B3 should use associativity to optimize expression trees
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-03  Robin Morisset  <rmorisset@apple.com>
2
3         B3 should use associativity to optimize expression trees
4         https://bugs.webkit.org/show_bug.cgi?id=194081
5
6         Reviewed by Filip Pizlo.
7
8         Added three microbenchmarks:
9         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
10         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
11           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
12         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
13
14         * microbenchmarks/add-tree.js: Added.
15         * microbenchmarks/bit-or-tree.js: Added.
16         * microbenchmarks/bit-xor-tree.js: Added.
17
18 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
19
20         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
21         https://bugs.webkit.org/show_bug.cgi?id=196574
22
23         Reviewed by Saam Barati.
24
25         * stress/string-index-of-exception-check.js: Added.
26         (blurType):
27         (1.forEach):
28
29 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
30
31         Assertion failed in JSC::createError
32         https://bugs.webkit.org/show_bug.cgi?id=196305
33         <rdar://problem/49387382>
34
35         Reviewed by Saam Barati.
36
37         * stress/create-error-out-of-memory-rope-string-2.js: Added.
38         (assert):
39         (catch):
40
41 2019-03-28  Saam Barati  <sbarati@apple.com>
42
43         BackwardsGraph needs to consider back edges as the backward's root successor
44         https://bugs.webkit.org/show_bug.cgi?id=195991
45
46         Reviewed by Filip Pizlo.
47
48         * stress/map-b3-licm-infinite-loop.js: Added.
49
50 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
51
52         CodeBlock::jettison() should disallow repatching its own calls
53         https://bugs.webkit.org/show_bug.cgi?id=196359
54         <rdar://problem/48973663>
55
56         Reviewed by Saam Barati.
57
58         * stress/call-link-info-osrexit-repatch.js: Added.
59         (foo):
60
61 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
62
63         [JSC] imports-oom.js intermittently fails
64         https://bugs.webkit.org/show_bug.cgi?id=196373
65
66         Reviewed by Saam Barati.
67
68         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
69         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
70         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
71         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
72         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
73
74         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
75         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
76
77         * wasm/lowExecutableMemory/imports-oom.js:
78
79 2019-03-27  Saam Barati  <sbarati@apple.com>
80
81         validateOSREntryValue with Int52 should box the value being checked into double format
82         https://bugs.webkit.org/show_bug.cgi?id=196313
83         <rdar://problem/49306703>
84
85         Reviewed by Yusuke Suzuki.
86
87         * stress/validate-int-52-ai-state.js: Added.
88
89 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
90
91         [JSC] Owner of watchpoints should validate at GC finalizing phase
92         https://bugs.webkit.org/show_bug.cgi?id=195827
93
94         Reviewed by Filip Pizlo.
95
96         * stress/gc-should-reap-dead-watchpoints.js: Added.
97         (foo):
98         (A.prototype.y):
99         (A):
100
101 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
102
103         Skip WebAssembly test on 32-bit systems
104         https://bugs.webkit.org/show_bug.cgi?id=196206
105
106         Reviewed by Saam Barati.
107
108         Invoking runDefault executes test immediately even though
109         that test should be skipped due to missing WASM support.
110         Therefore remove runDefault.
111
112         * wasm/regress/web-assembly-link-error-exception-check.js:
113
114 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
115
116         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
117         https://bugs.webkit.org/show_bug.cgi?id=196217
118
119         Reviewed by Saam Barati.
120
121         Re-enable all NaN tests for f32.min, f64.min and f64.max.
122
123         * wasm/spec-tests/f32.wast.js:
124         * wasm/spec-tests/f64.wast.js:
125         * wasm/wasm.json:
126
127 2019-03-25  Keith Miller  <keith_miller@apple.com>
128
129         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
130         https://bugs.webkit.org/show_bug.cgi?id=196176
131
132         Reviewed by Saam Barati.
133
134         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
135         (main.v10):
136         (main):
137
138 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
139
140         WebAssembly: f32.max with NaN generates incorrect result
141         https://bugs.webkit.org/show_bug.cgi?id=175691
142         <rdar://problem/33952228>
143
144         Reviewed by Saam Barati.
145
146         Enable all f32.max NaN tests
147
148         * wasm/spec-tests/f32.wast.js:
149         * wasm/wasm.json:
150
151 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
152
153         [JSC] Move test into directory for WASM tests
154         https://bugs.webkit.org/show_bug.cgi?id=196187
155
156         Reviewed by Mark Lam.
157
158         Move Test into wasm-directory. Otherwise this test
159         is also executed on systems without WASM support.
160
161         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
162
163 2019-03-23  Mark Lam  <mark.lam@apple.com>
164
165         Rolling out r243032 and r243071 because the fix is incorrect.
166         https://bugs.webkit.org/show_bug.cgi?id=195892
167         <rdar://problem/48981239>
168
169         Not reviewed.
170
171         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
172
173 2019-03-22  Mark Lam  <mark.lam@apple.com>
174
175         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
176         https://bugs.webkit.org/show_bug.cgi?id=196154
177         <rdar://problem/49145307>
178
179         Reviewed by Filip Pizlo.
180
181         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
182         There's no need to run this test on more than 1 test configuration.
183
184         * stress/typed-array-lastIndexOf-exception-check.js: Added.
185         * stress/web-assembly-link-error-exception-check.js:
186
187 2019-03-22  Mark Lam  <mark.lam@apple.com>
188
189         Placate exception check validation in constructJSWebAssemblyLinkError().
190         https://bugs.webkit.org/show_bug.cgi?id=196152
191         <rdar://problem/49145257>
192
193         Reviewed by Michael Saboff.
194
195         * stress/web-assembly-link-error-exception-check.js: Added.
196
197 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
198
199         Skip tests running out of memory on ARM/MIPS
200         https://bugs.webkit.org/show_bug.cgi?id=196131
201
202         Unreviewed. Skip test if memory is limited.
203
204         * microbenchmarks/put-by-val-direct-large-index.js:
205
206 2019-03-21  Mark Lam  <mark.lam@apple.com>
207
208         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
209         https://bugs.webkit.org/show_bug.cgi?id=196116
210         <rdar://problem/48976951>
211
212         Reviewed by Filip Pizlo.
213
214         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
215
216 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
217
218         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
219         https://bugs.webkit.org/show_bug.cgi?id=196078
220         <rdar://problem/35925380>
221
222         Reviewed by Mark Lam.
223
224         Add a new benchmark that allocates several objects and invokes put_by_val_direct
225         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
226
227         * microbenchmarks/put-by-val-direct-large-index.js: Added.
228
229 2019-03-21  Mark Lam  <mark.lam@apple.com>
230
231         Placate exception check validation in operationArrayIndexOfString().
232         https://bugs.webkit.org/show_bug.cgi?id=196067
233         <rdar://problem/49056572>
234
235         Reviewed by Michael Saboff.
236
237         * stress/string-equal-exception-check.js: Added.
238
239 2019-03-21  Mark Lam  <mark.lam@apple.com>
240
241         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
242         https://bugs.webkit.org/show_bug.cgi?id=196055
243         <rdar://problem/49067448>
244
245         Reviewed by Yusuke Suzuki.
246
247         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
248
249 2019-03-20  Saam Barati  <sbarati@apple.com>
250
251         typeOfDoubleSum is wrong for when NaN can be produced
252         https://bugs.webkit.org/show_bug.cgi?id=196030
253
254         Reviewed by Filip Pizlo.
255
256         * stress/double-add-sub-mul-can-produce-nan.js: Added.
257         (assert):
258         (noInline.sub):
259         (noInline):
260         (assert.mul):
261         (assert.add):
262
263 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
264
265         Update the test to ensure OutOfMemoryError is thrown as intended
266         https://bugs.webkit.org/show_bug.cgi?id=196032
267         <rdar://problem/46842740>
268
269         Rubber stamped by Saam Barati.
270
271         * stress/create-error-out-of-memory-rope-string.js:
272         (assert):
273         (catch):
274
275 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
276
277         JSC::createError needs to check for OOM in errorDescriptionForValue
278         https://bugs.webkit.org/show_bug.cgi?id=196032
279         <rdar://problem/46842740>
280
281         Reviewed by Mark Lam.
282
283         * stress/create-error-out-of-memory-rope-string.js: Added.
284
285 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
286
287         Unreviewed, reduce # of iterations to avoid timing out after r242991
288         https://bugs.webkit.org/show_bug.cgi?id=195791
289
290         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
291
292         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
293
294 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
295
296         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
297         https://bugs.webkit.org/show_bug.cgi?id=195950
298
299         Unreviewed, reducing the amount of memory used on this test to avoid
300         OOM on devices with memory restrictions.
301
302         * microbenchmarks/generate-multiple-llint-entrypoints.js:
303
304 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
305
306         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
307         https://bugs.webkit.org/show_bug.cgi?id=194648
308
309         Reviewed by Keith Miller.
310
311         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
312
313 2019-03-18  Mark Lam  <mark.lam@apple.com>
314
315         Missing a ThrowScope release in JSObject::toString().
316         https://bugs.webkit.org/show_bug.cgi?id=195893
317         <rdar://problem/48970986>
318
319         Reviewed by Michael Saboff.
320
321         * stress/to-string-exception-check-release.js: Added.
322
323 2019-03-18  Mark Lam  <mark.lam@apple.com>
324
325         Structure::flattenDictionary() should clear unused property slots.
326         https://bugs.webkit.org/show_bug.cgi?id=195871
327         <rdar://problem/48959497>
328
329         Reviewed by Michael Saboff.
330
331         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
332
333 2019-03-15  Mark Lam  <mark.lam@apple.com>
334
335         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
336         https://bugs.webkit.org/show_bug.cgi?id=195827
337         <rdar://problem/48845513>
338
339         Reviewed by Filip Pizlo.
340
341         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
342
343 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
344
345         [ARM,MIPS] Skip slow tests
346         https://bugs.webkit.org/show_bug.cgi?id=195799
347
348         Unreviewed, test does not finish on ARM and MIPS within the
349         timeout limit.
350
351         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
352
353 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
354
355         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
356         https://bugs.webkit.org/show_bug.cgi?id=195791
357         <rdar://problem/48806130>
358
359         Reviewed by Mark Lam.
360
361         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
362         (foo):
363
364 2019-03-14  Saam barati  <sbarati@apple.com>
365
366         We can't remove code after ForceOSRExit until after FixupPhase
367         https://bugs.webkit.org/show_bug.cgi?id=186916
368         <rdar://problem/41396612>
369
370         Reviewed by Yusuke Suzuki.
371
372         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
373         (foo):
374         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
375         (foo):
376
377 2019-03-13  Michael Saboff  <msaboff@apple.com>
378
379         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
380         https://bugs.webkit.org/show_bug.cgi?id=195735
381
382         Reviewed by Mark Lam.
383
384         New regression test.
385
386         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
387         (foo):
388         (bar):
389
390 2019-03-14  Saam barati  <sbarati@apple.com>
391
392         Fixup uses KnownInt32 incorrectly in some nodes
393         https://bugs.webkit.org/show_bug.cgi?id=195279
394         <rdar://problem/47915654>
395
396         Reviewed by Yusuke Suzuki.
397
398         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
399         (foo):
400
401 2019-03-14  Keith Miller  <keith_miller@apple.com>
402
403         DFG liveness can't skip tail caller inline frames
404         https://bugs.webkit.org/show_bug.cgi?id=195715
405
406         Reviewed by Saam Barati.
407
408         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
409         (i.foo):
410
411 2019-03-13  Mark Lam  <mark.lam@apple.com>
412
413         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
414         https://bugs.webkit.org/show_bug.cgi?id=195415
415
416         Not reviewed.
417
418         Changed these tests to only run the default configuration.
419         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
420         There's no strong need to run this test on that variant.
421
422         * stress/dfg-to-string-on-int-does-gc.js:
423         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
424
425 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
426
427         String overflow when using StringBuilder in JSC::createError
428         https://bugs.webkit.org/show_bug.cgi?id=194957
429
430         Reviewed by Mark Lam.
431
432         Add test string-overflow-createError-builder.js that overflows
433         StringBuilder in notAFunctionSourceAppender. The second new test
434         string-overflow-createError-fit.js has an error message that doesn't
435         overflow, it still failed since the String's capacity can't be doubled.
436         Run test string-overflow-createError.js only in the default
437         configuration to reduce memory consumption when running the test
438         in all configurations on multiple CPUs in parallel.
439
440         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
441         (catch):
442         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
443         (catch):
444         * stress/string-overflow-createError.js:
445
446 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
447
448         [JSC] OSR entry should respect abstract values in addition to flush formats
449         https://bugs.webkit.org/show_bug.cgi?id=195653
450
451         Reviewed by Mark Lam.
452
453         * stress/osr-entry-locals-none.js: Added.
454
455 2019-03-12  Michael Saboff  <msaboff@apple.com>
456
457         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
458         https://bugs.webkit.org/show_bug.cgi?id=195613
459
460         Reviewed by Mark Lam.
461
462         New regression test.
463
464         * stress/regexp-backref-inbounds.js: Added.
465         (testRegExp):
466
467 2019-03-12  Mark Lam  <mark.lam@apple.com>
468
469         The HasIndexedProperty node does GC.
470         https://bugs.webkit.org/show_bug.cgi?id=195559
471         <rdar://problem/48767923>
472
473         Reviewed by Yusuke Suzuki.
474
475         * stress/HasIndexedProperty-does-gc.js: Added.
476
477 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
478
479         [ESNext][BigInt] Implement "~" unary operation
480         https://bugs.webkit.org/show_bug.cgi?id=182216
481
482         Reviewed by Keith Miller.
483
484         * stress/big-int-bit-not-general.js: Added.
485         * stress/big-int-bitwise-not-jit.js: Added.
486         * stress/big-int-bitwise-not-wrapped-value.js: Added.
487         * stress/bit-op-with-object-returning-int32.js:
488         * stress/bitwise-not-fixup-rules.js: Added.
489         * stress/value-bit-not-ai-rule.js: Added.
490
491 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
492
493         Invalid flags in a RegExp literal should be an early SyntaxError
494         https://bugs.webkit.org/show_bug.cgi?id=195514
495
496         Reviewed by Darin Adler.
497
498         * test262/expectations.yaml:
499         Mark 4 test cases as passing.
500
501         * stress/regexp-syntax-error-invalid-flags.js:
502         * stress/regress-161995.js: Removed.
503         Update existing test, merging in an older test for the same behavior.
504
505 2019-03-08  Mark Lam  <mark.lam@apple.com>
506
507         Stack overflow crash in JSC::JSObject::hasInstance.
508         https://bugs.webkit.org/show_bug.cgi?id=195458
509         <rdar://problem/48710195>
510
511         Reviewed by Yusuke Suzuki.
512
513         * stress/stack-overflow-in-custom-hasInstance.js: Added.
514
515 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
516
517         op_check_tdz does not def its argument
518         https://bugs.webkit.org/show_bug.cgi?id=192880
519         <rdar://problem/46221598>
520
521         Reviewed by Saam Barati.
522
523         * microbenchmarks/let-for-in.js: Added.
524         (foo):
525
526 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
527
528         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
529         https://bugs.webkit.org/show_bug.cgi?id=195429
530
531         Reviewed by Saam Barati.
532
533         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
534         (foo):
535         * stress/string-from-char-code-255.js: Added.
536
537 2019-03-06  Mark Lam  <mark.lam@apple.com>
538
539         Fix incorrect handling of try-finally completion values.
540         https://bugs.webkit.org/show_bug.cgi?id=195131
541         <rdar://problem/46222079>
542
543         Reviewed by Saam Barati and Yusuke Suzuki.
544
545         Added many permutations of new test case to test-finally.js.  test-finally.js has
546         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
547         tests pass there as well.
548
549         * stress/test-finally.js:
550
551 2019-03-06  Saam Barati  <sbarati@apple.com>
552
553         Air::reportUsedRegisters must padInterference
554         https://bugs.webkit.org/show_bug.cgi?id=195303
555         <rdar://problem/48270343>
556
557         Reviewed by Keith Miller.
558
559         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
560
561 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
562
563         [JSC] AI should not propagate AbstractValue relying on constant folding phase
564         https://bugs.webkit.org/show_bug.cgi?id=195375
565
566         Reviewed by Saam Barati.
567
568         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
569         (let.array):
570
571 2019-03-05  Saam barati  <sbarati@apple.com>
572
573         op_switch_char broken for rope strings after JSRopeString layout rewrite
574         https://bugs.webkit.org/show_bug.cgi?id=195339
575         <rdar://problem/48592545>
576
577         Reviewed by Yusuke Suzuki.
578
579         * stress/switch-on-char-llint-rope.js: Added.
580
581 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
582
583         [JSC] Store bits for JSRopeString in 3 stores
584         https://bugs.webkit.org/show_bug.cgi?id=195234
585
586         Reviewed by Saam Barati.
587
588         * stress/null-rope-and-collectors.js: Added.
589
590 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
591
592         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
593         https://bugs.webkit.org/show_bug.cgi?id=195207
594
595         Unreviewed. After test runtime was reduced in r242213, test can be
596         run again on ARM/MIPS.
597
598         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
599
600 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
601
602         [JSC] sizeof(JSString) should be 16
603         https://bugs.webkit.org/show_bug.cgi?id=194375
604
605         Reviewed by Saam Barati.
606
607         * microbenchmarks/make-rope.js: Added.
608         (makeRope):
609         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
610         (returnRope.helper): Deleted.
611         (returnRope): Deleted.
612
613 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
614
615         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
616         https://bugs.webkit.org/show_bug.cgi?id=195144
617
618         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
619         Change the number from 1e8 to 1e5.
620
621         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
622         (foo):
623
624 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
625
626         Test times out on ARM/MIPS
627         https://bugs.webkit.org/show_bug.cgi?id=195168
628
629         Unreviewed. Skip test on ARM/MIPS.
630
631         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
632
633 2019-02-27  Mark Lam  <mark.lam@apple.com>
634
635         The parser is failing to record the token location of new in new.target.
636         https://bugs.webkit.org/show_bug.cgi?id=195127
637         <rdar://problem/39645578>
638
639         Reviewed by Yusuke Suzuki.
640
641         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
642
643 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
646         https://bugs.webkit.org/show_bug.cgi?id=195144
647         <rdar://problem/47595961>
648
649         Reviewed by Mark Lam.
650
651         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
652         (bar):
653         (foo):
654         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
655         (bar):
656         (foo):
657
658 2019-02-27  Robin Morisset  <rmorisset@apple.com>
659
660         DFG: Loop-invariant code motion (LICM) should not hoist dead code
661         https://bugs.webkit.org/show_bug.cgi?id=194945
662         <rdar://problem/48311657>
663
664         Reviewed by Mark Lam.
665
666         * stress/licm-dead-code.js: Added.
667
668 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
669
670         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
671         https://bugs.webkit.org/show_bug.cgi?id=194677
672         <rdar://problem/48112492>
673
674         Reviewed by Mark Lam.
675
676         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
677         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
678         it immediately fails due to the large size.
679
680         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
681         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
682         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
683         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
684
685         This patch changes the test to produce 16bit string from String.fromCharCode.
686
687         * stress/regress-178386.js:
688
689 2019-02-26  Mark Lam  <mark.lam@apple.com>
690
691         wasmToJS() should purify incoming NaNs.
692         https://bugs.webkit.org/show_bug.cgi?id=194807
693         <rdar://problem/48189132>
694
695         Reviewed by Saam Barati.
696
697         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
698
699 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
700
701         [JSC] Repeat string created from Array.prototype.join() take too much memory
702         https://bugs.webkit.org/show_bug.cgi?id=193912
703
704         Reviewed by Saam Barati.
705
706         Added a test and a microbenchmark for corner cases of
707         Array.prototype.join() with an uninitialized array.
708
709         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
710         * stress/array-prototype-join-uninitialized.js: Added.
711         (testArray):
712         (testABC):
713         (B):
714         (C):
715
716 2019-02-22  Robin Morisset  <rmorisset@apple.com>
717
718         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
719         https://bugs.webkit.org/show_bug.cgi?id=194953
720         <rdar://problem/47595253>
721
722         Reviewed by Saam Barati.
723
724         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
725
726         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
727
728 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
729
730         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
731         https://bugs.webkit.org/show_bug.cgi?id=172848
732         <rdar://problem/25709212>
733
734         Reviewed by Mark Lam.
735
736         * typeProfiler/inheritance.js:
737         Rewrite the test slightly for clarity. The hoisting was confusing.
738
739         * heapProfiler/class-names.js: Added.
740         (MyES5Class):
741         (MyES6Class):
742         (MyES6Subclass):
743         Test object types and improved class names.
744
745         * heapProfiler/driver/driver.js:
746         (CheapHeapSnapshotNode):
747         (CheapHeapSnapshot):
748         (createCheapHeapSnapshot):
749         (HeapSnapshot):
750         (createHeapSnapshot):
751         Update snapshot parsing from version 1 to version 2.
752
753 2019-02-19  Truitt Savell  <tsavell@apple.com>
754
755         Unreviewed, rolling out r241784.
756
757         Broke all OpenSource builds.
758
759         Reverted changeset:
760
761         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
762         instances view"
763         https://bugs.webkit.org/show_bug.cgi?id=172848
764         https://trac.webkit.org/changeset/241784
765
766 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
767
768         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
769         https://bugs.webkit.org/show_bug.cgi?id=172848
770         <rdar://problem/25709212>
771
772         Reviewed by Mark Lam.
773
774         * typeProfiler/inheritance.js:
775         Rewrite the test slightly for clarity. The hoisting was confusing.
776
777         * heapProfiler/class-names.js: Added.
778         (MyES5Class):
779         (MyES6Class):
780         (MyES6Subclass):
781         Test object types and improved class names.
782
783         * heapProfiler/driver/driver.js:
784         (CheapHeapSnapshotNode):
785         (CheapHeapSnapshot):
786         (createCheapHeapSnapshot):
787         (HeapSnapshot):
788         (createHeapSnapshot):
789         Update snapshot parsing from version 1 to version 2.
790
791 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
792
793         [ARM] Fix crash with sampling profiler
794         https://bugs.webkit.org/show_bug.cgi?id=194772
795
796         Reviewed by Mark Lam.
797
798         Do not skip test since crash with sampling profiler is now fixed.
799
800         * stress/sampling-profiler-richards.js:
801
802 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
803
804         [JSC] Add LazyClassStructure::getInitializedOnMainThread
805         https://bugs.webkit.org/show_bug.cgi?id=194784
806         <rdar://problem/48154820>
807
808         Reviewed by Mark Lam.
809
810         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
811         (getProperties):
812         (getRandomProperty):
813         (i.catch):
814
815 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
816
817         [ARM] Test gardening: Test running out of executable memory
818         https://bugs.webkit.org/show_bug.cgi?id=194771
819
820         Unreviewed. Do not run test without LLInt, test is running out of executable
821         memory on ARM otherwise.
822
823         * stress/tagged-template-object-collect.js:
824
825 2019-02-18  Tomas Popela  <tpopela@redhat.com>
826
827         Unreviewed, skip the test on platforms without sampling profiler
828
829         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
830         (platformSupportsSamplingProfiler.foo):
831         (platformSupportsSamplingProfiler.test):
832         (platformSupportsSamplingProfiler):
833         (foo): Deleted.
834         (test): Deleted.
835
836 2019-02-17  Saam Barati  <sbarati@apple.com>
837
838         Deadlock when adding a Structure property transition and then doing incremental marking
839         https://bugs.webkit.org/show_bug.cgi?id=194767
840
841         Reviewed by Mark Lam.
842
843         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
844
845 2019-02-15  Michael Saboff  <msaboff@apple.com>
846
847         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
848         https://bugs.webkit.org/show_bug.cgi?id=194558
849
850         Reviewed by Saam Barati.
851
852         New regression test.
853
854         * stress/regexp-unicode-within-string.js: Added.
855
856 2019-02-15  Mark Lam  <mark.lam@apple.com>
857
858         SamplingProfiler::stackTracesAsJSON() should escape strings.
859         https://bugs.webkit.org/show_bug.cgi?id=194649
860         <rdar://problem/48072386>
861
862         Reviewed by Saam Barati.
863
864         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
865         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
866         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
867         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
868
869 2019-02-15  Robin Morisset  <rmorisset@apple.com>
870         CodeBlock::jettison should clear related watchpoints
871         https://bugs.webkit.org/show_bug.cgi?id=194544
872
873         Reviewed by Mark Lam.
874
875         * stress/regexp-replace-double-watchpoint.js: Added.
876         (foo):
877
878 2019-02-15  Saam barati  <sbarati@apple.com>
879
880         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
881         https://bugs.webkit.org/show_bug.cgi?id=194036
882
883         Reviewed by Yusuke Suzuki.
884
885         * stress/tail-call-many-arguments.js: Added.
886         (foo):
887         (bar):
888
889 2019-02-14  Saam Barati  <sbarati@apple.com>
890
891         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
892         https://bugs.webkit.org/show_bug.cgi?id=194583
893         <rdar://problem/48028140>
894
895         Reviewed by Yusuke Suzuki.
896
897         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
898
899 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
900
901         [JSC] String.fromCharCode's slow path always generates 16bit string
902         https://bugs.webkit.org/show_bug.cgi?id=194466
903
904         Reviewed by Keith Miller.
905
906         * stress/string-from-char-code-slow-path.js: Added.
907         (shouldBe):
908         (testWithLength):
909
910 2019-02-08  Saam barati  <sbarati@apple.com>
911
912         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
913         https://bugs.webkit.org/show_bug.cgi?id=194334
914         <rdar://problem/47844327>
915
916         Reviewed by Mark Lam.
917
918         * stress/check-in-bounds-should-be-a-child-use.js: Added.
919         (func):
920
921 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
922
923         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
924         https://bugs.webkit.org/show_bug.cgi?id=194369
925         <rdar://problem/47813087>
926
927         Reviewed by Saam Barati.
928
929         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
930         (A):
931
932 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
933
934         [JSC] PrivateName to PublicName hash table is wasteful
935         https://bugs.webkit.org/show_bug.cgi?id=194277
936
937         Reviewed by Michael Saboff.
938
939         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
940
941         * ChakraCore.yaml:
942
943 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
944
945         [ARM] Test running out of executable memory
946         https://bugs.webkit.org/show_bug.cgi?id=194285
947
948         Unreviewed. Do not execute test with LLInt disabled, test runs out of
949         executable memory otherwise.
950
951         * stress/class-subclassing-function.js:
952
953 2019-02-04  Robin Morisset  <rmorisset@apple.com>
954
955         when lowering AssertNotEmpty, create the value before creating the patchpoint
956         https://bugs.webkit.org/show_bug.cgi?id=194231
957
958         Reviewed by Saam Barati.
959
960         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
961         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
962         So even tiny changes to this test can change the path code taken.
963
964         * stress/assert-not-empty.js: Added.
965         (foo):
966
967 2019-02-01  Mark Lam  <mark.lam@apple.com>
968
969         Remove invalid assertion in DFG's compileDoubleRep().
970         https://bugs.webkit.org/show_bug.cgi?id=194130
971         <rdar://problem/47699474>
972
973         Reviewed by Saam Barati.
974
975         * stress/constant-fold-double-rep-into-double-constant.js: Added.
976
977 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
978
979         Import latest Test262 updates.
980
981         Rubber-stamped by Keith Miller.
982
983         * test262.yaml: Deleted.
984         * test262/config.yaml:
985         * test262/expectations.yaml:
986         * test262/latest-changes-summary.txt:
987         * test262/test/:
988         * test262/test262-Revision.txt:
989
990 2019-01-30  Robin Morisset  <rmorisset@apple.com>
991
992         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
993         https://bugs.webkit.org/show_bug.cgi?id=194050
994         <rdar://problem/47595592>
995
996         Reviewed by Yusuke Suzuki.
997
998         * stress/object-keys-osr-exit.js: Added.
999         (foo):
1000         (catch):
1001
1002 2019-01-29  Mark Lam  <mark.lam@apple.com>
1003
1004         ValueRecovery::recover() should purify NaN values it recovers.
1005         https://bugs.webkit.org/show_bug.cgi?id=193978
1006         <rdar://problem/47625488>
1007
1008         Reviewed by Saam Barati.
1009
1010         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1011
1012 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1013
1014         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1015         https://bugs.webkit.org/show_bug.cgi?id=193713
1016
1017         * stress/try-get-by-id-should-spill-registers-dfg.js:
1018         (let.f.createBuiltin):
1019
1020 2019-01-28  Mark Lam  <mark.lam@apple.com>
1021
1022         ToString node actually does GC.
1023         https://bugs.webkit.org/show_bug.cgi?id=193920
1024         <rdar://problem/46695900>
1025
1026         Reviewed by Yusuke Suzuki.
1027
1028         * stress/dfg-to-string-on-int-does-gc.js: Added.
1029         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1030         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1031
1032 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1033
1034         [JSC] NativeErrorConstructor should not have own IsoSubspace
1035         https://bugs.webkit.org/show_bug.cgi?id=193713
1036
1037         Reviewed by Saam Barati.
1038
1039         Remove @Error use.
1040
1041         * stress/try-get-by-id-should-spill-registers-dfg.js:
1042         (let.f.createBuiltin):
1043
1044 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1045
1046         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1047         https://bugs.webkit.org/show_bug.cgi?id=190693
1048
1049         Reviewed by Michael Saboff.
1050
1051         * stress/regress-190693.js: Added.
1052         (truth):
1053         (assert):
1054         (shouldThrowInvalidConstAssignment):
1055         (taz):
1056
1057 2019-01-24  Saam Barati  <sbarati@apple.com>
1058
1059         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1060         https://bugs.webkit.org/show_bug.cgi?id=193751
1061         <rdar://problem/47280215>
1062
1063         Reviewed by Michael Saboff.
1064
1065         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1066         (let.thing):
1067         (foo.let.hello):
1068         (foo):
1069
1070 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1071
1072         [JSC] Reenable baseline JIT on mips
1073         https://bugs.webkit.org/show_bug.cgi?id=192983
1074
1075         Reviewed by Mark Lam.
1076
1077         Added a new test for a case that was triggering a RELEASE_ASSERT when
1078         testing.
1079         Disable some slow tests that were already disabled for arm and x86.
1080
1081         * stress/json-parse-big-object.js: Added.
1082         * stress/new-largeish-contiguous-array-with-size.js:
1083         * stress/op_add.js:
1084         * stress/op_bitand.js:
1085         * stress/op_bitor.js:
1086         * stress/op_bitxor.js:
1087         * stress/op_lshift-ConstVar.js:
1088         * stress/op_lshift-VarConst.js:
1089         * stress/op_lshift-VarVar.js:
1090         * stress/op_mod-ConstVar.js:
1091         * stress/op_mod-VarConst.js:
1092         * stress/op_mod-VarVar.js:
1093         * stress/op_mul-ConstVar.js:
1094         * stress/op_mul-VarConst.js:
1095         * stress/op_mul-VarVar.js:
1096         * stress/op_rshift-ConstVar.js:
1097         * stress/op_rshift-VarConst.js:
1098         * stress/op_rshift-VarVar.js:
1099         * stress/op_sub-ConstVar.js:
1100         * stress/op_sub-VarConst.js:
1101         * stress/op_sub-VarVar.js:
1102         * stress/op_urshift-ConstVar.js:
1103         * stress/op_urshift-VarConst.js:
1104         * stress/op_urshift-VarVar.js:
1105         * stress/sampling-profiler-richards.js:
1106         * stress/spread-forward-call-varargs-stack-overflow.js:
1107
1108 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1109
1110         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1111         https://bugs.webkit.org/show_bug.cgi?id=193711
1112         <rdar://problem/47250262>
1113
1114         Reviewed by Saam Barati.
1115
1116         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1117         (shouldBe):
1118         (foo):
1119         (bar):
1120         (baz):
1121
1122 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1123
1124         Unreviewed, fix initial global lexical binding epoch
1125         https://bugs.webkit.org/show_bug.cgi?id=193603
1126         <rdar://problem/47380869>
1127
1128         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1129         (f1.f2.f3.f4):
1130         (f1.f2.f3):
1131         (f1.f2):
1132         (f1):
1133
1134 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1135
1136         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1137         https://bugs.webkit.org/show_bug.cgi?id=193709
1138         <rdar://problem/47363838>
1139
1140         Unreviewed, rollout to watch the tests.
1141
1142         * stress/object-tostring-changed-proto.js: Removed.
1143         * stress/object-tostring-changed.js: Removed.
1144         * stress/object-tostring-misc.js: Removed.
1145         * stress/object-tostring-other.js: Removed.
1146         * stress/object-tostring-untyped.js: Removed.
1147
1148 2019-01-22  Saam Barati  <sbarati@apple.com>
1149
1150         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1151
1152         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1153         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1154         (testUncheckedLessThanZero):
1155         (testUncheckedLessThanOrEqualZero):
1156         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1157         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1158
1159 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1160
1161         [JSC] Invalidate old scope operations using global lexical binding epoch
1162         https://bugs.webkit.org/show_bug.cgi?id=193603
1163         <rdar://problem/47380869>
1164
1165         Reviewed by Saam Barati.
1166
1167         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1168         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1169         (shouldThrow):
1170         (bar):
1171         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1172         (shouldBe):
1173         (get1):
1174         (get2):
1175         (get1If):
1176         (get2If):
1177         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1178         (shouldThrow):
1179         (foo):
1180
1181 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1182
1183         Unreviewed, roll out r240220 due to date-format-xparb regression
1184         https://bugs.webkit.org/show_bug.cgi?id=193603
1185
1186         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1187         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1188         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1189         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1190
1191 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1192
1193         DoesGC rule is wrong for nodes with BigIntUse
1194         https://bugs.webkit.org/show_bug.cgi?id=193652
1195
1196         Reviewed by Saam Barati.
1197
1198         * stress/big-int-value-op-update-gc-rules.js: Added.
1199         (assert):
1200         (doesGCAdd):
1201         (doesGCSub):
1202         (doesGCDiv):
1203         (doesGCMul):
1204         (doesGCBitAnd):
1205         (doesGCBitOr):
1206         (doesGCBitXor):
1207
1208 2019-01-20  Saam Barati  <sbarati@apple.com>
1209
1210         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1211         https://bugs.webkit.org/show_bug.cgi?id=193644
1212         <rdar://problem/46209745>
1213
1214         Reviewed by Yusuke Suzuki.
1215
1216         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1217         (foo):
1218         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1219         (foo):
1220         (bar):
1221
1222 2019-01-20  Saam Barati  <sbarati@apple.com>
1223
1224         MovHint must merge NodeBytecodeUsesAsValue for its child
1225         https://bugs.webkit.org/show_bug.cgi?id=186916
1226         <rdar://problem/41396612>
1227
1228         Reviewed by Yusuke Suzuki.
1229
1230         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1231         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1232
1233 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1234
1235         [JSC] Invalidate old scope operations using global lexical binding epoch
1236         https://bugs.webkit.org/show_bug.cgi?id=193603
1237         <rdar://problem/47380869>
1238
1239         Reviewed by Saam Barati.
1240
1241         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1242         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1243         (shouldThrow):
1244         (bar):
1245         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1246         (shouldBe):
1247         (get1):
1248         (get2):
1249         (get1If):
1250         (get2If):
1251         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1252         (shouldThrow):
1253         (foo):
1254
1255 2019-01-17  Saam barati  <sbarati@apple.com>
1256
1257         StringObjectUse should not be a structure check for the original string object structure
1258         https://bugs.webkit.org/show_bug.cgi?id=193483
1259         <rdar://problem/47280522>
1260
1261         Reviewed by Yusuke Suzuki.
1262
1263         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1264         (foo):
1265         (a.valueOf.0):
1266
1267 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1268
1269         [JSC] ToThis omission in DFGByteCodeParser is wrong
1270         https://bugs.webkit.org/show_bug.cgi?id=193513
1271         <rdar://problem/45842236>
1272
1273         Reviewed by Saam Barati.
1274
1275         * stress/to-this-omission-with-different-strict-modes.js: Added.
1276         (thisA):
1277         (thisAStrictWrapper):
1278
1279 2019-01-15  Mark Lam  <mark.lam@apple.com>
1280
1281         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1282         https://bugs.webkit.org/show_bug.cgi?id=193423
1283         <rdar://problem/46209355>
1284
1285         Reviewed by Saam Barati.
1286
1287         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1288         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1289         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1290         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1291
1292 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1293
1294         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1295         https://bugs.webkit.org/show_bug.cgi?id=193438
1296         <rdar://problem/45581249>
1297
1298         Reviewed by Saam Barati and Keith Miller.
1299
1300         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1301         Then, GetByVal(String) crashed.
1302
1303         * stress/string-get-by-val-lowering.js: Added.
1304         (shouldBe):
1305         (test):
1306         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1307         (Hello):
1308         (foo):
1309
1310 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1311
1312         Unreviewed, skip JIT tests if it's not enabled
1313
1314         * stress/bit-op-with-object-returning-int32.js:
1315
1316 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1317
1318         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1319         https://bugs.webkit.org/show_bug.cgi?id=192966
1320
1321         Reviewed by Yusuke Suzuki.
1322
1323         * stress/bit-op-with-object-returning-int32.js: Added.
1324
1325 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1326
1327         Skip a slow test and a flakey test on arm
1328
1329         Unreviewed gardening.
1330
1331         * typeProfiler/getter-richards.js:
1332         this test always times out, it used to be always skipped on arm and
1333         mips, but got accidentally enabled by r237919 now that we have DFG on
1334         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1335
1336 2019-01-14  Keith Miller  <keith_miller@apple.com>
1337
1338         Skip type-check-hoisting-phase-hoist... with no jit
1339         https://bugs.webkit.org/show_bug.cgi?id=193421
1340
1341         Reviewed by Mark Lam.
1342
1343         It's timing out the 32-bit bots and takes 330 seconds
1344         on my machine when run by itself.
1345
1346         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1347
1348 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1349
1350         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1351         https://bugs.webkit.org/show_bug.cgi?id=193413
1352         <rdar://problem/46092389>
1353
1354         Reviewed by Keith Miller.
1355
1356         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1357         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1358         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1359         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1360
1361         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1362         (compareArray):
1363
1364 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1365
1366         [BigInt] Literal parsing is crashing when used inside a Object Literal
1367         https://bugs.webkit.org/show_bug.cgi?id=193404
1368
1369         Reviewed by Yusuke Suzuki.
1370
1371         * stress/big-int-literal-inside-literal-object.js: Added.
1372
1373 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1374
1375         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1376         https://bugs.webkit.org/show_bug.cgi?id=193372
1377
1378         Reviewed by Saam Barati.
1379
1380         * stress/typed-array-array-modes-profile.js: Added.
1381         (foo):
1382
1383 2019-01-14  Mark Lam  <mark.lam@apple.com>
1384
1385         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1386         https://bugs.webkit.org/show_bug.cgi?id=193402
1387         <rdar://problem/46012309>
1388
1389         Reviewed by Keith Miller.
1390
1391         * stress/regexp-compile-oom.js:
1392         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1393           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1394
1395 2019-01-11  Saam barati  <sbarati@apple.com>
1396
1397         DFG combined liveness can be wrong for terminal basic blocks
1398         https://bugs.webkit.org/show_bug.cgi?id=193304
1399         <rdar://problem/45268632>
1400
1401         Reviewed by Yusuke Suzuki.
1402
1403         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1404
1405 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1406
1407         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1408         https://bugs.webkit.org/show_bug.cgi?id=193308
1409         <rdar://problem/45546542>
1410
1411         Reviewed by Saam Barati.
1412
1413         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1414         (shouldThrow):
1415         (shouldBe):
1416         (foo):
1417         (get shouldThrow):
1418         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1419         (shouldThrow):
1420         (shouldBe):
1421         (foo):
1422         (get shouldBe):
1423         (get shouldThrow):
1424         (get return):
1425         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1426         (shouldThrow):
1427         (shouldBe):
1428         (foo):
1429         (get shouldBe):
1430         (get shouldThrow):
1431         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1432         (shouldThrow):
1433         (shouldBe):
1434         (foo):
1435         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1436         (shouldThrow):
1437         (shouldBe):
1438         (foo):
1439         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1440         (shouldThrow):
1441         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1442         (shouldThrow):
1443         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1444         (shouldThrow):
1445         (shouldBe):
1446         (foo):
1447         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1448         (shouldThrow):
1449         (shouldBe):
1450         (foo):
1451         (get shouldBe):
1452         (get shouldThrow):
1453         (get return):
1454         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1455         (shouldThrow):
1456         (shouldBe):
1457         (foo):
1458         (get shouldBe):
1459         (get shouldThrow):
1460         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1461         (shouldThrow):
1462         (shouldBe):
1463         (foo):
1464         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1465         (shouldThrow):
1466         (shouldBe):
1467         (foo):
1468
1469 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1470
1471         Enable DFG on ARM/Linux again
1472         https://bugs.webkit.org/show_bug.cgi?id=192496
1473
1474         Reviewed by Yusuke Suzuki.
1475
1476         Test wasn't really skipped before moving the line with skip
1477         to the top.
1478
1479         * stress/regress-192717.js:
1480
1481 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1482
1483         Unreviewed, rolling out r239825.
1484         https://bugs.webkit.org/show_bug.cgi?id=193330
1485
1486         Broke tests on armv7/linux bots (Requested by guijemont on
1487         #webkit).
1488
1489         Reverted changeset:
1490
1491         "Enable DFG on ARM/Linux again"
1492         https://bugs.webkit.org/show_bug.cgi?id=192496
1493         https://trac.webkit.org/changeset/239825
1494
1495 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1496
1497         Enable DFG on ARM/Linux again
1498         https://bugs.webkit.org/show_bug.cgi?id=192496
1499
1500         Reviewed by Yusuke Suzuki.
1501
1502         Test wasn't really skipped before moving the line with skip
1503         to the top.
1504
1505         * stress/regress-192717.js:
1506
1507 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1508
1509         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1510         https://bugs.webkit.org/show_bug.cgi?id=193127
1511
1512         Reviewed by Saam Barati.
1513
1514         * stress/array-species-create-should-handle-masquerader.js: Added.
1515         (shouldThrow):
1516         * stress/is-undefined-or-null-builtin.js: Added.
1517         (shouldBe):
1518         (isUndefinedOrNull.vm.createBuiltin):
1519
1520 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1521
1522         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1523         https://bugs.webkit.org/show_bug.cgi?id=193221
1524
1525         Reviewed by Mark Lam.
1526
1527         * stress/put-by-id-flags.js: Added.
1528         (f):
1529         (g):
1530         (numberOfDFGCompiles):
1531
1532 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1533
1534         Baseline version of get_by_id may corrupt metadata
1535         https://bugs.webkit.org/show_bug.cgi?id=193085
1536         <rdar://problem/23453006>
1537
1538         Reviewed by Saam Barati.
1539
1540         * stress/get-by-id-change-mode.js: Added.
1541         (forEach):
1542
1543 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1544
1545         [JSC] Optimize Object.prototype.toString
1546         https://bugs.webkit.org/show_bug.cgi?id=193031
1547
1548         Reviewed by Saam Barati.
1549
1550         * stress/object-tostring-changed-proto.js: Added.
1551         (shouldBe):
1552         (test):
1553         * stress/object-tostring-changed.js: Added.
1554         (shouldBe):
1555         (test):
1556         * stress/object-tostring-misc.js: Added.
1557         (shouldBe):
1558         (test):
1559         (i.switch):
1560         * stress/object-tostring-other.js: Added.
1561         (shouldBe):
1562         (test):
1563         * stress/object-tostring-untyped.js: Added.
1564         (shouldBe):
1565         (test):
1566         (i.switch):
1567
1568 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1569
1570         test262-runner misbehaves when test file YAML has a trailing space
1571         https://bugs.webkit.org/show_bug.cgi?id=193053
1572
1573         Reviewed by Yusuke Suzuki.
1574
1575         * test262/expectations.yaml:
1576         Mark two dozen tests as passing (and correct the output of another).
1577
1578 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1579
1580         Unreviewed, JSTests gardening with memoryLimited
1581
1582         * stress/string-overflow-createError.js:
1583
1584 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1585
1586         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1587         https://bugs.webkit.org/show_bug.cgi?id=193050
1588
1589         Reviewed by Yusuke Suzuki.
1590
1591         * test262.yaml:
1592         * test262/expectations.yaml:
1593         Mark 16 tests as passing.
1594
1595 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1596
1597         [BigInt] Support BigInt in JSON.stringify
1598         https://bugs.webkit.org/show_bug.cgi?id=192624
1599
1600         Reviewed by Saam Barati.
1601
1602         * stress/big-int-json-stringify-to-json.js: Added.
1603         (shouldBe):
1604         (shouldThrow):
1605         (BigInt.prototype.toJSON):
1606         (shouldBe.JSON.stringify):
1607         * stress/big-int-json-stringify.js: Added.
1608         (shouldBe):
1609         (shouldThrow):
1610
1611 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1612
1613         [JSC] Implement "well-formed JSON.stringify" proposal
1614         https://bugs.webkit.org/show_bug.cgi?id=191677
1615
1616         Reviewed by Darin Adler.
1617
1618         * stress/json-surrogate-pair.js: Added.
1619         (shouldBe):
1620         * test262/expectations.yaml:
1621
1622 2018-12-20  Keith Miller  <keith_miller@apple.com>
1623
1624         Add support for globalThis
1625         https://bugs.webkit.org/show_bug.cgi?id=165171
1626
1627         Reviewed by Mark Lam.
1628
1629         * test262/config.yaml:
1630
1631 2018-12-19  Keith Miller  <keith_miller@apple.com>
1632
1633         Update test262 configuration to not run tests dependent on ICU version.
1634         https://bugs.webkit.org/show_bug.cgi?id=192920
1635
1636         Reviewed by Saam Barati.
1637
1638         * test262/expectations.yaml:
1639
1640 2018-12-20  Mark Lam  <mark.lam@apple.com>
1641
1642         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1643         https://bugs.webkit.org/show_bug.cgi?id=192939
1644         <rdar://problem/46869516>
1645
1646         Reviewed by Keith Miller.
1647
1648         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1649
1650 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1651
1652         WTF::String and StringImpl overflow MaxLength
1653         https://bugs.webkit.org/show_bug.cgi?id=192853
1654         <rdar://problem/45726906>
1655
1656         Reviewed by Mark Lam.
1657
1658         * stress/string-16bit-repeat-overflow.js: Added.
1659         (catch):
1660
1661 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1662
1663         Unreviewed follow-up to r192914.
1664
1665         * test262/expectations.yaml:
1666         Add the last 20 missing expectations.
1667
1668 2018-12-19  Keith Miller  <keith_miller@apple.com>
1669
1670         Fix test262 expectations
1671         https://bugs.webkit.org/show_bug.cgi?id=192914
1672
1673         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1674
1675         * test262/expectations.yaml:
1676
1677 2018-12-19  Keith Miller  <keith_miller@apple.com>
1678
1679         Update test262 tests.
1680         https://bugs.webkit.org/show_bug.cgi?id=192907
1681
1682         Rubber stamped by Mark Lam.
1683
1684         * test262/*: Omitted because prepare-changelog crashes.
1685
1686 2018-12-19  Mark Lam  <mark.lam@apple.com>
1687
1688         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1689         https://bugs.webkit.org/show_bug.cgi?id=192464
1690         <rdar://problem/46519455>
1691
1692         Reviewed by Saam Barati.
1693
1694         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1695         microbenchmark.
1696
1697         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1698         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1699
1700 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1701
1702         String overflow in JSC::createError results in ASSERT in WTF::makeString
1703         https://bugs.webkit.org/show_bug.cgi?id=192833
1704         <rdar://problem/45706868>
1705
1706         Reviewed by Mark Lam.
1707
1708         * stress/string-overflow-createError.js: Added.
1709
1710 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1711
1712         Error message for `-x ** y` contains a typo.
1713         https://bugs.webkit.org/show_bug.cgi?id=192832
1714
1715         Reviewed by Saam Barati.
1716
1717         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1718         (assert.assert.return.throws):
1719         * stress/pow-expects-update-expression-on-lhs.js:
1720         (throw.new.Error):
1721         Update test expectations which match against the exact error message.
1722
1723 2018-12-18  Mark Lam  <mark.lam@apple.com>
1724
1725         Gardening: test options fix.
1726         https://bugs.webkit.org/show_bug.cgi?id=192822
1727
1728         Unreviewed.
1729
1730         * stress/json-stringify-string-builder-overflow.js:
1731
1732 2018-12-18  Mark Lam  <mark.lam@apple.com>
1733
1734         JSON.stringify() should throw OOM on StringBuilder overflows.
1735         https://bugs.webkit.org/show_bug.cgi?id=192822
1736         <rdar://problem/46670577>
1737
1738         Reviewed by Saam Barati.
1739
1740         * stress/json-stringify-string-builder-overflow.js: Added.
1741
1742 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1743
1744         Redeclaration of var over let/const/class should be a syntax error.
1745         https://bugs.webkit.org/show_bug.cgi?id=192298
1746
1747         Reviewed by Keith Miller.
1748
1749         * test262.yaml:
1750         * test262/expectations.yaml:
1751         Mark 46 tests as passing.
1752
1753         * stress/block-scope-redeclarations.js:
1754         Add some new tests.
1755
1756         * stress/for-in-invalidate-context-weird-assignments.js:
1757         * stress/for-in-tests.js:
1758         Replace tests for outdated behavior with tests for SyntaxError.
1759
1760         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1761         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1762         Update expectations.
1763
1764 2018-12-18  Mark Lam  <mark.lam@apple.com>
1765
1766         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1767         https://bugs.webkit.org/show_bug.cgi?id=191374
1768         <rdar://problem/46525447>
1769
1770         Reviewed by Yusuke Suzuki.
1771
1772         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1773
1774         * stress/elidable-new-object-roflcopter-then-exit.js:
1775
1776 2018-12-17  Mark Lam  <mark.lam@apple.com>
1777
1778         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1779         https://bugs.webkit.org/show_bug.cgi?id=192019
1780         <rdar://problem/46525456>
1781
1782         Reviewed by Yusuke Suzuki.
1783
1784         The test runs too slow on 32-bit.
1785
1786         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1787
1788 2018-12-17  Mark Lam  <mark.lam@apple.com>
1789
1790         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1791         https://bugs.webkit.org/show_bug.cgi?id=191373
1792         <rdar://problem/46525458>
1793
1794         Reviewed by Yusuke Suzuki.
1795
1796         The test is already slow running with a JIT on 64-bit.  It will always timeout
1797         on 32-bit without a JIT.
1798
1799         * stress/materialize-regexp-cyclic-regexp.js:
1800
1801 2018-12-17  Mark Lam  <mark.lam@apple.com>
1802
1803         Array unshift/shift should not race against the AI in the compiler thread.
1804         https://bugs.webkit.org/show_bug.cgi?id=192795
1805         <rdar://problem/46724263>
1806
1807         Reviewed by Saam Barati.
1808
1809         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1810
1811 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1812
1813         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1814         https://bugs.webkit.org/show_bug.cgi?id=190047
1815
1816         Reviewed by Saam Barati.
1817
1818         * stress/object-keys-cached-zero.js: Added.
1819         (shouldBe):
1820         (test):
1821         * stress/object-keys-changed-attribute.js: Added.
1822         (shouldBe):
1823         (test):
1824         * stress/object-keys-changed-index.js: Added.
1825         (shouldBe):
1826         (test):
1827         * stress/object-keys-changed.js: Added.
1828         (shouldBe):
1829         (test):
1830         * stress/object-keys-indexed-non-cache.js: Added.
1831         (shouldBe):
1832         (test):
1833         * stress/object-keys-overrides-get-property-names.js: Added.
1834         (shouldBe):
1835         (test):
1836         (noInline):
1837
1838 2018-12-17  Mark Lam  <mark.lam@apple.com>
1839
1840         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1841         https://bugs.webkit.org/show_bug.cgi?id=192779
1842         <rdar://problem/46775869>
1843
1844         Reviewed by Saam Barati.
1845
1846         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1847
1848 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1849
1850         Unreviewed test gardening, address a syntax error in a new test.
1851
1852         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1853
1854 2018-12-17  Mark Lam  <mark.lam@apple.com>
1855
1856         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1857         https://bugs.webkit.org/show_bug.cgi?id=192776
1858         <rdar://problem/46772368>
1859
1860         Reviewed by Keith Miller.
1861
1862         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1863
1864 2018-12-17  Mark Lam  <mark.lam@apple.com>
1865
1866         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1867         https://bugs.webkit.org/show_bug.cgi?id=192770
1868         <rdar://problem/46449037>
1869
1870         Reviewed by Keith Miller.
1871
1872         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1873
1874 2018-12-14  Mark Lam  <mark.lam@apple.com>
1875
1876         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1877         https://bugs.webkit.org/show_bug.cgi?id=192717
1878         <rdar://problem/46660677>
1879
1880         Reviewed by Saam Barati.
1881
1882         * stress/regress-192717.js: Added.
1883
1884 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1885
1886         Unreviewed, rolling out r239153, r239154, and r239155.
1887         https://bugs.webkit.org/show_bug.cgi?id=192715
1888
1889         Caused flaky GC-related crashes seen with layout tests
1890         (Requested by ryanhaddad on #webkit).
1891
1892         Reverted changesets:
1893
1894         "[JSC] Optimize Object.keys by caching own keys results in
1895         StructureRareData"
1896         https://bugs.webkit.org/show_bug.cgi?id=190047
1897         https://trac.webkit.org/changeset/239153
1898
1899         "Unreviewed, build fix after r239153"
1900         https://bugs.webkit.org/show_bug.cgi?id=190047
1901         https://trac.webkit.org/changeset/239154
1902
1903         "Unreviewed, build fix after r239153, part 2"
1904         https://bugs.webkit.org/show_bug.cgi?id=190047
1905         https://trac.webkit.org/changeset/239155
1906
1907 2018-12-14  Keith Miller  <keith_miller@apple.com>
1908
1909         Callers of JSString::getIndex should check for OOM exceptions
1910         https://bugs.webkit.org/show_bug.cgi?id=192709
1911
1912         Reviewed by Mark Lam.
1913
1914         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1915
1916 2018-12-13  Mark Lam  <mark.lam@apple.com>
1917
1918         Add a missing exception check.
1919         https://bugs.webkit.org/show_bug.cgi?id=192626
1920         <rdar://problem/46662163>
1921
1922         Reviewed by Keith Miller.
1923
1924         * stress/regress-192626.js: Added.
1925
1926 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1927
1928         [BigInt] Add ValueDiv into DFG
1929         https://bugs.webkit.org/show_bug.cgi?id=186178
1930
1931         Reviewed by Yusuke Suzuki.
1932
1933         * stress/big-int-div-jit-osr.js: Added.
1934         * stress/big-int-div-jit-untyped.js: Added.
1935         * stress/value-div-fixup-int32-big-int.js: Added.
1936
1937 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1938
1939         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1940         https://bugs.webkit.org/show_bug.cgi?id=190047
1941
1942         Reviewed by Keith Miller.
1943
1944         * stress/object-keys-cached-zero.js: Added.
1945         (shouldBe):
1946         (test):
1947         * stress/object-keys-changed-attribute.js: Added.
1948         (shouldBe):
1949         (test):
1950         * stress/object-keys-changed-index.js: Added.
1951         (shouldBe):
1952         (test):
1953         * stress/object-keys-changed.js: Added.
1954         (shouldBe):
1955         (test):
1956         * stress/object-keys-indexed-non-cache.js: Added.
1957         (shouldBe):
1958         (test):
1959         * stress/object-keys-overrides-get-property-names.js: Added.
1960         (shouldBe):
1961         (test):
1962         (noInline):
1963
1964 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1965
1966         [DFG][FTL] Add NewSymbol
1967         https://bugs.webkit.org/show_bug.cgi?id=192620
1968
1969         Reviewed by Saam Barati.
1970
1971         * microbenchmarks/symbol-creation.js: Added.
1972         (test):
1973         * stress/symbol-description-identity.js: Added.
1974         (shouldBe):
1975         (test):
1976         * stress/symbol-identity.js: Added.
1977         (shouldBe):
1978         (test):
1979         * stress/symbol-with-description-throw-error.js: Added.
1980         (shouldBe):
1981         (shouldThrow):
1982         (test):
1983         (object.toString):
1984
1985 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1986
1987         [BigInt] Implement DFG/FTL typeof for BigInt
1988         https://bugs.webkit.org/show_bug.cgi?id=192619
1989
1990         Reviewed by Keith Miller.
1991
1992         * stress/big-int-boolean-proven-type.js: Added.
1993         (assert):
1994         (bool):
1995         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1996         (assert):
1997         (typeOf):
1998         (i.switch):
1999         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2000         (assert):
2001         (typeOf):
2002         * stress/big-int-type-of.js:
2003         (typeOf):
2004         (func):
2005
2006 2018-12-10  Mark Lam  <mark.lam@apple.com>
2007
2008         PropertyAttribute needs a CustomValue bit.
2009         https://bugs.webkit.org/show_bug.cgi?id=191993
2010         <rdar://problem/46264467>
2011
2012         Reviewed by Saam Barati.
2013
2014         * stress/regress-191993.js: Added.
2015
2016 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2017
2018         [BigInt] Add ValueMul into DFG
2019         https://bugs.webkit.org/show_bug.cgi?id=186175
2020
2021         Reviewed by Yusuke Suzuki.
2022
2023         * stress/big-int-mul-jit-osr.js: Added.
2024         * stress/big-int-mul-jit-untyped.js: Added.
2025         * stress/value-mul-fixup-int32-big-int.js: Added.
2026
2027 2018-12-06  Keith Miller  <keith_miller@apple.com>
2028
2029         stress/big-wasm-memory tests failing on 32-bit JSC bot
2030         https://bugs.webkit.org/show_bug.cgi?id=192020
2031
2032         Reviewed by Saam Barati.
2033
2034         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2035         the wasm stress tests if the WebAssembly object does not exist.
2036
2037         * stress/big-wasm-memory-grow-no-max.js:
2038         (test.foo):
2039         (test):
2040         (foo): Deleted.
2041         (catch): Deleted.
2042         * stress/big-wasm-memory-grow.js:
2043         (test.foo):
2044         (test):
2045         (foo): Deleted.
2046         (catch): Deleted.
2047         * stress/big-wasm-memory.js:
2048         (test.foo):
2049         (test):
2050         (foo): Deleted.
2051         (catch): Deleted.
2052
2053 2018-12-05  Mark Lam  <mark.lam@apple.com>
2054
2055         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2056         https://bugs.webkit.org/show_bug.cgi?id=192441
2057         <rdar://problem/46480355>
2058
2059         Reviewed by Saam Barati.
2060
2061         * stress/regress-192441.js: Added.
2062
2063 2018-12-04  Mark Lam  <mark.lam@apple.com>
2064
2065         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2066         https://bugs.webkit.org/show_bug.cgi?id=192386
2067         <rdar://problem/46445516>
2068
2069         Reviewed by Saam Barati.
2070
2071         * stress/regress-192386.js: Added.
2072
2073 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2074
2075         [ESNext][BigInt] Support logic operations
2076         https://bugs.webkit.org/show_bug.cgi?id=179903
2077
2078         Reviewed by Yusuke Suzuki.
2079
2080         * stress/big-int-branch-usage.js: Added.
2081         * stress/big-int-logical-and.js: Added.
2082         * stress/big-int-logical-not.js: Added.
2083         * stress/big-int-logical-or.js: Added.
2084
2085 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2086
2087         Unreviewed, rolling out r238833.
2088
2089         Breaks macOS and iOS debug builds.
2090
2091         Reverted changeset:
2092
2093         "[ESNext][BigInt] Support logic operations"
2094         https://bugs.webkit.org/show_bug.cgi?id=179903
2095         https://trac.webkit.org/changeset/238833
2096
2097 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2098
2099         [ESNext][BigInt] Support logic operations
2100         https://bugs.webkit.org/show_bug.cgi?id=179903
2101
2102         Reviewed by Yusuke Suzuki.
2103
2104         * stress/big-int-branch-usage.js: Added.
2105         * stress/big-int-logical-and.js: Added.
2106         * stress/big-int-logical-not.js: Added.
2107         * stress/big-int-logical-or.js: Added.
2108
2109 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2110
2111         [ESNext][BigInt] Implement support for "<<" and ">>"
2112         https://bugs.webkit.org/show_bug.cgi?id=186233
2113
2114         Reviewed by Yusuke Suzuki.
2115
2116         * stress/big-int-left-shift-general.js: Added.
2117         * stress/big-int-left-shift-range-error.js: Added.
2118         * stress/big-int-left-shift-type-error.js: Added.
2119         * stress/big-int-left-shift-wrapped-value.js: Added.
2120         * stress/big-int-right-shift-general.js: Added.
2121         * stress/big-int-right-shift-type-error.js: Added.
2122         * stress/big-int-right-shift-wrapped-value.js: Added.
2123         * stress/left-shift-to-primitive-precedence.js: Added.
2124         * stress/right-shift-to-primitive-precedence.js: Added.
2125
2126 2018-11-30  Dean Jackson  <dino@apple.com>
2127
2128         Add first-class support for .mjs files in jsc binary
2129         https://bugs.webkit.org/show_bug.cgi?id=192190
2130         <rdar://problem/46375715>
2131
2132         Reviewed by Keith Miller.
2133
2134         * stress/simple-module.mjs: Added.
2135         * stress/simple-script.js: Added.
2136
2137 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2138
2139         [BigInt] Implement ValueBitXor into DFG
2140         https://bugs.webkit.org/show_bug.cgi?id=190264
2141
2142         Reviewed by Yusuke Suzuki.
2143
2144         * stress/big-int-bitwise-xor-jit.js: Added.
2145         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2146         * stress/big-int-bitwise-xor-untyped.js: Added.
2147
2148 2018-11-27  Saam barati  <sbarati@apple.com>
2149
2150         r238510 broke scopes of size zero
2151         https://bugs.webkit.org/show_bug.cgi?id=192033
2152         <rdar://problem/46281734>
2153
2154         Reviewed by Keith Miller.
2155
2156         * stress/r238510-bad-loop.js: Added.
2157         (foo):
2158
2159 2018-11-27  Mark Lam  <mark.lam@apple.com>
2160
2161         [Re-landing] NaNs read from Wasm code need to be purified.
2162         https://bugs.webkit.org/show_bug.cgi?id=191056
2163         <rdar://problem/45660341>
2164
2165         Reviewed by Filip Pizlo.
2166
2167         * wasm/regress/regress-191056.js: Added.
2168
2169 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2170
2171         Unreviewed, rolling out r238509.
2172
2173         Causes JSC tests to fail on iOS.
2174
2175         Reverted changeset:
2176
2177         "NaNs read from Wasm code need to be purified."
2178         https://bugs.webkit.org/show_bug.cgi?id=191056
2179         https://trac.webkit.org/changeset/238509
2180
2181 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2182
2183         Re-introduce op_bitnot
2184         https://bugs.webkit.org/show_bug.cgi?id=190923
2185
2186         Reviewed by Yusuke Suzuki.
2187
2188         * stress/bit-not-must-generate.js: Added.
2189         * stress/bitwise-not-no-int32.js: Added.
2190
2191 2018-11-26  Saam barati  <sbarati@apple.com>
2192
2193         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2194         https://bugs.webkit.org/show_bug.cgi?id=191956
2195         <rdar://problem/45665806>
2196
2197         Reviewed by Yusuke Suzuki.
2198
2199         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2200         (bar):
2201         (foo):
2202
2203 2018-11-26  Saam barati  <sbarati@apple.com>
2204
2205         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2206         https://bugs.webkit.org/show_bug.cgi?id=191958
2207         <rdar://problem/46221877>
2208
2209         Reviewed by Yusuke Suzuki.
2210
2211         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2212         (x):
2213         (foo):
2214
2215 2018-11-26  Mark Lam  <mark.lam@apple.com>
2216
2217         NaNs read from Wasm code need to be purified.
2218         https://bugs.webkit.org/show_bug.cgi?id=191056
2219         <rdar://problem/45660341>
2220
2221         Reviewed by Filip Pizlo.
2222
2223         * wasm/regress/regress-191056.js: Added.
2224
2225 2018-11-26  Michael Saboff  <msaboff@apple.com>
2226
2227         32-bit JSC test failure: stress/regexp-compile-oom.js
2228         https://bugs.webkit.org/show_bug.cgi?id=191375
2229
2230         Reviewed by Mark Lam.
2231
2232         Disabled the test for 32 bit platforms.
2233
2234         * stress/regexp-compile-oom.js:
2235
2236 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2237
2238         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2239         https://bugs.webkit.org/show_bug.cgi?id=191716
2240         <rdar://problem/45723878>
2241
2242         Reviewed by Saam Barati.
2243
2244         * stress/regress-187373.js: Added.
2245         (async.fn):
2246
2247 2018-11-21  Saam barati  <sbarati@apple.com>
2248
2249         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2250         https://bugs.webkit.org/show_bug.cgi?id=191897
2251         <rdar://problem/45871998>
2252
2253         Reviewed by Mark Lam.
2254
2255         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2256         (bar):
2257         (foo):
2258
2259 2018-11-21  Saam barati  <sbarati@apple.com>
2260
2261         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2262         https://bugs.webkit.org/show_bug.cgi?id=191895
2263         <rdar://problem/46167406>
2264
2265         Reviewed by Mark Lam.
2266
2267         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2268         (foo):
2269         (bar):
2270
2271 2018-11-21  Mark Lam  <mark.lam@apple.com>
2272
2273         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2274         https://bugs.webkit.org/show_bug.cgi?id=191776
2275         <rdar://problem/46152851>
2276
2277         Reviewed by Saam Barati.
2278
2279         * stress/big-wasm-memory-grow-no-max.js:
2280         * stress/big-wasm-memory-grow.js:
2281         * stress/big-wasm-memory.js:
2282         - updated these to expect an OutOfMemoryError.
2283
2284         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2285         (Binary.prototype.emit_u8):
2286         (Binary.prototype.emit_u32v):
2287         (Binary.prototype.emit_header):
2288         (Binary.prototype.emit_section):
2289         (Binary):
2290         (WasmModuleBuilder):
2291         (WasmModuleBuilder.prototype.addMemory):
2292         (WasmModuleBuilder.prototype.toArray):
2293         (WasmModuleBuilder.prototype.toBuffer):
2294         (WasmModuleBuilder.prototype.instantiate):
2295         (catch):
2296         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2297         (catch):
2298
2299 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2300
2301         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2302         https://bugs.webkit.org/show_bug.cgi?id=190836
2303
2304         Reviewed by Saam Barati and Yusuke Suzuki.
2305
2306         * stress/big-int-out-of-memory-tests.js: Added.
2307
2308 2018-11-20  Mark Lam  <mark.lam@apple.com>
2309
2310         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2311         https://bugs.webkit.org/show_bug.cgi?id=191856
2312         <rdar://problem/46089992>
2313
2314         Reviewed by Yusuke Suzuki.
2315
2316         * stress/regress-191856.js: Added.
2317         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2318
2319 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2320
2321         Enable JIT on ARM/Linux
2322         https://bugs.webkit.org/show_bug.cgi?id=191548
2323
2324         Reviewed by Yusuke Suzuki.
2325
2326         Disable test on system with limited memory. Program was killed by
2327         the OS before the exception was thrown.
2328
2329         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2330
2331 2018-11-20  Saam barati  <sbarati@apple.com>
2332
2333         Merging an IC variant may lead to the IC status containing overlapping structure sets
2334         https://bugs.webkit.org/show_bug.cgi?id=191869
2335         <rdar://problem/45403453>
2336
2337         Reviewed by Mark Lam.
2338
2339         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2340
2341 2018-11-19  Mark Lam  <mark.lam@apple.com>
2342
2343         globalFuncImportModule() should return a promise when it clears exceptions.
2344         https://bugs.webkit.org/show_bug.cgi?id=191792
2345         <rdar://problem/46090763>
2346
2347         Reviewed by Michael Saboff.
2348
2349         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2350
2351 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2352
2353         Skip new memory-hungry tests on memory limited devices
2354
2355         Unreviewed gardening.
2356
2357         * stress/big-wasm-memory-grow-no-max.js:
2358         * stress/big-wasm-memory-grow.js:
2359         * stress/big-wasm-memory.js:
2360
2361 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2362
2363         Unreviewed, rolling in the rest of r237254
2364         https://bugs.webkit.org/show_bug.cgi?id=190340
2365
2366         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2367         * stress/function-cache-with-parameters-end-position.js: Added.
2368         (shouldBe):
2369         (shouldThrow):
2370         (i.anonymous):
2371         * stress/function-constructor-name.js: Added.
2372         (shouldBe):
2373         (GeneratorFunction):
2374         (AsyncFunction.async):
2375         (AsyncGeneratorFunction.async):
2376         (anonymous):
2377         (async.anonymous):
2378         * test262/expectations.yaml:
2379
2380 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2381
2382         All users of ArrayBuffer should agree on the same max size
2383         https://bugs.webkit.org/show_bug.cgi?id=191771
2384
2385         Reviewed by Mark Lam.
2386
2387         * stress/big-wasm-memory-grow-no-max.js: Added.
2388         (foo):
2389         (catch):
2390         * stress/big-wasm-memory-grow.js: Added.
2391         (foo):
2392         (catch):
2393         * stress/big-wasm-memory.js: Added.
2394         (foo):
2395         (catch):
2396
2397 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2398
2399         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2400         run for each JSC config since they're regression tests for runtime bugs.
2401
2402         * stress/json-stringified-overflow-2.js:
2403         * stress/json-stringified-overflow.js:
2404
2405 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2406
2407         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2408         config since they're regression tests for runtime bugs.
2409
2410         * stress/large-unshift-splice.js:
2411         * stress/regress-185888.js:
2412
2413 2018-11-16  Saam Barati  <sbarati@apple.com>
2414
2415         KnownCellUse should also have SpecCellCheck as its type filter
2416         https://bugs.webkit.org/show_bug.cgi?id=191729
2417         <rdar://problem/45872852>
2418
2419         Reviewed by Filip Pizlo.
2420
2421         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2422         (C):
2423
2424 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2425
2426         Fix assertion failure on BytecodeGenerator::recordOpcode
2427         https://bugs.webkit.org/show_bug.cgi?id=191724
2428         <rdar://problem/45724395>
2429
2430         Reviewed by Saam Barati.
2431
2432         * stress/regress-187373-2.js: Added.
2433         (foo):
2434
2435 2018-11-15  Mark Lam  <mark.lam@apple.com>
2436
2437         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2438         https://bugs.webkit.org/show_bug.cgi?id=191730
2439         <rdar://problem/46048517>
2440
2441         Reviewed by Saam Barati.
2442
2443         * stress/regress-187006.js: Removed.
2444           - this test is invalid because its sole purpose is to test for the non-spec
2445             compliant behavior that we just fixed.
2446
2447         * stress/regress-191730.js: Added.
2448
2449 2018-11-15  Mark Lam  <mark.lam@apple.com>
2450
2451         RegExp operations should not take fast path if lastIndex is not numeric.
2452         https://bugs.webkit.org/show_bug.cgi?id=191731
2453         <rdar://problem/46017305>
2454
2455         Reviewed by Saam Barati.
2456
2457         * stress/regress-191731.js: Added.
2458
2459 2018-11-13  Saam Barati  <sbarati@apple.com>
2460
2461         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2462         https://bugs.webkit.org/show_bug.cgi?id=191600
2463
2464         Reviewed by Mark Lam.
2465
2466         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2467         (foo):
2468         (test):
2469         (bar):
2470
2471 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2472
2473         Unreviewed, rolling out r238132.
2474
2475         The test added with this change is timing out on Debug JSC
2476         bots.
2477
2478         Reverted changeset:
2479
2480         "[BigInt] JSBigInt::createWithLength should throw when length
2481         is greater than JSBigInt::maxLength"
2482         https://bugs.webkit.org/show_bug.cgi?id=190836
2483         https://trac.webkit.org/changeset/238132
2484
2485 2018-11-13  Mark Lam  <mark.lam@apple.com>
2486
2487         Add OOM detection to StringPrototype's substituteBackreferences().
2488         https://bugs.webkit.org/show_bug.cgi?id=191563
2489         <rdar://problem/45720428>
2490
2491         Reviewed by Saam Barati.
2492
2493         * stress/regress-191563.js: Added.
2494
2495 2018-11-13  Mark Lam  <mark.lam@apple.com>
2496
2497         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2498         https://bugs.webkit.org/show_bug.cgi?id=191579
2499         <rdar://problem/45942472>
2500
2501         Reviewed by Saam Barati.
2502
2503         * stress/regress-191579.js: Added.
2504
2505 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2506
2507         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2508         https://bugs.webkit.org/show_bug.cgi?id=190836
2509
2510         Reviewed by Saam Barati.
2511
2512         * stress/big-int-out-of-memory-tests.js: Added.
2513
2514 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2515
2516         U+180E is no longer a whitespace character
2517         https://bugs.webkit.org/show_bug.cgi?id=191415
2518
2519         Reviewed by Saam Barati.
2520
2521         * ChakraCore/test/es5/regexSpace.baseline:
2522         * ChakraCore/test/es6/unicode_whitespace.js:
2523         Update tests to latest version.
2524         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2525
2526         * test262.yaml:
2527         * test262/config.yaml:
2528         * test262/expectations.yaml:
2529         Update expectations.
2530
2531 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2532
2533         [BigInt] Add support to BigInt into ValueAdd
2534         https://bugs.webkit.org/show_bug.cgi?id=186177
2535
2536         Reviewed by Keith Miller.
2537
2538         * stress/big-int-negate-jit.js:
2539         * stress/value-add-big-int-and-string.js: Added.
2540         * stress/value-add-big-int-prediction-propagation.js: Added.
2541         * stress/value-add-big-int-untyped.js: Added.
2542
2543 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2544
2545         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2546         https://bugs.webkit.org/show_bug.cgi?id=191184
2547
2548         Reviewed by Saam Barati.
2549
2550         Most tests were failing due to timeouts, since they are too slow to
2551         run on CLoop. The exceptions are:
2552
2553         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2554         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2555         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2556         to change the stack size since CLoop requires it to be page aligned.
2557
2558         * microbenchmarks/array-push-1.js:
2559         * microbenchmarks/array-push-2.js:
2560         * microbenchmarks/elidable-new-object-dag.js:
2561         * microbenchmarks/elidable-new-object-roflcopter.js:
2562         * microbenchmarks/elidable-new-object-tree.js:
2563         * microbenchmarks/getter-richards.js:
2564         * microbenchmarks/sinkable-new-object-dag.js:
2565         * microbenchmarks/string-concat-long-convert.js:
2566         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2567         * slowMicrobenchmarks/array-push-3.js:
2568         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2569         * slowMicrobenchmarks/spread-small-array.js:
2570         * slowMicrobenchmarks/undefined-property-access.js:
2571         * stress/activation-sink-default-value-tdz-error.js:
2572         * stress/activation-sink-default-value.js:
2573         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2574         * stress/activation-sink-osrexit-default-value.js:
2575         * stress/activation-sink-osrexit.js:
2576         * stress/activation-sink.js:
2577         * stress/allow-math-ic-b3-code-duplication.js:
2578         * stress/array-push-multiple-int32.js:
2579         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2580         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2581         * stress/arrowfunction-lexical-this-activation-sink.js:
2582         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2583         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2584         * stress/elide-new-object-dag-then-exit.js:
2585         * stress/materialize-regexp-cyclic.js:
2586         * stress/new-regex-inline.js:
2587         * stress/op_add.js:
2588         * stress/op_bitand.js:
2589         * stress/op_bitor.js:
2590         * stress/op_bitxor.js:
2591         * stress/op_div-ConstVar.js:
2592         * stress/op_div-VarConst.js:
2593         * stress/op_div-VarVar.js:
2594         * stress/op_lshift-ConstVar.js:
2595         * stress/op_lshift-VarConst.js:
2596         * stress/op_lshift-VarVar.js:
2597         * stress/op_mod-ConstVar.js:
2598         * stress/op_mod-VarConst.js:
2599         * stress/op_mod-VarVar.js:
2600         * stress/op_mul-ConstVar.js:
2601         * stress/op_mul-VarConst.js:
2602         * stress/op_mul-VarVar.js:
2603         * stress/op_rshift-ConstVar.js:
2604         * stress/op_rshift-VarConst.js:
2605         * stress/op_rshift-VarVar.js:
2606         * stress/op_sub-ConstVar.js:
2607         * stress/op_sub-VarConst.js:
2608         * stress/op_sub-VarVar.js:
2609         * stress/op_urshift-ConstVar.js:
2610         * stress/op_urshift-VarConst.js:
2611         * stress/op_urshift-VarVar.js:
2612         * stress/proxy-get-set-correct-receiver.js:
2613         * stress/regress-179562.js:
2614         * stress/rest-parameter-many-arguments.js:
2615         * stress/sampling-profiler-richards.js:
2616         * stress/splay-flash-access-1ms.js:
2617         * stress/tailCallForwardArguments.js:
2618         * stress/typed-array-get-by-val-profiling.js:
2619         * typeProfiler/getter-richards.js:
2620
2621 2018-11-06  Michael Saboff  <msaboff@apple.com>
2622
2623         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2624         https://bugs.webkit.org/show_bug.cgi?id=191271
2625
2626         Reviewed by Saam Barati.
2627
2628         Added more test cases and made all test cases run with the same deeply recursive stack
2629         instead of finding that same point for each test case.
2630
2631         * stress/regexp-compile-oom.js:
2632         (prototype.runTest):
2633         (recurseAndTest):
2634         (testList.push.new.TestAndExpectedException):
2635
2636 2018-11-05  Michael Saboff  <msaboff@apple.com>
2637
2638         Unreviewed build fix for linux.
2639
2640         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2641
2642 2018-11-02  Michael Saboff  <msaboff@apple.com>
2643
2644         Rolling in r237753 with unreviewed build fix.
2645
2646         Fixed issues with DECLARE_THROW_SCOPE placement.
2647
2648 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2649
2650         Unreviewed, rolling out r237753.
2651
2652         Introduced JSC test failures
2653
2654         Reverted changeset:
2655
2656         "Running out of stack space not properly handled in
2657         RegExp::compile() and its callers"
2658         https://bugs.webkit.org/show_bug.cgi?id=191206
2659         https://trac.webkit.org/changeset/237753
2660
2661 2018-11-02  Michael Saboff  <msaboff@apple.com>
2662
2663         Running out of stack space not properly handled in RegExp::compile() and its callers
2664         https://bugs.webkit.org/show_bug.cgi?id=191206
2665
2666         Reviewed by Filip Pizlo.
2667
2668         New regression test.
2669
2670         * stress/regexp-compile-oom.js: Added.
2671         (recurseAndTest):
2672
2673 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2674
2675         Skip tests on arm/mips that time out now we're running on CLoop
2676
2677         Unreviewed gardening.
2678
2679         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2680         time out on the bots and need to be disabled. There's more tests
2681         disabled on arm because the timeout is longer on the mips bot (as the
2682         device is slower to start with), so many of the tests don't time out
2683         there.
2684
2685         * microbenchmarks/getter-richards.js: disable on arm and mips.
2686         * stress/op_add.js: disable on arm.
2687         * stress/op_bitand.js: disable on arm.
2688         * stress/op_bitor.js: disable on arm.
2689         * stress/op_bitxor.js: disable on arm.
2690         * stress/op_lshift-ConstVar.js: disable on arm.
2691         * stress/op_lshift-VarConst.js: disable on arm.
2692         * stress/op_lshift-VarVar.js: disable on arm.
2693         * stress/op_mod-ConstVar.js: disable on arm.
2694         * stress/op_mod-VarConst.js: disable on arm.
2695         * stress/op_mod-VarVar.js: disable on arm.
2696         * stress/op_mul-ConstVar.js: disable on arm.
2697         * stress/op_mul-VarConst.js: disable on arm.
2698         * stress/op_mul-VarVar.js: disable on arm.
2699         * stress/op_rshift-ConstVar.js: disable on arm.
2700         * stress/op_rshift-VarConst.js: disable on arm.
2701         * stress/op_rshift-VarVar.js: disable on arm.
2702         * stress/op_sub-ConstVar.js: disable on arm.
2703         * stress/op_sub-VarConst.js: disable on arm.
2704         * stress/op_sub-VarVar.js: disable on arm.
2705         * stress/op_urshift-ConstVar.js: disable on arm.
2706         * stress/op_urshift-VarConst.js: disable on arm.
2707         * stress/op_urshift-VarVar.js: disable on arm.
2708         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2709         * stress/value-to-boolean.js: disable on arm and mips.
2710
2711 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2712
2713         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2714         https://bugs.webkit.org/show_bug.cgi?id=191108
2715         <rdar://problem/45690700>
2716
2717         Reviewed by Saam Barati.
2718
2719         * stress/wide-op_catch.js: Added.
2720         (catch):
2721
2722 2018-10-29  Mark Lam  <mark.lam@apple.com>
2723
2724         Correctly detect string overflow when using the 'Function' constructor.
2725         https://bugs.webkit.org/show_bug.cgi?id=184883
2726         <rdar://problem/36320331>
2727
2728         Reviewed by Saam Barati.
2729
2730         I've verified that this passes on 32-bit as well.
2731
2732         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2733
2734 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2735
2736         Add support for GetStack FlushedDouble
2737         https://bugs.webkit.org/show_bug.cgi?id=191012
2738         <rdar://problem/45265141>
2739
2740         Reviewed by Saam Barati.
2741
2742         * stress/get-stack-double.js: Added.
2743         (bar):
2744         (noInline):
2745
2746 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2747
2748         New bytecode format for JSC
2749         https://bugs.webkit.org/show_bug.cgi?id=187373
2750         <rdar://problem/44186758>
2751
2752         Reviewed by Filip Pizlo.
2753
2754         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2755
2756         * stress/maximum-inline-capacity.js: Added.
2757         (test1):
2758         (test3.Foo):
2759         (test3):
2760
2761 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2762
2763         Unreviewed, rolling out r237479 and r237484.
2764         https://bugs.webkit.org/show_bug.cgi?id=190978
2765
2766         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2767
2768         Reverted changesets:
2769
2770         "New bytecode format for JSC"
2771         https://bugs.webkit.org/show_bug.cgi?id=187373
2772         https://trac.webkit.org/changeset/237479
2773
2774         "Gardening: Build fix after r237479."
2775         https://bugs.webkit.org/show_bug.cgi?id=187373
2776         https://trac.webkit.org/changeset/237484
2777
2778 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2779
2780         New bytecode format for JSC
2781         https://bugs.webkit.org/show_bug.cgi?id=187373
2782         <rdar://problem/44186758>
2783
2784         Reviewed by Filip Pizlo.
2785
2786         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2787
2788         * stress/maximum-inline-capacity.js: Added.
2789         (test1):
2790         (test3.Foo):
2791         (test3):
2792
2793 2018-10-26  Mark Lam  <mark.lam@apple.com>
2794
2795         Fix missing edge cases with JSGlobalObjects having a bad time.
2796         https://bugs.webkit.org/show_bug.cgi?id=189028
2797         <rdar://problem/45204939>
2798
2799         Reviewed by Saam Barati.
2800
2801         * stress/regress-189028.js: Added.
2802
2803 2018-10-22  Mark Lam  <mark.lam@apple.com>
2804
2805         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2806         https://bugs.webkit.org/show_bug.cgi?id=190515
2807         <rdar://problem/45222379>
2808
2809         Rubber-stamped by Saam Barati.
2810
2811         Adding another test.
2812
2813         * stress/regress-190515-2.js: Added.
2814
2815 2018-10-22  Mark Lam  <mark.lam@apple.com>
2816
2817         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2818         https://bugs.webkit.org/show_bug.cgi?id=190515
2819         <rdar://problem/45222379>
2820
2821         Reviewed by Saam Barati.
2822
2823         * stress/regress-190515.js: Added.
2824
2825 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2826
2827         Unreviewed, rolling out r237254.
2828         https://bugs.webkit.org/show_bug.cgi?id=190760
2829
2830         "It regresses JetStream 2 by 5% on some iOS devices"
2831         (Requested by saamyjoon on #webkit).
2832
2833         Reverted changeset:
2834
2835         "[JSC] JSC should have "parseFunction" to optimize Function
2836         constructor"
2837         https://bugs.webkit.org/show_bug.cgi?id=190340
2838         https://trac.webkit.org/changeset/237254
2839
2840 2018-10-19  Saam Barati  <sbarati@apple.com>
2841
2842         vmCall should check if we exit before emitting an OSR exit due to exceptions
2843         https://bugs.webkit.org/show_bug.cgi?id=190740
2844         <rdar://problem/45220139>
2845
2846         Reviewed by Mark Lam.
2847
2848         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2849         (foo):
2850
2851 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2852
2853         [ESNext][BigInt] Implement support for "^"
2854         https://bugs.webkit.org/show_bug.cgi?id=186235
2855
2856         Reviewed by Yusuke Suzuki.
2857
2858         * stress/big-int-bitwise-xor-general.js: Added.
2859         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2860         * stress/big-int-bitwise-xor-type-error.js: Added.
2861         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2862
2863 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2864
2865         [BigInt] Add ValueSub into DFG
2866         https://bugs.webkit.org/show_bug.cgi?id=186176
2867
2868         Reviewed by Yusuke Suzuki.
2869
2870         * stress/big-int-subtraction-jit.js:
2871         * stress/value-sub-big-int-prediction-propagation.js: Added.
2872         * stress/value-sub-big-int-untyped.js: Added.
2873         * stress/value-sub-spec-none-case.js: Added.
2874
2875 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2876
2877         [JSC] JSC should have "parseFunction" to optimize Function constructor
2878         https://bugs.webkit.org/show_bug.cgi?id=190340
2879
2880         Reviewed by Mark Lam.
2881
2882         This patch fixes the line number of syntax errors raised by the Function constructor,
2883         since we now parse the final code only once. And we no longer use block statement
2884         for Function constructor's parsing.
2885
2886         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2887         * stress/function-cache-with-parameters-end-position.js: Added.
2888         (shouldBe):
2889         (shouldThrow):
2890         (i.anonymous):
2891         * stress/function-constructor-name.js: Added.
2892         (shouldBe):
2893         (GeneratorFunction):
2894         (AsyncFunction.async):
2895         (AsyncGeneratorFunction.async):
2896         (anonymous):
2897         (async.anonymous):
2898         * test262/expectations.yaml:
2899
2900 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2901
2902         Unreviewed, rolling out r237242.
2903         https://bugs.webkit.org/show_bug.cgi?id=190701
2904
2905         it breaks "stress/sampling-profiler-basic.js" (Requested by
2906         caiolima on #webkit).
2907
2908         Reverted changeset:
2909
2910         "[BigInt] Add ValueSub into DFG"
2911         https://bugs.webkit.org/show_bug.cgi?id=186176
2912         https://trac.webkit.org/changeset/237242
2913
2914 2018-10-17  Keith Miller  <keith_miller@apple.com>
2915
2916         AI does not clear Phantom allocation nodes.
2917         https://bugs.webkit.org/show_bug.cgi?id=190694
2918
2919         Reviewed by Saam Barati.
2920
2921         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2922         (Day):
2923         (DaysInYear):
2924         (TimeInYear):
2925         (TimeFromYear):
2926         (DayFromYear):
2927         (InLeapYear):
2928         (YearFromTime):
2929         (WeekDay):
2930         (DaylightSavingTA):
2931         (GetSecondSundayInMarch):
2932         (TimeInMonth):
2933
2934 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2935
2936         [BigInt] Add ValueSub into DFG
2937         https://bugs.webkit.org/show_bug.cgi?id=186176
2938
2939         Reviewed by Yusuke Suzuki.
2940
2941         * stress/big-int-subtraction-jit.js:
2942         * stress/value-sub-big-int-prediction-propagation.js: Added.
2943         * stress/value-sub-big-int-untyped.js: Added.
2944
2945 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2946
2947         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2948         https://bugs.webkit.org/show_bug.cgi?id=190611
2949
2950         Reviewed by Saam Barati.
2951
2952         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2953         to improve test runtime. On ARM/MIPS this test even timed out when running all
2954         tests.
2955
2956         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2957         (test):
2958
2959 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2960
2961         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2962
2963         Unreviewed gardening.
2964
2965         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2966
2967 2018-10-15  Saam barati  <sbarati@apple.com>
2968
2969         Emit fjcvtzs on ARM64E on Darwin
2970         https://bugs.webkit.org/show_bug.cgi?id=184023
2971
2972         Reviewed by Yusuke Suzuki and Filip Pizlo.
2973
2974         * stress/double-to-int32-NaN.js: Added.
2975         (assert):
2976         (foo):
2977
2978 2018-10-15  Saam Barati  <sbarati@apple.com>
2979
2980         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2981         https://bugs.webkit.org/show_bug.cgi?id=190262
2982         <rdar://problem/44986241>
2983
2984         Reviewed by Mark Lam.
2985
2986         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2987         (test):
2988         * stress/slice-array-storage-with-holes.js: Added.
2989         (main):
2990
2991 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2992
2993         Unreviewed, rolling out r237054.
2994         https://bugs.webkit.org/show_bug.cgi?id=190593
2995
2996         "this regressed JetStream 2 by 6% on iOS" (Requested by
2997         saamyjoon on #webkit).
2998
2999         Reverted changeset:
3000
3001         "[JSC] JSC should have "parseFunction" to optimize Function
3002         constructor"
3003         https://bugs.webkit.org/show_bug.cgi?id=190340
3004         https://trac.webkit.org/changeset/237054
3005
3006 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3007
3008         [JSC] JSON.stringify can accept call-with-no-arguments
3009         https://bugs.webkit.org/show_bug.cgi?id=190343
3010
3011         Reviewed by Mark Lam.
3012
3013         * stress/json-stringify-no-arguments.js: Added.
3014         (shouldBe):
3015
3016 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3017
3018         [JSC] JSC should have "parseFunction" to optimize Function constructor
3019         https://bugs.webkit.org/show_bug.cgi?id=190340
3020
3021         Reviewed by Mark Lam.
3022
3023         This patch fixes the line number of syntax errors raised by the Function constructor,
3024         since we now parse the final code only once. And we no longer use block statement
3025         for Function constructor's parsing.
3026
3027         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3028         * stress/function-cache-with-parameters-end-position.js: Added.
3029         (shouldBe):
3030         (shouldThrow):
3031         (i.anonymous):
3032         * stress/function-constructor-name.js: Added.
3033         (shouldBe):
3034         (GeneratorFunction):
3035         (AsyncFunction.async):
3036         (AsyncGeneratorFunction.async):
3037         (anonymous):
3038         (async.anonymous):
3039         * test262/expectations.yaml:
3040
3041 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3042
3043         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3044         https://bugs.webkit.org/show_bug.cgi?id=190426
3045
3046         Unreviewed gardening.
3047
3048         * stress/sampling-profiler-richards.js:
3049
3050 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3051
3052         [ESNext][BigInt] Implement support for "|"
3053         https://bugs.webkit.org/show_bug.cgi?id=186229
3054
3055         Reviewed by Yusuke Suzuki.
3056
3057         * stress/big-int-bitwise-and-jit.js:
3058         * stress/big-int-bitwise-or-general.js: Added.
3059         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3060         * stress/big-int-bitwise-or-jit.js: Added.
3061         * stress/big-int-bitwise-or-memory-stress.js: Added.
3062         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3063         * stress/big-int-bitwise-or-type-error.js: Added.
3064         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3065
3066 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3067
3068         Skip test on systems with limited memory
3069         https://bugs.webkit.org/show_bug.cgi?id=190310
3070
3071         Invoking runDefault adds test to runlist; skipping the test in the next
3072         line does not prevent the test from executing. Change order of lines such
3073         that runDefault is only executed if test is not executed.
3074
3075         Reviewed by Mark Lam.
3076
3077         * stress/regress-190187.js:
3078
3079 2018-10-03  Saam barati  <sbarati@apple.com>
3080
3081         lowXYZ in FTLLower should always filter the type of the incoming edge
3082         https://bugs.webkit.org/show_bug.cgi?id=189939
3083         <rdar://problem/44407030>
3084
3085         Reviewed by Michael Saboff.
3086
3087         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3088         (foo):
3089         (test):
3090
3091 2018-10-03  Mark Lam  <mark.lam@apple.com>
3092
3093         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3094         https://bugs.webkit.org/show_bug.cgi?id=190187
3095         <rdar://problem/42512909>
3096
3097         Reviewed by Michael Saboff.
3098
3099         * stress/regress-190187.js: Added.
3100
3101 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3102
3103         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3104         https://bugs.webkit.org/show_bug.cgi?id=190033
3105
3106         Reviewed by Yusuke Suzuki.
3107
3108         * stress/big-int-to-string.js:
3109
3110 2018-10-01  Mark Lam  <mark.lam@apple.com>
3111
3112         Function.toString() should also copy the source code of Functions that are class definitions.
3113         https://bugs.webkit.org/show_bug.cgi?id=190186
3114         <rdar://problem/44733360>
3115
3116         Reviewed by Saam Barati.
3117
3118         * stress/regress-190186.js: Added.
3119
3120 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3121
3122         Split NaN-check into separate test
3123         https://bugs.webkit.org/show_bug.cgi?id=190010
3124
3125         Reviewed by Saam Barati.
3126
3127         DataView exposes NaN-representation, which is not necessarily the same on each
3128         architecture. Therefore move the check of the NaN-representation into its own
3129         file such that we can disable this test on MIPS where NaN-representation can be
3130         different on older CPUs.
3131
3132         * stress/dataview-jit-set-nan.js: Added.
3133         (assert):
3134         (test.storeLittleEndian):
3135         (test.storeBigEndian):
3136         (test.store):
3137         (test):
3138         * stress/dataview-jit-set.js:
3139         (test5):
3140
3141 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3142
3143         Unreviewed, rolling out r236647.
3144         https://bugs.webkit.org/show_bug.cgi?id=190124
3145
3146         Breaking test stress/big-int-to-string.js (Requested by
3147         caiolima_ on #webkit).
3148
3149         Reverted changeset:
3150
3151         "[BigInt] BigInt.prototype.toString is broken when radix is
3152         power of 2"
3153         https://bugs.webkit.org/show_bug.cgi?id=190033
3154         https://trac.webkit.org/changeset/236647
3155
3156 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3157
3158         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3159         https://bugs.webkit.org/show_bug.cgi?id=190033
3160
3161         Reviewed by Yusuke Suzuki.
3162
3163         * stress/big-int-to-string.js:
3164
3165 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3166
3167         [ESNext][BigInt] Implement support for "&"
3168         https://bugs.webkit.org/show_bug.cgi?id=186228
3169
3170         Reviewed by Yusuke Suzuki.
3171
3172         * stress/big-int-bitwise-and-general.js: Added.
3173         (assert):
3174         (assert.sameValue):
3175         * stress/big-int-bitwise-and-jit.js: Added.
3176         (let.assert.sameValue):
3177         (bigIntBitAnd):
3178         * stress/big-int-bitwise-and-memory-stress.js: Added.
3179         (assert):
3180         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3181         (assert.sameValue):
3182         (let.o.Symbol.toPrimitive):
3183         (catch):
3184         * stress/big-int-bitwise-and-type-error.js: Added.
3185         (assert):
3186         (assertThrowTypeError):
3187         (let.o.valueOf):
3188         (o.valueOf):
3189         (o.toString):
3190         (o.Symbol.toPrimitive):
3191         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3192         (assert.sameValue):
3193         (testBitAnd):
3194         (let.o.Symbol.toPrimitive):
3195         (o.valueOf):
3196         (o.toString):
3197
3198 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3199
3200         JSC test stress/jsc-read.js doesn't support CRLF
3201         https://bugs.webkit.org/show_bug.cgi?id=190063
3202
3203         Reviewed by Yusuke Suzuki.
3204
3205         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3206
3207         * stress/jsc-read.js:
3208         (test):
3209
3210 2018-09-27  Saam barati  <sbarati@apple.com>
3211
3212         Verify the contents of AssemblerBuffer on arm64e
3213         https://bugs.webkit.org/show_bug.cgi?id=190057
3214         <rdar://problem/38916630>
3215
3216         Reviewed by Mark Lam.
3217
3218         * stress/regress-189132.js:
3219
3220 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3221
3222         Disable test without LLInt on ARMv7
3223         https://bugs.webkit.org/show_bug.cgi?id=190037
3224
3225         Reviewed by Mark Lam.
3226
3227         Test runs out of executable memory on ARMv7; do not run
3228         this test without LLInt enabled.
3229
3230         * stress/regress-169445.js:
3231
3232 2018-09-26  Keith Miller  <keith_miller@apple.com>
3233
3234         We should zero unused property storage when rebalancing array storage.
3235         https://bugs.webkit.org/show_bug.cgi?id=188151
3236
3237         Reviewed by Michael Saboff.
3238
3239         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3240
3241 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3242
3243         [JSC] Optimize Array#lastIndexOf
3244         https://bugs.webkit.org/show_bug.cgi?id=189780
3245
3246         Reviewed by Saam Barati.
3247
3248         * stress/array-lastindexof-array-prototype-trap.js: Added.
3249         (shouldBe):
3250         (AncestorArray.prototype.get 2):
3251         (AncestorArray):
3252         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3253         (shouldBe):
3254         * stress/array-lastindexof-hole-nan.js: Added.
3255         (shouldBe):
3256         (throw.new.Error):
3257         * stress/array-lastindexof-infinity.js: Added.
3258         (shouldBe):
3259         (throw.new.Error):
3260         * stress/array-lastindexof-negative-zero.js: Added.
3261         (shouldBe):
3262         (throw.new.Error):
3263         * stress/array-lastindexof-own-getter.js: Added.
3264         (shouldBe):
3265         (throw.new.Error.get array):
3266         (get array):
3267         * stress/array-lastindexof-prototype-trap.js: Added.
3268         (shouldBe):
3269         (DerivedArray.prototype.get 2):
3270         (DerivedArray):
3271
3272 2018-09-25  Saam Barati  <sbarati@apple.com>
3273
3274         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3275         https://bugs.webkit.org/show_bug.cgi?id=189940
3276         <rdar://problem/43640987>
3277
3278         Reviewed by Mark Lam.
3279
3280         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3281
3282 2018-09-24  Saam Barati  <sbarati@apple.com>
3283
3284         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3285         https://bugs.webkit.org/show_bug.cgi?id=189922
3286         <rdar://problem/44651275>
3287
3288         Reviewed by Mark Lam.
3289
3290         * stress/array-indexof-fast-path-effects.js: Added.
3291         * stress/array-indexof-cached-length.js: Added.
3292
3293 2018-09-24  Saam barati  <sbarati@apple.com>
3294
3295         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3296         https://bugs.webkit.org/show_bug.cgi?id=189682
3297         <rdar://problem/43557315>
3298
3299         Reviewed by Mark Lam.
3300
3301         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3302         (foo):
3303
3304 2018-09-22  Saam barati  <sbarati@apple.com>
3305
3306         The sampling should not use Strong<CodeBlock> in its machineLocation field
3307         https://bugs.webkit.org/show_bug.cgi?id=189319
3308
3309         Reviewed by Filip Pizlo.
3310
3311         * stress/sampling-profiler-richards.js: Added.
3312
3313 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3314
3315         [JSC] Optimize Array#indexOf in C++ runtime
3316         https://bugs.webkit.org/show_bug.cgi?id=189507
3317
3318         Reviewed by Saam Barati.
3319
3320         * stress/array-indexof-array-prototype-trap.js: Added.
3321         (shouldBe):
3322         (AncestorArray.prototype.get 2):
3323         (AncestorArray):
3324         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3325         (shouldBe):
3326         * stress/array-indexof-hole-nan.js: Added.
3327         (shouldBe):
3328         (throw.new.Error):
3329         * stress/array-indexof-infinity.js: Added.
3330         (shouldBe):
3331         (throw.new.Error):
3332         * stress/array-indexof-negative-zero.js: Added.
3333         (shouldBe):
3334         (throw.new.Error):
3335         * stress/array-indexof-own-getter.js: Added.
3336         (shouldBe):
3337         (throw.new.Error.get array):
3338         (get array):
3339         * stress/array-indexof-prototype-trap.js: Added.
3340         (shouldBe):
3341         (DerivedArray.prototype.get 2):
3342         (DerivedArray):
3343
3344 2018-09-19  Saam barati  <sbarati@apple.com>
3345
3346         AI rule for MultiPutByOffset executes its effects in the wrong order
3347         https://bugs.webkit.org/show_bug.cgi?id=189757
3348         <rdar://problem/43535257>
3349
3350         Reviewed by Michael Saboff.
3351
3352         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3353         (foo):
3354         (Foo):
3355         (g):
3356
3357 2018-09-17  Mark Lam  <mark.lam@apple.com>
3358
3359         Ensure that ForInContexts are invalidated if their loop local is over-written.
3360         https://bugs.webkit.org/show_bug.cgi?id=189571
3361         <rdar://problem/44402277>
3362
3363         Reviewed by Saam Barati.
3364
3365         * stress/regress-189571.js: Added.
3366
3367 2018-09-17  Saam barati  <sbarati@apple.com>
3368
3369         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3370         https://bugs.webkit.org/show_bug.cgi?id=189676
3371         <rdar://problem/39682897>
3372
3373         Reviewed by Michael Saboff.
3374
3375         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3376         (A):
3377         (K):
3378         (i.catch):
3379
3380 2018-09-14  Saam barati  <sbarati@apple.com>
3381
3382         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3383         https://bugs.webkit.org/show_bug.cgi?id=189628
3384         <rdar://problem/39481690>
3385
3386         Reviewed by Mark Lam.
3387
3388         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3389         (foo):
3390
3391 2018-09-11  Mark Lam  <mark.lam@apple.com>
3392
3393         Test for array initialization in arrayProtoFuncSplice.
3394         https://bugs.webkit.org/show_bug.cgi?id=170253
3395         <rdar://problem/31328773>
3396
3397         Rubber-stamped by Saam Barati.
3398
3399         * stress/regress-170253.js: Added.
3400
3401 2018-09-11  Mark Lam  <mark.lam@apple.com>
3402
3403         Test for IntlObject initialization.
3404         https://bugs.webkit.org/show_bug.cgi?id=170251
3405         <rdar://problem/31328419>
3406
3407         Rubber-stamped by Saam Barati.
3408
3409         * stress/regress-170251.js: Added.
3410
3411 2018-09-11  Mark Lam  <mark.lam@apple.com>
3412
3413         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3414         https://bugs.webkit.org/show_bug.cgi?id=169889
3415         <rdar://problem/31155607>
3416
3417         Reviewed by Saam Barati.
3418
3419         * stress/regress-169889-array-concat.js: Added.
3420         * stress/regress-169889-array-concat1.js: Added.
3421         * stress/regress-169889-array-slice.js: Added.
3422
3423 2018-09-11  Mark Lam  <mark.lam@apple.com>
3424
3425         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3426         https://bugs.webkit.org/show_bug.cgi?id=169445
3427         <rdar://problem/30957435>
3428
3429         Reviewed by Saam Barati.
3430
3431         * stress/regress-169445.js: Added.
3432         (let.gun.eval.A):
3433         (let.gun.eval.B.C):
3434         (let.gun.eval.B.C.prototype.trigger):
3435         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3436         (let.gun.eval.B):
3437         (let.gun.eval):
3438
3439 == Rolled over to ChangeLog-2018-09-11 ==