[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
4         https://bugs.webkit.org/show_bug.cgi?id=193713
5
6         * stress/try-get-by-id-should-spill-registers-dfg.js:
7         (let.f.createBuiltin):
8
9 2019-01-28  Mark Lam  <mark.lam@apple.com>
10
11         ToString node actually does GC.
12         https://bugs.webkit.org/show_bug.cgi?id=193920
13         <rdar://problem/46695900>
14
15         Reviewed by Yusuke Suzuki.
16
17         * stress/dfg-to-string-on-int-does-gc.js: Added.
18         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
19         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
20
21 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
22
23         [JSC] NativeErrorConstructor should not have own IsoSubspace
24         https://bugs.webkit.org/show_bug.cgi?id=193713
25
26         Reviewed by Saam Barati.
27
28         Remove @Error use.
29
30         * stress/try-get-by-id-should-spill-registers-dfg.js:
31         (let.f.createBuiltin):
32
33 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
34
35         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
36         https://bugs.webkit.org/show_bug.cgi?id=190693
37
38         Reviewed by Michael Saboff.
39
40         * stress/regress-190693.js: Added.
41         (truth):
42         (assert):
43         (shouldThrowInvalidConstAssignment):
44         (taz):
45
46 2019-01-24  Saam Barati  <sbarati@apple.com>
47
48         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
49         https://bugs.webkit.org/show_bug.cgi?id=193751
50         <rdar://problem/47280215>
51
52         Reviewed by Michael Saboff.
53
54         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
55         (let.thing):
56         (foo.let.hello):
57         (foo):
58
59 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
60
61         [JSC] Reenable baseline JIT on mips
62         https://bugs.webkit.org/show_bug.cgi?id=192983
63
64         Reviewed by Mark Lam.
65
66         Added a new test for a case that was triggering a RELEASE_ASSERT when
67         testing.
68         Disable some slow tests that were already disabled for arm and x86.
69
70         * stress/json-parse-big-object.js: Added.
71         * stress/new-largeish-contiguous-array-with-size.js:
72         * stress/op_add.js:
73         * stress/op_bitand.js:
74         * stress/op_bitor.js:
75         * stress/op_bitxor.js:
76         * stress/op_lshift-ConstVar.js:
77         * stress/op_lshift-VarConst.js:
78         * stress/op_lshift-VarVar.js:
79         * stress/op_mod-ConstVar.js:
80         * stress/op_mod-VarConst.js:
81         * stress/op_mod-VarVar.js:
82         * stress/op_mul-ConstVar.js:
83         * stress/op_mul-VarConst.js:
84         * stress/op_mul-VarVar.js:
85         * stress/op_rshift-ConstVar.js:
86         * stress/op_rshift-VarConst.js:
87         * stress/op_rshift-VarVar.js:
88         * stress/op_sub-ConstVar.js:
89         * stress/op_sub-VarConst.js:
90         * stress/op_sub-VarVar.js:
91         * stress/op_urshift-ConstVar.js:
92         * stress/op_urshift-VarConst.js:
93         * stress/op_urshift-VarVar.js:
94         * stress/sampling-profiler-richards.js:
95         * stress/spread-forward-call-varargs-stack-overflow.js:
96
97 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
98
99         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
100         https://bugs.webkit.org/show_bug.cgi?id=193711
101         <rdar://problem/47250262>
102
103         Reviewed by Saam Barati.
104
105         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
106         (shouldBe):
107         (foo):
108         (bar):
109         (baz):
110
111 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
112
113         Unreviewed, fix initial global lexical binding epoch
114         https://bugs.webkit.org/show_bug.cgi?id=193603
115         <rdar://problem/47380869>
116
117         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
118         (f1.f2.f3.f4):
119         (f1.f2.f3):
120         (f1.f2):
121         (f1):
122
123 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
124
125         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
126         https://bugs.webkit.org/show_bug.cgi?id=193709
127         <rdar://problem/47363838>
128
129         Unreviewed, rollout to watch the tests.
130
131         * stress/object-tostring-changed-proto.js: Removed.
132         * stress/object-tostring-changed.js: Removed.
133         * stress/object-tostring-misc.js: Removed.
134         * stress/object-tostring-other.js: Removed.
135         * stress/object-tostring-untyped.js: Removed.
136
137 2019-01-22  Saam Barati  <sbarati@apple.com>
138
139         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
140
141         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
142         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
143         (testUncheckedLessThanZero):
144         (testUncheckedLessThanOrEqualZero):
145         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
146         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
147
148 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
149
150         [JSC] Invalidate old scope operations using global lexical binding epoch
151         https://bugs.webkit.org/show_bug.cgi?id=193603
152         <rdar://problem/47380869>
153
154         Reviewed by Saam Barati.
155
156         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
157         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
158         (shouldThrow):
159         (bar):
160         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
161         (shouldBe):
162         (get1):
163         (get2):
164         (get1If):
165         (get2If):
166         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
167         (shouldThrow):
168         (foo):
169
170 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
171
172         Unreviewed, roll out r240220 due to date-format-xparb regression
173         https://bugs.webkit.org/show_bug.cgi?id=193603
174
175         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
176         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
177         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
178         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
179
180 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
181
182         DoesGC rule is wrong for nodes with BigIntUse
183         https://bugs.webkit.org/show_bug.cgi?id=193652
184
185         Reviewed by Saam Barati.
186
187         * stress/big-int-value-op-update-gc-rules.js: Added.
188         (assert):
189         (doesGCAdd):
190         (doesGCSub):
191         (doesGCDiv):
192         (doesGCMul):
193         (doesGCBitAnd):
194         (doesGCBitOr):
195         (doesGCBitXor):
196
197 2019-01-20  Saam Barati  <sbarati@apple.com>
198
199         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
200         https://bugs.webkit.org/show_bug.cgi?id=193644
201         <rdar://problem/46209745>
202
203         Reviewed by Yusuke Suzuki.
204
205         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
206         (foo):
207         * stress/data-view-set-intrinsic-undefined-result.js: Added.
208         (foo):
209         (bar):
210
211 2019-01-20  Saam Barati  <sbarati@apple.com>
212
213         MovHint must merge NodeBytecodeUsesAsValue for its child
214         https://bugs.webkit.org/show_bug.cgi?id=186916
215         <rdar://problem/41396612>
216
217         Reviewed by Yusuke Suzuki.
218
219         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
220         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
221
222 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
223
224         [JSC] Invalidate old scope operations using global lexical binding epoch
225         https://bugs.webkit.org/show_bug.cgi?id=193603
226         <rdar://problem/47380869>
227
228         Reviewed by Saam Barati.
229
230         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
231         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
232         (shouldThrow):
233         (bar):
234         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
235         (shouldBe):
236         (get1):
237         (get2):
238         (get1If):
239         (get2If):
240         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
241         (shouldThrow):
242         (foo):
243
244 2019-01-17  Saam Barati  <sbarati@apple.com>
245
246         StringObjectUse should not be a structure check for the original string object structure
247         https://bugs.webkit.org/show_bug.cgi?id=193483
248         <rdar://problem/47280522>
249
250         Reviewed by Yusuke Suzuki.
251
252         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
253         (foo):
254         (a.valueOf.0):
255
256 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
257
258         [JSC] ToThis omission in DFGByteCodeParser is wrong
259         https://bugs.webkit.org/show_bug.cgi?id=193513
260         <rdar://problem/45842236>
261
262         Reviewed by Saam Barati.
263
264         * stress/to-this-omission-with-different-strict-modes.js: Added.
265         (thisA):
266         (thisAStrictWrapper):
267
268 2019-01-15  Mark Lam  <mark.lam@apple.com>
269
270         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
271         https://bugs.webkit.org/show_bug.cgi?id=193423
272         <rdar://problem/46209355>
273
274         Reviewed by Saam Barati.
275
276         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
277         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
278         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
279         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
280
281 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
282
283         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
284         https://bugs.webkit.org/show_bug.cgi?id=193438
285         <rdar://problem/45581249>
286
287         Reviewed by Saam Barati and Keith Miller.
288
289         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
290         Then, GetByVal(String) crashed.
291
292         * stress/string-get-by-val-lowering.js: Added.
293         (shouldBe):
294         (test):
295         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
296         (Hello):
297         (foo):
298
299 2019-01-15  Tomas Popela  <tpopela@redhat.com>
300
301         Unreviewed, skip JIT tests if it's not enabled
302
303         * stress/bit-op-with-object-returning-int32.js:
304
305 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
306
307         DFGByteCodeParser rules for bitwise operations should consider type of their operands
308         https://bugs.webkit.org/show_bug.cgi?id=192966
309
310         Reviewed by Yusuke Suzuki.
311
312         * stress/bit-op-with-object-returning-int32.js: Added.
313
314 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
315
316         Skip a slow test and a flakey test on arm
317
318         Unreviewed gardening.
319
320         * typeProfiler/getter-richards.js:
321         this test always times out, it used to be always skipped on arm and
322         mips, but got accidentally enabled by r237919 now that we have DFG on
323         arm. Also skipping on mips as we plan to soon enable DFG for it too.
324
325 2019-01-14  Keith Miller  <keith_miller@apple.com>
326
327         Skip type-check-hoisting-phase-hoist... with no jit
328         https://bugs.webkit.org/show_bug.cgi?id=193421
329
330         Reviewed by Mark Lam.
331
332         It's timing out the 32-bit bots and takes 330 seconds
333         on my machine when run by itself.
334
335         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
336
337 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
338
339         [JSC] AI should check the given constant's array type when folding GetByVal into constant
340         https://bugs.webkit.org/show_bug.cgi?id=193413
341         <rdar://problem/46092389>
342
343         Reviewed by Keith Miller.
344
345         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
346         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
347         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
348         but GetByVal does not have appropriate ArrayModes, JSC crashes.
349
350         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
351         (compareArray):
352
353 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
354
355         [BigInt] Literal parsing is crashing when used inside a Object Literal
356         https://bugs.webkit.org/show_bug.cgi?id=193404
357
358         Reviewed by Yusuke Suzuki.
359
360         * stress/big-int-literal-inside-literal-object.js: Added.
361
362 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
363
364         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
365         https://bugs.webkit.org/show_bug.cgi?id=193372
366
367         Reviewed by Saam Barati.
368
369         * stress/typed-array-array-modes-profile.js: Added.
370         (foo):
371
372 2019-01-14  Mark Lam  <mark.lam@apple.com>
373
374         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
375         https://bugs.webkit.org/show_bug.cgi?id=193402
376         <rdar://problem/46012309>
377
378         Reviewed by Keith Miller.
379
380         * stress/regexp-compile-oom.js:
381         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
382           is enabled.  As a result, it will fail on cloop builds though there is no bug.
383
384 2019-01-11  Saam Barati  <sbarati@apple.com>
385
386         DFG combined liveness can be wrong for terminal basic blocks
387         https://bugs.webkit.org/show_bug.cgi?id=193304
388         <rdar://problem/45268632>
389
390         Reviewed by Yusuke Suzuki.
391
392         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
393
394 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
395
396         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
397         https://bugs.webkit.org/show_bug.cgi?id=193308
398         <rdar://problem/45546542>
399
400         Reviewed by Saam Barati.
401
402         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
403         (shouldThrow):
404         (shouldBe):
405         (foo):
406         (get shouldThrow):
407         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
408         (shouldThrow):
409         (shouldBe):
410         (foo):
411         (get shouldBe):
412         (get shouldThrow):
413         (get return):
414         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
415         (shouldThrow):
416         (shouldBe):
417         (foo):
418         (get shouldBe):
419         (get shouldThrow):
420         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
421         (shouldThrow):
422         (shouldBe):
423         (foo):
424         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
425         (shouldThrow):
426         (shouldBe):
427         (foo):
428         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
429         (shouldThrow):
430         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
431         (shouldThrow):
432         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
433         (shouldThrow):
434         (shouldBe):
435         (foo):
436         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
437         (shouldThrow):
438         (shouldBe):
439         (foo):
440         (get shouldBe):
441         (get shouldThrow):
442         (get return):
443         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
444         (shouldThrow):
445         (shouldBe):
446         (foo):
447         (get shouldBe):
448         (get shouldThrow):
449         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
450         (shouldThrow):
451         (shouldBe):
452         (foo):
453         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
454         (shouldThrow):
455         (shouldBe):
456         (foo):
457
458 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
459
460         Enable DFG on ARM/Linux again
461         https://bugs.webkit.org/show_bug.cgi?id=192496
462
463         Reviewed by Yusuke Suzuki.
464
465         Test wasn't really skipped before moving the line with skip
466         to the top.
467
468         * stress/regress-192717.js:
469
470 2019-01-10  Commit Queue  <commit-queue@webkit.org>
471
472         Unreviewed, rolling out r239825.
473         https://bugs.webkit.org/show_bug.cgi?id=193330
474
475         Broke tests on armv7/linux bots (Requested by guijemont on
476         #webkit).
477
478         Reverted changeset:
479
480         "Enable DFG on ARM/Linux again"
481         https://bugs.webkit.org/show_bug.cgi?id=192496
482         https://trac.webkit.org/changeset/239825
483
484 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
485
486         Enable DFG on ARM/Linux again
487         https://bugs.webkit.org/show_bug.cgi?id=192496
488
489         Reviewed by Yusuke Suzuki.
490
491         Test wasn't really skipped before moving the line with skip
492         to the top.
493
494         * stress/regress-192717.js:
495
496 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
497
498         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
499         https://bugs.webkit.org/show_bug.cgi?id=193127
500
501         Reviewed by Saam Barati.
502
503         * stress/array-species-create-should-handle-masquerader.js: Added.
504         (shouldThrow):
505         * stress/is-undefined-or-null-builtin.js: Added.
506         (shouldBe):
507         (isUndefinedOrNull.vm.createBuiltin):
508
509 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
510
511         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
512         https://bugs.webkit.org/show_bug.cgi?id=193221
513
514         Reviewed by Mark Lam.
515
516         * stress/put-by-id-flags.js: Added.
517         (f):
518         (g):
519         (numberOfDFGCompiles):
520
521 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
522
523         Baseline version of get_by_id may corrupt metadata
524         https://bugs.webkit.org/show_bug.cgi?id=193085
525         <rdar://problem/23453006>
526
527         Reviewed by Saam Barati.
528
529         * stress/get-by-id-change-mode.js: Added.
530         (forEach):
531
532 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
533
534         [JSC] Optimize Object.prototype.toString
535         https://bugs.webkit.org/show_bug.cgi?id=193031
536
537         Reviewed by Saam Barati.
538
539         * stress/object-tostring-changed-proto.js: Added.
540         (shouldBe):
541         (test):
542         * stress/object-tostring-changed.js: Added.
543         (shouldBe):
544         (test):
545         * stress/object-tostring-misc.js: Added.
546         (shouldBe):
547         (test):
548         (i.switch):
549         * stress/object-tostring-other.js: Added.
550         (shouldBe):
551         (test):
552         * stress/object-tostring-untyped.js: Added.
553         (shouldBe):
554         (test):
555         (i.switch):
556
557 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
558
559         test262-runner misbehaves when test file YAML has a trailing space
560         https://bugs.webkit.org/show_bug.cgi?id=193053
561
562         Reviewed by Yusuke Suzuki.
563
564         * test262/expectations.yaml:
565         Mark two dozen tests as passing (and correct the output of another).
566
567 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
568
569         Unreviewed, JSTests gardening with memoryLimited
570
571         * stress/string-overflow-createError.js:
572
573 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
574
575         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
576         https://bugs.webkit.org/show_bug.cgi?id=193050
577
578         Reviewed by Yusuke Suzuki.
579
580         * test262.yaml:
581         * test262/expectations.yaml:
582         Mark 16 tests as passing.
583
584 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
585
586         [BigInt] Support BigInt in JSON.stringify
587         https://bugs.webkit.org/show_bug.cgi?id=192624
588
589         Reviewed by Saam Barati.
590
591         * stress/big-int-json-stringify-to-json.js: Added.
592         (shouldBe):
593         (shouldThrow):
594         (BigInt.prototype.toJSON):
595         (shouldBe.JSON.stringify):
596         * stress/big-int-json-stringify.js: Added.
597         (shouldBe):
598         (shouldThrow):
599
600 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
601
602         [JSC] Implement "well-formed JSON.stringify" proposal
603         https://bugs.webkit.org/show_bug.cgi?id=191677
604
605         Reviewed by Darin Adler.
606
607         * stress/json-surrogate-pair.js: Added.
608         (shouldBe):
609         * test262/expectations.yaml:
610
611 2018-12-20  Keith Miller  <keith_miller@apple.com>
612
613         Add support for globalThis
614         https://bugs.webkit.org/show_bug.cgi?id=165171
615
616         Reviewed by Mark Lam.
617
618         * test262/config.yaml:
619
620 2018-12-19  Keith Miller  <keith_miller@apple.com>
621
622         Update test262 configuration to not run tests dependent on ICU version.
623         https://bugs.webkit.org/show_bug.cgi?id=192920
624
625         Reviewed by Saam Barati.
626
627         * test262/expectations.yaml:
628
629 2018-12-20  Mark Lam  <mark.lam@apple.com>
630
631         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
632         https://bugs.webkit.org/show_bug.cgi?id=192939
633         <rdar://problem/46869516>
634
635         Reviewed by Keith Miller.
636
637         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
638
639 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
640
641         WTF::String and StringImpl overflow MaxLength
642         https://bugs.webkit.org/show_bug.cgi?id=192853
643         <rdar://problem/45726906>
644
645         Reviewed by Mark Lam.
646
647         * stress/string-16bit-repeat-overflow.js: Added.
648         (catch):
649
650 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
651
652         Unreviewed follow-up to r192914.
653
654         * test262/expectations.yaml:
655         Add the last 20 missing expectations.
656
657 2018-12-19  Keith Miller  <keith_miller@apple.com>
658
659         Fix test262 expectations
660         https://bugs.webkit.org/show_bug.cgi?id=192914
661
662         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
663
664         * test262/expectations.yaml:
665
666 2018-12-19  Keith Miller  <keith_miller@apple.com>
667
668         Update test262 tests.
669         https://bugs.webkit.org/show_bug.cgi?id=192907
670
671         Rubber stamped by Mark Lam.
672
673         * test262/*: Omitted because prepare-changelog crashes.
674
675 2018-12-19  Mark Lam  <mark.lam@apple.com>
676
677         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
678         https://bugs.webkit.org/show_bug.cgi?id=192464
679         <rdar://problem/46519455>
680
681         Reviewed by Saam Barati.
682
683         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
684         microbenchmark.
685
686         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
687         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
688
689 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
690
691         String overflow in JSC::createError results in ASSERT in WTF::makeString
692         https://bugs.webkit.org/show_bug.cgi?id=192833
693         <rdar://problem/45706868>
694
695         Reviewed by Mark Lam.
696
697         * stress/string-overflow-createError.js: Added.
698
699 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
700
701         Error message for `-x ** y` contains a typo.
702         https://bugs.webkit.org/show_bug.cgi?id=192832
703
704         Reviewed by Saam Barati.
705
706         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
707         (assert.assert.return.throws):
708         * stress/pow-expects-update-expression-on-lhs.js:
709         (throw.new.Error):
710         Update test expectations which match against the exact error message.
711
712 2018-12-18  Mark Lam  <mark.lam@apple.com>
713
714         Gardening: test options fix.
715         https://bugs.webkit.org/show_bug.cgi?id=192822
716
717         Unreviewed.
718
719         * stress/json-stringify-string-builder-overflow.js:
720
721 2018-12-18  Mark Lam  <mark.lam@apple.com>
722
723         JSON.stringify() should throw OOM on StringBuilder overflows.
724         https://bugs.webkit.org/show_bug.cgi?id=192822
725         <rdar://problem/46670577>
726
727         Reviewed by Saam Barati.
728
729         * stress/json-stringify-string-builder-overflow.js: Added.
730
731 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
732
733         Redeclaration of var over let/const/class should be a syntax error.
734         https://bugs.webkit.org/show_bug.cgi?id=192298
735
736         Reviewed by Keith Miller.
737
738         * test262.yaml:
739         * test262/expectations.yaml:
740         Mark 46 tests as passing.
741
742         * stress/block-scope-redeclarations.js:
743         Add some new tests.
744
745         * stress/for-in-invalidate-context-weird-assignments.js:
746         * stress/for-in-tests.js:
747         Replace tests for outdated behavior with tests for SyntaxError.
748
749         * ChakraCore/test/LetConst/defer3.baseline-jsc:
750         * ChakraCore/test/LetConst/letvar.baseline-jsc:
751         Update expectations.
752
753 2018-12-18  Mark Lam  <mark.lam@apple.com>
754
755         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
756         https://bugs.webkit.org/show_bug.cgi?id=191374
757         <rdar://problem/46525447>
758
759         Reviewed by Yusuke Suzuki.
760
761         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
762
763         * stress/elidable-new-object-roflcopter-then-exit.js:
764
765 2018-12-17  Mark Lam  <mark.lam@apple.com>
766
767         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
768         https://bugs.webkit.org/show_bug.cgi?id=192019
769         <rdar://problem/46525456>
770
771         Reviewed by Yusuke Suzuki.
772
773         The test runs too slow on 32-bit.
774
775         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
776
777 2018-12-17  Mark Lam  <mark.lam@apple.com>
778
779         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
780         https://bugs.webkit.org/show_bug.cgi?id=191373
781         <rdar://problem/46525458>
782
783         Reviewed by Yusuke Suzuki.
784
785         The test is already slow running with a JIT on 64-bit.  It will always time out
786         on 32-bit without a JIT.
787
788         * stress/materialize-regexp-cyclic-regexp.js:
789
790 2018-12-17  Mark Lam  <mark.lam@apple.com>
791
792         Array unshift/shift should not race against the AI in the compiler thread.
793         https://bugs.webkit.org/show_bug.cgi?id=192795
794         <rdar://problem/46724263>
795
796         Reviewed by Saam Barati.
797
798         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
799
800 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
801
802         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
803         https://bugs.webkit.org/show_bug.cgi?id=190047
804
805         Reviewed by Saam Barati.
806
807         * stress/object-keys-cached-zero.js: Added.
808         (shouldBe):
809         (test):
810         * stress/object-keys-changed-attribute.js: Added.
811         (shouldBe):
812         (test):
813         * stress/object-keys-changed-index.js: Added.
814         (shouldBe):
815         (test):
816         * stress/object-keys-changed.js: Added.
817         (shouldBe):
818         (test):
819         * stress/object-keys-indexed-non-cache.js: Added.
820         (shouldBe):
821         (test):
822         * stress/object-keys-overrides-get-property-names.js: Added.
823         (shouldBe):
824         (test):
825         (noInline):
826
827 2018-12-17  Mark Lam  <mark.lam@apple.com>
828
829         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
830         https://bugs.webkit.org/show_bug.cgi?id=192779
831         <rdar://problem/46775869>
832
833         Reviewed by Saam Barati.
834
835         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
836
837 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
838
839         Unreviewed test gardening, address a syntax error in a new test.
840
841         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
842
843 2018-12-17  Mark Lam  <mark.lam@apple.com>
844
845         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
846         https://bugs.webkit.org/show_bug.cgi?id=192776
847         <rdar://problem/46772368>
848
849         Reviewed by Keith Miller.
850
851         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
852
853 2018-12-17  Mark Lam  <mark.lam@apple.com>
854
855         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
856         https://bugs.webkit.org/show_bug.cgi?id=192770
857         <rdar://problem/46449037>
858
859         Reviewed by Keith Miller.
860
861         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
862
863 2018-12-14  Mark Lam  <mark.lam@apple.com>
864
865         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
866         https://bugs.webkit.org/show_bug.cgi?id=192717
867         <rdar://problem/46660677>
868
869         Reviewed by Saam Barati.
870
871         * stress/regress-192717.js: Added.
872
873 2018-12-14  Commit Queue  <commit-queue@webkit.org>
874
875         Unreviewed, rolling out r239153, r239154, and r239155.
876         https://bugs.webkit.org/show_bug.cgi?id=192715
877
878         Caused flaky GC-related crashes seen with layout tests
879         (Requested by ryanhaddad on #webkit).
880
881         Reverted changesets:
882
883         "[JSC] Optimize Object.keys by caching own keys results in
884         StructureRareData"
885         https://bugs.webkit.org/show_bug.cgi?id=190047
886         https://trac.webkit.org/changeset/239153
887
888         "Unreviewed, build fix after r239153"
889         https://bugs.webkit.org/show_bug.cgi?id=190047
890         https://trac.webkit.org/changeset/239154
891
892         "Unreviewed, build fix after r239153, part 2"
893         https://bugs.webkit.org/show_bug.cgi?id=190047
894         https://trac.webkit.org/changeset/239155
895
896 2018-12-14  Keith Miller  <keith_miller@apple.com>
897
898         Callers of JSString::getIndex should check for OOM exceptions
899         https://bugs.webkit.org/show_bug.cgi?id=192709
900
901         Reviewed by Mark Lam.
902
903         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
904
905 2018-12-13  Mark Lam  <mark.lam@apple.com>
906
907         Add a missing exception check.
908         https://bugs.webkit.org/show_bug.cgi?id=192626
909         <rdar://problem/46662163>
910
911         Reviewed by Keith Miller.
912
913         * stress/regress-192626.js: Added.
914
915 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
916
917         [BigInt] Add ValueDiv into DFG
918         https://bugs.webkit.org/show_bug.cgi?id=186178
919
920         Reviewed by Yusuke Suzuki.
921
922         * stress/big-int-div-jit-osr.js: Added.
923         * stress/big-int-div-jit-untyped.js: Added.
924         * stress/value-div-fixup-int32-big-int.js: Added.
925
926 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
927
928         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
929         https://bugs.webkit.org/show_bug.cgi?id=190047
930
931         Reviewed by Keith Miller.
932
933         * stress/object-keys-cached-zero.js: Added.
934         (shouldBe):
935         (test):
936         * stress/object-keys-changed-attribute.js: Added.
937         (shouldBe):
938         (test):
939         * stress/object-keys-changed-index.js: Added.
940         (shouldBe):
941         (test):
942         * stress/object-keys-changed.js: Added.
943         (shouldBe):
944         (test):
945         * stress/object-keys-indexed-non-cache.js: Added.
946         (shouldBe):
947         (test):
948         * stress/object-keys-overrides-get-property-names.js: Added.
949         (shouldBe):
950         (test):
951         (noInline):
952
953 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
954
955         [DFG][FTL] Add NewSymbol
956         https://bugs.webkit.org/show_bug.cgi?id=192620
957
958         Reviewed by Saam Barati.
959
960         * microbenchmarks/symbol-creation.js: Added.
961         (test):
962         * stress/symbol-description-identity.js: Added.
963         (shouldBe):
964         (test):
965         * stress/symbol-identity.js: Added.
966         (shouldBe):
967         (test):
968         * stress/symbol-with-description-throw-error.js: Added.
969         (shouldBe):
970         (shouldThrow):
971         (test):
972         (object.toString):
973
974 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
975
976         [BigInt] Implement DFG/FTL typeof for BigInt
977         https://bugs.webkit.org/show_bug.cgi?id=192619
978
979         Reviewed by Keith Miller.
980
981         * stress/big-int-boolean-proven-type.js: Added.
982         (assert):
983         (bool):
984         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
985         (assert):
986         (typeOf):
987         (i.switch):
988         * stress/big-int-type-of-proven-type-non-constant.js: Added.
989         (assert):
990         (typeOf):
991         * stress/big-int-type-of.js:
992         (typeOf):
993         (func):
994
995 2018-12-10  Mark Lam  <mark.lam@apple.com>
996
997         PropertyAttribute needs a CustomValue bit.
998         https://bugs.webkit.org/show_bug.cgi?id=191993
999         <rdar://problem/46264467>
1000
1001         Reviewed by Saam Barati.
1002
1003         * stress/regress-191993.js: Added.
1004
1005 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1006
1007         [BigInt] Add ValueMul into DFG
1008         https://bugs.webkit.org/show_bug.cgi?id=186175
1009
1010         Reviewed by Yusuke Suzuki.
1011
1012         * stress/big-int-mul-jit-osr.js: Added.
1013         * stress/big-int-mul-jit-untyped.js: Added.
1014         * stress/value-mul-fixup-int32-big-int.js: Added.
1015
1016 2018-12-06  Keith Miller  <keith_miller@apple.com>
1017
1018         stress/big-wasm-memory tests failing on 32-bit JSC bot
1019         https://bugs.webkit.org/show_bug.cgi?id=192020
1020
1021         Reviewed by Saam Barati.
1022
1023         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1024         the wasm stress tests if the WebAssembly object does not exist.
1025
1026         * stress/big-wasm-memory-grow-no-max.js:
1027         (test.foo):
1028         (test):
1029         (foo): Deleted.
1030         (catch): Deleted.
1031         * stress/big-wasm-memory-grow.js:
1032         (test.foo):
1033         (test):
1034         (foo): Deleted.
1035         (catch): Deleted.
1036         * stress/big-wasm-memory.js:
1037         (test.foo):
1038         (test):
1039         (foo): Deleted.
1040         (catch): Deleted.
1041
1042 2018-12-05  Mark Lam  <mark.lam@apple.com>
1043
1044         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1045         https://bugs.webkit.org/show_bug.cgi?id=192441
1046         <rdar://problem/46480355>
1047
1048         Reviewed by Saam Barati.
1049
1050         * stress/regress-192441.js: Added.
1051
1052 2018-12-04  Mark Lam  <mark.lam@apple.com>
1053
1054         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1055         https://bugs.webkit.org/show_bug.cgi?id=192386
1056         <rdar://problem/46445516>
1057
1058         Reviewed by Saam Barati.
1059
1060         * stress/regress-192386.js: Added.
1061
1062 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1063
1064         [ESNext][BigInt] Support logic operations
1065         https://bugs.webkit.org/show_bug.cgi?id=179903
1066
1067         Reviewed by Yusuke Suzuki.
1068
1069         * stress/big-int-branch-usage.js: Added.
1070         * stress/big-int-logical-and.js: Added.
1071         * stress/big-int-logical-not.js: Added.
1072         * stress/big-int-logical-or.js: Added.
1073
1074 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1075
1076         Unreviewed, rolling out r238833.
1077
1078         Breaks macOS and iOS debug builds.
1079
1080         Reverted changeset:
1081
1082         "[ESNext][BigInt] Support logic operations"
1083         https://bugs.webkit.org/show_bug.cgi?id=179903
1084         https://trac.webkit.org/changeset/238833
1085
1086 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1087
1088         [ESNext][BigInt] Support logic operations
1089         https://bugs.webkit.org/show_bug.cgi?id=179903
1090
1091         Reviewed by Yusuke Suzuki.
1092
1093         * stress/big-int-branch-usage.js: Added.
1094         * stress/big-int-logical-and.js: Added.
1095         * stress/big-int-logical-not.js: Added.
1096         * stress/big-int-logical-or.js: Added.
1097
1098 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1099
1100         [ESNext][BigInt] Implement support for "<<" and ">>"
1101         https://bugs.webkit.org/show_bug.cgi?id=186233
1102
1103         Reviewed by Yusuke Suzuki.
1104
1105         * stress/big-int-left-shift-general.js: Added.
1106         * stress/big-int-left-shift-range-error.js: Added.
1107         * stress/big-int-left-shift-type-error.js: Added.
1108         * stress/big-int-left-shift-wrapped-value.js: Added.
1109         * stress/big-int-right-shift-general.js: Added.
1110         * stress/big-int-right-shift-type-error.js: Added.
1111         * stress/big-int-right-shift-wrapped-value.js: Added.
1112         * stress/left-shift-to-primitive-precedence.js: Added.
1113         * stress/right-shift-to-primitive-precedence.js: Added.
1114
1115 2018-11-30  Dean Jackson  <dino@apple.com>
1116
1117         Add first-class support for .mjs files in jsc binary
1118         https://bugs.webkit.org/show_bug.cgi?id=192190
1119         <rdar://problem/46375715>
1120
1121         Reviewed by Keith Miller.
1122
1123         * stress/simple-module.mjs: Added.
1124         * stress/simple-script.js: Added.
1125
1126 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1127
1128         [BigInt] Implement ValueBitXor into DFG
1129         https://bugs.webkit.org/show_bug.cgi?id=190264
1130
1131         Reviewed by Yusuke Suzuki.
1132
1133         * stress/big-int-bitwise-xor-jit.js: Added.
1134         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1135         * stress/big-int-bitwise-xor-untyped.js: Added.
1136
1137 2018-11-27  Saam barati  <sbarati@apple.com>
1138
1139         r238510 broke scopes of size zero
1140         https://bugs.webkit.org/show_bug.cgi?id=192033
1141         <rdar://problem/46281734>
1142
1143         Reviewed by Keith Miller.
1144
1145         * stress/r238510-bad-loop.js: Added.
1146         (foo):
1147
1148 2018-11-27  Mark Lam  <mark.lam@apple.com>
1149
1150         [Re-landing] NaNs read from Wasm code needs to be purified.
1151         https://bugs.webkit.org/show_bug.cgi?id=191056
1152         <rdar://problem/45660341>
1153
1154         Reviewed by Filip Pizlo.
1155
1156         * wasm/regress/regress-191056.js: Added.
1157
1158 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1159
1160         Unreviewed, rolling out r238509.
1161
1162         Causes JSC tests to fail on iOS.
1163
1164         Reverted changeset:
1165
1166         "NaNs read from Wasm code needs to be purified."
1167         https://bugs.webkit.org/show_bug.cgi?id=191056
1168         https://trac.webkit.org/changeset/238509
1169
1170 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1171
1172         Re-introduce op_bitnot
1173         https://bugs.webkit.org/show_bug.cgi?id=190923
1174
1175         Reviewed by Yusuke Suzuki.
1176
1177         * stress/bit-not-must-generate.js: Added.
1178         * stress/bitwise-not-no-int32.js: Added.
1179
1180 2018-11-26  Saam barati  <sbarati@apple.com>
1181
1182         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1183         https://bugs.webkit.org/show_bug.cgi?id=191956
1184         <rdar://problem/45665806>
1185
1186         Reviewed by Yusuke Suzuki.
1187
1188         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1189         (bar):
1190         (foo):
1191
1192 2018-11-26  Saam barati  <sbarati@apple.com>
1193
1194         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1195         https://bugs.webkit.org/show_bug.cgi?id=191958
1196         <rdar://problem/46221877>
1197
1198         Reviewed by Yusuke Suzuki.
1199
1200         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1201         (x):
1202         (foo):
1203
1204 2018-11-26  Mark Lam  <mark.lam@apple.com>
1205
1206         NaNs read from Wasm code needs to be purified.
1207         https://bugs.webkit.org/show_bug.cgi?id=191056
1208         <rdar://problem/45660341>
1209
1210         Reviewed by Filip Pizlo.
1211
1212         * wasm/regress/regress-191056.js: Added.
1213
1214 2018-11-26  Michael Saboff  <msaboff@apple.com>
1215
1216         32-bit JSC test failure: stress/regexp-compile-oom.js
1217         https://bugs.webkit.org/show_bug.cgi?id=191375
1218
1219         Reviewed by Mark Lam.
1220
1221         Disabled the test for 32 bit platforms.
1222
1223         * stress/regexp-compile-oom.js:
1224
1225 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1226
1227         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1228         https://bugs.webkit.org/show_bug.cgi?id=191716
1229         <rdar://problem/45723878>
1230
1231         Reviewed by Saam Barati.
1232
1233         * stress/regress-187373.js: Added.
1234         (async.fn):
1235
1236 2018-11-21  Saam barati  <sbarati@apple.com>
1237
1238         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1239         https://bugs.webkit.org/show_bug.cgi?id=191897
1240         <rdar://problem/45871998>
1241
1242         Reviewed by Mark Lam.
1243
1244         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1245         (bar):
1246         (foo):
1247
1248 2018-11-21  Saam barati  <sbarati@apple.com>
1249
1250         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1251         https://bugs.webkit.org/show_bug.cgi?id=191895
1252         <rdar://problem/46167406>
1253
1254         Reviewed by Mark Lam.
1255
1256         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1257         (foo):
1258         (bar):
1259
1260 2018-11-21  Mark Lam  <mark.lam@apple.com>
1261
1262         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1263         https://bugs.webkit.org/show_bug.cgi?id=191776
1264         <rdar://problem/46152851>
1265
1266         Reviewed by Saam Barati.
1267
1268         * stress/big-wasm-memory-grow-no-max.js:
1269         * stress/big-wasm-memory-grow.js:
1270         * stress/big-wasm-memory.js:
1271         - updated these to expect an OutOfMemoryError.
1272
1273         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1274         (Binary.prototype.emit_u8):
1275         (Binary.prototype.emit_u32v):
1276         (Binary.prototype.emit_header):
1277         (Binary.prototype.emit_section):
1278         (Binary):
1279         (WasmModuleBuilder):
1280         (WasmModuleBuilder.prototype.addMemory):
1281         (WasmModuleBuilder.prototype.toArray):
1282         (WasmModuleBuilder.prototype.toBuffer):
1283         (WasmModuleBuilder.prototype.instantiate):
1284         (catch):
1285         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1286         (catch):
1287
1288 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1289
1290         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1291         https://bugs.webkit.org/show_bug.cgi?id=190836
1292
1293         Reviewed by Saam Barati and Yusuke Suzuki.
1294
1295         * stress/big-int-out-of-memory-tests.js: Added.
1296
1297 2018-11-20  Mark Lam  <mark.lam@apple.com>
1298
1299         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1300         https://bugs.webkit.org/show_bug.cgi?id=191856
1301         <rdar://problem/46089992>
1302
1303         Reviewed by Yusuke Suzuki.
1304
1305         * stress/regress-191856.js: Added.
1306         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1307
1308 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1309
1310         Enable JIT on ARM/Linux
1311         https://bugs.webkit.org/show_bug.cgi?id=191548
1312
1313         Reviewed by Yusuke Suzuki.
1314
1315         Disable test on system with limited memory. Program was killed by
1316         the OS before the exception was thrown.
1317
1318         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1319
1320 2018-11-20  Saam barati  <sbarati@apple.com>
1321
1322         Merging an IC variant may lead to the IC status containing overlapping structure sets
1323         https://bugs.webkit.org/show_bug.cgi?id=191869
1324         <rdar://problem/45403453>
1325
1326         Reviewed by Mark Lam.
1327
1328         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1329
1330 2018-11-19  Mark Lam  <mark.lam@apple.com>
1331
1332         globalFuncImportModule() should return a promise when it clears exceptions.
1333         https://bugs.webkit.org/show_bug.cgi?id=191792
1334         <rdar://problem/46090763>
1335
1336         Reviewed by Michael Saboff.
1337
1338         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1339
1340 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1341
1342         Skip new memory-hungry tests on memory limited devices
1343
1344         Unreviewed gardening.
1345
1346         * stress/big-wasm-memory-grow-no-max.js:
1347         * stress/big-wasm-memory-grow.js:
1348         * stress/big-wasm-memory.js:
1349
1350 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1351
1352         Unreviewed, rolling in the rest of r237254
1353         https://bugs.webkit.org/show_bug.cgi?id=190340
1354
1355         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1356         * stress/function-cache-with-parameters-end-position.js: Added.
1357         (shouldBe):
1358         (shouldThrow):
1359         (i.anonymous):
1360         * stress/function-constructor-name.js: Added.
1361         (shouldBe):
1362         (GeneratorFunction):
1363         (AsyncFunction.async):
1364         (AsyncGeneratorFunction.async):
1365         (anonymous):
1366         (async.anonymous):
1367         * test262/expectations.yaml:
1368
1369 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1370
1371         All users of ArrayBuffer should agree on the same max size
1372         https://bugs.webkit.org/show_bug.cgi?id=191771
1373
1374         Reviewed by Mark Lam.
1375
1376         * stress/big-wasm-memory-grow-no-max.js: Added.
1377         (foo):
1378         (catch):
1379         * stress/big-wasm-memory-grow.js: Added.
1380         (foo):
1381         (catch):
1382         * stress/big-wasm-memory.js: Added.
1383         (foo):
1384         (catch):
1385
1386 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1387
1388         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1389         run for each JSC config since they're regression tests for runtime bugs.
1390
1391         * stress/json-stringified-overflow-2.js:
1392         * stress/json-stringified-overflow.js:
1393
1394 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1395
1396         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1397         config since they're regression tests for runtime bugs.
1398
1399         * stress/large-unshift-splice.js:
1400         * stress/regress-185888.js:
1401
1402 2018-11-16  Saam Barati  <sbarati@apple.com>
1403
1404         KnownCellUse should also have SpecCellCheck as its type filter
1405         https://bugs.webkit.org/show_bug.cgi?id=191729
1406         <rdar://problem/45872852>
1407
1408         Reviewed by Filip Pizlo.
1409
1410         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1411         (C):
1412
1413 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1414
1415         Fix assertion failure on BytecodeGenerator::recordOpcode
1416         https://bugs.webkit.org/show_bug.cgi?id=191724
1417         <rdar://problem/45724395>
1418
1419         Reviewed by Saam Barati.
1420
1421         * stress/regress-187373-2.js: Added.
1422         (foo):
1423
1424 2018-11-15  Mark Lam  <mark.lam@apple.com>
1425
1426         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1427         https://bugs.webkit.org/show_bug.cgi?id=191730
1428         <rdar://problem/46048517>
1429
1430         Reviewed by Saam Barati.
1431
1432         * stress/regress-187006.js: Removed.
1433           - this test is invalid because its sole purpose is to test for the non-spec
1434             compliant behavior that we just fixed.
1435
1436         * stress/regress-191730.js: Added.
1437
1438 2018-11-15  Mark Lam  <mark.lam@apple.com>
1439
1440         RegExp operations should not take fast path if lastIndex is not numeric.
1441         https://bugs.webkit.org/show_bug.cgi?id=191731
1442         <rdar://problem/46017305>
1443
1444         Reviewed by Saam Barati.
1445
1446         * stress/regress-191731.js: Added.
1447
1448 2018-11-13  Saam Barati  <sbarati@apple.com>
1449
1450         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1451         https://bugs.webkit.org/show_bug.cgi?id=191600
1452
1453         Reviewed by Mark Lam.
1454
1455         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1456         (foo):
1457         (test):
1458         (bar):
1459
1460 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1461
1462         Unreviewed, rolling out r238132.
1463
1464         The test added with this change is timing out on Debug JSC
1465         bots.
1466
1467         Reverted changeset:
1468
1469         "[BigInt] JSBigInt::createWithLength should throw when length
1470         is greater than JSBigInt::maxLength"
1471         https://bugs.webkit.org/show_bug.cgi?id=190836
1472         https://trac.webkit.org/changeset/238132
1473
1474 2018-11-13  Mark Lam  <mark.lam@apple.com>
1475
1476         Add OOM detection to StringPrototype's substituteBackreferences().
1477         https://bugs.webkit.org/show_bug.cgi?id=191563
1478         <rdar://problem/45720428>
1479
1480         Reviewed by Saam Barati.
1481
1482         * stress/regress-191563.js: Added.
1483
1484 2018-11-13  Mark Lam  <mark.lam@apple.com>
1485
1486         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1487         https://bugs.webkit.org/show_bug.cgi?id=191579
1488         <rdar://problem/45942472>
1489
1490         Reviewed by Saam Barati.
1491
1492         * stress/regress-191579.js: Added.
1493
1494 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1495
1496         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1497         https://bugs.webkit.org/show_bug.cgi?id=190836
1498
1499         Reviewed by Saam Barati.
1500
1501         * stress/big-int-out-of-memory-tests.js: Added.
1502
1503 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1504
1505         U+180E is no longer a whitespace character
1506         https://bugs.webkit.org/show_bug.cgi?id=191415
1507
1508         Reviewed by Saam Barati.
1509
1510         * ChakraCore/test/es5/regexSpace.baseline:
1511         * ChakraCore/test/es6/unicode_whitespace.js:
1512         Update tests to latest version.
1513         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1514
1515         * test262.yaml:
1516         * test262/config.yaml:
1517         * test262/expectations.yaml:
1518         Update expectations.
1519
1520 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1521
1522         [BigInt] Add support to BigInt into ValueAdd
1523         https://bugs.webkit.org/show_bug.cgi?id=186177
1524
1525         Reviewed by Keith Miller.
1526
1527         * stress/big-int-negate-jit.js:
1528         * stress/value-add-big-int-and-string.js: Added.
1529         * stress/value-add-big-int-prediction-propagation.js: Added.
1530         * stress/value-add-big-int-untyped.js: Added.
1531
1532 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1533
1534         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1535         https://bugs.webkit.org/show_bug.cgi?id=191184
1536
1537         Reviewed by Saam Barati.
1538
1539         Most tests were failing due to timeouts, since they are too slow to
1540         run on CLoop. The exceptions are:
1541
1542         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1543         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1544         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1545         to change the stack size since CLoop requires it to be page aligned.
1546
1547         * microbenchmarks/array-push-1.js:
1548         * microbenchmarks/array-push-2.js:
1549         * microbenchmarks/elidable-new-object-dag.js:
1550         * microbenchmarks/elidable-new-object-roflcopter.js:
1551         * microbenchmarks/elidable-new-object-tree.js:
1552         * microbenchmarks/getter-richards.js:
1553         * microbenchmarks/sinkable-new-object-dag.js:
1554         * microbenchmarks/string-concat-long-convert.js:
1555         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1556         * slowMicrobenchmarks/array-push-3.js:
1557         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1558         * slowMicrobenchmarks/spread-small-array.js:
1559         * slowMicrobenchmarks/undefined-property-access.js:
1560         * stress/activation-sink-default-value-tdz-error.js:
1561         * stress/activation-sink-default-value.js:
1562         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1563         * stress/activation-sink-osrexit-default-value.js:
1564         * stress/activation-sink-osrexit.js:
1565         * stress/activation-sink.js:
1566         * stress/allow-math-ic-b3-code-duplication.js:
1567         * stress/array-push-multiple-int32.js:
1568         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1569         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1570         * stress/arrowfunction-lexical-this-activation-sink.js:
1571         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1572         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1573         * stress/elide-new-object-dag-then-exit.js:
1574         * stress/materialize-regexp-cyclic.js:
1575         * stress/new-regex-inline.js:
1576         * stress/op_add.js:
1577         * stress/op_bitand.js:
1578         * stress/op_bitor.js:
1579         * stress/op_bitxor.js:
1580         * stress/op_div-ConstVar.js:
1581         * stress/op_div-VarConst.js:
1582         * stress/op_div-VarVar.js:
1583         * stress/op_lshift-ConstVar.js:
1584         * stress/op_lshift-VarConst.js:
1585         * stress/op_lshift-VarVar.js:
1586         * stress/op_mod-ConstVar.js:
1587         * stress/op_mod-VarConst.js:
1588         * stress/op_mod-VarVar.js:
1589         * stress/op_mul-ConstVar.js:
1590         * stress/op_mul-VarConst.js:
1591         * stress/op_mul-VarVar.js:
1592         * stress/op_rshift-ConstVar.js:
1593         * stress/op_rshift-VarConst.js:
1594         * stress/op_rshift-VarVar.js:
1595         * stress/op_sub-ConstVar.js:
1596         * stress/op_sub-VarConst.js:
1597         * stress/op_sub-VarVar.js:
1598         * stress/op_urshift-ConstVar.js:
1599         * stress/op_urshift-VarConst.js:
1600         * stress/op_urshift-VarVar.js:
1601         * stress/proxy-get-set-correct-receiver.js:
1602         * stress/regress-179562.js:
1603         * stress/rest-parameter-many-arguments.js:
1604         * stress/sampling-profiler-richards.js:
1605         * stress/splay-flash-access-1ms.js:
1606         * stress/tailCallForwardArguments.js:
1607         * stress/typed-array-get-by-val-profiling.js:
1608         * typeProfiler/getter-richards.js:
1609
1610 2018-11-06  Michael Saboff  <msaboff@apple.com>
1611
1612         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1613         https://bugs.webkit.org/show_bug.cgi?id=191271
1614
1615         Reviewed by Saam Barati.
1616
1617         Added more test cases and made all test cases run with the same deeply recursive stack
1618         instead of finding that same point for each test case.
1619
1620         * stress/regexp-compile-oom.js:
1621         (prototype.runTest):
1622         (recurseAndTest):
1623         (testList.push.new.TestAndExpectedException):
1624
1625 2018-11-05  Michael Saboff  <msaboff@apple.com>
1626
1627         Unreviewed build fix for linux.
1628
1629         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1630
1631 2018-11-02  Michael Saboff  <msaboff@apple.com>
1632
1633         Rolling in r237753 with unreviewed build fix.
1634
1635         Fixed issues with DECLARE_THROW_SCOPE placement.
1636
1637 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1638
1639         Unreviewed, rolling out r237753.
1640
1641         Introduced JSC test failures
1642
1643         Reverted changeset:
1644
1645         "Running out of stack space not properly handled in
1646         RegExp::compile() and its callers"
1647         https://bugs.webkit.org/show_bug.cgi?id=191206
1648         https://trac.webkit.org/changeset/237753
1649
1650 2018-11-02  Michael Saboff  <msaboff@apple.com>
1651
1652         Running out of stack space not properly handled in RegExp::compile() and its callers
1653         https://bugs.webkit.org/show_bug.cgi?id=191206
1654
1655         Reviewed by Filip Pizlo.
1656
1657         New regression test.
1658
1659         * stress/regexp-compile-oom.js: Added.
1660         (recurseAndTest):
1661
1662 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1663
1664         Skip tests on arm/mips that time out now we're running on CLoop
1665
1666         Unreviewed gardening.
1667
1668         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1669         time out on the bots and need to be disabled. There's more tests
1670         disabled on arm because the timeout is longer on the mips bot (as the
1671         device is slower to start with), so many of the tests don't time out
1672         there.
1673
1674         * microbenchmarks/getter-richards.js: disable on arm and mips.
1675         * stress/op_add.js: disable on arm.
1676         * stress/op_bitand.js: disable on arm.
1677         * stress/op_bitor.js: disable on arm.
1678         * stress/op_bitxor.js: disable on arm.
1679         * stress/op_lshift-ConstVar.js: disable on arm.
1680         * stress/op_lshift-VarConst.js: disable on arm.
1681         * stress/op_lshift-VarVar.js: disable on arm.
1682         * stress/op_mod-ConstVar.js: disable on arm.
1683         * stress/op_mod-VarConst.js: disable on arm.
1684         * stress/op_mod-VarVar.js: disable on arm.
1685         * stress/op_mul-ConstVar.js: disable on arm.
1686         * stress/op_mul-VarConst.js: disable on arm.
1687         * stress/op_mul-VarVar.js: disable on arm.
1688         * stress/op_rshift-ConstVar.js: disable on arm.
1689         * stress/op_rshift-VarConst.js: disable on arm.
1690         * stress/op_rshift-VarVar.js: disable on arm.
1691         * stress/op_sub-ConstVar.js: disable on arm.
1692         * stress/op_sub-VarConst.js: disable on arm.
1693         * stress/op_sub-VarVar.js: disable on arm.
1694         * stress/op_urshift-ConstVar.js: disable on arm.
1695         * stress/op_urshift-VarConst.js: disable on arm.
1696         * stress/op_urshift-VarVar.js: disable on arm.
1697         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1698         * stress/value-to-boolean.js: disable on arm and mips.
1699
1700 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1701
1702         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1703         https://bugs.webkit.org/show_bug.cgi?id=191108
1704         <rdar://problem/45690700>
1705
1706         Reviewed by Saam Barati.
1707
1708         * stress/wide-op_catch.js: Added.
1709         (catch):
1710
1711 2018-10-29  Mark Lam  <mark.lam@apple.com>
1712
1713         Correctly detect string overflow when using the 'Function' constructor.
1714         https://bugs.webkit.org/show_bug.cgi?id=184883
1715         <rdar://problem/36320331>
1716
1717         Reviewed by Saam Barati.
1718
1719         I've verified that this passes on 32-bit as well.
1720
1721         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1722
1723 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1724
1725         Add support for GetStack FlushedDouble
1726         https://bugs.webkit.org/show_bug.cgi?id=191012
1727         <rdar://problem/45265141>
1728
1729         Reviewed by Saam Barati.
1730
1731         * stress/get-stack-double.js: Added.
1732         (bar):
1733         (noInline):
1734
1735 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1736
1737         New bytecode format for JSC
1738         https://bugs.webkit.org/show_bug.cgi?id=187373
1739         <rdar://problem/44186758>
1740
1741         Reviewed by Filip Pizlo.
1742
1743         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1744
1745         * stress/maximum-inline-capacity.js: Added.
1746         (test1):
1747         (test3.Foo):
1748         (test3):
1749
1750 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1751
1752         Unreviewed, rolling out r237479 and r237484.
1753         https://bugs.webkit.org/show_bug.cgi?id=190978
1754
1755         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1756
1757         Reverted changesets:
1758
1759         "New bytecode format for JSC"
1760         https://bugs.webkit.org/show_bug.cgi?id=187373
1761         https://trac.webkit.org/changeset/237479
1762
1763         "Gardening: Build fix after r237479."
1764         https://bugs.webkit.org/show_bug.cgi?id=187373
1765         https://trac.webkit.org/changeset/237484
1766
1767 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1768
1769         New bytecode format for JSC
1770         https://bugs.webkit.org/show_bug.cgi?id=187373
1771         <rdar://problem/44186758>
1772
1773         Reviewed by Filip Pizlo.
1774
1775         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1776
1777         * stress/maximum-inline-capacity.js: Added.
1778         (test1):
1779         (test3.Foo):
1780         (test3):
1781
1782 2018-10-26  Mark Lam  <mark.lam@apple.com>
1783
1784         Fix missing edge cases with JSGlobalObjects having a bad time.
1785         https://bugs.webkit.org/show_bug.cgi?id=189028
1786         <rdar://problem/45204939>
1787
1788         Reviewed by Saam Barati.
1789
1790         * stress/regress-189028.js: Added.
1791
1792 2018-10-22  Mark Lam  <mark.lam@apple.com>
1793
1794         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1795         https://bugs.webkit.org/show_bug.cgi?id=190515
1796         <rdar://problem/45222379>
1797
1798         Rubber-stamped by Saam Barati.
1799
1800         Adding another test.
1801
1802         * stress/regress-190515-2.js: Added.
1803
1804 2018-10-22  Mark Lam  <mark.lam@apple.com>
1805
1806         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1807         https://bugs.webkit.org/show_bug.cgi?id=190515
1808         <rdar://problem/45222379>
1809
1810         Reviewed by Saam Barati.
1811
1812         * stress/regress-190515.js: Added.
1813
1814 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1815
1816         Unreviewed, rolling out r237254.
1817         https://bugs.webkit.org/show_bug.cgi?id=190760
1818
1819         "It regresses JetStream 2 by 5% on some iOS devices"
1820         (Requested by saamyjoon on #webkit).
1821
1822         Reverted changeset:
1823
1824         "[JSC] JSC should have "parseFunction" to optimize Function
1825         constructor"
1826         https://bugs.webkit.org/show_bug.cgi?id=190340
1827         https://trac.webkit.org/changeset/237254
1828
1829 2018-10-19  Saam Barati  <sbarati@apple.com>
1830
1831         vmCall should check if we exit before emitting an OSR exit due to exceptions
1832         https://bugs.webkit.org/show_bug.cgi?id=190740
1833         <rdar://problem/45220139>
1834
1835         Reviewed by Mark Lam.
1836
1837         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1838         (foo):
1839
1840 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1841
1842         [ESNext][BigInt] Implement support for "^"
1843         https://bugs.webkit.org/show_bug.cgi?id=186235
1844
1845         Reviewed by Yusuke Suzuki.
1846
1847         * stress/big-int-bitwise-xor-general.js: Added.
1848         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1849         * stress/big-int-bitwise-xor-type-error.js: Added.
1850         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1851
1852 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1853
1854         [BigInt] Add ValueSub into DFG
1855         https://bugs.webkit.org/show_bug.cgi?id=186176
1856
1857         Reviewed by Yusuke Suzuki.
1858
1859         * stress/big-int-subtraction-jit.js:
1860         * stress/value-sub-big-int-prediction-propagation.js: Added.
1861         * stress/value-sub-big-int-untyped.js: Added.
1862         * stress/value-sub-spec-none-case.js: Added.
1863
1864 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1865
1866         [JSC] JSC should have "parseFunction" to optimize Function constructor
1867         https://bugs.webkit.org/show_bug.cgi?id=190340
1868
1869         Reviewed by Mark Lam.
1870
1871         This patch fixes the line number of syntax errors raised by the Function constructor,
1872         since we now parse the final code only once. And we no longer use block statement
1873         for Function constructor's parsing.
1874
1875         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1876         * stress/function-cache-with-parameters-end-position.js: Added.
1877         (shouldBe):
1878         (shouldThrow):
1879         (i.anonymous):
1880         * stress/function-constructor-name.js: Added.
1881         (shouldBe):
1882         (GeneratorFunction):
1883         (AsyncFunction.async):
1884         (AsyncGeneratorFunction.async):
1885         (anonymous):
1886         (async.anonymous):
1887         * test262/expectations.yaml:
1888
1889 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1890
1891         Unreviewed, rolling out r237242.
1892         https://bugs.webkit.org/show_bug.cgi?id=190701
1893
1894         it breaks "stress/sampling-profiler-basic.js" (Requested by
1895         caiolima on #webkit).
1896
1897         Reverted changeset:
1898
1899         "[BigInt] Add ValueSub into DFG"
1900         https://bugs.webkit.org/show_bug.cgi?id=186176
1901         https://trac.webkit.org/changeset/237242
1902
1903 2018-10-17  Keith Miller  <keith_miller@apple.com>
1904
1905         AI does not clear Phantom allocation nodes.
1906         https://bugs.webkit.org/show_bug.cgi?id=190694
1907
1908         Reviewed by Saam Barati.
1909
1910         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1911         (Day):
1912         (DaysInYear):
1913         (TimeInYear):
1914         (TimeFromYear):
1915         (DayFromYear):
1916         (InLeapYear):
1917         (YearFromTime):
1918         (WeekDay):
1919         (DaylightSavingTA):
1920         (GetSecondSundayInMarch):
1921         (TimeInMonth):
1922
1923 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1924
1925         [BigInt] Add ValueSub into DFG
1926         https://bugs.webkit.org/show_bug.cgi?id=186176
1927
1928         Reviewed by Yusuke Suzuki.
1929
1930         * stress/big-int-subtraction-jit.js:
1931         * stress/value-sub-big-int-prediction-propagation.js: Added.
1932         * stress/value-sub-big-int-untyped.js: Added.
1933
1934 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1935
1936         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1937         https://bugs.webkit.org/show_bug.cgi?id=190611
1938
1939         Reviewed by Saam Barati.
1940
1941         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1942         to improve test runtime. On ARM/MIPS this test even timed out when running all
1943         tests.
1944
1945         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1946         (test):
1947
1948 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1949
1950         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1951
1952         Unreviewed gardening.
1953
1954         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1955
1956 2018-10-15  Saam barati  <sbarati@apple.com>
1957
1958         Emit fjcvtzs on ARM64E on Darwin
1959         https://bugs.webkit.org/show_bug.cgi?id=184023
1960
1961         Reviewed by Yusuke Suzuki and Filip Pizlo.
1962
1963         * stress/double-to-int32-NaN.js: Added.
1964         (assert):
1965         (foo):
1966
1967 2018-10-15  Saam Barati  <sbarati@apple.com>
1968
1969         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1970         https://bugs.webkit.org/show_bug.cgi?id=190262
1971         <rdar://problem/44986241>
1972
1973         Reviewed by Mark Lam.
1974
1975         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1976         (test):
1977         * stress/slice-array-storage-with-holes.js: Added.
1978         (main):
1979
1980 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1981
1982         Unreviewed, rolling out r237054.
1983         https://bugs.webkit.org/show_bug.cgi?id=190593
1984
1985         "this regressed JetStream 2 by 6% on iOS" (Requested by
1986         saamyjoon on #webkit).
1987
1988         Reverted changeset:
1989
1990         "[JSC] JSC should have "parseFunction" to optimize Function
1991         constructor"
1992         https://bugs.webkit.org/show_bug.cgi?id=190340
1993         https://trac.webkit.org/changeset/237054
1994
1995 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1996
1997         [JSC] JSON.stringify can accept call-with-no-arguments
1998         https://bugs.webkit.org/show_bug.cgi?id=190343
1999
2000         Reviewed by Mark Lam.
2001
2002         * stress/json-stringify-no-arguments.js: Added.
2003         (shouldBe):
2004
2005 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2006
2007         [JSC] JSC should have "parseFunction" to optimize Function constructor
2008         https://bugs.webkit.org/show_bug.cgi?id=190340
2009
2010         Reviewed by Mark Lam.
2011
2012         This patch fixes the line number of syntax errors raised by the Function constructor,
2013         since we now parse the final code only once. And we no longer use block statement
2014         for Function constructor's parsing.
2015
2016         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2017         * stress/function-cache-with-parameters-end-position.js: Added.
2018         (shouldBe):
2019         (shouldThrow):
2020         (i.anonymous):
2021         * stress/function-constructor-name.js: Added.
2022         (shouldBe):
2023         (GeneratorFunction):
2024         (AsyncFunction.async):
2025         (AsyncGeneratorFunction.async):
2026         (anonymous):
2027         (async.anonymous):
2028         * test262/expectations.yaml:
2029
2030 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2031
2032         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2033         https://bugs.webkit.org/show_bug.cgi?id=190426
2034
2035         Unreviewed gardening.
2036
2037         * stress/sampling-profiler-richards.js:
2038
2039 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2040
2041         [ESNext][BigInt] Implement support for "|"
2042         https://bugs.webkit.org/show_bug.cgi?id=186229
2043
2044         Reviewed by Yusuke Suzuki.
2045
2046         * stress/big-int-bitwise-and-jit.js:
2047         * stress/big-int-bitwise-or-general.js: Added.
2048         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2049         * stress/big-int-bitwise-or-jit.js: Added.
2050         * stress/big-int-bitwise-or-memory-stress.js: Added.
2051         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2052         * stress/big-int-bitwise-or-type-error.js: Added.
2053         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2054
2055 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2056
2057         Skip test on systems with limited memory
2058         Invoking runDefault adds test to runlist; skipping the test in the next
2059         line does not prevent the test from executing. Change order of lines such
2060         that runDefault is only executed if test is not executed.
2061         line does not prevent the test from executing. Change order of lines such
2062         that runDefault is only executed if test is not executed.
2063
2064         Reviewed by Mark Lam.
2065
2066         * stress/regress-190187.js:
2067
2068 2018-10-03  Saam barati  <sbarati@apple.com>
2069
2070         lowXYZ in FTLLower should always filter the type of the incoming edge
2071         https://bugs.webkit.org/show_bug.cgi?id=189939
2072         <rdar://problem/44407030>
2073
2074         Reviewed by Michael Saboff.
2075
2076         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2077         (foo):
2078         (test):
2079
2080 2018-10-03  Mark Lam  <mark.lam@apple.com>
2081
2082         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2083         https://bugs.webkit.org/show_bug.cgi?id=190187
2084         <rdar://problem/42512909>
2085
2086         Reviewed by Michael Saboff.
2087
2088         * stress/regress-190187.js: Added.
2089
2090 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2091
2092         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2093         https://bugs.webkit.org/show_bug.cgi?id=190033
2094
2095         Reviewed by Yusuke Suzuki.
2096
2097         * stress/big-int-to-string.js:
2098
2099 2018-10-01  Mark Lam  <mark.lam@apple.com>
2100
2101         Function.toString() should also copy the source code of Functions that are class definitions.
2102         https://bugs.webkit.org/show_bug.cgi?id=190186
2103         <rdar://problem/44733360>
2104
2105         Reviewed by Saam Barati.
2106
2107         * stress/regress-190186.js: Added.
2108
2109 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2110
2111         Split NaN-check into separate test
2112         https://bugs.webkit.org/show_bug.cgi?id=190010
2113
2114         Reviewed by Saam Barati.
2115
2116         DataView exposes NaN-representation, which is not necessarily the same on each
2117         architecture. Therefore move the check of the NaN-representation into its own
2118         file such that we can disable this test on MIPS where NaN-representation can be
2119         different on older CPUs.
2120
2121         * stress/dataview-jit-set-nan.js: Added.
2122         (assert):
2123         (test.storeLittleEndian):
2124         (test.storeBigEndian):
2125         (test.store):
2126         (test):
2127         * stress/dataview-jit-set.js:
2128         (test5):
2129
2130 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2131
2132         Unreviewed, rolling out r236647.
2133         https://bugs.webkit.org/show_bug.cgi?id=190124
2134
2135         Breaking test stress/big-int-to-string.js (Requested by
2136         caiolima_ on #webkit).
2137
2138         Reverted changeset:
2139
2140         "[BigInt] BigInt.prototype.toString is broken when radix is
2141         power of 2"
2142         https://bugs.webkit.org/show_bug.cgi?id=190033
2143         https://trac.webkit.org/changeset/236647
2144
2145 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2146
2147         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2148         https://bugs.webkit.org/show_bug.cgi?id=190033
2149
2150         Reviewed by Yusuke Suzuki.
2151
2152         * stress/big-int-to-string.js:
2153
2154 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2155
2156         [ESNext][BigInt] Implement support for "&"
2157         https://bugs.webkit.org/show_bug.cgi?id=186228
2158
2159         Reviewed by Yusuke Suzuki.
2160
2161         * stress/big-int-bitwise-and-general.js: Added.
2162         (assert):
2163         (assert.sameValue):
2164         * stress/big-int-bitwise-and-jit.js: Added.
2165         (let.assert.sameValue):
2166         (bigIntBitAnd):
2167         * stress/big-int-bitwise-and-memory-stress.js: Added.
2168         (assert):
2169         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2170         (assert.sameValue):
2171         (let.o.Symbol.toPrimitive):
2172         (catch):
2173         * stress/big-int-bitwise-and-type-error.js: Added.
2174         (assert):
2175         (assertThrowTypeError):
2176         (let.o.valueOf):
2177         (o.valueOf):
2178         (o.toString):
2179         (o.Symbol.toPrimitive):
2180         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2181         (assert.sameValue):
2182         (testBitAnd):
2183         (let.o.Symbol.toPrimitive):
2184         (o.valueOf):
2185         (o.toString):
2186
2187 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2188
2189         JSC test stress/jsc-read.js doesn't support CRLF
2190         https://bugs.webkit.org/show_bug.cgi?id=190063
2191
2192         Reviewed by Yusuke Suzuki.
2193
2194         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2195
2196         * stress/jsc-read.js:
2197         (test):
2198
2199 2018-09-27  Saam barati  <sbarati@apple.com>
2200
2201         Verify the contents of AssemblerBuffer on arm64e
2202         https://bugs.webkit.org/show_bug.cgi?id=190057
2203         <rdar://problem/38916630>
2204
2205         Reviewed by Mark Lam.
2206
2207         * stress/regress-189132.js:
2208
2209 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2210
2211         Disable test without LLInt on ARMv7
2212         https://bugs.webkit.org/show_bug.cgi?id=190037
2213
2214         Reviewed by Mark Lam.
2215
2216         Test runs out of executable memory on ARMv7; do not run
2217         this test without LLInt enabled.
2218
2219         * stress/regress-169445.js:
2220
2221 2018-09-26  Keith Miller  <keith_miller@apple.com>
2222
2223         We should zero unused property storage when rebalancing array storage.
2224         https://bugs.webkit.org/show_bug.cgi?id=188151
2225
2226         Reviewed by Michael Saboff.
2227
2228         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2229
2230 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2231
2232         [JSC] Optimize Array#lastIndexOf
2233         https://bugs.webkit.org/show_bug.cgi?id=189780
2234
2235         Reviewed by Saam Barati.
2236
2237         * stress/array-lastindexof-array-prototype-trap.js: Added.
2238         (shouldBe):
2239         (AncestorArray.prototype.get 2):
2240         (AncestorArray):
2241         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2242         (shouldBe):
2243         * stress/array-lastindexof-hole-nan.js: Added.
2244         (shouldBe):
2245         (throw.new.Error):
2246         * stress/array-lastindexof-infinity.js: Added.
2247         (shouldBe):
2248         (throw.new.Error):
2249         * stress/array-lastindexof-negative-zero.js: Added.
2250         (shouldBe):
2251         (throw.new.Error):
2252         * stress/array-lastindexof-own-getter.js: Added.
2253         (shouldBe):
2254         (throw.new.Error.get array):
2255         (get array):
2256         * stress/array-lastindexof-prototype-trap.js: Added.
2257         (shouldBe):
2258         (DerivedArray.prototype.get 2):
2259         (DerivedArray):
2260
2261 2018-09-25  Saam Barati  <sbarati@apple.com>
2262
2263         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2264         https://bugs.webkit.org/show_bug.cgi?id=189940
2265         <rdar://problem/43640987>
2266
2267         Reviewed by Mark Lam.
2268
2269         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2270
2271 2018-09-24  Saam Barati  <sbarati@apple.com>
2272
2273         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2274         https://bugs.webkit.org/show_bug.cgi?id=189922
2275         <rdar://problem/44651275>
2276
2277         Reviewed by Mark Lam.
2278
2279         * stress/array-indexof-fast-path-effects.js: Added.
2280         * stress/array-indexof-cached-length.js: Added.
2281
2282 2018-09-24  Saam barati  <sbarati@apple.com>
2283
2284         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2285         https://bugs.webkit.org/show_bug.cgi?id=189682
2286         <rdar://problem/43557315>
2287
2288         Reviewed by Mark Lam.
2289
2290         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2291         (foo):
2292
2293 2018-09-22  Saam barati  <sbarati@apple.com>
2294
2295         The sampling should not use Strong<CodeBlock> in its machineLocation field
2296         https://bugs.webkit.org/show_bug.cgi?id=189319
2297
2298         Reviewed by Filip Pizlo.
2299
2300         * stress/sampling-profiler-richards.js: Added.
2301
2302 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2303
2304         [JSC] Optimize Array#indexOf in C++ runtime
2305         https://bugs.webkit.org/show_bug.cgi?id=189507
2306
2307         Reviewed by Saam Barati.
2308
2309         * stress/array-indexof-array-prototype-trap.js: Added.
2310         (shouldBe):
2311         (AncestorArray.prototype.get 2):
2312         (AncestorArray):
2313         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2314         (shouldBe):
2315         * stress/array-indexof-hole-nan.js: Added.
2316         (shouldBe):
2317         (throw.new.Error):
2318         * stress/array-indexof-infinity.js: Added.
2319         (shouldBe):
2320         (throw.new.Error):
2321         * stress/array-indexof-negative-zero.js: Added.
2322         (shouldBe):
2323         (throw.new.Error):
2324         * stress/array-indexof-own-getter.js: Added.
2325         (shouldBe):
2326         (throw.new.Error.get array):
2327         (get array):
2328         * stress/array-indexof-prototype-trap.js: Added.
2329         (shouldBe):
2330         (DerivedArray.prototype.get 2):
2331         (DerivedArray):
2332
2333 2018-09-19  Saam barati  <sbarati@apple.com>
2334
2335         AI rule for MultiPutByOffset executes its effects in the wrong order
2336         https://bugs.webkit.org/show_bug.cgi?id=189757
2337         <rdar://problem/43535257>
2338
2339         Reviewed by Michael Saboff.
2340
2341         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2342         (foo):
2343         (Foo):
2344         (g):
2345
2346 2018-09-17  Mark Lam  <mark.lam@apple.com>
2347
2348         Ensure that ForInContexts are invalidated if their loop local is over-written.
2349         https://bugs.webkit.org/show_bug.cgi?id=189571
2350         <rdar://problem/44402277>
2351
2352         Reviewed by Saam Barati.
2353
2354         * stress/regress-189571.js: Added.
2355
2356 2018-09-17  Saam barati  <sbarati@apple.com>
2357
2358         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2359         https://bugs.webkit.org/show_bug.cgi?id=189676
2360         <rdar://problem/39682897>
2361
2362         Reviewed by Michael Saboff.
2363
2364         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2365         (A):
2366         (K):
2367         (i.catch):
2368
2369 2018-09-14  Saam barati  <sbarati@apple.com>
2370
2371         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2372         https://bugs.webkit.org/show_bug.cgi?id=189628
2373         <rdar://problem/39481690>
2374
2375         Reviewed by Mark Lam.
2376
2377         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2378         (foo):
2379
2380 2018-09-11  Mark Lam  <mark.lam@apple.com>
2381
2382         Test for array initialization in arrayProtoFuncSplice.
2383         https://bugs.webkit.org/show_bug.cgi?id=170253
2384         <rdar://problem/31328773>
2385
2386         Rubber-stamped by Saam Barati.
2387
2388         * stress/regress-170253.js: Added.
2389
2390 2018-09-11  Mark Lam  <mark.lam@apple.com>
2391
2392         Test for IntlObject initialization.
2393         https://bugs.webkit.org/show_bug.cgi?id=170251
2394         <rdar://problem/31328419>
2395
2396         Rubber-stamped by Saam Barati.
2397
2398         * stress/regress-170251.js: Added.
2399
2400 2018-09-11  Mark Lam  <mark.lam@apple.com>
2401
2402         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2403         https://bugs.webkit.org/show_bug.cgi?id=169889
2404         <rdar://problem/31155607>
2405
2406         Reviewed by Saam Barati.
2407
2408         * stress/regress-169889-array-concat.js: Added.
2409         * stress/regress-169889-array-concat1.js: Added.
2410         * stress/regress-169889-array-slice.js: Added.
2411
2412 2018-09-11  Mark Lam  <mark.lam@apple.com>
2413
2414         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2415         https://bugs.webkit.org/show_bug.cgi?id=169445
2416         <rdar://problem/30957435>
2417
2418         Reviewed by Saam Barati.
2419
2420         * stress/regress-169445.js: Added.
2421         (let.gun.eval.A):
2422         (let.gun.eval.B.C):
2423         (let.gun.eval.B.C.prototype.trigger):
2424         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2425         (let.gun.eval.B):
2426         (let.gun.eval):
2427
2428 == Rolled over to ChangeLog-2018-09-11 ==