[BigInt] Literal parsing is crashing when used inside a Object Literal
[WebKit-https.git] / JSTests / ChangeLog
2019-01-14  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Literal parsing is crashing when used inside a Object Literal
        https://bugs.webkit.org/show_bug.cgi?id=193404

        Reviewed by Yusuke Suzuki.

        * stress/big-int-literal-inside-literal-object.js: Added.

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
        https://bugs.webkit.org/show_bug.cgi?id=193372

        Reviewed by Saam Barati.

        * stress/typed-array-array-modes-profile.js: Added.
        (foo):

2019-01-14  Mark Lam  <mark.lam@apple.com>

        Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
        https://bugs.webkit.org/show_bug.cgi?id=193402
        <rdar://problem/46012309>

        Reviewed by Keith Miller.

        * stress/regexp-compile-oom.js:
        - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
          is enabled.  As a result, it will fail on cloop builds though there is no bug.

2019-01-11  Saam barati  <sbarati@apple.com>

        DFG combined liveness can be wrong for terminal basic blocks
        https://bugs.webkit.org/show_bug.cgi?id=193304
        <rdar://problem/45268632>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.

2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
        https://bugs.webkit.org/show_bug.cgi?id=193308
        <rdar://problem/45546542>

        Reviewed by Saam Barati.

        * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):

2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239825.
        https://bugs.webkit.org/show_bug.cgi?id=193330

        Broke tests on armv7/linux bots (Requested by guijemont on
        #webkit).

        Reverted changeset:

        "Enable DFG on ARM/Linux again"
        https://bugs.webkit.org/show_bug.cgi?id=192496
        https://trac.webkit.org/changeset/239825

2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=193127

        Reviewed by Saam Barati.

        * stress/array-species-create-should-handle-masquerader.js: Added.
        (shouldThrow):
        * stress/is-undefined-or-null-builtin.js: Added.
        (shouldBe):
        (isUndefinedOrNull.vm.createBuiltin):

2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>

        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
        https://bugs.webkit.org/show_bug.cgi?id=193221

        Reviewed by Mark Lam.

        * stress/put-by-id-flags.js: Added.
        (f):
        (g):
        (numberOfDFGCompiles):

2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>

        Baseline version of get_by_id may corrupt metadata
        https://bugs.webkit.org/show_bug.cgi?id=193085
        <rdar://problem/23453006>

        Reviewed by Saam Barati.

        * stress/get-by-id-change-mode.js: Added.
        (forEach):

2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.prototype.toString
        https://bugs.webkit.org/show_bug.cgi?id=193031

        Reviewed by Saam Barati.

        * stress/object-tostring-changed-proto.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-misc.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/object-tostring-other.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-untyped.js: Added.
        (shouldBe):
        (test):
        (i.switch):

2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>

        test262-runner misbehaves when test file YAML has a trailing space
        https://bugs.webkit.org/show_bug.cgi?id=193053

        Reviewed by Yusuke Suzuki.

        * test262/expectations.yaml:
        Mark two dozen tests as passing (and correct the output of another).

2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, JSTests gardening with memoryLimited

        * stress/string-overflow-createError.js:

2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
        https://bugs.webkit.org/show_bug.cgi?id=193050

        Reviewed by Yusuke Suzuki.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 16 tests as passing.

2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Support BigInt in JSON.stringify
        https://bugs.webkit.org/show_bug.cgi?id=192624

        Reviewed by Saam Barati.

        * stress/big-int-json-stringify-to-json.js: Added.
        (shouldBe):
        (shouldThrow):
        (BigInt.prototype.toJSON):
        (shouldBe.JSON.stringify):
        * stress/big-int-json-stringify.js: Added.
        (shouldBe):
        (shouldThrow):

2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Implement "well-formed JSON.stringify" proposal
        https://bugs.webkit.org/show_bug.cgi?id=191677

        Reviewed by Darin Adler.

        * stress/json-surrogate-pair.js: Added.
        (shouldBe):
        * test262/expectations.yaml:

2018-12-20  Keith Miller  <keith_miller@apple.com>

        Add support for globalThis
        https://bugs.webkit.org/show_bug.cgi?id=165171

        Reviewed by Mark Lam.

        * test262/config.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 configuration to not run tests dependent on ICU version.
        https://bugs.webkit.org/show_bug.cgi?id=192920

        Reviewed by Saam Barati.

        * test262/expectations.yaml:

2018-12-20  Mark Lam  <mark.lam@apple.com>

        Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
        https://bugs.webkit.org/show_bug.cgi?id=192939
        <rdar://problem/46869516>

        Reviewed by Keith Miller.

        * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.

2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>

        WTF::String and StringImpl overflow MaxLength
        https://bugs.webkit.org/show_bug.cgi?id=192853
        <rdar://problem/45726906>

        Reviewed by Mark Lam.

        * stress/string-16bit-repeat-overflow.js: Added.
        (catch):

2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed follow-up to r192914.

        * test262/expectations.yaml:
        Add the last 20 missing expectations.

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Fix test262 expectations
        https://bugs.webkit.org/show_bug.cgi?id=192914

        Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.

        * test262/expectations.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 tests.
        https://bugs.webkit.org/show_bug.cgi?id=192907

        Rubber stamped by Mark Lam.

        * test262/*: Omitted because prepare-changelog crashes.

2018-12-19  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
        https://bugs.webkit.org/show_bug.cgi?id=192464
        <rdar://problem/46519455>

        Reviewed by Saam Barati.

        This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
        microbenchmark.

        * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
        * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.

2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>

        String overflow in JSC::createError results in ASSERT in WTF::makeString
        https://bugs.webkit.org/show_bug.cgi?id=192833
        <rdar://problem/45706868>

        Reviewed by Mark Lam.

        * stress/string-overflow-createError.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Error message for `-x ** y` contains a typo.
        https://bugs.webkit.org/show_bug.cgi?id=192832

        Reviewed by Saam Barati.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * stress/pow-expects-update-expression-on-lhs.js:
        (throw.new.Error):
        Update test expectations which match against the exact error message.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Gardening: test options fix.
        https://bugs.webkit.org/show_bug.cgi?id=192822

        Unreviewed.

        * stress/json-stringify-string-builder-overflow.js:

2018-12-18  Mark Lam  <mark.lam@apple.com>

        JSON.stringify() should throw OOM on StringBuilder overflows.
        https://bugs.webkit.org/show_bug.cgi?id=192822
        <rdar://problem/46670577>

        Reviewed by Saam Barati.

        * stress/json-stringify-string-builder-overflow.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Redeclaration of var over let/const/class should be a syntax error.
        https://bugs.webkit.org/show_bug.cgi?id=192298

        Reviewed by Keith Miller.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 46 tests as passing.

        * stress/block-scope-redeclarations.js:
        Add some new tests.

        * stress/for-in-invalidate-context-weird-assignments.js:
        * stress/for-in-tests.js:
        Replace tests for outdated behavior with tests for SyntaxError.

        * ChakraCore/test/LetConst/defer3.baseline-jsc:
        * ChakraCore/test/LetConst/letvar.baseline-jsc:
        Update expectations.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191374
        <rdar://problem/46525447>

        Reviewed by Yusuke Suzuki.

        This test runs too slow on 32-bit, and is not relevant for non-JIT builds.

        * stress/elidable-new-object-roflcopter-then-exit.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=192019
        <rdar://problem/46525456>

        Reviewed by Yusuke Suzuki.

        The test runs too slow on 32-bit.

        * stress/materialized-regexp-has-correct-last-index-set-by-match.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191373
        <rdar://problem/46525458>

        Reviewed by Yusuke Suzuki.

        The test is already slow running with a JIT on 64-bit.  It will always timeout
        on 32-bit without a JIT.

        * stress/materialize-regexp-cyclic-regexp.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Array unshift/shift should not race against the AI in the compiler thread.
        https://bugs.webkit.org/show_bug.cgi?id=192795
        <rdar://problem/46724263>

        Reviewed by Saam Barati.

        * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.

2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Saam Barati.

        * stress/object-keys-cached-zero.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-attribute.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-index.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-indexed-non-cache.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-overrides-get-property-names.js: Added.
        (shouldBe):
        (test):
        (noInline):

2018-12-17  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
        https://bugs.webkit.org/show_bug.cgi?id=192779
        <rdar://problem/46775869>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.

2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed test gardening, address a syntax error in a new test.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
        https://bugs.webkit.org/show_bug.cgi?id=192776
        <rdar://problem/46772368>

        Reviewed by Keith Miller.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
        https://bugs.webkit.org/show_bug.cgi?id=192770
        <rdar://problem/46449037>

        Reviewed by Keith Miller.

        * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.

2018-12-14  Mark Lam  <mark.lam@apple.com>

        CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
        https://bugs.webkit.org/show_bug.cgi?id=192717
        <rdar://problem/46660677>

        Reviewed by Saam Barati.

        * stress/regress-192717.js: Added.

2018-12-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239153, r239154, and r239155.
        https://bugs.webkit.org/show_bug.cgi?id=192715

        Caused flaky GC-related crashes seen with layout tests
        (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "[JSC] Optimize Object.keys by caching own keys results in
        StructureRareData"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239153

        "Unreviewed, build fix after r239153"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239154

        "Unreviewed, build fix after r239153, part 2"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239155

2018-12-14  Keith Miller  <keith_miller@apple.com>

        Callers of JSString::getIndex should check for OOM exceptions
        https://bugs.webkit.org/show_bug.cgi?id=192709

        Reviewed by Mark Lam.

        * stress/StringObject-define-length-getter-rope-string-oom.js: Added.

2018-12-13  Mark Lam  <mark.lam@apple.com>

        Add a missing exception check.
        https://bugs.webkit.org/show_bug.cgi?id=192626
        <rdar://problem/46662163>

        Reviewed by Keith Miller.

        * stress/regress-192626.js: Added.

2018-12-13  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueDiv into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186178

        Reviewed by Yusuke Suzuki.

        * stress/big-int-div-jit-osr.js: Added.
        * stress/big-int-div-jit-untyped.js: Added.
        * stress/value-div-fixup-int32-big-int.js: Added.

2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Keith Miller.

        * stress/object-keys-cached-zero.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-attribute.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-index.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-indexed-non-cache.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-overrides-get-property-names.js: Added.
        (shouldBe):
        (test):
        (noInline):

2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [DFG][FTL] Add NewSymbol
        https://bugs.webkit.org/show_bug.cgi?id=192620

        Reviewed by Saam Barati.

        * microbenchmarks/symbol-creation.js: Added.
        (test):
        * stress/symbol-description-identity.js: Added.
        (shouldBe):
        (test):
        * stress/symbol-identity.js: Added.
        (shouldBe):
        (test):
        * stress/symbol-with-description-throw-error.js: Added.
        (shouldBe):
        (shouldThrow):
        (test):
        (object.toString):

2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Implement DFG/FTL typeof for BigInt
        https://bugs.webkit.org/show_bug.cgi?id=192619

        Reviewed by Keith Miller.

        * stress/big-int-boolean-proven-type.js: Added.
        (assert):
        (bool):
        * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
        (assert):
        (typeOf):
        (i.switch):
        * stress/big-int-type-of-proven-type-non-constant.js: Added.
        (assert):
        (typeOf):
        * stress/big-int-type-of.js:
        (typeOf):
        (func):

2018-12-10  Mark Lam  <mark.lam@apple.com>

        PropertyAttribute needs a CustomValue bit.
        https://bugs.webkit.org/show_bug.cgi?id=191993
        <rdar://problem/46264467>

        Reviewed by Saam Barati.

        * stress/regress-191993.js: Added.

2018-12-10  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueMul into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186175

        Reviewed by Yusuke Suzuki.

        * stress/big-int-mul-jit-osr.js: Added.
        * stress/big-int-mul-jit-untyped.js: Added.
        * stress/value-mul-fixup-int32-big-int.js: Added.

2018-12-06  Keith Miller  <keith_miller@apple.com>

        stress/big-wasm-memory tests failing on 32-bit JSC bot
        https://bugs.webkit.org/show_bug.cgi?id=192020

        Reviewed by Saam Barati.

        Not every platform has WebAssembly, e.g. 32-bit, so we should exit
        the wasm stress tests if the WebAssembly object does not exist.

        * stress/big-wasm-memory-grow-no-max.js:
        (test.foo):
        (test):
        (foo): Deleted.
        (catch): Deleted.
        * stress/big-wasm-memory-grow.js:
        (test.foo):
        (test):
        (foo): Deleted.
        (catch): Deleted.
        * stress/big-wasm-memory.js:
        (test.foo):
        (test):
        (foo): Deleted.
        (catch): Deleted.

2018-12-05  Mark Lam  <mark.lam@apple.com>

        speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
        https://bugs.webkit.org/show_bug.cgi?id=192441
        <rdar://problem/46480355>

        Reviewed by Saam Barati.

        * stress/regress-192441.js: Added.

2018-12-04  Mark Lam  <mark.lam@apple.com>

        DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
        https://bugs.webkit.org/show_bug.cgi?id=192386
        <rdar://problem/46445516>

        Reviewed by Saam Barati.

        * stress/regress-192386.js: Added.

2018-12-04  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        * stress/big-int-branch-usage.js: Added.
        * stress/big-int-logical-and.js: Added.
        * stress/big-int-logical-not.js: Added.
        * stress/big-int-logical-or.js: Added.

2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238833.

        Breaks macOS and iOS debug builds.

        Reverted changeset:

        "[ESNext][BigInt] Support logic operations"
        https://bugs.webkit.org/show_bug.cgi?id=179903
        https://trac.webkit.org/changeset/238833

2018-12-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        * stress/big-int-branch-usage.js: Added.
        * stress/big-int-logical-and.js: Added.
        * stress/big-int-logical-not.js: Added.
        * stress/big-int-logical-or.js: Added.

2018-12-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<<" and ">>"
        https://bugs.webkit.org/show_bug.cgi?id=186233

        Reviewed by Yusuke Suzuki.

        * stress/big-int-left-shift-general.js: Added.
        * stress/big-int-left-shift-range-error.js: Added.
        * stress/big-int-left-shift-type-error.js: Added.
        * stress/big-int-left-shift-wrapped-value.js: Added.
        * stress/big-int-right-shift-general.js: Added.
        * stress/big-int-right-shift-type-error.js: Added.
        * stress/big-int-right-shift-wrapped-value.js: Added.
        * stress/left-shift-to-primitive-precedence.js: Added.
        * stress/right-shift-to-primitive-precedence.js: Added.

2018-11-30  Dean Jackson  <dino@apple.com>

        Add first-class support for .mjs files in jsc binary
        https://bugs.webkit.org/show_bug.cgi?id=192190
        <rdar://problem/46375715>

        Reviewed by Keith Miller.

        * stress/simple-module.mjs: Added.
        * stress/simple-script.js: Added.

2018-11-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Implement ValueBitXor into DFG
        https://bugs.webkit.org/show_bug.cgi?id=190264

        Reviewed by Yusuke Suzuki.

        * stress/big-int-bitwise-xor-jit.js: Added.
        * stress/big-int-bitwise-xor-memory-stress.js: Added.
        * stress/big-int-bitwise-xor-untyped.js: Added.

2018-11-27  Saam barati  <sbarati@apple.com>

        r238510 broke scopes of size zero
        https://bugs.webkit.org/show_bug.cgi?id=192033
        <rdar://problem/46281734>

        Reviewed by Keith Miller.

        * stress/r238510-bad-loop.js: Added.
        (foo):

2018-11-27  Mark Lam  <mark.lam@apple.com>

        [Re-landing] NaNs read from Wasm code needs to be be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/regress/regress-191056.js: Added.

2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238509.

        Causes JSC tests to fail on iOS.

        Reverted changeset:

        "NaNs read from Wasm code needs to be be purified."
        https://bugs.webkit.org/show_bug.cgi?id=191056
        https://trac.webkit.org/changeset/238509

2018-11-26  Caio Lima  <ticaiolima@gmail.com>

        Re-introduce op_bitnot
        https://bugs.webkit.org/show_bug.cgi?id=190923

        Reviewed by Yusuke Suzuki.

        * stress/bit-not-must-generate.js: Added.
        * stress/bitwise-not-no-int32.js: Added.

2018-11-26  Saam barati  <sbarati@apple.com>

        InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
        https://bugs.webkit.org/show_bug.cgi?id=191956
        <rdar://problem/45665806>

        Reviewed by Yusuke Suzuki.

        * stress/end-basic-block-set-local-should-filter-type.js: Added.
        (bar):
        (foo):

2018-11-26  Saam barati  <sbarati@apple.com>

        Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
        https://bugs.webkit.org/show_bug.cgi?id=191958
        <rdar://problem/46221877>

        Reviewed by Yusuke Suzuki.

        * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
        (x):
        (foo):

2018-11-26  Mark Lam  <mark.lam@apple.com>

        NaNs read from Wasm code needs to be be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/regress/regress-191056.js: Added.

2018-11-26  Michael Saboff  <msaboff@apple.com>

        32-bit JSC test failure: stress/regexp-compile-oom.js
        https://bugs.webkit.org/show_bug.cgi?id=191375

        Reviewed by Mark Lam.

        Disabled the test for 32 bit platforms.

        * stress/regexp-compile-oom.js:

2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>

        ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
        https://bugs.webkit.org/show_bug.cgi?id=191716
        <rdar://problem/45723878>

        Reviewed by Saam Barati.

        * stress/regress-187373.js: Added.
        (async.fn):

2018-11-21  Saam barati  <sbarati@apple.com>

        DFGSpeculativeJIT should not &= exitOK with mayExit(node)
        https://bugs.webkit.org/show_bug.cgi?id=191897
        <rdar://problem/45871998>

        Reviewed by Mark Lam.

        * stress/exitok-is-not-the-same-as-mayExit.js: Added.
        (bar):
        (foo):

2018-11-21  Saam barati  <sbarati@apple.com>

        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
        https://bugs.webkit.org/show_bug.cgi?id=191895
        <rdar://problem/46167406>

        Reviewed by Mark Lam.

        * stress/known-cell-use-needs-type-check-assertion.js: Added.
        (foo):
        (bar):

2018-11-21  Mark Lam  <mark.lam@apple.com>

        Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
        https://bugs.webkit.org/show_bug.cgi?id=191776
        <rdar://problem/46152851>

        Reviewed by Saam Barati.

        * stress/big-wasm-memory-grow-no-max.js:
        * stress/big-wasm-memory-grow.js:
        * stress/big-wasm-memory.js:
        - updated these to expect an OutOfMemoryError.

        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
        (Binary.prototype.emit_u8):
        (Binary.prototype.emit_u32v):
        (Binary.prototype.emit_header):
        (Binary.prototype.emit_section):
        (Binary):
        (WasmModuleBuilder):
        (WasmModuleBuilder.prototype.addMemory):
        (WasmModuleBuilder.prototype.toArray):
        (WasmModuleBuilder.prototype.toBuffer):
        (WasmModuleBuilder.prototype.instantiate):
        (catch):
        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
        (catch):

2018-11-21  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
        https://bugs.webkit.org/show_bug.cgi?id=190836

        Reviewed by Saam Barati and Yusuke Suzuki.

        * stress/big-int-out-of-memory-tests.js: Added.

2018-11-20  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in VMTraps::SignalSender's SignalAction.
        https://bugs.webkit.org/show_bug.cgi?id=191856
        <rdar://problem/46089992>

        Reviewed by Yusuke Suzuki.

        * stress/regress-191856.js: Added.
        - this test is skipped for now until we have a fix for webkit.org/b/191855.

2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable JIT on ARM/Linux
        https://bugs.webkit.org/show_bug.cgi?id=191548

        Reviewed by Yusuke Suzuki.

        Disable test on system with limited memory. Program was killed by
        the OS before the exception was thrown.

        * slowMicrobenchmarks/function-constructor-with-huge-strings.js:

2018-11-20  Saam barati  <sbarati@apple.com>

        Merging an IC variant may lead to the IC status containing overlapping structure sets
969
970         Merging an IC variant may lead to the IC status containing overlapping structure sets
971         https://bugs.webkit.org/show_bug.cgi?id=191869
972         <rdar://problem/45403453>
973
974         Reviewed by Mark Lam.
975
976         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
977
978 2018-11-19  Mark Lam  <mark.lam@apple.com>
979
980         globalFuncImportModule() should return a promise when it clears exceptions.
981         https://bugs.webkit.org/show_bug.cgi?id=191792
982         <rdar://problem/46090763>
983
984         Reviewed by Michael Saboff.
985
986         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
987
988 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
989
990         Skip new memory-hungry tests on memory limited devices
991
992         Unreviewed gardening.
993
994         * stress/big-wasm-memory-grow-no-max.js:
995         * stress/big-wasm-memory-grow.js:
996         * stress/big-wasm-memory.js:
997
998 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
999
1000         Unreviewed, rolling in the rest of r237254
1001         https://bugs.webkit.org/show_bug.cgi?id=190340
1002
1003         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1004         * stress/function-cache-with-parameters-end-position.js: Added.
1005         (shouldBe):
1006         (shouldThrow):
1007         (i.anonymous):
1008         * stress/function-constructor-name.js: Added.
1009         (shouldBe):
1010         (GeneratorFunction):
1011         (AsyncFunction.async):
1012         (AsyncGeneratorFunction.async):
1013         (anonymous):
1014         (async.anonymous):
1015         * test262/expectations.yaml:
1016
1017 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1018
1019         All users of ArrayBuffer should agree on the same max size
1020         https://bugs.webkit.org/show_bug.cgi?id=191771
1021
1022         Reviewed by Mark Lam.
1023
1024         * stress/big-wasm-memory-grow-no-max.js: Added.
1025         (foo):
1026         (catch):
1027         * stress/big-wasm-memory-grow.js: Added.
1028         (foo):
1029         (catch):
1030         * stress/big-wasm-memory.js: Added.
1031         (foo):
1032         (catch):
1033
1034 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1035
1036         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1037         run for each JSC config since they're regression tests for runtime bugs.
1038
1039         * stress/json-stringified-overflow-2.js:
1040         * stress/json-stringified-overflow.js:
1041
1042 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1043
1044         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1045         config since they're regression tests for runtime bugs.
1046
1047         * stress/large-unshift-splice.js:
1048         * stress/regress-185888.js:
1049
1050 2018-11-16  Saam Barati  <sbarati@apple.com>
1051
1052         KnownCellUse should also have SpecCellCheck as its type filter
1053         https://bugs.webkit.org/show_bug.cgi?id=191729
1054         <rdar://problem/45872852>
1055
1056         Reviewed by Filip Pizlo.
1057
1058         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1059         (C):
1060
1061 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1062
1063         Fix assertion failure on BytecodeGenerator::recordOpcode
1064         https://bugs.webkit.org/show_bug.cgi?id=191724
1065         <rdar://problem/45724395>
1066
1067         Reviewed by Saam Barati.
1068
1069         * stress/regress-187373-2.js: Added.
1070         (foo):
1071
1072 2018-11-15  Mark Lam  <mark.lam@apple.com>
1073
1074         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1075         https://bugs.webkit.org/show_bug.cgi?id=191730
1076         <rdar://problem/46048517>
1077
1078         Reviewed by Saam Barati.
1079
1080         * stress/regress-187006.js: Removed.
1081           - this test is invalid because its sole purpose is to test for the non-spec
1082             compliant behavior that we just fixed.
1083
1084         * stress/regress-191730.js: Added.
1085
1086 2018-11-15  Mark Lam  <mark.lam@apple.com>
1087
1088         RegExp operations should not take fast patch if lastIndex is not numeric.
1089         https://bugs.webkit.org/show_bug.cgi?id=191731
1090         <rdar://problem/46017305>
1091
1092         Reviewed by Saam Barati.
1093
1094         * stress/regress-191731.js: Added.
1095
1096 2018-11-13  Saam Barati  <sbarati@apple.com>
1097
1098         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1099         https://bugs.webkit.org/show_bug.cgi?id=191600
1100
1101         Reviewed by Mark Lam.
1102
1103         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1104         (foo):
1105         (test):
1106         (bar):
1107
1108 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1109
1110         Unreviewed, rolling out r238132.
1111
1112         The test added with this change is timing out on Debug JSC
1113         bots.
1114
1115         Reverted changeset:
1116
1117         "[BigInt] JSBigInt::createWithLength should throw when length
1118         is greater than JSBigInt::maxLength"
1119         https://bugs.webkit.org/show_bug.cgi?id=190836
1120         https://trac.webkit.org/changeset/238132
1121
1122 2018-11-13  Mark Lam  <mark.lam@apple.com>
1123
1124         Add OOM detection to StringPrototype's substituteBackreferences().
1125         https://bugs.webkit.org/show_bug.cgi?id=191563
1126         <rdar://problem/45720428>
1127
1128         Reviewed by Saam Barati.
1129
1130         * stress/regress-191563.js: Added.
1131
1132 2018-11-13  Mark Lam  <mark.lam@apple.com>
1133
1134         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1135         https://bugs.webkit.org/show_bug.cgi?id=191579
1136         <rdar://problem/45942472>
1137
1138         Reviewed by Saam Barati.
1139
1140         * stress/regress-191579.js: Added.
1141
1142 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1143
1144         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1145         https://bugs.webkit.org/show_bug.cgi?id=190836
1146
1147         Reviewed by Saam Barati.
1148
1149         * stress/big-int-out-of-memory-tests.js: Added.
1150
1151 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1152
1153         U+180E is no longer a whitespace character
1154         https://bugs.webkit.org/show_bug.cgi?id=191415
1155
1156         Reviewed by Saam Barati.
1157
1158         * ChakraCore/test/es5/regexSpace.baseline:
1159         * ChakraCore/test/es6/unicode_whitespace.js:
1160         Update tests to latest version.
1161         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1162
1163         * test262.yaml:
1164         * test262/config.yaml:
1165         * test262/expectations.yaml:
1166         Update expectations.
1167
1168 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1169
1170         [BigInt] Add support to BigInt into ValueAdd
1171         https://bugs.webkit.org/show_bug.cgi?id=186177
1172
1173         Reviewed by Keith Miller.
1174
1175         * stress/big-int-negate-jit.js:
1176         * stress/value-add-big-int-and-string.js: Added.
1177         * stress/value-add-big-int-prediction-propagation.js: Added.
1178         * stress/value-add-big-int-untyped.js: Added.
1179
1180 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1181
1182         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1183         https://bugs.webkit.org/show_bug.cgi?id=191184
1184
1185         Reviewed by Saam Barati.
1186
1187         Most tests were failing due to timeouts, since they are too slow to
1188         run on CLoop. The exceptions are:
1189
1190         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1191         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1192         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1193         to change the stack size since CLoop requires it to be page aligned.
1194
1195         * microbenchmarks/array-push-1.js:
1196         * microbenchmarks/array-push-2.js:
1197         * microbenchmarks/elidable-new-object-dag.js:
1198         * microbenchmarks/elidable-new-object-roflcopter.js:
1199         * microbenchmarks/elidable-new-object-tree.js:
1200         * microbenchmarks/getter-richards.js:
1201         * microbenchmarks/sinkable-new-object-dag.js:
1202         * microbenchmarks/string-concat-long-convert.js:
1203         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1204         * slowMicrobenchmarks/array-push-3.js:
1205         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1206         * slowMicrobenchmarks/spread-small-array.js:
1207         * slowMicrobenchmarks/undefined-property-access.js:
1208         * stress/activation-sink-default-value-tdz-error.js:
1209         * stress/activation-sink-default-value.js:
1210         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1211         * stress/activation-sink-osrexit-default-value.js:
1212         * stress/activation-sink-osrexit.js:
1213         * stress/activation-sink.js:
1214         * stress/allow-math-ic-b3-code-duplication.js:
1215         * stress/array-push-multiple-int32.js:
1216         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1217         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1218         * stress/arrowfunction-lexical-this-activation-sink.js:
1219         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1220         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1221         * stress/elide-new-object-dag-then-exit.js:
1222         * stress/materialize-regexp-cyclic.js:
1223         * stress/new-regex-inline.js:
1224         * stress/op_add.js:
1225         * stress/op_bitand.js:
1226         * stress/op_bitor.js:
1227         * stress/op_bitxor.js:
1228         * stress/op_div-ConstVar.js:
1229         * stress/op_div-VarConst.js:
1230         * stress/op_div-VarVar.js:
1231         * stress/op_lshift-ConstVar.js:
1232         * stress/op_lshift-VarConst.js:
1233         * stress/op_lshift-VarVar.js:
1234         * stress/op_mod-ConstVar.js:
1235         * stress/op_mod-VarConst.js:
1236         * stress/op_mod-VarVar.js:
1237         * stress/op_mul-ConstVar.js:
1238         * stress/op_mul-VarConst.js:
1239         * stress/op_mul-VarVar.js:
1240         * stress/op_rshift-ConstVar.js:
1241         * stress/op_rshift-VarConst.js:
1242         * stress/op_rshift-VarVar.js:
1243         * stress/op_sub-ConstVar.js:
1244         * stress/op_sub-VarConst.js:
1245         * stress/op_sub-VarVar.js:
1246         * stress/op_urshift-ConstVar.js:
1247         * stress/op_urshift-VarConst.js:
1248         * stress/op_urshift-VarVar.js:
1249         * stress/proxy-get-set-correct-receiver.js:
1250         * stress/regress-179562.js:
1251         * stress/rest-parameter-many-arguments.js:
1252         * stress/sampling-profiler-richards.js:
1253         * stress/splay-flash-access-1ms.js:
1254         * stress/tailCallForwardArguments.js:
1255         * stress/typed-array-get-by-val-profiling.js:
1256         * typeProfiler/getter-richards.js:
1257
1258 2018-11-06  Michael Saboff  <msaboff@apple.com>
1259
1260         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1261         https://bugs.webkit.org/show_bug.cgi?id=191271
1262
1263         Reviewed by Saam Barati.
1264
1265         Added more test cases and made all test cases run with the same deeply recursive stack
1266         instead of finding that same point for each test case.
1267
1268         * stress/regexp-compile-oom.js:
1269         (prototype.runTest):
1270         (recurseAndTest):
1271         (testList.push.new.TestAndExpectedException):
1272
1273 2018-11-05  Michael Saboff  <msaboff@apple.com>
1274
1275         Unreviewed build fix for linux.
1276
1277         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1278
1279 2018-11-02  Michael Saboff  <msaboff@apple.com>
1280
1281         Rolling in r237753 with unreviewed build fix.
1282
1283         Fixed issues with DECLARE_THROW_SCOPE placement.
1284
1285 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1286
1287         Unreviewed, rolling out r237753.
1288
1289         Introduced JSC test failures
1290
1291         Reverted changeset:
1292
1293         "Running out of stack space not properly handled in
1294         RegExp::compile() and its callers"
1295         https://bugs.webkit.org/show_bug.cgi?id=191206
1296         https://trac.webkit.org/changeset/237753
1297
1298 2018-11-02  Michael Saboff  <msaboff@apple.com>
1299
1300         Running out of stack space not properly handled in RegExp::compile() and its callers
1301         https://bugs.webkit.org/show_bug.cgi?id=191206
1302
1303         Reviewed by Filip Pizlo.
1304
1305         New regression test.
1306
1307         * stress/regexp-compile-oom.js: Added.
1308         (recurseAndTest):
1309
1310 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1311
1312         Skip tests on arm/mips that time out now we're running on CLoop
1313
1314         Unreviewed gardening.
1315
1316         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1317         time out on the bots and need to be disabled. There are more tests
1318         disabled on arm because the timeout is longer on the mips bot (as the
1319         device is slower to start with), so many of the tests don't time out
1320         there.
1321
1322         * microbenchmarks/getter-richards.js: disable on arm and mips.
1323         * stress/op_add.js: disable on arm.
1324         * stress/op_bitand.js: disable on arm.
1325         * stress/op_bitor.js: disable on arm.
1326         * stress/op_bitxor.js: disable on arm.
1327         * stress/op_lshift-ConstVar.js: disable on arm.
1328         * stress/op_lshift-VarConst.js: disable on arm.
1329         * stress/op_lshift-VarVar.js: disable on arm.
1330         * stress/op_mod-ConstVar.js: disable on arm.
1331         * stress/op_mod-VarConst.js: disable on arm.
1332         * stress/op_mod-VarVar.js: disable on arm.
1333         * stress/op_mul-ConstVar.js: disable on arm.
1334         * stress/op_mul-VarConst.js: disable on arm.
1335         * stress/op_mul-VarVar.js: disable on arm.
1336         * stress/op_rshift-ConstVar.js: disable on arm.
1337         * stress/op_rshift-VarConst.js: disable on arm.
1338         * stress/op_rshift-VarVar.js: disable on arm.
1339         * stress/op_sub-ConstVar.js: disable on arm.
1340         * stress/op_sub-VarConst.js: disable on arm.
1341         * stress/op_sub-VarVar.js: disable on arm.
1342         * stress/op_urshift-ConstVar.js: disable on arm.
1343         * stress/op_urshift-VarConst.js: disable on arm.
1344         * stress/op_urshift-VarVar.js: disable on arm.
1345         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1346         * stress/value-to-boolean.js: disable on arm and mips.
1347
1348 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1349
1350         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1351         https://bugs.webkit.org/show_bug.cgi?id=191108
1352         <rdar://problem/45690700>
1353
1354         Reviewed by Saam Barati.
1355
1356         * stress/wide-op_catch.js: Added.
1357         (catch):
1358
1359 2018-10-29  Mark Lam  <mark.lam@apple.com>
1360
1361         Correctly detect string overflow when using the 'Function' constructor.
1362         https://bugs.webkit.org/show_bug.cgi?id=184883
1363         <rdar://problem/36320331>
1364
1365         Reviewed by Saam Barati.
1366
1367         I've verified that this passes on 32-bit as well.
1368
1369         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1370
1371 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1372
1373         Add support for GetStack FlushedDouble
1374         https://bugs.webkit.org/show_bug.cgi?id=191012
1375         <rdar://problem/45265141>
1376
1377         Reviewed by Saam Barati.
1378
1379         * stress/get-stack-double.js: Added.
1380         (bar):
1381         (noInline):
1382
1383 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1384
1385         New bytecode format for JSC
1386         https://bugs.webkit.org/show_bug.cgi?id=187373
1387         <rdar://problem/44186758>
1388
1389         Reviewed by Filip Pizlo.
1390
1391         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1392
1393         * stress/maximum-inline-capacity.js: Added.
1394         (test1):
1395         (test3.Foo):
1396         (test3):
1397
1398 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1399
1400         Unreviewed, rolling out r237479 and r237484.
1401         https://bugs.webkit.org/show_bug.cgi?id=190978
1402
1403         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1404
1405         Reverted changesets:
1406
1407         "New bytecode format for JSC"
1408         https://bugs.webkit.org/show_bug.cgi?id=187373
1409         https://trac.webkit.org/changeset/237479
1410
1411         "Gardening: Build fix after r237479."
1412         https://bugs.webkit.org/show_bug.cgi?id=187373
1413         https://trac.webkit.org/changeset/237484
1414
1415 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1416
1417         New bytecode format for JSC
1418         https://bugs.webkit.org/show_bug.cgi?id=187373
1419         <rdar://problem/44186758>
1420
1421         Reviewed by Filip Pizlo.
1422
1423         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1424
1425         * stress/maximum-inline-capacity.js: Added.
1426         (test1):
1427         (test3.Foo):
1428         (test3):
1429
1430 2018-10-26  Mark Lam  <mark.lam@apple.com>
1431
1432         Fix missing edge cases with JSGlobalObjects having a bad time.
1433         https://bugs.webkit.org/show_bug.cgi?id=189028
1434         <rdar://problem/45204939>
1435
1436         Reviewed by Saam Barati.
1437
1438         * stress/regress-189028.js: Added.
1439
1440 2018-10-22  Mark Lam  <mark.lam@apple.com>
1441
1442         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1443         https://bugs.webkit.org/show_bug.cgi?id=190515
1444         <rdar://problem/45222379>
1445
1446         Rubber-stamped by Saam Barati.
1447
1448         Adding another test.
1449
1450         * stress/regress-190515-2.js: Added.
1451
1452 2018-10-22  Mark Lam  <mark.lam@apple.com>
1453
1454         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1455         https://bugs.webkit.org/show_bug.cgi?id=190515
1456         <rdar://problem/45222379>
1457
1458         Reviewed by Saam Barati.
1459
1460         * stress/regress-190515.js: Added.
1461
1462 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1463
1464         Unreviewed, rolling out r237254.
1465         https://bugs.webkit.org/show_bug.cgi?id=190760
1466
1467         "It regresses JetStream 2 by 5% on some iOS devices"
1468         (Requested by saamyjoon on #webkit).
1469
1470         Reverted changeset:
1471
1472         "[JSC] JSC should have "parseFunction" to optimize Function
1473         constructor"
1474         https://bugs.webkit.org/show_bug.cgi?id=190340
1475         https://trac.webkit.org/changeset/237254
1476
1477 2018-10-19  Saam Barati  <sbarati@apple.com>
1478
1479         vmCall should check if we exit before emitting an OSR exit due to exceptions
1480         https://bugs.webkit.org/show_bug.cgi?id=190740
1481         <rdar://problem/45220139>
1482
1483         Reviewed by Mark Lam.
1484
1485         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1486         (foo):
1487
1488 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1489
1490         [ESNext][BigInt] Implement support for "^"
1491         https://bugs.webkit.org/show_bug.cgi?id=186235
1492
1493         Reviewed by Yusuke Suzuki.
1494
1495         * stress/big-int-bitwise-xor-general.js: Added.
1496         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1497         * stress/big-int-bitwise-xor-type-error.js: Added.
1498         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1499
1500 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1501
1502         [BigInt] Add ValueSub into DFG
1503         https://bugs.webkit.org/show_bug.cgi?id=186176
1504
1505         Reviewed by Yusuke Suzuki.
1506
1507         * stress/big-int-subtraction-jit.js:
1508         * stress/value-sub-big-int-prediction-propagation.js: Added.
1509         * stress/value-sub-big-int-untyped.js: Added.
1510         * stress/value-sub-spec-none-case.js: Added.
1511
1512 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1513
1514         [JSC] JSC should have "parseFunction" to optimize Function constructor
1515         https://bugs.webkit.org/show_bug.cgi?id=190340
1516
1517         Reviewed by Mark Lam.
1518
1519         This patch fixes the line number of syntax errors raised by the Function constructor,
1520         since we now parse the final code only once. And we no longer use block statement
1521         for Function constructor's parsing.
1522
1523         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1524         * stress/function-cache-with-parameters-end-position.js: Added.
1525         (shouldBe):
1526         (shouldThrow):
1527         (i.anonymous):
1528         * stress/function-constructor-name.js: Added.
1529         (shouldBe):
1530         (GeneratorFunction):
1531         (AsyncFunction.async):
1532         (AsyncGeneratorFunction.async):
1533         (anonymous):
1534         (async.anonymous):
1535         * test262/expectations.yaml:
1536
1537 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1538
1539         Unreviewed, rolling out r237242.
1540         https://bugs.webkit.org/show_bug.cgi?id=190701
1541
1542         it breaks "stress/sampling-profiler-basic.js" (Requested by
1543         caiolima on #webkit).
1544
1545         Reverted changeset:
1546
1547         "[BigInt] Add ValueSub into DFG"
1548         https://bugs.webkit.org/show_bug.cgi?id=186176
1549         https://trac.webkit.org/changeset/237242
1550
1551 2018-10-17  Keith Miller  <keith_miller@apple.com>
1552
1553         AI does not clear Phantom allocation nodes.
1554         https://bugs.webkit.org/show_bug.cgi?id=190694
1555
1556         Reviewed by Saam Barati.
1557
1558         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1559         (Day):
1560         (DaysInYear):
1561         (TimeInYear):
1562         (TimeFromYear):
1563         (DayFromYear):
1564         (InLeapYear):
1565         (YearFromTime):
1566         (WeekDay):
1567         (DaylightSavingTA):
1568         (GetSecondSundayInMarch):
1569         (TimeInMonth):
1570
1571 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1572
1573         [BigInt] Add ValueSub into DFG
1574         https://bugs.webkit.org/show_bug.cgi?id=186176
1575
1576         Reviewed by Yusuke Suzuki.
1577
1578         * stress/big-int-subtraction-jit.js:
1579         * stress/value-sub-big-int-prediction-propagation.js: Added.
1580         * stress/value-sub-big-int-untyped.js: Added.
1581
1582 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1583
1584         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1585         https://bugs.webkit.org/show_bug.cgi?id=190611
1586
1587         Reviewed by Saam Barati.
1588
1589         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1590         to improve test runtime. On ARM/MIPS this test even timed out when running all
1591         tests.
1592
1593         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1594         (test):
1595
1596 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1597
1598         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1599
1600         Unreviewed gardening.
1601
1602         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1603
1604 2018-10-15  Saam barati  <sbarati@apple.com>
1605
1606         Emit fjcvtzs on ARM64E on Darwin
1607         https://bugs.webkit.org/show_bug.cgi?id=184023
1608
1609         Reviewed by Yusuke Suzuki and Filip Pizlo.
1610
1611         * stress/double-to-int32-NaN.js: Added.
1612         (assert):
1613         (foo):
1614
1615 2018-10-15  Saam Barati  <sbarati@apple.com>
1616
1617         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1618         https://bugs.webkit.org/show_bug.cgi?id=190262
1619         <rdar://problem/44986241>
1620
1621         Reviewed by Mark Lam.
1622
1623         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1624         (test):
1625         * stress/slice-array-storage-with-holes.js: Added.
1626         (main):
1627
1628 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1629
1630         Unreviewed, rolling out r237054.
1631         https://bugs.webkit.org/show_bug.cgi?id=190593
1632
1633         "this regressed JetStream 2 by 6% on iOS" (Requested by
1634         saamyjoon on #webkit).
1635
1636         Reverted changeset:
1637
1638         "[JSC] JSC should have "parseFunction" to optimize Function
1639         constructor"
1640         https://bugs.webkit.org/show_bug.cgi?id=190340
1641         https://trac.webkit.org/changeset/237054
1642
1643 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [JSC] JSON.stringify can accept call-with-no-arguments
1646         https://bugs.webkit.org/show_bug.cgi?id=190343
1647
1648         Reviewed by Mark Lam.
1649
1650         * stress/json-stringify-no-arguments.js: Added.
1651         (shouldBe):
1652
1653 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1654
1655         [JSC] JSC should have "parseFunction" to optimize Function constructor
1656         https://bugs.webkit.org/show_bug.cgi?id=190340
1657
1658         Reviewed by Mark Lam.
1659
1660         This patch fixes the line number of syntax errors raised by the Function constructor,
1661         since we now parse the final code only once. And we no longer use block statement
1662         for Function constructor's parsing.
1663
1664         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1665         * stress/function-cache-with-parameters-end-position.js: Added.
1666         (shouldBe):
1667         (shouldThrow):
1668         (i.anonymous):
1669         * stress/function-constructor-name.js: Added.
1670         (shouldBe):
1671         (GeneratorFunction):
1672         (AsyncFunction.async):
1673         (AsyncGeneratorFunction.async):
1674         (anonymous):
1675         (async.anonymous):
1676         * test262/expectations.yaml:
1677
1678 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1679
1680         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1681         https://bugs.webkit.org/show_bug.cgi?id=190426
1682
1683         Unreviewed gardening.
1684
1685         * stress/sampling-profiler-richards.js:
1686
1687 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1688
1689         [ESNext][BigInt] Implement support for "|"
1690         https://bugs.webkit.org/show_bug.cgi?id=186229
1691
1692         Reviewed by Yusuke Suzuki.
1693
1694         * stress/big-int-bitwise-and-jit.js:
1695         * stress/big-int-bitwise-or-general.js: Added.
1696         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1697         * stress/big-int-bitwise-or-jit.js: Added.
1698         * stress/big-int-bitwise-or-memory-stress.js: Added.
1699         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1700         * stress/big-int-bitwise-or-type-error.js: Added.
1701         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1702
1703 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1704
1705         Skip test on systems with limited memory
1706         https://bugs.webkit.org/show_bug.cgi?id=190310
1707
1708         Invoking runDefault adds test to runlist, skipping the test in the next
1709         line does not prevent the test from executing. Change order of lines such
1710         that runDefault is only executed if test is not executed.
1711
1712         Reviewed by Mark Lam.
1713
1714         * stress/regress-190187.js:
1715
1716 2018-10-03  Saam barati  <sbarati@apple.com>
1717
1718         lowXYZ in FTLLower should always filter the type of the incoming edge
1719         https://bugs.webkit.org/show_bug.cgi?id=189939
1720         <rdar://problem/44407030>
1721
1722         Reviewed by Michael Saboff.
1723
1724         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1725         (foo):
1726         (test):
1727
1728 2018-10-03  Mark Lam  <mark.lam@apple.com>
1729
1730         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1731         https://bugs.webkit.org/show_bug.cgi?id=190187
1732         <rdar://problem/42512909>
1733
1734         Reviewed by Michael Saboff.
1735
1736         * stress/regress-190187.js: Added.
1737
1738 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1739
1740         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1741         https://bugs.webkit.org/show_bug.cgi?id=190033
1742
1743         Reviewed by Yusuke Suzuki.
1744
1745         * stress/big-int-to-string.js:
1746
1747 2018-10-01  Mark Lam  <mark.lam@apple.com>
1748
1749         Function.toString() should also copy the source code Functions that are class definitions.
1750         https://bugs.webkit.org/show_bug.cgi?id=190186
1751         <rdar://problem/44733360>
1752
1753         Reviewed by Saam Barati.
1754
1755         * stress/regress-190186.js: Added.
1756
1757 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1758
1759         Split NaN-check into separate test
1760         https://bugs.webkit.org/show_bug.cgi?id=190010
1761
1762         Reviewed by Saam Barati.
1763
1764         DataView exposes NaN-representation, which is not necessarily the same on each
1765         architecture. Therefore move the check of the NaN-representation into its own
1766         file such that we can disable this test on MIPS where NaN-representation can be
1767         different on older CPUs.
1768
1769         * stress/dataview-jit-set-nan.js: Added.
1770         (assert):
1771         (test.storeLittleEndian):
1772         (test.storeBigEndian):
1773         (test.store):
1774         (test):
1775         * stress/dataview-jit-set.js:
1776         (test5):
1777
1778 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1779
1780         Unreviewed, rolling out r236647.
1781         https://bugs.webkit.org/show_bug.cgi?id=190124
1782
1783         Breaking test stress/big-int-to-string.js (Requested by
1784         caiolima_ on #webkit).
1785
1786         Reverted changeset:
1787
1788         "[BigInt] BigInt.prototype.toString is broken when radix is
1789         power of 2"
1790         https://bugs.webkit.org/show_bug.cgi?id=190033
1791         https://trac.webkit.org/changeset/236647
1792
1793 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1794
1795         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1796         https://bugs.webkit.org/show_bug.cgi?id=190033
1797
1798         Reviewed by Yusuke Suzuki.
1799
1800         * stress/big-int-to-string.js:
1801
1802 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1803
1804         [ESNext][BigInt] Implement support for "&"
1805         https://bugs.webkit.org/show_bug.cgi?id=186228
1806
1807         Reviewed by Yusuke Suzuki.
1808
1809         * stress/big-int-bitwise-and-general.js: Added.
1810         (assert):
1811         (assert.sameValue):
1812         * stress/big-int-bitwise-and-jit.js: Added.
1813         (let.assert.sameValue):
1814         (bigIntBitAnd):
1815         * stress/big-int-bitwise-and-memory-stress.js: Added.
1816         (assert):
1817         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1818         (assert.sameValue):
1819         (let.o.Symbol.toPrimitive):
1820         (catch):
1821         * stress/big-int-bitwise-and-type-error.js: Added.
1822         (assert):
1823         (assertThrowTypeError):
1824         (let.o.valueOf):
1825         (o.valueOf):
1826         (o.toString):
1827         (o.Symbol.toPrimitive):
1828         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1829         (assert.sameValue):
1830         (testBitAnd):
1831         (let.o.Symbol.toPrimitive):
1832         (o.valueOf):
1833         (o.toString):
1834
1835 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1836
1837         JSC test stress/jsc-read.js doesn't support CRLF
1838         https://bugs.webkit.org/show_bug.cgi?id=190063
1839
1840         Reviewed by Yusuke Suzuki.
1841
1842         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1843
1844         * stress/jsc-read.js:
1845         (test):
1846
1847 2018-09-27  Saam barati  <sbarati@apple.com>
1848
1849         Verify the contents of AssemblerBuffer on arm64e
1850         https://bugs.webkit.org/show_bug.cgi?id=190057
1851         <rdar://problem/38916630>
1852
1853         Reviewed by Mark Lam.
1854
1855         * stress/regress-189132.js:
1856
1857 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1858
1859         Disable test without LLInt on ARMv7
1860         https://bugs.webkit.org/show_bug.cgi?id=190037
1861
1862         Reviewed by Mark Lam.
1863
1864         Test runs out of executable memory on ARMv7; do not run
1865         this test without LLInt enabled.
1866
1867         * stress/regress-169445.js:
1868
1869 2018-09-26  Keith Miller  <keith_miller@apple.com>
1870
1871         We should zero unused property storage when rebalancing array storage.
1872         https://bugs.webkit.org/show_bug.cgi?id=188151
1873
1874         Reviewed by Michael Saboff.
1875
1876         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1877
1878 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1879
1880         [JSC] Optimize Array#lastIndexOf
1881         https://bugs.webkit.org/show_bug.cgi?id=189780
1882
1883         Reviewed by Saam Barati.
1884
1885         * stress/array-lastindexof-array-prototype-trap.js: Added.
1886         (shouldBe):
1887         (AncestorArray.prototype.get 2):
1888         (AncestorArray):
1889         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1890         (shouldBe):
1891         * stress/array-lastindexof-hole-nan.js: Added.
1892         (shouldBe):
1893         (throw.new.Error):
1894         * stress/array-lastindexof-infinity.js: Added.
1895         (shouldBe):
1896         (throw.new.Error):
1897         * stress/array-lastindexof-negative-zero.js: Added.
1898         (shouldBe):
1899         (throw.new.Error):
1900         * stress/array-lastindexof-own-getter.js: Added.
1901         (shouldBe):
1902         (throw.new.Error.get array):
1903         (get array):
1904         * stress/array-lastindexof-prototype-trap.js: Added.
1905         (shouldBe):
1906         (DerivedArray.prototype.get 2):
1907         (DerivedArray):
1908
1909 2018-09-25  Saam Barati  <sbarati@apple.com>
1910
1911         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1912         https://bugs.webkit.org/show_bug.cgi?id=189940
1913         <rdar://problem/43640987>
1914
1915         Reviewed by Mark Lam.
1916
1917         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1918
1919 2018-09-24  Saam Barati  <sbarati@apple.com>
1920
1921         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1922         https://bugs.webkit.org/show_bug.cgi?id=189922
1923         <rdar://problem/44651275>
1924
1925         Reviewed by Mark Lam.
1926
1927         * stress/array-indexof-fast-path-effects.js: Added.
1928         * stress/array-indexof-cached-length.js: Added.
1929
1930 2018-09-24  Saam barati  <sbarati@apple.com>
1931
1932         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1933         https://bugs.webkit.org/show_bug.cgi?id=189682
1934         <rdar://problem/43557315>
1935
1936         Reviewed by Mark Lam.
1937
1938         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1939         (foo):
1940
1941 2018-09-22  Saam barati  <sbarati@apple.com>
1942
1943         The sampling should not use Strong<CodeBlock> in its machineLocation field
1944         https://bugs.webkit.org/show_bug.cgi?id=189319
1945
1946         Reviewed by Filip Pizlo.
1947
1948         * stress/sampling-profiler-richards.js: Added.
1949
1950 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1951
1952         [JSC] Optimize Array#indexOf in C++ runtime
1953         https://bugs.webkit.org/show_bug.cgi?id=189507
1954
1955         Reviewed by Saam Barati.
1956
1957         * stress/array-indexof-array-prototype-trap.js: Added.
1958         (shouldBe):
1959         (AncestorArray.prototype.get 2):
1960         (AncestorArray):
1961         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1962         (shouldBe):
1963         * stress/array-indexof-hole-nan.js: Added.
1964         (shouldBe):
1965         (throw.new.Error):
1966         * stress/array-indexof-infinity.js: Added.
1967         (shouldBe):
1968         (throw.new.Error):
1969         * stress/array-indexof-negative-zero.js: Added.
1970         (shouldBe):
1971         (throw.new.Error):
1972         * stress/array-indexof-own-getter.js: Added.
1973         (shouldBe):
1974         (throw.new.Error.get array):
1975         (get array):
1976         * stress/array-indexof-prototype-trap.js: Added.
1977         (shouldBe):
1978         (DerivedArray.prototype.get 2):
1979         (DerivedArray):
1980
1981 2018-09-19  Saam barati  <sbarati@apple.com>
1982
1983         AI rule for MultiPutByOffset executes its effects in the wrong order
1984         https://bugs.webkit.org/show_bug.cgi?id=189757
1985         <rdar://problem/43535257>
1986
1987         Reviewed by Michael Saboff.
1988
1989         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1990         (foo):
1991         (Foo):
1992         (g):
1993
1994 2018-09-17  Mark Lam  <mark.lam@apple.com>
1995
1996         Ensure that ForInContexts are invalidated if their loop local is over-written.
1997         https://bugs.webkit.org/show_bug.cgi?id=189571
1998         <rdar://problem/44402277>
1999
2000         Reviewed by Saam Barati.
2001
2002         * stress/regress-189571.js: Added.
2003
2004 2018-09-17  Saam barati  <sbarati@apple.com>
2005
2006         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2007         https://bugs.webkit.org/show_bug.cgi?id=189676
2008         <rdar://problem/39682897>
2009
2010         Reviewed by Michael Saboff.
2011
2012         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2013         (A):
2014         (K):
2015         (i.catch):
2016
2017 2018-09-14  Saam barati  <sbarati@apple.com>
2018
2019         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2020         https://bugs.webkit.org/show_bug.cgi?id=189628
2021         <rdar://problem/39481690>
2022
2023         Reviewed by Mark Lam.
2024
2025         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2026         (foo):
2027
2028 2018-09-11  Mark Lam  <mark.lam@apple.com>
2029
2030         Test for array initialization in arrayProtoFuncSplice.
2031         https://bugs.webkit.org/show_bug.cgi?id=170253
2032         <rdar://problem/31328773>
2033
2034         Rubber-stamped by Saam Barati.
2035
2036         * stress/regress-170253.js: Added.
2037
2038 2018-09-11  Mark Lam  <mark.lam@apple.com>
2039
2040         Test for IntlObject initialization.
2041         https://bugs.webkit.org/show_bug.cgi?id=170251
2042         <rdar://problem/31328419>
2043
2044         Rubber-stamped by Saam Barati.
2045
2046         * stress/regress-170251.js: Added.
2047
2048 2018-09-11  Mark Lam  <mark.lam@apple.com>
2049
2050         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2051         https://bugs.webkit.org/show_bug.cgi?id=169889
2052         <rdar://problem/31155607>
2053
2054         Reviewed by Saam Barati.
2055
2056         * stress/regress-169889-array-concat.js: Added.
2057         * stress/regress-169889-array-concat1.js: Added.
2058         * stress/regress-169889-array-slice.js: Added.
2059
2060 2018-09-11  Mark Lam  <mark.lam@apple.com>
2061
2062         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2063         https://bugs.webkit.org/show_bug.cgi?id=169445
2064         <rdar://problem/30957435>
2065
2066         Reviewed by Saam Barati.
2067
2068         * stress/regress-169445.js: Added.
2069         (let.gun.eval.A):
2070         (let.gun.eval.B.C):
2071         (let.gun.eval.B.C.prototype.trigger):
2072         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2073         (let.gun.eval.B):
2074         (let.gun.eval):
2075
2076 == Rolled over to ChangeLog-2018-09-11 ==