[ARM,MIPS] Skip slow tests
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
2
3         [ARM,MIPS] Skip slow tests
4         https://bugs.webkit.org/show_bug.cgi?id=195799
5
6         Unreviewed, test does not finish on ARM and MIPS within the
7         timeout limit.
8
9         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
10
11 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
14         https://bugs.webkit.org/show_bug.cgi?id=195791
15         <rdar://problem/48806130>
16
17         Reviewed by Mark Lam.
18
19         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
20         (foo):
21
22 2019-03-14  Saam barati  <sbarati@apple.com>
23
24         We can't remove code after ForceOSRExit until after FixupPhase
25         https://bugs.webkit.org/show_bug.cgi?id=186916
26         <rdar://problem/41396612>
27
28         Reviewed by Yusuke Suzuki.
29
30         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
31         (foo):
32         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
33         (foo):
34
35 2019-03-13  Michael Saboff  <msaboff@apple.com>
36
37         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
38         https://bugs.webkit.org/show_bug.cgi?id=195735
39
40         Reviewed by Mark Lam.
41
42         New regression test.
43
44         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
45         (foo):
46         (bar):
47
48 2019-03-14  Saam barati  <sbarati@apple.com>
49
50         Fixup uses KnownInt32 incorrectly in some nodes
51         https://bugs.webkit.org/show_bug.cgi?id=195279
52         <rdar://problem/47915654>
53
54         Reviewed by Yusuke Suzuki.
55
56         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
57         (foo):
58
59 2019-03-14  Keith Miller  <keith_miller@apple.com>
60
61         DFG liveness can't skip tail caller inline frames
62         https://bugs.webkit.org/show_bug.cgi?id=195715
63
64         Reviewed by Saam Barati.
65
66         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
67         (i.foo):
68
69 2019-03-13  Mark Lam  <mark.lam@apple.com>
70
71         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
72         https://bugs.webkit.org/show_bug.cgi?id=195415
73
74         Not reviewed.
75
76         Changed these tests to only run the default configuration.
77         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
78         There's no strong need to run this test on that variant.
79
80         * stress/dfg-to-string-on-int-does-gc.js:
81         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
82
83 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
84
85         String overflow when using StringBuilder in JSC::createError
86         https://bugs.webkit.org/show_bug.cgi?id=194957
87
88         Reviewed by Mark Lam.
89
90         Add test string-overflow-createError-builder.js that overflows
91         StringBuilder in notAFunctionSourceAppender. The second new test
92         string-overflow-createError-fit.js has an error message that doesn't
93         overflow, it still failed since the String's capacity can't be doubled.
94         Run test string-overflow-createError.js only in the default
95         configuration to reduce memory consumption when running the test
96         in all configurations on multiple CPUs in parallel.
97
98         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
99         (catch):
100         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
101         (catch):
102         * stress/string-overflow-createError.js:
103
104 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
105
106         [JSC] OSR entry should respect abstract values in addition to flush formats
107         https://bugs.webkit.org/show_bug.cgi?id=195653
108
109         Reviewed by Mark Lam.
110
111         * stress/osr-entry-locals-none.js: Added.
112
113 2019-03-12  Michael Saboff  <msaboff@apple.com>
114
115         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
116         https://bugs.webkit.org/show_bug.cgi?id=195613
117
118         Reviewed by Mark Lam.
119
120         New regression test.
121
122         * stress/regexp-backref-inbounds.js: Added.
123         (testRegExp):
124
125 2019-03-12  Mark Lam  <mark.lam@apple.com>
126
127         The HasIndexedProperty node does GC.
128         https://bugs.webkit.org/show_bug.cgi?id=195559
129         <rdar://problem/48767923>
130
131         Reviewed by Yusuke Suzuki.
132
133         * stress/HasIndexedProperty-does-gc.js: Added.
134
135 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
136
137         [ESNext][BigInt] Implement "~" unary operation
138         https://bugs.webkit.org/show_bug.cgi?id=182216
139
140         Reviewed by Keith Miller.
141
142         * stress/big-int-bit-not-general.js: Added.
143         * stress/big-int-bitwise-not-jit.js: Added.
144         * stress/big-int-bitwise-not-wrapped-value.js: Added.
145         * stress/bit-op-with-object-returning-int32.js:
146         * stress/bitwise-not-fixup-rules.js: Added.
147         * stress/value-bit-not-ai-rule.js: Added.
148
149 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
150
151         Invalid flags in a RegExp literal should be an early SyntaxError
152         https://bugs.webkit.org/show_bug.cgi?id=195514
153
154         Reviewed by Darin Adler.
155
156         * test262/expectations.yaml:
157         Mark 4 test cases as passing.
158
159         * stress/regexp-syntax-error-invalid-flags.js:
160         * stress/regress-161995.js: Removed.
161         Update existing test, merging in an older test for the same behavior.
162
163 2019-03-08  Mark Lam  <mark.lam@apple.com>
164
165         Stack overflow crash in JSC::JSObject::hasInstance.
166         https://bugs.webkit.org/show_bug.cgi?id=195458
167         <rdar://problem/48710195>
168
169         Reviewed by Yusuke Suzuki.
170
171         * stress/stack-overflow-in-custom-hasInstance.js: Added.
172
173 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
174
175         op_check_tdz does not def its argument
176         https://bugs.webkit.org/show_bug.cgi?id=192880
177         <rdar://problem/46221598>
178
179         Reviewed by Saam Barati.
180
181         * microbenchmarks/let-for-in.js: Added.
182         (foo):
183
184 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
185
186         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
187         https://bugs.webkit.org/show_bug.cgi?id=195429
188
189         Reviewed by Saam Barati.
190
191         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
192         (foo):
193         * stress/string-from-char-code-255.js: Added.
194
195 2019-03-06  Mark Lam  <mark.lam@apple.com>
196
197         Fix incorrect handling of try-finally completion values.
198         https://bugs.webkit.org/show_bug.cgi?id=195131
199         <rdar://problem/46222079>
200
201         Reviewed by Saam Barati and Yusuke Suzuki.
202
203         Added many permutations of new test case to test-finally.js.  test-finally.js has
204         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
205         tests pass there as well.
206
207         * stress/test-finally.js:
208
209 2019-03-06  Saam Barati  <sbarati@apple.com>
210
211         Air::reportUsedRegisters must padInterference
212         https://bugs.webkit.org/show_bug.cgi?id=195303
213         <rdar://problem/48270343>
214
215         Reviewed by Keith Miller.
216
217         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
218
219 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
220
221         [JSC] AI should not propagate AbstractValue relying on constant folding phase
222         https://bugs.webkit.org/show_bug.cgi?id=195375
223
224         Reviewed by Saam Barati.
225
226         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
227         (let.array):
228
229 2019-03-05  Saam barati  <sbarati@apple.com>
230
231         op_switch_char broken for rope strings after JSRopeString layout rewrite
232         https://bugs.webkit.org/show_bug.cgi?id=195339
233         <rdar://problem/48592545>
234
235         Reviewed by Yusuke Suzuki.
236
237         * stress/switch-on-char-llint-rope.js: Added.
238
239 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
240
241         [JSC] Store bits for JSRopeString in 3 stores
242         https://bugs.webkit.org/show_bug.cgi?id=195234
243
244         Reviewed by Saam Barati.
245
246         * stress/null-rope-and-collectors.js: Added.
247
248 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
249
250         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
251         https://bugs.webkit.org/show_bug.cgi?id=195207
252
253         Unreviewed. After test runtime was reduced in r242213, test can be
254         run again on ARM/MIPS.
255
256         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
257
258 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
259
260         [JSC] sizeof(JSString) should be 16
261         https://bugs.webkit.org/show_bug.cgi?id=194375
262
263         Reviewed by Saam Barati.
264
265         * microbenchmarks/make-rope.js: Added.
266         (makeRope):
267         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
268         (returnRope.helper): Deleted.
269         (returnRope): Deleted.
270
271 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
272
273         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
274         https://bugs.webkit.org/show_bug.cgi?id=195144
275
276         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
277         Change the number from 1e8 to 1e5.
278
279         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
280         (foo):
281
282 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
283
284         Test times out on ARM/MIPS
285         https://bugs.webkit.org/show_bug.cgi?id=195168
286
287         Unreviewed. Skip test on ARM/MIPS.
288
289         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
290
291 2019-02-27  Mark Lam  <mark.lam@apple.com>
292
293         The parser is failing to record the token location of new in new.target.
294         https://bugs.webkit.org/show_bug.cgi?id=195127
295         <rdar://problem/39645578>
296
297         Reviewed by Yusuke Suzuki.
298
299         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
300
301 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
302
303         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
304         https://bugs.webkit.org/show_bug.cgi?id=195144
305         <rdar://problem/47595961>
306
307         Reviewed by Mark Lam.
308
309         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
310         (bar):
311         (foo):
312         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
313         (bar):
314         (foo):
315
316 2019-02-27  Robin Morisset  <rmorisset@apple.com>
317
318         DFG: Loop-invariant code motion (LICM) should not hoist dead code
319         https://bugs.webkit.org/show_bug.cgi?id=194945
320         <rdar://problem/48311657>
321
322         Reviewed by Mark Lam.
323
324         * stress/licm-dead-code.js: Added.
325
326 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
327
328         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
329         https://bugs.webkit.org/show_bug.cgi?id=194677
330         <rdar://problem/48112492>
331
332         Reviewed by Mark Lam.
333
334         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
335         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
336         it immediately fails due to the large size.
337
338         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
339         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
340         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
341         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
342
343         This patch changes the test to produce 16bit string from String.fromCharCode.
344
345         * stress/regress-178386.js:
346
347 2019-02-26  Mark Lam  <mark.lam@apple.com>
348
349         wasmToJS() should purify incoming NaNs.
350         https://bugs.webkit.org/show_bug.cgi?id=194807
351         <rdar://problem/48189132>
352
353         Reviewed by Saam Barati.
354
355         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
356
357 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
358
359         [JSC] Repeat string created from Array.prototype.join() take too much memory
360         https://bugs.webkit.org/show_bug.cgi?id=193912
361
362         Reviewed by Saam Barati.
363
364         Added a test and a microbenchmark for corner cases of
365         Array.prototype.join() with an uninitialized array.
366
367         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
368         * stress/array-prototype-join-uninitialized.js: Added.
369         (testArray):
370         (testABC):
371         (B):
372         (C):
373
374 2019-02-22  Robin Morisset  <rmorisset@apple.com>
375
376         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
377         https://bugs.webkit.org/show_bug.cgi?id=194953
378         <rdar://problem/47595253>
379
380         Reviewed by Saam Barati.
381
382         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
383
384         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
385
386 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
387
388         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
389         https://bugs.webkit.org/show_bug.cgi?id=172848
390         <rdar://problem/25709212>
391
392         Reviewed by Mark Lam.
393
394         * typeProfiler/inheritance.js:
395         Rewrite the test slightly for clarity. The hoisting was confusing.
396
397         * heapProfiler/class-names.js: Added.
398         (MyES5Class):
399         (MyES6Class):
400         (MyES6Subclass):
401         Test object types and improved class names.
402
403         * heapProfiler/driver/driver.js:
404         (CheapHeapSnapshotNode):
405         (CheapHeapSnapshot):
406         (createCheapHeapSnapshot):
407         (HeapSnapshot):
408         (createHeapSnapshot):
409         Update snapshot parsing from version 1 to version 2.
410
411 2019-02-19  Truitt Savell  <tsavell@apple.com>
412
413         Unreviewed, rolling out r241784.
414
415         Broke all OpenSource builds.
416
417         Reverted changeset:
418
419         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
420         instances view"
421         https://bugs.webkit.org/show_bug.cgi?id=172848
422         https://trac.webkit.org/changeset/241784
423
424 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
425
426         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
427         https://bugs.webkit.org/show_bug.cgi?id=172848
428         <rdar://problem/25709212>
429
430         Reviewed by Mark Lam.
431
432         * typeProfiler/inheritance.js:
433         Rewrite the test slightly for clarity. The hoisting was confusing.
434
435         * heapProfiler/class-names.js: Added.
436         (MyES5Class):
437         (MyES6Class):
438         (MyES6Subclass):
439         Test object types and improved class names.
440
441         * heapProfiler/driver/driver.js:
442         (CheapHeapSnapshotNode):
443         (CheapHeapSnapshot):
444         (createCheapHeapSnapshot):
445         (HeapSnapshot):
446         (createHeapSnapshot):
447         Update snapshot parsing from version 1 to version 2.
448
449 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
450
451         [ARM] Fix crash with sampling profiler
452         https://bugs.webkit.org/show_bug.cgi?id=194772
453
454         Reviewed by Mark Lam.
455
456         Do not skip test since crash with sampling profiler is now fixed.
457
458         * stress/sampling-profiler-richards.js:
459
460 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
461
462         [JSC] Add LazyClassStructure::getInitializedOnMainThread
463         https://bugs.webkit.org/show_bug.cgi?id=194784
464         <rdar://problem/48154820>
465
466         Reviewed by Mark Lam.
467
468         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
469         (getProperties):
470         (getRandomProperty):
471         (i.catch):
472
473 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
474
475         [ARM] Test gardening: Test running out of executable memory
476         https://bugs.webkit.org/show_bug.cgi?id=194771
477
478         Unreviewed. Do not run test without LLInt, test is running out of executable
479         memory on ARM otherwise.
480
481         * stress/tagged-template-object-collect.js:
482
483 2019-02-18  Tomas Popela  <tpopela@redhat.com>
484
485         Unreviewed, skip the test on platforms without sampling profiler
486
487         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
488         (platformSupportsSamplingProfiler.foo):
489         (platformSupportsSamplingProfiler.test):
490         (platformSupportsSamplingProfiler):
491         (foo): Deleted.
492         (test): Deleted.
493
494 2019-02-17  Saam Barati  <sbarati@apple.com>
495
496         Deadlock when adding a Structure property transition and then doing incremental marking
497         https://bugs.webkit.org/show_bug.cgi?id=194767
498
499         Reviewed by Mark Lam.
500
501         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
502
503 2019-02-15  Michael Saboff  <msaboff@apple.com>
504
505         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
506         https://bugs.webkit.org/show_bug.cgi?id=194558
507
508         Reviewed by Saam Barati.
509
510         New regression test.
511
512         * stress/regexp-unicode-within-string.js: Added.
513
514 2019-02-15  Mark Lam  <mark.lam@apple.com>
515
516         SamplingProfiler::stackTracesAsJSON() should escape strings.
517         https://bugs.webkit.org/show_bug.cgi?id=194649
518         <rdar://problem/48072386>
519
520         Reviewed by Saam Barati.
521
522         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
523         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
524         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
525         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
526
527 2019-02-15  Robin Morisset  <rmorisset@apple.com>
528         CodeBlock::jettison should clear related watchpoints
529         https://bugs.webkit.org/show_bug.cgi?id=194544
530
531         Reviewed by Mark Lam.
532
533         * stress/regexp-replace-double-watchpoint.js: Added.
534         (foo):
535
536 2019-02-15  Saam barati  <sbarati@apple.com>
537
538         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
539         https://bugs.webkit.org/show_bug.cgi?id=194036
540
541         Reviewed by Yusuke Suzuki.
542
543         * stress/tail-call-many-arguments.js: Added.
544         (foo):
545         (bar):
546
547 2019-02-14  Saam Barati  <sbarati@apple.com>
548
549         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
550         https://bugs.webkit.org/show_bug.cgi?id=194583
551         <rdar://problem/48028140>
552
553         Reviewed by Yusuke Suzuki.
554
555         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
556
557 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
558
559         [JSC] String.fromCharCode's slow path always generates 16bit string
560         https://bugs.webkit.org/show_bug.cgi?id=194466
561
562         Reviewed by Keith Miller.
563
564         * stress/string-from-char-code-slow-path.js: Added.
565         (shouldBe):
566         (testWithLength):
567
568 2019-02-08  Saam barati  <sbarati@apple.com>
569
570         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
571         https://bugs.webkit.org/show_bug.cgi?id=194334
572         <rdar://problem/47844327>
573
574         Reviewed by Mark Lam.
575
576         * stress/check-in-bounds-should-be-a-child-use.js: Added.
577         (func):
578
579 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
580
581         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
582         https://bugs.webkit.org/show_bug.cgi?id=194369
583         <rdar://problem/47813087>
584
585         Reviewed by Saam Barati.
586
587         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
588         (A):
589
590 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
591
592         [JSC] PrivateName to PublicName hash table is wasteful
593         https://bugs.webkit.org/show_bug.cgi?id=194277
594
595         Reviewed by Michael Saboff.
596
597         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
598
599         * ChakraCore.yaml:
600
601 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
602
603         [ARM] Test running out of executable memory
604         https://bugs.webkit.org/show_bug.cgi?id=194285
605
606         Unreviewed. Do not execute test with LLInt disabled, test runs out of
607         executable memory otherwise.
608
609         * stress/class-subclassing-function.js:
610
611 2019-02-04  Robin Morisset  <rmorisset@apple.com>
612
613         when lowering AssertNotEmpty, create the value before creating the patchpoint
614         https://bugs.webkit.org/show_bug.cgi?id=194231
615
616         Reviewed by Saam Barati.
617
618         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
619         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
620         So even tiny changes to this test can change the path code taken.
621
622         * stress/assert-not-empty.js: Added.
623         (foo):
624
625 2019-02-01  Mark Lam  <mark.lam@apple.com>
626
627         Remove invalid assertion in DFG's compileDoubleRep().
628         https://bugs.webkit.org/show_bug.cgi?id=194130
629         <rdar://problem/47699474>
630
631         Reviewed by Saam Barati.
632
633         * stress/constant-fold-double-rep-into-double-constant.js: Added.
634
635 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
636
637         Import latest Test262 updates.
638
639         Rubber-stamped by Keith Miller.
640
641         * test262.yaml: Deleted.
642         * test262/config.yaml:
643         * test262/expectations.yaml:
644         * test262/latest-changes-summary.txt:
645         * test262/test/:
646         * test262/test262-Revision.txt:
647
648 2019-01-30  Robin Morisset  <rmorisset@apple.com>
649
650         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
651         https://bugs.webkit.org/show_bug.cgi?id=194050
652         <rdar://problem/47595592>
653
654         Reviewed by Yusuke Suzuki.
655
656         * stress/object-keys-osr-exit.js: Added.
657         (foo):
658         (catch):
659
660 2019-01-29  Mark Lam  <mark.lam@apple.com>
661
662         ValueRecovery::recover() should purify NaN values it recovers.
663         https://bugs.webkit.org/show_bug.cgi?id=193978
664         <rdar://problem/47625488>
665
666         Reviewed by Saam Barati.
667
668         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
669
670 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
671
672         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
673         https://bugs.webkit.org/show_bug.cgi?id=193713
674
675         * stress/try-get-by-id-should-spill-registers-dfg.js:
676         (let.f.createBuiltin):
677
678 2019-01-28  Mark Lam  <mark.lam@apple.com>
679
680         ToString node actually does GC.
681         https://bugs.webkit.org/show_bug.cgi?id=193920
682         <rdar://problem/46695900>
683
684         Reviewed by Yusuke Suzuki.
685
686         * stress/dfg-to-string-on-int-does-gc.js: Added.
687         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
688         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
689
690 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
691
692         [JSC] NativeErrorConstructor should not have own IsoSubspace
693         https://bugs.webkit.org/show_bug.cgi?id=193713
694
695         Reviewed by Saam Barati.
696
697         Remove @Error use.
698
699         * stress/try-get-by-id-should-spill-registers-dfg.js:
700         (let.f.createBuiltin):
701
702 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
703
704         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
705         https://bugs.webkit.org/show_bug.cgi?id=190693
706
707         Reviewed by Michael Saboff.
708
709         * stress/regress-190693.js: Added.
710         (truth):
711         (assert):
712         (shouldThrowInvalidConstAssignment):
713         (taz):
714
715 2019-01-24  Saam Barati  <sbarati@apple.com>
716
717         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
718         https://bugs.webkit.org/show_bug.cgi?id=193751
719         <rdar://problem/47280215>
720
721         Reviewed by Michael Saboff.
722
723         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
724         (let.thing):
725         (foo.let.hello):
726         (foo):
727
728 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
729
730         [JSC] Reenable baseline JIT on mips
731         https://bugs.webkit.org/show_bug.cgi?id=192983
732
733         Reviewed by Mark Lam.
734
735         Added a new test for a case that was triggering a RELEASE_ASSERT when
736         testing.
737         Disable some slow tests that were already disabled for arm and x86.
738
739         * stress/json-parse-big-object.js: Added.
740         * stress/new-largeish-contiguous-array-with-size.js:
741         * stress/op_add.js:
742         * stress/op_bitand.js:
743         * stress/op_bitor.js:
744         * stress/op_bitxor.js:
745         * stress/op_lshift-ConstVar.js:
746         * stress/op_lshift-VarConst.js:
747         * stress/op_lshift-VarVar.js:
748         * stress/op_mod-ConstVar.js:
749         * stress/op_mod-VarConst.js:
750         * stress/op_mod-VarVar.js:
751         * stress/op_mul-ConstVar.js:
752         * stress/op_mul-VarConst.js:
753         * stress/op_mul-VarVar.js:
754         * stress/op_rshift-ConstVar.js:
755         * stress/op_rshift-VarConst.js:
756         * stress/op_rshift-VarVar.js:
757         * stress/op_sub-ConstVar.js:
758         * stress/op_sub-VarConst.js:
759         * stress/op_sub-VarVar.js:
760         * stress/op_urshift-ConstVar.js:
761         * stress/op_urshift-VarConst.js:
762         * stress/op_urshift-VarVar.js:
763         * stress/sampling-profiler-richards.js:
764         * stress/spread-forward-call-varargs-stack-overflow.js:
765
766 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
767
768         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
769         https://bugs.webkit.org/show_bug.cgi?id=193711
770         <rdar://problem/47250262>
771
772         Reviewed by Saam Barati.
773
774         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
775         (shouldBe):
776         (foo):
777         (bar):
778         (baz):
779
780 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
781
782         Unreviewed, fix initial global lexical binding epoch
783         https://bugs.webkit.org/show_bug.cgi?id=193603
784         <rdar://problem/47380869>
785
786         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
787         (f1.f2.f3.f4):
788         (f1.f2.f3):
789         (f1.f2):
790         (f1):
791
792 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
793
794         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
795         https://bugs.webkit.org/show_bug.cgi?id=193709
796         <rdar://problem/47363838>
797
798         Unreviewed, rollout to watch the tests.
799
800         * stress/object-tostring-changed-proto.js: Removed.
801         * stress/object-tostring-changed.js: Removed.
802         * stress/object-tostring-misc.js: Removed.
803         * stress/object-tostring-other.js: Removed.
804         * stress/object-tostring-untyped.js: Removed.
805
806 2019-01-22  Saam Barati  <sbarati@apple.com>
807
808         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
809
810         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
811         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
812         (testUncheckedLessThanZero):
813         (testUncheckedLessThanOrEqualZero):
814         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
815         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
816
817 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         [JSC] Invalidate old scope operations using global lexical binding epoch
820         https://bugs.webkit.org/show_bug.cgi?id=193603
821         <rdar://problem/47380869>
822
823         Reviewed by Saam Barati.
824
825         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
826         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
827         (shouldThrow):
828         (bar):
829         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
830         (shouldBe):
831         (get1):
832         (get2):
833         (get1If):
834         (get2If):
835         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
836         (shouldThrow):
837         (foo):
838
839 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
840
841         Unreviewed, roll out r240220 due to date-format-xparb regression
842         https://bugs.webkit.org/show_bug.cgi?id=193603
843
844         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
845         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
846         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
847         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
848
849 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
850
851         DoesGC rule is wrong for nodes with BigIntUse
852         https://bugs.webkit.org/show_bug.cgi?id=193652
853
854         Reviewed by Saam Barati.
855
856         * stress/big-int-value-op-update-gc-rules.js: Added.
857         (assert):
858         (doesGCAdd):
859         (doesGCSub):
860         (doesGCDiv):
861         (doesGCMul):
862         (doesGCBitAnd):
863         (doesGCBitOr):
864         (doesGCBitXor):
865
866 2019-01-20  Saam Barati  <sbarati@apple.com>
867
868         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
869         https://bugs.webkit.org/show_bug.cgi?id=193644
870         <rdar://problem/46209745>
871
872         Reviewed by Yusuke Suzuki.
873
874         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
875         (foo):
876         * stress/data-view-set-intrinsic-undefined-result.js: Added.
877         (foo):
878         (bar):
879
880 2019-01-20  Saam Barati  <sbarati@apple.com>
881
882         MovHint must merge NodeBytecodeUsesAsValue for its child
883         https://bugs.webkit.org/show_bug.cgi?id=186916
884         <rdar://problem/41396612>
885
886         Reviewed by Yusuke Suzuki.
887
888         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
889         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
890
891 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
892
893         [JSC] Invalidate old scope operations using global lexical binding epoch
894         https://bugs.webkit.org/show_bug.cgi?id=193603
895         <rdar://problem/47380869>
896
897         Reviewed by Saam Barati.
898
899         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
900         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
901         (shouldThrow):
902         (bar):
903         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
904         (shouldBe):
905         (get1):
906         (get2):
907         (get1If):
908         (get2If):
909         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
910         (shouldThrow):
911         (foo):
912
913 2019-01-17  Saam barati  <sbarati@apple.com>
914
915         StringObjectUse should not be a structure check for the original string object structure
916         https://bugs.webkit.org/show_bug.cgi?id=193483
917         <rdar://problem/47280522>
918
919         Reviewed by Yusuke Suzuki.
920
921         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
922         (foo):
923         (a.valueOf.0):
924
925 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
926
927         [JSC] ToThis omission in DFGByteCodeParser is wrong
928         https://bugs.webkit.org/show_bug.cgi?id=193513
929         <rdar://problem/45842236>
930
931         Reviewed by Saam Barati.
932
933         * stress/to-this-omission-with-different-strict-modes.js: Added.
934         (thisA):
935         (thisAStrictWrapper):
936
937 2019-01-15  Mark Lam  <mark.lam@apple.com>
938
939         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
940         https://bugs.webkit.org/show_bug.cgi?id=193423
941         <rdar://problem/46209355>
942
943         Reviewed by Saam Barati.
944
945         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
946         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
947         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
948         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
949
950 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
951
952         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
953         https://bugs.webkit.org/show_bug.cgi?id=193438
954         <rdar://problem/45581249>
955
956         Reviewed by Saam Barati and Keith Miller.
957
958         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
959         Then, GetByVal(String) crashed.
960
961         * stress/string-get-by-val-lowering.js: Added.
962         (shouldBe):
963         (test):
964         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
965         (Hello):
966         (foo):
967
968 2019-01-15  Tomas Popela  <tpopela@redhat.com>
969
970         Unreviewed, skip JIT tests if it's not enabled
971
972         * stress/bit-op-with-object-returning-int32.js:
973
974 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
975
976         DFGByteCodeParser rules for bitwise operations should consider type of their operands
977         https://bugs.webkit.org/show_bug.cgi?id=192966
978
979         Reviewed by Yusuke Suzuki.
980
981         * stress/bit-op-with-object-returning-int32.js: Added.
982
983 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
984
985         Skip a slow test and a flakey test on arm
986
987         Unreviewed gardening.
988
989         * typeProfiler/getter-richards.js:
990         this test always times out, it used to be always skipped on arm and
991         mips, but got accidentally enabled by r237919 now that we have DFG on
992         arm. Also skipping on mips as we plan to soon enable DFG for it too.
993
994 2019-01-14  Keith Miller  <keith_miller@apple.com>
995
996         Skip type-check-hoisting-phase-hoist... with no jit
997         https://bugs.webkit.org/show_bug.cgi?id=193421
998
999         Reviewed by Mark Lam.
1000
1001         It's timing out the 32-bit bots and takes 330 seconds
1002         on my machine when run by itself.
1003
1004         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1005
1006 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1007
1008         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1009         https://bugs.webkit.org/show_bug.cgi?id=193413
1010         <rdar://problem/46092389>
1011
1012         Reviewed by Keith Miller.
1013
1014         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1015         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1016         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1017         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1018
1019         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1020         (compareArray):
1021
1022 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1023
1024         [BigInt] Literal parsing is crashing when used inside a Object Literal
1025         https://bugs.webkit.org/show_bug.cgi?id=193404
1026
1027         Reviewed by Yusuke Suzuki.
1028
1029         * stress/big-int-literal-inside-literal-object.js: Added.
1030
1031 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1032
1033         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1034         https://bugs.webkit.org/show_bug.cgi?id=193372
1035
1036         Reviewed by Saam Barati.
1037
1038         * stress/typed-array-array-modes-profile.js: Added.
1039         (foo):
1040
1041 2019-01-14  Mark Lam  <mark.lam@apple.com>
1042
1043         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1044         https://bugs.webkit.org/show_bug.cgi?id=193402
1045         <rdar://problem/46012309>
1046
1047         Reviewed by Keith Miller.
1048
1049         * stress/regexp-compile-oom.js:
1050         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1051           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1052
1053 2019-01-11  Saam barati  <sbarati@apple.com>
1054
1055         DFG combined liveness can be wrong for terminal basic blocks
1056         https://bugs.webkit.org/show_bug.cgi?id=193304
1057         <rdar://problem/45268632>
1058
1059         Reviewed by Yusuke Suzuki.
1060
1061         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1062
1063 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1064
1065         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1066         https://bugs.webkit.org/show_bug.cgi?id=193308
1067         <rdar://problem/45546542>
1068
1069         Reviewed by Saam Barati.
1070
1071         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1072         (shouldThrow):
1073         (shouldBe):
1074         (foo):
1075         (get shouldThrow):
1076         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1077         (shouldThrow):
1078         (shouldBe):
1079         (foo):
1080         (get shouldBe):
1081         (get shouldThrow):
1082         (get return):
1083         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1084         (shouldThrow):
1085         (shouldBe):
1086         (foo):
1087         (get shouldBe):
1088         (get shouldThrow):
1089         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1090         (shouldThrow):
1091         (shouldBe):
1092         (foo):
1093         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1094         (shouldThrow):
1095         (shouldBe):
1096         (foo):
1097         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1098         (shouldThrow):
1099         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1100         (shouldThrow):
1101         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1102         (shouldThrow):
1103         (shouldBe):
1104         (foo):
1105         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1106         (shouldThrow):
1107         (shouldBe):
1108         (foo):
1109         (get shouldBe):
1110         (get shouldThrow):
1111         (get return):
1112         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1113         (shouldThrow):
1114         (shouldBe):
1115         (foo):
1116         (get shouldBe):
1117         (get shouldThrow):
1118         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1119         (shouldThrow):
1120         (shouldBe):
1121         (foo):
1122         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1123         (shouldThrow):
1124         (shouldBe):
1125         (foo):
1126
1127 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1128
1129         Enable DFG on ARM/Linux again
1130         https://bugs.webkit.org/show_bug.cgi?id=192496
1131
1132         Reviewed by Yusuke Suzuki.
1133
1134         Test wasn't really skipped before moving the line with skip
1135         to the top.
1136
1137         * stress/regress-192717.js:
1138
1139 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1140
1141         Unreviewed, rolling out r239825.
1142         https://bugs.webkit.org/show_bug.cgi?id=193330
1143
1144         Broke tests on armv7/linux bots (Requested by guijemont on
1145         #webkit).
1146
1147         Reverted changeset:
1148
1149         "Enable DFG on ARM/Linux again"
1150         https://bugs.webkit.org/show_bug.cgi?id=192496
1151         https://trac.webkit.org/changeset/239825
1152
1153 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1154
1155         Enable DFG on ARM/Linux again
1156         https://bugs.webkit.org/show_bug.cgi?id=192496
1157
1158         Reviewed by Yusuke Suzuki.
1159
1160         Test wasn't really skipped before moving the line with skip
1161         to the top.
1162
1163         * stress/regress-192717.js:
1164
1165 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1166
1167         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1168         https://bugs.webkit.org/show_bug.cgi?id=193127
1169
1170         Reviewed by Saam Barati.
1171
1172         * stress/array-species-create-should-handle-masquerader.js: Added.
1173         (shouldThrow):
1174         * stress/is-undefined-or-null-builtin.js: Added.
1175         (shouldBe):
1176         (isUndefinedOrNull.vm.createBuiltin):
1177
1178 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1179
1180         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1181         https://bugs.webkit.org/show_bug.cgi?id=193221
1182
1183         Reviewed by Mark Lam.
1184
1185         * stress/put-by-id-flags.js: Added.
1186         (f):
1187         (g):
1188         (numberOfDFGCompiles):
1189
1190 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1191
1192         Baseline version of get_by_id may corrupt metadata
1193         https://bugs.webkit.org/show_bug.cgi?id=193085
1194         <rdar://problem/23453006>
1195
1196         Reviewed by Saam Barati.
1197
1198         * stress/get-by-id-change-mode.js: Added.
1199         (forEach):
1200
1201 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1202
1203         [JSC] Optimize Object.prototype.toString
1204         https://bugs.webkit.org/show_bug.cgi?id=193031
1205
1206         Reviewed by Saam Barati.
1207
1208         * stress/object-tostring-changed-proto.js: Added.
1209         (shouldBe):
1210         (test):
1211         * stress/object-tostring-changed.js: Added.
1212         (shouldBe):
1213         (test):
1214         * stress/object-tostring-misc.js: Added.
1215         (shouldBe):
1216         (test):
1217         (i.switch):
1218         * stress/object-tostring-other.js: Added.
1219         (shouldBe):
1220         (test):
1221         * stress/object-tostring-untyped.js: Added.
1222         (shouldBe):
1223         (test):
1224         (i.switch):
1225
1226 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1227
1228         test262-runner misbehaves when test file YAML has a trailing space
1229         https://bugs.webkit.org/show_bug.cgi?id=193053
1230
1231         Reviewed by Yusuke Suzuki.
1232
1233         * test262/expectations.yaml:
1234         Mark two dozen tests as passing (and correct the output of another).
1235
1236 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1237
1238         Unreviewed, JSTests gardening with memoryLimited
1239
1240         * stress/string-overflow-createError.js:
1241
1242 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1243
1244         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1245         https://bugs.webkit.org/show_bug.cgi?id=193050
1246
1247         Reviewed by Yusuke Suzuki.
1248
1249         * test262.yaml:
1250         * test262/expectations.yaml:
1251         Mark 16 tests as passing.
1252
1253 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1254
1255         [BigInt] Support BigInt in JSON.stringify
1256         https://bugs.webkit.org/show_bug.cgi?id=192624
1257
1258         Reviewed by Saam Barati.
1259
1260         * stress/big-int-json-stringify-to-json.js: Added.
1261         (shouldBe):
1262         (shouldThrow):
1263         (BigInt.prototype.toJSON):
1264         (shouldBe.JSON.stringify):
1265         * stress/big-int-json-stringify.js: Added.
1266         (shouldBe):
1267         (shouldThrow):
1268
1269 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1270
1271         [JSC] Implement "well-formed JSON.stringify" proposal
1272         https://bugs.webkit.org/show_bug.cgi?id=191677
1273
1274         Reviewed by Darin Adler.
1275
1276         * stress/json-surrogate-pair.js: Added.
1277         (shouldBe):
1278         * test262/expectations.yaml:
1279
1280 2018-12-20  Keith Miller  <keith_miller@apple.com>
1281
1282         Add support for globalThis
1283         https://bugs.webkit.org/show_bug.cgi?id=165171
1284
1285         Reviewed by Mark Lam.
1286
1287         * test262/config.yaml:
1288
1289 2018-12-19  Keith Miller  <keith_miller@apple.com>
1290
1291         Update test262 configuration to not run tests dependent on ICU version.
1292         https://bugs.webkit.org/show_bug.cgi?id=192920
1293
1294         Reviewed by Saam Barati.
1295
1296         * test262/expectations.yaml:
1297
1298 2018-12-20  Mark Lam  <mark.lam@apple.com>
1299
1300         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1301         https://bugs.webkit.org/show_bug.cgi?id=192939
1302         <rdar://problem/46869516>
1303
1304         Reviewed by Keith Miller.
1305
1306         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1307
1308 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1309
1310         WTF::String and StringImpl overflow MaxLength
1311         https://bugs.webkit.org/show_bug.cgi?id=192853
1312         <rdar://problem/45726906>
1313
1314         Reviewed by Mark Lam.
1315
1316         * stress/string-16bit-repeat-overflow.js: Added.
1317         (catch):
1318
1319 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1320
1321         Unreviewed follow-up to r192914.
1322
1323         * test262/expectations.yaml:
1324         Add the last 20 missing expectations.
1325
1326 2018-12-19  Keith Miller  <keith_miller@apple.com>
1327
1328         Fix test262 expectations
1329         https://bugs.webkit.org/show_bug.cgi?id=192914
1330
1331         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1332
1333         * test262/expectations.yaml:
1334
1335 2018-12-19  Keith Miller  <keith_miller@apple.com>
1336
1337         Update test262 tests.
1338         https://bugs.webkit.org/show_bug.cgi?id=192907
1339
1340         Rubber stamped by Mark Lam.
1341
1342         * test262/*: Omitted because prepare-changelog crashes.
1343
1344 2018-12-19  Mark Lam  <mark.lam@apple.com>
1345
1346         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1347         https://bugs.webkit.org/show_bug.cgi?id=192464
1348         <rdar://problem/46519455>
1349
1350         Reviewed by Saam Barati.
1351
1352         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1353         microbenchmark.
1354
1355         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1356         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1357
1358 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1359
1360         String overflow in JSC::createError results in ASSERT in WTF::makeString
1361         https://bugs.webkit.org/show_bug.cgi?id=192833
1362         <rdar://problem/45706868>
1363
1364         Reviewed by Mark Lam.
1365
1366         * stress/string-overflow-createError.js: Added.
1367
1368 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1369
1370         Error message for `-x ** y` contains a typo.
1371         https://bugs.webkit.org/show_bug.cgi?id=192832
1372
1373         Reviewed by Saam Barati.
1374
1375         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1376         (assert.assert.return.throws):
1377         * stress/pow-expects-update-expression-on-lhs.js:
1378         (throw.new.Error):
1379         Update test expectations which match against the exact error message.
1380
1381 2018-12-18  Mark Lam  <mark.lam@apple.com>
1382
1383         Gardening: test options fix.
1384         https://bugs.webkit.org/show_bug.cgi?id=192822
1385
1386         Unreviewed.
1387
1388         * stress/json-stringify-string-builder-overflow.js:
1389
1390 2018-12-18  Mark Lam  <mark.lam@apple.com>
1391
1392         JSON.stringify() should throw OOM on StringBuilder overflows.
1393         https://bugs.webkit.org/show_bug.cgi?id=192822
1394         <rdar://problem/46670577>
1395
1396         Reviewed by Saam Barati.
1397
1398         * stress/json-stringify-string-builder-overflow.js: Added.
1399
1400 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1401
1402         Redeclaration of var over let/const/class should be a syntax error.
1403         https://bugs.webkit.org/show_bug.cgi?id=192298
1404
1405         Reviewed by Keith Miller.
1406
1407         * test262.yaml:
1408         * test262/expectations.yaml:
1409         Mark 46 tests as passing.
1410
1411         * stress/block-scope-redeclarations.js:
1412         Add some new tests.
1413
1414         * stress/for-in-invalidate-context-weird-assignments.js:
1415         * stress/for-in-tests.js:
1416         Replace tests for outdated behavior with tests for SyntaxError.
1417
1418         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1419         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1420         Update expectations.
1421
1422 2018-12-18  Mark Lam  <mark.lam@apple.com>
1423
1424         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1425         https://bugs.webkit.org/show_bug.cgi?id=191374
1426         <rdar://problem/46525447>
1427
1428         Reviewed by Yusuke Suzuki.
1429
1430         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1431
1432         * stress/elidable-new-object-roflcopter-then-exit.js:
1433
1434 2018-12-17  Mark Lam  <mark.lam@apple.com>
1435
1436         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1437         https://bugs.webkit.org/show_bug.cgi?id=192019
1438         <rdar://problem/46525456>
1439
1440         Reviewed by Yusuke Suzuki.
1441
1442         The test runs too slow on 32-bit.
1443
1444         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1445
1446 2018-12-17  Mark Lam  <mark.lam@apple.com>
1447
1448         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1449         https://bugs.webkit.org/show_bug.cgi?id=191373
1450         <rdar://problem/46525458>
1451
1452         Reviewed by Yusuke Suzuki.
1453
1454         The test is already slow running with a JIT on 64-bit.  It will always time out
1455         on 32-bit without a JIT.
1456
1457         * stress/materialize-regexp-cyclic-regexp.js:
1458
1459 2018-12-17  Mark Lam  <mark.lam@apple.com>
1460
1461         Array unshift/shift should not race against the AI in the compiler thread.
1462         https://bugs.webkit.org/show_bug.cgi?id=192795
1463         <rdar://problem/46724263>
1464
1465         Reviewed by Saam Barati.
1466
1467         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1468
1469 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1470
1471         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1472         https://bugs.webkit.org/show_bug.cgi?id=190047
1473
1474         Reviewed by Saam Barati.
1475
1476         * stress/object-keys-cached-zero.js: Added.
1477         (shouldBe):
1478         (test):
1479         * stress/object-keys-changed-attribute.js: Added.
1480         (shouldBe):
1481         (test):
1482         * stress/object-keys-changed-index.js: Added.
1483         (shouldBe):
1484         (test):
1485         * stress/object-keys-changed.js: Added.
1486         (shouldBe):
1487         (test):
1488         * stress/object-keys-indexed-non-cache.js: Added.
1489         (shouldBe):
1490         (test):
1491         * stress/object-keys-overrides-get-property-names.js: Added.
1492         (shouldBe):
1493         (test):
1494         (noInline):
1495
1496 2018-12-17  Mark Lam  <mark.lam@apple.com>
1497
1498         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1499         https://bugs.webkit.org/show_bug.cgi?id=192779
1500         <rdar://problem/46775869>
1501
1502         Reviewed by Saam Barati.
1503
1504         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1505
1506 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1507
1508         Unreviewed test gardening, address a syntax error in a new test.
1509
1510         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1511
1512 2018-12-17  Mark Lam  <mark.lam@apple.com>
1513
1514         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1515         https://bugs.webkit.org/show_bug.cgi?id=192776
1516         <rdar://problem/46772368>
1517
1518         Reviewed by Keith Miller.
1519
1520         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1521
1522 2018-12-17  Mark Lam  <mark.lam@apple.com>
1523
1524         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1525         https://bugs.webkit.org/show_bug.cgi?id=192770
1526         <rdar://problem/46449037>
1527
1528         Reviewed by Keith Miller.
1529
1530         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1531
1532 2018-12-14  Mark Lam  <mark.lam@apple.com>
1533
1534         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1535         https://bugs.webkit.org/show_bug.cgi?id=192717
1536         <rdar://problem/46660677>
1537
1538         Reviewed by Saam Barati.
1539
1540         * stress/regress-192717.js: Added.
1541
1542 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1543
1544         Unreviewed, rolling out r239153, r239154, and r239155.
1545         https://bugs.webkit.org/show_bug.cgi?id=192715
1546
1547         Caused flaky GC-related crashes seen with layout tests
1548         (Requested by ryanhaddad on #webkit).
1549
1550         Reverted changesets:
1551
1552         "[JSC] Optimize Object.keys by caching own keys results in
1553         StructureRareData"
1554         https://bugs.webkit.org/show_bug.cgi?id=190047
1555         https://trac.webkit.org/changeset/239153
1556
1557         "Unreviewed, build fix after r239153"
1558         https://bugs.webkit.org/show_bug.cgi?id=190047
1559         https://trac.webkit.org/changeset/239154
1560
1561         "Unreviewed, build fix after r239153, part 2"
1562         https://bugs.webkit.org/show_bug.cgi?id=190047
1563         https://trac.webkit.org/changeset/239155
1564
1565 2018-12-14  Keith Miller  <keith_miller@apple.com>
1566
1567         Callers of JSString::getIndex should check for OOM exceptions
1568         https://bugs.webkit.org/show_bug.cgi?id=192709
1569
1570         Reviewed by Mark Lam.
1571
1572         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1573
1574 2018-12-13  Mark Lam  <mark.lam@apple.com>
1575
1576         Add a missing exception check.
1577         https://bugs.webkit.org/show_bug.cgi?id=192626
1578         <rdar://problem/46662163>
1579
1580         Reviewed by Keith Miller.
1581
1582         * stress/regress-192626.js: Added.
1583
1584 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1585
1586         [BigInt] Add ValueDiv into DFG
1587         https://bugs.webkit.org/show_bug.cgi?id=186178
1588
1589         Reviewed by Yusuke Suzuki.
1590
1591         * stress/big-int-div-jit-osr.js: Added.
1592         * stress/big-int-div-jit-untyped.js: Added.
1593         * stress/value-div-fixup-int32-big-int.js: Added.
1594
1595 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1596
1597         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1598         https://bugs.webkit.org/show_bug.cgi?id=190047
1599
1600         Reviewed by Keith Miller.
1601
1602         * stress/object-keys-cached-zero.js: Added.
1603         (shouldBe):
1604         (test):
1605         * stress/object-keys-changed-attribute.js: Added.
1606         (shouldBe):
1607         (test):
1608         * stress/object-keys-changed-index.js: Added.
1609         (shouldBe):
1610         (test):
1611         * stress/object-keys-changed.js: Added.
1612         (shouldBe):
1613         (test):
1614         * stress/object-keys-indexed-non-cache.js: Added.
1615         (shouldBe):
1616         (test):
1617         * stress/object-keys-overrides-get-property-names.js: Added.
1618         (shouldBe):
1619         (test):
1620         (noInline):
1621
1622 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1623
1624         [DFG][FTL] Add NewSymbol
1625         https://bugs.webkit.org/show_bug.cgi?id=192620
1626
1627         Reviewed by Saam Barati.
1628
1629         * microbenchmarks/symbol-creation.js: Added.
1630         (test):
1631         * stress/symbol-description-identity.js: Added.
1632         (shouldBe):
1633         (test):
1634         * stress/symbol-identity.js: Added.
1635         (shouldBe):
1636         (test):
1637         * stress/symbol-with-description-throw-error.js: Added.
1638         (shouldBe):
1639         (shouldThrow):
1640         (test):
1641         (object.toString):
1642
1643 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [BigInt] Implement DFG/FTL typeof for BigInt
1646         https://bugs.webkit.org/show_bug.cgi?id=192619
1647
1648         Reviewed by Keith Miller.
1649
1650         * stress/big-int-boolean-proven-type.js: Added.
1651         (assert):
1652         (bool):
1653         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1654         (assert):
1655         (typeOf):
1656         (i.switch):
1657         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1658         (assert):
1659         (typeOf):
1660         * stress/big-int-type-of.js:
1661         (typeOf):
1662         (func):
1663
1664 2018-12-10  Mark Lam  <mark.lam@apple.com>
1665
1666         PropertyAttribute needs a CustomValue bit.
1667         https://bugs.webkit.org/show_bug.cgi?id=191993
1668         <rdar://problem/46264467>
1669
1670         Reviewed by Saam Barati.
1671
1672         * stress/regress-191993.js: Added.
1673
1674 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1675
1676         [BigInt] Add ValueMul into DFG
1677         https://bugs.webkit.org/show_bug.cgi?id=186175
1678
1679         Reviewed by Yusuke Suzuki.
1680
1681         * stress/big-int-mul-jit-osr.js: Added.
1682         * stress/big-int-mul-jit-untyped.js: Added.
1683         * stress/value-mul-fixup-int32-big-int.js: Added.
1684
1685 2018-12-06  Keith Miller  <keith_miller@apple.com>
1686
1687         stress/big-wasm-memory tests failing on 32-bit JSC bot
1688         https://bugs.webkit.org/show_bug.cgi?id=192020
1689
1690         Reviewed by Saam Barati.
1691
1692         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1693         the wasm stress tests if the WebAssembly object does not exist.
1694
1695         * stress/big-wasm-memory-grow-no-max.js:
1696         (test.foo):
1697         (test):
1698         (foo): Deleted.
1699         (catch): Deleted.
1700         * stress/big-wasm-memory-grow.js:
1701         (test.foo):
1702         (test):
1703         (foo): Deleted.
1704         (catch): Deleted.
1705         * stress/big-wasm-memory.js:
1706         (test.foo):
1707         (test):
1708         (foo): Deleted.
1709         (catch): Deleted.
1710
1711 2018-12-05  Mark Lam  <mark.lam@apple.com>
1712
1713         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1714         https://bugs.webkit.org/show_bug.cgi?id=192441
1715         <rdar://problem/46480355>
1716
1717         Reviewed by Saam Barati.
1718
1719         * stress/regress-192441.js: Added.
1720
1721 2018-12-04  Mark Lam  <mark.lam@apple.com>
1722
1723         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1724         https://bugs.webkit.org/show_bug.cgi?id=192386
1725         <rdar://problem/46445516>
1726
1727         Reviewed by Saam Barati.
1728
1729         * stress/regress-192386.js: Added.
1730
1731 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1732
1733         [ESNext][BigInt] Support logic operations
1734         https://bugs.webkit.org/show_bug.cgi?id=179903
1735
1736         Reviewed by Yusuke Suzuki.
1737
1738         * stress/big-int-branch-usage.js: Added.
1739         * stress/big-int-logical-and.js: Added.
1740         * stress/big-int-logical-not.js: Added.
1741         * stress/big-int-logical-or.js: Added.
1742
1743 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1744
1745         Unreviewed, rolling out r238833.
1746
1747         Breaks macOS and iOS debug builds.
1748
1749         Reverted changeset:
1750
1751         "[ESNext][BigInt] Support logic operations"
1752         https://bugs.webkit.org/show_bug.cgi?id=179903
1753         https://trac.webkit.org/changeset/238833
1754
1755 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1756
1757         [ESNext][BigInt] Support logic operations
1758         https://bugs.webkit.org/show_bug.cgi?id=179903
1759
1760         Reviewed by Yusuke Suzuki.
1761
1762         * stress/big-int-branch-usage.js: Added.
1763         * stress/big-int-logical-and.js: Added.
1764         * stress/big-int-logical-not.js: Added.
1765         * stress/big-int-logical-or.js: Added.
1766
1767 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1768
1769         [ESNext][BigInt] Implement support for "<<" and ">>"
1770         https://bugs.webkit.org/show_bug.cgi?id=186233
1771
1772         Reviewed by Yusuke Suzuki.
1773
1774         * stress/big-int-left-shift-general.js: Added.
1775         * stress/big-int-left-shift-range-error.js: Added.
1776         * stress/big-int-left-shift-type-error.js: Added.
1777         * stress/big-int-left-shift-wrapped-value.js: Added.
1778         * stress/big-int-right-shift-general.js: Added.
1779         * stress/big-int-right-shift-type-error.js: Added.
1780         * stress/big-int-right-shift-wrapped-value.js: Added.
1781         * stress/left-shift-to-primitive-precedence.js: Added.
1782         * stress/right-shift-to-primitive-precedence.js: Added.
1783
1784 2018-11-30  Dean Jackson  <dino@apple.com>
1785
1786         Add first-class support for .mjs files in jsc binary
1787         https://bugs.webkit.org/show_bug.cgi?id=192190
1788         <rdar://problem/46375715>
1789
1790         Reviewed by Keith Miller.
1791
1792         * stress/simple-module.mjs: Added.
1793         * stress/simple-script.js: Added.
1794
1795 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1796
1797         [BigInt] Implement ValueBitXor into DFG
1798         https://bugs.webkit.org/show_bug.cgi?id=190264
1799
1800         Reviewed by Yusuke Suzuki.
1801
1802         * stress/big-int-bitwise-xor-jit.js: Added.
1803         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1804         * stress/big-int-bitwise-xor-untyped.js: Added.
1805
1806 2018-11-27  Saam barati  <sbarati@apple.com>
1807
1808         r238510 broke scopes of size zero
1809         https://bugs.webkit.org/show_bug.cgi?id=192033
1810         <rdar://problem/46281734>
1811
1812         Reviewed by Keith Miller.
1813
1814         * stress/r238510-bad-loop.js: Added.
1815         (foo):
1816
1817 2018-11-27  Mark Lam  <mark.lam@apple.com>
1818
1819         [Re-landing] NaNs read from Wasm code needs to be purified.
1820         https://bugs.webkit.org/show_bug.cgi?id=191056
1821         <rdar://problem/45660341>
1822
1823         Reviewed by Filip Pizlo.
1824
1825         * wasm/regress/regress-191056.js: Added.
1826
1827 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1828
1829         Unreviewed, rolling out r238509.
1830
1831         Causes JSC tests to fail on iOS.
1832
1833         Reverted changeset:
1834
1835         "NaNs read from Wasm code needs to be purified."
1836         https://bugs.webkit.org/show_bug.cgi?id=191056
1837         https://trac.webkit.org/changeset/238509
1838
1839 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1840
1841         Re-introduce op_bitnot
1842         https://bugs.webkit.org/show_bug.cgi?id=190923
1843
1844         Reviewed by Yusuke Suzuki.
1845
1846         * stress/bit-not-must-generate.js: Added.
1847         * stress/bitwise-not-no-int32.js: Added.
1848
1849 2018-11-26  Saam barati  <sbarati@apple.com>
1850
1851         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1852         https://bugs.webkit.org/show_bug.cgi?id=191956
1853         <rdar://problem/45665806>
1854
1855         Reviewed by Yusuke Suzuki.
1856
1857         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1858         (bar):
1859         (foo):
1860
1861 2018-11-26  Saam barati  <sbarati@apple.com>
1862
1863         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1864         https://bugs.webkit.org/show_bug.cgi?id=191958
1865         <rdar://problem/46221877>
1866
1867         Reviewed by Yusuke Suzuki.
1868
1869         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1870         (x):
1871         (foo):
1872
1873 2018-11-26  Mark Lam  <mark.lam@apple.com>
1874
1875         NaNs read from Wasm code needs to be purified.
1876         https://bugs.webkit.org/show_bug.cgi?id=191056
1877         <rdar://problem/45660341>
1878
1879         Reviewed by Filip Pizlo.
1880
1881         * wasm/regress/regress-191056.js: Added.
1882
1883 2018-11-26  Michael Saboff  <msaboff@apple.com>
1884
1885         32-bit JSC test failure: stress/regexp-compile-oom.js
1886         https://bugs.webkit.org/show_bug.cgi?id=191375
1887
1888         Reviewed by Mark Lam.
1889
1890         Disabled the test for 32 bit platforms.
1891
1892         * stress/regexp-compile-oom.js:
1893
1894 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1895
1896         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1897         https://bugs.webkit.org/show_bug.cgi?id=191716
1898         <rdar://problem/45723878>
1899
1900         Reviewed by Saam Barati.
1901
1902         * stress/regress-187373.js: Added.
1903         (async.fn):
1904
1905 2018-11-21  Saam barati  <sbarati@apple.com>
1906
1907         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1908         https://bugs.webkit.org/show_bug.cgi?id=191897
1909         <rdar://problem/45871998>
1910
1911         Reviewed by Mark Lam.
1912
1913         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1914         (bar):
1915         (foo):
1916
1917 2018-11-21  Saam barati  <sbarati@apple.com>
1918
1919         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1920         https://bugs.webkit.org/show_bug.cgi?id=191895
1921         <rdar://problem/46167406>
1922
1923         Reviewed by Mark Lam.
1924
1925         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1926         (foo):
1927         (bar):
1928
1929 2018-11-21  Mark Lam  <mark.lam@apple.com>
1930
1931         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1932         https://bugs.webkit.org/show_bug.cgi?id=191776
1933         <rdar://problem/46152851>
1934
1935         Reviewed by Saam Barati.
1936
1937         * stress/big-wasm-memory-grow-no-max.js:
1938         * stress/big-wasm-memory-grow.js:
1939         * stress/big-wasm-memory.js:
1940         - updated these to expect an OutOfMemoryError.
1941
1942         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1943         (Binary.prototype.emit_u8):
1944         (Binary.prototype.emit_u32v):
1945         (Binary.prototype.emit_header):
1946         (Binary.prototype.emit_section):
1947         (Binary):
1948         (WasmModuleBuilder):
1949         (WasmModuleBuilder.prototype.addMemory):
1950         (WasmModuleBuilder.prototype.toArray):
1951         (WasmModuleBuilder.prototype.toBuffer):
1952         (WasmModuleBuilder.prototype.instantiate):
1953         (catch):
1954         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1955         (catch):
1956
1957 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1958
1959         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1960         https://bugs.webkit.org/show_bug.cgi?id=190836
1961
1962         Reviewed by Saam Barati and Yusuke Suzuki.
1963
1964         * stress/big-int-out-of-memory-tests.js: Added.
1965
1966 2018-11-20  Mark Lam  <mark.lam@apple.com>
1967
1968         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1969         https://bugs.webkit.org/show_bug.cgi?id=191856
1970         <rdar://problem/46089992>
1971
1972         Reviewed by Yusuke Suzuki.
1973
1974         * stress/regress-191856.js: Added.
1975         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1976
1977 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1978
1979         Enable JIT on ARM/Linux
1980         https://bugs.webkit.org/show_bug.cgi?id=191548
1981
1982         Reviewed by Yusuke Suzuki.
1983
1984         Disable test on system with limited memory. Program was killed by
1985         the OS before the exception was thrown.
1986
1987         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1988
1989 2018-11-20  Saam barati  <sbarati@apple.com>
1990
1991         Merging an IC variant may lead to the IC status containing overlapping structure sets
1992         https://bugs.webkit.org/show_bug.cgi?id=191869
1993         <rdar://problem/45403453>
1994
1995         Reviewed by Mark Lam.
1996
1997         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1998
1999 2018-11-19  Mark Lam  <mark.lam@apple.com>
2000
2001         globalFuncImportModule() should return a promise when it clears exceptions.
2002         https://bugs.webkit.org/show_bug.cgi?id=191792
2003         <rdar://problem/46090763>
2004
2005         Reviewed by Michael Saboff.
2006
2007         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2008
2009 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2010
2011         Skip new memory-hungry tests on memory limited devices
2012
2013         Unreviewed gardening.
2014
2015         * stress/big-wasm-memory-grow-no-max.js:
2016         * stress/big-wasm-memory-grow.js:
2017         * stress/big-wasm-memory.js:
2018
2019 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2020
2021         Unreviewed, rolling in the rest of r237254
2022         https://bugs.webkit.org/show_bug.cgi?id=190340
2023
2024         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2025         * stress/function-cache-with-parameters-end-position.js: Added.
2026         (shouldBe):
2027         (shouldThrow):
2028         (i.anonymous):
2029         * stress/function-constructor-name.js: Added.
2030         (shouldBe):
2031         (GeneratorFunction):
2032         (AsyncFunction.async):
2033         (AsyncGeneratorFunction.async):
2034         (anonymous):
2035         (async.anonymous):
2036         * test262/expectations.yaml:
2037
2038 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2039
2040         All users of ArrayBuffer should agree on the same max size
2041         https://bugs.webkit.org/show_bug.cgi?id=191771
2042
2043         Reviewed by Mark Lam.
2044
2045         * stress/big-wasm-memory-grow-no-max.js: Added.
2046         (foo):
2047         (catch):
2048         * stress/big-wasm-memory-grow.js: Added.
2049         (foo):
2050         (catch):
2051         * stress/big-wasm-memory.js: Added.
2052         (foo):
2053         (catch):
2054
2055 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2056
2057         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2058         run for each JSC config since they're regression tests for runtime bugs.
2059
2060         * stress/json-stringified-overflow-2.js:
2061         * stress/json-stringified-overflow.js:
2062
2063 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2064
2065         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2066         config since they're regression tests for runtime bugs.
2067
2068         * stress/large-unshift-splice.js:
2069         * stress/regress-185888.js:
2070
2071 2018-11-16  Saam Barati  <sbarati@apple.com>
2072
2073         KnownCellUse should also have SpecCellCheck as its type filter
2074         https://bugs.webkit.org/show_bug.cgi?id=191729
2075         <rdar://problem/45872852>
2076
2077         Reviewed by Filip Pizlo.
2078
2079         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2080         (C):
2081
2082 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2083
2084         Fix assertion failure on BytecodeGenerator::recordOpcode
2085         https://bugs.webkit.org/show_bug.cgi?id=191724
2086         <rdar://problem/45724395>
2087
2088         Reviewed by Saam Barati.
2089
2090         * stress/regress-187373-2.js: Added.
2091         (foo):
2092
2093 2018-11-15  Mark Lam  <mark.lam@apple.com>
2094
2095         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2096         https://bugs.webkit.org/show_bug.cgi?id=191730
2097         <rdar://problem/46048517>
2098
2099         Reviewed by Saam Barati.
2100
2101         * stress/regress-187006.js: Removed.
2102           - this test is invalid because its sole purpose is to test for the non-spec
2103             compliant behavior that we just fixed.
2104
2105         * stress/regress-191730.js: Added.
2106
2107 2018-11-15  Mark Lam  <mark.lam@apple.com>
2108
2109         RegExp operations should not take fast path if lastIndex is not numeric.
2110         https://bugs.webkit.org/show_bug.cgi?id=191731
2111         <rdar://problem/46017305>
2112
2113         Reviewed by Saam Barati.
2114
2115         * stress/regress-191731.js: Added.
2116
2117 2018-11-13  Saam Barati  <sbarati@apple.com>
2118
2119         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2120         https://bugs.webkit.org/show_bug.cgi?id=191600
2121
2122         Reviewed by Mark Lam.
2123
2124         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2125         (foo):
2126         (test):
2127         (bar):
2128
2129 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2130
2131         Unreviewed, rolling out r238132.
2132
2133         The test added with this change is timing out on Debug JSC
2134         bots.
2135
2136         Reverted changeset:
2137
2138         "[BigInt] JSBigInt::createWithLength should throw when length
2139         is greater than JSBigInt::maxLength"
2140         https://bugs.webkit.org/show_bug.cgi?id=190836
2141         https://trac.webkit.org/changeset/238132
2142
2143 2018-11-13  Mark Lam  <mark.lam@apple.com>
2144
2145         Add OOM detection to StringPrototype's substituteBackreferences().
2146         https://bugs.webkit.org/show_bug.cgi?id=191563
2147         <rdar://problem/45720428>
2148
2149         Reviewed by Saam Barati.
2150
2151         * stress/regress-191563.js: Added.
2152
2153 2018-11-13  Mark Lam  <mark.lam@apple.com>
2154
2155         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2156         https://bugs.webkit.org/show_bug.cgi?id=191579
2157         <rdar://problem/45942472>
2158
2159         Reviewed by Saam Barati.
2160
2161         * stress/regress-191579.js: Added.
2162
2163 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2164
2165         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2166         https://bugs.webkit.org/show_bug.cgi?id=190836
2167
2168         Reviewed by Saam Barati.
2169
2170         * stress/big-int-out-of-memory-tests.js: Added.
2171
2172 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2173
2174         U+180E is no longer a whitespace character
2175         https://bugs.webkit.org/show_bug.cgi?id=191415
2176
2177         Reviewed by Saam Barati.
2178
2179         * ChakraCore/test/es5/regexSpace.baseline:
2180         * ChakraCore/test/es6/unicode_whitespace.js:
2181         Update tests to latest version.
2182         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2183
2184         * test262.yaml:
2185         * test262/config.yaml:
2186         * test262/expectations.yaml:
2187         Update expectations.
2188
2189 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2190
2191         [BigInt] Add support to BigInt into ValueAdd
2192         https://bugs.webkit.org/show_bug.cgi?id=186177
2193
2194         Reviewed by Keith Miller.
2195
2196         * stress/big-int-negate-jit.js:
2197         * stress/value-add-big-int-and-string.js: Added.
2198         * stress/value-add-big-int-prediction-propagation.js: Added.
2199         * stress/value-add-big-int-untyped.js: Added.
2200
2201 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2202
2203         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2204         https://bugs.webkit.org/show_bug.cgi?id=191184
2205
2206         Reviewed by Saam Barati.
2207
2208         Most tests were failing due to timeouts, since they are too slow to
2209         run on CLoop. The exceptions are:
2210
2211         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2212         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2213         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2214         to change the stack size since CLoop requires it to be page aligned.
2215
2216         * microbenchmarks/array-push-1.js:
2217         * microbenchmarks/array-push-2.js:
2218         * microbenchmarks/elidable-new-object-dag.js:
2219         * microbenchmarks/elidable-new-object-roflcopter.js:
2220         * microbenchmarks/elidable-new-object-tree.js:
2221         * microbenchmarks/getter-richards.js:
2222         * microbenchmarks/sinkable-new-object-dag.js:
2223         * microbenchmarks/string-concat-long-convert.js:
2224         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2225         * slowMicrobenchmarks/array-push-3.js:
2226         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2227         * slowMicrobenchmarks/spread-small-array.js:
2228         * slowMicrobenchmarks/undefined-property-access.js:
2229         * stress/activation-sink-default-value-tdz-error.js:
2230         * stress/activation-sink-default-value.js:
2231         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2232         * stress/activation-sink-osrexit-default-value.js:
2233         * stress/activation-sink-osrexit.js:
2234         * stress/activation-sink.js:
2235         * stress/allow-math-ic-b3-code-duplication.js:
2236         * stress/array-push-multiple-int32.js:
2237         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2238         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2239         * stress/arrowfunction-lexical-this-activation-sink.js:
2240         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2241         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2242         * stress/elide-new-object-dag-then-exit.js:
2243         * stress/materialize-regexp-cyclic.js:
2244         * stress/new-regex-inline.js:
2245         * stress/op_add.js:
2246         * stress/op_bitand.js:
2247         * stress/op_bitor.js:
2248         * stress/op_bitxor.js:
2249         * stress/op_div-ConstVar.js:
2250         * stress/op_div-VarConst.js:
2251         * stress/op_div-VarVar.js:
2252         * stress/op_lshift-ConstVar.js:
2253         * stress/op_lshift-VarConst.js:
2254         * stress/op_lshift-VarVar.js:
2255         * stress/op_mod-ConstVar.js:
2256         * stress/op_mod-VarConst.js:
2257         * stress/op_mod-VarVar.js:
2258         * stress/op_mul-ConstVar.js:
2259         * stress/op_mul-VarConst.js:
2260         * stress/op_mul-VarVar.js:
2261         * stress/op_rshift-ConstVar.js:
2262         * stress/op_rshift-VarConst.js:
2263         * stress/op_rshift-VarVar.js:
2264         * stress/op_sub-ConstVar.js:
2265         * stress/op_sub-VarConst.js:
2266         * stress/op_sub-VarVar.js:
2267         * stress/op_urshift-ConstVar.js:
2268         * stress/op_urshift-VarConst.js:
2269         * stress/op_urshift-VarVar.js:
2270         * stress/proxy-get-set-correct-receiver.js:
2271         * stress/regress-179562.js:
2272         * stress/rest-parameter-many-arguments.js:
2273         * stress/sampling-profiler-richards.js:
2274         * stress/splay-flash-access-1ms.js:
2275         * stress/tailCallForwardArguments.js:
2276         * stress/typed-array-get-by-val-profiling.js:
2277         * typeProfiler/getter-richards.js:
2278
2279 2018-11-06  Michael Saboff  <msaboff@apple.com>
2280
2281         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2282         https://bugs.webkit.org/show_bug.cgi?id=191271
2283
2284         Reviewed by Saam Barati.
2285
2286         Added more test cases and made all test cases run with the same deeply recursive stack
2287         instead of finding that same point for each test case.
2288
2289         * stress/regexp-compile-oom.js:
2290         (prototype.runTest):
2291         (recurseAndTest):
2292         (testList.push.new.TestAndExpectedException):
2293
2294 2018-11-05  Michael Saboff  <msaboff@apple.com>
2295
2296         Unreviewed build fix for linux.
2297
2298         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2299
2300 2018-11-02  Michael Saboff  <msaboff@apple.com>
2301
2302         Rolling in r237753 with unreviewed build fix.
2303
2304         Fixed issues with DECLARE_THROW_SCOPE placement.
2305
2306 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2307
2308         Unreviewed, rolling out r237753.
2309
2310         Introduced JSC test failures
2311
2312         Reverted changeset:
2313
2314         "Running out of stack space not properly handled in
2315         RegExp::compile() and its callers"
2316         https://bugs.webkit.org/show_bug.cgi?id=191206
2317         https://trac.webkit.org/changeset/237753
2318
2319 2018-11-02  Michael Saboff  <msaboff@apple.com>
2320
2321         Running out of stack space not properly handled in RegExp::compile() and its callers
2322         https://bugs.webkit.org/show_bug.cgi?id=191206
2323
2324         Reviewed by Filip Pizlo.
2325
2326         New regression test.
2327
2328         * stress/regexp-compile-oom.js: Added.
2329         (recurseAndTest):
2330
2331 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2332
2333         Skip tests on arm/mips that time out now we're running on CLoop
2334
2335         Unreviewed gardening.
2336
2337         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2338         time out on the bots and need to be disabled. There are more tests
2339         disabled on arm because the timeout is longer on the mips bot (as the
2340         device is slower to start with), so many of the tests don't time out
2341         there.
2342
2343         * microbenchmarks/getter-richards.js: disable on arm and mips.
2344         * stress/op_add.js: disable on arm.
2345         * stress/op_bitand.js: disable on arm.
2346         * stress/op_bitor.js: disable on arm.
2347         * stress/op_bitxor.js: disable on arm.
2348         * stress/op_lshift-ConstVar.js: disable on arm.
2349         * stress/op_lshift-VarConst.js: disable on arm.
2350         * stress/op_lshift-VarVar.js: disable on arm.
2351         * stress/op_mod-ConstVar.js: disable on arm.
2352         * stress/op_mod-VarConst.js: disable on arm.
2353         * stress/op_mod-VarVar.js: disable on arm.
2354         * stress/op_mul-ConstVar.js: disable on arm.
2355         * stress/op_mul-VarConst.js: disable on arm.
2356         * stress/op_mul-VarVar.js: disable on arm.
2357         * stress/op_rshift-ConstVar.js: disable on arm.
2358         * stress/op_rshift-VarConst.js: disable on arm.
2359         * stress/op_rshift-VarVar.js: disable on arm.
2360         * stress/op_sub-ConstVar.js: disable on arm.
2361         * stress/op_sub-VarConst.js: disable on arm.
2362         * stress/op_sub-VarVar.js: disable on arm.
2363         * stress/op_urshift-ConstVar.js: disable on arm.
2364         * stress/op_urshift-VarConst.js: disable on arm.
2365         * stress/op_urshift-VarVar.js: disable on arm.
2366         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2367         * stress/value-to-boolean.js: disable on arm and mips.
2368
2369 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2370
2371         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2372         https://bugs.webkit.org/show_bug.cgi?id=191108
2373         <rdar://problem/45690700>
2374
2375         Reviewed by Saam Barati.
2376
2377         * stress/wide-op_catch.js: Added.
2378         (catch):
2379
2380 2018-10-29  Mark Lam  <mark.lam@apple.com>
2381
2382         Correctly detect string overflow when using the 'Function' constructor.
2383         https://bugs.webkit.org/show_bug.cgi?id=184883
2384         <rdar://problem/36320331>
2385
2386         Reviewed by Saam Barati.
2387
2388         I've verified that this passes on 32-bit as well.
2389
2390         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2391
2392 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2393
2394         Add support for GetStack FlushedDouble
2395         https://bugs.webkit.org/show_bug.cgi?id=191012
2396         <rdar://problem/45265141>
2397
2398         Reviewed by Saam Barati.
2399
2400         * stress/get-stack-double.js: Added.
2401         (bar):
2402         (noInline):
2403
2404 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2405
2406         New bytecode format for JSC
2407         https://bugs.webkit.org/show_bug.cgi?id=187373
2408         <rdar://problem/44186758>
2409
2410         Reviewed by Filip Pizlo.
2411
2412         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2413
2414         * stress/maximum-inline-capacity.js: Added.
2415         (test1):
2416         (test3.Foo):
2417         (test3):
2418
2419 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2420
2421         Unreviewed, rolling out r237479 and r237484.
2422         https://bugs.webkit.org/show_bug.cgi?id=190978
2423
2424         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2425
2426         Reverted changesets:
2427
2428         "New bytecode format for JSC"
2429         https://bugs.webkit.org/show_bug.cgi?id=187373
2430         https://trac.webkit.org/changeset/237479
2431
2432         "Gardening: Build fix after r237479."
2433         https://bugs.webkit.org/show_bug.cgi?id=187373
2434         https://trac.webkit.org/changeset/237484
2435
2436 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2437
2438         New bytecode format for JSC
2439         https://bugs.webkit.org/show_bug.cgi?id=187373
2440         <rdar://problem/44186758>
2441
2442         Reviewed by Filip Pizlo.
2443
2444         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2445
2446         * stress/maximum-inline-capacity.js: Added.
2447         (test1):
2448         (test3.Foo):
2449         (test3):
2450
2451 2018-10-26  Mark Lam  <mark.lam@apple.com>
2452
2453         Fix missing edge cases with JSGlobalObjects having a bad time.
2454         https://bugs.webkit.org/show_bug.cgi?id=189028
2455         <rdar://problem/45204939>
2456
2457         Reviewed by Saam Barati.
2458
2459         * stress/regress-189028.js: Added.
2460
2461 2018-10-22  Mark Lam  <mark.lam@apple.com>
2462
2463         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2464         https://bugs.webkit.org/show_bug.cgi?id=190515
2465         <rdar://problem/45222379>
2466
2467         Rubber-stamped by Saam Barati.
2468
2469         Adding another test.
2470
2471         * stress/regress-190515-2.js: Added.
2472
2473 2018-10-22  Mark Lam  <mark.lam@apple.com>
2474
2475         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2476         https://bugs.webkit.org/show_bug.cgi?id=190515
2477         <rdar://problem/45222379>
2478
2479         Reviewed by Saam Barati.
2480
2481         * stress/regress-190515.js: Added.
2482
2483 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2484
2485         Unreviewed, rolling out r237254.
2486         https://bugs.webkit.org/show_bug.cgi?id=190760
2487
2488         "It regresses JetStream 2 by 5% on some iOS devices"
2489         (Requested by saamyjoon on #webkit).
2490
2491         Reverted changeset:
2492
2493         "[JSC] JSC should have "parseFunction" to optimize Function
2494         constructor"
2495         https://bugs.webkit.org/show_bug.cgi?id=190340
2496         https://trac.webkit.org/changeset/237254
2497
2498 2018-10-19  Saam Barati  <sbarati@apple.com>
2499
2500         vmCall should check if we exit before emitting an OSR exit due to exceptions
2501         https://bugs.webkit.org/show_bug.cgi?id=190740
2502         <rdar://problem/45220139>
2503
2504         Reviewed by Mark Lam.
2505
2506         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2507         (foo):
2508
2509 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2510
2511         [ESNext][BigInt] Implement support for "^"
2512         https://bugs.webkit.org/show_bug.cgi?id=186235
2513
2514         Reviewed by Yusuke Suzuki.
2515
2516         * stress/big-int-bitwise-xor-general.js: Added.
2517         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2518         * stress/big-int-bitwise-xor-type-error.js: Added.
2519         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2520
2521 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2522
2523         [BigInt] Add ValueSub into DFG
2524         https://bugs.webkit.org/show_bug.cgi?id=186176
2525
2526         Reviewed by Yusuke Suzuki.
2527
2528         * stress/big-int-subtraction-jit.js:
2529         * stress/value-sub-big-int-prediction-propagation.js: Added.
2530         * stress/value-sub-big-int-untyped.js: Added.
2531         * stress/value-sub-spec-none-case.js: Added.
2532
2533 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2534
2535         [JSC] JSC should have "parseFunction" to optimize Function constructor
2536         https://bugs.webkit.org/show_bug.cgi?id=190340
2537
2538         Reviewed by Mark Lam.
2539
2540         This patch fixes the line number of syntax errors raised by the Function constructor,
2541         since we now parse the final code only once. And we no longer use block statement
2542         for Function constructor's parsing.
2543
2544         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2545         * stress/function-cache-with-parameters-end-position.js: Added.
2546         (shouldBe):
2547         (shouldThrow):
2548         (i.anonymous):
2549         * stress/function-constructor-name.js: Added.
2550         (shouldBe):
2551         (GeneratorFunction):
2552         (AsyncFunction.async):
2553         (AsyncGeneratorFunction.async):
2554         (anonymous):
2555         (async.anonymous):
2556         * test262/expectations.yaml:
2557
2558 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2559
2560         Unreviewed, rolling out r237242.
2561         https://bugs.webkit.org/show_bug.cgi?id=190701
2562
2563         it breaks "stress/sampling-profiler-basic.js" (Requested by
2564         caiolima on #webkit).
2565
2566         Reverted changeset:
2567
2568         "[BigInt] Add ValueSub into DFG"
2569         https://bugs.webkit.org/show_bug.cgi?id=186176
2570         https://trac.webkit.org/changeset/237242
2571
2572 2018-10-17  Keith Miller  <keith_miller@apple.com>
2573
2574         AI does not clear Phantom allocation nodes.
2575         https://bugs.webkit.org/show_bug.cgi?id=190694
2576
2577         Reviewed by Saam Barati.
2578
2579         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2580         (Day):
2581         (DaysInYear):
2582         (TimeInYear):
2583         (TimeFromYear):
2584         (DayFromYear):
2585         (InLeapYear):
2586         (YearFromTime):
2587         (WeekDay):
2588         (DaylightSavingTA):
2589         (GetSecondSundayInMarch):
2590         (TimeInMonth):
2591
2592 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2593
2594         [BigInt] Add ValueSub into DFG
2595         https://bugs.webkit.org/show_bug.cgi?id=186176
2596
2597         Reviewed by Yusuke Suzuki.
2598
2599         * stress/big-int-subtraction-jit.js:
2600         * stress/value-sub-big-int-prediction-propagation.js: Added.
2601         * stress/value-sub-big-int-untyped.js: Added.
2602
2603 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2604
2605         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2606         https://bugs.webkit.org/show_bug.cgi?id=190611
2607
2608         Reviewed by Saam Barati.
2609
2610         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2611         to improve test runtime. On ARM/MIPS this test even timed out when running all
2612         tests.
2613
2614         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2615         (test):
2616
2617 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2618
2619         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2620
2621         Unreviewed gardening.
2622
2623         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2624
2625 2018-10-15  Saam barati  <sbarati@apple.com>
2626
2627         Emit fjcvtzs on ARM64E on Darwin
2628         https://bugs.webkit.org/show_bug.cgi?id=184023
2629
2630         Reviewed by Yusuke Suzuki and Filip Pizlo.
2631
2632         * stress/double-to-int32-NaN.js: Added.
2633         (assert):
2634         (foo):
2635
2636 2018-10-15  Saam Barati  <sbarati@apple.com>
2637
2638         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2639         https://bugs.webkit.org/show_bug.cgi?id=190262
2640         <rdar://problem/44986241>
2641
2642         Reviewed by Mark Lam.
2643
2644         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2645         (test):
2646         * stress/slice-array-storage-with-holes.js: Added.
2647         (main):
2648
2649 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2650
2651         Unreviewed, rolling out r237054.
2652         https://bugs.webkit.org/show_bug.cgi?id=190593
2653
2654         "this regressed JetStream 2 by 6% on iOS" (Requested by
2655         saamyjoon on #webkit).
2656
2657         Reverted changeset:
2658
2659         "[JSC] JSC should have "parseFunction" to optimize Function
2660         constructor"
2661         https://bugs.webkit.org/show_bug.cgi?id=190340
2662         https://trac.webkit.org/changeset/237054
2663
2664 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2665
2666         [JSC] JSON.stringify can accept call-with-no-arguments
2667         https://bugs.webkit.org/show_bug.cgi?id=190343
2668
2669         Reviewed by Mark Lam.
2670
2671         * stress/json-stringify-no-arguments.js: Added.
2672         (shouldBe):
2673
2674 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2675
2676         [JSC] JSC should have "parseFunction" to optimize Function constructor
2677         https://bugs.webkit.org/show_bug.cgi?id=190340
2678
2679         Reviewed by Mark Lam.
2680
2681         This patch fixes the line number of syntax errors raised by the Function constructor,
2682         since we now parse the final code only once. And we no longer use block statement
2683         for Function constructor's parsing.
2684
2685         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2686         * stress/function-cache-with-parameters-end-position.js: Added.
2687         (shouldBe):
2688         (shouldThrow):
2689         (i.anonymous):
2690         * stress/function-constructor-name.js: Added.
2691         (shouldBe):
2692         (GeneratorFunction):
2693         (AsyncFunction.async):
2694         (AsyncGeneratorFunction.async):
2695         (anonymous):
2696         (async.anonymous):
2697         * test262/expectations.yaml:
2698
2699 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2700
2701         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2702         https://bugs.webkit.org/show_bug.cgi?id=190426
2703
2704         Unreviewed gardening.
2705
2706         * stress/sampling-profiler-richards.js:
2707
2708 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2709
2710         [ESNext][BigInt] Implement support for "|"
2711         https://bugs.webkit.org/show_bug.cgi?id=186229
2712
2713         Reviewed by Yusuke Suzuki.
2714
2715         * stress/big-int-bitwise-and-jit.js:
2716         * stress/big-int-bitwise-or-general.js: Added.
2717         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2718         * stress/big-int-bitwise-or-jit.js: Added.
2719         * stress/big-int-bitwise-or-memory-stress.js: Added.
2720         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2721         * stress/big-int-bitwise-or-type-error.js: Added.
2722         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2723
2724 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2725
2726         Skip test on systems with limited memory
2727         https://bugs.webkit.org/show_bug.cgi?id=190310
2728
2729         Invoking runDefault adds test to runlist, skipping the test in the next
2730         line does not prevent the test from executing. Change order of lines such
2731         that runDefault is only executed if test is not executed.
2732
2733         Reviewed by Mark Lam.
2734
2735         * stress/regress-190187.js:
2736
2737 2018-10-03  Saam barati  <sbarati@apple.com>
2738
2739         lowXYZ in FTLLower should always filter the type of the incoming edge
2740         https://bugs.webkit.org/show_bug.cgi?id=189939
2741         <rdar://problem/44407030>
2742
2743         Reviewed by Michael Saboff.
2744
2745         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2746         (foo):
2747         (test):
2748
2749 2018-10-03  Mark Lam  <mark.lam@apple.com>
2750
2751         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2752         https://bugs.webkit.org/show_bug.cgi?id=190187
2753         <rdar://problem/42512909>
2754
2755         Reviewed by Michael Saboff.
2756
2757         * stress/regress-190187.js: Added.
2758
2759 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2760
2761         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2762         https://bugs.webkit.org/show_bug.cgi?id=190033
2763
2764         Reviewed by Yusuke Suzuki.
2765
2766         * stress/big-int-to-string.js:
2767
2768 2018-10-01  Mark Lam  <mark.lam@apple.com>
2769
2770         Function.toString() should also copy the source code Functions that are class definitions.
2771         https://bugs.webkit.org/show_bug.cgi?id=190186
2772         <rdar://problem/44733360>
2773
2774         Reviewed by Saam Barati.
2775
2776         * stress/regress-190186.js: Added.
2777
2778 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2779
2780         Split NaN-check into separate test
2781         https://bugs.webkit.org/show_bug.cgi?id=190010
2782
2783         Reviewed by Saam Barati.
2784
2785         DataView exposes NaN-representation, which is not necessarily the same on each
2786         architecture. Therefore move the check of the NaN-representation into its own
2787         file such that we can disable this test on MIPS where NaN-representation can be
2788         different on older CPUs.
2789
2790         * stress/dataview-jit-set-nan.js: Added.
2791         (assert):
2792         (test.storeLittleEndian):
2793         (test.storeBigEndian):
2794         (test.store):
2795         (test):
2796         * stress/dataview-jit-set.js:
2797         (test5):
2798
2799 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2800
2801         Unreviewed, rolling out r236647.
2802         https://bugs.webkit.org/show_bug.cgi?id=190124
2803
2804         Breaking test stress/big-int-to-string.js (Requested by
2805         caiolima_ on #webkit).
2806
2807         Reverted changeset:
2808
2809         "[BigInt] BigInt.prototype.toString is broken when radix is
2810         power of 2"
2811         https://bugs.webkit.org/show_bug.cgi?id=190033
2812         https://trac.webkit.org/changeset/236647
2813
2814 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2815
2816         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2817         https://bugs.webkit.org/show_bug.cgi?id=190033
2818
2819         Reviewed by Yusuke Suzuki.
2820
2821         * stress/big-int-to-string.js:
2822
2823 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2824
2825         [ESNext][BigInt] Implement support for "&"
2826         https://bugs.webkit.org/show_bug.cgi?id=186228
2827
2828         Reviewed by Yusuke Suzuki.
2829
2830         * stress/big-int-bitwise-and-general.js: Added.
2831         (assert):
2832         (assert.sameValue):
2833         * stress/big-int-bitwise-and-jit.js: Added.
2834         (let.assert.sameValue):
2835         (bigIntBitAnd):
2836         * stress/big-int-bitwise-and-memory-stress.js: Added.
2837         (assert):
2838         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2839         (assert.sameValue):
2840         (let.o.Symbol.toPrimitive):
2841         (catch):
2842         * stress/big-int-bitwise-and-type-error.js: Added.
2843         (assert):
2844         (assertThrowTypeError):
2845         (let.o.valueOf):
2846         (o.valueOf):
2847         (o.toString):
2848         (o.Symbol.toPrimitive):
2849         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2850         (assert.sameValue):
2851         (testBitAnd):
2852         (let.o.Symbol.toPrimitive):
2853         (o.valueOf):
2854         (o.toString):
2855
2856 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2857
2858         JSC test stress/jsc-read.js doesn't support CRLF
2859         https://bugs.webkit.org/show_bug.cgi?id=190063
2860
2861         Reviewed by Yusuke Suzuki.
2862
2863         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2864
2865         * stress/jsc-read.js:
2866         (test):
2867
2868 2018-09-27  Saam barati  <sbarati@apple.com>
2869
2870         Verify the contents of AssemblerBuffer on arm64e
2871         https://bugs.webkit.org/show_bug.cgi?id=190057
2872         <rdar://problem/38916630>
2873
2874         Reviewed by Mark Lam.
2875
2876         * stress/regress-189132.js:
2877
2878 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2879
2880         Disable test without LLInt on ARMv7
2881         https://bugs.webkit.org/show_bug.cgi?id=190037
2882
2883         Reviewed by Mark Lam.
2884
2885         Test runs out of executable memory on ARMv7, do not run
2886         this test without LLInt enabled.
2887
2888         * stress/regress-169445.js:
2889
2890 2018-09-26  Keith Miller  <keith_miller@apple.com>
2891
2892         We should zero unused property storage when rebalancing array storage.
2893         https://bugs.webkit.org/show_bug.cgi?id=188151
2894
2895         Reviewed by Michael Saboff.
2896
2897         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2898
2899 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2900
2901         [JSC] Optimize Array#lastIndexOf
2902         https://bugs.webkit.org/show_bug.cgi?id=189780
2903
2904         Reviewed by Saam Barati.
2905
2906         * stress/array-lastindexof-array-prototype-trap.js: Added.
2907         (shouldBe):
2908         (AncestorArray.prototype.get 2):
2909         (AncestorArray):
2910         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2911         (shouldBe):
2912         * stress/array-lastindexof-hole-nan.js: Added.
2913         (shouldBe):
2914         (throw.new.Error):
2915         * stress/array-lastindexof-infinity.js: Added.
2916         (shouldBe):
2917         (throw.new.Error):
2918         * stress/array-lastindexof-negative-zero.js: Added.
2919         (shouldBe):
2920         (throw.new.Error):
2921         * stress/array-lastindexof-own-getter.js: Added.
2922         (shouldBe):
2923         (throw.new.Error.get array):
2924         (get array):
2925         * stress/array-lastindexof-prototype-trap.js: Added.
2926         (shouldBe):
2927         (DerivedArray.prototype.get 2):
2928         (DerivedArray):
2929
2930 2018-09-25  Saam Barati  <sbarati@apple.com>
2931
2932         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2933         https://bugs.webkit.org/show_bug.cgi?id=189940
2934         <rdar://problem/43640987>
2935
2936         Reviewed by Mark Lam.
2937
2938         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2939
2940 2018-09-24  Saam Barati  <sbarati@apple.com>
2941
2942         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2943         https://bugs.webkit.org/show_bug.cgi?id=189922
2944         <rdar://problem/44651275>
2945
2946         Reviewed by Mark Lam.
2947
2948         * stress/array-indexof-fast-path-effects.js: Added.
2949         * stress/array-indexof-cached-length.js: Added.
2950
2951 2018-09-24  Saam barati  <sbarati@apple.com>
2952
2953         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2954         https://bugs.webkit.org/show_bug.cgi?id=189682
2955         <rdar://problem/43557315>
2956
2957         Reviewed by Mark Lam.
2958
2959         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2960         (foo):
2961
2962 2018-09-22  Saam barati  <sbarati@apple.com>
2963
2964         The sampling should not use Strong<CodeBlock> in its machineLocation field
2965         https://bugs.webkit.org/show_bug.cgi?id=189319
2966
2967         Reviewed by Filip Pizlo.
2968
2969         * stress/sampling-profiler-richards.js: Added.
2970
2971 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2972
2973         [JSC] Optimize Array#indexOf in C++ runtime
2974         https://bugs.webkit.org/show_bug.cgi?id=189507
2975
2976         Reviewed by Saam Barati.
2977
2978         * stress/array-indexof-array-prototype-trap.js: Added.
2979         (shouldBe):
2980         (AncestorArray.prototype.get 2):
2981         (AncestorArray):
2982         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2983         (shouldBe):
2984         * stress/array-indexof-hole-nan.js: Added.
2985         (shouldBe):
2986         (throw.new.Error):
2987         * stress/array-indexof-infinity.js: Added.
2988         (shouldBe):
2989         (throw.new.Error):
2990         * stress/array-indexof-negative-zero.js: Added.
2991         (shouldBe):
2992         (throw.new.Error):
2993         * stress/array-indexof-own-getter.js: Added.
2994         (shouldBe):
2995         (throw.new.Error.get array):
2996         (get array):
2997         * stress/array-indexof-prototype-trap.js: Added.
2998         (shouldBe):
2999         (DerivedArray.prototype.get 2):
3000         (DerivedArray):
3001
3002 2018-09-19  Saam barati  <sbarati@apple.com>
3003
3004         AI rule for MultiPutByOffset executes its effects in the wrong order
3005         https://bugs.webkit.org/show_bug.cgi?id=189757
3006         <rdar://problem/43535257>
3007
3008         Reviewed by Michael Saboff.
3009
3010         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3011         (foo):
3012         (Foo):
3013         (g):
3014
3015 2018-09-17  Mark Lam  <mark.lam@apple.com>
3016
3017         Ensure that ForInContexts are invalidated if their loop local is over-written.
3018         https://bugs.webkit.org/show_bug.cgi?id=189571
3019         <rdar://problem/44402277>
3020
3021         Reviewed by Saam Barati.
3022
3023         * stress/regress-189571.js: Added.
3024
3025 2018-09-17  Saam barati  <sbarati@apple.com>
3026
3027         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3028         https://bugs.webkit.org/show_bug.cgi?id=189676
3029         <rdar://problem/39682897>
3030
3031         Reviewed by Michael Saboff.
3032
3033         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3034         (A):
3035         (K):
3036         (i.catch):
3037
3038 2018-09-14  Saam barati  <sbarati@apple.com>
3039
3040         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3041         https://bugs.webkit.org/show_bug.cgi?id=189628
3042         <rdar://problem/39481690>
3043
3044         Reviewed by Mark Lam.
3045
3046         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3047         (foo):
3048
3049 2018-09-11  Mark Lam  <mark.lam@apple.com>
3050
3051         Test for array initialization in arrayProtoFuncSplice.
3052         https://bugs.webkit.org/show_bug.cgi?id=170253
3053         <rdar://problem/31328773>
3054
3055         Rubber-stamped by Saam Barati.
3056
3057         * stress/regress-170253.js: Added.
3058
3059 2018-09-11  Mark Lam  <mark.lam@apple.com>
3060
3061         Test for IntlObject initialization.
3062         https://bugs.webkit.org/show_bug.cgi?id=170251
3063         <rdar://problem/31328419>
3064
3065         Rubber-stamped by Saam Barati.
3066
3067         * stress/regress-170251.js: Added.
3068
3069 2018-09-11  Mark Lam  <mark.lam@apple.com>
3070
3071         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3072         https://bugs.webkit.org/show_bug.cgi?id=169889
3073         <rdar://problem/31155607>
3074
3075         Reviewed by Saam Barati.
3076
3077         * stress/regress-169889-array-concat.js: Added.
3078         * stress/regress-169889-array-concat1.js: Added.
3079         * stress/regress-169889-array-slice.js: Added.
3080
3081 2018-09-11  Mark Lam  <mark.lam@apple.com>
3082
3083         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3084         https://bugs.webkit.org/show_bug.cgi?id=169445
3085         <rdar://problem/30957435>
3086
3087         Reviewed by Saam Barati.
3088
3089         * stress/regress-169445.js: Added.
3090         (let.gun.eval.A):
3091         (let.gun.eval.B.C):
3092         (let.gun.eval.B.C.prototype.trigger):
3093         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3094         (let.gun.eval.B):
3095         (let.gun.eval):
3096
3097 == Rolled over to ChangeLog-2018-09-11 ==