Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
[WebKit-https.git] / JSTests / ChangeLog
2019-03-21  Mark Lam  <mark.lam@apple.com>

        Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
        https://bugs.webkit.org/show_bug.cgi?id=196055
        <rdar://problem/49067448>

        Reviewed by Yusuke Suzuki.

        * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.

2019-03-20  Saam Barati  <sbarati@apple.com>

        typeOfDoubleSum is wrong for when NaN can be produced
        https://bugs.webkit.org/show_bug.cgi?id=196030

        Reviewed by Filip Pizlo.

        * stress/double-add-sub-mul-can-produce-nan.js: Added.
        (assert):
        (noInline.sub):
        (noInline):
        (assert.mul):
        (assert.add):

2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>

        Update the test to ensure OutOfMemoryError is thrown as intended
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Rubber stamped by Saam Barati.

        * stress/create-error-out-of-memory-rope-string.js:
        (assert):
        (catch):

2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>

        JSC::createError needs to check for OOM in errorDescriptionForValue
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Reviewed by Mark Lam.

        * stress/create-error-out-of-memory-rope-string.js: Added.

2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce # of iterations to avoid timing out after r242991
        https://bugs.webkit.org/show_bug.cgi?id=195791

        To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=195950

        Unreviewed, reducing the amount of memory used on this test to avoid
        OOM on devices with memory restrictions.

        * microbenchmarks/generate-multiple-llint-entrypoints.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
        https://bugs.webkit.org/show_bug.cgi?id=194648

        Reviewed by Keith Miller.

        * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Missing a ThrowScope release in JSObject::toString().
        https://bugs.webkit.org/show_bug.cgi?id=195893
        <rdar://problem/48970986>

        Reviewed by Michael Saboff.

        * stress/to-string-exception-check-release.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Structure::flattenDictionary() should clear unused property slots.
        https://bugs.webkit.org/show_bug.cgi?id=195871
        <rdar://problem/48959497>

        Reviewed by Michael Saboff.

        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

2019-03-15  Mark Lam  <mark.lam@apple.com>

        Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=195827
        <rdar://problem/48845513>

        Reviewed by Filip Pizlo.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.

2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM,MIPS] Skip slow tests
        https://bugs.webkit.org/show_bug.cgi?id=195799

        Unreviewed, test does not finish on ARM and MIPS within the
        timeout limit.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
        https://bugs.webkit.org/show_bug.cgi?id=195791
        <rdar://problem/48806130>

        Reviewed by Mark Lam.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
        (foo):

2019-03-14  Saam barati  <sbarati@apple.com>

        We can't remove code after ForceOSRExit until after FixupPhase
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
        (foo):
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
        (foo):

2019-03-13  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
        https://bugs.webkit.org/show_bug.cgi?id=195735

        Reviewed by Mark Lam.

        New regression test.

        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
        (foo):
        (bar):

2019-03-14  Saam barati  <sbarati@apple.com>

        Fixup uses KnownInt32 incorrectly in some nodes
        https://bugs.webkit.org/show_bug.cgi?id=195279
        <rdar://problem/47915654>

        Reviewed by Yusuke Suzuki.

        * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
        (foo):

2019-03-14  Keith Miller  <keith_miller@apple.com>

        DFG liveness can't skip tail caller inline frames
        https://bugs.webkit.org/show_bug.cgi?id=195715

        Reviewed by Saam Barati.

        * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
        (i.foo):

2019-03-13  Mark Lam  <mark.lam@apple.com>

        Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
        https://bugs.webkit.org/show_bug.cgi?id=195415

        Not reviewed.

        Changed these tests to only run the default configuration.
        The ftl-no-cjit-validate-sampling-profiler variant was timing out.
        There's no strong need to run this test on that variant.

        * stress/dfg-to-string-on-int-does-gc.js:
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:

2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>

        String overflow when using StringBuilder in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=194957

        Reviewed by Mark Lam.

        Add test string-overflow-createError-builder.js that overflows
        StringBuilder in notAFunctionSourceAppender. The second new test
        string-overflow-createError-fit.js has an error message that doesn't
        overflow, it still failed since the String's capacity can't be doubled.
        Run test string-overflow-createError.js only in the default
        configuration to reduce memory consumption when running the test
        in all configurations on multiple CPUs in parallel.

        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError.js:

2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry should respect abstract values in addition to flush formats
        https://bugs.webkit.org/show_bug.cgi?id=195653

        Reviewed by Mark Lam.

        * stress/osr-entry-locals-none.js: Added.

2019-03-12  Michael Saboff  <msaboff@apple.com>

        REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
        https://bugs.webkit.org/show_bug.cgi?id=195613

        Reviewed by Mark Lam.

        New regression test.

        * stress/regexp-backref-inbounds.js: Added.
        (testRegExp):

2019-03-12  Mark Lam  <mark.lam@apple.com>

        The HasIndexedProperty node does GC.
        https://bugs.webkit.org/show_bug.cgi?id=195559
        <rdar://problem/48767923>

        Reviewed by Yusuke Suzuki.

        * stress/HasIndexedProperty-does-gc.js: Added.

2019-03-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement "~" unary operation
        https://bugs.webkit.org/show_bug.cgi?id=182216

        Reviewed by Keith Miller.

        * stress/big-int-bit-not-general.js: Added.
        * stress/big-int-bitwise-not-jit.js: Added.
        * stress/big-int-bitwise-not-wrapped-value.js: Added.
        * stress/bit-op-with-object-returning-int32.js:
        * stress/bitwise-not-fixup-rules.js: Added.
        * stress/value-bit-not-ai-rule.js: Added.

2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>

        Invalid flags in a RegExp literal should be an early SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=195514

        Reviewed by Darin Adler.

        * test262/expectations.yaml:
        Mark 4 test cases as passing.

        * stress/regexp-syntax-error-invalid-flags.js:
        * stress/regress-161995.js: Removed.
        Update existing test, merging in an older test for the same behavior.

2019-03-08  Mark Lam  <mark.lam@apple.com>

        Stack overflow crash in JSC::JSObject::hasInstance.
        https://bugs.webkit.org/show_bug.cgi?id=195458
        <rdar://problem/48710195>

        Reviewed by Yusuke Suzuki.

        * stress/stack-overflow-in-custom-hasInstance.js: Added.

2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>

        op_check_tdz does not def its argument
        https://bugs.webkit.org/show_bug.cgi?id=192880
        <rdar://problem/46221598>

        Reviewed by Saam Barati.

        * microbenchmarks/let-for-in.js: Added.
        (foo):

2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=195429

        Reviewed by Saam Barati.

        * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
        (foo):
        * stress/string-from-char-code-255.js: Added.

2019-03-06  Mark Lam  <mark.lam@apple.com>

        Fix incorrect handling of try-finally completion values.
        https://bugs.webkit.org/show_bug.cgi?id=195131
        <rdar://problem/46222079>

        Reviewed by Saam Barati and Yusuke Suzuki.

        Added many permutations of new test case to test-finally.js.  test-finally.js has
        been run on Chrome and Firefox as a sanity check, and we confirmed that all the
        tests pass there as well.

        * stress/test-finally.js:

2019-03-06  Saam Barati  <sbarati@apple.com>

        Air::reportUsedRegisters must padInterference
        https://bugs.webkit.org/show_bug.cgi?id=195303
        <rdar://problem/48270343>

        Reviewed by Keith Miller.

        * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.

2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI should not propagate AbstractValue relying on constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=195375

        Reviewed by Saam Barati.

        * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
        (let.array):

2019-03-05  Saam barati  <sbarati@apple.com>

        op_switch_char broken for rope strings after JSRopeString layout rewrite
        https://bugs.webkit.org/show_bug.cgi?id=195339
        <rdar://problem/48592545>

        Reviewed by Yusuke Suzuki.

        * stress/switch-on-char-llint-rope.js: Added.

2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Store bits for JSRopeString in 3 stores
        https://bugs.webkit.org/show_bug.cgi?id=195234

        Reviewed by Saam Barati.

        * stress/null-rope-and-collectors.js: Added.

2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195207

        Unreviewed. After test runtime was reduced in r242213, test can be
        run again on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] sizeof(JSString) should be 16
        https://bugs.webkit.org/show_bug.cgi?id=194375

        Reviewed by Saam Barati.

        * microbenchmarks/make-rope.js: Added.
        (makeRope):
        * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
        (returnRope.helper): Deleted.
        (returnRope): Deleted.

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
        https://bugs.webkit.org/show_bug.cgi?id=195144

        1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
        Change the number from 1e8 to 1e5.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
        (foo):

2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>

        Test times out on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195168

        Unreviewed. Skip test on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-27  Mark Lam  <mark.lam@apple.com>

        The parser is failing to record the token location of new in new.target.
        https://bugs.webkit.org/show_bug.cgi?id=195127
        <rdar://problem/39645578>

        Reviewed by Yusuke Suzuki.

        * stress/parser-should-record-token-location-of-new-dot-target.js: Added.

2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
        https://bugs.webkit.org/show_bug.cgi?id=195144
        <rdar://problem/47595961>

        Reviewed by Mark Lam.

        * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
        (bar):
        (foo):
        * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
        (bar):
        (foo):

2019-02-27  Robin Morisset  <rmorisset@apple.com>

        DFG: Loop-invariant code motion (LICM) should not hoist dead code
        https://bugs.webkit.org/show_bug.cgi?id=194945
        <rdar://problem/48311657>

        Reviewed by Mark Lam.

        * stress/licm-dead-code.js: Added.

2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
        https://bugs.webkit.org/show_bug.cgi?id=194677
        <rdar://problem/48112492>

        Reviewed by Mark Lam.

        Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
        This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
        it immediately fails due to the large size.

        After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
        8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
        time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
        OOM error anyway because JSON.stringify's builder overflows with such a large string input.

        This patch changes the test to produce 16bit string from String.fromCharCode.

        * stress/regress-178386.js:

2019-02-26  Mark Lam  <mark.lam@apple.com>

        wasmToJS() should purify incoming NaNs.
        https://bugs.webkit.org/show_bug.cgi?id=194807
        <rdar://problem/48189132>

        Reviewed by Saam Barati.

        * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.

2019-02-26  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Repeat string created from Array.prototype.join() take too much memory
        https://bugs.webkit.org/show_bug.cgi?id=193912

        Reviewed by Saam Barati.

        Added a test and a microbenchmark for corner cases of
        Array.prototype.join() with an uninitialized array.

        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
        * stress/array-prototype-join-uninitialized.js: Added.
        (testArray):
        (testABC):
        (B):
        (C):

2019-02-22  Robin Morisset  <rmorisset@apple.com>

        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
        https://bugs.webkit.org/show_bug.cgi?id=194953
        <rdar://problem/47595253>

        Reviewed by Saam Barati.

        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.

        * stress/has-indexed-property-with-worsening-array-mode.js: Added.

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-19  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r241784.

        Broke all OpenSource builds.

        Reverted changeset:

        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
        instances view"
        https://bugs.webkit.org/show_bug.cgi?id=172848
        https://trac.webkit.org/changeset/241784

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        Do not skip test since crash with sampling profiler is now fixed.

        * stress/sampling-profiler-richards.js:

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
        (getProperties):
        (getRandomProperty):
        (i.catch):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test gardening: Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194771

        Unreviewed. Do not run test without LLInt, test is running out of executable
        memory on ARM otherwise.

        * stress/tagged-template-object-collect.js:

2019-02-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip the test on platforms without sampling profiler

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.test):
        (platformSupportsSamplingProfiler):
        (foo): Deleted.
        (test): Deleted.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        New regression test.

        * stress/regexp-unicode-within-string.js: Added.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
        * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
        * stress/type-profiler-with-double-quote-in-field-name.js: Added.
        * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.

2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * stress/regexp-replace-double-watchpoint.js: Added.
        (foo):

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        * stress/tail-call-many-arguments.js: Added.
        (foo):
        (bar):

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] String.fromCharCode's slow path always generates 16bit string
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Reviewed by Keith Miller.

        * stress/string-from-char-code-slow-path.js: Added.
        (shouldBe):
        (testWithLength):

2019-02-08  Saam barati  <sbarati@apple.com>

        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
        https://bugs.webkit.org/show_bug.cgi?id=194334
        <rdar://problem/47844327>

        Reviewed by Mark Lam.

        * stress/check-in-bounds-should-be-a-child-use.js: Added.
        (func):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
        https://bugs.webkit.org/show_bug.cgi?id=194369
        <rdar://problem/47813087>

        Reviewed by Saam Barati.

        * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
        (A):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PrivateName to PublicName hash table is wasteful
        https://bugs.webkit.org/show_bug.cgi?id=194277

        Reviewed by Michael Saboff.

        This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.

        * ChakraCore.yaml:

2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194285

        Unreviewed. Do not execute test with LLInt disabled, test runs out of
        executable memory otherwise.

        * stress/class-subclassing-function.js:

2019-02-04  Robin Morisset  <rmorisset@apple.com>

        when lowering AssertNotEmpty, create the value before creating the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=194231

        Reviewed by Saam Barati.

        This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
        The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
        So even tiny changes to this test can change the path code taken.

        * stress/assert-not-empty.js: Added.
        (foo):

2019-02-01  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in DFG's compileDoubleRep().
        https://bugs.webkit.org/show_bug.cgi?id=194130
        <rdar://problem/47699474>

        Reviewed by Saam Barati.

        * stress/constant-fold-double-rep-into-double-constant.js: Added.

2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>

        Import latest Test262 updates.

        Rubber-stamped by Keith Miller.

        * test262.yaml: Deleted.
        * test262/config.yaml:
        * test262/expectations.yaml:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-01-30  Robin Morisset  <rmorisset@apple.com>

        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
        https://bugs.webkit.org/show_bug.cgi?id=194050
        <rdar://problem/47595592>

        Reviewed by Yusuke Suzuki.

        * stress/object-keys-osr-exit.js: Added.
        (foo):
        (catch):

2019-01-29  Mark Lam  <mark.lam@apple.com>

        ValueRecovery::recover() should purify NaN values it recovers.
        https://bugs.webkit.org/show_bug.cgi?id=193978
        <rdar://problem/47625488>

        Reviewed by Saam Barati.

        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
        https://bugs.webkit.org/show_bug.cgi?id=193713

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-to-string-on-int-does-gc.js: Added.
        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        Remove @Error use.

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        * stress/regress-190693.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (taz):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
        (let.thing):
        (foo.let.hello):
        (foo):

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Added a new test for a case that was triggering a RELEASE_ASSERT when
        testing.
        Disable some slow tests that were already disabled for arm and x86.

        * stress/json-parse-big-object.js: Added.
        * stress/new-largeish-contiguous-array-with-size.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/sampling-profiler-richards.js:
        * stress/spread-forward-call-varargs-stack-overflow.js:

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
        (shouldBe):
        (foo):
        (bar):
        (baz):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
        (f1.f2.f3.f4):
        (f1.f2.f3):
        (f1.f2):
        (f1):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * stress/object-tostring-changed-proto.js: Removed.
        * stress/object-tostring-changed.js: Removed.
        * stress/object-tostring-misc.js: Removed.
        * stress/object-tostring-other.js: Removed.
        * stress/object-tostring-untyped.js: Removed.

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
913
914         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
915         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
916         (testUncheckedLessThanZero):
917         (testUncheckedLessThanOrEqualZero):
918         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
919         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
920
921 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
922
923         [JSC] Invalidate old scope operations using global lexical binding epoch
924         https://bugs.webkit.org/show_bug.cgi?id=193603
925         <rdar://problem/47380869>
926
927         Reviewed by Saam Barati.
928
929         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
930         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
931         (shouldThrow):
932         (bar):
933         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
934         (shouldBe):
935         (get1):
936         (get2):
937         (get1If):
938         (get2If):
939         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
940         (shouldThrow):
941         (foo):
942
943 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
944
945         Unreviewed, roll out r240220 due to date-format-xparb regression
946         https://bugs.webkit.org/show_bug.cgi?id=193603
947
948         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
949         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
950         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
951         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
952
953 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
954
955         DoesGC rule is wrong for nodes with BigIntUse
956         https://bugs.webkit.org/show_bug.cgi?id=193652
957
958         Reviewed by Saam Barati.
959
960         * stress/big-int-value-op-update-gc-rules.js: Added.
961         (assert):
962         (doesGCAdd):
963         (doesGCSub):
964         (doesGCDiv):
965         (doesGCMul):
966         (doesGCBitAnd):
967         (doesGCBitOr):
968         (doesGCBitXor):
969
970 2019-01-20  Saam Barati  <sbarati@apple.com>
971
972         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
973         https://bugs.webkit.org/show_bug.cgi?id=193644
974         <rdar://problem/46209745>
975
976         Reviewed by Yusuke Suzuki.
977
978         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
979         (foo):
980         * stress/data-view-set-intrinsic-undefined-result.js: Added.
981         (foo):
982         (bar):
983
984 2019-01-20  Saam Barati  <sbarati@apple.com>
985
986         MovHint must merge NodeBytecodeUsesAsValue for its child
987         https://bugs.webkit.org/show_bug.cgi?id=186916
988         <rdar://problem/41396612>
989
990         Reviewed by Yusuke Suzuki.
991
992         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
993         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
994
995 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         [JSC] Invalidate old scope operations using global lexical binding epoch
998         https://bugs.webkit.org/show_bug.cgi?id=193603
999         <rdar://problem/47380869>
1000
1001         Reviewed by Saam Barati.
1002
1003         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1004         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1005         (shouldThrow):
1006         (bar):
1007         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1008         (shouldBe):
1009         (get1):
1010         (get2):
1011         (get1If):
1012         (get2If):
1013         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1014         (shouldThrow):
1015         (foo):
1016
1017 2019-01-17  Saam barati  <sbarati@apple.com>
1018
1019         StringObjectUse should not be a structure check for the original string object structure
1020         https://bugs.webkit.org/show_bug.cgi?id=193483
1021         <rdar://problem/47280522>
1022
1023         Reviewed by Yusuke Suzuki.
1024
1025         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1026         (foo):
1027         (a.valueOf.0):
1028
1029 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1030
1031         [JSC] ToThis omission in DFGByteCodeParser is wrong
1032         https://bugs.webkit.org/show_bug.cgi?id=193513
1033         <rdar://problem/45842236>
1034
1035         Reviewed by Saam Barati.
1036
1037         * stress/to-this-omission-with-different-strict-modes.js: Added.
1038         (thisA):
1039         (thisAStrictWrapper):
1040
1041 2019-01-15  Mark Lam  <mark.lam@apple.com>
1042
1043         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1044         https://bugs.webkit.org/show_bug.cgi?id=193423
1045         <rdar://problem/46209355>
1046
1047         Reviewed by Saam Barati.
1048
1049         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1050         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1051         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1052         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1053
1054 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1055
1056         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1057         https://bugs.webkit.org/show_bug.cgi?id=193438
1058         <rdar://problem/45581249>
1059
1060         Reviewed by Saam Barati and Keith Miller.
1061
1062         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1063         Then, GetByVal(String) crashed.
1064
1065         * stress/string-get-by-val-lowering.js: Added.
1066         (shouldBe):
1067         (test):
1068         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1069         (Hello):
1070         (foo):
1071
1072 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1073
1074         Unreviewed, skip JIT tests if it's not enabled
1075
1076         * stress/bit-op-with-object-returning-int32.js:
1077
1078 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1079
1080         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1081         https://bugs.webkit.org/show_bug.cgi?id=192966
1082
1083         Reviewed by Yusuke Suzuki.
1084
1085         * stress/bit-op-with-object-returning-int32.js: Added.
1086
1087 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1088
1089         Skip a slow test and a flakey test on arm
1090
1091         Unreviewed gardening.
1092
1093         * typeProfiler/getter-richards.js:
1094         this test always times out, it used to be always skipped on arm and
1095         mips, but got accidentally enabled by r237919 now that we have DFG on
1096         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1097
1098 2019-01-14  Keith Miller  <keith_miller@apple.com>
1099
1100         Skip type-check-hoisting-phase-hoist... with no jit
1101         https://bugs.webkit.org/show_bug.cgi?id=193421
1102
1103         Reviewed by Mark Lam.
1104
1105         It's timing out the 32-bit bots and takes 330 seconds
1106         on my machine when run by itself.
1107
1108         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1109
1110 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1111
1112         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1113         https://bugs.webkit.org/show_bug.cgi?id=193413
1114         <rdar://problem/46092389>
1115
1116         Reviewed by Keith Miller.
1117
1118         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1119         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1120         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1121         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1122
1123         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1124         (compareArray):
1125
1126 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1127
1128         [BigInt] Literal parsing is crashing when used inside a Object Literal
1129         https://bugs.webkit.org/show_bug.cgi?id=193404
1130
1131         Reviewed by Yusuke Suzuki.
1132
1133         * stress/big-int-literal-inside-literal-object.js: Added.
1134
1135 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1136
1137         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1138         https://bugs.webkit.org/show_bug.cgi?id=193372
1139
1140         Reviewed by Saam Barati.
1141
1142         * stress/typed-array-array-modes-profile.js: Added.
1143         (foo):
1144
1145 2019-01-14  Mark Lam  <mark.lam@apple.com>
1146
1147         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1148         https://bugs.webkit.org/show_bug.cgi?id=193402
1149         <rdar://problem/46012309>
1150
1151         Reviewed by Keith Miller.
1152
1153         * stress/regexp-compile-oom.js:
1154         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1155           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1156
1157 2019-01-11  Saam barati  <sbarati@apple.com>
1158
1159         DFG combined liveness can be wrong for terminal basic blocks
1160         https://bugs.webkit.org/show_bug.cgi?id=193304
1161         <rdar://problem/45268632>
1162
1163         Reviewed by Yusuke Suzuki.
1164
1165         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1166
1167 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1168
1169         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1170         https://bugs.webkit.org/show_bug.cgi?id=193308
1171         <rdar://problem/45546542>
1172
1173         Reviewed by Saam Barati.
1174
1175         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1176         (shouldThrow):
1177         (shouldBe):
1178         (foo):
1179         (get shouldThrow):
1180         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1181         (shouldThrow):
1182         (shouldBe):
1183         (foo):
1184         (get shouldBe):
1185         (get shouldThrow):
1186         (get return):
1187         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1188         (shouldThrow):
1189         (shouldBe):
1190         (foo):
1191         (get shouldBe):
1192         (get shouldThrow):
1193         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1194         (shouldThrow):
1195         (shouldBe):
1196         (foo):
1197         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1198         (shouldThrow):
1199         (shouldBe):
1200         (foo):
1201         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1202         (shouldThrow):
1203         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1204         (shouldThrow):
1205         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1206         (shouldThrow):
1207         (shouldBe):
1208         (foo):
1209         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1210         (shouldThrow):
1211         (shouldBe):
1212         (foo):
1213         (get shouldBe):
1214         (get shouldThrow):
1215         (get return):
1216         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1217         (shouldThrow):
1218         (shouldBe):
1219         (foo):
1220         (get shouldBe):
1221         (get shouldThrow):
1222         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1223         (shouldThrow):
1224         (shouldBe):
1225         (foo):
1226         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1227         (shouldThrow):
1228         (shouldBe):
1229         (foo):
1230
1231 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1232
1233         Enable DFG on ARM/Linux again
1234         https://bugs.webkit.org/show_bug.cgi?id=192496
1235
1236         Reviewed by Yusuke Suzuki.
1237
1238         Test wasn't really skipped before moving the line with skip
1239         to the top.
1240
1241         * stress/regress-192717.js:
1242
1243 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1244
1245         Unreviewed, rolling out r239825.
1246         https://bugs.webkit.org/show_bug.cgi?id=193330
1247
1248         Broke tests on armv7/linux bots (Requested by guijemont on
1249         #webkit).
1250
1251         Reverted changeset:
1252
1253         "Enable DFG on ARM/Linux again"
1254         https://bugs.webkit.org/show_bug.cgi?id=192496
1255         https://trac.webkit.org/changeset/239825
1256
1257 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1258
1259         Enable DFG on ARM/Linux again
1260         https://bugs.webkit.org/show_bug.cgi?id=192496
1261
1262         Reviewed by Yusuke Suzuki.
1263
1264         Test wasn't really skipped before moving the line with skip
1265         to the top.
1266
1267         * stress/regress-192717.js:
1268
1269 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1270
1271         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1272         https://bugs.webkit.org/show_bug.cgi?id=193127
1273
1274         Reviewed by Saam Barati.
1275
1276         * stress/array-species-create-should-handle-masquerader.js: Added.
1277         (shouldThrow):
1278         * stress/is-undefined-or-null-builtin.js: Added.
1279         (shouldBe):
1280         (isUndefinedOrNull.vm.createBuiltin):
1281
1282 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1283
1284         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1285         https://bugs.webkit.org/show_bug.cgi?id=193221
1286
1287         Reviewed by Mark Lam.
1288
1289         * stress/put-by-id-flags.js: Added.
1290         (f):
1291         (g):
1292         (numberOfDFGCompiles):
1293
1294 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1295
1296         Baseline version of get_by_id may corrupt metadata
1297         https://bugs.webkit.org/show_bug.cgi?id=193085
1298         <rdar://problem/23453006>
1299
1300         Reviewed by Saam Barati.
1301
1302         * stress/get-by-id-change-mode.js: Added.
1303         (forEach):
1304
1305 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1306
1307         [JSC] Optimize Object.prototype.toString
1308         https://bugs.webkit.org/show_bug.cgi?id=193031
1309
1310         Reviewed by Saam Barati.
1311
1312         * stress/object-tostring-changed-proto.js: Added.
1313         (shouldBe):
1314         (test):
1315         * stress/object-tostring-changed.js: Added.
1316         (shouldBe):
1317         (test):
1318         * stress/object-tostring-misc.js: Added.
1319         (shouldBe):
1320         (test):
1321         (i.switch):
1322         * stress/object-tostring-other.js: Added.
1323         (shouldBe):
1324         (test):
1325         * stress/object-tostring-untyped.js: Added.
1326         (shouldBe):
1327         (test):
1328         (i.switch):
1329
1330 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1331
1332         test262-runner misbehaves when test file YAML has a trailing space
1333         https://bugs.webkit.org/show_bug.cgi?id=193053
1334
1335         Reviewed by Yusuke Suzuki.
1336
1337         * test262/expectations.yaml:
1338         Mark two dozen tests as passing (and correct the output of another).
1339
1340 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1341
1342         Unreviewed, JSTests gardening with memoryLimited
1343
1344         * stress/string-overflow-createError.js:
1345
1346 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1347
1348         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1349         https://bugs.webkit.org/show_bug.cgi?id=193050
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * test262.yaml:
1354         * test262/expectations.yaml:
1355         Mark 16 tests as passing.
1356
1357 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1358
1359         [BigInt] Support BigInt in JSON.stringify
1360         https://bugs.webkit.org/show_bug.cgi?id=192624
1361
1362         Reviewed by Saam Barati.
1363
1364         * stress/big-int-json-stringify-to-json.js: Added.
1365         (shouldBe):
1366         (shouldThrow):
1367         (BigInt.prototype.toJSON):
1368         (shouldBe.JSON.stringify):
1369         * stress/big-int-json-stringify.js: Added.
1370         (shouldBe):
1371         (shouldThrow):
1372
1373 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1374
1375         [JSC] Implement "well-formed JSON.stringify" proposal
1376         https://bugs.webkit.org/show_bug.cgi?id=191677
1377
1378         Reviewed by Darin Adler.
1379
1380         * stress/json-surrogate-pair.js: Added.
1381         (shouldBe):
1382         * test262/expectations.yaml:
1383
1384 2018-12-20  Keith Miller  <keith_miller@apple.com>
1385
1386         Add support for globalThis
1387         https://bugs.webkit.org/show_bug.cgi?id=165171
1388
1389         Reviewed by Mark Lam.
1390
1391         * test262/config.yaml:
1392
1393 2018-12-19  Keith Miller  <keith_miller@apple.com>
1394
1395         Update test262 configuration to not run tests dependent on ICU version.
1396         https://bugs.webkit.org/show_bug.cgi?id=192920
1397
1398         Reviewed by Saam Barati.
1399
1400         * test262/expectations.yaml:
1401
1402 2018-12-20  Mark Lam  <mark.lam@apple.com>
1403
1404         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1405         https://bugs.webkit.org/show_bug.cgi?id=192939
1406         <rdar://problem/46869516>
1407
1408         Reviewed by Keith Miller.
1409
1410         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1411
1412 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1413
1414         WTF::String and StringImpl overflow MaxLength
1415         https://bugs.webkit.org/show_bug.cgi?id=192853
1416         <rdar://problem/45726906>
1417
1418         Reviewed by Mark Lam.
1419
1420         * stress/string-16bit-repeat-overflow.js: Added.
1421         (catch):
1422
1423 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1424
1425         Unreviewed follow-up to r192914.
1426
1427         * test262/expectations.yaml:
1428         Add the last 20 missing expectations.
1429
1430 2018-12-19  Keith Miller  <keith_miller@apple.com>
1431
1432         Fix test262 expectations
1433         https://bugs.webkit.org/show_bug.cgi?id=192914
1434
1435         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1436
1437         * test262/expectations.yaml:
1438
1439 2018-12-19  Keith Miller  <keith_miller@apple.com>
1440
1441         Update test262 tests.
1442         https://bugs.webkit.org/show_bug.cgi?id=192907
1443
1444         Rubber stamped by Mark Lam.
1445
1446         * test262/*: Omitted because prepare-changelog crashes.
1447
1448 2018-12-19  Mark Lam  <mark.lam@apple.com>
1449
1450         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1451         https://bugs.webkit.org/show_bug.cgi?id=192464
1452         <rdar://problem/46519455>
1453
1454         Reviewed by Saam Barati.
1455
1456         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1457         microbenchmark.
1458
1459         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1460         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1461
1462 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1463
1464         String overflow in JSC::createError results in ASSERT in WTF::makeString
1465         https://bugs.webkit.org/show_bug.cgi?id=192833
1466         <rdar://problem/45706868>
1467
1468         Reviewed by Mark Lam.
1469
1470         * stress/string-overflow-createError.js: Added.
1471
1472 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1473
1474         Error message for `-x ** y` contains a typo.
1475         https://bugs.webkit.org/show_bug.cgi?id=192832
1476
1477         Reviewed by Saam Barati.
1478
1479         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1480         (assert.assert.return.throws):
1481         * stress/pow-expects-update-expression-on-lhs.js:
1482         (throw.new.Error):
1483         Update test expectations which match against the exact error message.
1484
1485 2018-12-18  Mark Lam  <mark.lam@apple.com>
1486
1487         Gardening: test options fix.
1488         https://bugs.webkit.org/show_bug.cgi?id=192822
1489
1490         Unreviewed.
1491
1492         * stress/json-stringify-string-builder-overflow.js:
1493
1494 2018-12-18  Mark Lam  <mark.lam@apple.com>
1495
1496         JSON.stringify() should throw OOM on StringBuilder overflows.
1497         https://bugs.webkit.org/show_bug.cgi?id=192822
1498         <rdar://problem/46670577>
1499
1500         Reviewed by Saam Barati.
1501
1502         * stress/json-stringify-string-builder-overflow.js: Added.
1503
1504 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1505
1506         Redeclaration of var over let/const/class should be a syntax error.
1507         https://bugs.webkit.org/show_bug.cgi?id=192298
1508
1509         Reviewed by Keith Miller.
1510
1511         * test262.yaml:
1512         * test262/expectations.yaml:
1513         Mark 46 tests as passing.
1514
1515         * stress/block-scope-redeclarations.js:
1516         Add some new tests.
1517
1518         * stress/for-in-invalidate-context-weird-assignments.js:
1519         * stress/for-in-tests.js:
1520         Replace tests for outdated behavior with tests for SyntaxError.
1521
1522         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1523         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1524         Update expectations.
1525
1526 2018-12-18  Mark Lam  <mark.lam@apple.com>
1527
1528         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1529         https://bugs.webkit.org/show_bug.cgi?id=191374
1530         <rdar://problem/46525447>
1531
1532         Reviewed by Yusuke Suzuki.
1533
1534         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1535
1536         * stress/elidable-new-object-roflcopter-then-exit.js:
1537
1538 2018-12-17  Mark Lam  <mark.lam@apple.com>
1539
1540         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1541         https://bugs.webkit.org/show_bug.cgi?id=192019
1542         <rdar://problem/46525456>
1543
1544         Reviewed by Yusuke Suzuki.
1545
1546         The test runs too slow on 32-bit.
1547
1548         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1549
1550 2018-12-17  Mark Lam  <mark.lam@apple.com>
1551
1552         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1553         https://bugs.webkit.org/show_bug.cgi?id=191373
1554         <rdar://problem/46525458>
1555
1556         Reviewed by Yusuke Suzuki.
1557
1558         The test is already slow running with a JIT on 64-bit.  It will always time out
1559         on 32-bit without a JIT.
1560
1561         * stress/materialize-regexp-cyclic-regexp.js:
1562
1563 2018-12-17  Mark Lam  <mark.lam@apple.com>
1564
1565         Array unshift/shift should not race against the AI in the compiler thread.
1566         https://bugs.webkit.org/show_bug.cgi?id=192795
1567         <rdar://problem/46724263>
1568
1569         Reviewed by Saam Barati.
1570
1571         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1572
1573 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1574
1575         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1576         https://bugs.webkit.org/show_bug.cgi?id=190047
1577
1578         Reviewed by Saam Barati.
1579
1580         * stress/object-keys-cached-zero.js: Added.
1581         (shouldBe):
1582         (test):
1583         * stress/object-keys-changed-attribute.js: Added.
1584         (shouldBe):
1585         (test):
1586         * stress/object-keys-changed-index.js: Added.
1587         (shouldBe):
1588         (test):
1589         * stress/object-keys-changed.js: Added.
1590         (shouldBe):
1591         (test):
1592         * stress/object-keys-indexed-non-cache.js: Added.
1593         (shouldBe):
1594         (test):
1595         * stress/object-keys-overrides-get-property-names.js: Added.
1596         (shouldBe):
1597         (test):
1598         (noInline):
1599
1600 2018-12-17  Mark Lam  <mark.lam@apple.com>
1601
1602         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1603         https://bugs.webkit.org/show_bug.cgi?id=192779
1604         <rdar://problem/46775869>
1605
1606         Reviewed by Saam Barati.
1607
1608         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1609
1610 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1611
1612         Unreviewed test gardening, address a syntax error in a new test.
1613
1614         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1615
1616 2018-12-17  Mark Lam  <mark.lam@apple.com>
1617
1618         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1619         https://bugs.webkit.org/show_bug.cgi?id=192776
1620         <rdar://problem/46772368>
1621
1622         Reviewed by Keith Miller.
1623
1624         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1625
1626 2018-12-17  Mark Lam  <mark.lam@apple.com>
1627
1628         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1629         https://bugs.webkit.org/show_bug.cgi?id=192770
1630         <rdar://problem/46449037>
1631
1632         Reviewed by Keith Miller.
1633
1634         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1635
1636 2018-12-14  Mark Lam  <mark.lam@apple.com>
1637
1638         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1639         https://bugs.webkit.org/show_bug.cgi?id=192717
1640         <rdar://problem/46660677>
1641
1642         Reviewed by Saam Barati.
1643
1644         * stress/regress-192717.js: Added.
1645
1646 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1647
1648         Unreviewed, rolling out r239153, r239154, and r239155.
1649         https://bugs.webkit.org/show_bug.cgi?id=192715
1650
1651         Caused flaky GC-related crashes seen with layout tests
1652         (Requested by ryanhaddad on #webkit).
1653
1654         Reverted changesets:
1655
1656         "[JSC] Optimize Object.keys by caching own keys results in
1657         StructureRareData"
1658         https://bugs.webkit.org/show_bug.cgi?id=190047
1659         https://trac.webkit.org/changeset/239153
1660
1661         "Unreviewed, build fix after r239153"
1662         https://bugs.webkit.org/show_bug.cgi?id=190047
1663         https://trac.webkit.org/changeset/239154
1664
1665         "Unreviewed, build fix after r239153, part 2"
1666         https://bugs.webkit.org/show_bug.cgi?id=190047
1667         https://trac.webkit.org/changeset/239155
1668
1669 2018-12-14  Keith Miller  <keith_miller@apple.com>
1670
1671         Callers of JSString::getIndex should check for OOM exceptions
1672         https://bugs.webkit.org/show_bug.cgi?id=192709
1673
1674         Reviewed by Mark Lam.
1675
1676         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1677
1678 2018-12-13  Mark Lam  <mark.lam@apple.com>
1679
1680         Add a missing exception check.
1681         https://bugs.webkit.org/show_bug.cgi?id=192626
1682         <rdar://problem/46662163>
1683
1684         Reviewed by Keith Miller.
1685
1686         * stress/regress-192626.js: Added.
1687
1688 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1689
1690         [BigInt] Add ValueDiv into DFG
1691         https://bugs.webkit.org/show_bug.cgi?id=186178
1692
1693         Reviewed by Yusuke Suzuki.
1694
1695         * stress/big-int-div-jit-osr.js: Added.
1696         * stress/big-int-div-jit-untyped.js: Added.
1697         * stress/value-div-fixup-int32-big-int.js: Added.
1698
1699 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1700
1701         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1702         https://bugs.webkit.org/show_bug.cgi?id=190047
1703
1704         Reviewed by Keith Miller.
1705
1706         * stress/object-keys-cached-zero.js: Added.
1707         (shouldBe):
1708         (test):
1709         * stress/object-keys-changed-attribute.js: Added.
1710         (shouldBe):
1711         (test):
1712         * stress/object-keys-changed-index.js: Added.
1713         (shouldBe):
1714         (test):
1715         * stress/object-keys-changed.js: Added.
1716         (shouldBe):
1717         (test):
1718         * stress/object-keys-indexed-non-cache.js: Added.
1719         (shouldBe):
1720         (test):
1721         * stress/object-keys-overrides-get-property-names.js: Added.
1722         (shouldBe):
1723         (test):
1724         (noInline):
1725
1726 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1727
1728         [DFG][FTL] Add NewSymbol
1729         https://bugs.webkit.org/show_bug.cgi?id=192620
1730
1731         Reviewed by Saam Barati.
1732
1733         * microbenchmarks/symbol-creation.js: Added.
1734         (test):
1735         * stress/symbol-description-identity.js: Added.
1736         (shouldBe):
1737         (test):
1738         * stress/symbol-identity.js: Added.
1739         (shouldBe):
1740         (test):
1741         * stress/symbol-with-description-throw-error.js: Added.
1742         (shouldBe):
1743         (shouldThrow):
1744         (test):
1745         (object.toString):
1746
1747 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1748
1749         [BigInt] Implement DFG/FTL typeof for BigInt
1750         https://bugs.webkit.org/show_bug.cgi?id=192619
1751
1752         Reviewed by Keith Miller.
1753
1754         * stress/big-int-boolean-proven-type.js: Added.
1755         (assert):
1756         (bool):
1757         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1758         (assert):
1759         (typeOf):
1760         (i.switch):
1761         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1762         (assert):
1763         (typeOf):
1764         * stress/big-int-type-of.js:
1765         (typeOf):
1766         (func):
1767
1768 2018-12-10  Mark Lam  <mark.lam@apple.com>
1769
1770         PropertyAttribute needs a CustomValue bit.
1771         https://bugs.webkit.org/show_bug.cgi?id=191993
1772         <rdar://problem/46264467>
1773
1774         Reviewed by Saam Barati.
1775
1776         * stress/regress-191993.js: Added.
1777
1778 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1779
1780         [BigInt] Add ValueMul into DFG
1781         https://bugs.webkit.org/show_bug.cgi?id=186175
1782
1783         Reviewed by Yusuke Suzuki.
1784
1785         * stress/big-int-mul-jit-osr.js: Added.
1786         * stress/big-int-mul-jit-untyped.js: Added.
1787         * stress/value-mul-fixup-int32-big-int.js: Added.
1788
1789 2018-12-06  Keith Miller  <keith_miller@apple.com>
1790
1791         stress/big-wasm-memory tests failing on 32-bit JSC bot
1792         https://bugs.webkit.org/show_bug.cgi?id=192020
1793
1794         Reviewed by Saam Barati.
1795
1796         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1797         the wasm stress tests if the WebAssembly object does not exist.
1798
1799         * stress/big-wasm-memory-grow-no-max.js:
1800         (test.foo):
1801         (test):
1802         (foo): Deleted.
1803         (catch): Deleted.
1804         * stress/big-wasm-memory-grow.js:
1805         (test.foo):
1806         (test):
1807         (foo): Deleted.
1808         (catch): Deleted.
1809         * stress/big-wasm-memory.js:
1810         (test.foo):
1811         (test):
1812         (foo): Deleted.
1813         (catch): Deleted.
1814
1815 2018-12-05  Mark Lam  <mark.lam@apple.com>
1816
1817         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1818         https://bugs.webkit.org/show_bug.cgi?id=192441
1819         <rdar://problem/46480355>
1820
1821         Reviewed by Saam Barati.
1822
1823         * stress/regress-192441.js: Added.
1824
1825 2018-12-04  Mark Lam  <mark.lam@apple.com>
1826
1827         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1828         https://bugs.webkit.org/show_bug.cgi?id=192386
1829         <rdar://problem/46445516>
1830
1831         Reviewed by Saam Barati.
1832
1833         * stress/regress-192386.js: Added.
1834
1835 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1836
1837         [ESNext][BigInt] Support logic operations
1838         https://bugs.webkit.org/show_bug.cgi?id=179903
1839
1840         Reviewed by Yusuke Suzuki.
1841
1842         * stress/big-int-branch-usage.js: Added.
1843         * stress/big-int-logical-and.js: Added.
1844         * stress/big-int-logical-not.js: Added.
1845         * stress/big-int-logical-or.js: Added.
1846
1847 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1848
1849         Unreviewed, rolling out r238833.
1850
1851         Breaks macOS and iOS debug builds.
1852
1853         Reverted changeset:
1854
1855         "[ESNext][BigInt] Support logic operations"
1856         https://bugs.webkit.org/show_bug.cgi?id=179903
1857         https://trac.webkit.org/changeset/238833
1858
1859 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1860
1861         [ESNext][BigInt] Support logic operations
1862         https://bugs.webkit.org/show_bug.cgi?id=179903
1863
1864         Reviewed by Yusuke Suzuki.
1865
1866         * stress/big-int-branch-usage.js: Added.
1867         * stress/big-int-logical-and.js: Added.
1868         * stress/big-int-logical-not.js: Added.
1869         * stress/big-int-logical-or.js: Added.
1870
1871 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1872
1873         [ESNext][BigInt] Implement support for "<<" and ">>"
1874         https://bugs.webkit.org/show_bug.cgi?id=186233
1875
1876         Reviewed by Yusuke Suzuki.
1877
1878         * stress/big-int-left-shift-general.js: Added.
1879         * stress/big-int-left-shift-range-error.js: Added.
1880         * stress/big-int-left-shift-type-error.js: Added.
1881         * stress/big-int-left-shift-wrapped-value.js: Added.
1882         * stress/big-int-right-shift-general.js: Added.
1883         * stress/big-int-right-shift-type-error.js: Added.
1884         * stress/big-int-right-shift-wrapped-value.js: Added.
1885         * stress/left-shift-to-primitive-precedence.js: Added.
1886         * stress/right-shift-to-primitive-precedence.js: Added.
1887
1888 2018-11-30  Dean Jackson  <dino@apple.com>
1889
1890         Add first-class support for .mjs files in jsc binary
1891         https://bugs.webkit.org/show_bug.cgi?id=192190
1892         <rdar://problem/46375715>
1893
1894         Reviewed by Keith Miller.
1895
1896         * stress/simple-module.mjs: Added.
1897         * stress/simple-script.js: Added.
1898
1899 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1900
1901         [BigInt] Implement ValueBitXor into DFG
1902         https://bugs.webkit.org/show_bug.cgi?id=190264
1903
1904         Reviewed by Yusuke Suzuki.
1905
1906         * stress/big-int-bitwise-xor-jit.js: Added.
1907         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1908         * stress/big-int-bitwise-xor-untyped.js: Added.
1909
1910 2018-11-27  Saam barati  <sbarati@apple.com>
1911
1912         r238510 broke scopes of size zero
1913         https://bugs.webkit.org/show_bug.cgi?id=192033
1914         <rdar://problem/46281734>
1915
1916         Reviewed by Keith Miller.
1917
1918         * stress/r238510-bad-loop.js: Added.
1919         (foo):
1920
1921 2018-11-27  Mark Lam  <mark.lam@apple.com>
1922
1923         [Re-landing] NaNs read from Wasm code needs to be purified.
1924         https://bugs.webkit.org/show_bug.cgi?id=191056
1925         <rdar://problem/45660341>
1926
1927         Reviewed by Filip Pizlo.
1928
1929         * wasm/regress/regress-191056.js: Added.
1930
1931 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1932
1933         Unreviewed, rolling out r238509.
1934
1935         Causes JSC tests to fail on iOS.
1936
1937         Reverted changeset:
1938
1939         "NaNs read from Wasm code needs to be purified."
1940         https://bugs.webkit.org/show_bug.cgi?id=191056
1941         https://trac.webkit.org/changeset/238509
1942
1943 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1944
1945         Re-introduce op_bitnot
1946         https://bugs.webkit.org/show_bug.cgi?id=190923
1947
1948         Reviewed by Yusuke Suzuki.
1949
1950         * stress/bit-not-must-generate.js: Added.
1951         * stress/bitwise-not-no-int32.js: Added.
1952
1953 2018-11-26  Saam barati  <sbarati@apple.com>
1954
1955         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1956         https://bugs.webkit.org/show_bug.cgi?id=191956
1957         <rdar://problem/45665806>
1958
1959         Reviewed by Yusuke Suzuki.
1960
1961         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1962         (bar):
1963         (foo):
1964
1965 2018-11-26  Saam barati  <sbarati@apple.com>
1966
1967         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1968         https://bugs.webkit.org/show_bug.cgi?id=191958
1969         <rdar://problem/46221877>
1970
1971         Reviewed by Yusuke Suzuki.
1972
1973         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1974         (x):
1975         (foo):
1976
1977 2018-11-26  Mark Lam  <mark.lam@apple.com>
1978
1979         NaNs read from Wasm code needs to be purified.
1980         https://bugs.webkit.org/show_bug.cgi?id=191056
1981         <rdar://problem/45660341>
1982
1983         Reviewed by Filip Pizlo.
1984
1985         * wasm/regress/regress-191056.js: Added.
1986
1987 2018-11-26  Michael Saboff  <msaboff@apple.com>
1988
1989         32-bit JSC test failure: stress/regexp-compile-oom.js
1990         https://bugs.webkit.org/show_bug.cgi?id=191375
1991
1992         Reviewed by Mark Lam.
1993
1994         Disabled the test for 32 bit platforms.
1995
1996         * stress/regexp-compile-oom.js:
1997
1998 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1999
2000         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2001         https://bugs.webkit.org/show_bug.cgi?id=191716
2002         <rdar://problem/45723878>
2003
2004         Reviewed by Saam Barati.
2005
2006         * stress/regress-187373.js: Added.
2007         (async.fn):
2008
2009 2018-11-21  Saam barati  <sbarati@apple.com>
2010
2011         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2012         https://bugs.webkit.org/show_bug.cgi?id=191897
2013         <rdar://problem/45871998>
2014
2015         Reviewed by Mark Lam.
2016
2017         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2018         (bar):
2019         (foo):
2020
2021 2018-11-21  Saam barati  <sbarati@apple.com>
2022
2023         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2024         https://bugs.webkit.org/show_bug.cgi?id=191895
2025         <rdar://problem/46167406>
2026
2027         Reviewed by Mark Lam.
2028
2029         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2030         (foo):
2031         (bar):
2032
2033 2018-11-21  Mark Lam  <mark.lam@apple.com>
2034
2035         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2036         https://bugs.webkit.org/show_bug.cgi?id=191776
2037         <rdar://problem/46152851>
2038
2039         Reviewed by Saam Barati.
2040
2041         * stress/big-wasm-memory-grow-no-max.js:
2042         * stress/big-wasm-memory-grow.js:
2043         * stress/big-wasm-memory.js:
2044         - updated these to expect an OutOfMemoryError.
2045
2046         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2047         (Binary.prototype.emit_u8):
2048         (Binary.prototype.emit_u32v):
2049         (Binary.prototype.emit_header):
2050         (Binary.prototype.emit_section):
2051         (Binary):
2052         (WasmModuleBuilder):
2053         (WasmModuleBuilder.prototype.addMemory):
2054         (WasmModuleBuilder.prototype.toArray):
2055         (WasmModuleBuilder.prototype.toBuffer):
2056         (WasmModuleBuilder.prototype.instantiate):
2057         (catch):
2058         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2059         (catch):
2060
2061 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2062
2063         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2064         https://bugs.webkit.org/show_bug.cgi?id=190836
2065
2066         Reviewed by Saam Barati and Yusuke Suzuki.
2067
2068         * stress/big-int-out-of-memory-tests.js: Added.
2069
2070 2018-11-20  Mark Lam  <mark.lam@apple.com>
2071
2072         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2073         https://bugs.webkit.org/show_bug.cgi?id=191856
2074         <rdar://problem/46089992>
2075
2076         Reviewed by Yusuke Suzuki.
2077
2078         * stress/regress-191856.js: Added.
2079         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2080
2081 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2082
2083         Enable JIT on ARM/Linux
2084         https://bugs.webkit.org/show_bug.cgi?id=191548
2085
2086         Reviewed by Yusuke Suzuki.
2087
2088         Disable test on system with limited memory. Program was killed by
2089         the OS before the exception was thrown.
2090
2091         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2092
2093 2018-11-20  Saam barati  <sbarati@apple.com>
2094
2095         Merging an IC variant may lead to the IC status containing overlapping structure sets
2096         https://bugs.webkit.org/show_bug.cgi?id=191869
2097         <rdar://problem/45403453>
2098
2099         Reviewed by Mark Lam.
2100
2101         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2102
2103 2018-11-19  Mark Lam  <mark.lam@apple.com>
2104
2105         globalFuncImportModule() should return a promise when it clears exceptions.
2106         https://bugs.webkit.org/show_bug.cgi?id=191792
2107         <rdar://problem/46090763>
2108
2109         Reviewed by Michael Saboff.
2110
2111         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2112
2113 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2114
2115         Skip new memory-hungry tests on memory limited devices
2116
2117         Unreviewed gardening.
2118
2119         * stress/big-wasm-memory-grow-no-max.js:
2120         * stress/big-wasm-memory-grow.js:
2121         * stress/big-wasm-memory.js:
2122
2123 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2124
2125         Unreviewed, rolling in the rest of r237254
2126         https://bugs.webkit.org/show_bug.cgi?id=190340
2127
2128         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2129         * stress/function-cache-with-parameters-end-position.js: Added.
2130         (shouldBe):
2131         (shouldThrow):
2132         (i.anonymous):
2133         * stress/function-constructor-name.js: Added.
2134         (shouldBe):
2135         (GeneratorFunction):
2136         (AsyncFunction.async):
2137         (AsyncGeneratorFunction.async):
2138         (anonymous):
2139         (async.anonymous):
2140         * test262/expectations.yaml:
2141
2142 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2143
2144         All users of ArrayBuffer should agree on the same max size
2145         https://bugs.webkit.org/show_bug.cgi?id=191771
2146
2147         Reviewed by Mark Lam.
2148
2149         * stress/big-wasm-memory-grow-no-max.js: Added.
2150         (foo):
2151         (catch):
2152         * stress/big-wasm-memory-grow.js: Added.
2153         (foo):
2154         (catch):
2155         * stress/big-wasm-memory.js: Added.
2156         (foo):
2157         (catch):
2158
2159 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2160
2161         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2162         run for each JSC config since they're regression tests for runtime bugs.
2163
2164         * stress/json-stringified-overflow-2.js:
2165         * stress/json-stringified-overflow.js:
2166
2167 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2168
2169         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2170         config since they're regression tests for runtime bugs.
2171
2172         * stress/large-unshift-splice.js:
2173         * stress/regress-185888.js:
2174
2175 2018-11-16  Saam Barati  <sbarati@apple.com>
2176
2177         KnownCellUse should also have SpecCellCheck as its type filter
2178         https://bugs.webkit.org/show_bug.cgi?id=191729
2179         <rdar://problem/45872852>
2180
2181         Reviewed by Filip Pizlo.
2182
2183         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2184         (C):
2185
2186 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2187
2188         Fix assertion failure on BytecodeGenerator::recordOpcode
2189         https://bugs.webkit.org/show_bug.cgi?id=191724
2190         <rdar://problem/45724395>
2191
2192         Reviewed by Saam Barati.
2193
2194         * stress/regress-187373-2.js: Added.
2195         (foo):
2196
2197 2018-11-15  Mark Lam  <mark.lam@apple.com>
2198
2199         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2200         https://bugs.webkit.org/show_bug.cgi?id=191730
2201         <rdar://problem/46048517>
2202
2203         Reviewed by Saam Barati.
2204
2205         * stress/regress-187006.js: Removed.
2206           - this test is invalid because its sole purpose is to test for the non-spec
2207             compliant behavior that we just fixed.
2208
2209         * stress/regress-191730.js: Added.
2210
2211 2018-11-15  Mark Lam  <mark.lam@apple.com>
2212
2213         RegExp operations should not take fast path if lastIndex is not numeric.
2214         https://bugs.webkit.org/show_bug.cgi?id=191731
2215         <rdar://problem/46017305>
2216
2217         Reviewed by Saam Barati.
2218
2219         * stress/regress-191731.js: Added.
2220
2221 2018-11-13  Saam Barati  <sbarati@apple.com>
2222
2223         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2224         https://bugs.webkit.org/show_bug.cgi?id=191600
2225
2226         Reviewed by Mark Lam.
2227
2228         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2229         (foo):
2230         (test):
2231         (bar):
2232
2233 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2234
2235         Unreviewed, rolling out r238132.
2236
2237         The test added with this change is timing out on Debug JSC
2238         bots.
2239
2240         Reverted changeset:
2241
2242         "[BigInt] JSBigInt::createWithLength should throw when length
2243         is greater than JSBigInt::maxLength"
2244         https://bugs.webkit.org/show_bug.cgi?id=190836
2245         https://trac.webkit.org/changeset/238132
2246
2247 2018-11-13  Mark Lam  <mark.lam@apple.com>
2248
2249         Add OOM detection to StringPrototype's substituteBackreferences().
2250         https://bugs.webkit.org/show_bug.cgi?id=191563
2251         <rdar://problem/45720428>
2252
2253         Reviewed by Saam Barati.
2254
2255         * stress/regress-191563.js: Added.
2256
2257 2018-11-13  Mark Lam  <mark.lam@apple.com>
2258
2259         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2260         https://bugs.webkit.org/show_bug.cgi?id=191579
2261         <rdar://problem/45942472>
2262
2263         Reviewed by Saam Barati.
2264
2265         * stress/regress-191579.js: Added.
2266
2267 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2268
2269         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2270         https://bugs.webkit.org/show_bug.cgi?id=190836
2271
2272         Reviewed by Saam Barati.
2273
2274         * stress/big-int-out-of-memory-tests.js: Added.
2275
2276 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2277
2278         U+180E is no longer a whitespace character
2279         https://bugs.webkit.org/show_bug.cgi?id=191415
2280
2281         Reviewed by Saam Barati.
2282
2283         * ChakraCore/test/es5/regexSpace.baseline:
2284         * ChakraCore/test/es6/unicode_whitespace.js:
2285         Update tests to latest version.
2286         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2287
2288         * test262.yaml:
2289         * test262/config.yaml:
2290         * test262/expectations.yaml:
2291         Update expectations.
2292
2293 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2294
2295         [BigInt] Add support to BigInt into ValueAdd
2296         https://bugs.webkit.org/show_bug.cgi?id=186177
2297
2298         Reviewed by Keith Miller.
2299
2300         * stress/big-int-negate-jit.js:
2301         * stress/value-add-big-int-and-string.js: Added.
2302         * stress/value-add-big-int-prediction-propagation.js: Added.
2303         * stress/value-add-big-int-untyped.js: Added.
2304
2305 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2306
2307         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2308         https://bugs.webkit.org/show_bug.cgi?id=191184
2309
2310         Reviewed by Saam Barati.
2311
2312         Most tests were failing due to timeouts, since they are too slow to
2313         run on CLoop. The exceptions are:
2314
2315         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2316         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2317         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2318         to change the stack size since CLoop requires it to be page aligned.
2319
2320         * microbenchmarks/array-push-1.js:
2321         * microbenchmarks/array-push-2.js:
2322         * microbenchmarks/elidable-new-object-dag.js:
2323         * microbenchmarks/elidable-new-object-roflcopter.js:
2324         * microbenchmarks/elidable-new-object-tree.js:
2325         * microbenchmarks/getter-richards.js:
2326         * microbenchmarks/sinkable-new-object-dag.js:
2327         * microbenchmarks/string-concat-long-convert.js:
2328         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2329         * slowMicrobenchmarks/array-push-3.js:
2330         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2331         * slowMicrobenchmarks/spread-small-array.js:
2332         * slowMicrobenchmarks/undefined-property-access.js:
2333         * stress/activation-sink-default-value-tdz-error.js:
2334         * stress/activation-sink-default-value.js:
2335         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2336         * stress/activation-sink-osrexit-default-value.js:
2337         * stress/activation-sink-osrexit.js:
2338         * stress/activation-sink.js:
2339         * stress/allow-math-ic-b3-code-duplication.js:
2340         * stress/array-push-multiple-int32.js:
2341         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2342         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2343         * stress/arrowfunction-lexical-this-activation-sink.js:
2344         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2345         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2346         * stress/elide-new-object-dag-then-exit.js:
2347         * stress/materialize-regexp-cyclic.js:
2348         * stress/new-regex-inline.js:
2349         * stress/op_add.js:
2350         * stress/op_bitand.js:
2351         * stress/op_bitor.js:
2352         * stress/op_bitxor.js:
2353         * stress/op_div-ConstVar.js:
2354         * stress/op_div-VarConst.js:
2355         * stress/op_div-VarVar.js:
2356         * stress/op_lshift-ConstVar.js:
2357         * stress/op_lshift-VarConst.js:
2358         * stress/op_lshift-VarVar.js:
2359         * stress/op_mod-ConstVar.js:
2360         * stress/op_mod-VarConst.js:
2361         * stress/op_mod-VarVar.js:
2362         * stress/op_mul-ConstVar.js:
2363         * stress/op_mul-VarConst.js:
2364         * stress/op_mul-VarVar.js:
2365         * stress/op_rshift-ConstVar.js:
2366         * stress/op_rshift-VarConst.js:
2367         * stress/op_rshift-VarVar.js:
2368         * stress/op_sub-ConstVar.js:
2369         * stress/op_sub-VarConst.js:
2370         * stress/op_sub-VarVar.js:
2371         * stress/op_urshift-ConstVar.js:
2372         * stress/op_urshift-VarConst.js:
2373         * stress/op_urshift-VarVar.js:
2374         * stress/proxy-get-set-correct-receiver.js:
2375         * stress/regress-179562.js:
2376         * stress/rest-parameter-many-arguments.js:
2377         * stress/sampling-profiler-richards.js:
2378         * stress/splay-flash-access-1ms.js:
2379         * stress/tailCallForwardArguments.js:
2380         * stress/typed-array-get-by-val-profiling.js:
2381         * typeProfiler/getter-richards.js:
2382
2383 2018-11-06  Michael Saboff  <msaboff@apple.com>
2384
2385         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2386         https://bugs.webkit.org/show_bug.cgi?id=191271
2387
2388         Reviewed by Saam Barati.
2389
2390         Added more test cases and made all test cases run with the same deeply recursive stack
2391         instead of finding that same point for each test case.
2392
2393         * stress/regexp-compile-oom.js:
2394         (prototype.runTest):
2395         (recurseAndTest):
2396         (testList.push.new.TestAndExpectedException):
2397
2398 2018-11-05  Michael Saboff  <msaboff@apple.com>
2399
2400         Unreviewed build fix for linux.
2401
2402         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2403
2404 2018-11-02  Michael Saboff  <msaboff@apple.com>
2405
2406         Rolling in r237753 with unreviewed build fix.
2407
2408         Fixed issues with DECLARE_THROW_SCOPE placement.
2409
2410 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2411
2412         Unreviewed, rolling out r237753.
2413
2414         Introduced JSC test failures
2415
2416         Reverted changeset:
2417
2418         "Running out of stack space not properly handled in
2419         RegExp::compile() and its callers"
2420         https://bugs.webkit.org/show_bug.cgi?id=191206
2421         https://trac.webkit.org/changeset/237753
2422
2423 2018-11-02  Michael Saboff  <msaboff@apple.com>
2424
2425         Running out of stack space not properly handled in RegExp::compile() and its callers
2426         https://bugs.webkit.org/show_bug.cgi?id=191206
2427
2428         Reviewed by Filip Pizlo.
2429
2430         New regression test.
2431
2432         * stress/regexp-compile-oom.js: Added.
2433         (recurseAndTest):
2434
2435 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2436
2437         Skip tests on arm/mips that time out now we're running on CLoop
2438
2439         Unreviewed gardening.
2440
2441         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2442         time out on the bots and need to be disabled. There's more tests
2443         disabled on arm because the timeout is longer on the mips bot (as the
2444         device is slower to start with), so many of the tests don't time out
2445         there.
2446
2447         * microbenchmarks/getter-richards.js: disable on arm and mips.
2448         * stress/op_add.js: disable on arm.
2449         * stress/op_bitand.js: disable on arm.
2450         * stress/op_bitor.js: disable on arm.
2451         * stress/op_bitxor.js: disable on arm.
2452         * stress/op_lshift-ConstVar.js: disable on arm.
2453         * stress/op_lshift-VarConst.js: disable on arm.
2454         * stress/op_lshift-VarVar.js: disable on arm.
2455         * stress/op_mod-ConstVar.js: disable on arm.
2456         * stress/op_mod-VarConst.js: disable on arm.
2457         * stress/op_mod-VarVar.js: disable on arm.
2458         * stress/op_mul-ConstVar.js: disable on arm.
2459         * stress/op_mul-VarConst.js: disable on arm.
2460         * stress/op_mul-VarVar.js: disable on arm.
2461         * stress/op_rshift-ConstVar.js: disable on arm.
2462         * stress/op_rshift-VarConst.js: disable on arm.
2463         * stress/op_rshift-VarVar.js: disable on arm.
2464         * stress/op_sub-ConstVar.js: disable on arm.
2465         * stress/op_sub-VarConst.js: disable on arm.
2466         * stress/op_sub-VarVar.js: disable on arm.
2467         * stress/op_urshift-ConstVar.js: disable on arm.
2468         * stress/op_urshift-VarConst.js: disable on arm.
2469         * stress/op_urshift-VarVar.js: disable on arm.
2470         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2471         * stress/value-to-boolean.js: disable on arm and mips.
2472
2473 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2474
2475         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2476         https://bugs.webkit.org/show_bug.cgi?id=191108
2477         <rdar://problem/45690700>
2478
2479         Reviewed by Saam Barati.
2480
2481         * stress/wide-op_catch.js: Added.
2482         (catch):
2483
2484 2018-10-29  Mark Lam  <mark.lam@apple.com>
2485
2486         Correctly detect string overflow when using the 'Function' constructor.
2487         https://bugs.webkit.org/show_bug.cgi?id=184883
2488         <rdar://problem/36320331>
2489
2490         Reviewed by Saam Barati.
2491
2492         I've verified that this passes on 32-bit as well.
2493
2494         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2495
2496 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2497
2498         Add support for GetStack FlushedDouble
2499         https://bugs.webkit.org/show_bug.cgi?id=191012
2500         <rdar://problem/45265141>
2501
2502         Reviewed by Saam Barati.
2503
2504         * stress/get-stack-double.js: Added.
2505         (bar):
2506         (noInline):
2507
2508 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2509
2510         New bytecode format for JSC
2511         https://bugs.webkit.org/show_bug.cgi?id=187373
2512         <rdar://problem/44186758>
2513
2514         Reviewed by Filip Pizlo.
2515
2516         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2517
2518         * stress/maximum-inline-capacity.js: Added.
2519         (test1):
2520         (test3.Foo):
2521         (test3):
2522
2523 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2524
2525         Unreviewed, rolling out r237479 and r237484.
2526         https://bugs.webkit.org/show_bug.cgi?id=190978
2527
2528         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2529
2530         Reverted changesets:
2531
2532         "New bytecode format for JSC"
2533         https://bugs.webkit.org/show_bug.cgi?id=187373
2534         https://trac.webkit.org/changeset/237479
2535
2536         "Gardening: Build fix after r237479."
2537         https://bugs.webkit.org/show_bug.cgi?id=187373
2538         https://trac.webkit.org/changeset/237484
2539
2540 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2541
2542         New bytecode format for JSC
2543         https://bugs.webkit.org/show_bug.cgi?id=187373
2544         <rdar://problem/44186758>
2545
2546         Reviewed by Filip Pizlo.
2547
2548         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2549
2550         * stress/maximum-inline-capacity.js: Added.
2551         (test1):
2552         (test3.Foo):
2553         (test3):
2554
2555 2018-10-26  Mark Lam  <mark.lam@apple.com>
2556
2557         Fix missing edge cases with JSGlobalObjects having a bad time.
2558         https://bugs.webkit.org/show_bug.cgi?id=189028
2559         <rdar://problem/45204939>
2560
2561         Reviewed by Saam Barati.
2562
2563         * stress/regress-189028.js: Added.
2564
2565 2018-10-22  Mark Lam  <mark.lam@apple.com>
2566
2567         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2568         https://bugs.webkit.org/show_bug.cgi?id=190515
2569         <rdar://problem/45222379>
2570
2571         Rubber-stamped by Saam Barati.
2572
2573         Adding another test.
2574
2575         * stress/regress-190515-2.js: Added.
2576
2577 2018-10-22  Mark Lam  <mark.lam@apple.com>
2578
2579         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2580         https://bugs.webkit.org/show_bug.cgi?id=190515
2581         <rdar://problem/45222379>
2582
2583         Reviewed by Saam Barati.
2584
2585         * stress/regress-190515.js: Added.
2586
2587 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2588
2589         Unreviewed, rolling out r237254.
2590         https://bugs.webkit.org/show_bug.cgi?id=190760
2591
2592         "It regresses JetStream 2 by 5% on some iOS devices"
2593         (Requested by saamyjoon on #webkit).
2594
2595         Reverted changeset:
2596
2597         "[JSC] JSC should have "parseFunction" to optimize Function
2598         constructor"
2599         https://bugs.webkit.org/show_bug.cgi?id=190340
2600         https://trac.webkit.org/changeset/237254
2601
2602 2018-10-19  Saam Barati  <sbarati@apple.com>
2603
2604         vmCall should check if we exit before emitting an OSR exit due to exceptions
2605         https://bugs.webkit.org/show_bug.cgi?id=190740
2606         <rdar://problem/45220139>
2607
2608         Reviewed by Mark Lam.
2609
2610         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2611         (foo):
2612
2613 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2614
2615         [ESNext][BigInt] Implement support for "^"
2616         https://bugs.webkit.org/show_bug.cgi?id=186235
2617
2618         Reviewed by Yusuke Suzuki.
2619
2620         * stress/big-int-bitwise-xor-general.js: Added.
2621         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2622         * stress/big-int-bitwise-xor-type-error.js: Added.
2623         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2624
2625 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2626
2627         [BigInt] Add ValueSub into DFG
2628         https://bugs.webkit.org/show_bug.cgi?id=186176
2629
2630         Reviewed by Yusuke Suzuki.
2631
2632         * stress/big-int-subtraction-jit.js:
2633         * stress/value-sub-big-int-prediction-propagation.js: Added.
2634         * stress/value-sub-big-int-untyped.js: Added.
2635         * stress/value-sub-spec-none-case.js: Added.
2636
2637 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2638
2639         [JSC] JSC should have "parseFunction" to optimize Function constructor
2640         https://bugs.webkit.org/show_bug.cgi?id=190340
2641
2642         Reviewed by Mark Lam.
2643
2644         This patch fixes the line number of syntax errors raised by the Function constructor,
2645         since we now parse the final code only once. And we no longer use block statement
2646         for Function constructor's parsing.
2647
2648         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2649         * stress/function-cache-with-parameters-end-position.js: Added.
2650         (shouldBe):
2651         (shouldThrow):
2652         (i.anonymous):
2653         * stress/function-constructor-name.js: Added.
2654         (shouldBe):
2655         (GeneratorFunction):
2656         (AsyncFunction.async):
2657         (AsyncGeneratorFunction.async):
2658         (anonymous):
2659         (async.anonymous):
2660         * test262/expectations.yaml:
2661
2662 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2663
2664         Unreviewed, rolling out r237242.
2665         https://bugs.webkit.org/show_bug.cgi?id=190701
2666
2667         it breaks "stress/sampling-profiler-basic.js" (Requested by
2668         caiolima on #webkit).
2669
2670         Reverted changeset:
2671
2672         "[BigInt] Add ValueSub into DFG"
2673         https://bugs.webkit.org/show_bug.cgi?id=186176
2674         https://trac.webkit.org/changeset/237242
2675
2676 2018-10-17  Keith Miller  <keith_miller@apple.com>
2677
2678         AI does not clear Phantom allocation nodes.
2679         https://bugs.webkit.org/show_bug.cgi?id=190694
2680
2681         Reviewed by Saam Barati.
2682
2683         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2684         (Day):
2685         (DaysInYear):
2686         (TimeInYear):
2687         (TimeFromYear):
2688         (DayFromYear):
2689         (InLeapYear):
2690         (YearFromTime):
2691         (WeekDay):
2692         (DaylightSavingTA):
2693         (GetSecondSundayInMarch):
2694         (TimeInMonth):
2695
2696 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2697
2698         [BigInt] Add ValueSub into DFG
2699         https://bugs.webkit.org/show_bug.cgi?id=186176
2700
2701         Reviewed by Yusuke Suzuki.
2702
2703         * stress/big-int-subtraction-jit.js:
2704         * stress/value-sub-big-int-prediction-propagation.js: Added.
2705         * stress/value-sub-big-int-untyped.js: Added.
2706
2707 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2708
2709         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2710         https://bugs.webkit.org/show_bug.cgi?id=190611
2711
2712         Reviewed by Saam Barati.
2713
2714         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2715         to improve test runtime. On ARM/MIPS this test even timed out when running all
2716         tests.
2717
2718         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2719         (test):
2720
2721 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2722
2723         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2724
2725         Unreviewed gardening.
2726
2727         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2728
2729 2018-10-15  Saam barati  <sbarati@apple.com>
2730
2731         Emit fjcvtzs on ARM64E on Darwin
2732         https://bugs.webkit.org/show_bug.cgi?id=184023
2733
2734         Reviewed by Yusuke Suzuki and Filip Pizlo.
2735
2736         * stress/double-to-int32-NaN.js: Added.
2737         (assert):
2738         (foo):
2739
2740 2018-10-15  Saam Barati  <sbarati@apple.com>
2741
2742         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2743         https://bugs.webkit.org/show_bug.cgi?id=190262
2744         <rdar://problem/44986241>
2745
2746         Reviewed by Mark Lam.
2747
2748         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2749         (test):
2750         * stress/slice-array-storage-with-holes.js: Added.
2751         (main):
2752
2753 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2754
2755         Unreviewed, rolling out r237054.
2756         https://bugs.webkit.org/show_bug.cgi?id=190593
2757
2758         "this regressed JetStream 2 by 6% on iOS" (Requested by
2759         saamyjoon on #webkit).
2760
2761         Reverted changeset:
2762
2763         "[JSC] JSC should have "parseFunction" to optimize Function
2764         constructor"
2765         https://bugs.webkit.org/show_bug.cgi?id=190340
2766         https://trac.webkit.org/changeset/237054
2767
2768 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2769
2770         [JSC] JSON.stringify can accept call-with-no-arguments
2771         https://bugs.webkit.org/show_bug.cgi?id=190343
2772
2773         Reviewed by Mark Lam.
2774
2775         * stress/json-stringify-no-arguments.js: Added.
2776         (shouldBe):
2777
2778 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2779
2780         [JSC] JSC should have "parseFunction" to optimize Function constructor
2781         https://bugs.webkit.org/show_bug.cgi?id=190340
2782
2783         Reviewed by Mark Lam.
2784
2785         This patch fixes the line number of syntax errors raised by the Function constructor,
2786         since we now parse the final code only once. And we no longer use block statement
2787         for Function constructor's parsing.
2788
2789         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2790         * stress/function-cache-with-parameters-end-position.js: Added.
2791         (shouldBe):
2792         (shouldThrow):
2793         (i.anonymous):
2794         * stress/function-constructor-name.js: Added.
2795         (shouldBe):
2796         (GeneratorFunction):
2797         (AsyncFunction.async):
2798         (AsyncGeneratorFunction.async):
2799         (anonymous):
2800         (async.anonymous):
2801         * test262/expectations.yaml:
2802
2803 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2804
2805         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2806         https://bugs.webkit.org/show_bug.cgi?id=190426
2807
2808         Unreviewed gardening.
2809
2810         * stress/sampling-profiler-richards.js:
2811
2812 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2813
2814         [ESNext][BigInt] Implement support for "|"
2815         https://bugs.webkit.org/show_bug.cgi?id=186229
2816
2817         Reviewed by Yusuke Suzuki.
2818
2819         * stress/big-int-bitwise-and-jit.js:
2820         * stress/big-int-bitwise-or-general.js: Added.
2821         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2822         * stress/big-int-bitwise-or-jit.js: Added.
2823         * stress/big-int-bitwise-or-memory-stress.js: Added.
2824         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2825         * stress/big-int-bitwise-or-type-error.js: Added.
2826         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2827
2828 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2829
2830         Skip test on systems with limited memory
2831         https://bugs.webkit.org/show_bug.cgi?id=190310
2832
2833         Invoking runDefault adds test to runlist, skipping the test in the next
2834         line does not prevent the test from executing. Change order of lines such
2835         that runDefault is only executed if test is not executed.
2836
2837         Reviewed by Mark Lam.
2838
2839         * stress/regress-190187.js:
2840
2841 2018-10-03  Saam barati  <sbarati@apple.com>
2842
2843         lowXYZ in FTLLower should always filter the type of the incoming edge
2844         https://bugs.webkit.org/show_bug.cgi?id=189939
2845         <rdar://problem/44407030>
2846
2847         Reviewed by Michael Saboff.
2848
2849         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2850         (foo):
2851         (test):
2852
2853 2018-10-03  Mark Lam  <mark.lam@apple.com>
2854
2855         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2856         https://bugs.webkit.org/show_bug.cgi?id=190187
2857         <rdar://problem/42512909>
2858
2859         Reviewed by Michael Saboff.
2860
2861         * stress/regress-190187.js: Added.
2862
2863 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2864
2865         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2866         https://bugs.webkit.org/show_bug.cgi?id=190033
2867
2868         Reviewed by Yusuke Suzuki.
2869
2870         * stress/big-int-to-string.js:
2871
2872 2018-10-01  Mark Lam  <mark.lam@apple.com>
2873
2874         Function.toString() should also copy the source code Functions that are class definitions.
2875         https://bugs.webkit.org/show_bug.cgi?id=190186
2876         <rdar://problem/44733360>
2877
2878         Reviewed by Saam Barati.
2879
2880         * stress/regress-190186.js: Added.
2881
2882 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2883
2884         Split NaN-check into separate test
2885         https://bugs.webkit.org/show_bug.cgi?id=190010
2886
2887         Reviewed by Saam Barati.
2888
2889         DataView exposes NaN-representation, which is not necessarily the same on each
2890         architecture. Therefore move the check of the NaN-representation into its own
2891         file such that we can disable this test on MIPS where NaN-representation can be
2892         different on older CPUs.
2893
2894         * stress/dataview-jit-set-nan.js: Added.
2895         (assert):
2896         (test.storeLittleEndian):
2897         (test.storeBigEndian):
2898         (test.store):
2899         (test):
2900         * stress/dataview-jit-set.js:
2901         (test5):
2902
2903 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2904
2905         Unreviewed, rolling out r236647.
2906         https://bugs.webkit.org/show_bug.cgi?id=190124
2907
2908         Breaking test stress/big-int-to-string.js (Requested by
2909         caiolima_ on #webkit).
2910
2911         Reverted changeset:
2912
2913         "[BigInt] BigInt.prototype.toString is broken when radix is
2914         power of 2"
2915         https://bugs.webkit.org/show_bug.cgi?id=190033
2916         https://trac.webkit.org/changeset/236647
2917
2918 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2919
2920         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2921         https://bugs.webkit.org/show_bug.cgi?id=190033
2922
2923         Reviewed by Yusuke Suzuki.
2924
2925         * stress/big-int-to-string.js:
2926
2927 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2928
2929         [ESNext][BigInt] Implement support for "&"
2930         https://bugs.webkit.org/show_bug.cgi?id=186228
2931
2932         Reviewed by Yusuke Suzuki.
2933
2934         * stress/big-int-bitwise-and-general.js: Added.
2935         (assert):
2936         (assert.sameValue):
2937         * stress/big-int-bitwise-and-jit.js: Added.
2938         (let.assert.sameValue):
2939         (bigIntBitAnd):
2940         * stress/big-int-bitwise-and-memory-stress.js: Added.
2941         (assert):
2942         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2943         (assert.sameValue):
2944         (let.o.Symbol.toPrimitive):
2945         (catch):
2946         * stress/big-int-bitwise-and-type-error.js: Added.
2947         (assert):
2948         (assertThrowTypeError):
2949         (let.o.valueOf):
2950         (o.valueOf):
2951         (o.toString):
2952         (o.Symbol.toPrimitive):
2953         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2954         (assert.sameValue):
2955         (testBitAnd):
2956         (let.o.Symbol.toPrimitive):
2957         (o.valueOf):
2958         (o.toString):
2959
2960 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2961
2962         JSC test stress/jsc-read.js doesn't support CRLF
2963         https://bugs.webkit.org/show_bug.cgi?id=190063
2964
2965         Reviewed by Yusuke Suzuki.
2966
2967         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2968
2969         * stress/jsc-read.js:
2970         (test):
2971
2972 2018-09-27  Saam barati  <sbarati@apple.com>
2973
2974         Verify the contents of AssemblerBuffer on arm64e
2975         https://bugs.webkit.org/show_bug.cgi?id=190057
2976         <rdar://problem/38916630>
2977
2978         Reviewed by Mark Lam.
2979
2980         * stress/regress-189132.js:
2981
2982 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2983
2984         Disable test without LLInt on ARMv7
2985         https://bugs.webkit.org/show_bug.cgi?id=190037
2986
2987         Reviewed by Mark Lam.
2988
2989         Test runs out of executable memory on ARMv7, do not run
2990         this test without LLInt enabled.
2991
2992         * stress/regress-169445.js:
2993
2994 2018-09-26  Keith Miller  <keith_miller@apple.com>
2995
2996         We should zero unused property storage when rebalancing array storage.
2997         https://bugs.webkit.org/show_bug.cgi?id=188151
2998
2999         Reviewed by Michael Saboff.
3000
3001         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3002
3003 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3004
3005         [JSC] Optimize Array#lastIndexOf
3006         https://bugs.webkit.org/show_bug.cgi?id=189780
3007
3008         Reviewed by Saam Barati.
3009
3010         * stress/array-lastindexof-array-prototype-trap.js: Added.
3011         (shouldBe):
3012         (AncestorArray.prototype.get 2):
3013         (AncestorArray):
3014         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3015         (shouldBe):
3016         * stress/array-lastindexof-hole-nan.js: Added.
3017         (shouldBe):
3018         (throw.new.Error):
3019         * stress/array-lastindexof-infinity.js: Added.
3020         (shouldBe):
3021         (throw.new.Error):
3022         * stress/array-lastindexof-negative-zero.js: Added.
3023         (shouldBe):
3024         (throw.new.Error):
3025         * stress/array-lastindexof-own-getter.js: Added.
3026         (shouldBe):
3027         (throw.new.Error.get array):
3028         (get array):
3029         * stress/array-lastindexof-prototype-trap.js: Added.
3030         (shouldBe):
3031         (DerivedArray.prototype.get 2):
3032         (DerivedArray):
3033
3034 2018-09-25  Saam Barati  <sbarati@apple.com>
3035
3036         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3037         https://bugs.webkit.org/show_bug.cgi?id=189940
3038         <rdar://problem/43640987>
3039
3040         Reviewed by Mark Lam.
3041
3042         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3043
3044 2018-09-24  Saam Barati  <sbarati@apple.com>
3045
3046         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3047         https://bugs.webkit.org/show_bug.cgi?id=189922
3048         <rdar://problem/44651275>
3049
3050         Reviewed by Mark Lam.
3051
3052         * stress/array-indexof-fast-path-effects.js: Added.
3053         * stress/array-indexof-cached-length.js: Added.
3054
3055 2018-09-24  Saam barati  <sbarati@apple.com>
3056
3057         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3058         https://bugs.webkit.org/show_bug.cgi?id=189682
3059         <rdar://problem/43557315>
3060
3061         Reviewed by Mark Lam.
3062
3063         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3064         (foo):
3065
3066 2018-09-22  Saam barati  <sbarati@apple.com>
3067
3068         The sampling should not use Strong<CodeBlock> in its machineLocation field
3069         https://bugs.webkit.org/show_bug.cgi?id=189319
3070
3071         Reviewed by Filip Pizlo.
3072
3073         * stress/sampling-profiler-richards.js: Added.
3074
3075 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3076
3077         [JSC] Optimize Array#indexOf in C++ runtime
3078         https://bugs.webkit.org/show_bug.cgi?id=189507
3079
3080         Reviewed by Saam Barati.
3081
3082         * stress/array-indexof-array-prototype-trap.js: Added.
3083         (shouldBe):
3084         (AncestorArray.prototype.get 2):
3085         (AncestorArray):
3086         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3087         (shouldBe):
3088         * stress/array-indexof-hole-nan.js: Added.
3089         (shouldBe):
3090         (throw.new.Error):
3091         * stress/array-indexof-infinity.js: Added.
3092         (shouldBe):
3093         (throw.new.Error):
3094         * stress/array-indexof-negative-zero.js: Added.
3095         (shouldBe):
3096         (throw.new.Error):
3097         * stress/array-indexof-own-getter.js: Added.
3098         (shouldBe):
3099         (throw.new.Error.get array):
3100         (get array):
3101         * stress/array-indexof-prototype-trap.js: Added.
3102         (shouldBe):
3103         (DerivedArray.prototype.get 2):
3104         (DerivedArray):
3105
3106 2018-09-19  Saam barati  <sbarati@apple.com>
3107
3108         AI rule for MultiPutByOffset executes its effects in the wrong order
3109         https://bugs.webkit.org/show_bug.cgi?id=189757
3110         <rdar://problem/43535257>
3111
3112         Reviewed by Michael Saboff.
3113
3114         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3115         (foo):
3116         (Foo):
3117         (g):
3118
3119 2018-09-17  Mark Lam  <mark.lam@apple.com>
3120
3121         Ensure that ForInContexts are invalidated if their loop local is over-written.
3122         https://bugs.webkit.org/show_bug.cgi?id=189571
3123         <rdar://problem/44402277>
3124
3125         Reviewed by Saam Barati.
3126
3127         * stress/regress-189571.js: Added.
3128
3129 2018-09-17  Saam barati  <sbarati@apple.com>
3130
3131         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3132         https://bugs.webkit.org/show_bug.cgi?id=189676
3133         <rdar://problem/39682897>
3134
3135         Reviewed by Michael Saboff.
3136
3137         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3138         (A):
3139         (K):
3140         (i.catch):
3141
3142 2018-09-14  Saam barati  <sbarati@apple.com>
3143
3144         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3145         https://bugs.webkit.org/show_bug.cgi?id=189628
3146         <rdar://problem/39481690>
3147
3148         Reviewed by Mark Lam.
3149
3150         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3151         (foo):
3152
3153 2018-09-11  Mark Lam  <mark.lam@apple.com>
3154
3155         Test for array initialization in arrayProtoFuncSplice.
3156         https://bugs.webkit.org/show_bug.cgi?id=170253
3157         <rdar://problem/31328773>
3158
3159         Rubber-stamped by Saam Barati.
3160
3161         * stress/regress-170253.js: Added.
3162
3163 2018-09-11  Mark Lam  <mark.lam@apple.com>
3164
3165         Test for IntlObject initialization.
3166         https://bugs.webkit.org/show_bug.cgi?id=170251
3167         <rdar://problem/31328419>
3168
3169         Rubber-stamped by Saam Barati.
3170
3171         * stress/regress-170251.js: Added.
3172
3173 2018-09-11  Mark Lam  <mark.lam@apple.com>
3174
3175         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3176         https://bugs.webkit.org/show_bug.cgi?id=169889
3177         <rdar://problem/31155607>
3178
3179         Reviewed by Saam Barati.
3180
3181         * stress/regress-169889-array-concat.js: Added.
3182         * stress/regress-169889-array-concat1.js: Added.
3183         * stress/regress-169889-array-slice.js: Added.
3184
3185 2018-09-11  Mark Lam  <mark.lam@apple.com>
3186
3187         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3188         https://bugs.webkit.org/show_bug.cgi?id=169445
3189         <rdar://problem/30957435>
3190
3191         Reviewed by Saam Barati.
3192
3193         * stress/regress-169445.js: Added.
3194         (let.gun.eval.A):
3195         (let.gun.eval.B.C):
3196         (let.gun.eval.B.C.prototype.trigger):
3197         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3198         (let.gun.eval.B):
3199         (let.gun.eval):
3200
3201 == Rolled over to ChangeLog-2018-09-11 ==