor-jit.js: Added.
2559         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2560         * stress/big-int-bitwise-xor-untyped.js: Added.
2561
2562 2018-11-27  Saam barati  <sbarati@apple.com>
2563
2564         r238510 broke scopes of size zero
2565         https://bugs.webkit.org/show_bug.cgi?id=192033
2566         <rdar://problem/46281734>
2567
2568         Reviewed by Keith Miller.
2569
2570         * stress/r238510-bad-loop.js: Added.
2571         (foo):
2572
2573 2018-11-27  Mark Lam  <mark.lam@apple.com>
2574
2575         [Re-landing] NaNs read from Wasm code needs to be purified.
2576         https://bugs.webkit.org/show_bug.cgi?id=191056
2577         <rdar://problem/45660341>
2578
2579         Reviewed by Filip Pizlo.
2580
2581         * wasm/regress/regress-191056.js: Added.
2582
2583 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2584
2585         Unreviewed, rolling out r238509.
2586
2587         Causes JSC tests to fail on iOS.
2588
2589         Reverted changeset:
2590
2591         "NaNs read from Wasm code needs to be purified."
2592         https://bugs.webkit.org/show_bug.cgi?id=191056
2593         https://trac.webkit.org/changeset/238509
2594
2595 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2596
2597         Re-introduce op_bitnot
2598         https://bugs.webkit.org/show_bug.cgi?id=190923
2599
2600         Reviewed by Yusuke Suzuki.
2601
2602         * stress/bit-not-must-generate.js: Added.
2603         * stress/bitwise-not-no-int32.js: Added.
2604
2605 2018-11-26  Saam barati  <sbarati@apple.com>
2606
2607         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2608         https://bugs.webkit.org/show_bug.cgi?id=191956
2609         <rdar://problem/45665806>
2610
2611         Reviewed by Yusuke Suzuki.
2612
2613         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2614         (bar):
2615         (foo):
2616
2617 2018-11-26  Saam barati  <sbarati@apple.com>
2618
2619         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2620         https://bugs.webkit.org/show_bug.cgi?id=191958
2621         <rdar://problem/46221877>
2622
2623         Reviewed by Yusuke Suzuki.
2624
2625         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2626         (x):
2627         (foo):
2628
2629 2018-11-26  Mark Lam  <mark.lam@apple.com>
2630
2631         NaNs read from Wasm code needs to be purified.
2632         https://bugs.webkit.org/show_bug.cgi?id=191056
2633         <rdar://problem/45660341>
2634
2635         Reviewed by Filip Pizlo.
2636
2637         * wasm/regress/regress-191056.js: Added.
2638
2639 2018-11-26  Michael Saboff  <msaboff@apple.com>
2640
2641         32-bit JSC test failure: stress/regexp-compile-oom.js
2642         https://bugs.webkit.org/show_bug.cgi?id=191375
2643
2644         Reviewed by Mark Lam.
2645
2646         Disabled the test for 32 bit platforms.
2647
2648         * stress/regexp-compile-oom.js:
2649
2650 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2651
2652         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2653         https://bugs.webkit.org/show_bug.cgi?id=191716
2654         <rdar://problem/45723878>
2655
2656         Reviewed by Saam Barati.
2657
2658         * stress/regress-187373.js: Added.
2659         (async.fn):
2660
2661 2018-11-21  Saam barati  <sbarati@apple.com>
2662
2663         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2664         https://bugs.webkit.org/show_bug.cgi?id=191897
2665         <rdar://problem/45871998>
2666
2667         Reviewed by Mark Lam.
2668
2669         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2670         (bar):
2671         (foo):
2672
2673 2018-11-21  Saam barati  <sbarati@apple.com>
2674
2675         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2676         https://bugs.webkit.org/show_bug.cgi?id=191895
2677         <rdar://problem/46167406>
2678
2679         Reviewed by Mark Lam.
2680
2681         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2682         (foo):
2683         (bar):
2684
2685 2018-11-21  Mark Lam  <mark.lam@apple.com>
2686
2687         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2688         https://bugs.webkit.org/show_bug.cgi?id=191776
2689         <rdar://problem/46152851>
2690
2691         Reviewed by Saam Barati.
2692
2693         * stress/big-wasm-memory-grow-no-max.js:
2694         * stress/big-wasm-memory-grow.js:
2695         * stress/big-wasm-memory.js:
2696         - updated these to expect an OutOfMemoryError.
2697
2698         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2699         (Binary.prototype.emit_u8):
2700         (Binary.prototype.emit_u32v):
2701         (Binary.prototype.emit_header):
2702         (Binary.prototype.emit_section):
2703         (Binary):
2704         (WasmModuleBuilder):
2705         (WasmModuleBuilder.prototype.addMemory):
2706         (WasmModuleBuilder.prototype.toArray):
2707         (WasmModuleBuilder.prototype.toBuffer):
2708         (WasmModuleBuilder.prototype.instantiate):
2709         (catch):
2710         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2711         (catch):
2712
2713 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2714
2715         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2716         https://bugs.webkit.org/show_bug.cgi?id=190836
2717
2718         Reviewed by Saam Barati and Yusuke Suzuki.
2719
2720         * stress/big-int-out-of-memory-tests.js: Added.
2721
2722 2018-11-20  Mark Lam  <mark.lam@apple.com>
2723
2724         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2725         https://bugs.webkit.org/show_bug.cgi?id=191856
2726         <rdar://problem/46089992>
2727
2728         Reviewed by Yusuke Suzuki.
2729
2730         * stress/regress-191856.js: Added.
2731         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2732
2733 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2734
2735         Enable JIT on ARM/Linux
2736         https://bugs.webkit.org/show_bug.cgi?id=191548
2737
2738         Reviewed by Yusuke Suzuki.
2739
2740         Disable test on system with limited memory. Program was killed by
2741         the OS before the exception was thrown.
2742
2743         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2744
2745 2018-11-20  Saam barati  <sbarati@apple.com>
2746
2747         Merging an IC variant may lead to the IC status containing overlapping structure sets
2748         https://bugs.webkit.org/show_bug.cgi?id=191869
2749         <rdar://problem/45403453>
2750
2751         Reviewed by Mark Lam.
2752
2753         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2754
2755 2018-11-19  Mark Lam  <mark.lam@apple.com>
2756
2757         globalFuncImportModule() should return a promise when it clears exceptions.
2758         https://bugs.webkit.org/show_bug.cgi?id=191792
2759         <rdar://problem/46090763>
2760
2761         Reviewed by Michael Saboff.
2762
2763         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2764
2765 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2766
2767         Skip new memory-hungry tests on memory limited devices
2768
2769         Unreviewed gardening.
2770
2771         * stress/big-wasm-memory-grow-no-max.js:
2772         * stress/big-wasm-memory-grow.js:
2773         * stress/big-wasm-memory.js:
2774
2775 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2776
2777         Unreviewed, rolling in the rest of r237254
2778         https://bugs.webkit.org/show_bug.cgi?id=190340
2779
2780         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2781         * stress/function-cache-with-parameters-end-position.js: Added.
2782         (shouldBe):
2783         (shouldThrow):
2784         (i.anonymous):
2785         * stress/function-constructor-name.js: Added.
2786         (shouldBe):
2787         (GeneratorFunction):
2788         (AsyncFunction.async):
2789         (AsyncGeneratorFunction.async):
2790         (anonymous):
2791         (async.anonymous):
2792         * test262/expectations.yaml:
2793
2794 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2795
2796         All users of ArrayBuffer should agree on the same max size
2797         https://bugs.webkit.org/show_bug.cgi?id=191771
2798
2799         Reviewed by Mark Lam.
2800
2801         * stress/big-wasm-memory-grow-no-max.js: Added.
2802         (foo):
2803         (catch):
2804         * stress/big-wasm-memory-grow.js: Added.
2805         (foo):
2806         (catch):
2807         * stress/big-wasm-memory.js: Added.
2808         (foo):
2809         (catch):
2810
2811 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2812
2813         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2814         run for each JSC config since they're regression tests for runtime bugs.
2815
2816         * stress/json-stringified-overflow-2.js:
2817         * stress/json-stringified-overflow.js:
2818
2819 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2820
2821         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2822         config since they're regression tests for runtime bugs.
2823
2824         * stress/large-unshift-splice.js:
2825         * stress/regress-185888.js:
2826
2827 2018-11-16  Saam Barati  <sbarati@apple.com>
2828
2829         KnownCellUse should also have SpecCellCheck as its type filter
2830         https://bugs.webkit.org/show_bug.cgi?id=191729
2831         <rdar://problem/45872852>
2832
2833         Reviewed by Filip Pizlo.
2834
2835         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2836         (C):
2837
2838 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2839
2840         Fix assertion failure on BytecodeGenerator::recordOpcode
2841         https://bugs.webkit.org/show_bug.cgi?id=191724
2842         <rdar://problem/45724395>
2843
2844         Reviewed by Saam Barati.
2845
2846         * stress/regress-187373-2.js: Added.
2847         (foo):
2848
2849 2018-11-15  Mark Lam  <mark.lam@apple.com>
2850
2851         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2852         https://bugs.webkit.org/show_bug.cgi?id=191730
2853         <rdar://problem/46048517>
2854
2855         Reviewed by Saam Barati.
2856
2857         * stress/regress-187006.js: Removed.
2858           - this test is invalid because its sole purpose is to test for the non-spec
2859             compliant behavior that we just fixed.
2860
2861         * stress/regress-191730.js: Added.
2862
2863 2018-11-15  Mark Lam  <mark.lam@apple.com>
2864
2865         RegExp operations should not take fast path if lastIndex is not numeric.
2866         https://bugs.webkit.org/show_bug.cgi?id=191731
2867         <rdar://problem/46017305>
2868
2869         Reviewed by Saam Barati.
2870
2871         * stress/regress-191731.js: Added.
2872
2873 2018-11-13  Saam Barati  <sbarati@apple.com>
2874
2875         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2876         https://bugs.webkit.org/show_bug.cgi?id=191600
2877
2878         Reviewed by Mark Lam.
2879
2880         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2881         (foo):
2882         (test):
2883         (bar):
2884
2885 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2886
2887         Unreviewed, rolling out r238132.
2888
2889         The test added with this change is timing out on Debug JSC
2890         bots.
2891
2892         Reverted changeset:
2893
2894         "[BigInt] JSBigInt::createWithLength should throw when length
2895         is greater than JSBigInt::maxLength"
2896         https://bugs.webkit.org/show_bug.cgi?id=190836
2897         https://trac.webkit.org/changeset/238132
2898
2899 2018-11-13  Mark Lam  <mark.lam@apple.com>
2900
2901         Add OOM detection to StringPrototype's substituteBackreferences().
2902         https://bugs.webkit.org/show_bug.cgi?id=191563
2903         <rdar://problem/45720428>
2904
2905         Reviewed by Saam Barati.
2906
2907         * stress/regress-191563.js: Added.
2908
2909 2018-11-13  Mark Lam  <mark.lam@apple.com>
2910
2911         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2912         https://bugs.webkit.org/show_bug.cgi?id=191579
2913         <rdar://problem/45942472>
2914
2915         Reviewed by Saam Barati.
2916
2917         * stress/regress-191579.js: Added.
2918
2919 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2920
2921         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2922         https://bugs.webkit.org/show_bug.cgi?id=190836
2923
2924         Reviewed by Saam Barati.
2925
2926         * stress/big-int-out-of-memory-tests.js: Added.
2927
2928 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2929
2930         U+180E is no longer a whitespace character
2931         https://bugs.webkit.org/show_bug.cgi?id=191415
2932
2933         Reviewed by Saam Barati.
2934
2935         * ChakraCore/test/es5/regexSpace.baseline:
2936         * ChakraCore/test/es6/unicode_whitespace.js:
2937         Update tests to latest version.
2938         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2939
2940         * test262.yaml:
2941         * test262/config.yaml:
2942         * test262/expectations.yaml:
2943         Update expectations.
2944
2945 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2946
2947         [BigInt] Add support to BigInt into ValueAdd
2948         https://bugs.webkit.org/show_bug.cgi?id=186177
2949
2950         Reviewed by Keith Miller.
2951
2952         * stress/big-int-negate-jit.js:
2953         * stress/value-add-big-int-and-string.js: Added.
2954         * stress/value-add-big-int-prediction-propagation.js: Added.
2955         * stress/value-add-big-int-untyped.js: Added.
2956
2957 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2958
2959         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2960         https://bugs.webkit.org/show_bug.cgi?id=191184
2961
2962         Reviewed by Saam Barati.
2963
2964         Most tests were failing due to timeouts, since they are too slow to
2965         run on CLoop. The exceptions are:
2966
2967         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2968         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2969         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2970         to change the stack size since CLoop requires it to be page aligned.
2971
2972         * microbenchmarks/array-push-1.js:
2973         * microbenchmarks/array-push-2.js:
2974         * microbenchmarks/elidable-new-object-dag.js:
2975         * microbenchmarks/elidable-new-object-roflcopter.js:
2976         * microbenchmarks/elidable-new-object-tree.js:
2977         * microbenchmarks/getter-richards.js:
2978         * microbenchmarks/sinkable-new-object-dag.js:
2979         * microbenchmarks/string-concat-long-convert.js:
2980         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2981         * slowMicrobenchmarks/array-push-3.js:
2982         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2983         * slowMicrobenchmarks/spread-small-array.js:
2984         * slowMicrobenchmarks/undefined-property-access.js:
2985         * stress/activation-sink-default-value-tdz-error.js:
2986         * stress/activation-sink-default-value.js:
2987         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2988         * stress/activation-sink-osrexit-default-value.js:
2989         * stress/activation-sink-osrexit.js:
2990         * stress/activation-sink.js:
2991         * stress/allow-math-ic-b3-code-duplication.js:
2992         * stress/array-push-multiple-int32.js:
2993         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2994         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2995         * stress/arrowfunction-lexical-this-activation-sink.js:
2996         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2997         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2998         * stress/elide-new-object-dag-then-exit.js:
2999         * stress/materialize-regexp-cyclic.js:
3000         * stress/new-regex-inline.js:
3001         * stress/op_add.js:
3002         * stress/op_bitand.js:
3003         * stress/op_bitor.js:
3004         * stress/op_bitxor.js:
3005         * stress/op_div-ConstVar.js:
3006         * stress/op_div-VarConst.js:
3007         * stress/op_div-VarVar.js:
3008         * stress/op_lshift-ConstVar.js:
3009         * stress/op_lshift-VarConst.js:
3010         * stress/op_lshift-VarVar.js:
3011         * stress/op_mod-ConstVar.js:
3012         * stress/op_mod-VarConst.js:
3013         * stress/op_mod-VarVar.js:
3014         * stress/op_mul-ConstVar.js:
3015         * stress/op_mul-VarConst.js:
3016         * stress/op_mul-VarVar.js:
3017         * stress/op_rshift-ConstVar.js:
3018         * stress/op_rshift-VarConst.js:
3019         * stress/op_rshift-VarVar.js:
3020         * stress/op_sub-ConstVar.js:
3021         * stress/op_sub-VarConst.js:
3022         * stress/op_sub-VarVar.js:
3023         * stress/op_urshift-ConstVar.js:
3024         * stress/op_urshift-VarConst.js:
3025         * stress/op_urshift-VarVar.js:
3026         * stress/proxy-get-set-correct-receiver.js:
3027         * stress/regress-179562.js:
3028         * stress/rest-parameter-many-arguments.js:
3029         * stress/sampling-profiler-richards.js:
3030         * stress/splay-flash-access-1ms.js:
3031         * stress/tailCallForwardArguments.js:
3032         * stress/typed-array-get-by-val-profiling.js:
3033         * typeProfiler/getter-richards.js:
3034
3035 2018-11-06  Michael Saboff  <msaboff@apple.com>
3036
3037         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3038         https://bugs.webkit.org/show_bug.cgi?id=191271
3039
3040         Reviewed by Saam Barati.
3041
3042         Added more test cases and made all test cases run with the same deeply recursive stack
3043         instead of finding that same point for each test case.
3044
3045         * stress/regexp-compile-oom.js:
3046         (prototype.runTest):
3047         (recurseAndTest):
3048         (testList.push.new.TestAndExpectedException):
3049
3050 2018-11-05  Michael Saboff  <msaboff@apple.com>
3051
3052         Unreviewed build fix for linux.
3053
3054         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3055
3056 2018-11-02  Michael Saboff  <msaboff@apple.com>
3057
3058         Rolling in r237753 with unreviewed build fix.
3059
3060         Fixed issues with DECLARE_THROW_SCOPE placement.
3061
3062 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3063
3064         Unreviewed, rolling out r237753.
3065
3066         Introduced JSC test failures
3067
3068         Reverted changeset:
3069
3070         "Running out of stack space not properly handled in
3071         RegExp::compile() and its callers"
3072         https://bugs.webkit.org/show_bug.cgi?id=191206
3073         https://trac.webkit.org/changeset/237753
3074
3075 2018-11-02  Michael Saboff  <msaboff@apple.com>
3076
3077         Running out of stack space not properly handled in RegExp::compile() and its callers
3078         https://bugs.webkit.org/show_bug.cgi?id=191206
3079
3080         Reviewed by Filip Pizlo.
3081
3082         New regression test.
3083
3084         * stress/regexp-compile-oom.js: Added.
3085         (recurseAndTest):
3086
3087 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3088
3089         Skip tests on arm/mips that time out now we're running on CLoop
3090
3091         Unreviewed gardening.
3092
3093         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3094         time out on the bots and need to be disabled. There's more tests
3095         disabled on arm because the timeout is longer on the mips bot (as the
3096         device is slower to start with), so many of the tests don't time out
3097         there.
3098
3099         * microbenchmarks/getter-richards.js: disable on arm and mips.
3100         * stress/op_add.js: disable on arm.
3101         * stress/op_bitand.js: disable on arm.
3102         * stress/op_bitor.js: disable on arm.
3103         * stress/op_bitxor.js: disable on arm.
3104         * stress/op_lshift-ConstVar.js: disable on arm.
3105         * stress/op_lshift-VarConst.js: disable on arm.
3106         * stress/op_lshift-VarVar.js: disable on arm.
3107         * stress/op_mod-ConstVar.js: disable on arm.
3108         * stress/op_mod-VarConst.js: disable on arm.
3109         * stress/op_mod-VarVar.js: disable on arm.
3110         * stress/op_mul-ConstVar.js: disable on arm.
3111         * stress/op_mul-VarConst.js: disable on arm.
3112         * stress/op_mul-VarVar.js: disable on arm.
3113         * stress/op_rshift-ConstVar.js: disable on arm.
3114         * stress/op_rshift-VarConst.js: disable on arm.
3115         * stress/op_rshift-VarVar.js: disable on arm.
3116         * stress/op_sub-ConstVar.js: disable on arm.
3117         * stress/op_sub-VarConst.js: disable on arm.
3118         * stress/op_sub-VarVar.js: disable on arm.
3119         * stress/op_urshift-ConstVar.js: disable on arm.
3120         * stress/op_urshift-VarConst.js: disable on arm.
3121         * stress/op_urshift-VarVar.js: disable on arm.
3122         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3123         * stress/value-to-boolean.js: disable on arm and mips.
3124
3125 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3126
3127         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3128         https://bugs.webkit.org/show_bug.cgi?id=191108
3129         <rdar://problem/45690700>
3130
3131         Reviewed by Saam Barati.
3132
3133         * stress/wide-op_catch.js: Added.
3134         (catch):
3135
3136 2018-10-29  Mark Lam  <mark.lam@apple.com>
3137
3138         Correctly detect string overflow when using the 'Function' constructor.
3139         https://bugs.webkit.org/show_bug.cgi?id=184883
3140         <rdar://problem/36320331>
3141
3142         Reviewed by Saam Barati.
3143
3144         I've verified that this passes on 32-bit as well.
3145
3146         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3147
3148 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3149
3150         Add support for GetStack FlushedDouble
3151         https://bugs.webkit.org/show_bug.cgi?id=191012
3152         <rdar://problem/45265141>
3153
3154         Reviewed by Saam Barati.
3155
3156         * stress/get-stack-double.js: Added.
3157         (bar):
3158         (noInline):
3159
3160 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3161
3162         New bytecode format for JSC
3163         https://bugs.webkit.org/show_bug.cgi?id=187373
3164         <rdar://problem/44186758>
3165
3166         Reviewed by Filip Pizlo.
3167
3168         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3169
3170         * stress/maximum-inline-capacity.js: Added.
3171         (test1):
3172         (test3.Foo):
3173         (test3):
3174
3175 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3176
3177         Unreviewed, rolling out r237479 and r237484.
3178         https://bugs.webkit.org/show_bug.cgi?id=190978
3179
3180         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3181
3182         Reverted changesets:
3183
3184         "New bytecode format for JSC"
3185         https://bugs.webkit.org/show_bug.cgi?id=187373
3186         https://trac.webkit.org/changeset/237479
3187
3188         "Gardening: Build fix after r237479."
3189         https://bugs.webkit.org/show_bug.cgi?id=187373
3190         https://trac.webkit.org/changeset/237484
3191
3192 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3193
3194         New bytecode format for JSC
3195         https://bugs.webkit.org/show_bug.cgi?id=187373
3196         <rdar://problem/44186758>
3197
3198         Reviewed by Filip Pizlo.
3199
3200         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3201
3202         * stress/maximum-inline-capacity.js: Added.
3203         (test1):
3204         (test3.Foo):
3205         (test3):
3206
3207 2018-10-26  Mark Lam  <mark.lam@apple.com>
3208
3209         Fix missing edge cases with JSGlobalObjects having a bad time.
3210         https://bugs.webkit.org/show_bug.cgi?id=189028
3211         <rdar://problem/45204939>
3212
3213         Reviewed by Saam Barati.
3214
3215         * stress/regress-189028.js: Added.
3216
3217 2018-10-22  Mark Lam  <mark.lam@apple.com>
3218
3219         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3220         https://bugs.webkit.org/show_bug.cgi?id=190515
3221         <rdar://problem/45222379>
3222
3223         Rubber-stamped by Saam Barati.
3224
3225         Adding another test.
3226
3227         * stress/regress-190515-2.js: Added.
3228
3229 2018-10-22  Mark Lam  <mark.lam@apple.com>
3230
3231         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3232         https://bugs.webkit.org/show_bug.cgi?id=190515
3233         <rdar://problem/45222379>
3234
3235         Reviewed by Saam Barati.
3236
3237         * stress/regress-190515.js: Added.
3238
3239 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3240
3241         Unreviewed, rolling out r237254.
3242         https://bugs.webkit.org/show_bug.cgi?id=190760
3243
3244         "It regresses JetStream 2 by 5% on some iOS devices"
3245         (Requested by saamyjoon on #webkit).
3246
3247         Reverted changeset:
3248
3249         "[JSC] JSC should have "parseFunction" to optimize Function
3250         constructor"
3251         https://bugs.webkit.org/show_bug.cgi?id=190340
3252         https://trac.webkit.org/changeset/237254
3253
3254 2018-10-19  Saam Barati  <sbarati@apple.com>
3255
3256         vmCall should check if we exit before emitting an OSR exit due to exceptions
3257         https://bugs.webkit.org/show_bug.cgi?id=190740
3258         <rdar://problem/45220139>
3259
3260         Reviewed by Mark Lam.
3261
3262         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3263         (foo):
3264
3265 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3266
3267         [ESNext][BigInt] Implement support for "^"
3268         https://bugs.webkit.org/show_bug.cgi?id=186235
3269
3270         Reviewed by Yusuke Suzuki.
3271
3272         * stress/big-int-bitwise-xor-general.js: Added.
3273         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3274         * stress/big-int-bitwise-xor-type-error.js: Added.
3275         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3276
3277 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3278
3279         [BigInt] Add ValueSub into DFG
3280         https://bugs.webkit.org/show_bug.cgi?id=186176
3281
3282         Reviewed by Yusuke Suzuki.
3283
3284         * stress/big-int-subtraction-jit.js:
3285         * stress/value-sub-big-int-prediction-propagation.js: Added.
3286         * stress/value-sub-big-int-untyped.js: Added.
3287         * stress/value-sub-spec-none-case.js: Added.
3288
3289 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3290
3291         [JSC] JSC should have "parseFunction" to optimize Function constructor
3292         https://bugs.webkit.org/show_bug.cgi?id=190340
3293
3294         Reviewed by Mark Lam.
3295
3296         This patch fixes the line number of syntax errors raised by the Function constructor,
3297         since we now parse the final code only once. And we no longer use block statement
3298         for Function constructor's parsing.
3299
3300         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3301         * stress/function-cache-with-parameters-end-position.js: Added.
3302         (shouldBe):
3303         (shouldThrow):
3304         (i.anonymous):
3305         * stress/function-constructor-name.js: Added.
3306         (shouldBe):
3307         (GeneratorFunction):
3308         (AsyncFunction.async):
3309         (AsyncGeneratorFunction.async):
3310         (anonymous):
3311         (async.anonymous):
3312         * test262/expectations.yaml:
3313
3314 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3315
3316         Unreviewed, rolling out r237242.
3317         https://bugs.webkit.org/show_bug.cgi?id=190701
3318
3319         it breaks "stress/sampling-profiler-basic.js" (Requested by
3320         caiolima on #webkit).
3321
3322         Reverted changeset:
3323
3324         "[BigInt] Add ValueSub into DFG"
3325         https://bugs.webkit.org/show_bug.cgi?id=186176
3326         https://trac.webkit.org/changeset/237242
3327
3328 2018-10-17  Keith Miller  <keith_miller@apple.com>
3329
3330         AI does not clear Phantom allocation nodes.
3331         https://bugs.webkit.org/show_bug.cgi?id=190694
3332
3333         Reviewed by Saam Barati.
3334
3335         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3336         (Day):
3337         (DaysInYear):
3338         (TimeInYear):
3339         (TimeFromYear):
3340         (DayFromYear):
3341         (InLeapYear):
3342         (YearFromTime):
3343         (WeekDay):
3344         (DaylightSavingTA):
3345         (GetSecondSundayInMarch):
3346         (TimeInMonth):
3347
3348 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3349
3350         [BigInt] Add ValueSub into DFG
3351         https://bugs.webkit.org/show_bug.cgi?id=186176
3352
3353         Reviewed by Yusuke Suzuki.
3354
3355         * stress/big-int-subtraction-jit.js:
3356         * stress/value-sub-big-int-prediction-propagation.js: Added.
3357         * stress/value-sub-big-int-untyped.js: Added.
3358
3359 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3360
3361         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3362         https://bugs.webkit.org/show_bug.cgi?id=190611
3363
3364         Reviewed by Saam Barati.
3365
3366         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3367         to improve test runtime. On ARM/MIPS this test even timed out when running all
3368         tests.
3369
3370         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3371         (test):
3372
3373 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3374
3375         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3376
3377         Unreviewed gardening.
3378
3379         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3380
3381 2018-10-15  Saam barati  <sbarati@apple.com>
3382
3383         Emit fjcvtzs on ARM64E on Darwin
3384         https://bugs.webkit.org/show_bug.cgi?id=184023
3385
3386         Reviewed by Yusuke Suzuki and Filip Pizlo.
3387
3388         * stress/double-to-int32-NaN.js: Added.
3389         (assert):
3390         (foo):
3391
3392 2018-10-15  Saam Barati  <sbarati@apple.com>
3393
3394         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3395         https://bugs.webkit.org/show_bug.cgi?id=190262
3396         <rdar://problem/44986241>
3397
3398         Reviewed by Mark Lam.
3399
3400         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3401         (test):
3402         * stress/slice-array-storage-with-holes.js: Added.
3403         (main):
3404
3405 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3406
3407         Unreviewed, rolling out r237054.
3408         https://bugs.webkit.org/show_bug.cgi?id=190593
3409
3410         "this regressed JetStream 2 by 6% on iOS" (Requested by
3411         saamyjoon on #webkit).
3412
3413         Reverted changeset:
3414
3415         "[JSC] JSC should have "parseFunction" to optimize Function
3416         constructor"
3417         https://bugs.webkit.org/show_bug.cgi?id=190340
3418         https://trac.webkit.org/changeset/237054
3419
3420 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3421
3422         [JSC] JSON.stringify can accept call-with-no-arguments
3423         https://bugs.webkit.org/show_bug.cgi?id=190343
3424
3425         Reviewed by Mark Lam.
3426
3427         * stress/json-stringify-no-arguments.js: Added.
3428         (shouldBe):
3429
3430 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3431
3432         [JSC] JSC should have "parseFunction" to optimize Function constructor
3433         https://bugs.webkit.org/show_bug.cgi?id=190340
3434
3435         Reviewed by Mark Lam.
3436
3437         This patch fixes the line number of syntax errors raised by the Function constructor,
3438         since we now parse the final code only once. And we no longer use block statement
3439         for Function constructor's parsing.
3440
3441         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3442         * stress/function-cache-with-parameters-end-position.js: Added.
3443         (shouldBe):
3444         (shouldThrow):
3445         (i.anonymous):
3446         * stress/function-constructor-name.js: Added.
3447         (shouldBe):
3448         (GeneratorFunction):
3449         (AsyncFunction.async):
3450         (AsyncGeneratorFunction.async):
3451         (anonymous):
3452         (async.anonymous):
3453         * test262/expectations.yaml:
3454
3455 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3456
3457         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3458         https://bugs.webkit.org/show_bug.cgi?id=190426
3459
3460         Unreviewed gardening.
3461
3462         * stress/sampling-profiler-richards.js:
3463
3464 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3465
3466         [ESNext][BigInt] Implement support for "|"
3467         https://bugs.webkit.org/show_bug.cgi?id=186229
3468
3469         Reviewed by Yusuke Suzuki.
3470
3471         * stress/big-int-bitwise-and-jit.js:
3472         * stress/big-int-bitwise-or-general.js: Added.
3473         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3474         * stress/big-int-bitwise-or-jit.js: Added.
3475         * stress/big-int-bitwise-or-memory-stress.js: Added.
3476         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3477         * stress/big-int-bitwise-or-type-error.js: Added.
3478         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3479
3480 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3481
3482         Skip test on systems with limited memory
3483         https://bugs.webkit.org/show_bug.cgi?id=190310
3484
3485         Invoking runDefault adds the test to the runlist; skipping the test in the next
3486         line does not prevent the test from executing. Change the order of lines such
3487         that runDefault is only executed if test is not executed.
3488
3489         Reviewed by Mark Lam.
3490
3491         * stress/regress-190187.js:
3492
3493 2018-10-03  Saam barati  <sbarati@apple.com>
3494
3495         lowXYZ in FTLLower should always filter the type of the incoming edge
3496         https://bugs.webkit.org/show_bug.cgi?id=189939
3497         <rdar://problem/44407030>
3498
3499         Reviewed by Michael Saboff.
3500
3501         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3502         (foo):
3503         (test):
3504
3505 2018-10-03  Mark Lam  <mark.lam@apple.com>
3506
3507         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3508         https://bugs.webkit.org/show_bug.cgi?id=190187
3509         <rdar://problem/42512909>
3510
3511         Reviewed by Michael Saboff.
3512
3513         * stress/regress-190187.js: Added.
3514
3515 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3516
3517         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3518         https://bugs.webkit.org/show_bug.cgi?id=190033
3519
3520         Reviewed by Yusuke Suzuki.
3521
3522         * stress/big-int-to-string.js:
3523
3524 2018-10-01  Mark Lam  <mark.lam@apple.com>
3525
3526         Function.toString() should also copy the source code of Functions that are class definitions.
3527         https://bugs.webkit.org/show_bug.cgi?id=190186
3528         <rdar://problem/44733360>
3529
3530         Reviewed by Saam Barati.
3531
3532         * stress/regress-190186.js: Added.
3533
3534 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3535
3536         Split NaN-check into separate test
3537         https://bugs.webkit.org/show_bug.cgi?id=190010
3538
3539         Reviewed by Saam Barati.
3540
3541         DataView exposes NaN-representation, which is not necessarily the same on each
3542         architecture. Therefore move the check of the NaN-representation into its own
3543         file such that we can disable this test on MIPS where NaN-representation can be
3544         different on older CPUs.
3545
3546         * stress/dataview-jit-set-nan.js: Added.
3547         (assert):
3548         (test.storeLittleEndian):
3549         (test.storeBigEndian):
3550         (test.store):
3551         (test):
3552         * stress/dataview-jit-set.js:
3553         (test5):
3554
3555 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3556
3557         Unreviewed, rolling out r236647.
3558         https://bugs.webkit.org/show_bug.cgi?id=190124
3559
3560         Breaking test stress/big-int-to-string.js (Requested by
3561         caiolima_ on #webkit).
3562
3563         Reverted changeset:
3564
3565         "[BigInt] BigInt.prototype.toString is broken when radix is
3566         power of 2"
3567         https://bugs.webkit.org/show_bug.cgi?id=190033
3568         https://trac.webkit.org/changeset/236647
3569
3570 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3571
3572         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3573         https://bugs.webkit.org/show_bug.cgi?id=190033
3574
3575         Reviewed by Yusuke Suzuki.
3576
3577         * stress/big-int-to-string.js:
3578
3579 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3580
3581         [ESNext][BigInt] Implement support for "&"
3582         https://bugs.webkit.org/show_bug.cgi?id=186228
3583
3584         Reviewed by Yusuke Suzuki.
3585
3586         * stress/big-int-bitwise-and-general.js: Added.
3587         (assert):
3588         (assert.sameValue):
3589         * stress/big-int-bitwise-and-jit.js: Added.
3590         (let.assert.sameValue):
3591         (bigIntBitAnd):
3592         * stress/big-int-bitwise-and-memory-stress.js: Added.
3593         (assert):
3594         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3595         (assert.sameValue):
3596         (let.o.Symbol.toPrimitive):
3597         (catch):
3598         * stress/big-int-bitwise-and-type-error.js: Added.
3599         (assert):
3600         (assertThrowTypeError):
3601         (let.o.valueOf):
3602         (o.valueOf):
3603         (o.toString):
3604         (o.Symbol.toPrimitive):
3605         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3606         (assert.sameValue):
3607         (testBitAnd):
3608         (let.o.Symbol.toPrimitive):
3609         (o.valueOf):
3610         (o.toString):
3611
3612 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3613
3614         JSC test stress/jsc-read.js doesn't support CRLF
3615         https://bugs.webkit.org/show_bug.cgi?id=190063
3616
3617         Reviewed by Yusuke Suzuki.
3618
3619         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3620
3621         * stress/jsc-read.js:
3622         (test):
3623
3624 2018-09-27  Saam barati  <sbarati@apple.com>
3625
3626         Verify the contents of AssemblerBuffer on arm64e
3627         https://bugs.webkit.org/show_bug.cgi?id=190057
3628         <rdar://problem/38916630>
3629
3630         Reviewed by Mark Lam.
3631
3632         * stress/regress-189132.js:
3633
3634 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3635
3636         Disable test without LLInt on ARMv7
3637         https://bugs.webkit.org/show_bug.cgi?id=190037
3638
3639         Reviewed by Mark Lam.
3640
3641         Test runs out of executable memory on ARMv7; do not run
3642         this test without LLInt enabled.
3643
3644         * stress/regress-169445.js:
3645
3646 2018-09-26  Keith Miller  <keith_miller@apple.com>
3647
3648         We should zero unused property storage when rebalancing array storage.
3649         https://bugs.webkit.org/show_bug.cgi?id=188151
3650
3651         Reviewed by Michael Saboff.
3652
3653         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3654
3655 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3656
3657         [JSC] Optimize Array#lastIndexOf
3658         https://bugs.webkit.org/show_bug.cgi?id=189780
3659
3660         Reviewed by Saam Barati.
3661
3662         * stress/array-lastindexof-array-prototype-trap.js: Added.
3663         (shouldBe):
3664         (AncestorArray.prototype.get 2):
3665         (AncestorArray):
3666         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3667         (shouldBe):
3668         * stress/array-lastindexof-hole-nan.js: Added.
3669         (shouldBe):
3670         (throw.new.Error):
3671         * stress/array-lastindexof-infinity.js: Added.
3672         (shouldBe):
3673         (throw.new.Error):
3674         * stress/array-lastindexof-negative-zero.js: Added.
3675         (shouldBe):
3676         (throw.new.Error):
3677         * stress/array-lastindexof-own-getter.js: Added.
3678         (shouldBe):
3679         (throw.new.Error.get array):
3680         (get array):
3681         * stress/array-lastindexof-prototype-trap.js: Added.
3682         (shouldBe):
3683         (DerivedArray.prototype.get 2):
3684         (DerivedArray):
3685
3686 2018-09-25  Saam Barati  <sbarati@apple.com>
3687
3688         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3689         https://bugs.webkit.org/show_bug.cgi?id=189940
3690         <rdar://problem/43640987>
3691
3692         Reviewed by Mark Lam.
3693
3694         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3695
3696 2018-09-24  Saam Barati  <sbarati@apple.com>
3697
3698         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3699         https://bugs.webkit.org/show_bug.cgi?id=189922
3700         <rdar://problem/44651275>
3701
3702         Reviewed by Mark Lam.
3703
3704         * stress/array-indexof-fast-path-effects.js: Added.
3705         * stress/array-indexof-cached-length.js: Added.
3706
3707 2018-09-24  Saam barati  <sbarati@apple.com>
3708
3709         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3710         https://bugs.webkit.org/show_bug.cgi?id=189682
3711         <rdar://problem/43557315>
3712
3713         Reviewed by Mark Lam.
3714
3715         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3716         (foo):
3717
3718 2018-09-22  Saam barati  <sbarati@apple.com>
3719
3720         The sampling should not use Strong<CodeBlock> in its machineLocation field
3721         https://bugs.webkit.org/show_bug.cgi?id=189319
3722
3723         Reviewed by Filip Pizlo.
3724
3725         * stress/sampling-profiler-richards.js: Added.
3726
3727 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3728
3729         [JSC] Optimize Array#indexOf in C++ runtime
3730         https://bugs.webkit.org/show_bug.cgi?id=189507
3731
3732         Reviewed by Saam Barati.
3733
3734         * stress/array-indexof-array-prototype-trap.js: Added.
3735         (shouldBe):
3736         (AncestorArray.prototype.get 2):
3737         (AncestorArray):
3738         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3739         (shouldBe):
3740         * stress/array-indexof-hole-nan.js: Added.
3741         (shouldBe):
3742         (throw.new.Error):
3743         * stress/array-indexof-infinity.js: Added.
3744         (shouldBe):
3745         (throw.new.Error):
3746         * stress/array-indexof-negative-zero.js: Added.
3747         (shouldBe):
3748         (throw.new.Error):
3749         * stress/array-indexof-own-getter.js: Added.
3750         (shouldBe):
3751         (throw.new.Error.get array):
3752         (get array):
3753         * stress/array-indexof-prototype-trap.js: Added.
3754         (shouldBe):
3755         (DerivedArray.prototype.get 2):
3756         (DerivedArray):
3757
3758 2018-09-19  Saam barati  <sbarati@apple.com>
3759
3760         AI rule for MultiPutByOffset executes its effects in the wrong order
3761         https://bugs.webkit.org/show_bug.cgi?id=189757
3762         <rdar://problem/43535257>
3763
3764         Reviewed by Michael Saboff.
3765
3766         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3767         (foo):
3768         (Foo):
3769         (g):
3770
3771 2018-09-17  Mark Lam  <mark.lam@apple.com>
3772
3773         Ensure that ForInContexts are invalidated if their loop local is over-written.
3774         https://bugs.webkit.org/show_bug.cgi?id=189571
3775         <rdar://problem/44402277>
3776
3777         Reviewed by Saam Barati.
3778
3779         * stress/regress-189571.js: Added.
3780
3781 2018-09-17  Saam barati  <sbarati@apple.com>
3782
3783         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3784         https://bugs.webkit.org/show_bug.cgi?id=189676
3785         <rdar://problem/39682897>