[WebKit-https.git] / JSTests / ChangeLog
1 2019-05-14  Keith Miller  <keith_miller@apple.com>
2
3         Fix issue with byteOffset on ARM64E
4         https://bugs.webkit.org/show_bug.cgi?id=197884
5
6         Reviewed by Saam Barati.
7
8         We didn't have any tests that run with non-byte/non-zero offset
9         typed arrays.
10
11         * stress/ftl-gettypedarrayoffset-wasteful.js:
12
13 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
14
15         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
16         https://bugs.webkit.org/show_bug.cgi?id=197833
17
18         Reviewed by Darin Adler.
19
20         * stress/generator-name.js: Added.
21         (shouldBe):
22         (gen):
23         (catch):
24
25 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
26
27         JSObject::getOwnPropertyDescriptor is missing an exception check
28         https://bugs.webkit.org/show_bug.cgi?id=197693
29         <rdar://problem/50441784>
30
31         Reviewed by Saam Barati.
32
33         * stress/proxy-spread.js: Added.
34         (foo):
35
36 2019-05-10  Saam barati  <sbarati@apple.com>
37
38         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
39         https://bugs.webkit.org/show_bug.cgi?id=197807
40         <rdar://problem/50530400>
41
42         Reviewed by Yusuke Suzuki.
43
44         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
45         (test.getInstance):
46         (test):
47
48 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
49
50         [Test262] Unreviewed expectations update following r245188.
51
52         * test262/config.yaml:
53         * test262/expectations.yaml:
54
55         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
56         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
57         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
58         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
59         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
60         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
61         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
62         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
63         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
64         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
65         These files have invalid YAML comments. Will also submit corrections back to Test262.
66
67 2019-05-10  Keith Miller  <keith_miller@apple.com>
68
69         Update test262 tests.
70
71         Rubber-stamped by Yusuke Suzuki.
72
73         * test262/*: mega-patch too many things to list individually.
74
75 2019-05-09  Keith Miller  <keith_miller@apple.com>
76
77         Unreviewed, fix test to have a try-catch.
78
79         * stress/many-nested-functions-parser-stack-overflow.js:
80         (catch):
81
82 2019-05-09  Keith Miller  <keith_miller@apple.com>
83
84         parseStatementListItem needs a stack overflow check
85         https://bugs.webkit.org/show_bug.cgi?id=197749
86
87         Reviewed by Saam Barati.
88
89         * stress/many-nested-functions-parser-stack-overflow.js: Added.
90
91 2019-05-08  Saam barati  <sbarati@apple.com>
92
93         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
94         https://bugs.webkit.org/show_bug.cgi?id=197715
95         <rdar://problem/50399252>
96
97         Reviewed by Filip Pizlo.
98
99         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
100         (foo):
101         (bar):
102
103 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
104
105         Unreviewed, rolling out r245068.
106
107         Caused debug layout tests to exit early due to an assertion
108         failure.
109
110         Reverted changeset:
111
112         "All prototypes should call didBecomePrototype()"
113         https://bugs.webkit.org/show_bug.cgi?id=196315
114         https://trac.webkit.org/changeset/245068
115
116 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
117
118         Invalid DFG JIT generation in high CPU usage state
119         https://bugs.webkit.org/show_bug.cgi?id=197453
120
121         Reviewed by Saam Barati.
122
123         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
124         (trigger):
125         (main):
126
127 2019-05-08  Robin Morisset  <rmorisset@apple.com>
128
129         All prototypes should call didBecomePrototype()
130         https://bugs.webkit.org/show_bug.cgi?id=196315
131
132         Reviewed by Saam Barati.
133
134         This changelog already landed, but the commit was missing the actual changes.
135
136         * stress/function-prototype-indexed-accessor.js: Added.
137
138 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
139
140         [BigInt] Add ValueMod into DFG
141         https://bugs.webkit.org/show_bug.cgi?id=186174
142
143         Reviewed by Saam Barati.
144
145         * microbenchmarks/mod-untyped.js: Added.
146         * stress/big-int-mod-osr.js: Added.
147         * stress/value-div-ai-rule.js: Added.
148         * stress/value-mod-ai-rule.js: Added.
149
150 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
151
152         [JSC] DFG_ASSERT failed in lowInt52
153         https://bugs.webkit.org/show_bug.cgi?id=197569
154
155         Reviewed by Saam Barati.
156
157         * stress/getstack-int52.js: Added.
158         (opt):
159         (main):
160
161 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
162
163         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
164         https://bugs.webkit.org/show_bug.cgi?id=197479
165
166         Reviewed by Saam Barati.
167
168         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
169         (shouldBe):
170
171 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
172
173         TemplateObject passed to template literal tags are not always identical for the same source location.
174         https://bugs.webkit.org/show_bug.cgi?id=190756
175
176         Reviewed by Saam Barati.
177
178         * complex.yaml:
179         * complex/tagged-template-regeneration-after.js: Added.
180         (shouldBe):
181         * complex/tagged-template-regeneration.js: Added.
182         (call):
183         (test):
184         * modules/tagged-template-inside-module.js: Added.
185         (from.string_appeared_here.call):
186         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
187         (call):
188         (export.otherTaggedTemplates):
189         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
190         (shouldBe):
191         (call):
192         (poly):
193         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
194         (shouldBe):
195         (call):
196         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
197         (shouldBe):
198         (call):
199         (test):
200         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
201         (shouldBe):
202         (call):
203         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
204         (shouldBe):
205         (call):
206         * stress/tagged-templates-in-multiple-functions.js: Added.
207         (shouldBe):
208         (call):
209         (a):
210         (b):
211         (c):
212         * stress/tagged-templates-with-same-start-offset.js: Added.
213         (shouldBe):
214
215 2019-05-07  Robin Morisset  <rmorisset@apple.com>
216
217         All prototypes should call didBecomePrototype()
218         https://bugs.webkit.org/show_bug.cgi?id=196315
219
220         Reviewed by Saam Barati.
221
222         * stress/function-prototype-indexed-accessor.js: Added.
223
224 2019-05-07  Commit Queue  <commit-queue@webkit.org>
225
226         Unreviewed, rolling out r244978.
227         https://bugs.webkit.org/show_bug.cgi?id=197671
228
229         TemplateObject map should use start/end offsets (Requested by
230         yusukesuzuki on #webkit).
231
232         Reverted changeset:
233
234         "TemplateObject passed to template literal tags are not always
235         identical for the same source location."
236         https://bugs.webkit.org/show_bug.cgi?id=190756
237         https://trac.webkit.org/changeset/244978
238
239 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
240
241         tryCachePutByID should not crash if target offset changes
242         https://bugs.webkit.org/show_bug.cgi?id=197311
243         <rdar://problem/48033612>
244
245         Reviewed by Filip Pizlo.
246
247         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
248         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`.
249
250         * stress/cache-put-by-id-delete-prototype.js: Added.
251         (A.prototype.set y):
252         (A):
253         (B.prototype.set y):
254         (B):
255         (C):
256         * stress/cache-put-by-id-different-__proto__.js: Added.
257         (A.prototype.set y):
258         (A):
259         (B1):
260         (B2.prototype.set y):
261         (B2):
262         (C):
263         (D):
264         * stress/cache-put-by-id-different-attributes.js: Added.
265         (Foo):
266         (set x):
267         * stress/cache-put-by-id-different-offset.js: Added.
268         (Foo):
269         (set x):
270         * stress/cache-put-by-id-insert-prototype.js: Added.
271         (A.prototype.set y):
272         (A):
273         (C):
274         * stress/cache-put-by-id-poly-proto.js: Added.
275         (Foo):
276         (set _):
277         (createBar.Bar):
278         (createBar):
279
280 2019-05-07  Saam Barati  <sbarati@apple.com>
281
282         Don't OSR enter into an FTL CodeBlock that has been jettisoned
283         https://bugs.webkit.org/show_bug.cgi?id=197531
284         <rdar://problem/50162379>
285
286         Reviewed by Yusuke Suzuki.
287
288         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
289
290 2019-05-06  Dean Jackson  <dino@apple.com>
291
292         Update test262 expectations for Proxy passes
293         https://bugs.webkit.org/show_bug.cgi?id=197628
294
295         Reviewed by Yusuke Suzuki.
296
297         There are two consistent passes in Proxy.ownKeys.
298
299         * test262/expectations.yaml:
300
301 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
302
303         [JSC] We should check OOM for description string of Symbol
304         https://bugs.webkit.org/show_bug.cgi?id=197634
305
306         Reviewed by Keith Miller.
307
308         * stress/check-symbol-description-oom.js: Added.
309         (shouldThrow):
310
311 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
312
313         Unreviewed, land one more test
314         https://bugs.webkit.org/show_bug.cgi?id=197587
315
316         * stress/setter-frame-flush.js: Added.
317         (setter):
318         (foo):
319         (bar):
320
321 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
322
323         TemplateObject passed to template literal tags are not always identical for the same source location.
324         https://bugs.webkit.org/show_bug.cgi?id=190756
325
326         Reviewed by Saam Barati.
327
328         * complex.yaml:
329         * complex/tagged-template-regeneration-after.js: Added.
330         (shouldBe):
331         * complex/tagged-template-regeneration.js: Added.
332         (call):
333         (test):
334         * modules/tagged-template-inside-module.js: Added.
335         (from.string_appeared_here.call):
336         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
337         (call):
338         (export.otherTaggedTemplates):
339         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
340         (shouldBe):
341         (call):
342         (poly):
343         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
344         (shouldBe):
345         (call):
346         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
347         (shouldBe):
348         (call):
349         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
350         (shouldBe):
351         (call):
352         * stress/tagged-templates-in-multiple-functions.js: Added.
353         (shouldBe):
354         (call):
355         (a):
356         (b):
357         (c):
358
359 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
360
361         [PlayStation] JSC Stress tests failing due to timezone printing
362         https://bugs.webkit.org/show_bug.cgi?id=197615
363
364         PlayStation's strftime does not give timezone strings, which
365         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
366         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
367         which causes diff failures with the expectations. Add expectations
368         without the timezone string and use those on playstation.
369
370         Reviewed by Ross Kirsling.
371
372         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
373         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
374         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
375         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
376
377 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
378
379         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
380         https://bugs.webkit.org/show_bug.cgi?id=197587
381
382         Reviewed by Sam Weinig.
383
384         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
385
386         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
387
388 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
389
390         TypedArrays should not store properties that are canonical numeric indices
391         https://bugs.webkit.org/show_bug.cgi?id=197228
392         <rdar://problem/49557381>
393
394         Reviewed by Saam Barati.
395
396         * stress/array-species-config-array-constructor.js:
397         (test):
398         * stress/put-direct-index-broken-2.js:
399         * stress/typed-array-canonical-numeric-index-string.js: Added.
400         (makeTest.assert):
401         (makeTest):
402         (const.testInvalidIndices.makeTest.set assert):
403         (const.testInvalidIndices.makeTest):
404         (const.makeTestValidIndex.configurable.set assert):
405         (const.makeTestValidIndex.configurable):
406         * stress/typedarray-access-monomorphic-neutered.js:
407         (checkNoException):
408         (testNoException):
409         (testFTLNoException):
410         * stress/typedarray-access-neutered.js:
411         (testNoException):
412         * stress/typedarray-getownproperty-not-configurable.js:
413         (foo):
414         * test262/expectations.yaml:
415
416 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
417
418         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
419         https://bugs.webkit.org/show_bug.cgi?id=197584
420
421         Reviewed by Saam Barati.
422
423         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
424         (X):
425         (foo):
426
427 2019-05-03  Michael Saboff  <msaboff@apple.com>
428
429         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
430         https://bugs.webkit.org/show_bug.cgi?id=197586
431
432         Reviewed by Keith Miller.
433
434         We should only run one config of this test and only when we think we'll have the memory.
435
436         * stress/json-stringify-string-builder-overflow.js:
437
438 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
439
440         [JSC] Generator CodeBlock generation should be idempotent
441         https://bugs.webkit.org/show_bug.cgi?id=197552
442
443         Reviewed by Keith Miller.
444
445         Add complex.yaml, which controls how to run JSC shell more.
446         We split test files into two to run macro task between them which allows debugger to be attached to VM.
447
448         * complex.yaml: Added.
449         * complex/generator-regeneration-after.js: Added.
450         * complex/generator-regeneration.js: Added.
451         (gen):
452
453 2019-05-02  Michael Saboff  <msaboff@apple.com>
454
455         Unreviewed rollout of r244862.
456
457         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
458
459 2019-05-01  Saam barati  <sbarati@apple.com>
460
461         Baseline JIT should do argument value profiling after checking for stack overflow
462         https://bugs.webkit.org/show_bug.cgi?id=197052
463         <rdar://problem/50009602>
464
465         Reviewed by Yusuke Suzuki.
466
467         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
468
469 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
470
471         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
472         https://bugs.webkit.org/show_bug.cgi?id=197405
473
474         Reviewed by Saam Barati.
475
476         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
477         (foo):
478         (test):
479         (i.o.get f):
480         (i.o.set f):
481
482 2019-05-01  Michael Saboff  <msaboff@apple.com>
483
484         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
485         https://bugs.webkit.org/show_bug.cgi?id=197485
486
487         Reviewed by Saam Barati.
488
489         New test.
490
491         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
492         (foo):
493
494 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
495
496         Unreviewed correction to Test262 expectations following r244828.
497
498         * test262/expectations.yaml:
499
500 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
501
502         Add memory-limited skipping to some tests generating very large strings
503         https://bugs.webkit.org/show_bug.cgi?id=197437
504
505         Reviewed by Ross Kirsling.
506
507         * stress/StringObject-define-length-getter-rope-string-oom.js:
508         * stress/create-error-out-of-memory-rope-string.js:
509         * stress/string-16bit-repeat-overflow.js:
510
511 2019-04-30  Commit Queue  <commit-queue@webkit.org>
512
513         Unreviewed, rolling out r244806.
514         https://bugs.webkit.org/show_bug.cgi?id=197446
515
516         Causing Test262 and JSC test failures on multiple builds
517         (Requested by ShawnRoberts on #webkit).
518
519         Reverted changeset:
520
521         "TypeArrays should not store properties that are canonical
522         numeric indices"
523         https://bugs.webkit.org/show_bug.cgi?id=197228
524         https://trac.webkit.org/changeset/244806
525
526 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
527
528         TypeArrays should not store properties that are canonical numeric indices
529         https://bugs.webkit.org/show_bug.cgi?id=197228
530         <rdar://problem/49557381>
531
532         Reviewed by Darin Adler.
533
534         * stress/typed-array-canonical-numeric-index-string.js: Added.
535         (makeTest.assert):
536         (makeTest):
537         (const.testInvalidIndices.makeTest.set assert):
538         (const.testInvalidIndices.makeTest):
539         (const.testValidIndices.makeTest.set assert):
540         (const.testValidIndices.makeTest):
541
542 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
543
544         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
545         https://bugs.webkit.org/show_bug.cgi?id=197362
546
547         Reviewed by Saam Barati.
548
549         * stress/map-with-nan.js: Added.
550         (shouldBe):
551         (div):
552         (NaN1):
553         (NaN2):
554         (NaN3):
555         (NaN4):
556         (NaN1NoInline):
557         (NaN2NoInline):
558         (NaN3NoInline):
559         (NaN4NoInline):
560         (test1):
561         (test2):
562         (test3):
563         (test4):
564         * stress/set-with-nan.js: Added.
565         (shouldBe):
566         (div):
567         (NaN1):
568         (NaN2):
569         (NaN3):
570         (NaN4):
571         (NaN1NoInline):
572         (NaN2NoInline):
573         (NaN3NoInline):
574         (NaN4NoInline):
575         (test2):
576         (test4):
577
578 2019-04-26  Commit Queue  <commit-queue@webkit.org>
579
580         Unreviewed, rolling out r244708.
581         https://bugs.webkit.org/show_bug.cgi?id=197334
582
583         "Broke the debug build" (Requested by rmorisset on #webkit).
584
585         Reverted changeset:
586
587         "All prototypes should call didBecomePrototype()"
588         https://bugs.webkit.org/show_bug.cgi?id=196315
589         https://trac.webkit.org/changeset/244708
590
591 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
592
593         [JSC] linkPolymorphicCall now does GC
594         https://bugs.webkit.org/show_bug.cgi?id=197306
595
596         Reviewed by Saam Barati.
597
598         * stress/link-polymorphic-call-can-gc.js: Added.
599         (module):
600         (instance):
601
602 2019-04-26  Robin Morisset  <rmorisset@apple.com>
603
604         All prototypes should call didBecomePrototype()
605         https://bugs.webkit.org/show_bug.cgi?id=196315
606
607         Reviewed by Saam Barati.
608
609         * stress/function-prototype-indexed-accessor.js: Added.
610
611 2019-04-23  Saam Barati  <sbarati@apple.com>
612
613         LICM incorrectly assumes it'll never insert a node which provably OSR exits
614         https://bugs.webkit.org/show_bug.cgi?id=196721
615         <rdar://problem/49556479> 
616
617         Reviewed by Filip Pizlo.
618
619         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
620         (foo):
621
622 2019-04-19  Saam Barati  <sbarati@apple.com>
623
624         AbstractValue can represent more than int52
625         https://bugs.webkit.org/show_bug.cgi?id=197118
626         <rdar://problem/49969960>
627
628         Reviewed by Michael Saboff.
629
630         * stress/abstract-value-can-include-int52.js: Added.
631         (foo):
632         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
633
634 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
635
636         [WTF] StringBuilder should set correct m_is8Bit flag when merging
637         https://bugs.webkit.org/show_bug.cgi?id=197053
638
639         Reviewed by Saam Barati.
640
641         * stress/merge-string-builder-in-dfg.js: Added.
642         (foo):
643
644 2019-04-16  Caitlin Potter  <caitp@igalia.com>
645
646         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
647         https://bugs.webkit.org/show_bug.cgi?id=176810
648
649         Reviewed by Saam Barati.
650
651         Add tests for the DontEnum filtering, and variations of other tests
652         take the DontEnum-filtering path.
653
654         * stress/proxy-own-keys.js:
655         (i.catch):
656         (set assert):
657         (set add):
658         (let.set new):
659         (get let):
660
661 2019-04-15  Saam barati  <sbarati@apple.com>
662
663         Modify how we do SetArgument when we inline varargs calls
664         https://bugs.webkit.org/show_bug.cgi?id=196712
665         <rdar://problem/49605012>
666
667         Reviewed by Michael Saboff.
668
669         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
670         (foo):
671
672 2019-04-15  Saam barati  <sbarati@apple.com>
673
674         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
675         https://bugs.webkit.org/show_bug.cgi?id=196945
676         <rdar://problem/49802750>
677
678         Reviewed by Filip Pizlo.
679
680         * stress/get-by-offset-should-use-correct-child.js: Added.
681         (foo.bar):
682         (foo):
683
684 2019-04-15  Robin Morisset  <rmorisset@apple.com>
685
686         DFG should be able to constant fold Object.create() with a constant prototype operand
687         https://bugs.webkit.org/show_bug.cgi?id=196886
688
689         Reviewed by Yusuke Suzuki.
690
691         Note that this new benchmark does not currently see a speedup with inlining removed.
692         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
693
694         * microbenchmarks/object-create-constant-prototype.js: Added.
695         (test):
696
697 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
698
699         Incremental bytecode cache should not append function updates when loaded from memory
700         https://bugs.webkit.org/show_bug.cgi?id=196865
701
702         Reviewed by Filip Pizlo.
703
704         * stress/bytecode-cache-shared-code-block.js: Added.
705         (b):
706         (program):
707
708 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
709
710         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
711         https://bugs.webkit.org/show_bug.cgi?id=196880
712
713         Reviewed by Yusuke Suzuki.
714
715         * stress/bytecode-cache-syntax-error.js: Added.
716         (catch):
717
718 2019-04-12  Saam barati  <sbarati@apple.com>
719
720         r244079 logically broke shouldSpeculateInt52
721         https://bugs.webkit.org/show_bug.cgi?id=196884
722
723         Reviewed by Yusuke Suzuki.
724
725         * microbenchmarks/int52-rand-function.js: Added.
726         (Math.random):
727
728 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
729
730         [JSC] op_has_indexed_property should not assume subscript part is Uint32
731         https://bugs.webkit.org/show_bug.cgi?id=196850
732
733         Reviewed by Saam Barati.
734
735         * stress/has-indexed-property-should-accept-non-int32.js: Added.
736         (foo):
737
738 2019-04-11  Saam barati  <sbarati@apple.com>
739
740         Remove invalid assertion in operationInstanceOfCustom
741         https://bugs.webkit.org/show_bug.cgi?id=196842
742         <rdar://problem/49725493>
743
744         Reviewed by Michael Saboff.
745
746         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
747
748 2019-04-10  Saam Barati  <sbarati@apple.com>
749
750         AbstractValue::validateOSREntryValue is wrong for Int52 constants
751         https://bugs.webkit.org/show_bug.cgi?id=196801
752         <rdar://problem/49771122>
753
754         Reviewed by Yusuke Suzuki.
755
756         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
757
758 2019-04-10  Robin Morisset  <rmorisset@apple.com>
759
760         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
761         https://bugs.webkit.org/show_bug.cgi?id=196746
762
763         Reviewed by Yusuke Suzuki.
764
765         * stress/cyclic-define-properties.js: Added.
766         (foo):
767
768 2019-04-09  Saam barati  <sbarati@apple.com>
769
770         Clean up Int52 code and some bugs in it
771         https://bugs.webkit.org/show_bug.cgi?id=196639
772         <rdar://problem/49515757>
773
774         Reviewed by Yusuke Suzuki.
775
776         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
777
778 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
779
780         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
781         https://bugs.webkit.org/show_bug.cgi?id=196708
782         <rdar://problem/49556803>
783
784         Reviewed by Yusuke Suzuki.
785
786         * stress/proxy-getter-stack-overflow.js: Added.
787         (const.handler.get target):
788         (const.handler.has):
789         (try.with):
790         (catch):
791
792 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
793
794         [JSC] DFG should respect node's strict flag
795         https://bugs.webkit.org/show_bug.cgi?id=196617
796
797         Reviewed by Saam Barati.
798
799         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
800         (shouldEqual):
801         (makeUnwriteableUnconfigurableObject):
802         (runTest):
803         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
804         (shouldBe):
805         (shouldThrow):
806         (with.result):
807         (with.putValueStrict):
808         (with.putValueSloppy):
809
810 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
811
812         [JSC] isRope jump in StringSlice should not jump over register allocations
813         https://bugs.webkit.org/show_bug.cgi?id=196716
814
815         Reviewed by Saam Barati.
816
817         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
818         (foo.bar):
819         (foo):
820
821 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
822
823         [JSC] to_index_string should not assume incoming value is Uint32
824         https://bugs.webkit.org/show_bug.cgi?id=196713
825
826         Reviewed by Saam Barati.
827
828         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
829         (foo):
830
831 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
832
833         [JSC] Add more tests for r243966
834         https://bugs.webkit.org/show_bug.cgi?id=196711
835
836         Reviewed by Saam Barati.
837
838         Adding one more test for r243966 fix. The added test will not crash after r243966.
839
840         * stress/stress-cleared-calllinkinfo.js: Added.
841         (runNearStackLimit.t):
842         (runNearStackLimit):
843         (repeat):
844         (cls):
845         (let.item.of.array.runNearStackLimit):
846
847 2019-04-08  Saam Barati  <sbarati@apple.com>
848
849         WebAssembly.RuntimeError missing exception check
850         https://bugs.webkit.org/show_bug.cgi?id=196700
851         <rdar://problem/49693932>
852
853         Reviewed by Yusuke Suzuki.
854
855         * wasm/js-api/runtime-error-should-exception-check.js: Added.
856
857 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
858
859         Unreviewed, rolling in r243948 with test fix
860         https://bugs.webkit.org/show_bug.cgi?id=196486
861
862         * stress/arrow-function-and-use-strict-directive.js: Added.
863         * stress/arrow-function-syntax.js: Added.
864         (checkSyntax):
865         (checkSyntaxError):
866
867 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
868
869         Unreviewed, rolling out r243948.
870
871         Caused inspector/runtime/parse.html to fail
872
873         Reverted changeset:
874
875         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
876         https://bugs.webkit.org/show_bug.cgi?id=196486
877         https://trac.webkit.org/changeset/243948
878
879 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
880
881         Unreviewed, rolling out r243943.
882
883         Caused test262 failures.
884
885         Reverted changeset:
886
887         "[JSC] Filter DontEnum properties in
888         ProxyObject::getOwnPropertyNames()"
889         https://bugs.webkit.org/show_bug.cgi?id=176810
890         https://trac.webkit.org/changeset/243943
891
892 2019-04-07  Michael Saboff  <msaboff@apple.com>
893
894         REGRESSION (r243642): Crash in reddit.com page
895         https://bugs.webkit.org/show_bug.cgi?id=196684
896
897         Reviewed by Geoffrey Garen.
898
899         New regression test.
900
901         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
902
903 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
904
905         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
906         https://bugs.webkit.org/show_bug.cgi?id=196683
907
908         Reviewed by Saam Barati.
909
910         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
911         (foo):
912
913 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
916         https://bugs.webkit.org/show_bug.cgi?id=196582
917
918         Reviewed by Saam Barati.
919
920         * stress/add-overflow-check-with-three-same-registers.js: Added.
921         (foo):
922         (Number.prototype.valueOf):
923         (runWithNumber):
924
925 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
926
927         Unreviewed, rolling out r243665.
928
929         Caused iOS JSC tests to exit with an exception.
930
931         Reverted changeset:
932
933         "Assertion failed in JSC::createError"
934         https://bugs.webkit.org/show_bug.cgi?id=196305
935         https://trac.webkit.org/changeset/243665
936
937 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
938
939         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
940         https://bugs.webkit.org/show_bug.cgi?id=196486
941
942         Reviewed by Saam Barati.
943
944         * stress/arrow-function-and-use-strict-directive.js: Added.
945         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
946         (checkSyntax):
947         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
948
949 2019-04-05  Caitlin Potter  <caitp@igalia.com>
950
951         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
952         https://bugs.webkit.org/show_bug.cgi?id=176810
953
954         Reviewed by Saam Barati.
955
956         Add tests for the DontEnum filtering, and variations of other tests
957         take the DontEnum-filtering path.
958
959         * stress/proxy-own-keys.js:
960         (i.catch):
961         (set assert):
962         (set add):
963         (let.set new):
964         (get let):
965
966 2019-04-05  Caitlin Potter  <caitp@igalia.com>
967
968         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
969         https://bugs.webkit.org/show_bug.cgi?id=185211
970
971         Reviewed by Saam Barati.
972
973         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
974
975         This changes several assertions to expect a TypeError to be thrown (in some cases,
976         changing the expected message).
977
978         * es6/Proxy_ownKeys_duplicates.js:
979         (handler):
980         (shouldThrow):
981         (test):
982         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
983         (shouldThrow):
984         * stress/proxy-own-keys.js:
985         (i.catch):
986         (assert):
987
988 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
989
990         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
991         https://bugs.webkit.org/show_bug.cgi?id=196631
992
993         Reviewed by Saam Barati.
994
995         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
996         (assert):
997         (test):
998         (foo):
999
1000 2019-04-04  Saam Barati  <sbarati@apple.com>
1001
1002         Unreviewed. Make the test from r243906 catch the thrown exceptions.
1003
1004         * stress/inferred-types-regex-matches-array.js:
1005
1006 2019-04-04  Saam Barati  <sbarati@apple.com>
1007
1008         createRegExpMatchesArray does not respect inferred types
1009         https://bugs.webkit.org/show_bug.cgi?id=193287
1010
1011         Reviewed by Yusuke Suzuki.
1012
1013         This checks in the test case for 193287. This issue was discovered by
1014         Samuel Groß of Google Project Zero.
1015
1016         * stress/inferred-types-regex-matches-array.js: Added.
1017
1018 2019-04-04  Saam barati  <sbarati@apple.com>
1019
1020         Teach Call ICs how to call Wasm
1021         https://bugs.webkit.org/show_bug.cgi?id=196387
1022
1023         Reviewed by Filip Pizlo.
1024
1025         * wasm/function-tests/stack-trace.js:
1026
1027 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1028
1029         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1030         https://bugs.webkit.org/show_bug.cgi?id=194944
1031
1032         Reviewed by Keith Miller.
1033
1034         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
1035
1036 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1037
1038         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1039         https://bugs.webkit.org/show_bug.cgi?id=196409
1040
1041         Reviewed by Saam Barati.
1042
1043         * stress/bytecode-cache-cached-string-impl.js: Added.
1044         (f):
1045         (g):
1046         * stress/bytecode-cache-run-string.js: Added.
1047
1048 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1049
1050         B3 should use associativity to optimize expression trees
1051         https://bugs.webkit.org/show_bug.cgi?id=194081
1052
1053         Reviewed by Filip Pizlo.
1054
1055         Added three microbenchmarks:
1056         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
1057         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
1058           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
1059         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
1060
1061         * microbenchmarks/add-tree.js: Added.
1062         * microbenchmarks/bit-or-tree.js: Added.
1063         * microbenchmarks/bit-xor-tree.js: Added.
1064
1065 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1066
1067         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1068         https://bugs.webkit.org/show_bug.cgi?id=196574
1069
1070         Reviewed by Saam Barati.
1071
1072         * stress/string-index-of-exception-check.js: Added.
1073         (blurType):
1074         (1.forEach):
1075
1076 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1077
1078         Assertion failed in JSC::createError
1079         https://bugs.webkit.org/show_bug.cgi?id=196305
1080         <rdar://problem/49387382>
1081
1082         Reviewed by Saam Barati.
1083
1084         * stress/create-error-out-of-memory-rope-string-2.js: Added.
1085         (assert):
1086         (catch):
1087
1088 2019-03-28  Saam Barati  <sbarati@apple.com>
1089
1090         BackwardsGraph needs to consider back edges as the backward's root successor
1091         https://bugs.webkit.org/show_bug.cgi?id=195991
1092
1093         Reviewed by Filip Pizlo.
1094
1095         * stress/map-b3-licm-infinite-loop.js: Added.
1096
1097 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1098
1099         CodeBlock::jettison() should disallow repatching its own calls
1100         https://bugs.webkit.org/show_bug.cgi?id=196359
1101         <rdar://problem/48973663>
1102
1103         Reviewed by Saam Barati.
1104
1105         * stress/call-link-info-osrexit-repatch.js: Added.
1106         (foo):
1107
1108 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
1109
1110         [JSC] imports-oom.js intermittently fails
1111         https://bugs.webkit.org/show_bug.cgi?id=196373
1112
1113         Reviewed by Saam Barati.
1114
1115         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
1116         with an extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
1117         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
1118         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
1119         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
1120
1121         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
1122         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
1123
1124         * wasm/lowExecutableMemory/imports-oom.js:
1125
1126 2019-03-27  Saam Barati  <sbarati@apple.com>
1127
1128         validateOSREntryValue with Int52 should box the value being checked into double format
1129         https://bugs.webkit.org/show_bug.cgi?id=196313
1130         <rdar://problem/49306703>
1131
1132         Reviewed by Yusuke Suzuki.
1133
1134         * stress/validate-int-52-ai-state.js: Added.
1135
1136 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
1137
1138         [JSC] Owner of watchpoints should validate at GC finalizing phase
1139         https://bugs.webkit.org/show_bug.cgi?id=195827
1140
1141         Reviewed by Filip Pizlo.
1142
1143         * stress/gc-should-reap-dead-watchpoints.js: Added.
1144         (foo):
1145         (A.prototype.y):
1146         (A):
1147
1148 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
1149
1150         Skip WebAssembly test on 32-bit systems
1151         https://bugs.webkit.org/show_bug.cgi?id=196206
1152
1153         Reviewed by Saam Barati.
1154
1155         Invoking runDefault executes test immediately even though
1156         that test should be skipped due to missing WASM support.
1157         Therefore remove runDefault.
1158
1159         * wasm/regress/web-assembly-link-error-exception-check.js:
1160
1161 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
1162
1163         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
1164         https://bugs.webkit.org/show_bug.cgi?id=196217
1165
1166         Reviewed by Saam Barati.
1167
1168         Re-enable all NaN tests for f32.min, f64.min and f64.max.
1169
1170         * wasm/spec-tests/f32.wast.js:
1171         * wasm/spec-tests/f64.wast.js:
1172         * wasm/wasm.json:
1173
1174 2019-03-25  Keith Miller  <keith_miller@apple.com>
1175
1176         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
1177         https://bugs.webkit.org/show_bug.cgi?id=196176
1178
1179         Reviewed by Saam Barati.
1180
1181         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
1182         (main.v10):
1183         (main):
1184
1185 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
1186
1187         WebAssembly: f32.max with NaN generates incorrect result
1188         https://bugs.webkit.org/show_bug.cgi?id=175691
1189         <rdar://problem/33952228>
1190
1191         Reviewed by Saam Barati.
1192
1193         Enable all f32.max NaN tests
1194
1195         * wasm/spec-tests/f32.wast.js:
1196         * wasm/wasm.json:
1197
1198 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
1199
1200         [JSC] Move test into directory for WASM tests
1201         https://bugs.webkit.org/show_bug.cgi?id=196187
1202
1203         Reviewed by Mark Lam.
1204
1205         Move Test into wasm-directory. Otherwise this test
1206         is also executed on systems without WASM support.
1207
1208         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
1209
1210 2019-03-23  Mark Lam  <mark.lam@apple.com>
1211
1212         Rolling out r243032 and r243071 because the fix is incorrect.
1213         https://bugs.webkit.org/show_bug.cgi?id=195892
1214         <rdar://problem/48981239>
1215
1216         Not reviewed.
1217
1218         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
1219
1220 2019-03-22  Mark Lam  <mark.lam@apple.com>
1221
1222         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
1223         https://bugs.webkit.org/show_bug.cgi?id=196154
1224         <rdar://problem/49145307>
1225
1226         Reviewed by Filip Pizlo.
1227
1228         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
1229         There's no need to run this test on more than 1 test configuration.
1230
1231         * stress/typed-array-lastIndexOf-exception-check.js: Added.
1232         * stress/web-assembly-link-error-exception-check.js:
1233
1234 2019-03-22  Mark Lam  <mark.lam@apple.com>
1235
1236         Placate exception check validation in constructJSWebAssemblyLinkError().
1237         https://bugs.webkit.org/show_bug.cgi?id=196152
1238         <rdar://problem/49145257>
1239
1240         Reviewed by Michael Saboff.
1241
1242         * stress/web-assembly-link-error-exception-check.js: Added.
1243
1244 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
1245
1246         Skip tests running out of memory on ARM/MIPS
1247         https://bugs.webkit.org/show_bug.cgi?id=196131
1248
1249         Unreviewed. Skip test if memory is limited.
1250
1251         * microbenchmarks/put-by-val-direct-large-index.js:
1252
1253 2019-03-21  Mark Lam  <mark.lam@apple.com>
1254
1255         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
1256         https://bugs.webkit.org/show_bug.cgi?id=196116
1257         <rdar://problem/48976951>
1258
1259         Reviewed by Filip Pizlo.
1260
1261         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
1262
1263 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
1264
1265         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
1266         https://bugs.webkit.org/show_bug.cgi?id=196078
1267         <rdar://problem/35925380>
1268
1269         Reviewed by Mark Lam.
1270
1271         Add a new benchmark that allocates several objects and invokes put_by_val_direct
1272         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
1273
1274         * microbenchmarks/put-by-val-direct-large-index.js: Added.
1275
1276 2019-03-21  Mark Lam  <mark.lam@apple.com>
1277
1278         Placate exception check validation in operationArrayIndexOfString().
1279         https://bugs.webkit.org/show_bug.cgi?id=196067
1280         <rdar://problem/49056572>
1281
1282         Reviewed by Michael Saboff.
1283
1284         * stress/string-equal-exception-check.js: Added.
1285
1286 2019-03-21  Mark Lam  <mark.lam@apple.com>
1287
1288         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
1289         https://bugs.webkit.org/show_bug.cgi?id=196055
1290         <rdar://problem/49067448>
1291
1292         Reviewed by Yusuke Suzuki.
1293
1294         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
1295
1296 2019-03-20  Saam Barati  <sbarati@apple.com>
1297
1298         typeOfDoubleSum is wrong for when NaN can be produced
1299         https://bugs.webkit.org/show_bug.cgi?id=196030
1300
1301         Reviewed by Filip Pizlo.
1302
1303         * stress/double-add-sub-mul-can-produce-nan.js: Added.
1304         (assert):
1305         (noInline.sub):
1306         (noInline):
1307         (assert.mul):
1308         (assert.add):
1309
1310 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
1311
1312         Update the test to ensure OutOfMemoryError is thrown as intended
1313         https://bugs.webkit.org/show_bug.cgi?id=196032
1314         <rdar://problem/46842740>
1315
1316         Rubber stamped by Saam Barati.
1317
1318         * stress/create-error-out-of-memory-rope-string.js:
1319         (assert):
1320         (catch):
1321
1322 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
1323
1324         JSC::createError needs to check for OOM in errorDescriptionForValue
1325         https://bugs.webkit.org/show_bug.cgi?id=196032
1326         <rdar://problem/46842740>
1327
1328         Reviewed by Mark Lam.
1329
1330         * stress/create-error-out-of-memory-rope-string.js: Added.
1331
1332 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
1333
1334         Unreviewed, reduce # of iterations to avoid timing out after r242991
1335         https://bugs.webkit.org/show_bug.cgi?id=195791
1336
1337         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
1338
1339         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1340
1341 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1342
1343         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
1344         https://bugs.webkit.org/show_bug.cgi?id=195950
1345
1346         Unreviewed, reducing the amount of memory used on this test to avoid
1347         OOM on devices with memory restrictions.
1348
1349         * microbenchmarks/generate-multiple-llint-entrypoints.js:
1350
1351 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1352
1353         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
1354         https://bugs.webkit.org/show_bug.cgi?id=194648
1355
1356         Reviewed by Keith Miller.
1357
1358         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
1359
1360 2019-03-18  Mark Lam  <mark.lam@apple.com>
1361
1362         Missing a ThrowScope release in JSObject::toString().
1363         https://bugs.webkit.org/show_bug.cgi?id=195893
1364         <rdar://problem/48970986>
1365
1366         Reviewed by Michael Saboff.
1367
1368         * stress/to-string-exception-check-release.js: Added.
1369
1370 2019-03-18  Mark Lam  <mark.lam@apple.com>
1371
1372         Structure::flattenDictionary() should clear unused property slots.
1373         https://bugs.webkit.org/show_bug.cgi?id=195871
1374         <rdar://problem/48959497>
1375
1376         Reviewed by Michael Saboff.
1377
1378         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
1379
1380 2019-03-15  Mark Lam  <mark.lam@apple.com>
1381
1382         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
1383         https://bugs.webkit.org/show_bug.cgi?id=195827
1384         <rdar://problem/48845513>
1385
1386         Reviewed by Filip Pizlo.
1387
1388         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
1389
1390 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
1391
1392         [ARM,MIPS] Skip slow tests
1393         https://bugs.webkit.org/show_bug.cgi?id=195799
1394
1395         Unreviewed, test does not finish on ARM and MIPS within the
1396         timeout limit.
1397
1398         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1399
1400 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
1401
1402         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
1403         https://bugs.webkit.org/show_bug.cgi?id=195791
1404         <rdar://problem/48806130>
1405
1406         Reviewed by Mark Lam.
1407
1408         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
1409         (foo):
1410
1411 2019-03-14  Saam barati  <sbarati@apple.com>
1412
1413         We can't remove code after ForceOSRExit until after FixupPhase
1414         https://bugs.webkit.org/show_bug.cgi?id=186916
1415         <rdar://problem/41396612>
1416
1417         Reviewed by Yusuke Suzuki.
1418
1419         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
1420         (foo):
1421         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1422         (foo):
1423
1424 2019-03-13  Michael Saboff  <msaboff@apple.com>
1425
1426         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
1427         https://bugs.webkit.org/show_bug.cgi?id=195735
1428
1429         Reviewed by Mark Lam.
1430
1431         New regression test.
1432
1433         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
1434         (foo):
1435         (bar):
1436
1437 2019-03-14  Saam barati  <sbarati@apple.com>
1438
1439         Fixup uses KnownInt32 incorrectly in some nodes
1440         https://bugs.webkit.org/show_bug.cgi?id=195279
1441         <rdar://problem/47915654>
1442
1443         Reviewed by Yusuke Suzuki.
1444
1445         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
1446         (foo):
1447
1448 2019-03-14  Keith Miller  <keith_miller@apple.com>
1449
1450         DFG liveness can't skip tail caller inline frames
1451         https://bugs.webkit.org/show_bug.cgi?id=195715
1452
1453         Reviewed by Saam Barati.
1454
1455         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
1456         (i.foo):
1457
1458 2019-03-13  Mark Lam  <mark.lam@apple.com>
1459
1460         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
1461         https://bugs.webkit.org/show_bug.cgi?id=195415
1462
1463         Not reviewed.
1464
1465         Changed these tests to only run the default configuration.
1466         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
1467         There's no strong need to run this test on that variant.
1468
1469         * stress/dfg-to-string-on-int-does-gc.js:
1470         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
1471
1472 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
1473
1474         String overflow when using StringBuilder in JSC::createError
1475         https://bugs.webkit.org/show_bug.cgi?id=194957
1476
1477         Reviewed by Mark Lam.
1478
1479         Add test string-overflow-createError-builder.js that overflows
1480         StringBuilder in notAFunctionSourceAppender. The second new test
1481         string-overflow-createError-fit.js has an error message that doesn't
1482         overflow, it still failed since the String's capacity can't be doubled.
1483         Run test string-overflow-createError.js only in the default
1484         configuration to reduce memory consumption when running the test
1485         in all configurations on multiple CPUs in parallel.
1486
1487         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
1488         (catch):
1489         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
1490         (catch):
1491         * stress/string-overflow-createError.js:
1492
1493 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
1494
1495         [JSC] OSR entry should respect abstract values in addition to flush formats
1496         https://bugs.webkit.org/show_bug.cgi?id=195653
1497
1498         Reviewed by Mark Lam.
1499
1500         * stress/osr-entry-locals-none.js: Added.
1501
1502 2019-03-12  Michael Saboff  <msaboff@apple.com>
1503
1504         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
1505         https://bugs.webkit.org/show_bug.cgi?id=195613
1506
1507         Reviewed by Mark Lam.
1508
1509         New regression test.
1510
1511         * stress/regexp-backref-inbounds.js: Added.
1512         (testRegExp):
1513
1514 2019-03-12  Mark Lam  <mark.lam@apple.com>
1515
1516         The HasIndexedProperty node does GC.
1517         https://bugs.webkit.org/show_bug.cgi?id=195559
1518         <rdar://problem/48767923>
1519
1520         Reviewed by Yusuke Suzuki.
1521
1522         * stress/HasIndexedProperty-does-gc.js: Added.
1523
1524 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
1525
1526         [ESNext][BigInt] Implement "~" unary operation
1527         https://bugs.webkit.org/show_bug.cgi?id=182216
1528
1529         Reviewed by Keith Miller.
1530
1531         * stress/big-int-bit-not-general.js: Added.
1532         * stress/big-int-bitwise-not-jit.js: Added.
1533         * stress/big-int-bitwise-not-wrapped-value.js: Added.
1534         * stress/bit-op-with-object-returning-int32.js:
1535         * stress/bitwise-not-fixup-rules.js: Added.
1536         * stress/value-bit-not-ai-rule.js: Added.
1537
1538 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
1539
1540         Invalid flags in a RegExp literal should be an early SyntaxError
1541         https://bugs.webkit.org/show_bug.cgi?id=195514
1542
1543         Reviewed by Darin Adler.
1544
1545         * test262/expectations.yaml:
1546         Mark 4 test cases as passing.
1547
1548         * stress/regexp-syntax-error-invalid-flags.js:
1549         * stress/regress-161995.js: Removed.
1550         Update existing test, merging in an older test for the same behavior.
1551
1552 2019-03-08  Mark Lam  <mark.lam@apple.com>
1553
1554         Stack overflow crash in JSC::JSObject::hasInstance.
1555         https://bugs.webkit.org/show_bug.cgi?id=195458
1556         <rdar://problem/48710195>
1557
1558         Reviewed by Yusuke Suzuki.
1559
1560         * stress/stack-overflow-in-custom-hasInstance.js: Added.
1561
1562 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
1563
1564         op_check_tdz does not def its argument
1565         https://bugs.webkit.org/show_bug.cgi?id=192880
1566         <rdar://problem/46221598>
1567
1568         Reviewed by Saam Barati.
1569
1570         * microbenchmarks/let-for-in.js: Added.
1571         (foo):
1572
1573 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
1574
1575         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
1576         https://bugs.webkit.org/show_bug.cgi?id=195429
1577
1578         Reviewed by Saam Barati.
1579
1580         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
1581         (foo):
1582         * stress/string-from-char-code-255.js: Added.
1583
1584 2019-03-06  Mark Lam  <mark.lam@apple.com>
1585
1586         Fix incorrect handling of try-finally completion values.
1587         https://bugs.webkit.org/show_bug.cgi?id=195131
1588         <rdar://problem/46222079>
1589
1590         Reviewed by Saam Barati and Yusuke Suzuki.
1591
1592         Added many permutations of new test case to test-finally.js.  test-finally.js has
1593         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
1594         tests pass there as well.
1595
1596         * stress/test-finally.js:
1597
1598 2019-03-06  Saam Barati  <sbarati@apple.com>
1599
1600         Air::reportUsedRegisters must padInterference
1601         https://bugs.webkit.org/show_bug.cgi?id=195303
1602         <rdar://problem/48270343>
1603
1604         Reviewed by Keith Miller.
1605
1606         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
1607
1608 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
1609
1610         [JSC] AI should not propagate AbstractValue relying on constant folding phase
1611         https://bugs.webkit.org/show_bug.cgi?id=195375
1612
1613         Reviewed by Saam Barati.
1614
1615         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
1616         (let.array):
1617
1618 2019-03-05  Saam barati  <sbarati@apple.com>
1619
1620         op_switch_char broken for rope strings after JSRopeString layout rewrite
1621         https://bugs.webkit.org/show_bug.cgi?id=195339
1622         <rdar://problem/48592545>
1623
1624         Reviewed by Yusuke Suzuki.
1625
1626         * stress/switch-on-char-llint-rope.js: Added.
1627
1628 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
1629
1630         [JSC] Store bits for JSRopeString in 3 stores
1631         https://bugs.webkit.org/show_bug.cgi?id=195234
1632
1633         Reviewed by Saam Barati.
1634
1635         * stress/null-rope-and-collectors.js: Added.
1636
1637 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1638
1639         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1640         https://bugs.webkit.org/show_bug.cgi?id=195207
1641
1642         Unreviewed. After test runtime was reduced in r242213, test can be
1643         run again on ARM/MIPS.
1644
1645         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1646
1647 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1648
1649         [JSC] sizeof(JSString) should be 16
1650         https://bugs.webkit.org/show_bug.cgi?id=194375
1651
1652         Reviewed by Saam Barati.
1653
1654         * microbenchmarks/make-rope.js: Added.
1655         (makeRope):
1656         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1657         (returnRope.helper): Deleted.
1658         (returnRope): Deleted.
1659
1660 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1661
1662         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1663         https://bugs.webkit.org/show_bug.cgi?id=195144
1664
1665         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1666         Change the number from 1e8 to 1e5.
1667
1668         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1669         (foo):
1670
1671 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1672
1673         Test times out on ARM/MIPS
1674         https://bugs.webkit.org/show_bug.cgi?id=195168
1675
1676         Unreviewed. Skip test on ARM/MIPS.
1677
1678         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1679
1680 2019-02-27  Mark Lam  <mark.lam@apple.com>
1681
1682         The parser is failing to record the token location of new in new.target.
1683         https://bugs.webkit.org/show_bug.cgi?id=195127
1684         <rdar://problem/39645578>
1685
1686         Reviewed by Yusuke Suzuki.
1687
1688         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1689
1690 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1691
1692         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1693         https://bugs.webkit.org/show_bug.cgi?id=195144
1694         <rdar://problem/47595961>
1695
1696         Reviewed by Mark Lam.
1697
1698         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1699         (bar):
1700         (foo):
1701         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1702         (bar):
1703         (foo):
1704
1705 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1706
1707         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1708         https://bugs.webkit.org/show_bug.cgi?id=194945
1709         <rdar://problem/48311657>
1710
1711         Reviewed by Mark Lam.
1712
1713         * stress/licm-dead-code.js: Added.
1714
1715 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1716
1717         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1718         https://bugs.webkit.org/show_bug.cgi?id=194677
1719         <rdar://problem/48112492>
1720
1721         Reviewed by Mark Lam.
1722
1723         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1724         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1725         it immediately fails due to the large size.
1726
1727         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1728         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1729         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1730         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1731
1732         This patch changes the test to produce 16bit string from String.fromCharCode.
1733
1734         * stress/regress-178386.js:
1735
1736 2019-02-26  Mark Lam  <mark.lam@apple.com>
1737
1738         wasmToJS() should purify incoming NaNs.
1739         https://bugs.webkit.org/show_bug.cgi?id=194807
1740         <rdar://problem/48189132>
1741
1742         Reviewed by Saam Barati.
1743
1744         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1745
1746 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1747
1748         [JSC] Repeat string created from Array.prototype.join() take too much memory
1749         https://bugs.webkit.org/show_bug.cgi?id=193912
1750
1751         Reviewed by Saam Barati.
1752
1753         Added a test and a microbenchmark for corner cases of
1754         Array.prototype.join() with an uninitialized array.
1755
1756         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1757         * stress/array-prototype-join-uninitialized.js: Added.
1758         (testArray):
1759         (testABC):
1760         (B):
1761         (C):
1762
1763 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1764
1765         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1766         https://bugs.webkit.org/show_bug.cgi?id=194953
1767         <rdar://problem/47595253>
1768
1769         Reviewed by Saam Barati.
1770
1771         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1772
1773         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1774
1775 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1776
1777         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1778         https://bugs.webkit.org/show_bug.cgi?id=172848
1779         <rdar://problem/25709212>
1780
1781         Reviewed by Mark Lam.
1782
1783         * typeProfiler/inheritance.js:
1784         Rewrite the test slightly for clarity. The hoisting was confusing.
1785
1786         * heapProfiler/class-names.js: Added.
1787         (MyES5Class):
1788         (MyES6Class):
1789         (MyES6Subclass):
1790         Test object types and improved class names.
1791
1792         * heapProfiler/driver/driver.js:
1793         (CheapHeapSnapshotNode):
1794         (CheapHeapSnapshot):
1795         (createCheapHeapSnapshot):
1796         (HeapSnapshot):
1797         (createHeapSnapshot):
1798         Update snapshot parsing from version 1 to version 2.
1799
1800 2019-02-19  Truitt Savell  <tsavell@apple.com>
1801
1802         Unreviewed, rolling out r241784.
1803
1804         Broke all OpenSource builds.
1805
1806         Reverted changeset:
1807
1808         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1809         instances view"
1810         https://bugs.webkit.org/show_bug.cgi?id=172848
1811         https://trac.webkit.org/changeset/241784
1812
1813 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1814
1815         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1816         https://bugs.webkit.org/show_bug.cgi?id=172848
1817         <rdar://problem/25709212>
1818
1819         Reviewed by Mark Lam.
1820
1821         * typeProfiler/inheritance.js:
1822         Rewrite the test slightly for clarity. The hoisting was confusing.
1823
1824         * heapProfiler/class-names.js: Added.
1825         (MyES5Class):
1826         (MyES6Class):
1827         (MyES6Subclass):
1828         Test object types and improved class names.
1829
1830         * heapProfiler/driver/driver.js:
1831         (CheapHeapSnapshotNode):
1832         (CheapHeapSnapshot):
1833         (createCheapHeapSnapshot):
1834         (HeapSnapshot):
1835         (createHeapSnapshot):
1836         Update snapshot parsing from version 1 to version 2.
1837
1838 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1839
1840         [ARM] Fix crash with sampling profiler
1841         https://bugs.webkit.org/show_bug.cgi?id=194772
1842
1843         Reviewed by Mark Lam.
1844
1845         Do not skip test since crash with sampling profiler is now fixed.
1846
1847         * stress/sampling-profiler-richards.js:
1848
1849 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1850
1851         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1852         https://bugs.webkit.org/show_bug.cgi?id=194784
1853         <rdar://problem/48154820>
1854
1855         Reviewed by Mark Lam.
1856
1857         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1858         (getProperties):
1859         (getRandomProperty):
1860         (i.catch):
1861
1862 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1863
1864         [ARM] Test gardening: Test running out of executable memory
1865         https://bugs.webkit.org/show_bug.cgi?id=194771
1866
1867         Unreviewed. Do not run test without LLInt, test is running out of executable
1868         memory on ARM otherwise.
1869
1870         * stress/tagged-template-object-collect.js:
1871
1872 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1873
1874         Unreviewed, skip the test on platforms without sampling profiler
1875
1876         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1877         (platformSupportsSamplingProfiler.foo):
1878         (platformSupportsSamplingProfiler.test):
1879         (platformSupportsSamplingProfiler):
1880         (foo): Deleted.
1881         (test): Deleted.
1882
1883 2019-02-17  Saam Barati  <sbarati@apple.com>
1884
1885         Deadlock when adding a Structure property transition and then doing incremental marking
1886         https://bugs.webkit.org/show_bug.cgi?id=194767
1887
1888         Reviewed by Mark Lam.
1889
1890         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1891
1892 2019-02-15  Michael Saboff  <msaboff@apple.com>
1893
1894         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1895         https://bugs.webkit.org/show_bug.cgi?id=194558
1896
1897         Reviewed by Saam Barati.
1898
1899         New regression test.
1900
1901         * stress/regexp-unicode-within-string.js: Added.
1902
1903 2019-02-15  Mark Lam  <mark.lam@apple.com>
1904
1905         SamplingProfiler::stackTracesAsJSON() should escape strings.
1906         https://bugs.webkit.org/show_bug.cgi?id=194649
1907         <rdar://problem/48072386>
1908
1909         Reviewed by Saam Barati.
1910
1911         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1912         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1913         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1914         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1915
1916 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1917         CodeBlock::jettison should clear related watchpoints
1918         https://bugs.webkit.org/show_bug.cgi?id=194544
1919
1920         Reviewed by Mark Lam.
1921
1922         * stress/regexp-replace-double-watchpoint.js: Added.
1923         (foo):
1924
1925 2019-02-15  Saam barati  <sbarati@apple.com>
1926
1927         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1928         https://bugs.webkit.org/show_bug.cgi?id=194036
1929
1930         Reviewed by Yusuke Suzuki.
1931
1932         * stress/tail-call-many-arguments.js: Added.
1933         (foo):
1934         (bar):
1935
1936 2019-02-14  Saam Barati  <sbarati@apple.com>
1937
1938         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1939         https://bugs.webkit.org/show_bug.cgi?id=194583
1940         <rdar://problem/48028140>
1941
1942         Reviewed by Yusuke Suzuki.
1943
1944         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1945
1946 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1947
1948         [JSC] String.fromCharCode's slow path always generates 16bit string
1949         https://bugs.webkit.org/show_bug.cgi?id=194466
1950
1951         Reviewed by Keith Miller.
1952
1953         * stress/string-from-char-code-slow-path.js: Added.
1954         (shouldBe):
1955         (testWithLength):
1956
1957 2019-02-08  Saam barati  <sbarati@apple.com>
1958
1959         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1960         https://bugs.webkit.org/show_bug.cgi?id=194334
1961         <rdar://problem/47844327>
1962
1963         Reviewed by Mark Lam.
1964
1965         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1966         (func):
1967
1968 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1969
1970         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1971         https://bugs.webkit.org/show_bug.cgi?id=194369
1972         <rdar://problem/47813087>
1973
1974         Reviewed by Saam Barati.
1975
1976         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1977         (A):
1978
1979 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1980
1981         [JSC] PrivateName to PublicName hash table is wasteful
1982         https://bugs.webkit.org/show_bug.cgi?id=194277
1983
1984         Reviewed by Michael Saboff.
1985
1986         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1987
1988         * ChakraCore.yaml:
1989
1990 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1991
1992         [ARM] Test running out of executable memory
1993         https://bugs.webkit.org/show_bug.cgi?id=194285
1994
1995         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1996         executable memory otherwise.
1997
1998         * stress/class-subclassing-function.js:
1999
2000 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2001
2002         when lowering AssertNotEmpty, create the value before creating the patchpoint
2003         https://bugs.webkit.org/show_bug.cgi?id=194231
2004
2005         Reviewed by Saam Barati.
2006
2007         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
2008         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
2009         So even tiny changes to this test can change the path code taken.
2010
2011         * stress/assert-not-empty.js: Added.
2012         (foo):
2013
2014 2019-02-01  Mark Lam  <mark.lam@apple.com>
2015
2016         Remove invalid assertion in DFG's compileDoubleRep().
2017         https://bugs.webkit.org/show_bug.cgi?id=194130
2018         <rdar://problem/47699474>
2019
2020         Reviewed by Saam Barati.
2021
2022         * stress/constant-fold-double-rep-into-double-constant.js: Added.
2023
2024 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
2025
2026         Import latest Test262 updates.
2027
2028         Rubber-stamped by Keith Miller.
2029
2030         * test262.yaml: Deleted.
2031         * test262/config.yaml:
2032         * test262/expectations.yaml:
2033         * test262/latest-changes-summary.txt:
2034         * test262/test/:
2035         * test262/test262-Revision.txt:
2036
2037 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2038
2039         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2040         https://bugs.webkit.org/show_bug.cgi?id=194050
2041         <rdar://problem/47595592>
2042
2043         Reviewed by Yusuke Suzuki.
2044
2045         * stress/object-keys-osr-exit.js: Added.
2046         (foo):
2047         (catch):
2048
2049 2019-01-29  Mark Lam  <mark.lam@apple.com>
2050
2051         ValueRecovery::recover() should purify NaN values it recovers.
2052         https://bugs.webkit.org/show_bug.cgi?id=193978
2053         <rdar://problem/47625488>
2054
2055         Reviewed by Saam Barati.
2056
2057         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
2058
2059 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2060
2061         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
2062         https://bugs.webkit.org/show_bug.cgi?id=193713
2063
2064         * stress/try-get-by-id-should-spill-registers-dfg.js:
2065         (let.f.createBuiltin):
2066
2067 2019-01-28  Mark Lam  <mark.lam@apple.com>
2068
2069         ToString node actually does GC.
2070         https://bugs.webkit.org/show_bug.cgi?id=193920
2071         <rdar://problem/46695900>
2072
2073         Reviewed by Yusuke Suzuki.
2074
2075         * stress/dfg-to-string-on-int-does-gc.js: Added.
2076         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
2077         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
2078
2079 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
2080
2081         [JSC] NativeErrorConstructor should not have own IsoSubspace
2082         https://bugs.webkit.org/show_bug.cgi?id=193713
2083
2084         Reviewed by Saam Barati.
2085
2086         Remove @Error use.
2087
2088         * stress/try-get-by-id-should-spill-registers-dfg.js:
2089         (let.f.createBuiltin):
2090
2091 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
2092
2093         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
2094         https://bugs.webkit.org/show_bug.cgi?id=190693
2095
2096         Reviewed by Michael Saboff.
2097
2098         * stress/regress-190693.js: Added.
2099         (truth):
2100         (assert):
2101         (shouldThrowInvalidConstAssignment):
2102         (taz):
2103
2104 2019-01-24  Saam Barati  <sbarati@apple.com>
2105
2106         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
2107         https://bugs.webkit.org/show_bug.cgi?id=193751
2108         <rdar://problem/47280215>
2109
2110         Reviewed by Michael Saboff.
2111
2112         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
2113         (let.thing):
2114         (foo.let.hello):
2115         (foo):
2116
2117 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
2118
2119         [JSC] Reenable baseline JIT on mips
2120         https://bugs.webkit.org/show_bug.cgi?id=192983
2121
2122         Reviewed by Mark Lam.
2123
2124         Added a new test for a case that was triggering a RELEASE_ASSERT when
2125         testing.
2126         Disable some slow tests that were already disabled for arm and x86.
2127
2128         * stress/json-parse-big-object.js: Added.
2129         * stress/new-largeish-contiguous-array-with-size.js:
2130         * stress/op_add.js:
2131         * stress/op_bitand.js:
2132         * stress/op_bitor.js:
2133         * stress/op_bitxor.js:
2134         * stress/op_lshift-ConstVar.js:
2135         * stress/op_lshift-VarConst.js:
2136         * stress/op_lshift-VarVar.js:
2137         * stress/op_mod-ConstVar.js:
2138         * stress/op_mod-VarConst.js:
2139         * stress/op_mod-VarVar.js:
2140         * stress/op_mul-ConstVar.js:
2141         * stress/op_mul-VarConst.js:
2142         * stress/op_mul-VarVar.js:
2143         * stress/op_rshift-ConstVar.js:
2144         * stress/op_rshift-VarConst.js:
2145         * stress/op_rshift-VarVar.js:
2146         * stress/op_sub-ConstVar.js:
2147         * stress/op_sub-VarConst.js:
2148         * stress/op_sub-VarVar.js:
2149         * stress/op_urshift-ConstVar.js:
2150         * stress/op_urshift-VarConst.js:
2151         * stress/op_urshift-VarVar.js:
2152         * stress/sampling-profiler-richards.js:
2153         * stress/spread-forward-call-varargs-stack-overflow.js:
2154
2155 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
2156
2157         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
2158         https://bugs.webkit.org/show_bug.cgi?id=193711
2159         <rdar://problem/47250262>
2160
2161         Reviewed by Saam Barati.
2162
2163         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
2164         (shouldBe):
2165         (foo):
2166         (bar):
2167         (baz):
2168
2169 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2170
2171         Unreviewed, fix initial global lexical binding epoch
2172         https://bugs.webkit.org/show_bug.cgi?id=193603
2173         <rdar://problem/47380869>
2174
2175         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
2176         (f1.f2.f3.f4):
2177         (f1.f2.f3):
2178         (f1.f2):
2179         (f1):
2180
2181 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2182
2183         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
2184         https://bugs.webkit.org/show_bug.cgi?id=193709
2185         <rdar://problem/47363838>
2186
2187         Unreviewed, rollout to watch the tests.
2188
2189         * stress/object-tostring-changed-proto.js: Removed.
2190         * stress/object-tostring-changed.js: Removed.
2191         * stress/object-tostring-misc.js: Removed.
2192         * stress/object-tostring-other.js: Removed.
2193         * stress/object-tostring-untyped.js: Removed.
2194
2195 2019-01-22  Saam Barati  <sbarati@apple.com>
2196
2197         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
2198
2199         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
2200         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
2201         (testUncheckedLessThanZero):
2202         (testUncheckedLessThanOrEqualZero):
2203         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
2204         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
2205
2206 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2207
2208         [JSC] Invalidate old scope operations using global lexical binding epoch
2209         https://bugs.webkit.org/show_bug.cgi?id=193603
2210         <rdar://problem/47380869>
2211
2212         Reviewed by Saam Barati.
2213
2214         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2215         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
2216         (shouldThrow):
2217         (bar):
2218         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
2219         (shouldBe):
2220         (get1):
2221         (get2):
2222         (get1If):
2223         (get2If):
2224         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
2225         (shouldThrow):
2226         (foo):
2227
2228 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
2229
2230         Unreviewed, roll out r240220 due to date-format-xparb regression
2231         https://bugs.webkit.org/show_bug.cgi?id=193603
2232
2233         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2234         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
2235         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
2236         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
2237
2238 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
2239
2240         DoesGC rule is wrong for nodes with BigIntUse
2241         https://bugs.webkit.org/show_bug.cgi?id=193652
2242
2243         Reviewed by Saam Barati.
2244
2245         * stress/big-int-value-op-update-gc-rules.js: Added.
2246         (assert):
2247         (doesGCAdd):
2248         (doesGCSub):
2249         (doesGCDiv):
2250         (doesGCMul):
2251         (doesGCBitAnd):
2252         (doesGCBitOr):
2253         (doesGCBitXor):
2254
2255 2019-01-20  Saam Barati  <sbarati@apple.com>
2256
2257         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
2258         https://bugs.webkit.org/show_bug.cgi?id=193644
2259         <rdar://problem/46209745>
2260
2261         Reviewed by Yusuke Suzuki.
2262
2263         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
2264         (foo):
2265         * stress/data-view-set-intrinsic-undefined-result.js: Added.
2266         (foo):
2267         (bar):
2268
2269 2019-01-20  Saam Barati  <sbarati@apple.com>
2270
2271         MovHint must merge NodeBytecodeUsesAsValue for its child
2272         https://bugs.webkit.org/show_bug.cgi?id=186916
2273         <rdar://problem/41396612>
2274
2275         Reviewed by Yusuke Suzuki.
2276
2277         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
2278         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
2279
2280 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
2281
2282         [JSC] Invalidate old scope operations using global lexical binding epoch
2283         https://bugs.webkit.org/show_bug.cgi?id=193603
2284         <rdar://problem/47380869>
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2289         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
2290         (shouldThrow):
2291         (bar):
2292         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
2293         (shouldBe):
2294         (get1):
2295         (get2):
2296         (get1If):
2297         (get2If):
2298         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
2299         (shouldThrow):
2300         (foo):
2301
2302 2019-01-17  Saam barati  <sbarati@apple.com>
2303
2304         StringObjectUse should not be a structure check for the original string object structure
2305         https://bugs.webkit.org/show_bug.cgi?id=193483
2306         <rdar://problem/47280522>
2307
2308         Reviewed by Yusuke Suzuki.
2309
2310         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
2311         (foo):
2312         (a.valueOf.0):
2313
2314 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2315
2316         [JSC] ToThis omission in DFGByteCodeParser is wrong
2317         https://bugs.webkit.org/show_bug.cgi?id=193513
2318         <rdar://problem/45842236>
2319
2320         Reviewed by Saam Barati.
2321
2322         * stress/to-this-omission-with-different-strict-modes.js: Added.
2323         (thisA):
2324         (thisAStrictWrapper):
2325
2326 2019-01-15  Mark Lam  <mark.lam@apple.com>
2327
2328         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2329         https://bugs.webkit.org/show_bug.cgi?id=193423
2330         <rdar://problem/46209355>
2331
2332         Reviewed by Saam Barati.
2333
2334         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
2335         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
2336         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
2337         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
2338
2339 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2340
2341         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
2342         https://bugs.webkit.org/show_bug.cgi?id=193438
2343         <rdar://problem/45581249>
2344
2345         Reviewed by Saam Barati and Keith Miller.
2346
2347         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
2348         Then, GetByVal(String) crashed.
2349
2350         * stress/string-get-by-val-lowering.js: Added.
2351         (shouldBe):
2352         (test):
2353         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
2354         (Hello):
2355         (foo):
2356
2357 2019-01-15  Tomas Popela  <tpopela@redhat.com>
2358
2359         Unreviewed, skip JIT tests if it's not enabled
2360
2361         * stress/bit-op-with-object-returning-int32.js:
2362
2363 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
2364
2365         DFGByteCodeParser rules for bitwise operations should consider type of their operands
2366         https://bugs.webkit.org/show_bug.cgi?id=192966
2367
2368         Reviewed by Yusuke Suzuki.
2369
2370         * stress/bit-op-with-object-returning-int32.js: Added.
2371
2372 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
2373
2374         Skip a slow test and a flakey test on arm
2375
2376         Unreviewed gardening.
2377
2378         * typeProfiler/getter-richards.js:
2379         this test always times out, it used to be always skipped on arm and
2380         mips, but got accidentally enabled by r237919 now that we have DFG on
2381         arm. Also skipping on mips as we plan to soon enable DFG for it too.
2382
2383 2019-01-14  Keith Miller  <keith_miller@apple.com>
2384
2385         Skip type-check-hoisting-phase-hoist... with no jit
2386         https://bugs.webkit.org/show_bug.cgi?id=193421
2387
2388         Reviewed by Mark Lam.
2389
2390         It's timing out the 32-bit bots and takes 330 seconds
2391         on my machine when run by itself.
2392
2393         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
2394
2395 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2396
2397         [JSC] AI should check the given constant's array type when folding GetByVal into constant
2398         https://bugs.webkit.org/show_bug.cgi?id=193413
2399         <rdar://problem/46092389>
2400
2401         Reviewed by Keith Miller.
2402
2403         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
2404         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
2405         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
2406         but GetByVal does not have appropriate ArrayModes, JSC crashes.
2407
2408         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
2409         (compareArray):
2410
2411 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
2412
2413         [BigInt] Literal parsing is crashing when used inside a Object Literal
2414         https://bugs.webkit.org/show_bug.cgi?id=193404
2415
2416         Reviewed by Yusuke Suzuki.
2417
2418         * stress/big-int-literal-inside-literal-object.js: Added.
2419
2420 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2421
2422         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
2423         https://bugs.webkit.org/show_bug.cgi?id=193372
2424
2425         Reviewed by Saam Barati.
2426
2427         * stress/typed-array-array-modes-profile.js: Added.
2428         (foo):
2429
2430 2019-01-14  Mark Lam  <mark.lam@apple.com>
2431
2432         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
2433         https://bugs.webkit.org/show_bug.cgi?id=193402
2434         <rdar://problem/46012309>
2435
2436         Reviewed by Keith Miller.
2437
2438         * stress/regexp-compile-oom.js:
2439         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
2440           is enabled.  As a result, it will fail on cloop builds though there is no bug.
2441
2442 2019-01-11  Saam barati  <sbarati@apple.com>
2443
2444         DFG combined liveness can be wrong for terminal basic blocks
2445         https://bugs.webkit.org/show_bug.cgi?id=193304
2446         <rdar://problem/45268632>
2447
2448         Reviewed by Yusuke Suzuki.
2449
2450         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
2451
2452 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2453
2454         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
2455         https://bugs.webkit.org/show_bug.cgi?id=193308
2456         <rdar://problem/45546542>
2457
2458         Reviewed by Saam Barati.
2459
2460         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2461         (shouldThrow):
2462         (shouldBe):
2463         (foo):
2464         (get shouldThrow):
2465         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2466         (shouldThrow):
2467         (shouldBe):
2468         (foo):
2469         (get shouldBe):
2470         (get shouldThrow):
2471         (get return):
2472         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2473         (shouldThrow):
2474         (shouldBe):
2475         (foo):
2476         (get shouldBe):
2477         (get shouldThrow):
2478         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
2479         (shouldThrow):
2480         (shouldBe):
2481         (foo):
2482         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2483         (shouldThrow):
2484         (shouldBe):
2485         (foo):
2486         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
2487         (shouldThrow):
2488         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
2489         (shouldThrow):
2490         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2491         (shouldThrow):
2492         (shouldBe):
2493         (foo):
2494         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2495         (shouldThrow):
2496         (shouldBe):
2497         (foo):
2498         (get shouldBe):
2499         (get shouldThrow):
2500         (get return):
2501         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2502         (shouldThrow):
2503         (shouldBe):
2504         (foo):
2505         (get shouldBe):
2506         (get shouldThrow):
2507         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
2508         (shouldThrow):
2509         (shouldBe):
2510         (foo):
2511         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2512         (shouldThrow):
2513         (shouldBe):
2514         (foo):
2515
2516 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
2517
2518         Enable DFG on ARM/Linux again
2519         https://bugs.webkit.org/show_bug.cgi?id=192496
2520
2521         Reviewed by Yusuke Suzuki.
2522
2523         Test wasn't really skipped before moving the line with skip
2524         to the top.
2525
2526         * stress/regress-192717.js:
2527
2528 2019-01-10  Commit Queue  <commit-queue@webkit.org>
2529
2530         Unreviewed, rolling out r239825.
2531         https://bugs.webkit.org/show_bug.cgi?id=193330
2532
2533         Broke tests on armv7/linux bots (Requested by guijemont on
2534         #webkit).
2535
2536         Reverted changeset:
2537
2538         "Enable DFG on ARM/Linux again"
2539         https://bugs.webkit.org/show_bug.cgi?id=192496
2540         https://trac.webkit.org/changeset/239825
2541
2542 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
2543
2544         Enable DFG on ARM/Linux again
2545         https://bugs.webkit.org/show_bug.cgi?id=192496
2546
2547         Reviewed by Yusuke Suzuki.
2548
2549         Test wasn't really skipped before moving the line with skip
2550         to the top.
2551
2552         * stress/regress-192717.js:
2553
2554 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2555
2556         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
2557         https://bugs.webkit.org/show_bug.cgi?id=193127
2558
2559         Reviewed by Saam Barati.
2560
2561         * stress/array-species-create-should-handle-masquerader.js: Added.
2562         (shouldThrow):
2563         * stress/is-undefined-or-null-builtin.js: Added.
2564         (shouldBe):
2565         (isUndefinedOrNull.vm.createBuiltin):
2566
2567 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
2568
2569         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
2570         https://bugs.webkit.org/show_bug.cgi?id=193221
2571
2572         Reviewed by Mark Lam.
2573
2574         * stress/put-by-id-flags.js: Added.
2575         (f):
2576         (g):
2577         (numberOfDFGCompiles):
2578
2579 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
2580
2581         Baseline version of get_by_id may corrupt metadata
2582         https://bugs.webkit.org/show_bug.cgi?id=193085
2583         <rdar://problem/23453006>
2584
2585         Reviewed by Saam Barati.
2586
2587         * stress/get-by-id-change-mode.js: Added.
2588         (forEach):
2589
2590 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2591
2592         [JSC] Optimize Object.prototype.toString
2593         https://bugs.webkit.org/show_bug.cgi?id=193031
2594
2595         Reviewed by Saam Barati.
2596
2597         * stress/object-tostring-changed-proto.js: Added.
2598         (shouldBe):
2599         (test):
2600         * stress/object-tostring-changed.js: Added.
2601         (shouldBe):
2602         (test):
2603         * stress/object-tostring-misc.js: Added.
2604         (shouldBe):
2605         (test):
2606         (i.switch):
2607         * stress/object-tostring-other.js: Added.
2608         (shouldBe):
2609         (test):
2610         * stress/object-tostring-untyped.js: Added.
2611         (shouldBe):
2612         (test):
2613         (i.switch):
2614
2615 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
2616
2617         test262-runner misbehaves when test file YAML has a trailing space
2618         https://bugs.webkit.org/show_bug.cgi?id=193053
2619
2620         Reviewed by Yusuke Suzuki.
2621
2622         * test262/expectations.yaml:
2623         Mark two dozen tests as passing (and correct the output of another).
2624
2625 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2626
2627         Unreviewed, JSTests gardening with memoryLimited
2628
2629         * stress/string-overflow-createError.js:
2630
2631 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
2632
2633         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2634         https://bugs.webkit.org/show_bug.cgi?id=193050
2635
2636         Reviewed by Yusuke Suzuki.
2637
2638         * test262.yaml:
2639         * test262/expectations.yaml:
2640         Mark 16 tests as passing.
2641
2642 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2643
2644         [BigInt] Support BigInt in JSON.stringify
2645         https://bugs.webkit.org/show_bug.cgi?id=192624
2646
2647         Reviewed by Saam Barati.
2648
2649         * stress/big-int-json-stringify-to-json.js: Added.
2650         (shouldBe):
2651         (shouldThrow):
2652         (BigInt.prototype.toJSON):
2653         (shouldBe.JSON.stringify):
2654         * stress/big-int-json-stringify.js: Added.
2655         (shouldBe):
2656         (shouldThrow):
2657
2658 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2659
2660         [JSC] Implement "well-formed JSON.stringify" proposal
2661         https://bugs.webkit.org/show_bug.cgi?id=191677
2662
2663         Reviewed by Darin Adler.
2664
2665         * stress/json-surrogate-pair.js: Added.
2666         (shouldBe):
2667         * test262/expectations.yaml:
2668
2669 2018-12-20  Keith Miller  <keith_miller@apple.com>
2670
2671         Add support for globalThis
2672         https://bugs.webkit.org/show_bug.cgi?id=165171
2673
2674         Reviewed by Mark Lam.
2675
2676         * test262/config.yaml:
2677
2678 2018-12-19  Keith Miller  <keith_miller@apple.com>
2679
2680         Update test262 configuration to not run tests dependent on ICU version.
2681         https://bugs.webkit.org/show_bug.cgi?id=192920
2682
2683         Reviewed by Saam Barati.
2684
2685         * test262/expectations.yaml:
2686
2687 2018-12-20  Mark Lam  <mark.lam@apple.com>
2688
2689         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2690         https://bugs.webkit.org/show_bug.cgi?id=192939
2691         <rdar://problem/46869516>
2692
2693         Reviewed by Keith Miller.
2694
2695         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2696
2697 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2698
2699         WTF::String and StringImpl overflow MaxLength
2700         https://bugs.webkit.org/show_bug.cgi?id=192853
2701         <rdar://problem/45726906>
2702
2703         Reviewed by Mark Lam.
2704
2705         * stress/string-16bit-repeat-overflow.js: Added.
2706         (catch):
2707
2708 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2709
2710         Unreviewed follow-up to r192914.
2711
2712         * test262/expectations.yaml:
2713         Add the last 20 missing expectations.
2714
2715 2018-12-19  Keith Miller  <keith_miller@apple.com>
2716
2717         Fix test262 expectations
2718         https://bugs.webkit.org/show_bug.cgi?id=192914
2719
2720         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2721
2722         * test262/expectations.yaml:
2723
2724 2018-12-19  Keith Miller  <keith_miller@apple.com>
2725
2726         Update test262 tests.
2727         https://bugs.webkit.org/show_bug.cgi?id=192907
2728
2729         Rubber stamped by Mark Lam.
2730
2731         * test262/*: Omitted because prepare-changelog crashes.
2732
2733 2018-12-19  Mark Lam  <mark.lam@apple.com>
2734
2735         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2736         https://bugs.webkit.org/show_bug.cgi?id=192464
2737         <rdar://problem/46519455>
2738
2739         Reviewed by Saam Barati.
2740
2741         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2742         microbenchmark.
2743
2744         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2745         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2746
2747 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2748
2749         String overflow in JSC::createError results in ASSERT in WTF::makeString
2750         https://bugs.webkit.org/show_bug.cgi?id=192833
2751         <rdar://problem/45706868>
2752
2753         Reviewed by Mark Lam.
2754
2755         * stress/string-overflow-createError.js: Added.
2756
2757 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2758
2759         Error message for `-x ** y` contains a typo.
2760         https://bugs.webkit.org/show_bug.cgi?id=192832
2761
2762         Reviewed by Saam Barati.
2763
2764         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2765         (assert.assert.return.throws):
2766         * stress/pow-expects-update-expression-on-lhs.js:
2767         (throw.new.Error):
2768         Update test expectations which match against the exact error message.
2769
2770 2018-12-18  Mark Lam  <mark.lam@apple.com>
2771
2772         Gardening: test options fix.
2773         https://bugs.webkit.org/show_bug.cgi?id=192822
2774
2775         Unreviewed.
2776
2777         * stress/json-stringify-string-builder-overflow.js:
2778
2779 2018-12-18  Mark Lam  <mark.lam@apple.com>
2780
2781         JSON.stringify() should throw OOM on StringBuilder overflows.
2782         https://bugs.webkit.org/show_bug.cgi?id=192822
2783         <rdar://problem/46670577>
2784
2785         Reviewed by Saam Barati.
2786
2787         * stress/json-stringify-string-builder-overflow.js: Added.
2788
2789 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2790
2791         Redeclaration of var over let/const/class should be a syntax error.
2792         https://bugs.webkit.org/show_bug.cgi?id=192298
2793
2794         Reviewed by Keith Miller.
2795
2796         * test262.yaml:
2797         * test262/expectations.yaml:
2798         Mark 46 tests as passing.
2799
2800         * stress/block-scope-redeclarations.js:
2801         Add some new tests.
2802
2803         * stress/for-in-invalidate-context-weird-assignments.js:
2804         * stress/for-in-tests.js:
2805         Replace tests for outdated behavior with tests for SyntaxError.
2806
2807         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2808         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2809         Update expectations.
2810
2811 2018-12-18  Mark Lam  <mark.lam@apple.com>
2812
2813         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2814         https://bugs.webkit.org/show_bug.cgi?id=191374
2815         <rdar://problem/46525447>
2816
2817         Reviewed by Yusuke Suzuki.
2818
2819         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2820
2821         * stress/elidable-new-object-roflcopter-then-exit.js:
2822
2823 2018-12-17  Mark Lam  <mark.lam@apple.com>
2824
2825         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2826         https://bugs.webkit.org/show_bug.cgi?id=192019
2827         <rdar://problem/46525456>
2828
2829         Reviewed by Yusuke Suzuki.
2830
2831         The test runs too slow on 32-bit.
2832
2833         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2834
2835 2018-12-17  Mark Lam  <mark.lam@apple.com>
2836
2837         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2838         https://bugs.webkit.org/show_bug.cgi?id=191373
2839         <rdar://problem/46525458>
2840
2841         Reviewed by Yusuke Suzuki.
2842
2843         The test is already slow running with a JIT on 64-bit.  It will always time out
2844         on 32-bit without a JIT.
2845
2846         * stress/materialize-regexp-cyclic-regexp.js:
2847
2848 2018-12-17  Mark Lam  <mark.lam@apple.com>
2849
2850         Array unshift/shift should not race against the AI in the compiler thread.
2851         https://bugs.webkit.org/show_bug.cgi?id=192795
2852         <rdar://problem/46724263>
2853
2854         Reviewed by Saam Barati.
2855
2856         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2857
2858 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2859
2860         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2861         https://bugs.webkit.org/show_bug.cgi?id=190047
2862
2863         Reviewed by Saam Barati.
2864
2865         * stress/object-keys-cached-zero.js: Added.
2866         (shouldBe):
2867         (test):
2868         * stress/object-keys-changed-attribute.js: Added.
2869         (shouldBe):
2870         (test):
2871         * stress/object-keys-changed-index.js: Added.
2872         (shouldBe):
2873         (test):
2874         * stress/object-keys-changed.js: Added.
2875         (shouldBe):
2876         (test):
2877         * stress/object-keys-indexed-non-cache.js: Added.
2878         (shouldBe):
2879         (test):
2880         * stress/object-keys-overrides-get-property-names.js: Added.
2881         (shouldBe):
2882         (test):
2883         (noInline):
2884
2885 2018-12-17  Mark Lam  <mark.lam@apple.com>
2886
2887         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2888         https://bugs.webkit.org/show_bug.cgi?id=192779
2889         <rdar://problem/46775869>
2890
2891         Reviewed by Saam Barati.
2892
2893         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2894
2895 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2896
2897         Unreviewed test gardening, address a syntax error in a new test.
2898
2899         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2900
2901 2018-12-17  Mark Lam  <mark.lam@apple.com>
2902
2903         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2904         https://bugs.webkit.org/show_bug.cgi?id=192776
2905         <rdar://problem/46772368>
2906
2907         Reviewed by Keith Miller.
2908
2909         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2910
2911 2018-12-17  Mark Lam  <mark.lam@apple.com>
2912
2913         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2914         https://bugs.webkit.org/show_bug.cgi?id=192770
2915         <rdar://problem/46449037>
2916
2917         Reviewed by Keith Miller.
2918
2919         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2920
2921 2018-12-14  Mark Lam  <mark.lam@apple.com>
2922
2923         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2924         https://bugs.webkit.org/show_bug.cgi?id=192717
2925         <rdar://problem/46660677>
2926
2927         Reviewed by Saam Barati.
2928
2929         * stress/regress-192717.js: Added.
2930
2931 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2932
2933         Unreviewed, rolling out r239153, r239154, and r239155.
2934         https://bugs.webkit.org/show_bug.cgi?id=192715
2935
2936         Caused flaky GC-related crashes seen with layout tests
2937         (Requested by ryanhaddad on #webkit).
2938
2939         Reverted changesets:
2940
2941         "[JSC] Optimize Object.keys by caching own keys results in
2942         StructureRareData"
2943         https://bugs.webkit.org/show_bug.cgi?id=190047
2944         https://trac.webkit.org/changeset/239153
2945
2946         "Unreviewed, build fix after r239153"
2947         https://bugs.webkit.org/show_bug.cgi?id=190047
2948         https://trac.webkit.org/changeset/239154
2949
2950         "Unreviewed, build fix after r239153, part 2"
2951         https://bugs.webkit.org/show_bug.cgi?id=190047
2952         https://trac.webkit.org/changeset/239155
2953
2954 2018-12-14  Keith Miller  <keith_miller@apple.com>
2955
2956         Callers of JSString::getIndex should check for OOM exceptions
2957         https://bugs.webkit.org/show_bug.cgi?id=192709
2958
2959         Reviewed by Mark Lam.
2960
2961         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2962
2963 2018-12-13  Mark Lam  <mark.lam@apple.com>
2964
2965         Add a missing exception check.
2966         https://bugs.webkit.org/show_bug.cgi?id=192626
2967         <rdar://problem/46662163>
2968
2969         Reviewed by Keith Miller.
2970
2971         * stress/regress-192626.js: Added.
2972
2973 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2974
2975         [BigInt] Add ValueDiv into DFG
2976         https://bugs.webkit.org/show_bug.cgi?id=186178
2977
2978         Reviewed by Yusuke Suzuki.
2979
2980         * stress/big-int-div-jit-osr.js: Added.
2981         * stress/big-int-div-jit-untyped.js: Added.
2982         * stress/value-div-fixup-int32-big-int.js: Added.
2983
2984 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2985
2986         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2987         https://bugs.webkit.org/show_bug.cgi?id=190047
2988
2989         Reviewed by Keith Miller.
2990
2991         * stress/object-keys-cached-zero.js: Added.
2992         (shouldBe):
2993         (test):
2994         * stress/object-keys-changed-attribute.js: Added.
2995         (shouldBe):
2996         (test):
2997         * stress/object-keys-changed-index.js: Added.
2998         (shouldBe):
2999         (test):
3000         * stress/object-keys-changed.js: Added.
3001         (shouldBe):
3002         (test):
3003         * stress/object-keys-indexed-non-cache.js: Added.
3004         (shouldBe):
3005         (test):
3006         * stress/object-keys-overrides-get-property-names.js: Added.
3007         (shouldBe):
3008         (test):
3009         (noInline):
3010
3011 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3012
3013         [DFG][FTL] Add NewSymbol
3014         https://bugs.webkit.org/show_bug.cgi?id=192620
3015
3016         Reviewed by Saam Barati.
3017
3018         * microbenchmarks/symbol-creation.js: Added.
3019         (test):
3020         * stress/symbol-description-identity.js: Added.
3021         (shouldBe):
3022         (test):
3023         * stress/symbol-identity.js: Added.
3024         (shouldBe):
3025         (test):
3026         * stress/symbol-with-description-throw-error.js: Added.
3027         (shouldBe):
3028         (shouldThrow):
3029         (test):
3030         (object.toString):
3031
3032 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3033
3034         [BigInt] Implement DFG/FTL typeof for BigInt
3035         https://bugs.webkit.org/show_bug.cgi?id=192619
3036
3037         Reviewed by Keith Miller.
3038
3039         * stress/big-int-boolean-proven-type.js: Added.
3040         (assert):
3041         (bool):
3042         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
3043         (assert):
3044         (typeOf):
3045         (i.switch):
3046         * stress/big-int-type-of-proven-type-non-constant.js: Added.
3047         (assert):
3048         (typeOf):
3049         * stress/big-int-type-of.js:
3050         (typeOf):
3051         (func):
3052
3053 2018-12-10  Mark Lam  <mark.lam@apple.com>
3054
3055         PropertyAttribute needs a CustomValue bit.
3056         https://bugs.webkit.org/show_bug.cgi?id=191993
3057         <rdar://problem/46264467>
3058
3059         Reviewed by Saam Barati.
3060
3061         * stress/regress-191993.js: Added.
3062
3063 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
3064
3065         [BigInt] Add ValueMul into DFG
3066         https://bugs.webkit.org/show_bug.cgi?id=186175
3067
3068         Reviewed by Yusuke Suzuki.
3069
3070         * stress/big-int-mul-jit-osr.js: Added.
3071         * stress/big-int-mul-jit-untyped.js: Added.
3072         * stress/value-mul-fixup-int32-big-int.js: Added.
3073
3074 2018-12-06  Keith Miller  <keith_miller@apple.com>
3075
3076         stress/big-wasm-memory tests failing on 32-bit JSC bot
3077         https://bugs.webkit.org/show_bug.cgi?id=192020
3078
3079         Reviewed by Saam Barati.
3080
3081         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
3082         the wasm stress tests if the WebAssembly object does not exist.
3083
3084         * stress/big-wasm-memory-grow-no-max.js:
3085         (test.foo):
3086         (test):
3087         (foo): Deleted.
3088         (catch): Deleted.
3089         * stress/big-wasm-memory-grow.js:
3090         (test.foo):
3091         (test):
3092         (foo): Deleted.
3093         (catch): Deleted.
3094         * stress/big-wasm-memory.js:
3095         (test.foo):
3096         (test):
3097         (foo): Deleted.
3098         (catch): Deleted.
3099
3100 2018-12-05  Mark Lam  <mark.lam@apple.com>
3101
3102         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
3103         https://bugs.webkit.org/show_bug.cgi?id=192441
3104         <rdar://problem/46480355>
3105
3106         Reviewed by Saam Barati.
3107
3108         * stress/regress-192441.js: Added.
3109
3110 2018-12-04  Mark Lam  <mark.lam@apple.com>
3111
3112         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
3113         https://bugs.webkit.org/show_bug.cgi?id=192386
3114         <rdar://problem/46445516>
3115
3116         Reviewed by Saam Barati.
3117
3118         * stress/regress-192386.js: Added.
3119
3120 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
3121
3122         [ESNext][BigInt] Support logic operations
3123         https://bugs.webkit.org/show_bug.cgi?id=179903
3124
3125         Reviewed by Yusuke Suzuki.
3126
3127         * stress/big-int-branch-usage.js: Added.
3128         * stress/big-int-logical-and.js: Added.
3129         * stress/big-int-logical-not.js: Added.
3130         * stress/big-int-logical-or.js: Added.
3131
3132 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
3133
3134         Unreviewed, rolling out r238833.
3135
3136         Breaks macOS and iOS debug builds.
3137
3138         Reverted changeset:
3139
3140         "[ESNext][BigInt] Support logic operations"
3141         https://bugs.webkit.org/show_bug.cgi?id=179903
3142         https://trac.webkit.org/changeset/238833
3143
3144 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
3145
3146         [ESNext][BigInt] Support logic operations
3147         https://bugs.webkit.org/show_bug.cgi?id=179903
3148
3149         Reviewed by Yusuke Suzuki.
3150
3151         * stress/big-int-branch-usage.js: Added.
3152         * stress/big-int-logical-and.js: Added.
3153         * stress/big-int-logical-not.js: Added.
3154         * stress/big-int-logical-or.js: Added.
3155
3156 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
3157
3158         [ESNext][BigInt] Implement support for "<<" and ">>"
3159         https://bugs.webkit.org/show_bug.cgi?id=186233
3160
3161         Reviewed by Yusuke Suzuki.
3162
3163         * stress/big-int-left-shift-general.js: Added.
3164         * stress/big-int-left-shift-range-error.js: Added.
3165         * stress/big-int-left-shift-type-error.js: Added.
3166         * stress/big-int-left-shift-wrapped-value.js: Added.
3167         * stress/big-int-right-shift-general.js: Added.
3168         * stress/big-int-right-shift-type-error.js: Added.
3169         * stress/big-int-right-shift-wrapped-value.js: Added.
3170         * stress/left-shift-to-primitive-precedence.js: Added.
3171         * stress/right-shift-to-primitive-precedence.js: Added.
3172
3173 2018-11-30  Dean Jackson  <dino@apple.com>
3174
3175         Add first-class support for .mjs files in jsc binary
3176         https://bugs.webkit.org/show_bug.cgi?id=192190
3177         <rdar://problem/46375715>
3178
3179         Reviewed by Keith Miller.
3180
3181         * stress/simple-module.mjs: Added.
3182         * stress/simple-script.js: Added.
3183
3184 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
3185
3186         [BigInt] Implement ValueBitXor into DFG
3187         https://bugs.webkit.org/show_bug.cgi?id=190264
3188
3189         Reviewed by Yusuke Suzuki.
3190
3191         * stress/big-int-bitwise-xor-jit.js: Added.
3192         * stress/big-int-bitwise-xor-memory-stress.js: Added.
3193         * stress/big-int-bitwise-xor-untyped.js: Added.
3194
3195 2018-11-27  Saam barati  <sbarati@apple.com>
3196
3197         r238510 broke scopes of size zero
3198         https://bugs.webkit.org/show_bug.cgi?id=192033
3199         <rdar://problem/46281734>
3200
3201         Reviewed by Keith Miller.
3202
3203         * stress/r238510-bad-loop.js: Added.
3204         (foo):
3205
3206 2018-11-27  Mark Lam  <mark.lam@apple.com>
3207
3208         [Re-landing] NaNs read from Wasm code needs to be purified.
3209         https://bugs.webkit.org/show_bug.cgi?id=191056
3210         <rdar://problem/45660341>
3211
3212         Reviewed by Filip Pizlo.
3213
3214         * wasm/regress/regress-191056.js: Added.
3215
3216 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
3217
3218         Unreviewed, rolling out r238509.
3219
3220         Causes JSC tests to fail on iOS.
3221
3222         Reverted changeset:
3223
3224         "NaNs read from Wasm code needs to be purified."
3225         https://bugs.webkit.org/show_bug.cgi?id=191056
3226         https://trac.webkit.org/changeset/238509
3227
3228 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
3229
3230         Re-introduce op_bitnot
3231         https://bugs.webkit.org/show_bug.cgi?id=190923
3232
3233         Reviewed by Yusuke Suzuki.
3234
3235         * stress/bit-not-must-generate.js: Added.
3236         * stress/bitwise-not-no-int32.js: Added.
3237
3238 2018-11-26  Saam barati  <sbarati@apple.com>
3239
3240         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
3241         https://bugs.webkit.org/show_bug.cgi?id=191956
3242         <rdar://problem/45665806>
3243
3244         Reviewed by Yusuke Suzuki.
3245
3246         * stress/end-basic-block-set-local-should-filter-type.js: Added.
3247         (bar):
3248         (foo):
3249
3250 2018-11-26  Saam barati  <sbarati@apple.com>
3251
3252         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
3253         https://bugs.webkit.org/show_bug.cgi?id=191958
3254         <rdar://problem/46221877>
3255
3256         Reviewed by Yusuke Suzuki.
3257
3258         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
3259         (x):
3260         (foo):
3261
3262 2018-11-26  Mark Lam  <mark.lam@apple.com>
3263
3264         NaNs read from Wasm code needs to be purified.
3265         https://bugs.webkit.org/show_bug.cgi?id=191056
3266         <rdar://problem/45660341>
3267
3268         Reviewed by Filip Pizlo.
3269
3270         * wasm/regress/regress-191056.js: Added.
3271
3272 2018-11-26  Michael Saboff  <msaboff@apple.com>
3273
3274         32-bit JSC test failure: stress/regexp-compile-oom.js
3275         https://bugs.webkit.org/show_bug.cgi?id=191375
3276
3277         Reviewed by Mark Lam.
3278
3279         Disabled the test for 32 bit platforms.
3280
3281         * stress/regexp-compile-oom.js:
3282
3283 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
3284
3285         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
3286         https://bugs.webkit.org/show_bug.cgi?id=191716
3287         <rdar://problem/45723878>
3288
3289         Reviewed by Saam Barati.
3290
3291         * stress/regress-187373.js: Added.
3292         (async.fn):
3293
3294 2018-11-21  Saam barati  <sbarati@apple.com>
3295
3296         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
3297         https://bugs.webkit.org/show_bug.cgi?id=191897
3298         <rdar://problem/45871998>
3299
3300         Reviewed by Mark Lam.
3301
3302         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
3303         (bar):
3304         (foo):
3305
3306 2018-11-21  Saam barati  <sbarati@apple.com>
3307
3308         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
3309         https://bugs.webkit.org/show_bug.cgi?id=191895
3310         <rdar://problem/46167406>
3311
3312         Reviewed by Mark Lam.
3313
3314         * stress/known-cell-use-needs-type-check-assertion.js: Added.
3315         (foo):
3316         (bar):
3317
3318 2018-11-21  Mark Lam  <mark.lam@apple.com>
3319
3320         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
3321         https://bugs.webkit.org/show_bug.cgi?id=191776
3322         <rdar://problem/46152851>
3323
3324         Reviewed by Saam Barati.
3325
3326         * stress/big-wasm-memory-grow-no-max.js:
3327         * stress/big-wasm-memory-grow.js:
3328         * stress/big-wasm-memory.js:
3329         - updated these to expect an OutOfMemoryError.
3330
3331         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
3332         (Binary.prototype.emit_u8):
3333         (Binary.prototype.emit_u32v):
3334         (Binary.prototype.emit_header):
3335         (Binary.prototype.emit_section):
3336         (Binary):
3337         (WasmModuleBuilder):
3338         (WasmModuleBuilder.prototype.addMemory):
3339         (WasmModuleBuilder.prototype.toArray):
3340         (WasmModuleBuilder.prototype.toBuffer):
3341         (WasmModuleBuilder.prototype.instantiate):
3342         (catch):
3343         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
3344         (catch):
3345
3346 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
3347
3348         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3349         https://bugs.webkit.org/show_bug.cgi?id=190836
3350
3351         Reviewed by Saam Barati and Yusuke Suzuki.
3352
3353         * stress/big-int-out-of-memory-tests.js: Added.
3354
3355 2018-11-20  Mark Lam  <mark.lam@apple.com>
3356
3357         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
3358         https://bugs.webkit.org/show_bug.cgi?id=191856
3359         <rdar://problem/46089992>
3360
3361         Reviewed by Yusuke Suzuki.
3362
3363         * stress/regress-191856.js: Added.
3364         - this test is skipped for now until we have a fix for webkit.org/b/191855.
3365
3366 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
3367
3368         Enable JIT on ARM/Linux
3369         https://bugs.webkit.org/show_bug.cgi?id=191548
3370
3371         Reviewed by Yusuke Suzuki.
3372
3373         Disable test on system with limited memory. Program was killed by
3374         the OS before the exception was thrown.
3375
3376         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
3377
3378 2018-11-20  Saam barati  <sbarati@apple.com>
3379
3380         Merging an IC variant may lead to the IC status containing overlapping structure sets
3381         https://bugs.webkit.org/show_bug.cgi?id=191869
3382         <rdar://problem/45403453>
3383
3384         Reviewed by Mark Lam.
3385
3386         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
3387
3388 2018-11-19  Mark Lam  <mark.lam@apple.com>
3389
3390         globalFuncImportModule() should return a promise when it clears exceptions.
3391         https://bugs.webkit.org/show_bug.cgi?id=191792
3392         <rdar://problem/46090763>
3393
3394         Reviewed by Michael Saboff.
3395
3396         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
3397
3398 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
3399
3400         Skip new memory-hungry tests on memory limited devices
3401
3402         Unreviewed gardening.
3403
3404         * stress/big-wasm-memory-grow-no-max.js:
3405         * stress/big-wasm-memory-grow.js:
3406         * stress/big-wasm-memory.js:
3407
3408 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3409
3410         Unreviewed, rolling in the rest of r237254
3411         https://bugs.webkit.org/show_bug.cgi?id=190340
3412
3413         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3414         * stress/function-cache-with-parameters-end-position.js: Added.
3415         (shouldBe):
3416         (shouldThrow):
3417         (i.anonymous):
3418         * stress/function-constructor-name.js: Added.
3419         (shouldBe):
3420         (GeneratorFunction):
3421         (AsyncFunction.async):
3422         (AsyncGeneratorFunction.async):
3423         (anonymous):
3424         (async.anonymous):
3425         * test262/expectations.yaml:
3426
3427 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3428
3429         All users of ArrayBuffer should agree on the same max size
3430         https://bugs.webkit.org/show_bug.cgi?id=191771
3431
3432         Reviewed by Mark Lam.
3433
3434         * stress/big-wasm-memory-grow-no-max.js: Added.
3435         (foo):
3436         (catch):
3437         * stress/big-wasm-memory-grow.js: Added.
3438         (foo):
3439         (catch):
3440         * stress/big-wasm-memory.js: Added.
3441         (foo):
3442         (catch):
3443
3444 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3445
3446         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
3447         run for each JSC config since they're regression tests for runtime bugs.
3448
3449         * stress/json-stringified-overflow-2.js:
3450         * stress/json-stringified-overflow.js:
3451
3452 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3453
3454         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
3455         config since they're regression tests for runtime bugs.
3456
3457         * stress/large-unshift-splice.js:
3458         * stress/regress-185888.js:
3459
3460 2018-11-16  Saam Barati  <sbarati@apple.com>
3461
3462         KnownCellUse should also have SpecCellCheck as its type filter
3463         https://bugs.webkit.org/show_bug.cgi?id=191729
3464         <rdar://problem/45872852>
3465
3466         Reviewed by Filip Pizlo.
3467
3468         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
3469         (C):
3470
3471 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
3472
3473         Fix assertion failure on BytecodeGenerator::recordOpcode
3474         https://bugs.webkit.org/show_bug.cgi?id=191724
3475         <rdar://problem/45724395>
3476
3477         Reviewed by Saam Barati.
3478
3479         * stress/regress-187373-2.js: Added.
3480         (foo):
3481
3482 2018-11-15  Mark Lam  <mark.lam@apple.com>
3483
3484         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
3485         https://bugs.webkit.org/show_bug.cgi?id=191730
3486         <rdar://problem/46048517>
3487
3488         Reviewed by Saam Barati.
3489
3490         * stress/regress-187006.js: Removed.
3491           - this test is invalid because its sole purpose is to test for the non-spec
3492             compliant behavior that we just fixed.
3493
3494         * stress/regress-191730.js: Added.
3495
3496 2018-11-15  Mark Lam  <mark.lam@apple.com>
3497
3498         RegExp operations should not take fast path if lastIndex is not numeric.
3499         https://bugs.webkit.org/show_bug.cgi?id=191731
3500         <rdar://problem/46017305>
3501
3502         Reviewed by Saam Barati.
3503
3504         * stress/regress-191731.js: Added.
3505
3506 2018-11-13  Saam Barati  <sbarati@apple.com>
3507
3508         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
3509         https://bugs.webkit.org/show_bug.cgi?id=191600
3510
3511         Reviewed by Mark Lam.
3512
3513         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
3514         (foo):
3515         (test):
3516         (bar):
3517
3518 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
3519
3520         Unreviewed, rolling out r238132.
3521
3522         The test added with this change is timing out on Debug JSC
3523         bots.
3524
3525         Reverted changeset:
3526
3527         "[BigInt] JSBigInt::createWithLength should throw when length
3528         is greater than JSBigInt::maxLength"
3529         https://bugs.webkit.org/show_bug.cgi?id=190836
3530         https://trac.webkit.org/changeset/238132
3531
3532 2018-11-13  Mark Lam  <mark.lam@apple.com>
3533
3534         Add OOM detection to StringPrototype's substituteBackreferences().
3535         https://bugs.webkit.org/show_bug.cgi?id=191563
3536         <rdar://problem/45720428>
3537
3538         Reviewed by Saam Barati.
3539
3540         * stress/regress-191563.js: Added.
3541
3542 2018-11-13  Mark Lam  <mark.lam@apple.com>
3543
3544         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
3545         https://bugs.webkit.org/show_bug.cgi?id=191579
3546         <rdar://problem/45942472>
3547
3548         Reviewed by Saam Barati.
3549
3550         * stress/regress-191579.js: Added.
3551
3552 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
3553
3554         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3555         https://bugs.webkit.org/show_bug.cgi?id=190836
3556
3557         Reviewed by Saam Barati.
3558
3559         * stress/big-int-out-of-memory-tests.js: Added.
3560
3561 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
3562
3563         U+180E is no longer a whitespace character
3564         https://bugs.webkit.org/show_bug.cgi?id=191415
3565
3566         Reviewed by Saam Barati.
3567
3568         * ChakraCore/test/es5/regexSpace.baseline:
3569         * ChakraCore/test/es6/unicode_whitespace.js:
3570         Update tests to latest version.
3571         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
3572
3573         * test262.yaml:
3574         * test262/config.yaml:
3575         * test262/expectations.yaml:
3576         Update expectations.
3577
3578 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
3579
3580         [BigInt] Add support to BigInt into ValueAdd
3581         https://bugs.webkit.org/show_bug.cgi?id=186177
3582
3583         Reviewed by Keith Miller.
3584
3585         * stress/big-int-negate-jit.js:
3586         * stress/value-add-big-int-and-string.js: Added.
3587         * stress/value-add-big-int-prediction-propagation.js: Added.
3588         * stress/value-add-big-int-untyped.js: Added.
3589
3590 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
3591
3592         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
3593         https://bugs.webkit.org/show_bug.cgi?id=191184
3594
3595         Reviewed by Saam Barati.
3596
3597         Most tests were failing due to timeouts, since they are too slow to
3598         run on CLoop. The exceptions are:
3599
3600         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
3601         dont-crash-on-stack-overflow-when-parsing-builtin.js and
3602         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
3603         to change the stack size since CLoop requires it to be page aligned.
3604
3605         * microbenchmarks/array-push-1.js:
3606         * microbenchmarks/array-push-2.js:
3607         * microbenchmarks/elidable-new-object-dag.js:
3608         * microbenchmarks/elidable-new-object-roflcopter.js:
3609         * microbenchmarks/elidable-new-object-tree.js:
3610         * microbenchmarks/getter-richards.js:
3611         * microbenchmarks/sinkable-new-object-dag.js:
3612         * microbenchmarks/string-concat-long-convert.js:
3613         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
3614         * slowMicrobenchmarks/array-push-3.js:
3615         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
3616         * slowMicrobenchmarks/spread-small-array.js:
3617         * slowMicrobenchmarks/undefined-property-access.js:
3618         * stress/activation-sink-default-value-tdz-error.js:
3619         * stress/activation-sink-default-value.js:
3620         * stress/activation-sink-osrexit-default-value-tdz-error.js:
3621         * stress/activation-sink-osrexit-default-value.js:
3622         * stress/activation-sink-osrexit.js:
3623         * stress/activation-sink.js:
3624         * stress/allow-math-ic-b3-code-duplication.js:
3625         * stress/array-push-multiple-int32.js:
3626         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
3627         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
3628         * stress/arrowfunction-lexical-this-activation-sink.js:
3629         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
3630         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
3631         * stress/elide-new-object-dag-then-exit.js:
3632         * stress/materialize-regexp-cyclic.js:
3633         * stress/new-regex-inline.js:
3634         * stress/op_add.js:
3635         * stress/op_bitand.js:
3636         * stress/op_bitor.js:
3637         * stress/op_bitxor.js:
3638         * stress/op_div-ConstVar.js:
3639         * stress/op_div-VarConst.js:
3640         * stress/op_div-VarVar.js:
3641         * stress/op_lshift-ConstVar.js:
3642         * stress/op_lshift-VarConst.js:
3643         * stress/op_lshift-VarVar.js:
3644         * stress/op_mod-ConstVar.js:
3645         * stress/op_mod-VarConst.js:
3646         * stress/op_mod-VarVar.js:
3647         * stress/op_mul-ConstVar.js:
3648         * stress/op_mul-VarConst.js:
3649         * stress/op_mul-VarVar.js:
3650         * stress/op_rshift-ConstVar.js:
3651         * stress/op_rshift-VarConst.js:
3652         * stress/op_rshift-VarVar.js:
3653         * stress/op_sub-ConstVar.js:
3654         * stress/op_sub-VarConst.js:
3655         * stress/op_sub-VarVar.js:
3656         * stress/op_urshift-ConstVar.js:
3657         * stress/op_urshift-VarConst.js:
3658         * stress/op_urshift-VarVar.js:
3659         * stress/proxy-get-set-correct-receiver.js:
3660         * stress/regress-179562.js:
3661         * stress/rest-parameter-many-arguments.js:
3662         * stress/sampling-profiler-richards.js:
3663         * stress/splay-flash-access-1ms.js:
3664         * stress/tailCallForwardArguments.js:
3665         * stress/typed-array-get-by-val-profiling.js:
3666         * typeProfiler/getter-richards.js:
3667
3668 2018-11-06  Michael Saboff  <msaboff@apple.com>
3669
3670         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3671         https://bugs.webkit.org/show_bug.cgi?id=191271
3672
3673         Reviewed by Saam Barati.
3674
3675         Added more test cases and made all test cases run with the same deeply recursive stack
3676         instead of finding that same point for each test case.
3677
3678         * stress/regexp-compile-oom.js:
3679         (prototype.runTest):
3680         (recurseAndTest):
3681         (testList.push.new.TestAndExpectedException):
3682
3683 2018-11-05  Michael Saboff  <msaboff@apple.com>
3684
3685         Unreviewed build fix for linux.
3686
3687         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3688
3689 2018-11-02  Michael Saboff  <msaboff@apple.com>
3690
3691         Rolling in r237753 with unreviewed build fix.
3692
3693         Fixed issues with DECLARE_THROW_SCOPE placement.
3694
3695 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3696
3697         Unreviewed, rolling out r237753.
3698
3699         Introduced JSC test failures
3700
3701         Reverted changeset:
3702
3703         "Running out of stack space not properly handled in
3704         RegExp::compile() and its callers"
3705         https://bugs.webkit.org/show_bug.cgi?id=191206
3706         https://trac.webkit.org/changeset/237753
3707
3708 2018-11-02  Michael Saboff  <msaboff@apple.com>
3709
3710         Running out of stack space not properly handled in RegExp::compile() and its callers
3711         https://bugs.webkit.org/show_bug.cgi?id=191206
3712
3713         Reviewed by Filip Pizlo.
3714
3715         New regression test.
3716
3717         * stress/regexp-compile-oom.js: Added.
3718         (recurseAndTest):
3719
3720 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3721
3722         Skip tests on arm/mips that time out now we're running on CLoop
3723
3724         Unreviewed gardening.
3725
3726         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3727         time out on the bots and need to be disabled. There's more tests
3728         disabled on arm because the timeout is longer on the mips bot (as the
3729         device is slower to start with), so many of the tests don't time out
3730         there.
3731
3732         * microbenchmarks/getter-richards.js: disable on arm and mips.
3733         * stress/op_add.js: disable on arm.
3734         * stress/op_bitand.js: disable on arm.
3735         * stress/op_bitor.js: disable on arm.
3736         * stress/op_bitxor.js: disable on arm.
3737         * stress/op_lshift-ConstVar.js: disable on arm.
3738         * stress/op_lshift-VarConst.js: disable on arm.
3739         * stress/op_lshift-VarVar.js: disable on arm.
3740         * stress/op_mod-ConstVar.js: disable on arm.
3741         * stress/op_mod-VarConst.js: disable on arm.
3742         * stress/op_mod-VarVar.js: disable on arm.
3743         * stress/op_mul-ConstVar.js: disable on arm.
3744         * stress/op_mul-VarConst.js: disable on arm.
3745         * stress/op_mul-VarVar.js: disable on arm.
3746         * stress/op_rshift-ConstVar.js: disable on arm.
3747         * stress/op_rshift-VarConst.js: disable on arm.
3748         * stress/op_rshift-VarVar.js: disable on arm.
3749         * stress/op_sub-ConstVar.js: disable on arm.
3750         * stress/op_sub-VarConst.js: disable on arm.
3751         * stress/op_sub-VarVar.js: disable on arm.
3752         * stress/op_urshift-ConstVar.js: disable on arm.
3753         * stress/op_urshift-VarConst.js: disable on arm.
3754         * stress/op_urshift-VarVar.js: disable on arm.
3755         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3756         * stress/value-to-boolean.js: disable on arm and mips.
3757
3758 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3759
3760         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3761         https://bugs.webkit.org/show_bug.cgi?id=191108
3762         <rdar://problem/45690700>
3763
3764         Reviewed by Saam Barati.
3765
3766         * stress/wide-op_catch.js: Added.
3767         (catch):
3768
3769 2018-10-29  Mark Lam  <mark.lam@apple.com>
3770
3771         Correctly detect string overflow when using the 'Function' constructor.
3772         https://bugs.webkit.org/show_bug.cgi?id=184883
3773         <rdar://problem/36320331>
3774
3775         Reviewed by Saam Barati.
3776
3777         I've verified that this passes on 32-bit as well.
3778
3779         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3780
3781 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3782