[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2
3         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
4         https://bugs.webkit.org/show_bug.cgi?id=185211
5
6         Reviewed by Saam Barati.
7
8         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
9
10         This changes several assertions to expect a TypeError to be thrown (in some cases,
11         changing the expected message).
12
13         * es6/Proxy_ownKeys_duplicates.js:
14         (handler):
15         (shouldThrow):
16         (test):
17         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
18         (shouldThrow):
19         * stress/proxy-own-keys.js:
20         (i.catch):
21         (assert):
22
23 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
24
25         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
26         https://bugs.webkit.org/show_bug.cgi?id=196631
27
28         Reviewed by Saam Barati.
29
30         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
31         (assert):
32         (test):
33         (foo):
34
35 2019-04-04  Saam Barati  <sbarati@apple.com>
36
37         Unreviewed. Make the test from r243906 catch the thrown exceptions.
38
39         * stress/inferred-types-regex-matches-array.js:
40
41 2019-04-04  Saam Barati  <sbarati@apple.com>
42
43         createRegExpMatchesArray does not respect inferred types
44         https://bugs.webkit.org/show_bug.cgi?id=193287
45
46         Reviewed by Yusuke Suzuki.
47
48         This checks in the test case for 193287. This issue was discovered by
49         Samuel Groß of Google Project Zero.
50
51         * stress/inferred-types-regex-matches-array.js: Added.
52
53 2019-04-04  Saam barati  <sbarati@apple.com>
54
55         Teach Call ICs how to call Wasm
56         https://bugs.webkit.org/show_bug.cgi?id=196387
57
58         Reviewed by Filip Pizlo.
59
60         * wasm/function-tests/stack-trace.js:
61
62 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
63
64         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
65         https://bugs.webkit.org/show_bug.cgi?id=194944
66
67         Reviewed by Keith Miller.
68
69         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
70
71 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
72
73         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
74         https://bugs.webkit.org/show_bug.cgi?id=196409
75
76         Reviewed by Saam Barati.
77
78         * stress/bytecode-cache-cached-string-impl.js: Added.
79         (f):
80         (g):
81         * stress/bytecode-cache-run-string.js: Added.
82
83 2019-04-03  Robin Morisset  <rmorisset@apple.com>
84
85         B3 should use associativity to optimize expression trees
86         https://bugs.webkit.org/show_bug.cgi?id=194081
87
88         Reviewed by Filip Pizlo.
89
90         Added three microbenchmarks:
91         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
92         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
93           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
94         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
95
96         * microbenchmarks/add-tree.js: Added.
97         * microbenchmarks/bit-or-tree.js: Added.
98         * microbenchmarks/bit-xor-tree.js: Added.
99
100 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
101
102         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
103         https://bugs.webkit.org/show_bug.cgi?id=196574
104
105         Reviewed by Saam Barati.
106
107         * stress/string-index-of-exception-check.js: Added.
108         (blurType):
109         (1.forEach):
110
111 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
112
113         Assertion failed in JSC::createError
114         https://bugs.webkit.org/show_bug.cgi?id=196305
115         <rdar://problem/49387382>
116
117         Reviewed by Saam Barati.
118
119         * stress/create-error-out-of-memory-rope-string-2.js: Added.
120         (assert):
121         (catch):
122
123 2019-03-28  Saam Barati  <sbarati@apple.com>
124
125         BackwardsGraph needs to consider back edges as the backward's root successor
126         https://bugs.webkit.org/show_bug.cgi?id=195991
127
128         Reviewed by Filip Pizlo.
129
130         * stress/map-b3-licm-infinite-loop.js: Added.
131
132 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
133
134         CodeBlock::jettison() should disallow repatching its own calls
135         https://bugs.webkit.org/show_bug.cgi?id=196359
136         <rdar://problem/48973663>
137
138         Reviewed by Saam Barati.
139
140         * stress/call-link-info-osrexit-repatch.js: Added.
141         (foo):
142
143 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
144
145         [JSC] imports-oom.js intermittently fails
146         https://bugs.webkit.org/show_bug.cgi?id=196373
147
148         Reviewed by Saam Barati.
149
150         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
151         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
152         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
153         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
154         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
155
156         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
157         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
158
159         * wasm/lowExecutableMemory/imports-oom.js:
160
161 2019-03-27  Saam Barati  <sbarati@apple.com>
162
163         validateOSREntryValue with Int52 should box the value being checked into double format
164         https://bugs.webkit.org/show_bug.cgi?id=196313
165         <rdar://problem/49306703>
166
167         Reviewed by Yusuke Suzuki.
168
169         * stress/validate-int-52-ai-state.js: Added.
170
171 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
172
173         [JSC] Owner of watchpoints should validate at GC finalizing phase
174         https://bugs.webkit.org/show_bug.cgi?id=195827
175
176         Reviewed by Filip Pizlo.
177
178         * stress/gc-should-reap-dead-watchpoints.js: Added.
179         (foo):
180         (A.prototype.y):
181         (A):
182
183 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
184
185         Skip WebAssembly test on 32-bit systems
186         https://bugs.webkit.org/show_bug.cgi?id=196206
187
188         Reviewed by Saam Barati.
189
190         Invoking runDefault executes test immediately even though
191         that test should be skipped due to missing WASM support.
192         Therefore remove runDefault.
193
194         * wasm/regress/web-assembly-link-error-exception-check.js:
195
196 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
197
198         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
199         https://bugs.webkit.org/show_bug.cgi?id=196217
200
201         Reviewed by Saam Barati.
202
203         Re-enable all NaN tests for f32.min, f64.min and f64.max.
204
205         * wasm/spec-tests/f32.wast.js:
206         * wasm/spec-tests/f64.wast.js:
207         * wasm/wasm.json:
208
209 2019-03-25  Keith Miller  <keith_miller@apple.com>
210
211         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
212         https://bugs.webkit.org/show_bug.cgi?id=196176
213
214         Reviewed by Saam Barati.
215
216         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
217         (main.v10):
218         (main):
219
220 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
221
222         WebAssembly: f32.max with NaN generates incorrect result
223         https://bugs.webkit.org/show_bug.cgi?id=175691
224         <rdar://problem/33952228>
225
226         Reviewed by Saam Barati.
227
228         Enable all f32.max NaN tests
229
230         * wasm/spec-tests/f32.wast.js:
231         * wasm/wasm.json:
232
233 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
234
235         [JSC] Move test into directory for WASM tests
236         https://bugs.webkit.org/show_bug.cgi?id=196187
237
238         Reviewed by Mark Lam.
239
240         Move Test into wasm-directory. Otherwise this test
241         is also executed on systems without WASM support.
242
243         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
244
245 2019-03-23  Mark Lam  <mark.lam@apple.com>
246
247         Rolling out r243032 and r243071 because the fix is incorrect.
248         https://bugs.webkit.org/show_bug.cgi?id=195892
249         <rdar://problem/48981239>
250
251         Not reviewed.
252
253         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
254
255 2019-03-22  Mark Lam  <mark.lam@apple.com>
256
257         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
258         https://bugs.webkit.org/show_bug.cgi?id=196154
259         <rdar://problem/49145307>
260
261         Reviewed by Filip Pizlo.
262
263         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
264         There's no need to run this test on more than 1 test configuration.
265
266         * stress/typed-array-lastIndexOf-exception-check.js: Added.
267         * stress/web-assembly-link-error-exception-check.js:
268
269 2019-03-22  Mark Lam  <mark.lam@apple.com>
270
271         Placate exception check validation in constructJSWebAssemblyLinkError().
272         https://bugs.webkit.org/show_bug.cgi?id=196152
273         <rdar://problem/49145257>
274
275         Reviewed by Michael Saboff.
276
277         * stress/web-assembly-link-error-exception-check.js: Added.
278
279 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
280
281         Skip tests running out of memory on ARM/MIPS
282         https://bugs.webkit.org/show_bug.cgi?id=196131
283
284         Unreviewed. Skip test if memory is limited.
285
286         * microbenchmarks/put-by-val-direct-large-index.js:
287
288 2019-03-21  Mark Lam  <mark.lam@apple.com>
289
290         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
291         https://bugs.webkit.org/show_bug.cgi?id=196116
292         <rdar://problem/48976951>
293
294         Reviewed by Filip Pizlo.
295
296         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
297
298 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
299
300         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
301         https://bugs.webkit.org/show_bug.cgi?id=196078
302         <rdar://problem/35925380>
303
304         Reviewed by Mark Lam.
305
306         Add a new benchmark that allocates several objects and invokes put_by_val_direct
307         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
308
309         * microbenchmarks/put-by-val-direct-large-index.js: Added.
310
311 2019-03-21  Mark Lam  <mark.lam@apple.com>
312
313         Placate exception check validation in operationArrayIndexOfString().
314         https://bugs.webkit.org/show_bug.cgi?id=196067
315         <rdar://problem/49056572>
316
317         Reviewed by Michael Saboff.
318
319         * stress/string-equal-exception-check.js: Added.
320
321 2019-03-21  Mark Lam  <mark.lam@apple.com>
322
323         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
324         https://bugs.webkit.org/show_bug.cgi?id=196055
325         <rdar://problem/49067448>
326
327         Reviewed by Yusuke Suzuki.
328
329         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
330
331 2019-03-20  Saam Barati  <sbarati@apple.com>
332
333         typeOfDoubleSum is wrong for when NaN can be produced
334         https://bugs.webkit.org/show_bug.cgi?id=196030
335
336         Reviewed by Filip Pizlo.
337
338         * stress/double-add-sub-mul-can-produce-nan.js: Added.
339         (assert):
340         (noInline.sub):
341         (noInline):
342         (assert.mul):
343         (assert.add):
344
345 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
346
347         Update the test to ensure OutOfMemoryError is thrown as intended
348         https://bugs.webkit.org/show_bug.cgi?id=196032
349         <rdar://problem/46842740>
350
351         Rubber stamped by Saam Barati.
352
353         * stress/create-error-out-of-memory-rope-string.js:
354         (assert):
355         (catch):
356
357 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
358
359         JSC::createError needs to check for OOM in errorDescriptionForValue
360         https://bugs.webkit.org/show_bug.cgi?id=196032
361         <rdar://problem/46842740>
362
363         Reviewed by Mark Lam.
364
365         * stress/create-error-out-of-memory-rope-string.js: Added.
366
367 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
368
369         Unreviewed, reduce # of iterations to avoid timing out after r242991
370         https://bugs.webkit.org/show_bug.cgi?id=195791
371
372         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
373
374         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
375
376 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
377
378         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
379         https://bugs.webkit.org/show_bug.cgi?id=195950
380
381         Unreviewed, reducing the amount of memory used on this test to avoid
382         OOM on devices with memory restrictions.
383
384         * microbenchmarks/generate-multiple-llint-entrypoints.js:
385
386 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
387
388         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
389         https://bugs.webkit.org/show_bug.cgi?id=194648
390
391         Reviewed by Keith Miller.
392
393         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
394
395 2019-03-18  Mark Lam  <mark.lam@apple.com>
396
397         Missing a ThrowScope release in JSObject::toString().
398         https://bugs.webkit.org/show_bug.cgi?id=195893
399         <rdar://problem/48970986>
400
401         Reviewed by Michael Saboff.
402
403         * stress/to-string-exception-check-release.js: Added.
404
405 2019-03-18  Mark Lam  <mark.lam@apple.com>
406
407         Structure::flattenDictionary() should clear unused property slots.
408         https://bugs.webkit.org/show_bug.cgi?id=195871
409         <rdar://problem/48959497>
410
411         Reviewed by Michael Saboff.
412
413         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
414
415 2019-03-15  Mark Lam  <mark.lam@apple.com>
416
417         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
418         https://bugs.webkit.org/show_bug.cgi?id=195827
419         <rdar://problem/48845513>
420
421         Reviewed by Filip Pizlo.
422
423         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
424
425 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
426
427         [ARM,MIPS] Skip slow tests
428         https://bugs.webkit.org/show_bug.cgi?id=195799
429
430         Unreviewed, test does not finish on ARM and MIPS within the
431         timeout limit.
432
433         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
434
435 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
436
437         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
438         https://bugs.webkit.org/show_bug.cgi?id=195791
439         <rdar://problem/48806130>
440
441         Reviewed by Mark Lam.
442
443         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
444         (foo):
445
446 2019-03-14  Saam barati  <sbarati@apple.com>
447
448         We can't remove code after ForceOSRExit until after FixupPhase
449         https://bugs.webkit.org/show_bug.cgi?id=186916
450         <rdar://problem/41396612>
451
452         Reviewed by Yusuke Suzuki.
453
454         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
455         (foo):
456         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
457         (foo):
458
459 2019-03-13  Michael Saboff  <msaboff@apple.com>
460
461         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
462         https://bugs.webkit.org/show_bug.cgi?id=195735
463
464         Reviewed by Mark Lam.
465
466         New regression test.
467
468         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
469         (foo):
470         (bar):
471
472 2019-03-14  Saam barati  <sbarati@apple.com>
473
474         Fixup uses KnownInt32 incorrectly in some nodes
475         https://bugs.webkit.org/show_bug.cgi?id=195279
476         <rdar://problem/47915654>
477
478         Reviewed by Yusuke Suzuki.
479
480         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
481         (foo):
482
483 2019-03-14  Keith Miller  <keith_miller@apple.com>
484
485         DFG liveness can't skip tail caller inline frames
486         https://bugs.webkit.org/show_bug.cgi?id=195715
487
488         Reviewed by Saam Barati.
489
490         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
491         (i.foo):
492
493 2019-03-13  Mark Lam  <mark.lam@apple.com>
494
495         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
496         https://bugs.webkit.org/show_bug.cgi?id=195415
497
498         Not reviewed.
499
500         Changed these tests to only run the default configuration.
501         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
502         There's no strong need to run this test on that variant.
503
504         * stress/dfg-to-string-on-int-does-gc.js:
505         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
506
507 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
508
509         String overflow when using StringBuilder in JSC::createError
510         https://bugs.webkit.org/show_bug.cgi?id=194957
511
512         Reviewed by Mark Lam.
513
514         Add test string-overflow-createError-builder.js that overflows
515         StringBuilder in notAFunctionSourceAppender. The second new test
516         string-overflow-createError-fit.js has an error message that doesn't
517         overflow, it still failed since the String's capacity can't be doubled.
518         Run test string-overflow-createError.js only in the default
519         configuration to reduce memory consumption when running the test
520         in all configurations on multiple CPUs in parallel.
521
522         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
523         (catch):
524         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
525         (catch):
526         * stress/string-overflow-createError.js:
527
528 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
529
530         [JSC] OSR entry should respect abstract values in addition to flush formats
531         https://bugs.webkit.org/show_bug.cgi?id=195653
532
533         Reviewed by Mark Lam.
534
535         * stress/osr-entry-locals-none.js: Added.
536
537 2019-03-12  Michael Saboff  <msaboff@apple.com>
538
539         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
540         https://bugs.webkit.org/show_bug.cgi?id=195613
541
542         Reviewed by Mark Lam.
543
544         New regression test.
545
546         * stress/regexp-backref-inbounds.js: Added.
547         (testRegExp):
548
549 2019-03-12  Mark Lam  <mark.lam@apple.com>
550
551         The HasIndexedProperty node does GC.
552         https://bugs.webkit.org/show_bug.cgi?id=195559
553         <rdar://problem/48767923>
554
555         Reviewed by Yusuke Suzuki.
556
557         * stress/HasIndexedProperty-does-gc.js: Added.
558
559 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
560
561         [ESNext][BigInt] Implement "~" unary operation
562         https://bugs.webkit.org/show_bug.cgi?id=182216
563
564         Reviewed by Keith Miller.
565
566         * stress/big-int-bit-not-general.js: Added.
567         * stress/big-int-bitwise-not-jit.js: Added.
568         * stress/big-int-bitwise-not-wrapped-value.js: Added.
569         * stress/bit-op-with-object-returning-int32.js:
570         * stress/bitwise-not-fixup-rules.js: Added.
571         * stress/value-bit-not-ai-rule.js: Added.
572
573 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
574
575         Invalid flags in a RegExp literal should be an early SyntaxError
576         https://bugs.webkit.org/show_bug.cgi?id=195514
577
578         Reviewed by Darin Adler.
579
580         * test262/expectations.yaml:
581         Mark 4 test cases as passing.
582
583         * stress/regexp-syntax-error-invalid-flags.js:
584         * stress/regress-161995.js: Removed.
585         Update existing test, merging in an older test for the same behavior.
586
587 2019-03-08  Mark Lam  <mark.lam@apple.com>
588
589         Stack overflow crash in JSC::JSObject::hasInstance.
590         https://bugs.webkit.org/show_bug.cgi?id=195458
591         <rdar://problem/48710195>
592
593         Reviewed by Yusuke Suzuki.
594
595         * stress/stack-overflow-in-custom-hasInstance.js: Added.
596
597 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
598
599         op_check_tdz does not def its argument
600         https://bugs.webkit.org/show_bug.cgi?id=192880
601         <rdar://problem/46221598>
602
603         Reviewed by Saam Barati.
604
605         * microbenchmarks/let-for-in.js: Added.
606         (foo):
607
608 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
611         https://bugs.webkit.org/show_bug.cgi?id=195429
612
613         Reviewed by Saam Barati.
614
615         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
616         (foo):
617         * stress/string-from-char-code-255.js: Added.
618
619 2019-03-06  Mark Lam  <mark.lam@apple.com>
620
621         Fix incorrect handling of try-finally completion values.
622         https://bugs.webkit.org/show_bug.cgi?id=195131
623         <rdar://problem/46222079>
624
625         Reviewed by Saam Barati and Yusuke Suzuki.
626
627         Added many permutations of new test case to test-finally.js.  test-finally.js has
628         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
629         tests pass there as well.
630
631         * stress/test-finally.js:
632
633 2019-03-06  Saam Barati  <sbarati@apple.com>
634
635         Air::reportUsedRegisters must padInterference
636         https://bugs.webkit.org/show_bug.cgi?id=195303
637         <rdar://problem/48270343>
638
639         Reviewed by Keith Miller.
640
641         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
642
643 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         [JSC] AI should not propagate AbstractValue relying on constant folding phase
646         https://bugs.webkit.org/show_bug.cgi?id=195375
647
648         Reviewed by Saam Barati.
649
650         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
651         (let.array):
652
653 2019-03-05  Saam barati  <sbarati@apple.com>
654
655         op_switch_char broken for rope strings after JSRopeString layout rewrite
656         https://bugs.webkit.org/show_bug.cgi?id=195339
657         <rdar://problem/48592545>
658
659         Reviewed by Yusuke Suzuki.
660
661         * stress/switch-on-char-llint-rope.js: Added.
662
663 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
664
665         [JSC] Store bits for JSRopeString in 3 stores
666         https://bugs.webkit.org/show_bug.cgi?id=195234
667
668         Reviewed by Saam Barati.
669
670         * stress/null-rope-and-collectors.js: Added.
671
672 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
673
674         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
675         https://bugs.webkit.org/show_bug.cgi?id=195207
676
677         Unreviewed. After test runtime was reduced in r242213, test can be
678         run again on ARM/MIPS.
679
680         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
681
682 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
683
684         [JSC] sizeof(JSString) should be 16
685         https://bugs.webkit.org/show_bug.cgi?id=194375
686
687         Reviewed by Saam Barati.
688
689         * microbenchmarks/make-rope.js: Added.
690         (makeRope):
691         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
692         (returnRope.helper): Deleted.
693         (returnRope): Deleted.
694
695 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
696
697         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
698         https://bugs.webkit.org/show_bug.cgi?id=195144
699
700         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
701         Change the number from 1e8 to 1e5.
702
703         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
704         (foo):
705
706 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
707
708         Test times out on ARM/MIPS
709         https://bugs.webkit.org/show_bug.cgi?id=195168
710
711         Unreviewed. Skip test on ARM/MIPS.
712
713         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
714
715 2019-02-27  Mark Lam  <mark.lam@apple.com>
716
717         The parser is failing to record the token location of new in new.target.
718         https://bugs.webkit.org/show_bug.cgi?id=195127
719         <rdar://problem/39645578>
720
721         Reviewed by Yusuke Suzuki.
722
723         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
724
725 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
726
727         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
728         https://bugs.webkit.org/show_bug.cgi?id=195144
729         <rdar://problem/47595961>
730
731         Reviewed by Mark Lam.
732
733         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
734         (bar):
735         (foo):
736         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
737         (bar):
738         (foo):
739
740 2019-02-27  Robin Morisset  <rmorisset@apple.com>
741
742         DFG: Loop-invariant code motion (LICM) should not hoist dead code
743         https://bugs.webkit.org/show_bug.cgi?id=194945
744         <rdar://problem/48311657>
745
746         Reviewed by Mark Lam.
747
748         * stress/licm-dead-code.js: Added.
749
750 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
751
752         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
753         https://bugs.webkit.org/show_bug.cgi?id=194677
754         <rdar://problem/48112492>
755
756         Reviewed by Mark Lam.
757
758         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
759         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
760         it immediately fails due to the large size.
761
762         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
763         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
764         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
765         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
766
767         This patch changes the test to produce 16bit string from String.fromCharCode.
768
769         * stress/regress-178386.js:
770
771 2019-02-26  Mark Lam  <mark.lam@apple.com>
772
773         wasmToJS() should purify incoming NaNs.
774         https://bugs.webkit.org/show_bug.cgi?id=194807
775         <rdar://problem/48189132>
776
777         Reviewed by Saam Barati.
778
779         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
780
781 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
782
783         [JSC] Repeat string created from Array.prototype.join() take too much memory
784         https://bugs.webkit.org/show_bug.cgi?id=193912
785
786         Reviewed by Saam Barati.
787
788         Added a test and a microbenchmark for corner cases of
789         Array.prototype.join() with an uninitialized array.
790
791         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
792         * stress/array-prototype-join-uninitialized.js: Added.
793         (testArray):
794         (testABC):
795         (B):
796         (C):
797
798 2019-02-22  Robin Morisset  <rmorisset@apple.com>
799
800         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
801         https://bugs.webkit.org/show_bug.cgi?id=194953
802         <rdar://problem/47595253>
803
804         Reviewed by Saam Barati.
805
806         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
807
808         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
809
810 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
811
812         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
813         https://bugs.webkit.org/show_bug.cgi?id=172848
814         <rdar://problem/25709212>
815
816         Reviewed by Mark Lam.
817
818         * typeProfiler/inheritance.js:
819         Rewrite the test slightly for clarity. The hoisting was confusing.
820
821         * heapProfiler/class-names.js: Added.
822         (MyES5Class):
823         (MyES6Class):
824         (MyES6Subclass):
825         Test object types and improved class names.
826
827         * heapProfiler/driver/driver.js:
828         (CheapHeapSnapshotNode):
829         (CheapHeapSnapshot):
830         (createCheapHeapSnapshot):
831         (HeapSnapshot):
832         (createHeapSnapshot):
833         Update snapshot parsing from version 1 to version 2.
834
835 2019-02-19  Truitt Savell  <tsavell@apple.com>
836
837         Unreviewed, rolling out r241784.
838
839         Broke all OpenSource builds.
840
841         Reverted changeset:
842
843         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
844         instances view"
845         https://bugs.webkit.org/show_bug.cgi?id=172848
846         https://trac.webkit.org/changeset/241784
847
848 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
849
850         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
851         https://bugs.webkit.org/show_bug.cgi?id=172848
852         <rdar://problem/25709212>
853
854         Reviewed by Mark Lam.
855
856         * typeProfiler/inheritance.js:
857         Rewrite the test slightly for clarity. The hoisting was confusing.
858
859         * heapProfiler/class-names.js: Added.
860         (MyES5Class):
861         (MyES6Class):
862         (MyES6Subclass):
863         Test object types and improved class names.
864
865         * heapProfiler/driver/driver.js:
866         (CheapHeapSnapshotNode):
867         (CheapHeapSnapshot):
868         (createCheapHeapSnapshot):
869         (HeapSnapshot):
870         (createHeapSnapshot):
871         Update snapshot parsing from version 1 to version 2.
872
873 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
874
875         [ARM] Fix crash with sampling profiler
876         https://bugs.webkit.org/show_bug.cgi?id=194772
877
878         Reviewed by Mark Lam.
879
880         Do not skip test since crash with sampling profiler is now fixed.
881
882         * stress/sampling-profiler-richards.js:
883
884 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
885
886         [JSC] Add LazyClassStructure::getInitializedOnMainThread
887         https://bugs.webkit.org/show_bug.cgi?id=194784
888         <rdar://problem/48154820>
889
890         Reviewed by Mark Lam.
891
892         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
893         (getProperties):
894         (getRandomProperty):
895         (i.catch):
896
897 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
898
899         [ARM] Test gardening: Test running out of executable memory
900         https://bugs.webkit.org/show_bug.cgi?id=194771
901
902         Unreviewed. Do not run test without LLInt, test is running out of executable
903         memory on ARM otherwise.
904
905         * stress/tagged-template-object-collect.js:
906
907 2019-02-18  Tomas Popela  <tpopela@redhat.com>
908
909         Unreviewed, skip the test on platforms without sampling profiler
910
911         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
912         (platformSupportsSamplingProfiler.foo):
913         (platformSupportsSamplingProfiler.test):
914         (platformSupportsSamplingProfiler):
915         (foo): Deleted.
916         (test): Deleted.
917
918 2019-02-17  Saam Barati  <sbarati@apple.com>
919
920         Deadlock when adding a Structure property transition and then doing incremental marking
921         https://bugs.webkit.org/show_bug.cgi?id=194767
922
923         Reviewed by Mark Lam.
924
925         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
926
927 2019-02-15  Michael Saboff  <msaboff@apple.com>
928
929         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
930         https://bugs.webkit.org/show_bug.cgi?id=194558
931
932         Reviewed by Saam Barati.
933
934         New regression test.
935
936         * stress/regexp-unicode-within-string.js: Added.
937
938 2019-02-15  Mark Lam  <mark.lam@apple.com>
939
940         SamplingProfiler::stackTracesAsJSON() should escape strings.
941         https://bugs.webkit.org/show_bug.cgi?id=194649
942         <rdar://problem/48072386>
943
944         Reviewed by Saam Barati.
945
946         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
947         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
948         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
949         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
950
951 2019-02-15  Robin Morisset  <rmorisset@apple.com>
952         CodeBlock::jettison should clear related watchpoints
953         https://bugs.webkit.org/show_bug.cgi?id=194544
954
955         Reviewed by Mark Lam.
956
957         * stress/regexp-replace-double-watchpoint.js: Added.
958         (foo):
959
960 2019-02-15  Saam barati  <sbarati@apple.com>
961
962         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
963         https://bugs.webkit.org/show_bug.cgi?id=194036
964
965         Reviewed by Yusuke Suzuki.
966
967         * stress/tail-call-many-arguments.js: Added.
968         (foo):
969         (bar):
970
971 2019-02-14  Saam Barati  <sbarati@apple.com>
972
973         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
974         https://bugs.webkit.org/show_bug.cgi?id=194583
975         <rdar://problem/48028140>
976
977         Reviewed by Yusuke Suzuki.
978
979         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
980
981 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
982
983         [JSC] String.fromCharCode's slow path always generates 16bit string
984         https://bugs.webkit.org/show_bug.cgi?id=194466
985
986         Reviewed by Keith Miller.
987
988         * stress/string-from-char-code-slow-path.js: Added.
989         (shouldBe):
990         (testWithLength):
991
992 2019-02-08  Saam barati  <sbarati@apple.com>
993
994         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
995         https://bugs.webkit.org/show_bug.cgi?id=194334
996         <rdar://problem/47844327>
997
998         Reviewed by Mark Lam.
999
1000         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1001         (func):
1002
1003 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1004
1005         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1006         https://bugs.webkit.org/show_bug.cgi?id=194369
1007         <rdar://problem/47813087>
1008
1009         Reviewed by Saam Barati.
1010
1011         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1012         (A):
1013
1014 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1015
1016         [JSC] PrivateName to PublicName hash table is wasteful
1017         https://bugs.webkit.org/show_bug.cgi?id=194277
1018
1019         Reviewed by Michael Saboff.
1020
1021         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1022
1023         * ChakraCore.yaml:
1024
1025 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1026
1027         [ARM] Test running out of executable memory
1028         https://bugs.webkit.org/show_bug.cgi?id=194285
1029
1030         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1031         executable memory otherwise.
1032
1033         * stress/class-subclassing-function.js:
1034
1035 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1036
1037         when lowering AssertNotEmpty, create the value before creating the patchpoint
1038         https://bugs.webkit.org/show_bug.cgi?id=194231
1039
1040         Reviewed by Saam Barati.
1041
1042         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1043         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
1044         So even tiny changes to this test can change the code path taken.
1045
1046         * stress/assert-not-empty.js: Added.
1047         (foo):
1048
1049 2019-02-01  Mark Lam  <mark.lam@apple.com>
1050
1051         Remove invalid assertion in DFG's compileDoubleRep().
1052         https://bugs.webkit.org/show_bug.cgi?id=194130
1053         <rdar://problem/47699474>
1054
1055         Reviewed by Saam Barati.
1056
1057         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1058
1059 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1060
1061         Import latest Test262 updates.
1062
1063         Rubber-stamped by Keith Miller.
1064
1065         * test262.yaml: Deleted.
1066         * test262/config.yaml:
1067         * test262/expectations.yaml:
1068         * test262/latest-changes-summary.txt:
1069         * test262/test/:
1070         * test262/test262-Revision.txt:
1071
1072 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1073
1074         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1075         https://bugs.webkit.org/show_bug.cgi?id=194050
1076         <rdar://problem/47595592>
1077
1078         Reviewed by Yusuke Suzuki.
1079
1080         * stress/object-keys-osr-exit.js: Added.
1081         (foo):
1082         (catch):
1083
1084 2019-01-29  Mark Lam  <mark.lam@apple.com>
1085
1086         ValueRecovery::recover() should purify NaN values it recovers.
1087         https://bugs.webkit.org/show_bug.cgi?id=193978
1088         <rdar://problem/47625488>
1089
1090         Reviewed by Saam Barati.
1091
1092         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1093
1094 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1095
1096         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1097         https://bugs.webkit.org/show_bug.cgi?id=193713
1098
1099         * stress/try-get-by-id-should-spill-registers-dfg.js:
1100         (let.f.createBuiltin):
1101
1102 2019-01-28  Mark Lam  <mark.lam@apple.com>
1103
1104         ToString node actually does GC.
1105         https://bugs.webkit.org/show_bug.cgi?id=193920
1106         <rdar://problem/46695900>
1107
1108         Reviewed by Yusuke Suzuki.
1109
1110         * stress/dfg-to-string-on-int-does-gc.js: Added.
1111         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1112         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1113
1114 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1115
1116         [JSC] NativeErrorConstructor should not have own IsoSubspace
1117         https://bugs.webkit.org/show_bug.cgi?id=193713
1118
1119         Reviewed by Saam Barati.
1120
1121         Remove @Error use.
1122
1123         * stress/try-get-by-id-should-spill-registers-dfg.js:
1124         (let.f.createBuiltin):
1125
1126 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1127
1128         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1129         https://bugs.webkit.org/show_bug.cgi?id=190693
1130
1131         Reviewed by Michael Saboff.
1132
1133         * stress/regress-190693.js: Added.
1134         (truth):
1135         (assert):
1136         (shouldThrowInvalidConstAssignment):
1137         (taz):
1138
1139 2019-01-24  Saam Barati  <sbarati@apple.com>
1140
1141         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1142         https://bugs.webkit.org/show_bug.cgi?id=193751
1143         <rdar://problem/47280215>
1144
1145         Reviewed by Michael Saboff.
1146
1147         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1148         (let.thing):
1149         (foo.let.hello):
1150         (foo):
1151
1152 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1153
1154         [JSC] Reenable baseline JIT on mips
1155         https://bugs.webkit.org/show_bug.cgi?id=192983
1156
1157         Reviewed by Mark Lam.
1158
1159         Added a new test for a case that was triggering a RELEASE_ASSERT when
1160         testing.
1161         Disable some slow tests that were already disabled for arm and x86.
1162
1163         * stress/json-parse-big-object.js: Added.
1164         * stress/new-largeish-contiguous-array-with-size.js:
1165         * stress/op_add.js:
1166         * stress/op_bitand.js:
1167         * stress/op_bitor.js:
1168         * stress/op_bitxor.js:
1169         * stress/op_lshift-ConstVar.js:
1170         * stress/op_lshift-VarConst.js:
1171         * stress/op_lshift-VarVar.js:
1172         * stress/op_mod-ConstVar.js:
1173         * stress/op_mod-VarConst.js:
1174         * stress/op_mod-VarVar.js:
1175         * stress/op_mul-ConstVar.js:
1176         * stress/op_mul-VarConst.js:
1177         * stress/op_mul-VarVar.js:
1178         * stress/op_rshift-ConstVar.js:
1179         * stress/op_rshift-VarConst.js:
1180         * stress/op_rshift-VarVar.js:
1181         * stress/op_sub-ConstVar.js:
1182         * stress/op_sub-VarConst.js:
1183         * stress/op_sub-VarVar.js:
1184         * stress/op_urshift-ConstVar.js:
1185         * stress/op_urshift-VarConst.js:
1186         * stress/op_urshift-VarVar.js:
1187         * stress/sampling-profiler-richards.js:
1188         * stress/spread-forward-call-varargs-stack-overflow.js:
1189
1190 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1191
1192         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1193         https://bugs.webkit.org/show_bug.cgi?id=193711
1194         <rdar://problem/47250262>
1195
1196         Reviewed by Saam Barati.
1197
1198         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1199         (shouldBe):
1200         (foo):
1201         (bar):
1202         (baz):
1203
1204 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1205
1206         Unreviewed, fix initial global lexical binding epoch
1207         https://bugs.webkit.org/show_bug.cgi?id=193603
1208         <rdar://problem/47380869>
1209
1210         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1211         (f1.f2.f3.f4):
1212         (f1.f2.f3):
1213         (f1.f2):
1214         (f1):
1215
1216 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1217
1218         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1219         https://bugs.webkit.org/show_bug.cgi?id=193709
1220         <rdar://problem/47363838>
1221
1222         Unreviewed, rollout to watch the tests.
1223
1224         * stress/object-tostring-changed-proto.js: Removed.
1225         * stress/object-tostring-changed.js: Removed.
1226         * stress/object-tostring-misc.js: Removed.
1227         * stress/object-tostring-other.js: Removed.
1228         * stress/object-tostring-untyped.js: Removed.
1229
1230 2019-01-22  Saam Barati  <sbarati@apple.com>
1231
1232         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1233
1234         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1235         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1236         (testUncheckedLessThanZero):
1237         (testUncheckedLessThanOrEqualZero):
1238         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1239         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1240
1241 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1242
1243         [JSC] Invalidate old scope operations using global lexical binding epoch
1244         https://bugs.webkit.org/show_bug.cgi?id=193603
1245         <rdar://problem/47380869>
1246
1247         Reviewed by Saam Barati.
1248
1249         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1250         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1251         (shouldThrow):
1252         (bar):
1253         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1254         (shouldBe):
1255         (get1):
1256         (get2):
1257         (get1If):
1258         (get2If):
1259         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1260         (shouldThrow):
1261         (foo):
1262
1263 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1264
1265         Unreviewed, roll out r240220 due to date-format-xparb regression
1266         https://bugs.webkit.org/show_bug.cgi?id=193603
1267
1268         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1269         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1270         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1271         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1272
1273 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1274
1275         DoesGC rule is wrong for nodes with BigIntUse
1276         https://bugs.webkit.org/show_bug.cgi?id=193652
1277
1278         Reviewed by Saam Barati.
1279
1280         * stress/big-int-value-op-update-gc-rules.js: Added.
1281         (assert):
1282         (doesGCAdd):
1283         (doesGCSub):
1284         (doesGCDiv):
1285         (doesGCMul):
1286         (doesGCBitAnd):
1287         (doesGCBitOr):
1288         (doesGCBitXor):
1289
1290 2019-01-20  Saam Barati  <sbarati@apple.com>
1291
1292         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1293         https://bugs.webkit.org/show_bug.cgi?id=193644
1294         <rdar://problem/46209745>
1295
1296         Reviewed by Yusuke Suzuki.
1297
1298         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1299         (foo):
1300         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1301         (foo):
1302         (bar):
1303
1304 2019-01-20  Saam Barati  <sbarati@apple.com>
1305
1306         MovHint must merge NodeBytecodeUsesAsValue for its child
1307         https://bugs.webkit.org/show_bug.cgi?id=186916
1308         <rdar://problem/41396612>
1309
1310         Reviewed by Yusuke Suzuki.
1311
1312         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1313         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1314
1315 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1316
1317         [JSC] Invalidate old scope operations using global lexical binding epoch
1318         https://bugs.webkit.org/show_bug.cgi?id=193603
1319         <rdar://problem/47380869>
1320
1321         Reviewed by Saam Barati.
1322
1323         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1324         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1325         (shouldThrow):
1326         (bar):
1327         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1328         (shouldBe):
1329         (get1):
1330         (get2):
1331         (get1If):
1332         (get2If):
1333         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1334         (shouldThrow):
1335         (foo):
1336
1337 2019-01-17  Saam barati  <sbarati@apple.com>
1338
1339         StringObjectUse should not be a structure check for the original string object structure
1340         https://bugs.webkit.org/show_bug.cgi?id=193483
1341         <rdar://problem/47280522>
1342
1343         Reviewed by Yusuke Suzuki.
1344
1345         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1346         (foo):
1347         (a.valueOf.0):
1348
1349 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1350
1351         [JSC] ToThis omission in DFGByteCodeParser is wrong
1352         https://bugs.webkit.org/show_bug.cgi?id=193513
1353         <rdar://problem/45842236>
1354
1355         Reviewed by Saam Barati.
1356
1357         * stress/to-this-omission-with-different-strict-modes.js: Added.
1358         (thisA):
1359         (thisAStrictWrapper):
1360
1361 2019-01-15  Mark Lam  <mark.lam@apple.com>
1362
1363         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1364         https://bugs.webkit.org/show_bug.cgi?id=193423
1365         <rdar://problem/46209355>
1366
1367         Reviewed by Saam Barati.
1368
1369         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1370         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1371         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1372         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1373
1374 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1375
1376         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1377         https://bugs.webkit.org/show_bug.cgi?id=193438
1378         <rdar://problem/45581249>
1379
1380         Reviewed by Saam Barati and Keith Miller.
1381
1382         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1383         Then, GetByVal(String) crashed.
1384
1385         * stress/string-get-by-val-lowering.js: Added.
1386         (shouldBe):
1387         (test):
1388         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1389         (Hello):
1390         (foo):
1391
1392 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1393
1394         Unreviewed, skip JIT tests if it's not enabled
1395
1396         * stress/bit-op-with-object-returning-int32.js:
1397
1398 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1399
1400         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1401         https://bugs.webkit.org/show_bug.cgi?id=192966
1402
1403         Reviewed by Yusuke Suzuki.
1404
1405         * stress/bit-op-with-object-returning-int32.js: Added.
1406
1407 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1408
1409         Skip a slow test and a flakey test on arm
1410
1411         Unreviewed gardening.
1412
1413         * typeProfiler/getter-richards.js:
1414         this test always times out, it used to be always skipped on arm and
1415         mips, but got accidentally enabled by r237919 now that we have DFG on
1416         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1417
1418 2019-01-14  Keith Miller  <keith_miller@apple.com>
1419
1420         Skip type-check-hoisting-phase-hoist... with no jit
1421         https://bugs.webkit.org/show_bug.cgi?id=193421
1422
1423         Reviewed by Mark Lam.
1424
1425         It's timing out the 32-bit bots and takes 330 seconds
1426         on my machine when run by itself.
1427
1428         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1429
1430 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1431
1432         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1433         https://bugs.webkit.org/show_bug.cgi?id=193413
1434         <rdar://problem/46092389>
1435
1436         Reviewed by Keith Miller.
1437
1438         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1439         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1440         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1441         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1442
1443         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1444         (compareArray):
1445
1446 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1447
1448         [BigInt] Literal parsing is crashing when used inside a Object Literal
1449         https://bugs.webkit.org/show_bug.cgi?id=193404
1450
1451         Reviewed by Yusuke Suzuki.
1452
1453         * stress/big-int-literal-inside-literal-object.js: Added.
1454
1455 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1456
1457         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1458         https://bugs.webkit.org/show_bug.cgi?id=193372
1459
1460         Reviewed by Saam Barati.
1461
1462         * stress/typed-array-array-modes-profile.js: Added.
1463         (foo):
1464
1465 2019-01-14  Mark Lam  <mark.lam@apple.com>
1466
1467         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1468         https://bugs.webkit.org/show_bug.cgi?id=193402
1469         <rdar://problem/46012309>
1470
1471         Reviewed by Keith Miller.
1472
1473         * stress/regexp-compile-oom.js:
1474         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1475           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1476
1477 2019-01-11  Saam barati  <sbarati@apple.com>
1478
1479         DFG combined liveness can be wrong for terminal basic blocks
1480         https://bugs.webkit.org/show_bug.cgi?id=193304
1481         <rdar://problem/45268632>
1482
1483         Reviewed by Yusuke Suzuki.
1484
1485         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1486
1487 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1488
1489         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1490         https://bugs.webkit.org/show_bug.cgi?id=193308
1491         <rdar://problem/45546542>
1492
1493         Reviewed by Saam Barati.
1494
1495         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1496         (shouldThrow):
1497         (shouldBe):
1498         (foo):
1499         (get shouldThrow):
1500         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1501         (shouldThrow):
1502         (shouldBe):
1503         (foo):
1504         (get shouldBe):
1505         (get shouldThrow):
1506         (get return):
1507         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1508         (shouldThrow):
1509         (shouldBe):
1510         (foo):
1511         (get shouldBe):
1512         (get shouldThrow):
1513         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1514         (shouldThrow):
1515         (shouldBe):
1516         (foo):
1517         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1518         (shouldThrow):
1519         (shouldBe):
1520         (foo):
1521         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1522         (shouldThrow):
1523         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1524         (shouldThrow):
1525         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1526         (shouldThrow):
1527         (shouldBe):
1528         (foo):
1529         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1530         (shouldThrow):
1531         (shouldBe):
1532         (foo):
1533         (get shouldBe):
1534         (get shouldThrow):
1535         (get return):
1536         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1537         (shouldThrow):
1538         (shouldBe):
1539         (foo):
1540         (get shouldBe):
1541         (get shouldThrow):
1542         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1543         (shouldThrow):
1544         (shouldBe):
1545         (foo):
1546         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1547         (shouldThrow):
1548         (shouldBe):
1549         (foo):
1550
1551 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1552
1553         Enable DFG on ARM/Linux again
1554         https://bugs.webkit.org/show_bug.cgi?id=192496
1555
1556         Reviewed by Yusuke Suzuki.
1557
1558         Test wasn't really skipped before moving the line with skip
1559         to the top.
1560
1561         * stress/regress-192717.js:
1562
1563 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1564
1565         Unreviewed, rolling out r239825.
1566         https://bugs.webkit.org/show_bug.cgi?id=193330
1567
1568         Broke tests on armv7/linux bots (Requested by guijemont on
1569         #webkit).
1570
1571         Reverted changeset:
1572
1573         "Enable DFG on ARM/Linux again"
1574         https://bugs.webkit.org/show_bug.cgi?id=192496
1575         https://trac.webkit.org/changeset/239825
1576
1577 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1578
1579         Enable DFG on ARM/Linux again
1580         https://bugs.webkit.org/show_bug.cgi?id=192496
1581
1582         Reviewed by Yusuke Suzuki.
1583
1584         Test wasn't really skipped before moving the line with skip
1585         to the top.
1586
1587         * stress/regress-192717.js:
1588
1589 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1590
1591         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1592         https://bugs.webkit.org/show_bug.cgi?id=193127
1593
1594         Reviewed by Saam Barati.
1595
1596         * stress/array-species-create-should-handle-masquerader.js: Added.
1597         (shouldThrow):
1598         * stress/is-undefined-or-null-builtin.js: Added.
1599         (shouldBe):
1600         (isUndefinedOrNull.vm.createBuiltin):
1601
1602 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1603
1604         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1605         https://bugs.webkit.org/show_bug.cgi?id=193221
1606
1607         Reviewed by Mark Lam.
1608
1609         * stress/put-by-id-flags.js: Added.
1610         (f):
1611         (g):
1612         (numberOfDFGCompiles):
1613
1614 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1615
1616         Baseline version of get_by_id may corrupt metadata
1617         https://bugs.webkit.org/show_bug.cgi?id=193085
1618         <rdar://problem/23453006>
1619
1620         Reviewed by Saam Barati.
1621
1622         * stress/get-by-id-change-mode.js: Added.
1623         (forEach):
1624
1625 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1626
1627         [JSC] Optimize Object.prototype.toString
1628         https://bugs.webkit.org/show_bug.cgi?id=193031
1629
1630         Reviewed by Saam Barati.
1631
1632         * stress/object-tostring-changed-proto.js: Added.
1633         (shouldBe):
1634         (test):
1635         * stress/object-tostring-changed.js: Added.
1636         (shouldBe):
1637         (test):
1638         * stress/object-tostring-misc.js: Added.
1639         (shouldBe):
1640         (test):
1641         (i.switch):
1642         * stress/object-tostring-other.js: Added.
1643         (shouldBe):
1644         (test):
1645         * stress/object-tostring-untyped.js: Added.
1646         (shouldBe):
1647         (test):
1648         (i.switch):
1649
1650 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1651
1652         test262-runner misbehaves when test file YAML has a trailing space
1653         https://bugs.webkit.org/show_bug.cgi?id=193053
1654
1655         Reviewed by Yusuke Suzuki.
1656
1657         * test262/expectations.yaml:
1658         Mark two dozen tests as passing (and correct the output of another).
1659
1660 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1661
1662         Unreviewed, JSTests gardening with memoryLimited
1663
1664         * stress/string-overflow-createError.js:
1665
1666 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1667
1668         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1669         https://bugs.webkit.org/show_bug.cgi?id=193050
1670
1671         Reviewed by Yusuke Suzuki.
1672
1673         * test262.yaml:
1674         * test262/expectations.yaml:
1675         Mark 16 tests as passing.
1676
1677 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1678
1679         [BigInt] Support BigInt in JSON.stringify
1680         https://bugs.webkit.org/show_bug.cgi?id=192624
1681
1682         Reviewed by Saam Barati.
1683
1684         * stress/big-int-json-stringify-to-json.js: Added.
1685         (shouldBe):
1686         (shouldThrow):
1687         (BigInt.prototype.toJSON):
1688         (shouldBe.JSON.stringify):
1689         * stress/big-int-json-stringify.js: Added.
1690         (shouldBe):
1691         (shouldThrow):
1692
1693 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1694
1695         [JSC] Implement "well-formed JSON.stringify" proposal
1696         https://bugs.webkit.org/show_bug.cgi?id=191677
1697
1698         Reviewed by Darin Adler.
1699
1700         * stress/json-surrogate-pair.js: Added.
1701         (shouldBe):
1702         * test262/expectations.yaml:
1703
1704 2018-12-20  Keith Miller  <keith_miller@apple.com>
1705
1706         Add support for globalThis
1707         https://bugs.webkit.org/show_bug.cgi?id=165171
1708
1709         Reviewed by Mark Lam.
1710
1711         * test262/config.yaml:
1712
1713 2018-12-19  Keith Miller  <keith_miller@apple.com>
1714
1715         Update test262 configuration to not run tests dependent on ICU version.
1716         https://bugs.webkit.org/show_bug.cgi?id=192920
1717
1718         Reviewed by Saam Barati.
1719
1720         * test262/expectations.yaml:
1721
1722 2018-12-20  Mark Lam  <mark.lam@apple.com>
1723
1724         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1725         https://bugs.webkit.org/show_bug.cgi?id=192939
1726         <rdar://problem/46869516>
1727
1728         Reviewed by Keith Miller.
1729
1730         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1731
1732 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1733
1734         WTF::String and StringImpl overflow MaxLength
1735         https://bugs.webkit.org/show_bug.cgi?id=192853
1736         <rdar://problem/45726906>
1737
1738         Reviewed by Mark Lam.
1739
1740         * stress/string-16bit-repeat-overflow.js: Added.
1741         (catch):
1742
1743 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1744
1745         Unreviewed follow-up to r192914.
1746
1747         * test262/expectations.yaml:
1748         Add the last 20 missing expectations.
1749
1750 2018-12-19  Keith Miller  <keith_miller@apple.com>
1751
1752         Fix test262 expectations
1753         https://bugs.webkit.org/show_bug.cgi?id=192914
1754
1755         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1756
1757         * test262/expectations.yaml:
1758
1759 2018-12-19  Keith Miller  <keith_miller@apple.com>
1760
1761         Update test262 tests.
1762         https://bugs.webkit.org/show_bug.cgi?id=192907
1763
1764         Rubber stamped by Mark Lam.
1765
1766         * test262/*: Omitted because prepare-changelog crashes.
1767
1768 2018-12-19  Mark Lam  <mark.lam@apple.com>
1769
1770         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1771         https://bugs.webkit.org/show_bug.cgi?id=192464
1772         <rdar://problem/46519455>
1773
1774         Reviewed by Saam Barati.
1775
1776         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1777         microbenchmark.
1778
1779         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1780         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1781
1782 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1783
1784         String overflow in JSC::createError results in ASSERT in WTF::makeString
1785         https://bugs.webkit.org/show_bug.cgi?id=192833
1786         <rdar://problem/45706868>
1787
1788         Reviewed by Mark Lam.
1789
1790         * stress/string-overflow-createError.js: Added.
1791
1792 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1793
1794         Error message for `-x ** y` contains a typo.
1795         https://bugs.webkit.org/show_bug.cgi?id=192832
1796
1797         Reviewed by Saam Barati.
1798
1799         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1800         (assert.assert.return.throws):
1801         * stress/pow-expects-update-expression-on-lhs.js:
1802         (throw.new.Error):
1803         Update test expectations which match against the exact error message.
1804
1805 2018-12-18  Mark Lam  <mark.lam@apple.com>
1806
1807         Gardening: test options fix.
1808         https://bugs.webkit.org/show_bug.cgi?id=192822
1809
1810         Unreviewed.
1811
1812         * stress/json-stringify-string-builder-overflow.js:
1813
1814 2018-12-18  Mark Lam  <mark.lam@apple.com>
1815
1816         JSON.stringify() should throw OOM on StringBuilder overflows.
1817         https://bugs.webkit.org/show_bug.cgi?id=192822
1818         <rdar://problem/46670577>
1819
1820         Reviewed by Saam Barati.
1821
1822         * stress/json-stringify-string-builder-overflow.js: Added.
1823
1824 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1825
1826         Redeclaration of var over let/const/class should be a syntax error.
1827         https://bugs.webkit.org/show_bug.cgi?id=192298
1828
1829         Reviewed by Keith Miller.
1830
1831         * test262.yaml:
1832         * test262/expectations.yaml:
1833         Mark 46 tests as passing.
1834
1835         * stress/block-scope-redeclarations.js:
1836         Add some new tests.
1837
1838         * stress/for-in-invalidate-context-weird-assignments.js:
1839         * stress/for-in-tests.js:
1840         Replace tests for outdated behavior with tests for SyntaxError.
1841
1842         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1843         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1844         Update expectations.
1845
1846 2018-12-18  Mark Lam  <mark.lam@apple.com>
1847
1848         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1849         https://bugs.webkit.org/show_bug.cgi?id=191374
1850         <rdar://problem/46525447>
1851
1852         Reviewed by Yusuke Suzuki.
1853
1854         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1855
1856         * stress/elidable-new-object-roflcopter-then-exit.js:
1857
1858 2018-12-17  Mark Lam  <mark.lam@apple.com>
1859
1860         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1861         https://bugs.webkit.org/show_bug.cgi?id=192019
1862         <rdar://problem/46525456>
1863
1864         Reviewed by Yusuke Suzuki.
1865
1866         The test runs too slow on 32-bit.
1867
1868         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1869
1870 2018-12-17  Mark Lam  <mark.lam@apple.com>
1871
1872         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1873         https://bugs.webkit.org/show_bug.cgi?id=191373
1874         <rdar://problem/46525458>
1875
1876         Reviewed by Yusuke Suzuki.
1877
1878         The test is already slow running with a JIT on 64-bit.  It will always time out
1879         on 32-bit without a JIT.
1880
1881         * stress/materialize-regexp-cyclic-regexp.js:
1882
1883 2018-12-17  Mark Lam  <mark.lam@apple.com>
1884
1885         Array unshift/shift should not race against the AI in the compiler thread.
1886         https://bugs.webkit.org/show_bug.cgi?id=192795
1887         <rdar://problem/46724263>
1888
1889         Reviewed by Saam Barati.
1890
1891         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1892
1893 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1894
1895         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1896         https://bugs.webkit.org/show_bug.cgi?id=190047
1897
1898         Reviewed by Saam Barati.
1899
1900         * stress/object-keys-cached-zero.js: Added.
1901         (shouldBe):
1902         (test):
1903         * stress/object-keys-changed-attribute.js: Added.
1904         (shouldBe):
1905         (test):
1906         * stress/object-keys-changed-index.js: Added.
1907         (shouldBe):
1908         (test):
1909         * stress/object-keys-changed.js: Added.
1910         (shouldBe):
1911         (test):
1912         * stress/object-keys-indexed-non-cache.js: Added.
1913         (shouldBe):
1914         (test):
1915         * stress/object-keys-overrides-get-property-names.js: Added.
1916         (shouldBe):
1917         (test):
1918         (noInline):
1919
1920 2018-12-17  Mark Lam  <mark.lam@apple.com>
1921
1922         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1923         https://bugs.webkit.org/show_bug.cgi?id=192779
1924         <rdar://problem/46775869>
1925
1926         Reviewed by Saam Barati.
1927
1928         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1929
1930 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1931
1932         Unreviewed test gardening, address a syntax error in a new test.
1933
1934         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1935
1936 2018-12-17  Mark Lam  <mark.lam@apple.com>
1937
1938         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1939         https://bugs.webkit.org/show_bug.cgi?id=192776
1940         <rdar://problem/46772368>
1941
1942         Reviewed by Keith Miller.
1943
1944         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1945
1946 2018-12-17  Mark Lam  <mark.lam@apple.com>
1947
1948         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1949         https://bugs.webkit.org/show_bug.cgi?id=192770
1950         <rdar://problem/46449037>
1951
1952         Reviewed by Keith Miller.
1953
1954         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1955
1956 2018-12-14  Mark Lam  <mark.lam@apple.com>
1957
1958         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1959         https://bugs.webkit.org/show_bug.cgi?id=192717
1960         <rdar://problem/46660677>
1961
1962         Reviewed by Saam Barati.
1963
1964         * stress/regress-192717.js: Added.
1965
1966 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1967
1968         Unreviewed, rolling out r239153, r239154, and r239155.
1969         https://bugs.webkit.org/show_bug.cgi?id=192715
1970
1971         Caused flaky GC-related crashes seen with layout tests
1972         (Requested by ryanhaddad on #webkit).
1973
1974         Reverted changesets:
1975
1976         "[JSC] Optimize Object.keys by caching own keys results in
1977         StructureRareData"
1978         https://bugs.webkit.org/show_bug.cgi?id=190047
1979         https://trac.webkit.org/changeset/239153
1980
1981         "Unreviewed, build fix after r239153"
1982         https://bugs.webkit.org/show_bug.cgi?id=190047
1983         https://trac.webkit.org/changeset/239154
1984
1985         "Unreviewed, build fix after r239153, part 2"
1986         https://bugs.webkit.org/show_bug.cgi?id=190047
1987         https://trac.webkit.org/changeset/239155
1988
1989 2018-12-14  Keith Miller  <keith_miller@apple.com>
1990
1991         Callers of JSString::getIndex should check for OOM exceptions
1992         https://bugs.webkit.org/show_bug.cgi?id=192709
1993
1994         Reviewed by Mark Lam.
1995
1996         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1997
1998 2018-12-13  Mark Lam  <mark.lam@apple.com>
1999
2000         Add a missing exception check.
2001         https://bugs.webkit.org/show_bug.cgi?id=192626
2002         <rdar://problem/46662163>
2003
2004         Reviewed by Keith Miller.
2005
2006         * stress/regress-192626.js: Added.
2007
2008 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2009
2010         [BigInt] Add ValueDiv into DFG
2011         https://bugs.webkit.org/show_bug.cgi?id=186178
2012
2013         Reviewed by Yusuke Suzuki.
2014
2015         * stress/big-int-div-jit-osr.js: Added.
2016         * stress/big-int-div-jit-untyped.js: Added.
2017         * stress/value-div-fixup-int32-big-int.js: Added.
2018
2019 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2020
2021         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2022         https://bugs.webkit.org/show_bug.cgi?id=190047
2023
2024         Reviewed by Keith Miller.
2025
2026         * stress/object-keys-cached-zero.js: Added.
2027         (shouldBe):
2028         (test):
2029         * stress/object-keys-changed-attribute.js: Added.
2030         (shouldBe):
2031         (test):
2032         * stress/object-keys-changed-index.js: Added.
2033         (shouldBe):
2034         (test):
2035         * stress/object-keys-changed.js: Added.
2036         (shouldBe):
2037         (test):
2038         * stress/object-keys-indexed-non-cache.js: Added.
2039         (shouldBe):
2040         (test):
2041         * stress/object-keys-overrides-get-property-names.js: Added.
2042         (shouldBe):
2043         (test):
2044         (noInline):
2045
2046 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2047
2048         [DFG][FTL] Add NewSymbol
2049         https://bugs.webkit.org/show_bug.cgi?id=192620
2050
2051         Reviewed by Saam Barati.
2052
2053         * microbenchmarks/symbol-creation.js: Added.
2054         (test):
2055         * stress/symbol-description-identity.js: Added.
2056         (shouldBe):
2057         (test):
2058         * stress/symbol-identity.js: Added.
2059         (shouldBe):
2060         (test):
2061         * stress/symbol-with-description-throw-error.js: Added.
2062         (shouldBe):
2063         (shouldThrow):
2064         (test):
2065         (object.toString):
2066
2067 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2068
2069         [BigInt] Implement DFG/FTL typeof for BigInt
2070         https://bugs.webkit.org/show_bug.cgi?id=192619
2071
2072         Reviewed by Keith Miller.
2073
2074         * stress/big-int-boolean-proven-type.js: Added.
2075         (assert):
2076         (bool):
2077         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2078         (assert):
2079         (typeOf):
2080         (i.switch):
2081         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2082         (assert):
2083         (typeOf):
2084         * stress/big-int-type-of.js:
2085         (typeOf):
2086         (func):
2087
2088 2018-12-10  Mark Lam  <mark.lam@apple.com>
2089
2090         PropertyAttribute needs a CustomValue bit.
2091         https://bugs.webkit.org/show_bug.cgi?id=191993
2092         <rdar://problem/46264467>
2093
2094         Reviewed by Saam Barati.
2095
2096         * stress/regress-191993.js: Added.
2097
2098 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2099
2100         [BigInt] Add ValueMul into DFG
2101         https://bugs.webkit.org/show_bug.cgi?id=186175
2102
2103         Reviewed by Yusuke Suzuki.
2104
2105         * stress/big-int-mul-jit-osr.js: Added.
2106         * stress/big-int-mul-jit-untyped.js: Added.
2107         * stress/value-mul-fixup-int32-big-int.js: Added.
2108
2109 2018-12-06  Keith Miller  <keith_miller@apple.com>
2110
2111         stress/big-wasm-memory tests failing on 32-bit JSC bot
2112         https://bugs.webkit.org/show_bug.cgi?id=192020
2113
2114         Reviewed by Saam Barati.
2115
2116         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2117         the wasm stress tests if the WebAssembly object does not exist.
2118
2119         * stress/big-wasm-memory-grow-no-max.js:
2120         (test.foo):
2121         (test):
2122         (foo): Deleted.
2123         (catch): Deleted.
2124         * stress/big-wasm-memory-grow.js:
2125         (test.foo):
2126         (test):
2127         (foo): Deleted.
2128         (catch): Deleted.
2129         * stress/big-wasm-memory.js:
2130         (test.foo):
2131         (test):
2132         (foo): Deleted.
2133         (catch): Deleted.
2134
2135 2018-12-05  Mark Lam  <mark.lam@apple.com>
2136
2137         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2138         https://bugs.webkit.org/show_bug.cgi?id=192441
2139         <rdar://problem/46480355>
2140
2141         Reviewed by Saam Barati.
2142
2143         * stress/regress-192441.js: Added.
2144
2145 2018-12-04  Mark Lam  <mark.lam@apple.com>
2146
2147         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2148         https://bugs.webkit.org/show_bug.cgi?id=192386
2149         <rdar://problem/46445516>
2150
2151         Reviewed by Saam Barati.
2152
2153         * stress/regress-192386.js: Added.
2154
2155 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2156
2157         [ESNext][BigInt] Support logic operations
2158         https://bugs.webkit.org/show_bug.cgi?id=179903
2159
2160         Reviewed by Yusuke Suzuki.
2161
2162         * stress/big-int-branch-usage.js: Added.
2163         * stress/big-int-logical-and.js: Added.
2164         * stress/big-int-logical-not.js: Added.
2165         * stress/big-int-logical-or.js: Added.
2166
2167 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2168
2169         Unreviewed, rolling out r238833.
2170
2171         Breaks macOS and iOS debug builds.
2172
2173         Reverted changeset:
2174
2175         "[ESNext][BigInt] Support logic operations"
2176         https://bugs.webkit.org/show_bug.cgi?id=179903
2177         https://trac.webkit.org/changeset/238833
2178
2179 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2180
2181         [ESNext][BigInt] Support logic operations
2182         https://bugs.webkit.org/show_bug.cgi?id=179903
2183
2184         Reviewed by Yusuke Suzuki.
2185
2186         * stress/big-int-branch-usage.js: Added.
2187         * stress/big-int-logical-and.js: Added.
2188         * stress/big-int-logical-not.js: Added.
2189         * stress/big-int-logical-or.js: Added.
2190
2191 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2192
2193         [ESNext][BigInt] Implement support for "<<" and ">>"
2194         https://bugs.webkit.org/show_bug.cgi?id=186233
2195
2196         Reviewed by Yusuke Suzuki.
2197
2198         * stress/big-int-left-shift-general.js: Added.
2199         * stress/big-int-left-shift-range-error.js: Added.
2200         * stress/big-int-left-shift-type-error.js: Added.
2201         * stress/big-int-left-shift-wrapped-value.js: Added.
2202         * stress/big-int-right-shift-general.js: Added.
2203         * stress/big-int-right-shift-type-error.js: Added.
2204         * stress/big-int-right-shift-wrapped-value.js: Added.
2205         * stress/left-shift-to-primitive-precedence.js: Added.
2206         * stress/right-shift-to-primitive-precedence.js: Added.
2207
2208 2018-11-30  Dean Jackson  <dino@apple.com>
2209
2210         Add first-class support for .mjs files in jsc binary
2211         https://bugs.webkit.org/show_bug.cgi?id=192190
2212         <rdar://problem/46375715>
2213
2214         Reviewed by Keith Miller.
2215
2216         * stress/simple-module.mjs: Added.
2217         * stress/simple-script.js: Added.
2218
2219 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2220
2221         [BigInt] Implement ValueBitXor into DFG
2222         https://bugs.webkit.org/show_bug.cgi?id=190264
2223
2224         Reviewed by Yusuke Suzuki.
2225
2226         * stress/big-int-bitwise-xor-jit.js: Added.
2227         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2228         * stress/big-int-bitwise-xor-untyped.js: Added.
2229
2230 2018-11-27  Saam barati  <sbarati@apple.com>
2231
2232         r238510 broke scopes of size zero
2233         https://bugs.webkit.org/show_bug.cgi?id=192033
2234         <rdar://problem/46281734>
2235
2236         Reviewed by Keith Miller.
2237
2238         * stress/r238510-bad-loop.js: Added.
2239         (foo):
2240
2241 2018-11-27  Mark Lam  <mark.lam@apple.com>
2242
2243         [Re-landing] NaNs read from Wasm code needs to be purified.
2244         https://bugs.webkit.org/show_bug.cgi?id=191056
2245         <rdar://problem/45660341>
2246
2247         Reviewed by Filip Pizlo.
2248
2249         * wasm/regress/regress-191056.js: Added.
2250
2251 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2252
2253         Unreviewed, rolling out r238509.
2254
2255         Causes JSC tests to fail on iOS.
2256
2257         Reverted changeset:
2258
2259         "NaNs read from Wasm code needs to be purified."
2260         https://bugs.webkit.org/show_bug.cgi?id=191056
2261         https://trac.webkit.org/changeset/238509
2262
2263 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2264
2265         Re-introduce op_bitnot
2266         https://bugs.webkit.org/show_bug.cgi?id=190923
2267
2268         Reviewed by Yusuke Suzuki.
2269
2270         * stress/bit-not-must-generate.js: Added.
2271         * stress/bitwise-not-no-int32.js: Added.
2272
2273 2018-11-26  Saam barati  <sbarati@apple.com>
2274
2275         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2276         https://bugs.webkit.org/show_bug.cgi?id=191956
2277         <rdar://problem/45665806>
2278
2279         Reviewed by Yusuke Suzuki.
2280
2281         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2282         (bar):
2283         (foo):
2284
2285 2018-11-26  Saam barati  <sbarati@apple.com>
2286
2287         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2288         https://bugs.webkit.org/show_bug.cgi?id=191958
2289         <rdar://problem/46221877>
2290
2291         Reviewed by Yusuke Suzuki.
2292
2293         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2294         (x):
2295         (foo):
2296
2297 2018-11-26  Mark Lam  <mark.lam@apple.com>
2298
2299         NaNs read from Wasm code needs to be purified.
2300         https://bugs.webkit.org/show_bug.cgi?id=191056
2301         <rdar://problem/45660341>
2302
2303         Reviewed by Filip Pizlo.
2304
2305         * wasm/regress/regress-191056.js: Added.
2306
2307 2018-11-26  Michael Saboff  <msaboff@apple.com>
2308
2309         32-bit JSC test failure: stress/regexp-compile-oom.js
2310         https://bugs.webkit.org/show_bug.cgi?id=191375
2311
2312         Reviewed by Mark Lam.
2313
2314         Disabled the test for 32 bit platforms.
2315
2316         * stress/regexp-compile-oom.js:
2317
2318 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2319
2320         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2321         https://bugs.webkit.org/show_bug.cgi?id=191716
2322         <rdar://problem/45723878>
2323
2324         Reviewed by Saam Barati.
2325
2326         * stress/regress-187373.js: Added.
2327         (async.fn):
2328
2329 2018-11-21  Saam barati  <sbarati@apple.com>
2330
2331         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2332         https://bugs.webkit.org/show_bug.cgi?id=191897
2333         <rdar://problem/45871998>
2334
2335         Reviewed by Mark Lam.
2336
2337         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2338         (bar):
2339         (foo):
2340
2341 2018-11-21  Saam barati  <sbarati@apple.com>
2342
2343         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2344         https://bugs.webkit.org/show_bug.cgi?id=191895
2345         <rdar://problem/46167406>
2346
2347         Reviewed by Mark Lam.
2348
2349         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2350         (foo):
2351         (bar):
2352
2353 2018-11-21  Mark Lam  <mark.lam@apple.com>
2354
2355         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2356         https://bugs.webkit.org/show_bug.cgi?id=191776
2357         <rdar://problem/46152851>
2358
2359         Reviewed by Saam Barati.
2360
2361         * stress/big-wasm-memory-grow-no-max.js:
2362         * stress/big-wasm-memory-grow.js:
2363         * stress/big-wasm-memory.js:
2364         - updated these to expect an OutOfMemoryError.
2365
2366         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2367         (Binary.prototype.emit_u8):
2368         (Binary.prototype.emit_u32v):
2369         (Binary.prototype.emit_header):
2370         (Binary.prototype.emit_section):
2371         (Binary):
2372         (WasmModuleBuilder):
2373         (WasmModuleBuilder.prototype.addMemory):
2374         (WasmModuleBuilder.prototype.toArray):
2375         (WasmModuleBuilder.prototype.toBuffer):
2376         (WasmModuleBuilder.prototype.instantiate):
2377         (catch):
2378         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2379         (catch):
2380
2381 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2382
2383         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2384         https://bugs.webkit.org/show_bug.cgi?id=190836
2385
2386         Reviewed by Saam Barati and Yusuke Suzuki.
2387
2388         * stress/big-int-out-of-memory-tests.js: Added.
2389
2390 2018-11-20  Mark Lam  <mark.lam@apple.com>
2391
2392         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2393         https://bugs.webkit.org/show_bug.cgi?id=191856
2394         <rdar://problem/46089992>
2395
2396         Reviewed by Yusuke Suzuki.
2397
2398         * stress/regress-191856.js: Added.
2399         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2400
2401 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2402
2403         Enable JIT on ARM/Linux
2404         https://bugs.webkit.org/show_bug.cgi?id=191548
2405
2406         Reviewed by Yusuke Suzuki.
2407
2408         Disable test on system with limited memory. Program was killed by
2409         the OS before the exception was thrown.
2410
2411         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2412
2413 2018-11-20  Saam barati  <sbarati@apple.com>
2414
2415         Merging an IC variant may lead to the IC status containing overlapping structure sets
2416         https://bugs.webkit.org/show_bug.cgi?id=191869
2417         <rdar://problem/45403453>
2418
2419         Reviewed by Mark Lam.
2420
2421         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2422
2423 2018-11-19  Mark Lam  <mark.lam@apple.com>
2424
2425         globalFuncImportModule() should return a promise when it clears exceptions.
2426         https://bugs.webkit.org/show_bug.cgi?id=191792
2427         <rdar://problem/46090763>
2428
2429         Reviewed by Michael Saboff.
2430
2431         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2432
2433 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2434
2435         Skip new memory-hungry tests on memory limited devices
2436
2437         Unreviewed gardening.
2438
2439         * stress/big-wasm-memory-grow-no-max.js:
2440         * stress/big-wasm-memory-grow.js:
2441         * stress/big-wasm-memory.js:
2442
2443 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2444
2445         Unreviewed, rolling in the rest of r237254
2446         https://bugs.webkit.org/show_bug.cgi?id=190340
2447
2448         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2449         * stress/function-cache-with-parameters-end-position.js: Added.
2450         (shouldBe):
2451         (shouldThrow):
2452         (i.anonymous):
2453         * stress/function-constructor-name.js: Added.
2454         (shouldBe):
2455         (GeneratorFunction):
2456         (AsyncFunction.async):
2457         (AsyncGeneratorFunction.async):
2458         (anonymous):
2459         (async.anonymous):
2460         * test262/expectations.yaml:
2461
2462 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2463
2464         All users of ArrayBuffer should agree on the same max size
2465         https://bugs.webkit.org/show_bug.cgi?id=191771
2466
2467         Reviewed by Mark Lam.
2468
2469         * stress/big-wasm-memory-grow-no-max.js: Added.
2470         (foo):
2471         (catch):
2472         * stress/big-wasm-memory-grow.js: Added.
2473         (foo):
2474         (catch):
2475         * stress/big-wasm-memory.js: Added.
2476         (foo):
2477         (catch):
2478
2479 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2480
2481         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2482         run for each JSC config since they're regression tests for runtime bugs.
2483
2484         * stress/json-stringified-overflow-2.js:
2485         * stress/json-stringified-overflow.js:
2486
2487 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2488
2489         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2490         config since they're regression tests for runtime bugs.
2491
2492         * stress/large-unshift-splice.js:
2493         * stress/regress-185888.js:
2494
2495 2018-11-16  Saam Barati  <sbarati@apple.com>
2496
2497         KnownCellUse should also have SpecCellCheck as its type filter
2498         https://bugs.webkit.org/show_bug.cgi?id=191729
2499         <rdar://problem/45872852>
2500
2501         Reviewed by Filip Pizlo.
2502
2503         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2504         (C):
2505
2506 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2507
2508         Fix assertion failure on BytecodeGenerator::recordOpcode
2509         https://bugs.webkit.org/show_bug.cgi?id=191724
2510         <rdar://problem/45724395>
2511
2512         Reviewed by Saam Barati.
2513
2514         * stress/regress-187373-2.js: Added.
2515         (foo):
2516
2517 2018-11-15  Mark Lam  <mark.lam@apple.com>
2518
2519         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2520         https://bugs.webkit.org/show_bug.cgi?id=191730
2521         <rdar://problem/46048517>
2522
2523         Reviewed by Saam Barati.
2524
2525         * stress/regress-187006.js: Removed.
2526           - this test is invalid because its sole purpose is to test for the non-spec
2527             compliant behavior that we just fixed.
2528
2529         * stress/regress-191730.js: Added.
2530
2531 2018-11-15  Mark Lam  <mark.lam@apple.com>
2532
2533         RegExp operations should not take fast path if lastIndex is not numeric.
2534         https://bugs.webkit.org/show_bug.cgi?id=191731
2535         <rdar://problem/46017305>
2536
2537         Reviewed by Saam Barati.
2538
2539         * stress/regress-191731.js: Added.
2540
2541 2018-11-13  Saam Barati  <sbarati@apple.com>
2542
2543         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2544         https://bugs.webkit.org/show_bug.cgi?id=191600
2545
2546         Reviewed by Mark Lam.
2547
2548         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2549         (foo):
2550         (test):
2551         (bar):
2552
2553 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2554
2555         Unreviewed, rolling out r238132.
2556
2557         The test added with this change is timing out on Debug JSC
2558         bots.
2559
2560         Reverted changeset:
2561
2562         "[BigInt] JSBigInt::createWithLength should throw when length
2563         is greater than JSBigInt::maxLength"
2564         https://bugs.webkit.org/show_bug.cgi?id=190836
2565         https://trac.webkit.org/changeset/238132
2566
2567 2018-11-13  Mark Lam  <mark.lam@apple.com>
2568
2569         Add OOM detection to StringPrototype's substituteBackreferences().
2570         https://bugs.webkit.org/show_bug.cgi?id=191563
2571         <rdar://problem/45720428>
2572
2573         Reviewed by Saam Barati.
2574
2575         * stress/regress-191563.js: Added.
2576
2577 2018-11-13  Mark Lam  <mark.lam@apple.com>
2578
2579         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2580         https://bugs.webkit.org/show_bug.cgi?id=191579
2581         <rdar://problem/45942472>
2582
2583         Reviewed by Saam Barati.
2584
2585         * stress/regress-191579.js: Added.
2586
2587 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2588
2589         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2590         https://bugs.webkit.org/show_bug.cgi?id=190836
2591
2592         Reviewed by Saam Barati.
2593
2594         * stress/big-int-out-of-memory-tests.js: Added.
2595
2596 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2597
2598         U+180E is no longer a whitespace character
2599         https://bugs.webkit.org/show_bug.cgi?id=191415
2600
2601         Reviewed by Saam Barati.
2602
2603         * ChakraCore/test/es5/regexSpace.baseline:
2604         * ChakraCore/test/es6/unicode_whitespace.js:
2605         Update tests to latest version.
2606         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2607
2608         * test262.yaml:
2609         * test262/config.yaml:
2610         * test262/expectations.yaml:
2611         Update expectations.
2612
2613 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2614
2615         [BigInt] Add support to BigInt into ValueAdd
2616         https://bugs.webkit.org/show_bug.cgi?id=186177
2617
2618         Reviewed by Keith Miller.
2619
2620         * stress/big-int-negate-jit.js:
2621         * stress/value-add-big-int-and-string.js: Added.
2622         * stress/value-add-big-int-prediction-propagation.js: Added.
2623         * stress/value-add-big-int-untyped.js: Added.
2624
2625 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2626
2627         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2628         https://bugs.webkit.org/show_bug.cgi?id=191184
2629
2630         Reviewed by Saam Barati.
2631
2632         Most tests were failing due to timeouts, since they are too slow to
2633         run on CLoop. The exceptions are:
2634
2635         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2636         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2637         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2638         to change the stack size since CLoop requires it to be page aligned.
2639
2640         * microbenchmarks/array-push-1.js:
2641         * microbenchmarks/array-push-2.js:
2642         * microbenchmarks/elidable-new-object-dag.js:
2643         * microbenchmarks/elidable-new-object-roflcopter.js:
2644         * microbenchmarks/elidable-new-object-tree.js:
2645         * microbenchmarks/getter-richards.js:
2646         * microbenchmarks/sinkable-new-object-dag.js:
2647         * microbenchmarks/string-concat-long-convert.js:
2648         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2649         * slowMicrobenchmarks/array-push-3.js:
2650         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2651         * slowMicrobenchmarks/spread-small-array.js:
2652         * slowMicrobenchmarks/undefined-property-access.js:
2653         * stress/activation-sink-default-value-tdz-error.js:
2654         * stress/activation-sink-default-value.js:
2655         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2656         * stress/activation-sink-osrexit-default-value.js:
2657         * stress/activation-sink-osrexit.js:
2658         * stress/activation-sink.js:
2659         * stress/allow-math-ic-b3-code-duplication.js:
2660         * stress/array-push-multiple-int32.js:
2661         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2662         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2663         * stress/arrowfunction-lexical-this-activation-sink.js:
2664         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2665         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2666         * stress/elide-new-object-dag-then-exit.js:
2667         * stress/materialize-regexp-cyclic.js:
2668         * stress/new-regex-inline.js:
2669         * stress/op_add.js:
2670         * stress/op_bitand.js:
2671         * stress/op_bitor.js:
2672         * stress/op_bitxor.js:
2673         * stress/op_div-ConstVar.js:
2674         * stress/op_div-VarConst.js:
2675         * stress/op_div-VarVar.js:
2676         * stress/op_lshift-ConstVar.js:
2677         * stress/op_lshift-VarConst.js:
2678         * stress/op_lshift-VarVar.js:
2679         * stress/op_mod-ConstVar.js:
2680         * stress/op_mod-VarConst.js:
2681         * stress/op_mod-VarVar.js:
2682         * stress/op_mul-ConstVar.js:
2683         * stress/op_mul-VarConst.js:
2684         * stress/op_mul-VarVar.js:
2685         * stress/op_rshift-ConstVar.js:
2686         * stress/op_rshift-VarConst.js:
2687         * stress/op_rshift-VarVar.js:
2688         * stress/op_sub-ConstVar.js:
2689         * stress/op_sub-VarConst.js:
2690         * stress/op_sub-VarVar.js:
2691         * stress/op_urshift-ConstVar.js:
2692         * stress/op_urshift-VarConst.js:
2693         * stress/op_urshift-VarVar.js:
2694         * stress/proxy-get-set-correct-receiver.js:
2695         * stress/regress-179562.js:
2696         * stress/rest-parameter-many-arguments.js:
2697         * stress/sampling-profiler-richards.js:
2698         * stress/splay-flash-access-1ms.js:
2699         * stress/tailCallForwardArguments.js:
2700         * stress/typed-array-get-by-val-profiling.js:
2701         * typeProfiler/getter-richards.js:
2702
2703 2018-11-06  Michael Saboff  <msaboff@apple.com>
2704
2705         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2706         https://bugs.webkit.org/show_bug.cgi?id=191271
2707
2708         Reviewed by Saam Barati.
2709
2710         Added more test cases and made all test cases run with the same deeply recursive stack
2711         instead of finding that same point for each test case.
2712
2713         * stress/regexp-compile-oom.js:
2714         (prototype.runTest):
2715         (recurseAndTest):
2716         (testList.push.new.TestAndExpectedException):
2717
2718 2018-11-05  Michael Saboff  <msaboff@apple.com>
2719
2720         Unreviewed build fix for linux.
2721
2722         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2723
2724 2018-11-02  Michael Saboff  <msaboff@apple.com>
2725
2726         Rolling in r237753 with unreviewed build fix.
2727
2728         Fixed issues with DECLARE_THROW_SCOPE placement.
2729
2730 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2731
2732         Unreviewed, rolling out r237753.
2733
2734         Introduced JSC test failures
2735
2736         Reverted changeset:
2737
2738         "Running out of stack space not properly handled in
2739         RegExp::compile() and its callers"
2740         https://bugs.webkit.org/show_bug.cgi?id=191206
2741         https://trac.webkit.org/changeset/237753
2742
2743 2018-11-02  Michael Saboff  <msaboff@apple.com>
2744
2745         Running out of stack space not properly handled in RegExp::compile() and its callers
2746         https://bugs.webkit.org/show_bug.cgi?id=191206
2747
2748         Reviewed by Filip Pizlo.
2749
2750         New regression test.
2751
2752         * stress/regexp-compile-oom.js: Added.
2753         (recurseAndTest):
2754
2755 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2756
2757         Skip tests on arm/mips that time out now we're running on CLoop
2758
2759         Unreviewed gardening.
2760
2761         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2762         time out on the bots and need to be disabled. There's more tests
2763         disabled on arm because the timeout is longer on the mips bot (as the
2764         device is slower to start with), so many of the tests don't time out
2765         there.
2766
2767         * microbenchmarks/getter-richards.js: disable on arm and mips.
2768         * stress/op_add.js: disable on arm.
2769         * stress/op_bitand.js: disable on arm.
2770         * stress/op_bitor.js: disable on arm.
2771         * stress/op_bitxor.js: disable on arm.
2772         * stress/op_lshift-ConstVar.js: disable on arm.
2773         * stress/op_lshift-VarConst.js: disable on arm.
2774         * stress/op_lshift-VarVar.js: disable on arm.
2775         * stress/op_mod-ConstVar.js: disable on arm.
2776         * stress/op_mod-VarConst.js: disable on arm.
2777         * stress/op_mod-VarVar.js: disable on arm.
2778         * stress/op_mul-ConstVar.js: disable on arm.
2779         * stress/op_mul-VarConst.js: disable on arm.
2780         * stress/op_mul-VarVar.js: disable on arm.
2781         * stress/op_rshift-ConstVar.js: disable on arm.
2782         * stress/op_rshift-VarConst.js: disable on arm.
2783         * stress/op_rshift-VarVar.js: disable on arm.
2784         * stress/op_sub-ConstVar.js: disable on arm.
2785         * stress/op_sub-VarConst.js: disable on arm.
2786         * stress/op_sub-VarVar.js: disable on arm.
2787         * stress/op_urshift-ConstVar.js: disable on arm.
2788         * stress/op_urshift-VarConst.js: disable on arm.
2789         * stress/op_urshift-VarVar.js: disable on arm.
2790         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2791         * stress/value-to-boolean.js: disable on arm and mips.
2792
2793 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2794
2795         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2796         https://bugs.webkit.org/show_bug.cgi?id=191108
2797         <rdar://problem/45690700>
2798
2799         Reviewed by Saam Barati.
2800
2801         * stress/wide-op_catch.js: Added.
2802         (catch):
2803
2804 2018-10-29  Mark Lam  <mark.lam@apple.com>
2805
2806         Correctly detect string overflow when using the 'Function' constructor.
2807         https://bugs.webkit.org/show_bug.cgi?id=184883
2808         <rdar://problem/36320331>
2809
2810         Reviewed by Saam Barati.
2811
2812         I've verified that this passes on 32-bit as well.
2813
2814         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2815
2816 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2817
2818         Add support for GetStack FlushedDouble
2819         https://bugs.webkit.org/show_bug.cgi?id=191012
2820         <rdar://problem/45265141>
2821
2822         Reviewed by Saam Barati.
2823
2824         * stress/get-stack-double.js: Added.
2825         (bar):
2826         (noInline):
2827
2828 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2829
2830         New bytecode format for JSC
2831         https://bugs.webkit.org/show_bug.cgi?id=187373
2832         <rdar://problem/44186758>
2833
2834         Reviewed by Filip Pizlo.
2835
2836         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2837
2838         * stress/maximum-inline-capacity.js: Added.
2839         (test1):
2840         (test3.Foo):
2841         (test3):
2842
2843 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2844
2845         Unreviewed, rolling out r237479 and r237484.
2846         https://bugs.webkit.org/show_bug.cgi?id=190978
2847
2848         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2849
2850         Reverted changesets:
2851
2852         "New bytecode format for JSC"
2853         https://bugs.webkit.org/show_bug.cgi?id=187373
2854         https://trac.webkit.org/changeset/237479
2855
2856         "Gardening: Build fix after r237479."
2857         https://bugs.webkit.org/show_bug.cgi?id=187373
2858         https://trac.webkit.org/changeset/237484
2859
2860 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2861
2862         New bytecode format for JSC
2863         https://bugs.webkit.org/show_bug.cgi?id=187373
2864         <rdar://problem/44186758>
2865
2866         Reviewed by Filip Pizlo.
2867
2868         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2869
2870         * stress/maximum-inline-capacity.js: Added.
2871         (test1):
2872         (test3.Foo):
2873         (test3):
2874
2875 2018-10-26  Mark Lam  <mark.lam@apple.com>
2876
2877         Fix missing edge cases with JSGlobalObjects having a bad time.
2878         https://bugs.webkit.org/show_bug.cgi?id=189028
2879         <rdar://problem/45204939>
2880
2881         Reviewed by Saam Barati.
2882
2883         * stress/regress-189028.js: Added.
2884
2885 2018-10-22  Mark Lam  <mark.lam@apple.com>
2886
2887         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2888         https://bugs.webkit.org/show_bug.cgi?id=190515
2889         <rdar://problem/45222379>
2890
2891         Rubber-stamped by Saam Barati.
2892
2893         Adding another test.
2894
2895         * stress/regress-190515-2.js: Added.
2896
2897 2018-10-22  Mark Lam  <mark.lam@apple.com>
2898
2899         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2900         https://bugs.webkit.org/show_bug.cgi?id=190515
2901         <rdar://problem/45222379>
2902
2903         Reviewed by Saam Barati.
2904
2905         * stress/regress-190515.js: Added.
2906
2907 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2908
2909         Unreviewed, rolling out r237254.
2910         https://bugs.webkit.org/show_bug.cgi?id=190760
2911
2912         "It regresses JetStream 2 by 5% on some iOS devices"
2913         (Requested by saamyjoon on #webkit).
2914
2915         Reverted changeset:
2916
2917         "[JSC] JSC should have "parseFunction" to optimize Function
2918         constructor"
2919         https://bugs.webkit.org/show_bug.cgi?id=190340
2920         https://trac.webkit.org/changeset/237254
2921
2922 2018-10-19  Saam Barati  <sbarati@apple.com>
2923
2924         vmCall should check if we exit before emitting an OSR exit due to exceptions
2925         https://bugs.webkit.org/show_bug.cgi?id=190740
2926         <rdar://problem/45220139>
2927
2928         Reviewed by Mark Lam.
2929
2930         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2931         (foo):
2932
2933 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2934
2935         [ESNext][BigInt] Implement support for "^"
2936         https://bugs.webkit.org/show_bug.cgi?id=186235
2937
2938         Reviewed by Yusuke Suzuki.
2939
2940         * stress/big-int-bitwise-xor-general.js: Added.
2941         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2942         * stress/big-int-bitwise-xor-type-error.js: Added.
2943         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2944
2945 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2946
2947         [BigInt] Add ValueSub into DFG
2948         https://bugs.webkit.org/show_bug.cgi?id=186176
2949
2950         Reviewed by Yusuke Suzuki.
2951
2952         * stress/big-int-subtraction-jit.js:
2953         * stress/value-sub-big-int-prediction-propagation.js: Added.
2954         * stress/value-sub-big-int-untyped.js: Added.
2955         * stress/value-sub-spec-none-case.js: Added.
2956
2957 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2958
2959         [JSC] JSC should have "parseFunction" to optimize Function constructor
2960         https://bugs.webkit.org/show_bug.cgi?id=190340
2961
2962         Reviewed by Mark Lam.
2963
2964         This patch fixes the line number of syntax errors raised by the Function constructor,
2965         since we now parse the final code only once. And we no longer use block statement
2966         for Function constructor's parsing.
2967
2968         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2969         * stress/function-cache-with-parameters-end-position.js: Added.
2970         (shouldBe):
2971         (shouldThrow):
2972         (i.anonymous):
2973         * stress/function-constructor-name.js: Added.
2974         (shouldBe):
2975         (GeneratorFunction):
2976         (AsyncFunction.async):
2977         (AsyncGeneratorFunction.async):
2978         (anonymous):
2979         (async.anonymous):
2980         * test262/expectations.yaml:
2981
2982 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2983
2984         Unreviewed, rolling out r237242.
2985         https://bugs.webkit.org/show_bug.cgi?id=190701
2986
2987         it breaks "stress/sampling-profiler-basic.js" (Requested by
2988         caiolima on #webkit).
2989
2990         Reverted changeset:
2991
2992         "[BigInt] Add ValueSub into DFG"
2993         https://bugs.webkit.org/show_bug.cgi?id=186176
2994         https://trac.webkit.org/changeset/237242
2995
2996 2018-10-17  Keith Miller  <keith_miller@apple.com>
2997
2998         AI does not clear Phantom allocation nodes.
2999         https://bugs.webkit.org/show_bug.cgi?id=190694
3000
3001         Reviewed by Saam Barati.
3002
3003         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3004         (Day):
3005         (DaysInYear):
3006         (TimeInYear):
3007         (TimeFromYear):
3008         (DayFromYear):
3009         (InLeapYear):
3010         (YearFromTime):
3011         (WeekDay):
3012         (DaylightSavingTA):
3013         (GetSecondSundayInMarch):
3014         (TimeInMonth):
3015
3016 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3017
3018         [BigInt] Add ValueSub into DFG
3019         https://bugs.webkit.org/show_bug.cgi?id=186176
3020
3021         Reviewed by Yusuke Suzuki.
3022
3023         * stress/big-int-subtraction-jit.js:
3024         * stress/value-sub-big-int-prediction-propagation.js: Added.
3025         * stress/value-sub-big-int-untyped.js: Added.
3026
3027 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3028
3029         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3030         https://bugs.webkit.org/show_bug.cgi?id=190611
3031
3032         Reviewed by Saam Barati.
3033
3034         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3035         to improve test runtime. On ARM/MIPS this test even timed out when running all
3036         tests.
3037
3038         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3039         (test):
3040
3041 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3042
3043         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3044
3045         Unreviewed gardening.
3046
3047         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3048
3049 2018-10-15  Saam barati  <sbarati@apple.com>
3050
3051         Emit fjcvtzs on ARM64E on Darwin
3052         https://bugs.webkit.org/show_bug.cgi?id=184023
3053
3054         Reviewed by Yusuke Suzuki and Filip Pizlo.
3055
3056         * stress/double-to-int32-NaN.js: Added.
3057         (assert):
3058         (foo):
3059
3060 2018-10-15  Saam Barati  <sbarati@apple.com>
3061
3062         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3063         https://bugs.webkit.org/show_bug.cgi?id=190262
3064         <rdar://problem/44986241>
3065
3066         Reviewed by Mark Lam.
3067
3068         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3069         (test):
3070         * stress/slice-array-storage-with-holes.js: Added.
3071         (main):
3072
3073 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3074
3075         Unreviewed, rolling out r237054.
3076         https://bugs.webkit.org/show_bug.cgi?id=190593
3077
3078         "this regressed JetStream 2 by 6% on iOS" (Requested by
3079         saamyjoon on #webkit).
3080
3081         Reverted changeset:
3082
3083         "[JSC] JSC should have "parseFunction" to optimize Function
3084         constructor"
3085         https://bugs.webkit.org/show_bug.cgi?id=190340
3086         https://trac.webkit.org/changeset/237054
3087
3088 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3089
3090         [JSC] JSON.stringify can accept call-with-no-arguments
3091         https://bugs.webkit.org/show_bug.cgi?id=190343
3092
3093         Reviewed by Mark Lam.
3094
3095         * stress/json-stringify-no-arguments.js: Added.
3096         (shouldBe):
3097
3098 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3099
3100         [JSC] JSC should have "parseFunction" to optimize Function constructor
3101         https://bugs.webkit.org/show_bug.cgi?id=190340
3102
3103         Reviewed by Mark Lam.
3104
3105         This patch fixes the line number of syntax errors raised by the Function constructor,
3106         since we now parse the final code only once. And we no longer use block statement
3107         for Function constructor's parsing.
3108
3109         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3110         * stress/function-cache-with-parameters-end-position.js: Added.
3111         (shouldBe):
3112         (shouldThrow):
3113         (i.anonymous):
3114         * stress/function-constructor-name.js: Added.
3115         (shouldBe):
3116         (GeneratorFunction):
3117         (AsyncFunction.async):
3118         (AsyncGeneratorFunction.async):
3119         (anonymous):
3120         (async.anonymous):
3121         * test262/expectations.yaml:
3122
3123 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3124
3125         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3126         https://bugs.webkit.org/show_bug.cgi?id=190426
3127
3128         Unreviewed gardening.
3129
3130         * stress/sampling-profiler-richards.js:
3131
3132 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3133
3134         [ESNext][BigInt] Implement support for "|"
3135         https://bugs.webkit.org/show_bug.cgi?id=186229
3136
3137         Reviewed by Yusuke Suzuki.
3138
3139         * stress/big-int-bitwise-and-jit.js:
3140         * stress/big-int-bitwise-or-general.js: Added.
3141         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3142         * stress/big-int-bitwise-or-jit.js: Added.
3143         * stress/big-int-bitwise-or-memory-stress.js: Added.
3144         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3145         * stress/big-int-bitwise-or-type-error.js: Added.
3146         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3147
3148 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3149
3150         Skip test on systems with limited memory
3151         https://bugs.webkit.org/show_bug.cgi?id=190310
3152
3153         Invoking runDefault adds test to runlist, skipping the test in the next
3154         line does not prevent the test from executing. Change order of lines such
3155         that runDefault is only executed if test is not executed.
3156
3157         Reviewed by Mark Lam.
3158
3159         * stress/regress-190187.js:
3160
3161 2018-10-03  Saam barati  <sbarati@apple.com>
3162
3163         lowXYZ in FTLLower should always filter the type of the incoming edge
3164         https://bugs.webkit.org/show_bug.cgi?id=189939
3165         <rdar://problem/44407030>
3166
3167         Reviewed by Michael Saboff.
3168
3169         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3170         (foo):
3171         (test):
3172
3173 2018-10-03  Mark Lam  <mark.lam@apple.com>
3174
3175         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3176         https://bugs.webkit.org/show_bug.cgi?id=190187
3177         <rdar://problem/42512909>
3178
3179         Reviewed by Michael Saboff.
3180
3181         * stress/regress-190187.js: Added.
3182
3183 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3184
3185         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3186         https://bugs.webkit.org/show_bug.cgi?id=190033
3187
3188         Reviewed by Yusuke Suzuki.
3189
3190         * stress/big-int-to-string.js:
3191
3192 2018-10-01  Mark Lam  <mark.lam@apple.com>
3193
3194         Function.toString() should also copy the source code of Functions that are class definitions.
3195         https://bugs.webkit.org/show_bug.cgi?id=190186
3196         <rdar://problem/44733360>
3197
3198         Reviewed by Saam Barati.
3199
3200         * stress/regress-190186.js: Added.
3201
3202 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3203
3204         Split NaN-check into separate test
3205         https://bugs.webkit.org/show_bug.cgi?id=190010
3206
3207         Reviewed by Saam Barati.
3208
3209         DataView exposes NaN-representation, which is not necessarily the same on each
3210         architecture. Therefore move the check of the NaN-representation into its own
3211         file such that we can disable this test on MIPS where NaN-representation can be
3212         different on older CPUs.
3213
3214         * stress/dataview-jit-set-nan.js: Added.
3215         (assert):
3216         (test.storeLittleEndian):
3217         (test.storeBigEndian):
3218         (test.store):
3219         (test):
3220         * stress/dataview-jit-set.js:
3221         (test5):
3222
3223 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3224
3225         Unreviewed, rolling out r236647.
3226         https://bugs.webkit.org/show_bug.cgi?id=190124
3227
3228         Breaking test stress/big-int-to-string.js (Requested by
3229         caiolima_ on #webkit).
3230
3231         Reverted changeset:
3232
3233         "[BigInt] BigInt.prototype.toString is broken when radix is
3234         power of 2"
3235         https://bugs.webkit.org/show_bug.cgi?id=190033
3236         https://trac.webkit.org/changeset/236647
3237
3238 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3239
3240         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3241         https://bugs.webkit.org/show_bug.cgi?id=190033
3242
3243         Reviewed by Yusuke Suzuki.
3244
3245         * stress/big-int-to-string.js:
3246
3247 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3248
3249         [ESNext][BigInt] Implement support for "&"
3250         https://bugs.webkit.org/show_bug.cgi?id=186228
3251
3252         Reviewed by Yusuke Suzuki.
3253
3254         * stress/big-int-bitwise-and-general.js: Added.
3255         (assert):
3256         (assert.sameValue):
3257         * stress/big-int-bitwise-and-jit.js: Added.
3258         (let.assert.sameValue):
3259         (bigIntBitAnd):
3260         * stress/big-int-bitwise-and-memory-stress.js: Added.
3261         (assert):
3262         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3263         (assert.sameValue):
3264         (let.o.Symbol.toPrimitive):
3265         (catch):
3266         * stress/big-int-bitwise-and-type-error.js: Added.
3267         (assert):
3268         (assertThrowTypeError):
3269         (let.o.valueOf):
3270         (o.valueOf):
3271         (o.toString):
3272         (o.Symbol.toPrimitive):
3273         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3274         (assert.sameValue):
3275         (testBitAnd):
3276         (let.o.Symbol.toPrimitive):
3277         (o.valueOf):
3278         (o.toString):
3279
3280 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3281
3282         JSC test stress/jsc-read.js doesn't support CRLF
3283         https://bugs.webkit.org/show_bug.cgi?id=190063
3284
3285         Reviewed by Yusuke Suzuki.
3286
3287         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3288
3289         * stress/jsc-read.js:
3290         (test):
3291
3292 2018-09-27  Saam barati  <sbarati@apple.com>
3293
3294         Verify the contents of AssemblerBuffer on arm64e
3295         https://bugs.webkit.org/show_bug.cgi?id=190057
3296         <rdar://problem/38916630>
3297
3298         Reviewed by Mark Lam.
3299
3300         * stress/regress-189132.js:
3301
3302 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3303
3304         Disable test without LLInt on ARMv7
3305         https://bugs.webkit.org/show_bug.cgi?id=190037
3306
3307         Reviewed by Mark Lam.
3308
3309         Test runs out of executable memory on ARMv7, do not run
3310         this test without LLInt enabled.
3311
3312         * stress/regress-169445.js:
3313
3314 2018-09-26  Keith Miller  <keith_miller@apple.com>
3315
3316         We should zero unused property storage when rebalancing array storage.
3317         https://bugs.webkit.org/show_bug.cgi?id=188151
3318
3319         Reviewed by Michael Saboff.
3320
3321         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3322
3323 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3324
3325         [JSC] Optimize Array#lastIndexOf
3326         https://bugs.webkit.org/show_bug.cgi?id=189780
3327
3328         Reviewed by Saam Barati.
3329
3330         * stress/array-lastindexof-array-prototype-trap.js: Added.
3331         (shouldBe):
3332         (AncestorArray.prototype.get 2):
3333         (AncestorArray):
3334         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3335         (shouldBe):
3336         * stress/array-lastindexof-hole-nan.js: Added.
3337         (shouldBe):
3338         (throw.new.Error):
3339         * stress/array-lastindexof-infinity.js: Added.
3340         (shouldBe):
3341         (throw.new.Error):
3342         * stress/array-lastindexof-negative-zero.js: Added.
3343         (shouldBe):
3344         (throw.new.Error):
3345         * stress/array-lastindexof-own-getter.js: Added.
3346         (shouldBe):
3347         (throw.new.Error.get array):
3348         (get array):
3349         * stress/array-lastindexof-prototype-trap.js: Added.
3350         (shouldBe):
3351         (DerivedArray.prototype.get 2):
3352         (DerivedArray):
3353
3354 2018-09-25  Saam Barati  <sbarati@apple.com>
3355
3356         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3357         https://bugs.webkit.org/show_bug.cgi?id=189940
3358         <rdar://problem/43640987>
3359
3360         Reviewed by Mark Lam.
3361
3362         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3363
3364 2018-09-24  Saam Barati  <sbarati@apple.com>
3365
3366         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3367         https://bugs.webkit.org/show_bug.cgi?id=189922
3368         <rdar://problem/44651275>
3369
3370         Reviewed by Mark Lam.
3371
3372         * stress/array-indexof-fast-path-effects.js: Added.
3373         * stress/array-indexof-cached-length.js: Added.
3374
3375 2018-09-24  Saam barati  <sbarati@apple.com>
3376
3377         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3378         https://bugs.webkit.org/show_bug.cgi?id=189682
3379         <rdar://problem/43557315>
3380
3381         Reviewed by Mark Lam.
3382
3383         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3384         (foo):
3385
3386 2018-09-22  Saam barati  <sbarati@apple.com>
3387
3388         The sampling should not use Strong<CodeBlock> in its machineLocation field
3389         https://bugs.webkit.org/show_bug.cgi?id=189319
3390
3391         Reviewed by Filip Pizlo.
3392
3393         * stress/sampling-profiler-richards.js: Added.
3394
3395 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3396
3397         [JSC] Optimize Array#indexOf in C++ runtime
3398         https://bugs.webkit.org/show_bug.cgi?id=189507
3399
3400         Reviewed by Saam Barati.
3401
3402         * stress/array-indexof-array-prototype-trap.js: Added.
3403         (shouldBe):
3404         (AncestorArray.prototype.get 2):
3405         (AncestorArray):
3406         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3407         (shouldBe):
3408         * stress/array-indexof-hole-nan.js: Added.
3409         (shouldBe):
3410         (throw.new.Error):
3411         * stress/array-indexof-infinity.js: Added.
3412         (shouldBe):
3413         (throw.new.Error):
3414         * stress/array-indexof-negative-zero.js: Added.
3415         (shouldBe):
3416         (throw.new.Error):
3417         * stress/array-indexof-own-getter.js: Added.
3418         (shouldBe):
3419         (throw.new.Error.get array):
3420         (get array):
3421         * stress/array-indexof-prototype-trap.js: Added.
3422         (shouldBe):
3423         (DerivedArray.prototype.get 2):
3424         (DerivedArray):
3425
3426 2018-09-19  Saam Barati  <sbarati@apple.com>
3427
3428         AI rule for MultiPutByOffset executes its effects in the wrong order
3429         https://bugs.webkit.org/show_bug.cgi?id=189757
3430         <rdar://problem/43535257>
3431
3432         Reviewed by Michael Saboff.
3433
3434         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3435         (foo):
3436         (Foo):
3437         (g):
3438
3439 2018-09-17  Mark Lam  <mark.lam@apple.com>
3440
3441         Ensure that ForInContexts are invalidated if their loop local is over-written.
3442         https://bugs.webkit.org/show_bug.cgi?id=189571
3443         <rdar://problem/44402277>
3444
3445         Reviewed by Saam Barati.
3446
3447         * stress/regress-189571.js: Added.
3448
3449 2018-09-17  Saam Barati  <sbarati@apple.com>
3450
3451         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3452         https://bugs.webkit.org/show_bug.cgi?id=189676
3453         <rdar://problem/39682897>
3454
3455         Reviewed by Michael Saboff.
3456
3457         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3458         (A):
3459         (K):
3460         (i.catch):
3461
3462 2018-09-14  Saam Barati  <sbarati@apple.com>
3463
3464         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3465         https://bugs.webkit.org/show_bug.cgi?id=189628
3466         <rdar://problem/39481690>
3467
3468         Reviewed by Mark Lam.
3469
3470         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3471         (foo):
3472
3473 2018-09-11  Mark Lam  <mark.lam@apple.com>
3474
3475         Test for array initialization in arrayProtoFuncSplice.
3476         https://bugs.webkit.org/show_bug.cgi?id=170253
3477         <rdar://problem/31328773>
3478
3479         Rubber-stamped by Saam Barati.
3480
3481         * stress/regress-170253.js: Added.
3482
3483 2018-09-11  Mark Lam  <mark.lam@apple.com>
3484
3485         Test for IntlObject initialization.
3486         https://bugs.webkit.org/show_bug.cgi?id=170251
3487         <rdar://problem/31328419>
3488
3489         Rubber-stamped by Saam Barati.
3490
3491         * stress/regress-170251.js: Added.
3492
3493 2018-09-11  Mark Lam  <mark.lam@apple.com>
3494
3495         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3496         https://bugs.webkit.org/show_bug.cgi?id=169889
3497         <rdar://problem/31155607>
3498
3499         Reviewed by Saam Barati.
3500
3501         * stress/regress-169889-array-concat.js: Added.
3502         * stress/regress-169889-array-concat1.js: Added.
3503         * stress/regress-169889-array-slice.js: Added.
3504
3505 2018-09-11  Mark Lam  <mark.lam@apple.com>
3506
3507         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3508         https://bugs.webkit.org/show_bug.cgi?id=169445
3509         <rdar://problem/30957435>
3510
3511         Reviewed by Saam Barati.
3512
3513         * stress/regress-169445.js: Added.
3514         (let.gun.eval.A):
3515         (let.gun.eval.B.C):
3516         (let.gun.eval.B.C.prototype.trigger):
3517         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3518         (let.gun.eval.B):
3519         (let.gun.eval):
3520
3521 == Rolled over to ChangeLog-2018-09-11 ==