86ee2061ea146a6cfd328682d23b15d64e62a276
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] String.fromCharCode's slow path always generates 16bit string
4         https://bugs.webkit.org/show_bug.cgi?id=194466
5
6         Reviewed by Keith Miller.
7
8         * stress/string-from-char-code-slow-path.js: Added.
9         (shouldBe):
10         (testWithLength):
11
12 2019-02-08  Saam barati  <sbarati@apple.com>
13
14         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
15         https://bugs.webkit.org/show_bug.cgi?id=194334
16         <rdar://problem/47844327>
17
18         Reviewed by Mark Lam.
19
20         * stress/check-in-bounds-should-be-a-child-use.js: Added.
21         (func):
22
23 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
24
25         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
26         https://bugs.webkit.org/show_bug.cgi?id=194369
27         <rdar://problem/47813087>
28
29         Reviewed by Saam Barati.
30
31         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
32         (A):
33
34 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
35
36         [JSC] PrivateName to PublicName hash table is wasteful
37         https://bugs.webkit.org/show_bug.cgi?id=194277
38
39         Reviewed by Michael Saboff.
40
41         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
42
43         * ChakraCore.yaml:
44
45 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
46
47         [ARM] Test running out of executable memory
48         https://bugs.webkit.org/show_bug.cgi?id=194285
49
50         Unreviewed. Do no execute test with LLInt disabled, test runs out of
51         executable memory otherwise.
52
53         * stress/class-subclassing-function.js:
54
55 2019-02-04  Robin Morisset  <rmorisset@apple.com>
56
57         when lowering AssertNotEmpty, create the value before creating the patchpoint
58         https://bugs.webkit.org/show_bug.cgi?id=194231
59
60         Reviewed by Saam Barati.
61
62         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
63         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
64         So even tiny changes to this test can change the path code taken.
65
66         * stress/assert-not-empty.js: Added.
67         (foo):
68
69 2019-02-01  Mark Lam  <mark.lam@apple.com>
70
71         Remove invalid assertion in DFG's compileDoubleRep().
72         https://bugs.webkit.org/show_bug.cgi?id=194130
73         <rdar://problem/47699474>
74
75         Reviewed by Saam Barati.
76
77         * stress/constant-fold-double-rep-into-double-constant.js: Added.
78
79 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
80
81         Import latest Test262 updates.
82
83         Rubber-stamped by Keith Miller.
84
85         * test262.yaml: Deleted.
86         * test262/config.yaml:
87         * test262/expectations.yaml:
88         * test262/latest-changes-summary.txt:
89         * test262/test/:
90         * test262/test262-Revision.txt:
91
92 2019-01-30  Robin Morisset  <rmorisset@apple.com>
93
94         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
95         https://bugs.webkit.org/show_bug.cgi?id=194050
96         <rdar://problem/47595592>
97
98         Reviewed by Yusuke Suzuki.
99
100         * stress/object-keys-osr-exit.js: Added.
101         (foo):
102         (catch):
103
104 2019-01-29  Mark Lam  <mark.lam@apple.com>
105
106         ValueRecovery::recover() should purify NaN values it recovers.
107         https://bugs.webkit.org/show_bug.cgi?id=193978
108         <rdar://problem/47625488>
109
110         Reviewed by Saam Barati.
111
112         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
113
114 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
115
116         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
117         https://bugs.webkit.org/show_bug.cgi?id=193713
118
119         * stress/try-get-by-id-should-spill-registers-dfg.js:
120         (let.f.createBuiltin):
121
122 2019-01-28  Mark Lam  <mark.lam@apple.com>
123
124         ToString node actually does GC.
125         https://bugs.webkit.org/show_bug.cgi?id=193920
126         <rdar://problem/46695900>
127
128         Reviewed by Yusuke Suzuki.
129
130         * stress/dfg-to-string-on-int-does-gc.js: Added.
131         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
132         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
133
134 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
135
136         [JSC] NativeErrorConstructor should not have own IsoSubspace
137         https://bugs.webkit.org/show_bug.cgi?id=193713
138
139         Reviewed by Saam Barati.
140
141         Remove @Error use.
142
143         * stress/try-get-by-id-should-spill-registers-dfg.js:
144         (let.f.createBuiltin):
145
146 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
147
148         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
149         https://bugs.webkit.org/show_bug.cgi?id=190693
150
151         Reviewed by Michael Saboff.
152
153         * stress/regress-190693.js: Added.
154         (truth):
155         (assert):
156         (shouldThrowInvalidConstAssignment):
157         (taz):
158
159 2019-01-24  Saam Barati  <sbarati@apple.com>
160
161         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
162         https://bugs.webkit.org/show_bug.cgi?id=193751
163         <rdar://problem/47280215>
164
165         Reviewed by Michael Saboff.
166
167         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
168         (let.thing):
169         (foo.let.hello):
170         (foo):
171
172 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
173
174         [JSC] Reenable baseline JIT on mips
175         https://bugs.webkit.org/show_bug.cgi?id=192983
176
177         Reviewed by Mark Lam.
178
179         Added a new test for a case that was triggering a RELEASE_ASSERT when
180         testing.
181         Disable some slow tests that were already disabled for arm and x86.
182
183         * stress/json-parse-big-object.js: Added.
184         * stress/new-largeish-contiguous-array-with-size.js:
185         * stress/op_add.js:
186         * stress/op_bitand.js:
187         * stress/op_bitor.js:
188         * stress/op_bitxor.js:
189         * stress/op_lshift-ConstVar.js:
190         * stress/op_lshift-VarConst.js:
191         * stress/op_lshift-VarVar.js:
192         * stress/op_mod-ConstVar.js:
193         * stress/op_mod-VarConst.js:
194         * stress/op_mod-VarVar.js:
195         * stress/op_mul-ConstVar.js:
196         * stress/op_mul-VarConst.js:
197         * stress/op_mul-VarVar.js:
198         * stress/op_rshift-ConstVar.js:
199         * stress/op_rshift-VarConst.js:
200         * stress/op_rshift-VarVar.js:
201         * stress/op_sub-ConstVar.js:
202         * stress/op_sub-VarConst.js:
203         * stress/op_sub-VarVar.js:
204         * stress/op_urshift-ConstVar.js:
205         * stress/op_urshift-VarConst.js:
206         * stress/op_urshift-VarVar.js:
207         * stress/sampling-profiler-richards.js:
208         * stress/spread-forward-call-varargs-stack-overflow.js:
209
210 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
211
212         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
213         https://bugs.webkit.org/show_bug.cgi?id=193711
214         <rdar://problem/47250262>
215
216         Reviewed by Saam Barati.
217
218         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
219         (shouldBe):
220         (foo):
221         (bar):
222         (baz):
223
224 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
225
226         Unreviewed, fix initial global lexical binding epoch
227         https://bugs.webkit.org/show_bug.cgi?id=193603
228         <rdar://problem/47380869>
229
230         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
231         (f1.f2.f3.f4):
232         (f1.f2.f3):
233         (f1.f2):
234         (f1):
235
236 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
237
238         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
239         https://bugs.webkit.org/show_bug.cgi?id=193709
240         <rdar://problem/47363838>
241
242         Unreviewed, rollout to watch the tests.
243
244         * stress/object-tostring-changed-proto.js: Removed.
245         * stress/object-tostring-changed.js: Removed.
246         * stress/object-tostring-misc.js: Removed.
247         * stress/object-tostring-other.js: Removed.
248         * stress/object-tostring-untyped.js: Removed.
249
250 2019-01-22  Saam Barati  <sbarati@apple.com>
251
252         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
253
254         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
255         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
256         (testUncheckedLessThanZero):
257         (testUncheckedLessThanOrEqualZero):
258         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
259         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
260
261 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
262
263         [JSC] Invalidate old scope operations using global lexical binding epoch
264         https://bugs.webkit.org/show_bug.cgi?id=193603
265         <rdar://problem/47380869>
266
267         Reviewed by Saam Barati.
268
269         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
270         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
271         (shouldThrow):
272         (bar):
273         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
274         (shouldBe):
275         (get1):
276         (get2):
277         (get1If):
278         (get2If):
279         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
280         (shouldThrow):
281         (foo):
282
283 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
284
285         Unreviewed, roll out r240220 due to date-format-xparb regression
286         https://bugs.webkit.org/show_bug.cgi?id=193603
287
288         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
289         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
290         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
291         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
292
293 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
294
295         DoesGC rule is wrong for nodes with BigIntUse
296         https://bugs.webkit.org/show_bug.cgi?id=193652
297
298         Reviewed by Saam Barati.
299
300         * stress/big-int-value-op-update-gc-rules.js: Added.
301         (assert):
302         (doesGCAdd):
303         (doesGCSub):
304         (doesGCDiv):
305         (doesGCMul):
306         (doesGCBitAnd):
307         (doesGCBitOr):
308         (doesGCBitXor):
309
310 2019-01-20  Saam Barati  <sbarati@apple.com>
311
312         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
313         https://bugs.webkit.org/show_bug.cgi?id=193644
314         <rdar://problem/46209745>
315
316         Reviewed by Yusuke Suzuki.
317
318         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
319         (foo):
320         * stress/data-view-set-intrinsic-undefined-result.js: Added.
321         (foo):
322         (bar):
323
324 2019-01-20  Saam Barati  <sbarati@apple.com>
325
326         MovHint must merge NodeBytecodeUsesAsValue for its child
327         https://bugs.webkit.org/show_bug.cgi?id=186916
328         <rdar://problem/41396612>
329
330         Reviewed by Yusuke Suzuki.
331
332         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
333         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
334
335 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
336
337         [JSC] Invalidate old scope operations using global lexical binding epoch
338         https://bugs.webkit.org/show_bug.cgi?id=193603
339         <rdar://problem/47380869>
340
341         Reviewed by Saam Barati.
342
343         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
344         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
345         (shouldThrow):
346         (bar):
347         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
348         (shouldBe):
349         (get1):
350         (get2):
351         (get1If):
352         (get2If):
353         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
354         (shouldThrow):
355         (foo):
356
357 2019-01-17  Saam barati  <sbarati@apple.com>
358
359         StringObjectUse should not be a structure check for the original string object structure
360         https://bugs.webkit.org/show_bug.cgi?id=193483
361         <rdar://problem/47280522>
362
363         Reviewed by Yusuke Suzuki.
364
365         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
366         (foo):
367         (a.valueOf.0):
368
369 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
370
371         [JSC] ToThis omission in DFGByteCodeParser is wrong
372         https://bugs.webkit.org/show_bug.cgi?id=193513
373         <rdar://problem/45842236>
374
375         Reviewed by Saam Barati.
376
377         * stress/to-this-omission-with-different-strict-modes.js: Added.
378         (thisA):
379         (thisAStrictWrapper):
380
381 2019-01-15  Mark Lam  <mark.lam@apple.com>
382
383         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
384         https://bugs.webkit.org/show_bug.cgi?id=193423
385         <rdar://problem/46209355>
386
387         Reviewed by Saam Barati.
388
389         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
390         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
391         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
392         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
393
394 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
395
396         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
397         https://bugs.webkit.org/show_bug.cgi?id=193438
398         <rdar://problem/45581249>
399
400         Reviewed by Saam Barati and Keith Miller.
401
402         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
403         Then, GetByVal(String) crashed.
404
405         * stress/string-get-by-val-lowering.js: Added.
406         (shouldBe):
407         (test):
408         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
409         (Hello):
410         (foo):
411
412 2019-01-15  Tomas Popela  <tpopela@redhat.com>
413
414         Unreviewed, skip JIT tests if it's not enabled
415
416         * stress/bit-op-with-object-returning-int32.js:
417
418 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
419
420         DFGByteCodeParser rules for bitwise operations should consider type of their operands
421         https://bugs.webkit.org/show_bug.cgi?id=192966
422
423         Reviewed by Yusuke Suzuki.
424
425         * stress/bit-op-with-object-returning-int32.js: Added.
426
427 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
428
429         Skip a slow test and a flakey test on arm
430
431         Unreviewed gardening.
432
433         * typeProfiler/getter-richards.js:
434         this test always times out, it used to be always skipped on arm and
435         mips, but got accidentally enabled by r237919 now that we have DFG on
436         arm. Also skipping on mips as we plan to soon enable DFG for it too.
437
438 2019-01-14  Keith Miller  <keith_miller@apple.com>
439
440         Skip type-check-hoisting-phase-hoist... with no jit
441         https://bugs.webkit.org/show_bug.cgi?id=193421
442
443         Reviewed by Mark Lam.
444
445         It's timing out the 32-bit bots and takes 330 seconds
446         on my machine when run by itself.
447
448         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
449
450 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
451
452         [JSC] AI should check the given constant's array type when folding GetByVal into constant
453         https://bugs.webkit.org/show_bug.cgi?id=193413
454         <rdar://problem/46092389>
455
456         Reviewed by Keith Miller.
457
458         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
459         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
460         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
461         but GetByVal does not have appropriate ArrayModes, JSC crashes.
462
463         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
464         (compareArray):
465
466 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
467
468         [BigInt] Literal parsing is crashing when used inside a Object Literal
469         https://bugs.webkit.org/show_bug.cgi?id=193404
470
471         Reviewed by Yusuke Suzuki.
472
473         * stress/big-int-literal-inside-literal-object.js: Added.
474
475 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
476
477         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
478         https://bugs.webkit.org/show_bug.cgi?id=193372
479
480         Reviewed by Saam Barati.
481
482         * stress/typed-array-array-modes-profile.js: Added.
483         (foo):
484
485 2019-01-14  Mark Lam  <mark.lam@apple.com>
486
487         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
488         https://bugs.webkit.org/show_bug.cgi?id=193402
489         <rdar://problem/46012309>
490
491         Reviewed by Keith Miller.
492
493         * stress/regexp-compile-oom.js:
494         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
495           is enabled.  As a result, it will fail on cloop builds though there is no bug.
496
497 2019-01-11  Saam barati  <sbarati@apple.com>
498
499         DFG combined liveness can be wrong for terminal basic blocks
500         https://bugs.webkit.org/show_bug.cgi?id=193304
501         <rdar://problem/45268632>
502
503         Reviewed by Yusuke Suzuki.
504
505         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
506
507 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
508
509         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
510         https://bugs.webkit.org/show_bug.cgi?id=193308
511         <rdar://problem/45546542>
512
513         Reviewed by Saam Barati.
514
515         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
516         (shouldThrow):
517         (shouldBe):
518         (foo):
519         (get shouldThrow):
520         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
521         (shouldThrow):
522         (shouldBe):
523         (foo):
524         (get shouldBe):
525         (get shouldThrow):
526         (get return):
527         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
528         (shouldThrow):
529         (shouldBe):
530         (foo):
531         (get shouldBe):
532         (get shouldThrow):
533         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
534         (shouldThrow):
535         (shouldBe):
536         (foo):
537         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
538         (shouldThrow):
539         (shouldBe):
540         (foo):
541         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
542         (shouldThrow):
543         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
544         (shouldThrow):
545         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
546         (shouldThrow):
547         (shouldBe):
548         (foo):
549         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
550         (shouldThrow):
551         (shouldBe):
552         (foo):
553         (get shouldBe):
554         (get shouldThrow):
555         (get return):
556         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
557         (shouldThrow):
558         (shouldBe):
559         (foo):
560         (get shouldBe):
561         (get shouldThrow):
562         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
563         (shouldThrow):
564         (shouldBe):
565         (foo):
566         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
567         (shouldThrow):
568         (shouldBe):
569         (foo):
570
571 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
572
573         Enable DFG on ARM/Linux again
574         https://bugs.webkit.org/show_bug.cgi?id=192496
575
576         Reviewed by Yusuke Suzuki.
577
578         Test wasn't really skipped before moving the line with skip
579         to the top.
580
581         * stress/regress-192717.js:
582
583 2019-01-10  Commit Queue  <commit-queue@webkit.org>
584
585         Unreviewed, rolling out r239825.
586         https://bugs.webkit.org/show_bug.cgi?id=193330
587
588         Broke tests on armv7/linux bots (Requested by guijemont on
589         #webkit).
590
591         Reverted changeset:
592
593         "Enable DFG on ARM/Linux again"
594         https://bugs.webkit.org/show_bug.cgi?id=192496
595         https://trac.webkit.org/changeset/239825
596
597 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
598
599         Enable DFG on ARM/Linux again
600         https://bugs.webkit.org/show_bug.cgi?id=192496
601
602         Reviewed by Yusuke Suzuki.
603
604         Test wasn't really skipped before moving the line with skip
605         to the top.
606
607         * stress/regress-192717.js:
608
609 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
610
611         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
612         https://bugs.webkit.org/show_bug.cgi?id=193127
613
614         Reviewed by Saam Barati.
615
616         * stress/array-species-create-should-handle-masquerader.js: Added.
617         (shouldThrow):
618         * stress/is-undefined-or-null-builtin.js: Added.
619         (shouldBe):
620         (isUndefinedOrNull.vm.createBuiltin):
621
622 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
623
624         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
625         https://bugs.webkit.org/show_bug.cgi?id=193221
626
627         Reviewed by Mark Lam.
628
629         * stress/put-by-id-flags.js: Added.
630         (f):
631         (g):
632         (numberOfDFGCompiles):
633
634 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
635
636         Baseline version of get_by_id may corrupt metadata
637         https://bugs.webkit.org/show_bug.cgi?id=193085
638         <rdar://problem/23453006>
639
640         Reviewed by Saam Barati.
641
642         * stress/get-by-id-change-mode.js: Added.
643         (forEach):
644
645 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
646
647         [JSC] Optimize Object.prototype.toString
648         https://bugs.webkit.org/show_bug.cgi?id=193031
649
650         Reviewed by Saam Barati.
651
652         * stress/object-tostring-changed-proto.js: Added.
653         (shouldBe):
654         (test):
655         * stress/object-tostring-changed.js: Added.
656         (shouldBe):
657         (test):
658         * stress/object-tostring-misc.js: Added.
659         (shouldBe):
660         (test):
661         (i.switch):
662         * stress/object-tostring-other.js: Added.
663         (shouldBe):
664         (test):
665         * stress/object-tostring-untyped.js: Added.
666         (shouldBe):
667         (test):
668         (i.switch):
669
670 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
671
672         test262-runner misbehaves when test file YAML has a trailing space
673         https://bugs.webkit.org/show_bug.cgi?id=193053
674
675         Reviewed by Yusuke Suzuki.
676
677         * test262/expectations.yaml:
678         Mark two dozen tests as passing (and correct the output of another).
679
680 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
681
682         Unreviewed, JSTests gardening with memoryLimited
683
684         * stress/string-overflow-createError.js:
685
686 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
687
688         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
689         https://bugs.webkit.org/show_bug.cgi?id=193050
690
691         Reviewed by Yusuke Suzuki.
692
693         * test262.yaml:
694         * test262/expectations.yaml:
695         Mark 16 tests as passing.
696
697 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
698
699         [BigInt] Support BigInt in JSON.stringify
700         https://bugs.webkit.org/show_bug.cgi?id=192624
701
702         Reviewed by Saam Barati.
703
704         * stress/big-int-json-stringify-to-json.js: Added.
705         (shouldBe):
706         (shouldThrow):
707         (BigInt.prototype.toJSON):
708         (shouldBe.JSON.stringify):
709         * stress/big-int-json-stringify.js: Added.
710         (shouldBe):
711         (shouldThrow):
712
713 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
714
715         [JSC] Implement "well-formed JSON.stringify" proposal
716         https://bugs.webkit.org/show_bug.cgi?id=191677
717
718         Reviewed by Darin Adler.
719
720         * stress/json-surrogate-pair.js: Added.
721         (shouldBe):
722         * test262/expectations.yaml:
723
724 2018-12-20  Keith Miller  <keith_miller@apple.com>
725
726         Add support for globalThis
727         https://bugs.webkit.org/show_bug.cgi?id=165171
728
729         Reviewed by Mark Lam.
730
731         * test262/config.yaml:
732
733 2018-12-19  Keith Miller  <keith_miller@apple.com>
734
735         Update test262 configuration to not run tests dependent on ICU version.
736         https://bugs.webkit.org/show_bug.cgi?id=192920
737
738         Reviewed by Saam Barati.
739
740         * test262/expectations.yaml:
741
742 2018-12-20  Mark Lam  <mark.lam@apple.com>
743
744         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
745         https://bugs.webkit.org/show_bug.cgi?id=192939
746         <rdar://problem/46869516>
747
748         Reviewed by Keith Miller.
749
750         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
751
752 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
753
754         WTF::String and StringImpl overflow MaxLength
755         https://bugs.webkit.org/show_bug.cgi?id=192853
756         <rdar://problem/45726906>
757
758         Reviewed by Mark Lam.
759
760         * stress/string-16bit-repeat-overflow.js: Added.
761         (catch):
762
763 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
764
765         Unreviewed follow-up to r192914.
766
767         * test262/expectations.yaml:
768         Add the last 20 missing expectations.
769
770 2018-12-19  Keith Miller  <keith_miller@apple.com>
771
772         Fix test262 expectations
773         https://bugs.webkit.org/show_bug.cgi?id=192914
774
775         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
776
777         * test262/expectations.yaml:
778
779 2018-12-19  Keith Miller  <keith_miller@apple.com>
780
781         Update test262 tests.
782         https://bugs.webkit.org/show_bug.cgi?id=192907
783
784         Rubber stamped by Mark Lam.
785
786         * test262/*: Omitted because prepare-changelog crashes.
787
788 2018-12-19  Mark Lam  <mark.lam@apple.com>
789
790         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
791         https://bugs.webkit.org/show_bug.cgi?id=192464
792         <rdar://problem/46519455>
793
794         Reviewed by Saam Barati.
795
796         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
797         microbenchmark.
798
799         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
800         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
801
802 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
803
804         String overflow in JSC::createError results in ASSERT in WTF::makeString
805         https://bugs.webkit.org/show_bug.cgi?id=192833
806         <rdar://problem/45706868>
807
808         Reviewed by Mark Lam.
809
810         * stress/string-overflow-createError.js: Added.
811
812 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
813
814         Error message for `-x ** y` contains a typo.
815         https://bugs.webkit.org/show_bug.cgi?id=192832
816
817         Reviewed by Saam Barati.
818
819         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
820         (assert.assert.return.throws):
821         * stress/pow-expects-update-expression-on-lhs.js:
822         (throw.new.Error):
823         Update test expectations which match against the exact error message.
824
825 2018-12-18  Mark Lam  <mark.lam@apple.com>
826
827         Gardening: test options fix.
828         https://bugs.webkit.org/show_bug.cgi?id=192822
829
830         Unreviewed.
831
832         * stress/json-stringify-string-builder-overflow.js:
833
834 2018-12-18  Mark Lam  <mark.lam@apple.com>
835
836         JSON.stringify() should throw OOM on StringBuilder overflows.
837         https://bugs.webkit.org/show_bug.cgi?id=192822
838         <rdar://problem/46670577>
839
840         Reviewed by Saam Barati.
841
842         * stress/json-stringify-string-builder-overflow.js: Added.
843
844 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
845
846         Redeclaration of var over let/const/class should be a syntax error.
847         https://bugs.webkit.org/show_bug.cgi?id=192298
848
849         Reviewed by Keith Miller.
850
851         * test262.yaml:
852         * test262/expectations.yaml:
853         Mark 46 tests as passing.
854
855         * stress/block-scope-redeclarations.js:
856         Add some new tests.
857
858         * stress/for-in-invalidate-context-weird-assignments.js:
859         * stress/for-in-tests.js:
860         Replace tests for outdated behavior with tests for SyntaxError.
861
862         * ChakraCore/test/LetConst/defer3.baseline-jsc:
863         * ChakraCore/test/LetConst/letvar.baseline-jsc:
864         Update expectations.
865
866 2018-12-18  Mark Lam  <mark.lam@apple.com>
867
868         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
869         https://bugs.webkit.org/show_bug.cgi?id=191374
870         <rdar://problem/46525447>
871
872         Reviewed by Yusuke Suzuki.
873
874         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
875
876         * stress/elidable-new-object-roflcopter-then-exit.js:
877
878 2018-12-17  Mark Lam  <mark.lam@apple.com>
879
880         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
881         https://bugs.webkit.org/show_bug.cgi?id=192019
882         <rdar://problem/46525456>
883
884         Reviewed by Yusuke Suzuki.
885
886         The test runs too slow on 32-bit.
887
888         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
889
890 2018-12-17  Mark Lam  <mark.lam@apple.com>
891
892         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
893         https://bugs.webkit.org/show_bug.cgi?id=191373
894         <rdar://problem/46525458>
895
896         Reviewed by Yusuke Suzuki.
897
898         The test is already slow running with a JIT on 64-bit.  It will always timeout
899         on 32-bit without a JIT.
900
901         * stress/materialize-regexp-cyclic-regexp.js:
902
903 2018-12-17  Mark Lam  <mark.lam@apple.com>
904
905         Array unshift/shift should not race against the AI in the compiler thread.
906         https://bugs.webkit.org/show_bug.cgi?id=192795
907         <rdar://problem/46724263>
908
909         Reviewed by Saam Barati.
910
911         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
912
913 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
914
915         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
916         https://bugs.webkit.org/show_bug.cgi?id=190047
917
918         Reviewed by Saam Barati.
919
920         * stress/object-keys-cached-zero.js: Added.
921         (shouldBe):
922         (test):
923         * stress/object-keys-changed-attribute.js: Added.
924         (shouldBe):
925         (test):
926         * stress/object-keys-changed-index.js: Added.
927         (shouldBe):
928         (test):
929         * stress/object-keys-changed.js: Added.
930         (shouldBe):
931         (test):
932         * stress/object-keys-indexed-non-cache.js: Added.
933         (shouldBe):
934         (test):
935         * stress/object-keys-overrides-get-property-names.js: Added.
936         (shouldBe):
937         (test):
938         (noInline):
939
940 2018-12-17  Mark Lam  <mark.lam@apple.com>
941
942         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
943         https://bugs.webkit.org/show_bug.cgi?id=192779
944         <rdar://problem/46775869>
945
946         Reviewed by Saam Barati.
947
948         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
949
950 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
951
952         Unreviewed test gardening, address a syntax error in a new test.
953
954         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
955
956 2018-12-17  Mark Lam  <mark.lam@apple.com>
957
958         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
959         https://bugs.webkit.org/show_bug.cgi?id=192776
960         <rdar://problem/46772368>
961
962         Reviewed by Keith Miller.
963
964         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
965
966 2018-12-17  Mark Lam  <mark.lam@apple.com>
967
968         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
969         https://bugs.webkit.org/show_bug.cgi?id=192770
970         <rdar://problem/46449037>
971
972         Reviewed by Keith Miller.
973
974         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
975
976 2018-12-14  Mark Lam  <mark.lam@apple.com>
977
978         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
979         https://bugs.webkit.org/show_bug.cgi?id=192717
980         <rdar://problem/46660677>
981
982         Reviewed by Saam Barati.
983
984         * stress/regress-192717.js: Added.
985
986 2018-12-14  Commit Queue  <commit-queue@webkit.org>
987
988         Unreviewed, rolling out r239153, r239154, and r239155.
989         https://bugs.webkit.org/show_bug.cgi?id=192715
990
991         Caused flaky GC-related crashes seen with layout tests
992         (Requested by ryanhaddad on #webkit).
993
994         Reverted changesets:
995
996         "[JSC] Optimize Object.keys by caching own keys results in
997         StructureRareData"
998         https://bugs.webkit.org/show_bug.cgi?id=190047
999         https://trac.webkit.org/changeset/239153
1000
1001         "Unreviewed, build fix after r239153"
1002         https://bugs.webkit.org/show_bug.cgi?id=190047
1003         https://trac.webkit.org/changeset/239154
1004
1005         "Unreviewed, build fix after r239153, part 2"
1006         https://bugs.webkit.org/show_bug.cgi?id=190047
1007         https://trac.webkit.org/changeset/239155
1008
1009 2018-12-14  Keith Miller  <keith_miller@apple.com>
1010
1011         Callers of JSString::getIndex should check for OOM exceptions
1012         https://bugs.webkit.org/show_bug.cgi?id=192709
1013
1014         Reviewed by Mark Lam.
1015
1016         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1017
1018 2018-12-13  Mark Lam  <mark.lam@apple.com>
1019
1020         Add a missing exception check.
1021         https://bugs.webkit.org/show_bug.cgi?id=192626
1022         <rdar://problem/46662163>
1023
1024         Reviewed by Keith Miller.
1025
1026         * stress/regress-192626.js: Added.
1027
1028 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1029
1030         [BigInt] Add ValueDiv into DFG
1031         https://bugs.webkit.org/show_bug.cgi?id=186178
1032
1033         Reviewed by Yusuke Suzuki.
1034
1035         * stress/big-int-div-jit-osr.js: Added.
1036         * stress/big-int-div-jit-untyped.js: Added.
1037         * stress/value-div-fixup-int32-big-int.js: Added.
1038
1039 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1040
1041         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1042         https://bugs.webkit.org/show_bug.cgi?id=190047
1043
1044         Reviewed by Keith Miller.
1045
1046         * stress/object-keys-cached-zero.js: Added.
1047         (shouldBe):
1048         (test):
1049         * stress/object-keys-changed-attribute.js: Added.
1050         (shouldBe):
1051         (test):
1052         * stress/object-keys-changed-index.js: Added.
1053         (shouldBe):
1054         (test):
1055         * stress/object-keys-changed.js: Added.
1056         (shouldBe):
1057         (test):
1058         * stress/object-keys-indexed-non-cache.js: Added.
1059         (shouldBe):
1060         (test):
1061         * stress/object-keys-overrides-get-property-names.js: Added.
1062         (shouldBe):
1063         (test):
1064         (noInline):
1065
1066 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1067
1068         [DFG][FTL] Add NewSymbol
1069         https://bugs.webkit.org/show_bug.cgi?id=192620
1070
1071         Reviewed by Saam Barati.
1072
1073         * microbenchmarks/symbol-creation.js: Added.
1074         (test):
1075         * stress/symbol-description-identity.js: Added.
1076         (shouldBe):
1077         (test):
1078         * stress/symbol-identity.js: Added.
1079         (shouldBe):
1080         (test):
1081         * stress/symbol-with-description-throw-error.js: Added.
1082         (shouldBe):
1083         (shouldThrow):
1084         (test):
1085         (object.toString):
1086
1087 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1088
1089         [BigInt] Implement DFG/FTL typeof for BigInt
1090         https://bugs.webkit.org/show_bug.cgi?id=192619
1091
1092         Reviewed by Keith Miller.
1093
1094         * stress/big-int-boolean-proven-type.js: Added.
1095         (assert):
1096         (bool):
1097         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1098         (assert):
1099         (typeOf):
1100         (i.switch):
1101         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1102         (assert):
1103         (typeOf):
1104         * stress/big-int-type-of.js:
1105         (typeOf):
1106         (func):
1107
1108 2018-12-10  Mark Lam  <mark.lam@apple.com>
1109
1110         PropertyAttribute needs a CustomValue bit.
1111         https://bugs.webkit.org/show_bug.cgi?id=191993
1112         <rdar://problem/46264467>
1113
1114         Reviewed by Saam Barati.
1115
1116         * stress/regress-191993.js: Added.
1117
1118 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1119
1120         [BigInt] Add ValueMul into DFG
1121         https://bugs.webkit.org/show_bug.cgi?id=186175
1122
1123         Reviewed by Yusuke Suzuki.
1124
1125         * stress/big-int-mul-jit-osr.js: Added.
1126         * stress/big-int-mul-jit-untyped.js: Added.
1127         * stress/value-mul-fixup-int32-big-int.js: Added.
1128
1129 2018-12-06  Keith Miller  <keith_miller@apple.com>
1130
1131         stress/big-wasm-memory tests failing on 32-bit JSC bot
1132         https://bugs.webkit.org/show_bug.cgi?id=192020
1133
1134         Reviewed by Saam Barati.
1135
1136         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1137         the wasm stress tests if the WebAssembly object does not exist.
1138
1139         * stress/big-wasm-memory-grow-no-max.js:
1140         (test.foo):
1141         (test):
1142         (foo): Deleted.
1143         (catch): Deleted.
1144         * stress/big-wasm-memory-grow.js:
1145         (test.foo):
1146         (test):
1147         (foo): Deleted.
1148         (catch): Deleted.
1149         * stress/big-wasm-memory.js:
1150         (test.foo):
1151         (test):
1152         (foo): Deleted.
1153         (catch): Deleted.
1154
1155 2018-12-05  Mark Lam  <mark.lam@apple.com>
1156
1157         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1158         https://bugs.webkit.org/show_bug.cgi?id=192441
1159         <rdar://problem/46480355>
1160
1161         Reviewed by Saam Barati.
1162
1163         * stress/regress-192441.js: Added.
1164
1165 2018-12-04  Mark Lam  <mark.lam@apple.com>
1166
1167         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1168         https://bugs.webkit.org/show_bug.cgi?id=192386
1169         <rdar://problem/46445516>
1170
1171         Reviewed by Saam Barati.
1172
1173         * stress/regress-192386.js: Added.
1174
1175 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1176
1177         [ESNext][BigInt] Support logic operations
1178         https://bugs.webkit.org/show_bug.cgi?id=179903
1179
1180         Reviewed by Yusuke Suzuki.
1181
1182         * stress/big-int-branch-usage.js: Added.
1183         * stress/big-int-logical-and.js: Added.
1184         * stress/big-int-logical-not.js: Added.
1185         * stress/big-int-logical-or.js: Added.
1186
1187 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1188
1189         Unreviewed, rolling out r238833.
1190
1191         Breaks macOS and iOS debug builds.
1192
1193         Reverted changeset:
1194
1195         "[ESNext][BigInt] Support logic operations"
1196         https://bugs.webkit.org/show_bug.cgi?id=179903
1197         https://trac.webkit.org/changeset/238833
1198
1199 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1200
1201         [ESNext][BigInt] Support logic operations
1202         https://bugs.webkit.org/show_bug.cgi?id=179903
1203
1204         Reviewed by Yusuke Suzuki.
1205
1206         * stress/big-int-branch-usage.js: Added.
1207         * stress/big-int-logical-and.js: Added.
1208         * stress/big-int-logical-not.js: Added.
1209         * stress/big-int-logical-or.js: Added.
1210
1211 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1212
1213         [ESNext][BigInt] Implement support for "<<" and ">>"
1214         https://bugs.webkit.org/show_bug.cgi?id=186233
1215
1216         Reviewed by Yusuke Suzuki.
1217
1218         * stress/big-int-left-shift-general.js: Added.
1219         * stress/big-int-left-shift-range-error.js: Added.
1220         * stress/big-int-left-shift-type-error.js: Added.
1221         * stress/big-int-left-shift-wrapped-value.js: Added.
1222         * stress/big-int-right-shift-general.js: Added.
1223         * stress/big-int-right-shift-type-error.js: Added.
1224         * stress/big-int-right-shift-wrapped-value.js: Added.
1225         * stress/left-shift-to-primitive-precedence.js: Added.
1226         * stress/right-shift-to-primitive-precedence.js: Added.
1227
1228 2018-11-30  Dean Jackson  <dino@apple.com>
1229
1230         Add first-class support for .mjs files in jsc binary
1231         https://bugs.webkit.org/show_bug.cgi?id=192190
1232         <rdar://problem/46375715>
1233
1234         Reviewed by Keith Miller.
1235
1236         * stress/simple-module.mjs: Added.
1237         * stress/simple-script.js: Added.
1238
1239 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1240
1241         [BigInt] Implement ValueBitXor into DFG
1242         https://bugs.webkit.org/show_bug.cgi?id=190264
1243
1244         Reviewed by Yusuke Suzuki.
1245
1246         * stress/big-int-bitwise-xor-jit.js: Added.
1247         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1248         * stress/big-int-bitwise-xor-untyped.js: Added.
1249
1250 2018-11-27  Saam barati  <sbarati@apple.com>
1251
1252         r238510 broke scopes of size zero
1253         https://bugs.webkit.org/show_bug.cgi?id=192033
1254         <rdar://problem/46281734>
1255
1256         Reviewed by Keith Miller.
1257
1258         * stress/r238510-bad-loop.js: Added.
1259         (foo):
1260
1261 2018-11-27  Mark Lam  <mark.lam@apple.com>
1262
1263         [Re-landing] NaNs read from Wasm code needs to be be purified.
1264         https://bugs.webkit.org/show_bug.cgi?id=191056
1265         <rdar://problem/45660341>
1266
1267         Reviewed by Filip Pizlo.
1268
1269         * wasm/regress/regress-191056.js: Added.
1270
1271 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1272
1273         Unreviewed, rolling out r238509.
1274
1275         Causes JSC tests to fail on iOS.
1276
1277         Reverted changeset:
1278
1279         "NaNs read from Wasm code needs to be be purified."
1280         https://bugs.webkit.org/show_bug.cgi?id=191056
1281         https://trac.webkit.org/changeset/238509
1282
1283 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1284
1285         Re-introduce op_bitnot
1286         https://bugs.webkit.org/show_bug.cgi?id=190923
1287
1288         Reviewed by Yusuke Suzuki.
1289
1290         * stress/bit-not-must-generate.js: Added.
1291         * stress/bitwise-not-no-int32.js: Added.
1292
1293 2018-11-26  Saam barati  <sbarati@apple.com>
1294
1295         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1296         https://bugs.webkit.org/show_bug.cgi?id=191956
1297         <rdar://problem/45665806>
1298
1299         Reviewed by Yusuke Suzuki.
1300
1301         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1302         (bar):
1303         (foo):
1304
1305 2018-11-26  Saam barati  <sbarati@apple.com>
1306
1307         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1308         https://bugs.webkit.org/show_bug.cgi?id=191958
1309         <rdar://problem/46221877>
1310
1311         Reviewed by Yusuke Suzuki.
1312
1313         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1314         (x):
1315         (foo):
1316
1317 2018-11-26  Mark Lam  <mark.lam@apple.com>
1318
1319         NaNs read from Wasm code needs to be be purified.
1320         https://bugs.webkit.org/show_bug.cgi?id=191056
1321         <rdar://problem/45660341>
1322
1323         Reviewed by Filip Pizlo.
1324
1325         * wasm/regress/regress-191056.js: Added.
1326
1327 2018-11-26  Michael Saboff  <msaboff@apple.com>
1328
1329         32-bit JSC test failure: stress/regexp-compile-oom.js
1330         https://bugs.webkit.org/show_bug.cgi?id=191375
1331
1332         Reviewed by Mark Lam.
1333
1334         Disabled the test for 32 bit platforms.
1335
1336         * stress/regexp-compile-oom.js:
1337
1338 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1339
1340         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1341         https://bugs.webkit.org/show_bug.cgi?id=191716
1342         <rdar://problem/45723878>
1343
1344         Reviewed by Saam Barati.
1345
1346         * stress/regress-187373.js: Added.
1347         (async.fn):
1348
1349 2018-11-21  Saam barati  <sbarati@apple.com>
1350
1351         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1352         https://bugs.webkit.org/show_bug.cgi?id=191897
1353         <rdar://problem/45871998>
1354
1355         Reviewed by Mark Lam.
1356
1357         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1358         (bar):
1359         (foo):
1360
1361 2018-11-21  Saam barati  <sbarati@apple.com>
1362
1363         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1364         https://bugs.webkit.org/show_bug.cgi?id=191895
1365         <rdar://problem/46167406>
1366
1367         Reviewed by Mark Lam.
1368
1369         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1370         (foo):
1371         (bar):
1372
1373 2018-11-21  Mark Lam  <mark.lam@apple.com>
1374
1375         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1376         https://bugs.webkit.org/show_bug.cgi?id=191776
1377         <rdar://problem/46152851>
1378
1379         Reviewed by Saam Barati.
1380
1381         * stress/big-wasm-memory-grow-no-max.js:
1382         * stress/big-wasm-memory-grow.js:
1383         * stress/big-wasm-memory.js:
1384         - updated these to expect an OutOfMemoryError.
1385
1386         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1387         (Binary.prototype.emit_u8):
1388         (Binary.prototype.emit_u32v):
1389         (Binary.prototype.emit_header):
1390         (Binary.prototype.emit_section):
1391         (Binary):
1392         (WasmModuleBuilder):
1393         (WasmModuleBuilder.prototype.addMemory):
1394         (WasmModuleBuilder.prototype.toArray):
1395         (WasmModuleBuilder.prototype.toBuffer):
1396         (WasmModuleBuilder.prototype.instantiate):
1397         (catch):
1398         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1399         (catch):
1400
1401 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1402
1403         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1404         https://bugs.webkit.org/show_bug.cgi?id=190836
1405
1406         Reviewed by Saam Barati and Yusuke Suzuki.
1407
1408         * stress/big-int-out-of-memory-tests.js: Added.
1409
1410 2018-11-20  Mark Lam  <mark.lam@apple.com>
1411
1412         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1413         https://bugs.webkit.org/show_bug.cgi?id=191856
1414         <rdar://problem/46089992>
1415
1416         Reviewed by Yusuke Suzuki.
1417
1418         * stress/regress-191856.js: Added.
1419         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1420
1421 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1422
1423         Enable JIT on ARM/Linux
1424         https://bugs.webkit.org/show_bug.cgi?id=191548
1425
1426         Reviewed by Yusuke Suzuki.
1427
1428         Disable test on system with limited memory. Program was killed by
1429         the OS before the exception was thrown.
1430
1431         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1432
1433 2018-11-20  Saam barati  <sbarati@apple.com>
1434
1435         Merging an IC variant may lead to the IC status containing overlapping structure sets
1436         https://bugs.webkit.org/show_bug.cgi?id=191869
1437         <rdar://problem/45403453>
1438
1439         Reviewed by Mark Lam.
1440
1441         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1442
1443 2018-11-19  Mark Lam  <mark.lam@apple.com>
1444
1445         globalFuncImportModule() should return a promise when it clears exceptions.
1446         https://bugs.webkit.org/show_bug.cgi?id=191792
1447         <rdar://problem/46090763>
1448
1449         Reviewed by Michael Saboff.
1450
1451         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1452
1453 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1454
1455         Skip new memory-hungry tests on memory limited devices
1456
1457         Unreviewed gardening.
1458
1459         * stress/big-wasm-memory-grow-no-max.js:
1460         * stress/big-wasm-memory-grow.js:
1461         * stress/big-wasm-memory.js:
1462
1463 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1464
1465         Unreviewed, rolling in the rest of r237254
1466         https://bugs.webkit.org/show_bug.cgi?id=190340
1467
1468         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1469         * stress/function-cache-with-parameters-end-position.js: Added.
1470         (shouldBe):
1471         (shouldThrow):
1472         (i.anonymous):
1473         * stress/function-constructor-name.js: Added.
1474         (shouldBe):
1475         (GeneratorFunction):
1476         (AsyncFunction.async):
1477         (AsyncGeneratorFunction.async):
1478         (anonymous):
1479         (async.anonymous):
1480         * test262/expectations.yaml:
1481
1482 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1483
1484         All users of ArrayBuffer should agree on the same max size
1485         https://bugs.webkit.org/show_bug.cgi?id=191771
1486
1487         Reviewed by Mark Lam.
1488
1489         * stress/big-wasm-memory-grow-no-max.js: Added.
1490         (foo):
1491         (catch):
1492         * stress/big-wasm-memory-grow.js: Added.
1493         (foo):
1494         (catch):
1495         * stress/big-wasm-memory.js: Added.
1496         (foo):
1497         (catch):
1498
1499 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1500
1501         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1502         run for each JSC config since they're regression tests for runtime bugs.
1503
1504         * stress/json-stringified-overflow-2.js:
1505         * stress/json-stringified-overflow.js:
1506
1507 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1508
1509         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1510         config since they're regression tests for runtime bugs.
1511
1512         * stress/large-unshift-splice.js:
1513         * stress/regress-185888.js:
1514
1515 2018-11-16  Saam Barati  <sbarati@apple.com>
1516
1517         KnownCellUse should also have SpecCellCheck as its type filter
1518         https://bugs.webkit.org/show_bug.cgi?id=191729
1519         <rdar://problem/45872852>
1520
1521         Reviewed by Filip Pizlo.
1522
1523         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1524         (C):
1525
1526 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1527
1528         Fix assertion failure on BytecodeGenerator::recordOpcode
1529         https://bugs.webkit.org/show_bug.cgi?id=191724
1530         <rdar://problem/45724395>
1531
1532         Reviewed by Saam Barati.
1533
1534         * stress/regress-187373-2.js: Added.
1535         (foo):
1536
1537 2018-11-15  Mark Lam  <mark.lam@apple.com>
1538
1539         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1540         https://bugs.webkit.org/show_bug.cgi?id=191730
1541         <rdar://problem/46048517>
1542
1543         Reviewed by Saam Barati.
1544
1545         * stress/regress-187006.js: Removed.
1546           - this test is invalid because its sole purpose is to test for the non-spec
1547             compliant behavior that we just fixed.
1548
1549         * stress/regress-191730.js: Added.
1550
1551 2018-11-15  Mark Lam  <mark.lam@apple.com>
1552
1553         RegExp operations should not take fast patch if lastIndex is not numeric.
1554         https://bugs.webkit.org/show_bug.cgi?id=191731
1555         <rdar://problem/46017305>
1556
1557         Reviewed by Saam Barati.
1558
1559         * stress/regress-191731.js: Added.
1560
1561 2018-11-13  Saam Barati  <sbarati@apple.com>
1562
1563         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1564         https://bugs.webkit.org/show_bug.cgi?id=191600
1565
1566         Reviewed by Mark Lam.
1567
1568         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1569         (foo):
1570         (test):
1571         (bar):
1572
1573 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1574
1575         Unreviewed, rolling out r238132.
1576
1577         The test added with this change is timing out on Debug JSC
1578         bots.
1579
1580         Reverted changeset:
1581
1582         "[BigInt] JSBigInt::createWithLength should throw when length
1583         is greater than JSBigInt::maxLength"
1584         https://bugs.webkit.org/show_bug.cgi?id=190836
1585         https://trac.webkit.org/changeset/238132
1586
1587 2018-11-13  Mark Lam  <mark.lam@apple.com>
1588
1589         Add OOM detection to StringPrototype's substituteBackreferences().
1590         https://bugs.webkit.org/show_bug.cgi?id=191563
1591         <rdar://problem/45720428>
1592
1593         Reviewed by Saam Barati.
1594
1595         * stress/regress-191563.js: Added.
1596
1597 2018-11-13  Mark Lam  <mark.lam@apple.com>
1598
1599         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1600         https://bugs.webkit.org/show_bug.cgi?id=191579
1601         <rdar://problem/45942472>
1602
1603         Reviewed by Saam Barati.
1604
1605         * stress/regress-191579.js: Added.
1606
1607 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1608
1609         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1610         https://bugs.webkit.org/show_bug.cgi?id=190836
1611
1612         Reviewed by Saam Barati.
1613
1614         * stress/big-int-out-of-memory-tests.js: Added.
1615
1616 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1617
1618         U+180E is no longer a whitespace character
1619         https://bugs.webkit.org/show_bug.cgi?id=191415
1620
1621         Reviewed by Saam Barati.
1622
1623         * ChakraCore/test/es5/regexSpace.baseline:
1624         * ChakraCore/test/es6/unicode_whitespace.js:
1625         Update tests to latest version.
1626         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1627
1628         * test262.yaml:
1629         * test262/config.yaml:
1630         * test262/expectations.yaml:
1631         Update expectations.
1632
1633 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1634
1635         [BigInt] Add support to BigInt into ValueAdd
1636         https://bugs.webkit.org/show_bug.cgi?id=186177
1637
1638         Reviewed by Keith Miller.
1639
1640         * stress/big-int-negate-jit.js:
1641         * stress/value-add-big-int-and-string.js: Added.
1642         * stress/value-add-big-int-prediction-propagation.js: Added.
1643         * stress/value-add-big-int-untyped.js: Added.
1644
1645 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1646
1647         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1648         https://bugs.webkit.org/show_bug.cgi?id=191184
1649
1650         Reviewed by Saam Barati.
1651
1652         Most tests were failing due to timeouts, since they are too slow to
1653         run on CLoop. The exceptions are:
1654
1655         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1656         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1657         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1658         to change the stack size since CLoop requires it to be page aligned.
1659
1660         * microbenchmarks/array-push-1.js:
1661         * microbenchmarks/array-push-2.js:
1662         * microbenchmarks/elidable-new-object-dag.js:
1663         * microbenchmarks/elidable-new-object-roflcopter.js:
1664         * microbenchmarks/elidable-new-object-tree.js:
1665         * microbenchmarks/getter-richards.js:
1666         * microbenchmarks/sinkable-new-object-dag.js:
1667         * microbenchmarks/string-concat-long-convert.js:
1668         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1669         * slowMicrobenchmarks/array-push-3.js:
1670         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1671         * slowMicrobenchmarks/spread-small-array.js:
1672         * slowMicrobenchmarks/undefined-property-access.js:
1673         * stress/activation-sink-default-value-tdz-error.js:
1674         * stress/activation-sink-default-value.js:
1675         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1676         * stress/activation-sink-osrexit-default-value.js:
1677         * stress/activation-sink-osrexit.js:
1678         * stress/activation-sink.js:
1679         * stress/allow-math-ic-b3-code-duplication.js:
1680         * stress/array-push-multiple-int32.js:
1681         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1682         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1683         * stress/arrowfunction-lexical-this-activation-sink.js:
1684         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1685         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1686         * stress/elide-new-object-dag-then-exit.js:
1687         * stress/materialize-regexp-cyclic.js:
1688         * stress/new-regex-inline.js:
1689         * stress/op_add.js:
1690         * stress/op_bitand.js:
1691         * stress/op_bitor.js:
1692         * stress/op_bitxor.js:
1693         * stress/op_div-ConstVar.js:
1694         * stress/op_div-VarConst.js:
1695         * stress/op_div-VarVar.js:
1696         * stress/op_lshift-ConstVar.js:
1697         * stress/op_lshift-VarConst.js:
1698         * stress/op_lshift-VarVar.js:
1699         * stress/op_mod-ConstVar.js:
1700         * stress/op_mod-VarConst.js:
1701         * stress/op_mod-VarVar.js:
1702         * stress/op_mul-ConstVar.js:
1703         * stress/op_mul-VarConst.js:
1704         * stress/op_mul-VarVar.js:
1705         * stress/op_rshift-ConstVar.js:
1706         * stress/op_rshift-VarConst.js:
1707         * stress/op_rshift-VarVar.js:
1708         * stress/op_sub-ConstVar.js:
1709         * stress/op_sub-VarConst.js:
1710         * stress/op_sub-VarVar.js:
1711         * stress/op_urshift-ConstVar.js:
1712         * stress/op_urshift-VarConst.js:
1713         * stress/op_urshift-VarVar.js:
1714         * stress/proxy-get-set-correct-receiver.js:
1715         * stress/regress-179562.js:
1716         * stress/rest-parameter-many-arguments.js:
1717         * stress/sampling-profiler-richards.js:
1718         * stress/splay-flash-access-1ms.js:
1719         * stress/tailCallForwardArguments.js:
1720         * stress/typed-array-get-by-val-profiling.js:
1721         * typeProfiler/getter-richards.js:
1722
1723 2018-11-06  Michael Saboff  <msaboff@apple.com>
1724
1725         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1726         https://bugs.webkit.org/show_bug.cgi?id=191271
1727
1728         Reviewed by Saam Barati.
1729
1730         Added more test cases and made all test cases run with the same deeply recursive stack
1731         instead of finding that same point for each test case.
1732
1733         * stress/regexp-compile-oom.js:
1734         (prototype.runTest):
1735         (recurseAndTest):
1736         (testList.push.new.TestAndExpectedException):
1737
1738 2018-11-05  Michael Saboff  <msaboff@apple.com>
1739
1740         Unreviewed build fix for linux.
1741
1742         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1743
1744 2018-11-02  Michael Saboff  <msaboff@apple.com>
1745
1746         Rolling in r237753 with unreviewed build fix.
1747
1748         Fixed issues with DECLARE_THROW_SCOPE placement.
1749
1750 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1751
1752         Unreviewed, rolling out r237753.
1753
1754         Introduced JSC test failures
1755
1756         Reverted changeset:
1757
1758         "Running out of stack space not properly handled in
1759         RegExp::compile() and its callers"
1760         https://bugs.webkit.org/show_bug.cgi?id=191206
1761         https://trac.webkit.org/changeset/237753
1762
1763 2018-11-02  Michael Saboff  <msaboff@apple.com>
1764
1765         Running out of stack space not properly handled in RegExp::compile() and its callers
1766         https://bugs.webkit.org/show_bug.cgi?id=191206
1767
1768         Reviewed by Filip Pizlo.
1769
1770         New regression test.
1771
1772         * stress/regexp-compile-oom.js: Added.
1773         (recurseAndTest):
1774
1775 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1776
1777         Skip tests on arm/mips that time out now we're running on CLoop
1778
1779         Unreviewed gardening.
1780
1781         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1782         time out on the bots and need to be disabled. There's more tests
1783         disabled on arm because the timeout is longer on the mips bot (as the
1784         device is slower to start with), so many of the tests don't time out
1785         there.
1786
1787         * microbenchmarks/getter-richards.js: disable on arm and mips.
1788         * stress/op_add.js: disable on arm.
1789         * stress/op_bitand.js: disable on arm.
1790         * stress/op_bitor.js: disable on arm.
1791         * stress/op_bitxor.js: disable on arm.
1792         * stress/op_lshift-ConstVar.js: disable on arm.
1793         * stress/op_lshift-VarConst.js: disable on arm.
1794         * stress/op_lshift-VarVar.js: disable on arm.
1795         * stress/op_mod-ConstVar.js: disable on arm.
1796         * stress/op_mod-VarConst.js: disable on arm.
1797         * stress/op_mod-VarVar.js: disable on arm.
1798         * stress/op_mul-ConstVar.js: disable on arm.
1799         * stress/op_mul-VarConst.js: disable on arm.
1800         * stress/op_mul-VarVar.js: disable on arm.
1801         * stress/op_rshift-ConstVar.js: disable on arm.
1802         * stress/op_rshift-VarConst.js: disable on arm.
1803         * stress/op_rshift-VarVar.js: disable on arm.
1804         * stress/op_sub-ConstVar.js: disable on arm.
1805         * stress/op_sub-VarConst.js: disable on arm.
1806         * stress/op_sub-VarVar.js: disable on arm.
1807         * stress/op_urshift-ConstVar.js: disable on arm.
1808         * stress/op_urshift-VarConst.js: disable on arm.
1809         * stress/op_urshift-VarVar.js: disable on arm.
1810         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1811         * stress/value-to-boolean.js: disable on arm and mips.
1812
1813 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1814
1815         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1816         https://bugs.webkit.org/show_bug.cgi?id=191108
1817         <rdar://problem/45690700>
1818
1819         Reviewed by Saam Barati.
1820
1821         * stress/wide-op_catch.js: Added.
1822         (catch):
1823
1824 2018-10-29  Mark Lam  <mark.lam@apple.com>
1825
1826         Correctly detect string overflow when using the 'Function' constructor.
1827         https://bugs.webkit.org/show_bug.cgi?id=184883
1828         <rdar://problem/36320331>
1829
1830         Reviewed by Saam Barati.
1831
1832         I've verified that this passes on 32-bit as well.
1833
1834         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1835
1836 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1837
1838         Add support for GetStack FlushedDouble
1839         https://bugs.webkit.org/show_bug.cgi?id=191012
1840         <rdar://problem/45265141>
1841
1842         Reviewed by Saam Barati.
1843
1844         * stress/get-stack-double.js: Added.
1845         (bar):
1846         (noInline):
1847
1848 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1849
1850         New bytecode format for JSC
1851         https://bugs.webkit.org/show_bug.cgi?id=187373
1852         <rdar://problem/44186758>
1853
1854         Reviewed by Filip Pizlo.
1855
1856         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1857
1858         * stress/maximum-inline-capacity.js: Added.
1859         (test1):
1860         (test3.Foo):
1861         (test3):
1862
1863 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1864
1865         Unreviewed, rolling out r237479 and r237484.
1866         https://bugs.webkit.org/show_bug.cgi?id=190978
1867
1868         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1869
1870         Reverted changesets:
1871
1872         "New bytecode format for JSC"
1873         https://bugs.webkit.org/show_bug.cgi?id=187373
1874         https://trac.webkit.org/changeset/237479
1875
1876         "Gardening: Build fix after r237479."
1877         https://bugs.webkit.org/show_bug.cgi?id=187373
1878         https://trac.webkit.org/changeset/237484
1879
1880 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1881
1882         New bytecode format for JSC
1883         https://bugs.webkit.org/show_bug.cgi?id=187373
1884         <rdar://problem/44186758>
1885
1886         Reviewed by Filip Pizlo.
1887
1888         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1889
1890         * stress/maximum-inline-capacity.js: Added.
1891         (test1):
1892         (test3.Foo):
1893         (test3):
1894
1895 2018-10-26  Mark Lam  <mark.lam@apple.com>
1896
1897         Fix missing edge cases with JSGlobalObjects having a bad time.
1898         https://bugs.webkit.org/show_bug.cgi?id=189028
1899         <rdar://problem/45204939>
1900
1901         Reviewed by Saam Barati.
1902
1903         * stress/regress-189028.js: Added.
1904
1905 2018-10-22  Mark Lam  <mark.lam@apple.com>
1906
1907         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1908         https://bugs.webkit.org/show_bug.cgi?id=190515
1909         <rdar://problem/45222379>
1910
1911         Rubber-stamped by Saam Barati.
1912
1913         Adding another test.
1914
1915         * stress/regress-190515-2.js: Added.
1916
1917 2018-10-22  Mark Lam  <mark.lam@apple.com>
1918
1919         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1920         https://bugs.webkit.org/show_bug.cgi?id=190515
1921         <rdar://problem/45222379>
1922
1923         Reviewed by Saam Barati.
1924
1925         * stress/regress-190515.js: Added.
1926
1927 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1928
1929         Unreviewed, rolling out r237254.
1930         https://bugs.webkit.org/show_bug.cgi?id=190760
1931
1932         "It regresses JetStream 2 by 5% on some iOS devices"
1933         (Requested by saamyjoon on #webkit).
1934
1935         Reverted changeset:
1936
1937         "[JSC] JSC should have "parseFunction" to optimize Function
1938         constructor"
1939         https://bugs.webkit.org/show_bug.cgi?id=190340
1940         https://trac.webkit.org/changeset/237254
1941
1942 2018-10-19  Saam Barati  <sbarati@apple.com>
1943
1944         vmCall should check if we exit before emitting an OSR exit due to exceptions
1945         https://bugs.webkit.org/show_bug.cgi?id=190740
1946         <rdar://problem/45220139>
1947
1948         Reviewed by Mark Lam.
1949
1950         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1951         (foo):
1952
1953 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1954
1955         [ESNext][BigInt] Implement support for "^"
1956         https://bugs.webkit.org/show_bug.cgi?id=186235
1957
1958         Reviewed by Yusuke Suzuki.
1959
1960         * stress/big-int-bitwise-xor-general.js: Added.
1961         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1962         * stress/big-int-bitwise-xor-type-error.js: Added.
1963         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1964
1965 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1966
1967         [BigInt] Add ValueSub into DFG
1968         https://bugs.webkit.org/show_bug.cgi?id=186176
1969
1970         Reviewed by Yusuke Suzuki.
1971
1972         * stress/big-int-subtraction-jit.js:
1973         * stress/value-sub-big-int-prediction-propagation.js: Added.
1974         * stress/value-sub-big-int-untyped.js: Added.
1975         * stress/value-sub-spec-none-case.js: Added.
1976
1977 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1978
1979         [JSC] JSC should have "parseFunction" to optimize Function constructor
1980         https://bugs.webkit.org/show_bug.cgi?id=190340
1981
1982         Reviewed by Mark Lam.
1983
1984         This patch fixes the line number of syntax errors raised by the Function constructor,
1985         since we now parse the final code only once. And we no longer use block statement
1986         for Function constructor's parsing.
1987
1988         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1989         * stress/function-cache-with-parameters-end-position.js: Added.
1990         (shouldBe):
1991         (shouldThrow):
1992         (i.anonymous):
1993         * stress/function-constructor-name.js: Added.
1994         (shouldBe):
1995         (GeneratorFunction):
1996         (AsyncFunction.async):
1997         (AsyncGeneratorFunction.async):
1998         (anonymous):
1999         (async.anonymous):
2000         * test262/expectations.yaml:
2001
2002 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2003
2004         Unreviewed, rolling out r237242.
2005         https://bugs.webkit.org/show_bug.cgi?id=190701
2006
2007         it breaks "stress/sampling-profiler-basic.js" (Requested by
2008         caiolima on #webkit).
2009
2010         Reverted changeset:
2011
2012         "[BigInt] Add ValueSub into DFG"
2013         https://bugs.webkit.org/show_bug.cgi?id=186176
2014         https://trac.webkit.org/changeset/237242
2015
2016 2018-10-17  Keith Miller  <keith_miller@apple.com>
2017
2018         AI does not clear Phantom allocation nodes.
2019         https://bugs.webkit.org/show_bug.cgi?id=190694
2020
2021         Reviewed by Saam Barati.
2022
2023         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2024         (Day):
2025         (DaysInYear):
2026         (TimeInYear):
2027         (TimeFromYear):
2028         (DayFromYear):
2029         (InLeapYear):
2030         (YearFromTime):
2031         (WeekDay):
2032         (DaylightSavingTA):
2033         (GetSecondSundayInMarch):
2034         (TimeInMonth):
2035
2036 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2037
2038         [BigInt] Add ValueSub into DFG
2039         https://bugs.webkit.org/show_bug.cgi?id=186176
2040
2041         Reviewed by Yusuke Suzuki.
2042
2043         * stress/big-int-subtraction-jit.js:
2044         * stress/value-sub-big-int-prediction-propagation.js: Added.
2045         * stress/value-sub-big-int-untyped.js: Added.
2046
2047 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2048
2049         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2050         https://bugs.webkit.org/show_bug.cgi?id=190611
2051
2052         Reviewed by Saam Barati.
2053
2054         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2055         to improve test runtime. On ARM/MIPS this test even timed out when running all
2056         tests.
2057
2058         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2059         (test):
2060
2061 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2062
2063         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2064
2065         Unreviewed gardening.
2066
2067         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2068
2069 2018-10-15  Saam barati  <sbarati@apple.com>
2070
2071         Emit fjcvtzs on ARM64E on Darwin
2072         https://bugs.webkit.org/show_bug.cgi?id=184023
2073
2074         Reviewed by Yusuke Suzuki and Filip Pizlo.
2075
2076         * stress/double-to-int32-NaN.js: Added.
2077         (assert):
2078         (foo):
2079
2080 2018-10-15  Saam Barati  <sbarati@apple.com>
2081
2082         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2083         https://bugs.webkit.org/show_bug.cgi?id=190262
2084         <rdar://problem/44986241>
2085
2086         Reviewed by Mark Lam.
2087
2088         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2089         (test):
2090         * stress/slice-array-storage-with-holes.js: Added.
2091         (main):
2092
2093 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2094
2095         Unreviewed, rolling out r237054.
2096         https://bugs.webkit.org/show_bug.cgi?id=190593
2097
2098         "this regressed JetStream 2 by 6% on iOS" (Requested by
2099         saamyjoon on #webkit).
2100
2101         Reverted changeset:
2102
2103         "[JSC] JSC should have "parseFunction" to optimize Function
2104         constructor"
2105         https://bugs.webkit.org/show_bug.cgi?id=190340
2106         https://trac.webkit.org/changeset/237054
2107
2108 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2109
2110         [JSC] JSON.stringify can accept call-with-no-arguments
2111         https://bugs.webkit.org/show_bug.cgi?id=190343
2112
2113         Reviewed by Mark Lam.
2114
2115         * stress/json-stringify-no-arguments.js: Added.
2116         (shouldBe):
2117
2118 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2119
2120         [JSC] JSC should have "parseFunction" to optimize Function constructor
2121         https://bugs.webkit.org/show_bug.cgi?id=190340
2122
2123         Reviewed by Mark Lam.
2124
2125         This patch fixes the line number of syntax errors raised by the Function constructor,
2126         since we now parse the final code only once. And we no longer use block statement
2127         for Function constructor's parsing.
2128
2129         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2130         * stress/function-cache-with-parameters-end-position.js: Added.
2131         (shouldBe):
2132         (shouldThrow):
2133         (i.anonymous):
2134         * stress/function-constructor-name.js: Added.
2135         (shouldBe):
2136         (GeneratorFunction):
2137         (AsyncFunction.async):
2138         (AsyncGeneratorFunction.async):
2139         (anonymous):
2140         (async.anonymous):
2141         * test262/expectations.yaml:
2142
2143 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2144
2145         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2146         https://bugs.webkit.org/show_bug.cgi?id=190426
2147
2148         Unreviewed gardening.
2149
2150         * stress/sampling-profiler-richards.js:
2151
2152 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2153
2154         [ESNext][BigInt] Implement support for "|"
2155         https://bugs.webkit.org/show_bug.cgi?id=186229
2156
2157         Reviewed by Yusuke Suzuki.
2158
2159         * stress/big-int-bitwise-and-jit.js:
2160         * stress/big-int-bitwise-or-general.js: Added.
2161         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2162         * stress/big-int-bitwise-or-jit.js: Added.
2163         * stress/big-int-bitwise-or-memory-stress.js: Added.
2164         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2165         * stress/big-int-bitwise-or-type-error.js: Added.
2166         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2167
2168 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2169
2170         Skip test on systems with limited memory
2171         https://bugs.webkit.org/show_bug.cgi?id=190310
2172
2173         Invoking runDefault adds test to runlist, skipping the test in the next
2174         line does not prevent the test from executing. Change order of lines such
2175         that runDefault is only executed if test is not executed.
2176
2177         Reviewed by Mark Lam.
2178
2179         * stress/regress-190187.js:
2180
2181 2018-10-03  Saam barati  <sbarati@apple.com>
2182
2183         lowXYZ in FTLLower should always filter the type of the incoming edge
2184         https://bugs.webkit.org/show_bug.cgi?id=189939
2185         <rdar://problem/44407030>
2186
2187         Reviewed by Michael Saboff.
2188
2189         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2190         (foo):
2191         (test):
2192
2193 2018-10-03  Mark Lam  <mark.lam@apple.com>
2194
2195         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2196         https://bugs.webkit.org/show_bug.cgi?id=190187
2197         <rdar://problem/42512909>
2198
2199         Reviewed by Michael Saboff.
2200
2201         * stress/regress-190187.js: Added.
2202
2203 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2204
2205         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2206         https://bugs.webkit.org/show_bug.cgi?id=190033
2207
2208         Reviewed by Yusuke Suzuki.
2209
2210         * stress/big-int-to-string.js:
2211
2212 2018-10-01  Mark Lam  <mark.lam@apple.com>
2213
2214         Function.toString() should also copy the source code Functions that are class definitions.
2215         https://bugs.webkit.org/show_bug.cgi?id=190186
2216         <rdar://problem/44733360>
2217
2218         Reviewed by Saam Barati.
2219
2220         * stress/regress-190186.js: Added.
2221
2222 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2223
2224         Split NaN-check into separate test
2225         https://bugs.webkit.org/show_bug.cgi?id=190010
2226
2227         Reviewed by Saam Barati.
2228
2229         DataView exposes NaN-representation, which is not necessarily the same on each
2230         architecture. Therefore move the check of the NaN-representation into its own
2231         file such that we can disable this test on MIPS where NaN-representation can be
2232         different on older CPUs.
2233
2234         * stress/dataview-jit-set-nan.js: Added.
2235         (assert):
2236         (test.storeLittleEndian):
2237         (test.storeBigEndian):
2238         (test.store):
2239         (test):
2240         * stress/dataview-jit-set.js:
2241         (test5):
2242
2243 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2244
2245         Unreviewed, rolling out r236647.
2246         https://bugs.webkit.org/show_bug.cgi?id=190124
2247
2248         Breaking test stress/big-int-to-string.js (Requested by
2249         caiolima_ on #webkit).
2250
2251         Reverted changeset:
2252
2253         "[BigInt] BigInt.proptotype.toString is broken when radix is
2254         power of 2"
2255         https://bugs.webkit.org/show_bug.cgi?id=190033
2256         https://trac.webkit.org/changeset/236647
2257
2258 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2259
2260         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2261         https://bugs.webkit.org/show_bug.cgi?id=190033
2262
2263         Reviewed by Yusuke Suzuki.
2264
2265         * stress/big-int-to-string.js:
2266
2267 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2268
2269         [ESNext][BigInt] Implement support for "&"
2270         https://bugs.webkit.org/show_bug.cgi?id=186228
2271
2272         Reviewed by Yusuke Suzuki.
2273
2274         * stress/big-int-bitwise-and-general.js: Added.
2275         (assert):
2276         (assert.sameValue):
2277         * stress/big-int-bitwise-and-jit.js: Added.
2278         (let.assert.sameValue):
2279         (bigIntBitAnd):
2280         * stress/big-int-bitwise-and-memory-stress.js: Added.
2281         (assert):
2282         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2283         (assert.sameValue):
2284         (let.o.Symbol.toPrimitive):
2285         (catch):
2286         * stress/big-int-bitwise-and-type-error.js: Added.
2287         (assert):
2288         (assertThrowTypeError):
2289         (let.o.valueOf):
2290         (o.valueOf):
2291         (o.toString):
2292         (o.Symbol.toPrimitive):
2293         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2294         (assert.sameValue):
2295         (testBitAnd):
2296         (let.o.Symbol.toPrimitive):
2297         (o.valueOf):
2298         (o.toString):
2299
2300 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2301
2302         JSC test stress/jsc-read.js doesn't support CRLF
2303         https://bugs.webkit.org/show_bug.cgi?id=190063
2304
2305         Reviewed by Yusuke Suzuki.
2306
2307         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2308
2309         * stress/jsc-read.js:
2310         (test):
2311
2312 2018-09-27  Saam barati  <sbarati@apple.com>
2313
2314         Verify the contents of AssemblerBuffer on arm64e
2315         https://bugs.webkit.org/show_bug.cgi?id=190057
2316         <rdar://problem/38916630>
2317
2318         Reviewed by Mark Lam.
2319
2320         * stress/regress-189132.js:
2321
2322 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2323
2324         Disable test without LLInt on ARMv7
2325         https://bugs.webkit.org/show_bug.cgi?id=190037
2326
2327         Reviewed by Mark Lam.
2328
2329         Test runs out of executable memory on ARMv7, do not run
2330         this test without LLInt enabled.
2331
2332         * stress/regress-169445.js:
2333
2334 2018-09-26  Keith Miller  <keith_miller@apple.com>
2335
2336         We should zero unused property storage when rebalancing array storage.
2337         https://bugs.webkit.org/show_bug.cgi?id=188151
2338
2339         Reviewed by Michael Saboff.
2340
2341         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2342
2343 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2344
2345         [JSC] Optimize Array#lastIndexOf
2346         https://bugs.webkit.org/show_bug.cgi?id=189780
2347
2348         Reviewed by Saam Barati.
2349
2350         * stress/array-lastindexof-array-prototype-trap.js: Added.
2351         (shouldBe):
2352         (AncestorArray.prototype.get 2):
2353         (AncestorArray):
2354         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2355         (shouldBe):
2356         * stress/array-lastindexof-hole-nan.js: Added.
2357         (shouldBe):
2358         (throw.new.Error):
2359         * stress/array-lastindexof-infinity.js: Added.
2360         (shouldBe):
2361         (throw.new.Error):
2362         * stress/array-lastindexof-negative-zero.js: Added.
2363         (shouldBe):
2364         (throw.new.Error):
2365         * stress/array-lastindexof-own-getter.js: Added.
2366         (shouldBe):
2367         (throw.new.Error.get array):
2368         (get array):
2369         * stress/array-lastindexof-prototype-trap.js: Added.
2370         (shouldBe):
2371         (DerivedArray.prototype.get 2):
2372         (DerivedArray):
2373
2374 2018-09-25  Saam Barati  <sbarati@apple.com>
2375
2376         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2377         https://bugs.webkit.org/show_bug.cgi?id=189940
2378         <rdar://problem/43640987>
2379
2380         Reviewed by Mark Lam.
2381
2382         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2383
2384 2018-09-24  Saam Barati  <sbarati@apple.com>
2385
2386         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2387         https://bugs.webkit.org/show_bug.cgi?id=189922
2388         <rdar://problem/44651275>
2389
2390         Reviewed by Mark Lam.
2391
2392         * stress/array-indexof-fast-path-effects.js: Added.
2393         * stress/array-indexof-cached-length.js: Added.
2394
2395 2018-09-24  Saam barati  <sbarati@apple.com>
2396
2397         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2398         https://bugs.webkit.org/show_bug.cgi?id=189682
2399         <rdar://problem/43557315>
2400
2401         Reviewed by Mark Lam.
2402
2403         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2404         (foo):
2405
2406 2018-09-22  Saam barati  <sbarati@apple.com>
2407
2408         The sampling should not use Strong<CodeBlock> in its machineLocation field
2409         https://bugs.webkit.org/show_bug.cgi?id=189319
2410
2411         Reviewed by Filip Pizlo.
2412
2413         * stress/sampling-profiler-richards.js: Added.
2414
2415 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2416
2417         [JSC] Optimize Array#indexOf in C++ runtime
2418         https://bugs.webkit.org/show_bug.cgi?id=189507
2419
2420         Reviewed by Saam Barati.
2421
2422         * stress/array-indexof-array-prototype-trap.js: Added.
2423         (shouldBe):
2424         (AncestorArray.prototype.get 2):
2425         (AncestorArray):
2426         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2427         (shouldBe):
2428         * stress/array-indexof-hole-nan.js: Added.
2429         (shouldBe):
2430         (throw.new.Error):
2431         * stress/array-indexof-infinity.js: Added.
2432         (shouldBe):
2433         (throw.new.Error):
2434         * stress/array-indexof-negative-zero.js: Added.
2435         (shouldBe):
2436         (throw.new.Error):
2437         * stress/array-indexof-own-getter.js: Added.
2438         (shouldBe):
2439         (throw.new.Error.get array):
2440         (get array):
2441         * stress/array-indexof-prototype-trap.js: Added.
2442         (shouldBe):
2443         (DerivedArray.prototype.get 2):
2444         (DerivedArray):
2445
2446 2018-09-19  Saam barati  <sbarati@apple.com>
2447
2448         AI rule for MultiPutByOffset executes its effects in the wrong order
2449         https://bugs.webkit.org/show_bug.cgi?id=189757
2450         <rdar://problem/43535257>
2451
2452         Reviewed by Michael Saboff.
2453
2454         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2455         (foo):
2456         (Foo):
2457         (g):
2458
2459 2018-09-17  Mark Lam  <mark.lam@apple.com>
2460
2461         Ensure that ForInContexts are invalidated if their loop local is over-written.
2462         https://bugs.webkit.org/show_bug.cgi?id=189571
2463         <rdar://problem/44402277>
2464
2465         Reviewed by Saam Barati.
2466
2467         * stress/regress-189571.js: Added.
2468
2469 2018-09-17  Saam barati  <sbarati@apple.com>
2470
2471         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2472         https://bugs.webkit.org/show_bug.cgi?id=189676
2473         <rdar://problem/39682897>
2474
2475         Reviewed by Michael Saboff.
2476
2477         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2478         (A):
2479         (K):
2480         (i.catch):
2481
2482 2018-09-14  Saam barati  <sbarati@apple.com>
2483
2484         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2485         https://bugs.webkit.org/show_bug.cgi?id=189628
2486         <rdar://problem/39481690>
2487
2488         Reviewed by Mark Lam.
2489
2490         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2491         (foo):
2492
2493 2018-09-11  Mark Lam  <mark.lam@apple.com>
2494
2495         Test for array initialization in arrayProtoFuncSplice.
2496         https://bugs.webkit.org/show_bug.cgi?id=170253
2497         <rdar://problem/31328773>
2498
2499         Rubber-stamped by Saam Barati.
2500
2501         * stress/regress-170253.js: Added.
2502
2503 2018-09-11  Mark Lam  <mark.lam@apple.com>
2504
2505         Test for IntlObject initialization.
2506         https://bugs.webkit.org/show_bug.cgi?id=170251
2507         <rdar://problem/31328419>
2508
2509         Rubber-stamped by Saam Barati.
2510
2511         * stress/regress-170251.js: Added.
2512
2513 2018-09-11  Mark Lam  <mark.lam@apple.com>
2514
2515         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2516         https://bugs.webkit.org/show_bug.cgi?id=169889
2517         <rdar://problem/31155607>
2518
2519         Reviewed by Saam Barati.
2520
2521         * stress/regress-169889-array-concat.js: Added.
2522         * stress/regress-169889-array-concat1.js: Added.
2523         * stress/regress-169889-array-slice.js: Added.
2524
2525 2018-09-11  Mark Lam  <mark.lam@apple.com>
2526
2527         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2528         https://bugs.webkit.org/show_bug.cgi?id=169445
2529         <rdar://problem/30957435>
2530
2531         Reviewed by Saam Barati.
2532
2533         * stress/regress-169445.js: Added.
2534         (let.gun.eval.A):
2535         (let.gun.eval.B.C):
2536         (let.gun.eval.B.C.prototype.trigger):
2537         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2538         (let.gun.eval.B):
2539         (let.gun.eval):
2540
2541 == Rolled over to ChangeLog-2018-09-11 ==