[JSC] AI should check the given constant's array type when folding GetByVal into...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2
3         [JSC] AI should check the given constant's array type when folding GetByVal into constant
4         https://bugs.webkit.org/show_bug.cgi?id=193413
5         <rdar://problem/46092389>
6
7         Reviewed by Keith Miller.
8
9         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
10         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
11         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
12         but GetByVal does not have appropriate ArrayModes, JSC crashes.
13
14         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
15         (compareArray):
16
17 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
18
19         [BigInt] Literal parsing is crashing when used inside a Object Literal
20         https://bugs.webkit.org/show_bug.cgi?id=193404
21
22         Reviewed by Yusuke Suzuki.
23
24         * stress/big-int-literal-inside-literal-object.js: Added.
25
26 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
27
28         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
29         https://bugs.webkit.org/show_bug.cgi?id=193372
30
31         Reviewed by Saam Barati.
32
33         * stress/typed-array-array-modes-profile.js: Added.
34         (foo):
35
36 2019-01-14  Mark Lam  <mark.lam@apple.com>
37
38         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
39         https://bugs.webkit.org/show_bug.cgi?id=193402
40         <rdar://problem/46012309>
41
42         Reviewed by Keith Miller.
43
44         * stress/regexp-compile-oom.js:
45         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
46           is enabled.  As a result, it will fail on cloop builds though there is no bug.
47
48 2019-01-11  Saam barati  <sbarati@apple.com>
49
50         DFG combined liveness can be wrong for terminal basic blocks
51         https://bugs.webkit.org/show_bug.cgi?id=193304
52         <rdar://problem/45268632>
53
54         Reviewed by Yusuke Suzuki.
55
56         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
57
58 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
59
60         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
61         https://bugs.webkit.org/show_bug.cgi?id=193308
62         <rdar://problem/45546542>
63
64         Reviewed by Saam Barati.
65
66         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
67         (shouldThrow):
68         (shouldBe):
69         (foo):
70         (get shouldThrow):
71         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
72         (shouldThrow):
73         (shouldBe):
74         (foo):
75         (get shouldBe):
76         (get shouldThrow):
77         (get return):
78         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
79         (shouldThrow):
80         (shouldBe):
81         (foo):
82         (get shouldBe):
83         (get shouldThrow):
84         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
85         (shouldThrow):
86         (shouldBe):
87         (foo):
88         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
89         (shouldThrow):
90         (shouldBe):
91         (foo):
92         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
93         (shouldThrow):
94         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
95         (shouldThrow):
96         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
97         (shouldThrow):
98         (shouldBe):
99         (foo):
100         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
101         (shouldThrow):
102         (shouldBe):
103         (foo):
104         (get shouldBe):
105         (get shouldThrow):
106         (get return):
107         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
108         (shouldThrow):
109         (shouldBe):
110         (foo):
111         (get shouldBe):
112         (get shouldThrow):
113         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
114         (shouldThrow):
115         (shouldBe):
116         (foo):
117         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
118         (shouldThrow):
119         (shouldBe):
120         (foo):
121
122 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
123
124         Enable DFG on ARM/Linux again
125         https://bugs.webkit.org/show_bug.cgi?id=192496
126
127         Reviewed by Yusuke Suzuki.
128
129         Test wasn't really skipped before moving the line with skip
130         to the top.
131
132         * stress/regress-192717.js:
133
134 2019-01-10  Commit Queue  <commit-queue@webkit.org>
135
136         Unreviewed, rolling out r239825.
137         https://bugs.webkit.org/show_bug.cgi?id=193330
138
139         Broke tests on armv7/linux bots (Requested by guijemont on
140         #webkit).
141
142         Reverted changeset:
143
144         "Enable DFG on ARM/Linux again"
145         https://bugs.webkit.org/show_bug.cgi?id=192496
146         https://trac.webkit.org/changeset/239825
147
148 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
149
150         Enable DFG on ARM/Linux again
151         https://bugs.webkit.org/show_bug.cgi?id=192496
152
153         Reviewed by Yusuke Suzuki.
154
155         Test wasn't really skipped before moving the line with skip
156         to the top.
157
158         * stress/regress-192717.js:
159
160 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
161
162         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
163         https://bugs.webkit.org/show_bug.cgi?id=193127
164
165         Reviewed by Saam Barati.
166
167         * stress/array-species-create-should-handle-masquerader.js: Added.
168         (shouldThrow):
169         * stress/is-undefined-or-null-builtin.js: Added.
170         (shouldBe):
171         (isUndefinedOrNull.vm.createBuiltin):
172
173 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
174
175         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
176         https://bugs.webkit.org/show_bug.cgi?id=193221
177
178         Reviewed by Mark Lam.
179
180         * stress/put-by-id-flags.js: Added.
181         (f):
182         (g):
183         (numberOfDFGCompiles):
184
185 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
186
187         Baseline version of get_by_id may corrupt metadata
188         https://bugs.webkit.org/show_bug.cgi?id=193085
189         <rdar://problem/23453006>
190
191         Reviewed by Saam Barati.
192
193         * stress/get-by-id-change-mode.js: Added.
194         (forEach):
195
196 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
197
198         [JSC] Optimize Object.prototype.toString
199         https://bugs.webkit.org/show_bug.cgi?id=193031
200
201         Reviewed by Saam Barati.
202
203         * stress/object-tostring-changed-proto.js: Added.
204         (shouldBe):
205         (test):
206         * stress/object-tostring-changed.js: Added.
207         (shouldBe):
208         (test):
209         * stress/object-tostring-misc.js: Added.
210         (shouldBe):
211         (test):
212         (i.switch):
213         * stress/object-tostring-other.js: Added.
214         (shouldBe):
215         (test):
216         * stress/object-tostring-untyped.js: Added.
217         (shouldBe):
218         (test):
219         (i.switch):
220
221 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
222
223         test262-runner misbehaves when test file YAML has a trailing space
224         https://bugs.webkit.org/show_bug.cgi?id=193053
225
226         Reviewed by Yusuke Suzuki.
227
228         * test262/expectations.yaml:
229         Mark two dozen tests as passing (and correct the output of another).
230
231 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
232
233         Unreviewed, JSTests gardening with memoryLimited
234
235         * stress/string-overflow-createError.js:
236
237 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
238
239         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
240         https://bugs.webkit.org/show_bug.cgi?id=193050
241
242         Reviewed by Yusuke Suzuki.
243
244         * test262.yaml:
245         * test262/expectations.yaml:
246         Mark 16 tests as passing.
247
248 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
249
250         [BigInt] Support BigInt in JSON.stringify
251         https://bugs.webkit.org/show_bug.cgi?id=192624
252
253         Reviewed by Saam Barati.
254
255         * stress/big-int-json-stringify-to-json.js: Added.
256         (shouldBe):
257         (shouldThrow):
258         (BigInt.prototype.toJSON):
259         (shouldBe.JSON.stringify):
260         * stress/big-int-json-stringify.js: Added.
261         (shouldBe):
262         (shouldThrow):
263
264 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
265
266         [JSC] Implement "well-formed JSON.stringify" proposal
267         https://bugs.webkit.org/show_bug.cgi?id=191677
268
269         Reviewed by Darin Adler.
270
271         * stress/json-surrogate-pair.js: Added.
272         (shouldBe):
273         * test262/expectations.yaml:
274
275 2018-12-20  Keith Miller  <keith_miller@apple.com>
276
277         Add support for globalThis
278         https://bugs.webkit.org/show_bug.cgi?id=165171
279
280         Reviewed by Mark Lam.
281
282         * test262/config.yaml:
283
284 2018-12-19  Keith Miller  <keith_miller@apple.com>
285
286         Update test262 configuration to not run tests dependent on ICU version.
287         https://bugs.webkit.org/show_bug.cgi?id=192920
288
289         Reviewed by Saam Barati.
290
291         * test262/expectations.yaml:
292
293 2018-12-20  Mark Lam  <mark.lam@apple.com>
294
295         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
296         https://bugs.webkit.org/show_bug.cgi?id=192939
297         <rdar://problem/46869516>
298
299         Reviewed by Keith Miller.
300
301         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
302
303 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
304
305         WTF::String and StringImpl overflow MaxLength
306         https://bugs.webkit.org/show_bug.cgi?id=192853
307         <rdar://problem/45726906>
308
309         Reviewed by Mark Lam.
310
311         * stress/string-16bit-repeat-overflow.js: Added.
312         (catch):
313
314 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
315
316         Unreviewed follow-up to r192914.
317
318         * test262/expectations.yaml:
319         Add the last 20 missing expectations.
320
321 2018-12-19  Keith Miller  <keith_miller@apple.com>
322
323         Fix test262 expectations
324         https://bugs.webkit.org/show_bug.cgi?id=192914
325
326         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
327
328         * test262/expectations.yaml:
329
330 2018-12-19  Keith Miller  <keith_miller@apple.com>
331
332         Update test262 tests.
333         https://bugs.webkit.org/show_bug.cgi?id=192907
334
335         Rubber stamped by Mark Lam.
336
337         * test262/*: Omitted because prepare-changelog crashes.
338
339 2018-12-19  Mark Lam  <mark.lam@apple.com>
340
341         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
342         https://bugs.webkit.org/show_bug.cgi?id=192464
343         <rdar://problem/46519455>
344
345         Reviewed by Saam Barati.
346
347         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
348         microbenchmark.
349
350         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
351         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
352
353 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
354
355         String overflow in JSC::createError results in ASSERT in WTF::makeString
356         https://bugs.webkit.org/show_bug.cgi?id=192833
357         <rdar://problem/45706868>
358
359         Reviewed by Mark Lam.
360
361         * stress/string-overflow-createError.js: Added.
362
363 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
364
365         Error message for `-x ** y` contains a typo.
366         https://bugs.webkit.org/show_bug.cgi?id=192832
367
368         Reviewed by Saam Barati.
369
370         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
371         (assert.assert.return.throws):
372         * stress/pow-expects-update-expression-on-lhs.js:
373         (throw.new.Error):
374         Update test expectations which match against the exact error message.
375
376 2018-12-18  Mark Lam  <mark.lam@apple.com>
377
378         Gardening: test options fix.
379         https://bugs.webkit.org/show_bug.cgi?id=192822
380
381         Unreviewed.
382
383         * stress/json-stringify-string-builder-overflow.js:
384
385 2018-12-18  Mark Lam  <mark.lam@apple.com>
386
387         JSON.stringify() should throw OOM on StringBuilder overflows.
388         https://bugs.webkit.org/show_bug.cgi?id=192822
389         <rdar://problem/46670577>
390
391         Reviewed by Saam Barati.
392
393         * stress/json-stringify-string-builder-overflow.js: Added.
394
395 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
396
397         Redeclaration of var over let/const/class should be a syntax error.
398         https://bugs.webkit.org/show_bug.cgi?id=192298
399
400         Reviewed by Keith Miller.
401
402         * test262.yaml:
403         * test262/expectations.yaml:
404         Mark 46 tests as passing.
405
406         * stress/block-scope-redeclarations.js:
407         Add some new tests.
408
409         * stress/for-in-invalidate-context-weird-assignments.js:
410         * stress/for-in-tests.js:
411         Replace tests for outdated behavior with tests for SyntaxError.
412
413         * ChakraCore/test/LetConst/defer3.baseline-jsc:
414         * ChakraCore/test/LetConst/letvar.baseline-jsc:
415         Update expectations.
416
417 2018-12-18  Mark Lam  <mark.lam@apple.com>
418
419         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
420         https://bugs.webkit.org/show_bug.cgi?id=191374
421         <rdar://problem/46525447>
422
423         Reviewed by Yusuke Suzuki.
424
425         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
426
427         * stress/elidable-new-object-roflcopter-then-exit.js:
428
429 2018-12-17  Mark Lam  <mark.lam@apple.com>
430
431         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
432         https://bugs.webkit.org/show_bug.cgi?id=192019
433         <rdar://problem/46525456>
434
435         Reviewed by Yusuke Suzuki.
436
437         The test runs too slow on 32-bit.
438
439         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
440
441 2018-12-17  Mark Lam  <mark.lam@apple.com>
442
443         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
444         https://bugs.webkit.org/show_bug.cgi?id=191373
445         <rdar://problem/46525458>
446
447         Reviewed by Yusuke Suzuki.
448
449         The test is already slow running with a JIT on 64-bit.  It will always timeout
450         on 32-bit without a JIT.
451
452         * stress/materialize-regexp-cyclic-regexp.js:
453
454 2018-12-17  Mark Lam  <mark.lam@apple.com>
455
456         Array unshift/shift should not race against the AI in the compiler thread.
457         https://bugs.webkit.org/show_bug.cgi?id=192795
458         <rdar://problem/46724263>
459
460         Reviewed by Saam Barati.
461
462         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
463
464 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
465
466         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
467         https://bugs.webkit.org/show_bug.cgi?id=190047
468
469         Reviewed by Saam Barati.
470
471         * stress/object-keys-cached-zero.js: Added.
472         (shouldBe):
473         (test):
474         * stress/object-keys-changed-attribute.js: Added.
475         (shouldBe):
476         (test):
477         * stress/object-keys-changed-index.js: Added.
478         (shouldBe):
479         (test):
480         * stress/object-keys-changed.js: Added.
481         (shouldBe):
482         (test):
483         * stress/object-keys-indexed-non-cache.js: Added.
484         (shouldBe):
485         (test):
486         * stress/object-keys-overrides-get-property-names.js: Added.
487         (shouldBe):
488         (test):
489         (noInline):
490
491 2018-12-17  Mark Lam  <mark.lam@apple.com>
492
493         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
494         https://bugs.webkit.org/show_bug.cgi?id=192779
495         <rdar://problem/46775869>
496
497         Reviewed by Saam Barati.
498
499         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
500
501 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
502
503         Unreviewed test gardening, address a syntax error in a new test.
504
505         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
506
507 2018-12-17  Mark Lam  <mark.lam@apple.com>
508
509         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
510         https://bugs.webkit.org/show_bug.cgi?id=192776
511         <rdar://problem/46772368>
512
513         Reviewed by Keith Miller.
514
515         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
516
517 2018-12-17  Mark Lam  <mark.lam@apple.com>
518
519         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
520         https://bugs.webkit.org/show_bug.cgi?id=192770
521         <rdar://problem/46449037>
522
523         Reviewed by Keith Miller.
524
525         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
526
527 2018-12-14  Mark Lam  <mark.lam@apple.com>
528
529         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
530         https://bugs.webkit.org/show_bug.cgi?id=192717
531         <rdar://problem/46660677>
532
533         Reviewed by Saam Barati.
534
535         * stress/regress-192717.js: Added.
536
537 2018-12-14  Commit Queue  <commit-queue@webkit.org>
538
539         Unreviewed, rolling out r239153, r239154, and r239155.
540         https://bugs.webkit.org/show_bug.cgi?id=192715
541
542         Caused flaky GC-related crashes seen with layout tests
543         (Requested by ryanhaddad on #webkit).
544
545         Reverted changesets:
546
547         "[JSC] Optimize Object.keys by caching own keys results in
548         StructureRareData"
549         https://bugs.webkit.org/show_bug.cgi?id=190047
550         https://trac.webkit.org/changeset/239153
551
552         "Unreviewed, build fix after r239153"
553         https://bugs.webkit.org/show_bug.cgi?id=190047
554         https://trac.webkit.org/changeset/239154
555
556         "Unreviewed, build fix after r239153, part 2"
557         https://bugs.webkit.org/show_bug.cgi?id=190047
558         https://trac.webkit.org/changeset/239155
559
560 2018-12-14  Keith Miller  <keith_miller@apple.com>
561
562         Callers of JSString::getIndex should check for OOM exceptions
563         https://bugs.webkit.org/show_bug.cgi?id=192709
564
565         Reviewed by Mark Lam.
566
567         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
568
569 2018-12-13  Mark Lam  <mark.lam@apple.com>
570
571         Add a missing exception check.
572         https://bugs.webkit.org/show_bug.cgi?id=192626
573         <rdar://problem/46662163>
574
575         Reviewed by Keith Miller.
576
577         * stress/regress-192626.js: Added.
578
579 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
580
581         [BigInt] Add ValueDiv into DFG
582         https://bugs.webkit.org/show_bug.cgi?id=186178
583
584         Reviewed by Yusuke Suzuki.
585
586         * stress/big-int-div-jit-osr.js: Added.
587         * stress/big-int-div-jit-untyped.js: Added.
588         * stress/value-div-fixup-int32-big-int.js: Added.
589
590 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
591
592         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
593         https://bugs.webkit.org/show_bug.cgi?id=190047
594
595         Reviewed by Keith Miller.
596
597         * stress/object-keys-cached-zero.js: Added.
598         (shouldBe):
599         (test):
600         * stress/object-keys-changed-attribute.js: Added.
601         (shouldBe):
602         (test):
603         * stress/object-keys-changed-index.js: Added.
604         (shouldBe):
605         (test):
606         * stress/object-keys-changed.js: Added.
607         (shouldBe):
608         (test):
609         * stress/object-keys-indexed-non-cache.js: Added.
610         (shouldBe):
611         (test):
612         * stress/object-keys-overrides-get-property-names.js: Added.
613         (shouldBe):
614         (test):
615         (noInline):
616
617 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
618
619         [DFG][FTL] Add NewSymbol
620         https://bugs.webkit.org/show_bug.cgi?id=192620
621
622         Reviewed by Saam Barati.
623
624         * microbenchmarks/symbol-creation.js: Added.
625         (test):
626         * stress/symbol-description-identity.js: Added.
627         (shouldBe):
628         (test):
629         * stress/symbol-identity.js: Added.
630         (shouldBe):
631         (test):
632         * stress/symbol-with-description-throw-error.js: Added.
633         (shouldBe):
634         (shouldThrow):
635         (test):
636         (object.toString):
637
638 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
639
640         [BigInt] Implement DFG/FTL typeof for BigInt
641         https://bugs.webkit.org/show_bug.cgi?id=192619
642
643         Reviewed by Keith Miller.
644
645         * stress/big-int-boolean-proven-type.js: Added.
646         (assert):
647         (bool):
648         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
649         (assert):
650         (typeOf):
651         (i.switch):
652         * stress/big-int-type-of-proven-type-non-constant.js: Added.
653         (assert):
654         (typeOf):
655         * stress/big-int-type-of.js:
656         (typeOf):
657         (func):
658
659 2018-12-10  Mark Lam  <mark.lam@apple.com>
660
661         PropertyAttribute needs a CustomValue bit.
662         https://bugs.webkit.org/show_bug.cgi?id=191993
663         <rdar://problem/46264467>
664
665         Reviewed by Saam Barati.
666
667         * stress/regress-191993.js: Added.
668
669 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
670
671         [BigInt] Add ValueMul into DFG
672         https://bugs.webkit.org/show_bug.cgi?id=186175
673
674         Reviewed by Yusuke Suzuki.
675
676         * stress/big-int-mul-jit-osr.js: Added.
677         * stress/big-int-mul-jit-untyped.js: Added.
678         * stress/value-mul-fixup-int32-big-int.js: Added.
679
680 2018-12-06  Keith Miller  <keith_miller@apple.com>
681
682         stress/big-wasm-memory tests failing on 32-bit JSC bot
683         https://bugs.webkit.org/show_bug.cgi?id=192020
684
685         Reviewed by Saam Barati.
686
687         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
688         the wasm stress tests if the WebAssembly object does not exist.
689
690         * stress/big-wasm-memory-grow-no-max.js:
691         (test.foo):
692         (test):
693         (foo): Deleted.
694         (catch): Deleted.
695         * stress/big-wasm-memory-grow.js:
696         (test.foo):
697         (test):
698         (foo): Deleted.
699         (catch): Deleted.
700         * stress/big-wasm-memory.js:
701         (test.foo):
702         (test):
703         (foo): Deleted.
704         (catch): Deleted.
705
706 2018-12-05  Mark Lam  <mark.lam@apple.com>
707
708         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
709         https://bugs.webkit.org/show_bug.cgi?id=192441
710         <rdar://problem/46480355>
711
712         Reviewed by Saam Barati.
713
714         * stress/regress-192441.js: Added.
715
716 2018-12-04  Mark Lam  <mark.lam@apple.com>
717
718         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
719         https://bugs.webkit.org/show_bug.cgi?id=192386
720         <rdar://problem/46445516>
721
722         Reviewed by Saam Barati.
723
724         * stress/regress-192386.js: Added.
725
726 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
727
728         [ESNext][BigInt] Support logic operations
729         https://bugs.webkit.org/show_bug.cgi?id=179903
730
731         Reviewed by Yusuke Suzuki.
732
733         * stress/big-int-branch-usage.js: Added.
734         * stress/big-int-logical-and.js: Added.
735         * stress/big-int-logical-not.js: Added.
736         * stress/big-int-logical-or.js: Added.
737
738 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
739
740         Unreviewed, rolling out r238833.
741
742         Breaks macOS and iOS debug builds.
743
744         Reverted changeset:
745
746         "[ESNext][BigInt] Support logic operations"
747         https://bugs.webkit.org/show_bug.cgi?id=179903
748         https://trac.webkit.org/changeset/238833
749
750 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
751
752         [ESNext][BigInt] Support logic operations
753         https://bugs.webkit.org/show_bug.cgi?id=179903
754
755         Reviewed by Yusuke Suzuki.
756
757         * stress/big-int-branch-usage.js: Added.
758         * stress/big-int-logical-and.js: Added.
759         * stress/big-int-logical-not.js: Added.
760         * stress/big-int-logical-or.js: Added.
761
762 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
763
764         [ESNext][BigInt] Implement support for "<<" and ">>"
765         https://bugs.webkit.org/show_bug.cgi?id=186233
766
767         Reviewed by Yusuke Suzuki.
768
769         * stress/big-int-left-shift-general.js: Added.
770         * stress/big-int-left-shift-range-error.js: Added.
771         * stress/big-int-left-shift-type-error.js: Added.
772         * stress/big-int-left-shift-wrapped-value.js: Added.
773         * stress/big-int-right-shift-general.js: Added.
774         * stress/big-int-right-shift-type-error.js: Added.
775         * stress/big-int-right-shift-wrapped-value.js: Added.
776         * stress/left-shift-to-primitive-precedence.js: Added.
777         * stress/right-shift-to-primitive-precedence.js: Added.
778
779 2018-11-30  Dean Jackson  <dino@apple.com>
780
781         Add first-class support for .mjs files in jsc binary
782         https://bugs.webkit.org/show_bug.cgi?id=192190
783         <rdar://problem/46375715>
784
785         Reviewed by Keith Miller.
786
787         * stress/simple-module.mjs: Added.
788         * stress/simple-script.js: Added.
789
790 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
791
792         [BigInt] Implement ValueBitXor into DFG
793         https://bugs.webkit.org/show_bug.cgi?id=190264
794
795         Reviewed by Yusuke Suzuki.
796
797         * stress/big-int-bitwise-xor-jit.js: Added.
798         * stress/big-int-bitwise-xor-memory-stress.js: Added.
799         * stress/big-int-bitwise-xor-untyped.js: Added.
800
801 2018-11-27  Saam barati  <sbarati@apple.com>
802
803         r238510 broke scopes of size zero
804         https://bugs.webkit.org/show_bug.cgi?id=192033
805         <rdar://problem/46281734>
806
807         Reviewed by Keith Miller.
808
809         * stress/r238510-bad-loop.js: Added.
810         (foo):
811
812 2018-11-27  Mark Lam  <mark.lam@apple.com>
813
814         [Re-landing] NaNs read from Wasm code needs to be be purified.
815         https://bugs.webkit.org/show_bug.cgi?id=191056
816         <rdar://problem/45660341>
817
818         Reviewed by Filip Pizlo.
819
820         * wasm/regress/regress-191056.js: Added.
821
822 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
823
824         Unreviewed, rolling out r238509.
825
826         Causes JSC tests to fail on iOS.
827
828         Reverted changeset:
829
830         "NaNs read from Wasm code needs to be be purified."
831         https://bugs.webkit.org/show_bug.cgi?id=191056
832         https://trac.webkit.org/changeset/238509
833
834 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
835
836         Re-introduce op_bitnot
837         https://bugs.webkit.org/show_bug.cgi?id=190923
838
839         Reviewed by Yusuke Suzuki.
840
841         * stress/bit-not-must-generate.js: Added.
842         * stress/bitwise-not-no-int32.js: Added.
843
844 2018-11-26  Saam barati  <sbarati@apple.com>
845
846         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
847         https://bugs.webkit.org/show_bug.cgi?id=191956
848         <rdar://problem/45665806>
849
850         Reviewed by Yusuke Suzuki.
851
852         * stress/end-basic-block-set-local-should-filter-type.js: Added.
853         (bar):
854         (foo):
855
856 2018-11-26  Saam barati  <sbarati@apple.com>
857
858         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
859         https://bugs.webkit.org/show_bug.cgi?id=191958
860         <rdar://problem/46221877>
861
862         Reviewed by Yusuke Suzuki.
863
864         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
865         (x):
866         (foo):
867
868 2018-11-26  Mark Lam  <mark.lam@apple.com>
869
870         NaNs read from Wasm code needs to be be purified.
871         https://bugs.webkit.org/show_bug.cgi?id=191056
872         <rdar://problem/45660341>
873
874         Reviewed by Filip Pizlo.
875
876         * wasm/regress/regress-191056.js: Added.
877
878 2018-11-26  Michael Saboff  <msaboff@apple.com>
879
880         32-bit JSC test failure: stress/regexp-compile-oom.js
881         https://bugs.webkit.org/show_bug.cgi?id=191375
882
883         Reviewed by Mark Lam.
884
885         Disabled the test for 32 bit platforms.
886
887         * stress/regexp-compile-oom.js:
888
889 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
890
891         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
892         https://bugs.webkit.org/show_bug.cgi?id=191716
893         <rdar://problem/45723878>
894
895         Reviewed by Saam Barati.
896
897         * stress/regress-187373.js: Added.
898         (async.fn):
899
900 2018-11-21  Saam barati  <sbarati@apple.com>
901
902         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
903         https://bugs.webkit.org/show_bug.cgi?id=191897
904         <rdar://problem/45871998>
905
906         Reviewed by Mark Lam.
907
908         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
909         (bar):
910         (foo):
911
912 2018-11-21  Saam barati  <sbarati@apple.com>
913
914         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
915         https://bugs.webkit.org/show_bug.cgi?id=191895
916         <rdar://problem/46167406>
917
918         Reviewed by Mark Lam.
919
920         * stress/known-cell-use-needs-type-check-assertion.js: Added.
921         (foo):
922         (bar):
923
924 2018-11-21  Mark Lam  <mark.lam@apple.com>
925
926         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
927         https://bugs.webkit.org/show_bug.cgi?id=191776
928         <rdar://problem/46152851>
929
930         Reviewed by Saam Barati.
931
932         * stress/big-wasm-memory-grow-no-max.js:
933         * stress/big-wasm-memory-grow.js:
934         * stress/big-wasm-memory.js:
935         - updated these to expect an OutOfMemoryError.
936
937         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
938         (Binary.prototype.emit_u8):
939         (Binary.prototype.emit_u32v):
940         (Binary.prototype.emit_header):
941         (Binary.prototype.emit_section):
942         (Binary):
943         (WasmModuleBuilder):
944         (WasmModuleBuilder.prototype.addMemory):
945         (WasmModuleBuilder.prototype.toArray):
946         (WasmModuleBuilder.prototype.toBuffer):
947         (WasmModuleBuilder.prototype.instantiate):
948         (catch):
949         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
950         (catch):
951
952 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
953
954         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
955         https://bugs.webkit.org/show_bug.cgi?id=190836
956
957         Reviewed by Saam Barati and Yusuke Suzuki.
958
959         * stress/big-int-out-of-memory-tests.js: Added.
960
961 2018-11-20  Mark Lam  <mark.lam@apple.com>
962
963         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
964         https://bugs.webkit.org/show_bug.cgi?id=191856
965         <rdar://problem/46089992>
966
967         Reviewed by Yusuke Suzuki.
968
969         * stress/regress-191856.js: Added.
970         - this test is skipped for now until we have a fix for webkit.org/b/191855.
971
972 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
973
974         Enable JIT on ARM/Linux
975         https://bugs.webkit.org/show_bug.cgi?id=191548
976
977         Reviewed by Yusuke Suzuki.
978
979         Disable test on system with limited memory. Program was killed by
980         the OS before the exception was thrown.
981
982         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
983
984 2018-11-20  Saam barati  <sbarati@apple.com>
985
986         Merging an IC variant may lead to the IC status containing overlapping structure sets
987         https://bugs.webkit.org/show_bug.cgi?id=191869
988         <rdar://problem/45403453>
989
990         Reviewed by Mark Lam.
991
992         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
993
994 2018-11-19  Mark Lam  <mark.lam@apple.com>
995
996         globalFuncImportModule() should return a promise when it clears exceptions.
997         https://bugs.webkit.org/show_bug.cgi?id=191792
998         <rdar://problem/46090763>
999
1000         Reviewed by Michael Saboff.
1001
1002         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1003
1004 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1005
1006         Skip new memory-hungry tests on memory limited devices
1007
1008         Unreviewed gardening.
1009
1010         * stress/big-wasm-memory-grow-no-max.js:
1011         * stress/big-wasm-memory-grow.js:
1012         * stress/big-wasm-memory.js:
1013
1014 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1015
1016         Unreviewed, rolling in the rest of r237254
1017         https://bugs.webkit.org/show_bug.cgi?id=190340
1018
1019         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1020         * stress/function-cache-with-parameters-end-position.js: Added.
1021         (shouldBe):
1022         (shouldThrow):
1023         (i.anonymous):
1024         * stress/function-constructor-name.js: Added.
1025         (shouldBe):
1026         (GeneratorFunction):
1027         (AsyncFunction.async):
1028         (AsyncGeneratorFunction.async):
1029         (anonymous):
1030         (async.anonymous):
1031         * test262/expectations.yaml:
1032
1033 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1034
1035         All users of ArrayBuffer should agree on the same max size
1036         https://bugs.webkit.org/show_bug.cgi?id=191771
1037
1038         Reviewed by Mark Lam.
1039
1040         * stress/big-wasm-memory-grow-no-max.js: Added.
1041         (foo):
1042         (catch):
1043         * stress/big-wasm-memory-grow.js: Added.
1044         (foo):
1045         (catch):
1046         * stress/big-wasm-memory.js: Added.
1047         (foo):
1048         (catch):
1049
1050 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1051
1052         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1053         run for each JSC config since they're regression tests for runtime bugs.
1054
1055         * stress/json-stringified-overflow-2.js:
1056         * stress/json-stringified-overflow.js:
1057
1058 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1059
1060         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1061         config since they're regression tests for runtime bugs.
1062
1063         * stress/large-unshift-splice.js:
1064         * stress/regress-185888.js:
1065
1066 2018-11-16  Saam Barati  <sbarati@apple.com>
1067
1068         KnownCellUse should also have SpecCellCheck as its type filter
1069         https://bugs.webkit.org/show_bug.cgi?id=191729
1070         <rdar://problem/45872852>
1071
1072         Reviewed by Filip Pizlo.
1073
1074         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1075         (C):
1076
1077 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1078
1079         Fix assertion failure on BytecodeGenerator::recordOpcode
1080         https://bugs.webkit.org/show_bug.cgi?id=191724
1081         <rdar://problem/45724395>
1082
1083         Reviewed by Saam Barati.
1084
1085         * stress/regress-187373-2.js: Added.
1086         (foo):
1087
1088 2018-11-15  Mark Lam  <mark.lam@apple.com>
1089
1090         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1091         https://bugs.webkit.org/show_bug.cgi?id=191730
1092         <rdar://problem/46048517>
1093
1094         Reviewed by Saam Barati.
1095
1096         * stress/regress-187006.js: Removed.
1097           - this test is invalid because its sole purpose is to test for the non-spec
1098             compliant behavior that we just fixed.
1099
1100         * stress/regress-191730.js: Added.
1101
1102 2018-11-15  Mark Lam  <mark.lam@apple.com>
1103
1104         RegExp operations should not take fast patch if lastIndex is not numeric.
1105         https://bugs.webkit.org/show_bug.cgi?id=191731
1106         <rdar://problem/46017305>
1107
1108         Reviewed by Saam Barati.
1109
1110         * stress/regress-191731.js: Added.
1111
1112 2018-11-13  Saam Barati  <sbarati@apple.com>
1113
1114         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1115         https://bugs.webkit.org/show_bug.cgi?id=191600
1116
1117         Reviewed by Mark Lam.
1118
1119         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1120         (foo):
1121         (test):
1122         (bar):
1123
1124 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1125
1126         Unreviewed, rolling out r238132.
1127
1128         The test added with this change is timing out on Debug JSC
1129         bots.
1130
1131         Reverted changeset:
1132
1133         "[BigInt] JSBigInt::createWithLength should throw when length
1134         is greater than JSBigInt::maxLength"
1135         https://bugs.webkit.org/show_bug.cgi?id=190836
1136         https://trac.webkit.org/changeset/238132
1137
1138 2018-11-13  Mark Lam  <mark.lam@apple.com>
1139
1140         Add OOM detection to StringPrototype's substituteBackreferences().
1141         https://bugs.webkit.org/show_bug.cgi?id=191563
1142         <rdar://problem/45720428>
1143
1144         Reviewed by Saam Barati.
1145
1146         * stress/regress-191563.js: Added.
1147
1148 2018-11-13  Mark Lam  <mark.lam@apple.com>
1149
1150         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1151         https://bugs.webkit.org/show_bug.cgi?id=191579
1152         <rdar://problem/45942472>
1153
1154         Reviewed by Saam Barati.
1155
1156         * stress/regress-191579.js: Added.
1157
1158 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1159
1160         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1161         https://bugs.webkit.org/show_bug.cgi?id=190836
1162
1163         Reviewed by Saam Barati.
1164
1165         * stress/big-int-out-of-memory-tests.js: Added.
1166
1167 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1168
1169         U+180E is no longer a whitespace character
1170         https://bugs.webkit.org/show_bug.cgi?id=191415
1171
1172         Reviewed by Saam Barati.
1173
1174         * ChakraCore/test/es5/regexSpace.baseline:
1175         * ChakraCore/test/es6/unicode_whitespace.js:
1176         Update tests to latest version.
1177         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1178
1179         * test262.yaml:
1180         * test262/config.yaml:
1181         * test262/expectations.yaml:
1182         Update expectations.
1183
1184 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1185
1186         [BigInt] Add support to BigInt into ValueAdd
1187         https://bugs.webkit.org/show_bug.cgi?id=186177
1188
1189         Reviewed by Keith Miller.
1190
1191         * stress/big-int-negate-jit.js:
1192         * stress/value-add-big-int-and-string.js: Added.
1193         * stress/value-add-big-int-prediction-propagation.js: Added.
1194         * stress/value-add-big-int-untyped.js: Added.
1195
1196 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1197
1198         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1199         https://bugs.webkit.org/show_bug.cgi?id=191184
1200
1201         Reviewed by Saam Barati.
1202
1203         Most tests were failing due to timeouts, since they are too slow to
1204         run on CLoop. The exceptions are:
1205
1206         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1207         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1208         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1209         to change the stack size since CLoop requires it to be page aligned.
1210
1211         * microbenchmarks/array-push-1.js:
1212         * microbenchmarks/array-push-2.js:
1213         * microbenchmarks/elidable-new-object-dag.js:
1214         * microbenchmarks/elidable-new-object-roflcopter.js:
1215         * microbenchmarks/elidable-new-object-tree.js:
1216         * microbenchmarks/getter-richards.js:
1217         * microbenchmarks/sinkable-new-object-dag.js:
1218         * microbenchmarks/string-concat-long-convert.js:
1219         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1220         * slowMicrobenchmarks/array-push-3.js:
1221         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1222         * slowMicrobenchmarks/spread-small-array.js:
1223         * slowMicrobenchmarks/undefined-property-access.js:
1224         * stress/activation-sink-default-value-tdz-error.js:
1225         * stress/activation-sink-default-value.js:
1226         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1227         * stress/activation-sink-osrexit-default-value.js:
1228         * stress/activation-sink-osrexit.js:
1229         * stress/activation-sink.js:
1230         * stress/allow-math-ic-b3-code-duplication.js:
1231         * stress/array-push-multiple-int32.js:
1232         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1233         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1234         * stress/arrowfunction-lexical-this-activation-sink.js:
1235         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1236         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1237         * stress/elide-new-object-dag-then-exit.js:
1238         * stress/materialize-regexp-cyclic.js:
1239         * stress/new-regex-inline.js:
1240         * stress/op_add.js:
1241         * stress/op_bitand.js:
1242         * stress/op_bitor.js:
1243         * stress/op_bitxor.js:
1244         * stress/op_div-ConstVar.js:
1245         * stress/op_div-VarConst.js:
1246         * stress/op_div-VarVar.js:
1247         * stress/op_lshift-ConstVar.js:
1248         * stress/op_lshift-VarConst.js:
1249         * stress/op_lshift-VarVar.js:
1250         * stress/op_mod-ConstVar.js:
1251         * stress/op_mod-VarConst.js:
1252         * stress/op_mod-VarVar.js:
1253         * stress/op_mul-ConstVar.js:
1254         * stress/op_mul-VarConst.js:
1255         * stress/op_mul-VarVar.js:
1256         * stress/op_rshift-ConstVar.js:
1257         * stress/op_rshift-VarConst.js:
1258         * stress/op_rshift-VarVar.js:
1259         * stress/op_sub-ConstVar.js:
1260         * stress/op_sub-VarConst.js:
1261         * stress/op_sub-VarVar.js:
1262         * stress/op_urshift-ConstVar.js:
1263         * stress/op_urshift-VarConst.js:
1264         * stress/op_urshift-VarVar.js:
1265         * stress/proxy-get-set-correct-receiver.js:
1266         * stress/regress-179562.js:
1267         * stress/rest-parameter-many-arguments.js:
1268         * stress/sampling-profiler-richards.js:
1269         * stress/splay-flash-access-1ms.js:
1270         * stress/tailCallForwardArguments.js:
1271         * stress/typed-array-get-by-val-profiling.js:
1272         * typeProfiler/getter-richards.js:
1273
1274 2018-11-06  Michael Saboff  <msaboff@apple.com>
1275
1276         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1277         https://bugs.webkit.org/show_bug.cgi?id=191271
1278
1279         Reviewed by Saam Barati.
1280
1281         Added more test cases and made all test cases run with the same deeply recursive stack
1282         instead of finding that same point for each test case.
1283
1284         * stress/regexp-compile-oom.js:
1285         (prototype.runTest):
1286         (recurseAndTest):
1287         (testList.push.new.TestAndExpectedException):
1288
1289 2018-11-05  Michael Saboff  <msaboff@apple.com>
1290
1291         Unreviewed build fix for linux.
1292
1293         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1294
1295 2018-11-02  Michael Saboff  <msaboff@apple.com>
1296
1297         Rolling in r237753 with unreviewed build fix.
1298
1299         Fixed issues with DECLARE_THROW_SCOPE placement.
1300
1301 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1302
1303         Unreviewed, rolling out r237753.
1304
1305         Introduced JSC test failures
1306
1307         Reverted changeset:
1308
1309         "Running out of stack space not properly handled in
1310         RegExp::compile() and its callers"
1311         https://bugs.webkit.org/show_bug.cgi?id=191206
1312         https://trac.webkit.org/changeset/237753
1313
1314 2018-11-02  Michael Saboff  <msaboff@apple.com>
1315
1316         Running out of stack space not properly handled in RegExp::compile() and its callers
1317         https://bugs.webkit.org/show_bug.cgi?id=191206
1318
1319         Reviewed by Filip Pizlo.
1320
1321         New regression test.
1322
1323         * stress/regexp-compile-oom.js: Added.
1324         (recurseAndTest):
1325
1326 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1327
1328         Skip tests on arm/mips that time out now we're running on CLoop
1329
1330         Unreviewed gardening.
1331
1332         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1333         time out on the bots and need to be disabled. There's more tests
1334         disabled on arm because the timeout is longer on the mips bot (as the
1335         device is slower to start with), so many of the tests don't time out
1336         there.
1337
1338         * microbenchmarks/getter-richards.js: disable on arm and mips.
1339         * stress/op_add.js: disable on arm.
1340         * stress/op_bitand.js: disable on arm.
1341         * stress/op_bitor.js: disable on arm.
1342         * stress/op_bitxor.js: disable on arm.
1343         * stress/op_lshift-ConstVar.js: disable on arm.
1344         * stress/op_lshift-VarConst.js: disable on arm.
1345         * stress/op_lshift-VarVar.js: disable on arm.
1346         * stress/op_mod-ConstVar.js: disable on arm.
1347         * stress/op_mod-VarConst.js: disable on arm.
1348         * stress/op_mod-VarVar.js: disable on arm.
1349         * stress/op_mul-ConstVar.js: disable on arm.
1350         * stress/op_mul-VarConst.js: disable on arm.
1351         * stress/op_mul-VarVar.js: disable on arm.
1352         * stress/op_rshift-ConstVar.js: disable on arm.
1353         * stress/op_rshift-VarConst.js: disable on arm.
1354         * stress/op_rshift-VarVar.js: disable on arm.
1355         * stress/op_sub-ConstVar.js: disable on arm.
1356         * stress/op_sub-VarConst.js: disable on arm.
1357         * stress/op_sub-VarVar.js: disable on arm.
1358         * stress/op_urshift-ConstVar.js: disable on arm.
1359         * stress/op_urshift-VarConst.js: disable on arm.
1360         * stress/op_urshift-VarVar.js: disable on arm.
1361         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1362         * stress/value-to-boolean.js: disable on arm and mips.
1363
1364 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1365
1366         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1367         https://bugs.webkit.org/show_bug.cgi?id=191108
1368         <rdar://problem/45690700>
1369
1370         Reviewed by Saam Barati.
1371
1372         * stress/wide-op_catch.js: Added.
1373         (catch):
1374
1375 2018-10-29  Mark Lam  <mark.lam@apple.com>
1376
1377         Correctly detect string overflow when using the 'Function' constructor.
1378         https://bugs.webkit.org/show_bug.cgi?id=184883
1379         <rdar://problem/36320331>
1380
1381         Reviewed by Saam Barati.
1382
1383         I've verified that this passes on 32-bit as well.
1384
1385         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1386
1387 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1388
1389         Add support for GetStack FlushedDouble
1390         https://bugs.webkit.org/show_bug.cgi?id=191012
1391         <rdar://problem/45265141>
1392
1393         Reviewed by Saam Barati.
1394
1395         * stress/get-stack-double.js: Added.
1396         (bar):
1397         (noInline):
1398
1399 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1400
1401         New bytecode format for JSC
1402         https://bugs.webkit.org/show_bug.cgi?id=187373
1403         <rdar://problem/44186758>
1404
1405         Reviewed by Filip Pizlo.
1406
1407         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1408
1409         * stress/maximum-inline-capacity.js: Added.
1410         (test1):
1411         (test3.Foo):
1412         (test3):
1413
1414 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1415
1416         Unreviewed, rolling out r237479 and r237484.
1417         https://bugs.webkit.org/show_bug.cgi?id=190978
1418
1419         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1420
1421         Reverted changesets:
1422
1423         "New bytecode format for JSC"
1424         https://bugs.webkit.org/show_bug.cgi?id=187373
1425         https://trac.webkit.org/changeset/237479
1426
1427         "Gardening: Build fix after r237479."
1428         https://bugs.webkit.org/show_bug.cgi?id=187373
1429         https://trac.webkit.org/changeset/237484
1430
1431 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1432
1433         New bytecode format for JSC
1434         https://bugs.webkit.org/show_bug.cgi?id=187373
1435         <rdar://problem/44186758>
1436
1437         Reviewed by Filip Pizlo.
1438
1439         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1440
1441         * stress/maximum-inline-capacity.js: Added.
1442         (test1):
1443         (test3.Foo):
1444         (test3):
1445
1446 2018-10-26  Mark Lam  <mark.lam@apple.com>
1447
1448         Fix missing edge cases with JSGlobalObjects having a bad time.
1449         https://bugs.webkit.org/show_bug.cgi?id=189028
1450         <rdar://problem/45204939>
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/regress-189028.js: Added.
1455
1456 2018-10-22  Mark Lam  <mark.lam@apple.com>
1457
1458         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1459         https://bugs.webkit.org/show_bug.cgi?id=190515
1460         <rdar://problem/45222379>
1461
1462         Rubber-stamped by Saam Barati.
1463
1464         Adding another test.
1465
1466         * stress/regress-190515-2.js: Added.
1467
1468 2018-10-22  Mark Lam  <mark.lam@apple.com>
1469
1470         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1471         https://bugs.webkit.org/show_bug.cgi?id=190515
1472         <rdar://problem/45222379>
1473
1474         Reviewed by Saam Barati.
1475
1476         * stress/regress-190515.js: Added.
1477
1478 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1479
1480         Unreviewed, rolling out r237254.
1481         https://bugs.webkit.org/show_bug.cgi?id=190760
1482
1483         "It regresses JetStream 2 by 5% on some iOS devices"
1484         (Requested by saamyjoon on #webkit).
1485
1486         Reverted changeset:
1487
1488         "[JSC] JSC should have "parseFunction" to optimize Function
1489         constructor"
1490         https://bugs.webkit.org/show_bug.cgi?id=190340
1491         https://trac.webkit.org/changeset/237254
1492
1493 2018-10-19  Saam Barati  <sbarati@apple.com>
1494
1495         vmCall should check if we exit before emitting an OSR exit due to exceptions
1496         https://bugs.webkit.org/show_bug.cgi?id=190740
1497         <rdar://problem/45220139>
1498
1499         Reviewed by Mark Lam.
1500
1501         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1502         (foo):
1503
1504 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1505
1506         [ESNext][BigInt] Implement support for "^"
1507         https://bugs.webkit.org/show_bug.cgi?id=186235
1508
1509         Reviewed by Yusuke Suzuki.
1510
1511         * stress/big-int-bitwise-xor-general.js: Added.
1512         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1513         * stress/big-int-bitwise-xor-type-error.js: Added.
1514         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1515
1516 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1517
1518         [BigInt] Add ValueSub into DFG
1519         https://bugs.webkit.org/show_bug.cgi?id=186176
1520
1521         Reviewed by Yusuke Suzuki.
1522
1523         * stress/big-int-subtraction-jit.js:
1524         * stress/value-sub-big-int-prediction-propagation.js: Added.
1525         * stress/value-sub-big-int-untyped.js: Added.
1526         * stress/value-sub-spec-none-case.js: Added.
1527
1528 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1529
1530         [JSC] JSC should have "parseFunction" to optimize Function constructor
1531         https://bugs.webkit.org/show_bug.cgi?id=190340
1532
1533         Reviewed by Mark Lam.
1534
1535         This patch fixes the line number of syntax errors raised by the Function constructor,
1536         since we now parse the final code only once. And we no longer use block statement
1537         for Function constructor's parsing.
1538
1539         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1540         * stress/function-cache-with-parameters-end-position.js: Added.
1541         (shouldBe):
1542         (shouldThrow):
1543         (i.anonymous):
1544         * stress/function-constructor-name.js: Added.
1545         (shouldBe):
1546         (GeneratorFunction):
1547         (AsyncFunction.async):
1548         (AsyncGeneratorFunction.async):
1549         (anonymous):
1550         (async.anonymous):
1551         * test262/expectations.yaml:
1552
1553 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1554
1555         Unreviewed, rolling out r237242.
1556         https://bugs.webkit.org/show_bug.cgi?id=190701
1557
1558         it breaks "stress/sampling-profiler-basic.js" (Requested by
1559         caiolima on #webkit).
1560
1561         Reverted changeset:
1562
1563         "[BigInt] Add ValueSub into DFG"
1564         https://bugs.webkit.org/show_bug.cgi?id=186176
1565         https://trac.webkit.org/changeset/237242
1566
1567 2018-10-17  Keith Miller  <keith_miller@apple.com>
1568
1569         AI does not clear Phantom allocation nodes.
1570         https://bugs.webkit.org/show_bug.cgi?id=190694
1571
1572         Reviewed by Saam Barati.
1573
1574         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1575         (Day):
1576         (DaysInYear):
1577         (TimeInYear):
1578         (TimeFromYear):
1579         (DayFromYear):
1580         (InLeapYear):
1581         (YearFromTime):
1582         (WeekDay):
1583         (DaylightSavingTA):
1584         (GetSecondSundayInMarch):
1585         (TimeInMonth):
1586
1587 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1588
1589         [BigInt] Add ValueSub into DFG
1590         https://bugs.webkit.org/show_bug.cgi?id=186176
1591
1592         Reviewed by Yusuke Suzuki.
1593
1594         * stress/big-int-subtraction-jit.js:
1595         * stress/value-sub-big-int-prediction-propagation.js: Added.
1596         * stress/value-sub-big-int-untyped.js: Added.
1597
1598 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1599
1600         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1601         https://bugs.webkit.org/show_bug.cgi?id=190611
1602
1603         Reviewed by Saam Barati.
1604
1605         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1606         to improve test runtime. On ARM/MIPS this test even timed out when running all
1607         tests.
1608
1609         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1610         (test):
1611
1612 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1613
1614         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1615
1616         Unreviewed gardening.
1617
1618         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1619
1620 2018-10-15  Saam barati  <sbarati@apple.com>
1621
1622         Emit fjcvtzs on ARM64E on Darwin
1623         https://bugs.webkit.org/show_bug.cgi?id=184023
1624
1625         Reviewed by Yusuke Suzuki and Filip Pizlo.
1626
1627         * stress/double-to-int32-NaN.js: Added.
1628         (assert):
1629         (foo):
1630
1631 2018-10-15  Saam Barati  <sbarati@apple.com>
1632
1633         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1634         https://bugs.webkit.org/show_bug.cgi?id=190262
1635         <rdar://problem/44986241>
1636
1637         Reviewed by Mark Lam.
1638
1639         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1640         (test):
1641         * stress/slice-array-storage-with-holes.js: Added.
1642         (main):
1643
1644 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1645
1646         Unreviewed, rolling out r237054.
1647         https://bugs.webkit.org/show_bug.cgi?id=190593
1648
1649         "this regressed JetStream 2 by 6% on iOS" (Requested by
1650         saamyjoon on #webkit).
1651
1652         Reverted changeset:
1653
1654         "[JSC] JSC should have "parseFunction" to optimize Function
1655         constructor"
1656         https://bugs.webkit.org/show_bug.cgi?id=190340
1657         https://trac.webkit.org/changeset/237054
1658
1659 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1660
1661         [JSC] JSON.stringify can accept call-with-no-arguments
1662         https://bugs.webkit.org/show_bug.cgi?id=190343
1663
1664         Reviewed by Mark Lam.
1665
1666         * stress/json-stringify-no-arguments.js: Added.
1667         (shouldBe):
1668
1669 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1670
1671         [JSC] JSC should have "parseFunction" to optimize Function constructor
1672         https://bugs.webkit.org/show_bug.cgi?id=190340
1673
1674         Reviewed by Mark Lam.
1675
1676         This patch fixes the line number of syntax errors raised by the Function constructor,
1677         since we now parse the final code only once. And we no longer use block statement
1678         for Function constructor's parsing.
1679
1680         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1681         * stress/function-cache-with-parameters-end-position.js: Added.
1682         (shouldBe):
1683         (shouldThrow):
1684         (i.anonymous):
1685         * stress/function-constructor-name.js: Added.
1686         (shouldBe):
1687         (GeneratorFunction):
1688         (AsyncFunction.async):
1689         (AsyncGeneratorFunction.async):
1690         (anonymous):
1691         (async.anonymous):
1692         * test262/expectations.yaml:
1693
1694 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1695
1696         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1697         https://bugs.webkit.org/show_bug.cgi?id=190426
1698
1699         Unreviewed gardening.
1700
1701         * stress/sampling-profiler-richards.js:
1702
1703 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1704
1705         [ESNext][BigInt] Implement support for "|"
1706         https://bugs.webkit.org/show_bug.cgi?id=186229
1707
1708         Reviewed by Yusuke Suzuki.
1709
1710         * stress/big-int-bitwise-and-jit.js:
1711         * stress/big-int-bitwise-or-general.js: Added.
1712         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1713         * stress/big-int-bitwise-or-jit.js: Added.
1714         * stress/big-int-bitwise-or-memory-stress.js: Added.
1715         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1716         * stress/big-int-bitwise-or-type-error.js: Added.
1717         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1718
1719 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1720
1721         Skip test on systems with limited memory
1722         https://bugs.webkit.org/show_bug.cgi?id=190310
1723
1724         Invoking runDefault adds test to runlist, skipping the test in the next
1725         line does not prevent the test from executing. Change order of lines such
1726         that runDefault is only executed if test is not executed.
1727
1728         Reviewed by Mark Lam.
1729
1730         * stress/regress-190187.js:
1731
1732 2018-10-03  Saam barati  <sbarati@apple.com>
1733
1734         lowXYZ in FTLLower should always filter the type of the incoming edge
1735         https://bugs.webkit.org/show_bug.cgi?id=189939
1736         <rdar://problem/44407030>
1737
1738         Reviewed by Michael Saboff.
1739
1740         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1741         (foo):
1742         (test):
1743
1744 2018-10-03  Mark Lam  <mark.lam@apple.com>
1745
1746         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1747         https://bugs.webkit.org/show_bug.cgi?id=190187
1748         <rdar://problem/42512909>
1749
1750         Reviewed by Michael Saboff.
1751
1752         * stress/regress-190187.js: Added.
1753
1754 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1755
1756         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1757         https://bugs.webkit.org/show_bug.cgi?id=190033
1758
1759         Reviewed by Yusuke Suzuki.
1760
1761         * stress/big-int-to-string.js:
1762
1763 2018-10-01  Mark Lam  <mark.lam@apple.com>
1764
1765         Function.toString() should also copy the source code Functions that are class definitions.
1766         https://bugs.webkit.org/show_bug.cgi?id=190186
1767         <rdar://problem/44733360>
1768
1769         Reviewed by Saam Barati.
1770
1771         * stress/regress-190186.js: Added.
1772
1773 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1774
1775         Split NaN-check into separate test
1776         https://bugs.webkit.org/show_bug.cgi?id=190010
1777
1778         Reviewed by Saam Barati.
1779
1780         DataView exposes NaN-representation, which is not necessarily the same on each
1781         architecture. Therefore move the check of the NaN-representation into its own
1782         file such that we can disable this test on MIPS where NaN-representation can be
1783         different on older CPUs.
1784
1785         * stress/dataview-jit-set-nan.js: Added.
1786         (assert):
1787         (test.storeLittleEndian):
1788         (test.storeBigEndian):
1789         (test.store):
1790         (test):
1791         * stress/dataview-jit-set.js:
1792         (test5):
1793
1794 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1795
1796         Unreviewed, rolling out r236647.
1797         https://bugs.webkit.org/show_bug.cgi?id=190124
1798
1799         Breaking test stress/big-int-to-string.js (Requested by
1800         caiolima_ on #webkit).
1801
1802         Reverted changeset:
1803
1804         "[BigInt] BigInt.proptotype.toString is broken when radix is
1805         power of 2"
1806         https://bugs.webkit.org/show_bug.cgi?id=190033
1807         https://trac.webkit.org/changeset/236647
1808
1809 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1810
1811         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1812         https://bugs.webkit.org/show_bug.cgi?id=190033
1813
1814         Reviewed by Yusuke Suzuki.
1815
1816         * stress/big-int-to-string.js:
1817
1818 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1819
1820         [ESNext][BigInt] Implement support for "&"
1821         https://bugs.webkit.org/show_bug.cgi?id=186228
1822
1823         Reviewed by Yusuke Suzuki.
1824
1825         * stress/big-int-bitwise-and-general.js: Added.
1826         (assert):
1827         (assert.sameValue):
1828         * stress/big-int-bitwise-and-jit.js: Added.
1829         (let.assert.sameValue):
1830         (bigIntBitAnd):
1831         * stress/big-int-bitwise-and-memory-stress.js: Added.
1832         (assert):
1833         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1834         (assert.sameValue):
1835         (let.o.Symbol.toPrimitive):
1836         (catch):
1837         * stress/big-int-bitwise-and-type-error.js: Added.
1838         (assert):
1839         (assertThrowTypeError):
1840         (let.o.valueOf):
1841         (o.valueOf):
1842         (o.toString):
1843         (o.Symbol.toPrimitive):
1844         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1845         (assert.sameValue):
1846         (testBitAnd):
1847         (let.o.Symbol.toPrimitive):
1848         (o.valueOf):
1849         (o.toString):
1850
1851 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1852
1853         JSC test stress/jsc-read.js doesn't support CRLF
1854         https://bugs.webkit.org/show_bug.cgi?id=190063
1855
1856         Reviewed by Yusuke Suzuki.
1857
1858         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1859
1860         * stress/jsc-read.js:
1861         (test):
1862
1863 2018-09-27  Saam barati  <sbarati@apple.com>
1864
1865         Verify the contents of AssemblerBuffer on arm64e
1866         https://bugs.webkit.org/show_bug.cgi?id=190057
1867         <rdar://problem/38916630>
1868
1869         Reviewed by Mark Lam.
1870
1871         * stress/regress-189132.js:
1872
1873 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1874
1875         Disable test without LLInt on ARMv7
1876         https://bugs.webkit.org/show_bug.cgi?id=190037
1877
1878         Reviewed by Mark Lam.
1879
1880         Test runs out of executable memory on ARMv7, do not run
1881         this test without LLInt enabled.
1882
1883         * stress/regress-169445.js:
1884
1885 2018-09-26  Keith Miller  <keith_miller@apple.com>
1886
1887         We should zero unused property storage when rebalancing array storage.
1888         https://bugs.webkit.org/show_bug.cgi?id=188151
1889
1890         Reviewed by Michael Saboff.
1891
1892         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1893
1894 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1895
1896         [JSC] Optimize Array#lastIndexOf
1897         https://bugs.webkit.org/show_bug.cgi?id=189780
1898
1899         Reviewed by Saam Barati.
1900
1901         * stress/array-lastindexof-array-prototype-trap.js: Added.
1902         (shouldBe):
1903         (AncestorArray.prototype.get 2):
1904         (AncestorArray):
1905         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1906         (shouldBe):
1907         * stress/array-lastindexof-hole-nan.js: Added.
1908         (shouldBe):
1909         (throw.new.Error):
1910         * stress/array-lastindexof-infinity.js: Added.
1911         (shouldBe):
1912         (throw.new.Error):
1913         * stress/array-lastindexof-negative-zero.js: Added.
1914         (shouldBe):
1915         (throw.new.Error):
1916         * stress/array-lastindexof-own-getter.js: Added.
1917         (shouldBe):
1918         (throw.new.Error.get array):
1919         (get array):
1920         * stress/array-lastindexof-prototype-trap.js: Added.
1921         (shouldBe):
1922         (DerivedArray.prototype.get 2):
1923         (DerivedArray):
1924
1925 2018-09-25  Saam Barati  <sbarati@apple.com>
1926
1927         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1928         https://bugs.webkit.org/show_bug.cgi?id=189940
1929         <rdar://problem/43640987>
1930
1931         Reviewed by Mark Lam.
1932
1933         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1934
1935 2018-09-24  Saam Barati  <sbarati@apple.com>
1936
1937         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1938         https://bugs.webkit.org/show_bug.cgi?id=189922
1939         <rdar://problem/44651275>
1940
1941         Reviewed by Mark Lam.
1942
1943         * stress/array-indexof-fast-path-effects.js: Added.
1944         * stress/array-indexof-cached-length.js: Added.
1945
1946 2018-09-24  Saam barati  <sbarati@apple.com>
1947
1948         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1949         https://bugs.webkit.org/show_bug.cgi?id=189682
1950         <rdar://problem/43557315>
1951
1952         Reviewed by Mark Lam.
1953
1954         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1955         (foo):
1956
1957 2018-09-22  Saam barati  <sbarati@apple.com>
1958
1959         The sampling should not use Strong<CodeBlock> in its machineLocation field
1960         https://bugs.webkit.org/show_bug.cgi?id=189319
1961
1962         Reviewed by Filip Pizlo.
1963
1964         * stress/sampling-profiler-richards.js: Added.
1965
1966 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1967
1968         [JSC] Optimize Array#indexOf in C++ runtime
1969         https://bugs.webkit.org/show_bug.cgi?id=189507
1970
1971         Reviewed by Saam Barati.
1972
1973         * stress/array-indexof-array-prototype-trap.js: Added.
1974         (shouldBe):
1975         (AncestorArray.prototype.get 2):
1976         (AncestorArray):
1977         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1978         (shouldBe):
1979         * stress/array-indexof-hole-nan.js: Added.
1980         (shouldBe):
1981         (throw.new.Error):
1982         * stress/array-indexof-infinity.js: Added.
1983         (shouldBe):
1984         (throw.new.Error):
1985         * stress/array-indexof-negative-zero.js: Added.
1986         (shouldBe):
1987         (throw.new.Error):
1988         * stress/array-indexof-own-getter.js: Added.
1989         (shouldBe):
1990         (throw.new.Error.get array):
1991         (get array):
1992         * stress/array-indexof-prototype-trap.js: Added.
1993         (shouldBe):
1994         (DerivedArray.prototype.get 2):
1995         (DerivedArray):
1996
1997 2018-09-19  Saam barati  <sbarati@apple.com>
1998
1999         AI rule for MultiPutByOffset executes its effects in the wrong order
2000         https://bugs.webkit.org/show_bug.cgi?id=189757
2001         <rdar://problem/43535257>
2002
2003         Reviewed by Michael Saboff.
2004
2005         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2006         (foo):
2007         (Foo):
2008         (g):
2009
2010 2018-09-17  Mark Lam  <mark.lam@apple.com>
2011
2012         Ensure that ForInContexts are invalidated if their loop local is over-written.
2013         https://bugs.webkit.org/show_bug.cgi?id=189571
2014         <rdar://problem/44402277>
2015
2016         Reviewed by Saam Barati.
2017
2018         * stress/regress-189571.js: Added.
2019
2020 2018-09-17  Saam barati  <sbarati@apple.com>
2021
2022         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2023         https://bugs.webkit.org/show_bug.cgi?id=189676
2024         <rdar://problem/39682897>
2025
2026         Reviewed by Michael Saboff.
2027
2028         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2029         (A):
2030         (K):
2031         (i.catch):
2032
2033 2018-09-14  Saam barati  <sbarati@apple.com>
2034
2035         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2036         https://bugs.webkit.org/show_bug.cgi?id=189628
2037         <rdar://problem/39481690>
2038
2039         Reviewed by Mark Lam.
2040
2041         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2042         (foo):
2043
2044 2018-09-11  Mark Lam  <mark.lam@apple.com>
2045
2046         Test for array initialization in arrayProtoFuncSplice.
2047         https://bugs.webkit.org/show_bug.cgi?id=170253
2048         <rdar://problem/31328773>
2049
2050         Rubber-stamped by Saam Barati.
2051
2052         * stress/regress-170253.js: Added.
2053
2054 2018-09-11  Mark Lam  <mark.lam@apple.com>
2055
2056         Test for IntlObject initialization.
2057         https://bugs.webkit.org/show_bug.cgi?id=170251
2058         <rdar://problem/31328419>
2059
2060         Rubber-stamped by Saam Barati.
2061
2062         * stress/regress-170251.js: Added.
2063
2064 2018-09-11  Mark Lam  <mark.lam@apple.com>
2065
2066         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2067         https://bugs.webkit.org/show_bug.cgi?id=169889
2068         <rdar://problem/31155607>
2069
2070         Reviewed by Saam Barati.
2071
2072         * stress/regress-169889-array-concat.js: Added.
2073         * stress/regress-169889-array-concat1.js: Added.
2074         * stress/regress-169889-array-slice.js: Added.
2075
2076 2018-09-11  Mark Lam  <mark.lam@apple.com>
2077
2078         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2079         https://bugs.webkit.org/show_bug.cgi?id=169445
2080         <rdar://problem/30957435>
2081
2082         Reviewed by Saam Barati.
2083
2084         * stress/regress-169445.js: Added.
2085         (let.gun.eval.A):
2086         (let.gun.eval.B.C):
2087         (let.gun.eval.B.C.prototype.trigger):
2088         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2089         (let.gun.eval.B):
2090         (let.gun.eval):
2091
2092 == Rolled over to ChangeLog-2018-09-11 ==