b240f6febd148a9f4b79e0417d22563917248427
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
2
3         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
4         https://bugs.webkit.org/show_bug.cgi?id=194944
5
6         Reviewed by Keith Miller.
7
8         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
9
10 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
11
12         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
13         https://bugs.webkit.org/show_bug.cgi?id=196409
14
15         Reviewed by Saam Barati.
16
17         * stress/bytecode-cache-cached-string-impl.js: Added.
18         (f):
19         (g):
20         * stress/bytecode-cache-run-string.js: Added.
21
22 2019-04-03  Robin Morisset  <rmorisset@apple.com>
23
24         B3 should use associativity to optimize expression trees
25         https://bugs.webkit.org/show_bug.cgi?id=194081
26
27         Reviewed by Filip Pizlo.
28
29         Added three microbenchmarks:
30         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
31         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
32           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
33         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
34
35         * microbenchmarks/add-tree.js: Added.
36         * microbenchmarks/bit-or-tree.js: Added.
37         * microbenchmarks/bit-xor-tree.js: Added.
38
39 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
40
41         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
42         https://bugs.webkit.org/show_bug.cgi?id=196574
43
44         Reviewed by Saam Barati.
45
46         * stress/string-index-of-exception-check.js: Added.
47         (blurType):
48         (1.forEach):
49
50 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
51
52         Assertion failed in JSC::createError
53         https://bugs.webkit.org/show_bug.cgi?id=196305
54         <rdar://problem/49387382>
55
56         Reviewed by Saam Barati.
57
58         * stress/create-error-out-of-memory-rope-string-2.js: Added.
59         (assert):
60         (catch):
61
62 2019-03-28  Saam Barati  <sbarati@apple.com>
63
64         BackwardsGraph needs to consider back edges as the backward's root successor
65         https://bugs.webkit.org/show_bug.cgi?id=195991
66
67         Reviewed by Filip Pizlo.
68
69         * stress/map-b3-licm-infinite-loop.js: Added.
70
71 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
72
73         CodeBlock::jettison() should disallow repatching its own calls
74         https://bugs.webkit.org/show_bug.cgi?id=196359
75         <rdar://problem/48973663>
76
77         Reviewed by Saam Barati.
78
79         * stress/call-link-info-osrexit-repatch.js: Added.
80         (foo):
81
82 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
83
84         [JSC] imports-oom.js intermittently fails
85         https://bugs.webkit.org/show_bug.cgi?id=196373
86
87         Reviewed by Saam Barati.
88
89         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
90         with an extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
91         the wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
92         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
93         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
94
95         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
96         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
97
98         * wasm/lowExecutableMemory/imports-oom.js:
99
100 2019-03-27  Saam Barati  <sbarati@apple.com>
101
102         validateOSREntryValue with Int52 should box the value being checked into double format
103         https://bugs.webkit.org/show_bug.cgi?id=196313
104         <rdar://problem/49306703>
105
106         Reviewed by Yusuke Suzuki.
107
108         * stress/validate-int-52-ai-state.js: Added.
109
110 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
111
112         [JSC] Owner of watchpoints should validate at GC finalizing phase
113         https://bugs.webkit.org/show_bug.cgi?id=195827
114
115         Reviewed by Filip Pizlo.
116
117         * stress/gc-should-reap-dead-watchpoints.js: Added.
118         (foo):
119         (A.prototype.y):
120         (A):
121
122 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
123
124         Skip WebAssembly test on 32-bit systems
125         https://bugs.webkit.org/show_bug.cgi?id=196206
126
127         Reviewed by Saam Barati.
128
129         Invoking runDefault executes the test immediately even though
130         that test should be skipped due to missing WASM support.
131         Therefore remove runDefault.
132
133         * wasm/regress/web-assembly-link-error-exception-check.js:
134
135 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
136
137         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
138         https://bugs.webkit.org/show_bug.cgi?id=196217
139
140         Reviewed by Saam Barati.
141
142         Re-enable all NaN tests for f32.min, f64.min and f64.max.
143
144         * wasm/spec-tests/f32.wast.js:
145         * wasm/spec-tests/f64.wast.js:
146         * wasm/wasm.json:
147
148 2019-03-25  Keith Miller  <keith_miller@apple.com>
149
150         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
151         https://bugs.webkit.org/show_bug.cgi?id=196176
152
153         Reviewed by Saam Barati.
154
155         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
156         (main.v10):
157         (main):
158
159 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
160
161         WebAssembly: f32.max with NaN generates incorrect result
162         https://bugs.webkit.org/show_bug.cgi?id=175691
163         <rdar://problem/33952228>
164
165         Reviewed by Saam Barati.
166
167         Enable all f32.max NaN tests
168
169         * wasm/spec-tests/f32.wast.js:
170         * wasm/wasm.json:
171
172 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
173
174         [JSC] Move test into directory for WASM tests
175         https://bugs.webkit.org/show_bug.cgi?id=196187
176
177         Reviewed by Mark Lam.
178
179         Move Test into wasm-directory. Otherwise this test
180         is also executed on systems without WASM support.
181
182         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
183
184 2019-03-23  Mark Lam  <mark.lam@apple.com>
185
186         Rolling out r243032 and r243071 because the fix is incorrect.
187         https://bugs.webkit.org/show_bug.cgi?id=195892
188         <rdar://problem/48981239>
189
190         Not reviewed.
191
192         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
193
194 2019-03-22  Mark Lam  <mark.lam@apple.com>
195
196         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
197         https://bugs.webkit.org/show_bug.cgi?id=196154
198         <rdar://problem/49145307>
199
200         Reviewed by Filip Pizlo.
201
202         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
203         There's no need to run this test on more than 1 test configuration.
204
205         * stress/typed-array-lastIndexOf-exception-check.js: Added.
206         * stress/web-assembly-link-error-exception-check.js:
207
208 2019-03-22  Mark Lam  <mark.lam@apple.com>
209
210         Placate exception check validation in constructJSWebAssemblyLinkError().
211         https://bugs.webkit.org/show_bug.cgi?id=196152
212         <rdar://problem/49145257>
213
214         Reviewed by Michael Saboff.
215
216         * stress/web-assembly-link-error-exception-check.js: Added.
217
218 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
219
220         Skip tests running out of memory on ARM/MIPS
221         https://bugs.webkit.org/show_bug.cgi?id=196131
222
223         Unreviewed. Skip test if memory is limited.
224
225         * microbenchmarks/put-by-val-direct-large-index.js:
226
227 2019-03-21  Mark Lam  <mark.lam@apple.com>
228
229         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
230         https://bugs.webkit.org/show_bug.cgi?id=196116
231         <rdar://problem/48976951>
232
233         Reviewed by Filip Pizlo.
234
235         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
236
237 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
238
239         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
240         https://bugs.webkit.org/show_bug.cgi?id=196078
241         <rdar://problem/35925380>
242
243         Reviewed by Mark Lam.
244
245         Add a new benchmark that allocates several objects and invokes put_by_val_direct
246         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
247
248         * microbenchmarks/put-by-val-direct-large-index.js: Added.
249
250 2019-03-21  Mark Lam  <mark.lam@apple.com>
251
252         Placate exception check validation in operationArrayIndexOfString().
253         https://bugs.webkit.org/show_bug.cgi?id=196067
254         <rdar://problem/49056572>
255
256         Reviewed by Michael Saboff.
257
258         * stress/string-equal-exception-check.js: Added.
259
260 2019-03-21  Mark Lam  <mark.lam@apple.com>
261
262         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
263         https://bugs.webkit.org/show_bug.cgi?id=196055
264         <rdar://problem/49067448>
265
266         Reviewed by Yusuke Suzuki.
267
268         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
269
270 2019-03-20  Saam Barati  <sbarati@apple.com>
271
272         typeOfDoubleSum is wrong for when NaN can be produced
273         https://bugs.webkit.org/show_bug.cgi?id=196030
274
275         Reviewed by Filip Pizlo.
276
277         * stress/double-add-sub-mul-can-produce-nan.js: Added.
278         (assert):
279         (noInline.sub):
280         (noInline):
281         (assert.mul):
282         (assert.add):
283
284 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
285
286         Update the test to ensure OutOfMemoryError is thrown as intended
287         https://bugs.webkit.org/show_bug.cgi?id=196032
288         <rdar://problem/46842740>
289
290         Rubber stamped by Saam Barati.
291
292         * stress/create-error-out-of-memory-rope-string.js:
293         (assert):
294         (catch):
295
296 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
297
298         JSC::createError needs to check for OOM in errorDescriptionForValue
299         https://bugs.webkit.org/show_bug.cgi?id=196032
300         <rdar://problem/46842740>
301
302         Reviewed by Mark Lam.
303
304         * stress/create-error-out-of-memory-rope-string.js: Added.
305
306 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
307
308         Unreviewed, reduce # of iterations to avoid timing out after r242991
309         https://bugs.webkit.org/show_bug.cgi?id=195791
310
311         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
312
313         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
314
315 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
316
317         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
318         https://bugs.webkit.org/show_bug.cgi?id=195950
319
320         Unreviewed, reducing the amount of memory used on this test to avoid
321         OOM on devices with memory restrictions.
322
323         * microbenchmarks/generate-multiple-llint-entrypoints.js:
324
325 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
326
327         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
328         https://bugs.webkit.org/show_bug.cgi?id=194648
329
330         Reviewed by Keith Miller.
331
332         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
333
334 2019-03-18  Mark Lam  <mark.lam@apple.com>
335
336         Missing a ThrowScope release in JSObject::toString().
337         https://bugs.webkit.org/show_bug.cgi?id=195893
338         <rdar://problem/48970986>
339
340         Reviewed by Michael Saboff.
341
342         * stress/to-string-exception-check-release.js: Added.
343
344 2019-03-18  Mark Lam  <mark.lam@apple.com>
345
346         Structure::flattenDictionary() should clear unused property slots.
347         https://bugs.webkit.org/show_bug.cgi?id=195871
348         <rdar://problem/48959497>
349
350         Reviewed by Michael Saboff.
351
352         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
353
354 2019-03-15  Mark Lam  <mark.lam@apple.com>
355
356         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
357         https://bugs.webkit.org/show_bug.cgi?id=195827
358         <rdar://problem/48845513>
359
360         Reviewed by Filip Pizlo.
361
362         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
363
364 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
365
366         [ARM,MIPS] Skip slow tests
367         https://bugs.webkit.org/show_bug.cgi?id=195799
368
369         Unreviewed, test does not finish on ARM and MIPS within the
370         timeout limit.
371
372         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
373
374 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
375
376         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
377         https://bugs.webkit.org/show_bug.cgi?id=195791
378         <rdar://problem/48806130>
379
380         Reviewed by Mark Lam.
381
382         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
383         (foo):
384
385 2019-03-14  Saam Barati  <sbarati@apple.com>
386
387         We can't remove code after ForceOSRExit until after FixupPhase
388         https://bugs.webkit.org/show_bug.cgi?id=186916
389         <rdar://problem/41396612>
390
391         Reviewed by Yusuke Suzuki.
392
393         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
394         (foo):
395         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
396         (foo):
397
398 2019-03-13  Michael Saboff  <msaboff@apple.com>
399
400         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
401         https://bugs.webkit.org/show_bug.cgi?id=195735
402
403         Reviewed by Mark Lam.
404
405         New regression test.
406
407         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
408         (foo):
409         (bar):
410
411 2019-03-14  Saam Barati  <sbarati@apple.com>
412
413         Fixup uses KnownInt32 incorrectly in some nodes
414         https://bugs.webkit.org/show_bug.cgi?id=195279
415         <rdar://problem/47915654>
416
417         Reviewed by Yusuke Suzuki.
418
419         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
420         (foo):
421
422 2019-03-14  Keith Miller  <keith_miller@apple.com>
423
424         DFG liveness can't skip tail caller inline frames
425         https://bugs.webkit.org/show_bug.cgi?id=195715
426
427         Reviewed by Saam Barati.
428
429         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
430         (i.foo):
431
432 2019-03-13  Mark Lam  <mark.lam@apple.com>
433
434         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
435         https://bugs.webkit.org/show_bug.cgi?id=195415
436
437         Not reviewed.
438
439         Changed these tests to only run the default configuration.
440         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
441         There's no strong need to run this test on that variant.
442
443         * stress/dfg-to-string-on-int-does-gc.js:
444         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
445
446 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
447
448         String overflow when using StringBuilder in JSC::createError
449         https://bugs.webkit.org/show_bug.cgi?id=194957
450
451         Reviewed by Mark Lam.
452
453         Add test string-overflow-createError-builder.js that overflows
454         StringBuilder in notAFunctionSourceAppender. The second new test
455         string-overflow-createError-fit.js has an error message that doesn't
456         overflow, it still failed since the String's capacity can't be doubled.
457         Run test string-overflow-createError.js only in the default
458         configuration to reduce memory consumption when running the test
459         in all configurations on multiple CPUs in parallel.
460
461         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
462         (catch):
463         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
464         (catch):
465         * stress/string-overflow-createError.js:
466
467 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
468
469         [JSC] OSR entry should respect abstract values in addition to flush formats
470         https://bugs.webkit.org/show_bug.cgi?id=195653
471
472         Reviewed by Mark Lam.
473
474         * stress/osr-entry-locals-none.js: Added.
475
476 2019-03-12  Michael Saboff  <msaboff@apple.com>
477
478         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
479         https://bugs.webkit.org/show_bug.cgi?id=195613
480
481         Reviewed by Mark Lam.
482
483         New regression test.
484
485         * stress/regexp-backref-inbounds.js: Added.
486         (testRegExp):
487
488 2019-03-12  Mark Lam  <mark.lam@apple.com>
489
490         The HasIndexedProperty node does GC.
491         https://bugs.webkit.org/show_bug.cgi?id=195559
492         <rdar://problem/48767923>
493
494         Reviewed by Yusuke Suzuki.
495
496         * stress/HasIndexedProperty-does-gc.js: Added.
497
498 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
499
500         [ESNext][BigInt] Implement "~" unary operation
501         https://bugs.webkit.org/show_bug.cgi?id=182216
502
503         Reviewed by Keith Miller.
504
505         * stress/big-int-bit-not-general.js: Added.
506         * stress/big-int-bitwise-not-jit.js: Added.
507         * stress/big-int-bitwise-not-wrapped-value.js: Added.
508         * stress/bit-op-with-object-returning-int32.js:
509         * stress/bitwise-not-fixup-rules.js: Added.
510         * stress/value-bit-not-ai-rule.js: Added.
511
512 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
513
514         Invalid flags in a RegExp literal should be an early SyntaxError
515         https://bugs.webkit.org/show_bug.cgi?id=195514
516
517         Reviewed by Darin Adler.
518
519         * test262/expectations.yaml:
520         Mark 4 test cases as passing.
521
522         * stress/regexp-syntax-error-invalid-flags.js:
523         * stress/regress-161995.js: Removed.
524         Update existing test, merging in an older test for the same behavior.
525
526 2019-03-08  Mark Lam  <mark.lam@apple.com>
527
528         Stack overflow crash in JSC::JSObject::hasInstance.
529         https://bugs.webkit.org/show_bug.cgi?id=195458
530         <rdar://problem/48710195>
531
532         Reviewed by Yusuke Suzuki.
533
534         * stress/stack-overflow-in-custom-hasInstance.js: Added.
535
536 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
537
538         op_check_tdz does not def its argument
539         https://bugs.webkit.org/show_bug.cgi?id=192880
540         <rdar://problem/46221598>
541
542         Reviewed by Saam Barati.
543
544         * microbenchmarks/let-for-in.js: Added.
545         (foo):
546
547 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
548
549         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
550         https://bugs.webkit.org/show_bug.cgi?id=195429
551
552         Reviewed by Saam Barati.
553
554         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
555         (foo):
556         * stress/string-from-char-code-255.js: Added.
557
558 2019-03-06  Mark Lam  <mark.lam@apple.com>
559
560         Fix incorrect handling of try-finally completion values.
561         https://bugs.webkit.org/show_bug.cgi?id=195131
562         <rdar://problem/46222079>
563
564         Reviewed by Saam Barati and Yusuke Suzuki.
565
566         Added many permutations of new test case to test-finally.js.  test-finally.js has
567         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
568         tests pass there as well.
569
570         * stress/test-finally.js:
571
572 2019-03-06  Saam Barati  <sbarati@apple.com>
573
574         Air::reportUsedRegisters must padInterference
575         https://bugs.webkit.org/show_bug.cgi?id=195303
576         <rdar://problem/48270343>
577
578         Reviewed by Keith Miller.
579
580         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
581
582 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
583
584         [JSC] AI should not propagate AbstractValue relying on constant folding phase
585         https://bugs.webkit.org/show_bug.cgi?id=195375
586
587         Reviewed by Saam Barati.
588
589         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
590         (let.array):
591
592 2019-03-05  Saam Barati  <sbarati@apple.com>
593
594         op_switch_char broken for rope strings after JSRopeString layout rewrite
595         https://bugs.webkit.org/show_bug.cgi?id=195339
596         <rdar://problem/48592545>
597
598         Reviewed by Yusuke Suzuki.
599
600         * stress/switch-on-char-llint-rope.js: Added.
601
602 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
603
604         [JSC] Store bits for JSRopeString in 3 stores
605         https://bugs.webkit.org/show_bug.cgi?id=195234
606
607         Reviewed by Saam Barati.
608
609         * stress/null-rope-and-collectors.js: Added.
610
611 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
612
613         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
614         https://bugs.webkit.org/show_bug.cgi?id=195207
615
616         Unreviewed. After test runtime was reduced in r242213, test can be
617         run again on ARM/MIPS.
618
619         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
620
621 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
622
623         [JSC] sizeof(JSString) should be 16
624         https://bugs.webkit.org/show_bug.cgi?id=194375
625
626         Reviewed by Saam Barati.
627
628         * microbenchmarks/make-rope.js: Added.
629         (makeRope):
630         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
631         (returnRope.helper): Deleted.
632         (returnRope): Deleted.
633
634 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
635
636         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
637         https://bugs.webkit.org/show_bug.cgi?id=195144
638
639         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
640         Change the number from 1e8 to 1e5.
641
642         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
643         (foo):
644
645 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
646
647         Test times out on ARM/MIPS
648         https://bugs.webkit.org/show_bug.cgi?id=195168
649
650         Unreviewed. Skip test on ARM/MIPS.
651
652         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
653
654 2019-02-27  Mark Lam  <mark.lam@apple.com>
655
656         The parser is failing to record the token location of new in new.target.
657         https://bugs.webkit.org/show_bug.cgi?id=195127
658         <rdar://problem/39645578>
659
660         Reviewed by Yusuke Suzuki.
661
662         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
663
664 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
665
666         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
667         https://bugs.webkit.org/show_bug.cgi?id=195144
668         <rdar://problem/47595961>
669
670         Reviewed by Mark Lam.
671
672         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
673         (bar):
674         (foo):
675         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
676         (bar):
677         (foo):
678
679 2019-02-27  Robin Morisset  <rmorisset@apple.com>
680
681         DFG: Loop-invariant code motion (LICM) should not hoist dead code
682         https://bugs.webkit.org/show_bug.cgi?id=194945
683         <rdar://problem/48311657>
684
685         Reviewed by Mark Lam.
686
687         * stress/licm-dead-code.js: Added.
688
689 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
690
691         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
692         https://bugs.webkit.org/show_bug.cgi?id=194677
693         <rdar://problem/48112492>
694
695         Reviewed by Mark Lam.
696
697         Before r241233, String.fromCharCode (except for an empty string) always returns a 16bit string.
698         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
699         it immediately fails due to the large size.
700
701         After r241233, String.fromCharCode starts returning an 8bit string if possible. So the rope becomes
702         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
703         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
704         an OOM error anyway because JSON.stringify's builder overflows with such a large string input.
705
706         This patch changes the test to produce a 16bit string from String.fromCharCode.
707
708         * stress/regress-178386.js:
709
710 2019-02-26  Mark Lam  <mark.lam@apple.com>
711
712         wasmToJS() should purify incoming NaNs.
713         https://bugs.webkit.org/show_bug.cgi?id=194807
714         <rdar://problem/48189132>
715
716         Reviewed by Saam Barati.
717
718         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
719
720 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
721
722         [JSC] Repeat string created from Array.prototype.join() take too much memory
723         https://bugs.webkit.org/show_bug.cgi?id=193912
724
725         Reviewed by Saam Barati.
726
727         Added a test and a microbenchmark for corner cases of
728         Array.prototype.join() with an uninitialized array.
729
730         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
731         * stress/array-prototype-join-uninitialized.js: Added.
732         (testArray):
733         (testABC):
734         (B):
735         (C):
736
737 2019-02-22  Robin Morisset  <rmorisset@apple.com>
738
739         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
740         https://bugs.webkit.org/show_bug.cgi?id=194953
741         <rdar://problem/47595253>
742
743         Reviewed by Saam Barati.
744
745         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
746
747         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
748
749 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
750
751         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
752         https://bugs.webkit.org/show_bug.cgi?id=172848
753         <rdar://problem/25709212>
754
755         Reviewed by Mark Lam.
756
757         * typeProfiler/inheritance.js:
758         Rewrite the test slightly for clarity. The hoisting was confusing.
759
760         * heapProfiler/class-names.js: Added.
761         (MyES5Class):
762         (MyES6Class):
763         (MyES6Subclass):
764         Test object types and improved class names.
765
766         * heapProfiler/driver/driver.js:
767         (CheapHeapSnapshotNode):
768         (CheapHeapSnapshot):
769         (createCheapHeapSnapshot):
770         (HeapSnapshot):
771         (createHeapSnapshot):
772         Update snapshot parsing from version 1 to version 2.
773
774 2019-02-19  Truitt Savell  <tsavell@apple.com>
775
776         Unreviewed, rolling out r241784.
777
778         Broke all OpenSource builds.
779
780         Reverted changeset:
781
782         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
783         instances view"
784         https://bugs.webkit.org/show_bug.cgi?id=172848
785         https://trac.webkit.org/changeset/241784
786
787 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
788
789         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
790         https://bugs.webkit.org/show_bug.cgi?id=172848
791         <rdar://problem/25709212>
792
793         Reviewed by Mark Lam.
794
795         * typeProfiler/inheritance.js:
796         Rewrite the test slightly for clarity. The hoisting was confusing.
797
798         * heapProfiler/class-names.js: Added.
799         (MyES5Class):
800         (MyES6Class):
801         (MyES6Subclass):
802         Test object types and improved class names.
803
804         * heapProfiler/driver/driver.js:
805         (CheapHeapSnapshotNode):
806         (CheapHeapSnapshot):
807         (createCheapHeapSnapshot):
808         (HeapSnapshot):
809         (createHeapSnapshot):
810         Update snapshot parsing from version 1 to version 2.
811
812 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
813
814         [ARM] Fix crash with sampling profiler
815         https://bugs.webkit.org/show_bug.cgi?id=194772
816
817         Reviewed by Mark Lam.
818
819         Do not skip test since crash with sampling profiler is now fixed.
820
821         * stress/sampling-profiler-richards.js:
822
823 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
824
825         [JSC] Add LazyClassStructure::getInitializedOnMainThread
826         https://bugs.webkit.org/show_bug.cgi?id=194784
827         <rdar://problem/48154820>
828
829         Reviewed by Mark Lam.
830
831         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
832         (getProperties):
833         (getRandomProperty):
834         (i.catch):
835
836 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
837
838         [ARM] Test gardening: Test running out of executable memory
839         https://bugs.webkit.org/show_bug.cgi?id=194771
840
841         Unreviewed. Do not run test without LLInt, test is running out of executable
842         memory on ARM otherwise.
843
844         * stress/tagged-template-object-collect.js:
845
846 2019-02-18  Tomas Popela  <tpopela@redhat.com>
847
848         Unreviewed, skip the test on platforms without sampling profiler
849
850         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
851         (platformSupportsSamplingProfiler.foo):
852         (platformSupportsSamplingProfiler.test):
853         (platformSupportsSamplingProfiler):
854         (foo): Deleted.
855         (test): Deleted.
856
857 2019-02-17  Saam Barati  <sbarati@apple.com>
858
859         Deadlock when adding a Structure property transition and then doing incremental marking
860         https://bugs.webkit.org/show_bug.cgi?id=194767
861
862         Reviewed by Mark Lam.
863
864         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
865
866 2019-02-15  Michael Saboff  <msaboff@apple.com>
867
868         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
869         https://bugs.webkit.org/show_bug.cgi?id=194558
870
871         Reviewed by Saam Barati.
872
873         New regression test.
874
875         * stress/regexp-unicode-within-string.js: Added.
876
877 2019-02-15  Mark Lam  <mark.lam@apple.com>
878
879         SamplingProfiler::stackTracesAsJSON() should escape strings.
880         https://bugs.webkit.org/show_bug.cgi?id=194649
881         <rdar://problem/48072386>
882
883         Reviewed by Saam Barati.
884
885         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
886         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
887         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
888         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
889
890 2019-02-15  Robin Morisset  <rmorisset@apple.com>
891         CodeBlock::jettison should clear related watchpoints
892         https://bugs.webkit.org/show_bug.cgi?id=194544
893
894         Reviewed by Mark Lam.
895
896         * stress/regexp-replace-double-watchpoint.js: Added.
897         (foo):
898
899 2019-02-15  Saam barati  <sbarati@apple.com>
900
901         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
902         https://bugs.webkit.org/show_bug.cgi?id=194036
903
904         Reviewed by Yusuke Suzuki.
905
906         * stress/tail-call-many-arguments.js: Added.
907         (foo):
908         (bar):
909
910 2019-02-14  Saam Barati  <sbarati@apple.com>
911
912         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
913         https://bugs.webkit.org/show_bug.cgi?id=194583
914         <rdar://problem/48028140>
915
916         Reviewed by Yusuke Suzuki.
917
918         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
919
920 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
921
922         [JSC] String.fromCharCode's slow path always generates 16bit string
923         https://bugs.webkit.org/show_bug.cgi?id=194466
924
925         Reviewed by Keith Miller.
926
927         * stress/string-from-char-code-slow-path.js: Added.
928         (shouldBe):
929         (testWithLength):
930
931 2019-02-08  Saam barati  <sbarati@apple.com>
932
933         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
934         https://bugs.webkit.org/show_bug.cgi?id=194334
935         <rdar://problem/47844327>
936
937         Reviewed by Mark Lam.
938
939         * stress/check-in-bounds-should-be-a-child-use.js: Added.
940         (func):
941
942 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
943
944         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
945         https://bugs.webkit.org/show_bug.cgi?id=194369
946         <rdar://problem/47813087>
947
948         Reviewed by Saam Barati.
949
950         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
951         (A):
952
953 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
954
955         [JSC] PrivateName to PublicName hash table is wasteful
956         https://bugs.webkit.org/show_bug.cgi?id=194277
957
958         Reviewed by Michael Saboff.
959
960         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
961
962         * ChakraCore.yaml:
963
964 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
965
966         [ARM] Test running out of executable memory
967         https://bugs.webkit.org/show_bug.cgi?id=194285
968
969         Unreviewed. Do not execute test with LLInt disabled, test runs out of
970         executable memory otherwise.
971
972         * stress/class-subclassing-function.js:
973
974 2019-02-04  Robin Morisset  <rmorisset@apple.com>
975
976         when lowering AssertNotEmpty, create the value before creating the patchpoint
977         https://bugs.webkit.org/show_bug.cgi?id=194231
978
979         Reviewed by Saam Barati.
980
981         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
982         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
983         So even tiny changes to this test can change the code path taken.
984
985         * stress/assert-not-empty.js: Added.
986         (foo):
987
988 2019-02-01  Mark Lam  <mark.lam@apple.com>
989
990         Remove invalid assertion in DFG's compileDoubleRep().
991         https://bugs.webkit.org/show_bug.cgi?id=194130
992         <rdar://problem/47699474>
993
994         Reviewed by Saam Barati.
995
996         * stress/constant-fold-double-rep-into-double-constant.js: Added.
997
998 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
999
1000         Import latest Test262 updates.
1001
1002         Rubber-stamped by Keith Miller.
1003
1004         * test262.yaml: Deleted.
1005         * test262/config.yaml:
1006         * test262/expectations.yaml:
1007         * test262/latest-changes-summary.txt:
1008         * test262/test/:
1009         * test262/test262-Revision.txt:
1010
1011 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1012
1013         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1014         https://bugs.webkit.org/show_bug.cgi?id=194050
1015         <rdar://problem/47595592>
1016
1017         Reviewed by Yusuke Suzuki.
1018
1019         * stress/object-keys-osr-exit.js: Added.
1020         (foo):
1021         (catch):
1022
1023 2019-01-29  Mark Lam  <mark.lam@apple.com>
1024
1025         ValueRecovery::recover() should purify NaN values it recovers.
1026         https://bugs.webkit.org/show_bug.cgi?id=193978
1027         <rdar://problem/47625488>
1028
1029         Reviewed by Saam Barati.
1030
1031         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1032
1033 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1034
1035         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1036         https://bugs.webkit.org/show_bug.cgi?id=193713
1037
1038         * stress/try-get-by-id-should-spill-registers-dfg.js:
1039         (let.f.createBuiltin):
1040
1041 2019-01-28  Mark Lam  <mark.lam@apple.com>
1042
1043         ToString node actually does GC.
1044         https://bugs.webkit.org/show_bug.cgi?id=193920
1045         <rdar://problem/46695900>
1046
1047         Reviewed by Yusuke Suzuki.
1048
1049         * stress/dfg-to-string-on-int-does-gc.js: Added.
1050         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1051         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1052
1053 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1054
1055         [JSC] NativeErrorConstructor should not have own IsoSubspace
1056         https://bugs.webkit.org/show_bug.cgi?id=193713
1057
1058         Reviewed by Saam Barati.
1059
1060         Remove @Error use.
1061
1062         * stress/try-get-by-id-should-spill-registers-dfg.js:
1063         (let.f.createBuiltin):
1064
1065 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1066
1067         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1068         https://bugs.webkit.org/show_bug.cgi?id=190693
1069
1070         Reviewed by Michael Saboff.
1071
1072         * stress/regress-190693.js: Added.
1073         (truth):
1074         (assert):
1075         (shouldThrowInvalidConstAssignment):
1076         (taz):
1077
1078 2019-01-24  Saam Barati  <sbarati@apple.com>
1079
1080         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1081         https://bugs.webkit.org/show_bug.cgi?id=193751
1082         <rdar://problem/47280215>
1083
1084         Reviewed by Michael Saboff.
1085
1086         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1087         (let.thing):
1088         (foo.let.hello):
1089         (foo):
1090
1091 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1092
1093         [JSC] Reenable baseline JIT on mips
1094         https://bugs.webkit.org/show_bug.cgi?id=192983
1095
1096         Reviewed by Mark Lam.
1097
1098         Added a new test for a case that was triggering a RELEASE_ASSERT when
1099         testing.
1100         Disable some slow tests that were already disabled for arm and x86.
1101
1102         * stress/json-parse-big-object.js: Added.
1103         * stress/new-largeish-contiguous-array-with-size.js:
1104         * stress/op_add.js:
1105         * stress/op_bitand.js:
1106         * stress/op_bitor.js:
1107         * stress/op_bitxor.js:
1108         * stress/op_lshift-ConstVar.js:
1109         * stress/op_lshift-VarConst.js:
1110         * stress/op_lshift-VarVar.js:
1111         * stress/op_mod-ConstVar.js:
1112         * stress/op_mod-VarConst.js:
1113         * stress/op_mod-VarVar.js:
1114         * stress/op_mul-ConstVar.js:
1115         * stress/op_mul-VarConst.js:
1116         * stress/op_mul-VarVar.js:
1117         * stress/op_rshift-ConstVar.js:
1118         * stress/op_rshift-VarConst.js:
1119         * stress/op_rshift-VarVar.js:
1120         * stress/op_sub-ConstVar.js:
1121         * stress/op_sub-VarConst.js:
1122         * stress/op_sub-VarVar.js:
1123         * stress/op_urshift-ConstVar.js:
1124         * stress/op_urshift-VarConst.js:
1125         * stress/op_urshift-VarVar.js:
1126         * stress/sampling-profiler-richards.js:
1127         * stress/spread-forward-call-varargs-stack-overflow.js:
1128
1129 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1130
1131         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1132         https://bugs.webkit.org/show_bug.cgi?id=193711
1133         <rdar://problem/47250262>
1134
1135         Reviewed by Saam Barati.
1136
1137         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1138         (shouldBe):
1139         (foo):
1140         (bar):
1141         (baz):
1142
1143 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1144
1145         Unreviewed, fix initial global lexical binding epoch
1146         https://bugs.webkit.org/show_bug.cgi?id=193603
1147         <rdar://problem/47380869>
1148
1149         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1150         (f1.f2.f3.f4):
1151         (f1.f2.f3):
1152         (f1.f2):
1153         (f1):
1154
1155 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1156
1157         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1158         https://bugs.webkit.org/show_bug.cgi?id=193709
1159         <rdar://problem/47363838>
1160
1161         Unreviewed, rollout to watch the tests.
1162
1163         * stress/object-tostring-changed-proto.js: Removed.
1164         * stress/object-tostring-changed.js: Removed.
1165         * stress/object-tostring-misc.js: Removed.
1166         * stress/object-tostring-other.js: Removed.
1167         * stress/object-tostring-untyped.js: Removed.
1168
1169 2019-01-22  Saam Barati  <sbarati@apple.com>
1170
1171         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1172
1173         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1174         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1175         (testUncheckedLessThanZero):
1176         (testUncheckedLessThanOrEqualZero):
1177         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1178         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1179
1180 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1181
1182         [JSC] Invalidate old scope operations using global lexical binding epoch
1183         https://bugs.webkit.org/show_bug.cgi?id=193603
1184         <rdar://problem/47380869>
1185
1186         Reviewed by Saam Barati.
1187
1188         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1189         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1190         (shouldThrow):
1191         (bar):
1192         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1193         (shouldBe):
1194         (get1):
1195         (get2):
1196         (get1If):
1197         (get2If):
1198         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1199         (shouldThrow):
1200         (foo):
1201
1202 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1203
1204         Unreviewed, roll out r240220 due to date-format-xparb regression
1205         https://bugs.webkit.org/show_bug.cgi?id=193603
1206
1207         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1208         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1209         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1210         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1211
1212 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1213
1214         DoesGC rule is wrong for nodes with BigIntUse
1215         https://bugs.webkit.org/show_bug.cgi?id=193652
1216
1217         Reviewed by Saam Barati.
1218
1219         * stress/big-int-value-op-update-gc-rules.js: Added.
1220         (assert):
1221         (doesGCAdd):
1222         (doesGCSub):
1223         (doesGCDiv):
1224         (doesGCMul):
1225         (doesGCBitAnd):
1226         (doesGCBitOr):
1227         (doesGCBitXor):
1228
1229 2019-01-20  Saam Barati  <sbarati@apple.com>
1230
1231         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1232         https://bugs.webkit.org/show_bug.cgi?id=193644
1233         <rdar://problem/46209745>
1234
1235         Reviewed by Yusuke Suzuki.
1236
1237         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1238         (foo):
1239         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1240         (foo):
1241         (bar):
1242
1243 2019-01-20  Saam Barati  <sbarati@apple.com>
1244
1245         MovHint must merge NodeBytecodeUsesAsValue for its child
1246         https://bugs.webkit.org/show_bug.cgi?id=186916
1247         <rdar://problem/41396612>
1248
1249         Reviewed by Yusuke Suzuki.
1250
1251         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1252         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1253
1254 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1255
1256         [JSC] Invalidate old scope operations using global lexical binding epoch
1257         https://bugs.webkit.org/show_bug.cgi?id=193603
1258         <rdar://problem/47380869>
1259
1260         Reviewed by Saam Barati.
1261
1262         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1263         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1264         (shouldThrow):
1265         (bar):
1266         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1267         (shouldBe):
1268         (get1):
1269         (get2):
1270         (get1If):
1271         (get2If):
1272         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1273         (shouldThrow):
1274         (foo):
1275
1276 2019-01-17  Saam barati  <sbarati@apple.com>
1277
1278         StringObjectUse should not be a structure check for the original string object structure
1279         https://bugs.webkit.org/show_bug.cgi?id=193483
1280         <rdar://problem/47280522>
1281
1282         Reviewed by Yusuke Suzuki.
1283
1284         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1285         (foo):
1286         (a.valueOf.0):
1287
1288 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1289
1290         [JSC] ToThis omission in DFGByteCodeParser is wrong
1291         https://bugs.webkit.org/show_bug.cgi?id=193513
1292         <rdar://problem/45842236>
1293
1294         Reviewed by Saam Barati.
1295
1296         * stress/to-this-omission-with-different-strict-modes.js: Added.
1297         (thisA):
1298         (thisAStrictWrapper):
1299
1300 2019-01-15  Mark Lam  <mark.lam@apple.com>
1301
1302         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1303         https://bugs.webkit.org/show_bug.cgi?id=193423
1304         <rdar://problem/46209355>
1305
1306         Reviewed by Saam Barati.
1307
1308         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1309         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1310         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1311         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1312
1313 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1314
1315         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1316         https://bugs.webkit.org/show_bug.cgi?id=193438
1317         <rdar://problem/45581249>
1318
1319         Reviewed by Saam Barati and Keith Miller.
1320
1321         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1322         Then, GetByVal(String) crashed.
1323
1324         * stress/string-get-by-val-lowering.js: Added.
1325         (shouldBe):
1326         (test):
1327         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1328         (Hello):
1329         (foo):
1330
1331 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1332
1333         Unreviewed, skip JIT tests if it's not enabled
1334
1335         * stress/bit-op-with-object-returning-int32.js:
1336
1337 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1338
1339         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1340         https://bugs.webkit.org/show_bug.cgi?id=192966
1341
1342         Reviewed by Yusuke Suzuki.
1343
1344         * stress/bit-op-with-object-returning-int32.js: Added.
1345
1346 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1347
1348         Skip a slow test and a flakey test on arm
1349
1350         Unreviewed gardening.
1351
1352         * typeProfiler/getter-richards.js:
1353         this test always times out, it used to be always skipped on arm and
1354         mips, but got accidentally enabled by r237919 now that we have DFG on
1355         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1356
1357 2019-01-14  Keith Miller  <keith_miller@apple.com>
1358
1359         Skip type-check-hoisting-phase-hoist... with no jit
1360         https://bugs.webkit.org/show_bug.cgi?id=193421
1361
1362         Reviewed by Mark Lam.
1363
1364         It's timing out the 32-bit bots and takes 330 seconds
1365         on my machine when run by itself.
1366
1367         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1368
1369 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1370
1371         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1372         https://bugs.webkit.org/show_bug.cgi?id=193413
1373         <rdar://problem/46092389>
1374
1375         Reviewed by Keith Miller.
1376
1377         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1378         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1379         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1380         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1381
1382         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1383         (compareArray):
1384
1385 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1386
1387         [BigInt] Literal parsing is crashing when used inside a Object Literal
1388         https://bugs.webkit.org/show_bug.cgi?id=193404
1389
1390         Reviewed by Yusuke Suzuki.
1391
1392         * stress/big-int-literal-inside-literal-object.js: Added.
1393
1394 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1395
1396         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1397         https://bugs.webkit.org/show_bug.cgi?id=193372
1398
1399         Reviewed by Saam Barati.
1400
1401         * stress/typed-array-array-modes-profile.js: Added.
1402         (foo):
1403
1404 2019-01-14  Mark Lam  <mark.lam@apple.com>
1405
1406         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1407         https://bugs.webkit.org/show_bug.cgi?id=193402
1408         <rdar://problem/46012309>
1409
1410         Reviewed by Keith Miller.
1411
1412         * stress/regexp-compile-oom.js:
1413         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1414           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1415
1416 2019-01-11  Saam barati  <sbarati@apple.com>
1417
1418         DFG combined liveness can be wrong for terminal basic blocks
1419         https://bugs.webkit.org/show_bug.cgi?id=193304
1420         <rdar://problem/45268632>
1421
1422         Reviewed by Yusuke Suzuki.
1423
1424         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1425
1426 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1427
1428         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1429         https://bugs.webkit.org/show_bug.cgi?id=193308
1430         <rdar://problem/45546542>
1431
1432         Reviewed by Saam Barati.
1433
1434         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1435         (shouldThrow):
1436         (shouldBe):
1437         (foo):
1438         (get shouldThrow):
1439         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1440         (shouldThrow):
1441         (shouldBe):
1442         (foo):
1443         (get shouldBe):
1444         (get shouldThrow):
1445         (get return):
1446         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1447         (shouldThrow):
1448         (shouldBe):
1449         (foo):
1450         (get shouldBe):
1451         (get shouldThrow):
1452         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1453         (shouldThrow):
1454         (shouldBe):
1455         (foo):
1456         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1457         (shouldThrow):
1458         (shouldBe):
1459         (foo):
1460         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1461         (shouldThrow):
1462         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1463         (shouldThrow):
1464         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1465         (shouldThrow):
1466         (shouldBe):
1467         (foo):
1468         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1469         (shouldThrow):
1470         (shouldBe):
1471         (foo):
1472         (get shouldBe):
1473         (get shouldThrow):
1474         (get return):
1475         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1476         (shouldThrow):
1477         (shouldBe):
1478         (foo):
1479         (get shouldBe):
1480         (get shouldThrow):
1481         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1482         (shouldThrow):
1483         (shouldBe):
1484         (foo):
1485         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1486         (shouldThrow):
1487         (shouldBe):
1488         (foo):
1489
1490 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1491
1492         Enable DFG on ARM/Linux again
1493         https://bugs.webkit.org/show_bug.cgi?id=192496
1494
1495         Reviewed by Yusuke Suzuki.
1496
1497         Test wasn't really skipped before moving the line with skip
1498         to the top.
1499
1500         * stress/regress-192717.js:
1501
1502 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1503
1504         Unreviewed, rolling out r239825.
1505         https://bugs.webkit.org/show_bug.cgi?id=193330
1506
1507         Broke tests on armv7/linux bots (Requested by guijemont on
1508         #webkit).
1509
1510         Reverted changeset:
1511
1512         "Enable DFG on ARM/Linux again"
1513         https://bugs.webkit.org/show_bug.cgi?id=192496
1514         https://trac.webkit.org/changeset/239825
1515
1516 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1517
1518         Enable DFG on ARM/Linux again
1519         https://bugs.webkit.org/show_bug.cgi?id=192496
1520
1521         Reviewed by Yusuke Suzuki.
1522
1523         Test wasn't really skipped before moving the line with skip
1524         to the top.
1525
1526         * stress/regress-192717.js:
1527
1528 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1529
1530         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1531         https://bugs.webkit.org/show_bug.cgi?id=193127
1532
1533         Reviewed by Saam Barati.
1534
1535         * stress/array-species-create-should-handle-masquerader.js: Added.
1536         (shouldThrow):
1537         * stress/is-undefined-or-null-builtin.js: Added.
1538         (shouldBe):
1539         (isUndefinedOrNull.vm.createBuiltin):
1540
1541 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1542
1543         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1544         https://bugs.webkit.org/show_bug.cgi?id=193221
1545
1546         Reviewed by Mark Lam.
1547
1548         * stress/put-by-id-flags.js: Added.
1549         (f):
1550         (g):
1551         (numberOfDFGCompiles):
1552
1553 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1554
1555         Baseline version of get_by_id may corrupt metadata
1556         https://bugs.webkit.org/show_bug.cgi?id=193085
1557         <rdar://problem/23453006>
1558
1559         Reviewed by Saam Barati.
1560
1561         * stress/get-by-id-change-mode.js: Added.
1562         (forEach):
1563
1564 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1565
1566         [JSC] Optimize Object.prototype.toString
1567         https://bugs.webkit.org/show_bug.cgi?id=193031
1568
1569         Reviewed by Saam Barati.
1570
1571         * stress/object-tostring-changed-proto.js: Added.
1572         (shouldBe):
1573         (test):
1574         * stress/object-tostring-changed.js: Added.
1575         (shouldBe):
1576         (test):
1577         * stress/object-tostring-misc.js: Added.
1578         (shouldBe):
1579         (test):
1580         (i.switch):
1581         * stress/object-tostring-other.js: Added.
1582         (shouldBe):
1583         (test):
1584         * stress/object-tostring-untyped.js: Added.
1585         (shouldBe):
1586         (test):
1587         (i.switch):
1588
1589 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1590
1591         test262-runner misbehaves when test file YAML has a trailing space
1592         https://bugs.webkit.org/show_bug.cgi?id=193053
1593
1594         Reviewed by Yusuke Suzuki.
1595
1596         * test262/expectations.yaml:
1597         Mark two dozen tests as passing (and correct the output of another).
1598
1599 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1600
1601         Unreviewed, JSTests gardening with memoryLimited
1602
1603         * stress/string-overflow-createError.js:
1604
1605 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1606
1607         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1608         https://bugs.webkit.org/show_bug.cgi?id=193050
1609
1610         Reviewed by Yusuke Suzuki.
1611
1612         * test262.yaml:
1613         * test262/expectations.yaml:
1614         Mark 16 tests as passing.
1615
1616 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1617
1618         [BigInt] Support BigInt in JSON.stringify
1619         https://bugs.webkit.org/show_bug.cgi?id=192624
1620
1621         Reviewed by Saam Barati.
1622
1623         * stress/big-int-json-stringify-to-json.js: Added.
1624         (shouldBe):
1625         (shouldThrow):
1626         (BigInt.prototype.toJSON):
1627         (shouldBe.JSON.stringify):
1628         * stress/big-int-json-stringify.js: Added.
1629         (shouldBe):
1630         (shouldThrow):
1631
1632 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1633
1634         [JSC] Implement "well-formed JSON.stringify" proposal
1635         https://bugs.webkit.org/show_bug.cgi?id=191677
1636
1637         Reviewed by Darin Adler.
1638
1639         * stress/json-surrogate-pair.js: Added.
1640         (shouldBe):
1641         * test262/expectations.yaml:
1642
1643 2018-12-20  Keith Miller  <keith_miller@apple.com>
1644
1645         Add support for globalThis
1646         https://bugs.webkit.org/show_bug.cgi?id=165171
1647
1648         Reviewed by Mark Lam.
1649
1650         * test262/config.yaml:
1651
1652 2018-12-19  Keith Miller  <keith_miller@apple.com>
1653
1654         Update test262 configuration to not run tests dependent on ICU version.
1655         https://bugs.webkit.org/show_bug.cgi?id=192920
1656
1657         Reviewed by Saam Barati.
1658
1659         * test262/expectations.yaml:
1660
1661 2018-12-20  Mark Lam  <mark.lam@apple.com>
1662
1663         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1664         https://bugs.webkit.org/show_bug.cgi?id=192939
1665         <rdar://problem/46869516>
1666
1667         Reviewed by Keith Miller.
1668
1669         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1670
1671 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1672
1673         WTF::String and StringImpl overflow MaxLength
1674         https://bugs.webkit.org/show_bug.cgi?id=192853
1675         <rdar://problem/45726906>
1676
1677         Reviewed by Mark Lam.
1678
1679         * stress/string-16bit-repeat-overflow.js: Added.
1680         (catch):
1681
1682 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1683
1684         Unreviewed follow-up to r192914.
1685
1686         * test262/expectations.yaml:
1687         Add the last 20 missing expectations.
1688
1689 2018-12-19  Keith Miller  <keith_miller@apple.com>
1690
1691         Fix test262 expectations
1692         https://bugs.webkit.org/show_bug.cgi?id=192914
1693
1694         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1695
1696         * test262/expectations.yaml:
1697
1698 2018-12-19  Keith Miller  <keith_miller@apple.com>
1699
1700         Update test262 tests.
1701         https://bugs.webkit.org/show_bug.cgi?id=192907
1702
1703         Rubber stamped by Mark Lam.
1704
1705         * test262/*: Omitted because prepare-changelog crashes.
1706
1707 2018-12-19  Mark Lam  <mark.lam@apple.com>
1708
1709         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1710         https://bugs.webkit.org/show_bug.cgi?id=192464
1711         <rdar://problem/46519455>
1712
1713         Reviewed by Saam Barati.
1714
1715         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1716         microbenchmark.
1717
1718         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1719         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1720
1721 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1722
1723         String overflow in JSC::createError results in ASSERT in WTF::makeString
1724         https://bugs.webkit.org/show_bug.cgi?id=192833
1725         <rdar://problem/45706868>
1726
1727         Reviewed by Mark Lam.
1728
1729         * stress/string-overflow-createError.js: Added.
1730
1731 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1732
1733         Error message for `-x ** y` contains a typo.
1734         https://bugs.webkit.org/show_bug.cgi?id=192832
1735
1736         Reviewed by Saam Barati.
1737
1738         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1739         (assert.assert.return.throws):
1740         * stress/pow-expects-update-expression-on-lhs.js:
1741         (throw.new.Error):
1742         Update test expectations which match against the exact error message.
1743
1744 2018-12-18  Mark Lam  <mark.lam@apple.com>
1745
1746         Gardening: test options fix.
1747         https://bugs.webkit.org/show_bug.cgi?id=192822
1748
1749         Unreviewed.
1750
1751         * stress/json-stringify-string-builder-overflow.js:
1752
1753 2018-12-18  Mark Lam  <mark.lam@apple.com>
1754
1755         JSON.stringify() should throw OOM on StringBuilder overflows.
1756         https://bugs.webkit.org/show_bug.cgi?id=192822
1757         <rdar://problem/46670577>
1758
1759         Reviewed by Saam Barati.
1760
1761         * stress/json-stringify-string-builder-overflow.js: Added.
1762
1763 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1764
1765         Redeclaration of var over let/const/class should be a syntax error.
1766         https://bugs.webkit.org/show_bug.cgi?id=192298
1767
1768         Reviewed by Keith Miller.
1769
1770         * test262.yaml:
1771         * test262/expectations.yaml:
1772         Mark 46 tests as passing.
1773
1774         * stress/block-scope-redeclarations.js:
1775         Add some new tests.
1776
1777         * stress/for-in-invalidate-context-weird-assignments.js:
1778         * stress/for-in-tests.js:
1779         Replace tests for outdated behavior with tests for SyntaxError.
1780
1781         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1782         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1783         Update expectations.
1784
1785 2018-12-18  Mark Lam  <mark.lam@apple.com>
1786
1787         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1788         https://bugs.webkit.org/show_bug.cgi?id=191374
1789         <rdar://problem/46525447>
1790
1791         Reviewed by Yusuke Suzuki.
1792
1793         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1794
1795         * stress/elidable-new-object-roflcopter-then-exit.js:
1796
1797 2018-12-17  Mark Lam  <mark.lam@apple.com>
1798
1799         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1800         https://bugs.webkit.org/show_bug.cgi?id=192019
1801         <rdar://problem/46525456>
1802
1803         Reviewed by Yusuke Suzuki.
1804
1805         The test runs too slow on 32-bit.
1806
1807         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1808
1809 2018-12-17  Mark Lam  <mark.lam@apple.com>
1810
1811         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1812         https://bugs.webkit.org/show_bug.cgi?id=191373
1813         <rdar://problem/46525458>
1814
1815         Reviewed by Yusuke Suzuki.
1816
1817         The test is already slow running with a JIT on 64-bit.  It will always timeout
1818         on 32-bit without a JIT.
1819
1820         * stress/materialize-regexp-cyclic-regexp.js:
1821
1822 2018-12-17  Mark Lam  <mark.lam@apple.com>
1823
1824         Array unshift/shift should not race against the AI in the compiler thread.
1825         https://bugs.webkit.org/show_bug.cgi?id=192795
1826         <rdar://problem/46724263>
1827
1828         Reviewed by Saam Barati.
1829
1830         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1831
1832 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1833
1834         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1835         https://bugs.webkit.org/show_bug.cgi?id=190047
1836
1837         Reviewed by Saam Barati.
1838
1839         * stress/object-keys-cached-zero.js: Added.
1840         (shouldBe):
1841         (test):
1842         * stress/object-keys-changed-attribute.js: Added.
1843         (shouldBe):
1844         (test):
1845         * stress/object-keys-changed-index.js: Added.
1846         (shouldBe):
1847         (test):
1848         * stress/object-keys-changed.js: Added.
1849         (shouldBe):
1850         (test):
1851         * stress/object-keys-indexed-non-cache.js: Added.
1852         (shouldBe):
1853         (test):
1854         * stress/object-keys-overrides-get-property-names.js: Added.
1855         (shouldBe):
1856         (test):
1857         (noInline):
1858
1859 2018-12-17  Mark Lam  <mark.lam@apple.com>
1860
1861         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1862         https://bugs.webkit.org/show_bug.cgi?id=192779
1863         <rdar://problem/46775869>
1864
1865         Reviewed by Saam Barati.
1866
1867         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1868
1869 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1870
1871         Unreviewed test gardening, address a syntax error in a new test.
1872
1873         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1874
1875 2018-12-17  Mark Lam  <mark.lam@apple.com>
1876
1877         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1878         https://bugs.webkit.org/show_bug.cgi?id=192776
1879         <rdar://problem/46772368>
1880
1881         Reviewed by Keith Miller.
1882
1883         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1884
1885 2018-12-17  Mark Lam  <mark.lam@apple.com>
1886
1887         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1888         https://bugs.webkit.org/show_bug.cgi?id=192770
1889         <rdar://problem/46449037>
1890
1891         Reviewed by Keith Miller.
1892
1893         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1894
1895 2018-12-14  Mark Lam  <mark.lam@apple.com>
1896
1897         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1898         https://bugs.webkit.org/show_bug.cgi?id=192717
1899         <rdar://problem/46660677>
1900
1901         Reviewed by Saam Barati.
1902
1903         * stress/regress-192717.js: Added.
1904
1905 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1906
1907         Unreviewed, rolling out r239153, r239154, and r239155.
1908         https://bugs.webkit.org/show_bug.cgi?id=192715
1909
1910         Caused flaky GC-related crashes seen with layout tests
1911         (Requested by ryanhaddad on #webkit).
1912
1913         Reverted changesets:
1914
1915         "[JSC] Optimize Object.keys by caching own keys results in
1916         StructureRareData"
1917         https://bugs.webkit.org/show_bug.cgi?id=190047
1918         https://trac.webkit.org/changeset/239153
1919
1920         "Unreviewed, build fix after r239153"
1921         https://bugs.webkit.org/show_bug.cgi?id=190047
1922         https://trac.webkit.org/changeset/239154
1923
1924         "Unreviewed, build fix after r239153, part 2"
1925         https://bugs.webkit.org/show_bug.cgi?id=190047
1926         https://trac.webkit.org/changeset/239155
1927
1928 2018-12-14  Keith Miller  <keith_miller@apple.com>
1929
1930         Callers of JSString::getIndex should check for OOM exceptions
1931         https://bugs.webkit.org/show_bug.cgi?id=192709
1932
1933         Reviewed by Mark Lam.
1934
1935         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1936
1937 2018-12-13  Mark Lam  <mark.lam@apple.com>
1938
1939         Add a missing exception check.
1940         https://bugs.webkit.org/show_bug.cgi?id=192626
1941         <rdar://problem/46662163>
1942
1943         Reviewed by Keith Miller.
1944
1945         * stress/regress-192626.js: Added.
1946
1947 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1948
1949         [BigInt] Add ValueDiv into DFG
1950         https://bugs.webkit.org/show_bug.cgi?id=186178
1951
1952         Reviewed by Yusuke Suzuki.
1953
1954         * stress/big-int-div-jit-osr.js: Added.
1955         * stress/big-int-div-jit-untyped.js: Added.
1956         * stress/value-div-fixup-int32-big-int.js: Added.
1957
1958 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1959
1960         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1961         https://bugs.webkit.org/show_bug.cgi?id=190047
1962
1963         Reviewed by Keith Miller.
1964
1965         * stress/object-keys-cached-zero.js: Added.
1966         (shouldBe):
1967         (test):
1968         * stress/object-keys-changed-attribute.js: Added.
1969         (shouldBe):
1970         (test):
1971         * stress/object-keys-changed-index.js: Added.
1972         (shouldBe):
1973         (test):
1974         * stress/object-keys-changed.js: Added.
1975         (shouldBe):
1976         (test):
1977         * stress/object-keys-indexed-non-cache.js: Added.
1978         (shouldBe):
1979         (test):
1980         * stress/object-keys-overrides-get-property-names.js: Added.
1981         (shouldBe):
1982         (test):
1983         (noInline):
1984
1985 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1986
1987         [DFG][FTL] Add NewSymbol
1988         https://bugs.webkit.org/show_bug.cgi?id=192620
1989
1990         Reviewed by Saam Barati.
1991
1992         * microbenchmarks/symbol-creation.js: Added.
1993         (test):
1994         * stress/symbol-description-identity.js: Added.
1995         (shouldBe):
1996         (test):
1997         * stress/symbol-identity.js: Added.
1998         (shouldBe):
1999         (test):
2000         * stress/symbol-with-description-throw-error.js: Added.
2001         (shouldBe):
2002         (shouldThrow):
2003         (test):
2004         (object.toString):
2005
2006 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2007
2008         [BigInt] Implement DFG/FTL typeof for BigInt
2009         https://bugs.webkit.org/show_bug.cgi?id=192619
2010
2011         Reviewed by Keith Miller.
2012
2013         * stress/big-int-boolean-proven-type.js: Added.
2014         (assert):
2015         (bool):
2016         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2017         (assert):
2018         (typeOf):
2019         (i.switch):
2020         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2021         (assert):
2022         (typeOf):
2023         * stress/big-int-type-of.js:
2024         (typeOf):
2025         (func):
2026
2027 2018-12-10  Mark Lam  <mark.lam@apple.com>
2028
2029         PropertyAttribute needs a CustomValue bit.
2030         https://bugs.webkit.org/show_bug.cgi?id=191993
2031         <rdar://problem/46264467>
2032
2033         Reviewed by Saam Barati.
2034
2035         * stress/regress-191993.js: Added.
2036
2037 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2038
2039         [BigInt] Add ValueMul into DFG
2040         https://bugs.webkit.org/show_bug.cgi?id=186175
2041
2042         Reviewed by Yusuke Suzuki.
2043
2044         * stress/big-int-mul-jit-osr.js: Added.
2045         * stress/big-int-mul-jit-untyped.js: Added.
2046         * stress/value-mul-fixup-int32-big-int.js: Added.
2047
2048 2018-12-06  Keith Miller  <keith_miller@apple.com>
2049
2050         stress/big-wasm-memory tests failing on 32-bit JSC bot
2051         https://bugs.webkit.org/show_bug.cgi?id=192020
2052
2053         Reviewed by Saam Barati.
2054
2055         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2056         the wasm stress tests if the WebAssembly object does not exist.
2057
2058         * stress/big-wasm-memory-grow-no-max.js:
2059         (test.foo):
2060         (test):
2061         (foo): Deleted.
2062         (catch): Deleted.
2063         * stress/big-wasm-memory-grow.js:
2064         (test.foo):
2065         (test):
2066         (foo): Deleted.
2067         (catch): Deleted.
2068         * stress/big-wasm-memory.js:
2069         (test.foo):
2070         (test):
2071         (foo): Deleted.
2072         (catch): Deleted.
2073
2074 2018-12-05  Mark Lam  <mark.lam@apple.com>
2075
2076         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2077         https://bugs.webkit.org/show_bug.cgi?id=192441
2078         <rdar://problem/46480355>
2079
2080         Reviewed by Saam Barati.
2081
2082         * stress/regress-192441.js: Added.
2083
2084 2018-12-04  Mark Lam  <mark.lam@apple.com>
2085
2086         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2087         https://bugs.webkit.org/show_bug.cgi?id=192386
2088         <rdar://problem/46445516>
2089
2090         Reviewed by Saam Barati.
2091
2092         * stress/regress-192386.js: Added.
2093
2094 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2095
2096         [ESNext][BigInt] Support logic operations
2097         https://bugs.webkit.org/show_bug.cgi?id=179903
2098
2099         Reviewed by Yusuke Suzuki.
2100
2101         * stress/big-int-branch-usage.js: Added.
2102         * stress/big-int-logical-and.js: Added.
2103         * stress/big-int-logical-not.js: Added.
2104         * stress/big-int-logical-or.js: Added.
2105
2106 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2107
2108         Unreviewed, rolling out r238833.
2109
2110         Breaks macOS and iOS debug builds.
2111
2112         Reverted changeset:
2113
2114         "[ESNext][BigInt] Support logic operations"
2115         https://bugs.webkit.org/show_bug.cgi?id=179903
2116         https://trac.webkit.org/changeset/238833
2117
2118 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2119
2120         [ESNext][BigInt] Support logic operations
2121         https://bugs.webkit.org/show_bug.cgi?id=179903
2122
2123         Reviewed by Yusuke Suzuki.
2124
2125         * stress/big-int-branch-usage.js: Added.
2126         * stress/big-int-logical-and.js: Added.
2127         * stress/big-int-logical-not.js: Added.
2128         * stress/big-int-logical-or.js: Added.
2129
2130 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2131
2132         [ESNext][BigInt] Implement support for "<<" and ">>"
2133         https://bugs.webkit.org/show_bug.cgi?id=186233
2134
2135         Reviewed by Yusuke Suzuki.
2136
2137         * stress/big-int-left-shift-general.js: Added.
2138         * stress/big-int-left-shift-range-error.js: Added.
2139         * stress/big-int-left-shift-type-error.js: Added.
2140         * stress/big-int-left-shift-wrapped-value.js: Added.
2141         * stress/big-int-right-shift-general.js: Added.
2142         * stress/big-int-right-shift-type-error.js: Added.
2143         * stress/big-int-right-shift-wrapped-value.js: Added.
2144         * stress/left-shift-to-primitive-precedence.js: Added.
2145         * stress/right-shift-to-primitive-precedence.js: Added.
2146
2147 2018-11-30  Dean Jackson  <dino@apple.com>
2148
2149         Add first-class support for .mjs files in jsc binary
2150         https://bugs.webkit.org/show_bug.cgi?id=192190
2151         <rdar://problem/46375715>
2152
2153         Reviewed by Keith Miller.
2154
2155         * stress/simple-module.mjs: Added.
2156         * stress/simple-script.js: Added.
2157
2158 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2159
2160         [BigInt] Implement ValueBitXor into DFG
2161         https://bugs.webkit.org/show_bug.cgi?id=190264
2162
2163         Reviewed by Yusuke Suzuki.
2164
2165         * stress/big-int-bitwise-xor-jit.js: Added.
2166         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2167         * stress/big-int-bitwise-xor-untyped.js: Added.
2168
2169 2018-11-27  Saam barati  <sbarati@apple.com>
2170
2171         r238510 broke scopes of size zero
2172         https://bugs.webkit.org/show_bug.cgi?id=192033
2173         <rdar://problem/46281734>
2174
2175         Reviewed by Keith Miller.
2176
2177         * stress/r238510-bad-loop.js: Added.
2178         (foo):
2179
2180 2018-11-27  Mark Lam  <mark.lam@apple.com>
2181
2182         [Re-landing] NaNs read from Wasm code needs to be purified.
2183         https://bugs.webkit.org/show_bug.cgi?id=191056
2184         <rdar://problem/45660341>
2185
2186         Reviewed by Filip Pizlo.
2187
2188         * wasm/regress/regress-191056.js: Added.
2189
2190 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2191
2192         Unreviewed, rolling out r238509.
2193
2194         Causes JSC tests to fail on iOS.
2195
2196         Reverted changeset:
2197
2198         "NaNs read from Wasm code needs to be purified."
2199         https://bugs.webkit.org/show_bug.cgi?id=191056
2200         https://trac.webkit.org/changeset/238509
2201
2202 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2203
2204         Re-introduce op_bitnot
2205         https://bugs.webkit.org/show_bug.cgi?id=190923
2206
2207         Reviewed by Yusuke Suzuki.
2208
2209         * stress/bit-not-must-generate.js: Added.
2210         * stress/bitwise-not-no-int32.js: Added.
2211
2212 2018-11-26  Saam barati  <sbarati@apple.com>
2213
2214         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2215         https://bugs.webkit.org/show_bug.cgi?id=191956
2216         <rdar://problem/45665806>
2217
2218         Reviewed by Yusuke Suzuki.
2219
2220         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2221         (bar):
2222         (foo):
2223
2224 2018-11-26  Saam barati  <sbarati@apple.com>
2225
2226         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2227         https://bugs.webkit.org/show_bug.cgi?id=191958
2228         <rdar://problem/46221877>
2229
2230         Reviewed by Yusuke Suzuki.
2231
2232         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2233         (x):
2234         (foo):
2235
2236 2018-11-26  Mark Lam  <mark.lam@apple.com>
2237
2238         NaNs read from Wasm code needs to be purified.
2239         https://bugs.webkit.org/show_bug.cgi?id=191056
2240         <rdar://problem/45660341>
2241
2242         Reviewed by Filip Pizlo.
2243
2244         * wasm/regress/regress-191056.js: Added.
2245
2246 2018-11-26  Michael Saboff  <msaboff@apple.com>
2247
2248         32-bit JSC test failure: stress/regexp-compile-oom.js
2249         https://bugs.webkit.org/show_bug.cgi?id=191375
2250
2251         Reviewed by Mark Lam.
2252
2253         Disabled the test for 32 bit platforms.
2254
2255         * stress/regexp-compile-oom.js:
2256
2257 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2258
2259         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2260         https://bugs.webkit.org/show_bug.cgi?id=191716
2261         <rdar://problem/45723878>
2262
2263         Reviewed by Saam Barati.
2264
2265         * stress/regress-187373.js: Added.
2266         (async.fn):
2267
2268 2018-11-21  Saam barati  <sbarati@apple.com>
2269
2270         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2271         https://bugs.webkit.org/show_bug.cgi?id=191897
2272         <rdar://problem/45871998>
2273
2274         Reviewed by Mark Lam.
2275
2276         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2277         (bar):
2278         (foo):
2279
2280 2018-11-21  Saam barati  <sbarati@apple.com>
2281
2282         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2283         https://bugs.webkit.org/show_bug.cgi?id=191895
2284         <rdar://problem/46167406>
2285
2286         Reviewed by Mark Lam.
2287
2288         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2289         (foo):
2290         (bar):
2291
2292 2018-11-21  Mark Lam  <mark.lam@apple.com>
2293
2294         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2295         https://bugs.webkit.org/show_bug.cgi?id=191776
2296         <rdar://problem/46152851>
2297
2298         Reviewed by Saam Barati.
2299
2300         * stress/big-wasm-memory-grow-no-max.js:
2301         * stress/big-wasm-memory-grow.js:
2302         * stress/big-wasm-memory.js:
2303         - updated these to expect an OutOfMemoryError.
2304
2305         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2306         (Binary.prototype.emit_u8):
2307         (Binary.prototype.emit_u32v):
2308         (Binary.prototype.emit_header):
2309         (Binary.prototype.emit_section):
2310         (Binary):
2311         (WasmModuleBuilder):
2312         (WasmModuleBuilder.prototype.addMemory):
2313         (WasmModuleBuilder.prototype.toArray):
2314         (WasmModuleBuilder.prototype.toBuffer):
2315         (WasmModuleBuilder.prototype.instantiate):
2316         (catch):
2317         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2318         (catch):
2319
2320 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2321
2322         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2323         https://bugs.webkit.org/show_bug.cgi?id=190836
2324
2325         Reviewed by Saam Barati and Yusuke Suzuki.
2326
2327         * stress/big-int-out-of-memory-tests.js: Added.
2328
2329 2018-11-20  Mark Lam  <mark.lam@apple.com>
2330
2331         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2332         https://bugs.webkit.org/show_bug.cgi?id=191856
2333         <rdar://problem/46089992>
2334
2335         Reviewed by Yusuke Suzuki.
2336
2337         * stress/regress-191856.js: Added.
2338         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2339
2340 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2341
2342         Enable JIT on ARM/Linux
2343         https://bugs.webkit.org/show_bug.cgi?id=191548
2344
2345         Reviewed by Yusuke Suzuki.
2346
2347         Disable test on system with limited memory. Program was killed by
2348         the OS before the exception was thrown.
2349
2350         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2351
2352 2018-11-20  Saam barati  <sbarati@apple.com>
2353
2354         Merging an IC variant may lead to the IC status containing overlapping structure sets
2355         https://bugs.webkit.org/show_bug.cgi?id=191869
2356         <rdar://problem/45403453>
2357
2358         Reviewed by Mark Lam.
2359
2360         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2361
2362 2018-11-19  Mark Lam  <mark.lam@apple.com>
2363
2364         globalFuncImportModule() should return a promise when it clears exceptions.
2365         https://bugs.webkit.org/show_bug.cgi?id=191792
2366         <rdar://problem/46090763>
2367
2368         Reviewed by Michael Saboff.
2369
2370         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2371
2372 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2373
2374         Skip new memory-hungry tests on memory limited devices
2375
2376         Unreviewed gardening.
2377
2378         * stress/big-wasm-memory-grow-no-max.js:
2379         * stress/big-wasm-memory-grow.js:
2380         * stress/big-wasm-memory.js:
2381
2382 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2383
2384         Unreviewed, rolling in the rest of r237254
2385         https://bugs.webkit.org/show_bug.cgi?id=190340
2386
2387         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2388         * stress/function-cache-with-parameters-end-position.js: Added.
2389         (shouldBe):
2390         (shouldThrow):
2391         (i.anonymous):
2392         * stress/function-constructor-name.js: Added.
2393         (shouldBe):
2394         (GeneratorFunction):
2395         (AsyncFunction.async):
2396         (AsyncGeneratorFunction.async):
2397         (anonymous):
2398         (async.anonymous):
2399         * test262/expectations.yaml:
2400
2401 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2402
2403         All users of ArrayBuffer should agree on the same max size
2404         https://bugs.webkit.org/show_bug.cgi?id=191771
2405
2406         Reviewed by Mark Lam.
2407
2408         * stress/big-wasm-memory-grow-no-max.js: Added.
2409         (foo):
2410         (catch):
2411         * stress/big-wasm-memory-grow.js: Added.
2412         (foo):
2413         (catch):
2414         * stress/big-wasm-memory.js: Added.
2415         (foo):
2416         (catch):
2417
2418 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2419
2420         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2421         run for each JSC config since they're regression tests for runtime bugs.
2422
2423         * stress/json-stringified-overflow-2.js:
2424         * stress/json-stringified-overflow.js:
2425
2426 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2427
2428         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2429         config since they're regression tests for runtime bugs.
2430
2431         * stress/large-unshift-splice.js:
2432         * stress/regress-185888.js:
2433
2434 2018-11-16  Saam Barati  <sbarati@apple.com>
2435
2436         KnownCellUse should also have SpecCellCheck as its type filter
2437         https://bugs.webkit.org/show_bug.cgi?id=191729
2438         <rdar://problem/45872852>
2439
2440         Reviewed by Filip Pizlo.
2441
2442         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2443         (C):
2444
2445 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2446
2447         Fix assertion failure on BytecodeGenerator::recordOpcode
2448         https://bugs.webkit.org/show_bug.cgi?id=191724
2449         <rdar://problem/45724395>
2450
2451         Reviewed by Saam Barati.
2452
2453         * stress/regress-187373-2.js: Added.
2454         (foo):
2455
2456 2018-11-15  Mark Lam  <mark.lam@apple.com>
2457
2458         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2459         https://bugs.webkit.org/show_bug.cgi?id=191730
2460         <rdar://problem/46048517>
2461
2462         Reviewed by Saam Barati.
2463
2464         * stress/regress-187006.js: Removed.
2465           - this test is invalid because its sole purpose is to test for the non-spec
2466             compliant behavior that we just fixed.
2467
2468         * stress/regress-191730.js: Added.
2469
2470 2018-11-15  Mark Lam  <mark.lam@apple.com>
2471
2472         RegExp operations should not take fast path if lastIndex is not numeric.
2473         https://bugs.webkit.org/show_bug.cgi?id=191731
2474         <rdar://problem/46017305>
2475
2476         Reviewed by Saam Barati.
2477
2478         * stress/regress-191731.js: Added.
2479
2480 2018-11-13  Saam Barati  <sbarati@apple.com>
2481
2482         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2483         https://bugs.webkit.org/show_bug.cgi?id=191600
2484
2485         Reviewed by Mark Lam.
2486
2487         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2488         (foo):
2489         (test):
2490         (bar):
2491
2492 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2493
2494         Unreviewed, rolling out r238132.
2495
2496         The test added with this change is timing out on Debug JSC
2497         bots.
2498
2499         Reverted changeset:
2500
2501         "[BigInt] JSBigInt::createWithLength should throw when length
2502         is greater than JSBigInt::maxLength"
2503         https://bugs.webkit.org/show_bug.cgi?id=190836
2504         https://trac.webkit.org/changeset/238132
2505
2506 2018-11-13  Mark Lam  <mark.lam@apple.com>
2507
2508         Add OOM detection to StringPrototype's substituteBackreferences().
2509         https://bugs.webkit.org/show_bug.cgi?id=191563
2510         <rdar://problem/45720428>
2511
2512         Reviewed by Saam Barati.
2513
2514         * stress/regress-191563.js: Added.
2515
2516 2018-11-13  Mark Lam  <mark.lam@apple.com>
2517
2518         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2519         https://bugs.webkit.org/show_bug.cgi?id=191579
2520         <rdar://problem/45942472>
2521
2522         Reviewed by Saam Barati.
2523
2524         * stress/regress-191579.js: Added.
2525
2526 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2527
2528         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2529         https://bugs.webkit.org/show_bug.cgi?id=190836
2530
2531         Reviewed by Saam Barati.
2532
2533         * stress/big-int-out-of-memory-tests.js: Added.
2534
2535 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2536
2537         U+180E is no longer a whitespace character
2538         https://bugs.webkit.org/show_bug.cgi?id=191415
2539
2540         Reviewed by Saam Barati.
2541
2542         * ChakraCore/test/es5/regexSpace.baseline:
2543         * ChakraCore/test/es6/unicode_whitespace.js:
2544         Update tests to latest version.
2545         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2546
2547         * test262.yaml:
2548         * test262/config.yaml:
2549         * test262/expectations.yaml:
2550         Update expectations.
2551
2552 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2553
2554         [BigInt] Add support to BigInt into ValueAdd
2555         https://bugs.webkit.org/show_bug.cgi?id=186177
2556
2557         Reviewed by Keith Miller.
2558
2559         * stress/big-int-negate-jit.js:
2560         * stress/value-add-big-int-and-string.js: Added.
2561         * stress/value-add-big-int-prediction-propagation.js: Added.
2562         * stress/value-add-big-int-untyped.js: Added.
2563
2564 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2565
2566         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2567         https://bugs.webkit.org/show_bug.cgi?id=191184
2568
2569         Reviewed by Saam Barati.
2570
2571         Most tests were failing due to timeouts, since they are too slow to
2572         run on CLoop. The exceptions are:
2573
2574         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2575         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2576         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2577         to change the stack size since CLoop requires it to be page aligned.
2578
2579         * microbenchmarks/array-push-1.js:
2580         * microbenchmarks/array-push-2.js:
2581         * microbenchmarks/elidable-new-object-dag.js:
2582         * microbenchmarks/elidable-new-object-roflcopter.js:
2583         * microbenchmarks/elidable-new-object-tree.js:
2584         * microbenchmarks/getter-richards.js:
2585         * microbenchmarks/sinkable-new-object-dag.js:
2586         * microbenchmarks/string-concat-long-convert.js:
2587         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2588         * slowMicrobenchmarks/array-push-3.js:
2589         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2590         * slowMicrobenchmarks/spread-small-array.js:
2591         * slowMicrobenchmarks/undefined-property-access.js:
2592         * stress/activation-sink-default-value-tdz-error.js:
2593         * stress/activation-sink-default-value.js:
2594         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2595         * stress/activation-sink-osrexit-default-value.js:
2596         * stress/activation-sink-osrexit.js:
2597         * stress/activation-sink.js:
2598         * stress/allow-math-ic-b3-code-duplication.js:
2599         * stress/array-push-multiple-int32.js:
2600         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2601         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2602         * stress/arrowfunction-lexical-this-activation-sink.js:
2603         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2604         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2605         * stress/elide-new-object-dag-then-exit.js:
2606         * stress/materialize-regexp-cyclic.js:
2607         * stress/new-regex-inline.js:
2608         * stress/op_add.js:
2609         * stress/op_bitand.js:
2610         * stress/op_bitor.js:
2611         * stress/op_bitxor.js:
2612         * stress/op_div-ConstVar.js:
2613         * stress/op_div-VarConst.js:
2614         * stress/op_div-VarVar.js:
2615         * stress/op_lshift-ConstVar.js:
2616         * stress/op_lshift-VarConst.js:
2617         * stress/op_lshift-VarVar.js:
2618         * stress/op_mod-ConstVar.js:
2619         * stress/op_mod-VarConst.js:
2620         * stress/op_mod-VarVar.js:
2621         * stress/op_mul-ConstVar.js:
2622         * stress/op_mul-VarConst.js:
2623         * stress/op_mul-VarVar.js:
2624         * stress/op_rshift-ConstVar.js:
2625         * stress/op_rshift-VarConst.js:
2626         * stress/op_rshift-VarVar.js:
2627         * stress/op_sub-ConstVar.js:
2628         * stress/op_sub-VarConst.js:
2629         * stress/op_sub-VarVar.js:
2630         * stress/op_urshift-ConstVar.js:
2631         * stress/op_urshift-VarConst.js:
2632         * stress/op_urshift-VarVar.js:
2633         * stress/proxy-get-set-correct-receiver.js:
2634         * stress/regress-179562.js:
2635         * stress/rest-parameter-many-arguments.js:
2636         * stress/sampling-profiler-richards.js:
2637         * stress/splay-flash-access-1ms.js:
2638         * stress/tailCallForwardArguments.js:
2639         * stress/typed-array-get-by-val-profiling.js:
2640         * typeProfiler/getter-richards.js:
2641
2642 2018-11-06  Michael Saboff  <msaboff@apple.com>
2643
2644         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2645         https://bugs.webkit.org/show_bug.cgi?id=191271
2646
2647         Reviewed by Saam Barati.
2648
2649         Added more test cases and made all test cases run with the same deeply recursive stack
2650         instead of finding that same point for each test case.
2651
2652         * stress/regexp-compile-oom.js:
2653         (prototype.runTest):
2654         (recurseAndTest):
2655         (testList.push.new.TestAndExpectedException):
2656
2657 2018-11-05  Michael Saboff  <msaboff@apple.com>
2658
2659         Unreviewed build fix for linux.
2660
2661         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2662
2663 2018-11-02  Michael Saboff  <msaboff@apple.com>
2664
2665         Rolling in r237753 with unreviewed build fix.
2666
2667         Fixed issues with DECLARE_THROW_SCOPE placement.
2668
2669 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2670
2671         Unreviewed, rolling out r237753.
2672
2673         Introduced JSC test failures
2674
2675         Reverted changeset:
2676
2677         "Running out of stack space not properly handled in
2678         RegExp::compile() and its callers"
2679         https://bugs.webkit.org/show_bug.cgi?id=191206
2680         https://trac.webkit.org/changeset/237753
2681
2682 2018-11-02  Michael Saboff  <msaboff@apple.com>
2683
2684         Running out of stack space not properly handled in RegExp::compile() and its callers
2685         https://bugs.webkit.org/show_bug.cgi?id=191206
2686
2687         Reviewed by Filip Pizlo.
2688
2689         New regression test.
2690
2691         * stress/regexp-compile-oom.js: Added.
2692         (recurseAndTest):
2693
2694 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2695
2696         Skip tests on arm/mips that time out now we're running on CLoop
2697
2698         Unreviewed gardening.
2699
2700         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2701         time out on the bots and need to be disabled. There are more tests
2702         disabled on arm because the timeout is longer on the mips bot (as the
2703         device is slower to start with), so many of the tests don't time out
2704         there.
2705
2706         * microbenchmarks/getter-richards.js: disable on arm and mips.
2707         * stress/op_add.js: disable on arm.
2708         * stress/op_bitand.js: disable on arm.
2709         * stress/op_bitor.js: disable on arm.
2710         * stress/op_bitxor.js: disable on arm.
2711         * stress/op_lshift-ConstVar.js: disable on arm.
2712         * stress/op_lshift-VarConst.js: disable on arm.
2713         * stress/op_lshift-VarVar.js: disable on arm.
2714         * stress/op_mod-ConstVar.js: disable on arm.
2715         * stress/op_mod-VarConst.js: disable on arm.
2716         * stress/op_mod-VarVar.js: disable on arm.
2717         * stress/op_mul-ConstVar.js: disable on arm.
2718         * stress/op_mul-VarConst.js: disable on arm.
2719         * stress/op_mul-VarVar.js: disable on arm.
2720         * stress/op_rshift-ConstVar.js: disable on arm.
2721         * stress/op_rshift-VarConst.js: disable on arm.
2722         * stress/op_rshift-VarVar.js: disable on arm.
2723         * stress/op_sub-ConstVar.js: disable on arm.
2724         * stress/op_sub-VarConst.js: disable on arm.
2725         * stress/op_sub-VarVar.js: disable on arm.
2726         * stress/op_urshift-ConstVar.js: disable on arm.
2727         * stress/op_urshift-VarConst.js: disable on arm.
2728         * stress/op_urshift-VarVar.js: disable on arm.
2729         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2730         * stress/value-to-boolean.js: disable on arm and mips.
2731
2732 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2733
2734         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2735         https://bugs.webkit.org/show_bug.cgi?id=191108
2736         <rdar://problem/45690700>
2737
2738         Reviewed by Saam Barati.
2739
2740         * stress/wide-op_catch.js: Added.
2741         (catch):
2742
2743 2018-10-29  Mark Lam  <mark.lam@apple.com>
2744
2745         Correctly detect string overflow when using the 'Function' constructor.
2746         https://bugs.webkit.org/show_bug.cgi?id=184883
2747         <rdar://problem/36320331>
2748
2749         Reviewed by Saam Barati.
2750
2751         I've verified that this passes on 32-bit as well.
2752
2753         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2754
2755 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2756
2757         Add support for GetStack FlushedDouble
2758         https://bugs.webkit.org/show_bug.cgi?id=191012
2759         <rdar://problem/45265141>
2760
2761         Reviewed by Saam Barati.
2762
2763         * stress/get-stack-double.js: Added.
2764         (bar):
2765         (noInline):
2766
2767 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2768
2769         New bytecode format for JSC
2770         https://bugs.webkit.org/show_bug.cgi?id=187373
2771         <rdar://problem/44186758>
2772
2773         Reviewed by Filip Pizlo.
2774
2775         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2776
2777         * stress/maximum-inline-capacity.js: Added.
2778         (test1):
2779         (test3.Foo):
2780         (test3):
2781
2782 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2783
2784         Unreviewed, rolling out r237479 and r237484.
2785         https://bugs.webkit.org/show_bug.cgi?id=190978
2786
2787         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2788
2789         Reverted changesets:
2790
2791         "New bytecode format for JSC"
2792         https://bugs.webkit.org/show_bug.cgi?id=187373
2793         https://trac.webkit.org/changeset/237479
2794
2795         "Gardening: Build fix after r237479."
2796         https://bugs.webkit.org/show_bug.cgi?id=187373
2797         https://trac.webkit.org/changeset/237484
2798
2799 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2800
2801         New bytecode format for JSC
2802         https://bugs.webkit.org/show_bug.cgi?id=187373
2803         <rdar://problem/44186758>
2804
2805         Reviewed by Filip Pizlo.
2806
2807         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2808
2809         * stress/maximum-inline-capacity.js: Added.
2810         (test1):
2811         (test3.Foo):
2812         (test3):
2813
2814 2018-10-26  Mark Lam  <mark.lam@apple.com>
2815
2816         Fix missing edge cases with JSGlobalObjects having a bad time.
2817         https://bugs.webkit.org/show_bug.cgi?id=189028
2818         <rdar://problem/45204939>
2819
2820         Reviewed by Saam Barati.
2821
2822         * stress/regress-189028.js: Added.
2823
2824 2018-10-22  Mark Lam  <mark.lam@apple.com>
2825
2826         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2827         https://bugs.webkit.org/show_bug.cgi?id=190515
2828         <rdar://problem/45222379>
2829
2830         Rubber-stamped by Saam Barati.
2831
2832         Adding another test.
2833
2834         * stress/regress-190515-2.js: Added.
2835
2836 2018-10-22  Mark Lam  <mark.lam@apple.com>
2837
2838         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2839         https://bugs.webkit.org/show_bug.cgi?id=190515
2840         <rdar://problem/45222379>
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/regress-190515.js: Added.
2845
2846 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2847
2848         Unreviewed, rolling out r237254.
2849         https://bugs.webkit.org/show_bug.cgi?id=190760
2850
2851         "It regresses JetStream 2 by 5% on some iOS devices"
2852         (Requested by saamyjoon on #webkit).
2853
2854         Reverted changeset:
2855
2856         "[JSC] JSC should have "parseFunction" to optimize Function
2857         constructor"
2858         https://bugs.webkit.org/show_bug.cgi?id=190340
2859         https://trac.webkit.org/changeset/237254
2860
2861 2018-10-19  Saam Barati  <sbarati@apple.com>
2862
2863         vmCall should check if we exit before emitting an OSR exit due to exceptions
2864         https://bugs.webkit.org/show_bug.cgi?id=190740
2865         <rdar://problem/45220139>
2866
2867         Reviewed by Mark Lam.
2868
2869         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2870         (foo):
2871
2872 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2873
2874         [ESNext][BigInt] Implement support for "^"
2875         https://bugs.webkit.org/show_bug.cgi?id=186235
2876
2877         Reviewed by Yusuke Suzuki.
2878
2879         * stress/big-int-bitwise-xor-general.js: Added.
2880         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2881         * stress/big-int-bitwise-xor-type-error.js: Added.
2882         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2883
2884 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2885
2886         [BigInt] Add ValueSub into DFG
2887         https://bugs.webkit.org/show_bug.cgi?id=186176
2888
2889         Reviewed by Yusuke Suzuki.
2890
2891         * stress/big-int-subtraction-jit.js:
2892         * stress/value-sub-big-int-prediction-propagation.js: Added.
2893         * stress/value-sub-big-int-untyped.js: Added.
2894         * stress/value-sub-spec-none-case.js: Added.
2895
2896 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2897
2898         [JSC] JSC should have "parseFunction" to optimize Function constructor
2899         https://bugs.webkit.org/show_bug.cgi?id=190340
2900
2901         Reviewed by Mark Lam.
2902
2903         This patch fixes the line number of syntax errors raised by the Function constructor,
2904         since we now parse the final code only once. And we no longer use block statement
2905         for Function constructor's parsing.
2906
2907         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2908         * stress/function-cache-with-parameters-end-position.js: Added.
2909         (shouldBe):
2910         (shouldThrow):
2911         (i.anonymous):
2912         * stress/function-constructor-name.js: Added.
2913         (shouldBe):
2914         (GeneratorFunction):
2915         (AsyncFunction.async):
2916         (AsyncGeneratorFunction.async):
2917         (anonymous):
2918         (async.anonymous):
2919         * test262/expectations.yaml:
2920
2921 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2922
2923         Unreviewed, rolling out r237242.
2924         https://bugs.webkit.org/show_bug.cgi?id=190701
2925
2926         it breaks "stress/sampling-profiler-basic.js" (Requested by
2927         caiolima on #webkit).
2928
2929         Reverted changeset:
2930
2931         "[BigInt] Add ValueSub into DFG"
2932         https://bugs.webkit.org/show_bug.cgi?id=186176
2933         https://trac.webkit.org/changeset/237242
2934
2935 2018-10-17  Keith Miller  <keith_miller@apple.com>
2936
2937         AI does not clear Phantom allocation nodes.
2938         https://bugs.webkit.org/show_bug.cgi?id=190694
2939
2940         Reviewed by Saam Barati.
2941
2942         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2943         (Day):
2944         (DaysInYear):
2945         (TimeInYear):
2946         (TimeFromYear):
2947         (DayFromYear):
2948         (InLeapYear):
2949         (YearFromTime):
2950         (WeekDay):
2951         (DaylightSavingTA):
2952         (GetSecondSundayInMarch):
2953         (TimeInMonth):
2954
2955 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2956
2957         [BigInt] Add ValueSub into DFG
2958         https://bugs.webkit.org/show_bug.cgi?id=186176
2959
2960         Reviewed by Yusuke Suzuki.
2961
2962         * stress/big-int-subtraction-jit.js:
2963         * stress/value-sub-big-int-prediction-propagation.js: Added.
2964         * stress/value-sub-big-int-untyped.js: Added.
2965
2966 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2967
2968         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2969         https://bugs.webkit.org/show_bug.cgi?id=190611
2970
2971         Reviewed by Saam Barati.
2972
2973         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2974         to improve test runtime. On ARM/MIPS this test even timed out when running all
2975         tests.
2976
2977         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2978         (test):
2979
2980 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2981
2982         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2983
2984         Unreviewed gardening.
2985
2986         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2987
2988 2018-10-15  Saam barati  <sbarati@apple.com>
2989
2990         Emit fjcvtzs on ARM64E on Darwin
2991         https://bugs.webkit.org/show_bug.cgi?id=184023
2992
2993         Reviewed by Yusuke Suzuki and Filip Pizlo.
2994
2995         * stress/double-to-int32-NaN.js: Added.
2996         (assert):
2997         (foo):
2998
2999 2018-10-15  Saam Barati  <sbarati@apple.com>
3000
3001         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3002         https://bugs.webkit.org/show_bug.cgi?id=190262
3003         <rdar://problem/44986241>
3004
3005         Reviewed by Mark Lam.
3006
3007         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3008         (test):
3009         * stress/slice-array-storage-with-holes.js: Added.
3010         (main):
3011
3012 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3013
3014         Unreviewed, rolling out r237054.
3015         https://bugs.webkit.org/show_bug.cgi?id=190593
3016
3017         "this regressed JetStream 2 by 6% on iOS" (Requested by
3018         saamyjoon on #webkit).
3019
3020         Reverted changeset:
3021
3022         "[JSC] JSC should have "parseFunction" to optimize Function
3023         constructor"
3024         https://bugs.webkit.org/show_bug.cgi?id=190340
3025         https://trac.webkit.org/changeset/237054
3026
3027 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3028
3029         [JSC] JSON.stringify can accept call-with-no-arguments
3030         https://bugs.webkit.org/show_bug.cgi?id=190343
3031
3032         Reviewed by Mark Lam.
3033
3034         * stress/json-stringify-no-arguments.js: Added.
3035         (shouldBe):
3036
3037 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3038
3039         [JSC] JSC should have "parseFunction" to optimize Function constructor
3040         https://bugs.webkit.org/show_bug.cgi?id=190340
3041
3042         Reviewed by Mark Lam.
3043
3044         This patch fixes the line number of syntax errors raised by the Function constructor,
3045         since we now parse the final code only once. And we no longer use block statement
3046         for Function constructor's parsing.
3047
3048         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3049         * stress/function-cache-with-parameters-end-position.js: Added.
3050         (shouldBe):
3051         (shouldThrow):
3052         (i.anonymous):
3053         * stress/function-constructor-name.js: Added.
3054         (shouldBe):
3055         (GeneratorFunction):
3056         (AsyncFunction.async):
3057         (AsyncGeneratorFunction.async):
3058         (anonymous):
3059         (async.anonymous):
3060         * test262/expectations.yaml:
3061
3062 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3063
3064         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3065         https://bugs.webkit.org/show_bug.cgi?id=190426
3066
3067         Unreviewed gardening.
3068
3069         * stress/sampling-profiler-richards.js:
3070
3071 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3072
3073         [ESNext][BigInt] Implement support for "|"
3074         https://bugs.webkit.org/show_bug.cgi?id=186229
3075
3076         Reviewed by Yusuke Suzuki.
3077
3078         * stress/big-int-bitwise-and-jit.js:
3079         * stress/big-int-bitwise-or-general.js: Added.
3080         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3081         * stress/big-int-bitwise-or-jit.js: Added.
3082         * stress/big-int-bitwise-or-memory-stress.js: Added.
3083         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3084         * stress/big-int-bitwise-or-type-error.js: Added.
3085         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3086
3087 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3088
3089         Skip test on systems with limited memory
3090         https://bugs.webkit.org/show_bug.cgi?id=190310
3091
3092         Invoking runDefault adds the test to the runlist; skipping the test in the next
3093         line does not prevent the test from executing. Change the order of the lines such
3094         that runDefault is only executed if the test is not executed.
3095
3096         Reviewed by Mark Lam.
3097
3098         * stress/regress-190187.js:
3099
3100 2018-10-03  Saam barati  <sbarati@apple.com>
3101
3102         lowXYZ in FTLLower should always filter the type of the incoming edge
3103         https://bugs.webkit.org/show_bug.cgi?id=189939
3104         <rdar://problem/44407030>
3105
3106         Reviewed by Michael Saboff.
3107
3108         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3109         (foo):
3110         (test):
3111
3112 2018-10-03  Mark Lam  <mark.lam@apple.com>
3113
3114         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3115         https://bugs.webkit.org/show_bug.cgi?id=190187
3116         <rdar://problem/42512909>
3117
3118         Reviewed by Michael Saboff.
3119
3120         * stress/regress-190187.js: Added.
3121
3122 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3123
3124         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3125         https://bugs.webkit.org/show_bug.cgi?id=190033
3126
3127         Reviewed by Yusuke Suzuki.
3128
3129         * stress/big-int-to-string.js:
3130
3131 2018-10-01  Mark Lam  <mark.lam@apple.com>
3132
3133         Function.toString() should also copy the source code Functions that are class definitions.
3134         https://bugs.webkit.org/show_bug.cgi?id=190186
3135         <rdar://problem/44733360>
3136
3137         Reviewed by Saam Barati.
3138
3139         * stress/regress-190186.js: Added.
3140
3141 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3142
3143         Split NaN-check into separate test
3144         https://bugs.webkit.org/show_bug.cgi?id=190010
3145
3146         Reviewed by Saam Barati.
3147
3148         DataView exposes NaN-representation, which is not necessarily the same on each
3149         architecture. Therefore move the check of the NaN-representation into its own
3150         file such that we can disable this test on MIPS where NaN-representation can be
3151         different on older CPUs.
3152
3153         * stress/dataview-jit-set-nan.js: Added.
3154         (assert):
3155         (test.storeLittleEndian):
3156         (test.storeBigEndian):
3157         (test.store):
3158         (test):
3159         * stress/dataview-jit-set.js:
3160         (test5):
3161
3162 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3163
3164         Unreviewed, rolling out r236647.
3165         https://bugs.webkit.org/show_bug.cgi?id=190124
3166
3167         Breaking test stress/big-int-to-string.js (Requested by
3168         caiolima_ on #webkit).
3169
3170         Reverted changeset:
3171
3172         "[BigInt] BigInt.prototype.toString is broken when radix is
3173         power of 2"
3174         https://bugs.webkit.org/show_bug.cgi?id=190033
3175         https://trac.webkit.org/changeset/236647
3176
3177 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3178
3179         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3180         https://bugs.webkit.org/show_bug.cgi?id=190033
3181
3182         Reviewed by Yusuke Suzuki.
3183
3184         * stress/big-int-to-string.js:
3185
3186 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3187
3188         [ESNext][BigInt] Implement support for "&"
3189         https://bugs.webkit.org/show_bug.cgi?id=186228
3190
3191         Reviewed by Yusuke Suzuki.
3192
3193         * stress/big-int-bitwise-and-general.js: Added.
3194         (assert):
3195         (assert.sameValue):
3196         * stress/big-int-bitwise-and-jit.js: Added.
3197         (let.assert.sameValue):
3198         (bigIntBitAnd):
3199         * stress/big-int-bitwise-and-memory-stress.js: Added.
3200         (assert):
3201         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3202         (assert.sameValue):
3203         (let.o.Symbol.toPrimitive):
3204         (catch):
3205         * stress/big-int-bitwise-and-type-error.js: Added.
3206         (assert):
3207         (assertThrowTypeError):
3208         (let.o.valueOf):
3209         (o.valueOf):
3210         (o.toString):
3211         (o.Symbol.toPrimitive):
3212         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3213         (assert.sameValue):
3214         (testBitAnd):
3215         (let.o.Symbol.toPrimitive):
3216         (o.valueOf):
3217         (o.toString):
3218
3219 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3220
3221         JSC test stress/jsc-read.js doesn't support CRLF
3222         https://bugs.webkit.org/show_bug.cgi?id=190063
3223
3224         Reviewed by Yusuke Suzuki.
3225
3226         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3227
3228         * stress/jsc-read.js:
3229         (test):
3230
3231 2018-09-27  Saam barati  <sbarati@apple.com>
3232
3233         Verify the contents of AssemblerBuffer on arm64e
3234         https://bugs.webkit.org/show_bug.cgi?id=190057
3235         <rdar://problem/38916630>
3236
3237         Reviewed by Mark Lam.
3238
3239         * stress/regress-189132.js:
3240
3241 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3242
3243         Disable test without LLInt on ARMv7
3244         https://bugs.webkit.org/show_bug.cgi?id=190037
3245
3246         Reviewed by Mark Lam.
3247
3248         The test runs out of executable memory on ARMv7; do not run
3249         this test without LLInt enabled.
3250
3251         * stress/regress-169445.js:
3252
3253 2018-09-26  Keith Miller  <keith_miller@apple.com>
3254
3255         We should zero unused property storage when rebalancing array storage.
3256         https://bugs.webkit.org/show_bug.cgi?id=188151
3257
3258         Reviewed by Michael Saboff.
3259
3260         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3261
3262 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3263
3264         [JSC] Optimize Array#lastIndexOf
3265         https://bugs.webkit.org/show_bug.cgi?id=189780
3266
3267         Reviewed by Saam Barati.
3268
3269         * stress/array-lastindexof-array-prototype-trap.js: Added.
3270         (shouldBe):
3271         (AncestorArray.prototype.get 2):
3272         (AncestorArray):
3273         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3274         (shouldBe):
3275         * stress/array-lastindexof-hole-nan.js: Added.
3276         (shouldBe):
3277         (throw.new.Error):
3278         * stress/array-lastindexof-infinity.js: Added.
3279         (shouldBe):
3280         (throw.new.Error):
3281         * stress/array-lastindexof-negative-zero.js: Added.
3282         (shouldBe):
3283         (throw.new.Error):
3284         * stress/array-lastindexof-own-getter.js: Added.
3285         (shouldBe):
3286         (throw.new.Error.get array):
3287         (get array):
3288         * stress/array-lastindexof-prototype-trap.js: Added.
3289         (shouldBe):
3290         (DerivedArray.prototype.get 2):
3291         (DerivedArray):
3292
3293 2018-09-25  Saam Barati  <sbarati@apple.com>
3294
3295         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3296         https://bugs.webkit.org/show_bug.cgi?id=189940
3297         <rdar://problem/43640987>
3298
3299         Reviewed by Mark Lam.
3300
3301         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3302
3303 2018-09-24  Saam Barati  <sbarati@apple.com>
3304
3305         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3306         https://bugs.webkit.org/show_bug.cgi?id=189922
3307         <rdar://problem/44651275>
3308
3309         Reviewed by Mark Lam.
3310
3311         * stress/array-indexof-fast-path-effects.js: Added.
3312         * stress/array-indexof-cached-length.js: Added.
3313
3314 2018-09-24  Saam barati  <sbarati@apple.com>
3315
3316         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3317         https://bugs.webkit.org/show_bug.cgi?id=189682
3318         <rdar://problem/43557315>
3319
3320         Reviewed by Mark Lam.
3321
3322         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3323         (foo):
3324
3325 2018-09-22  Saam barati  <sbarati@apple.com>
3326
3327         The sampling should not use Strong<CodeBlock> in its machineLocation field
3328         https://bugs.webkit.org/show_bug.cgi?id=189319
3329
3330         Reviewed by Filip Pizlo.
3331
3332         * stress/sampling-profiler-richards.js: Added.
3333
3334 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3335
3336         [JSC] Optimize Array#indexOf in C++ runtime
3337         https://bugs.webkit.org/show_bug.cgi?id=189507
3338
3339         Reviewed by Saam Barati.
3340
        * stress/array-indexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-indexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-indexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-19  Saam barati  <sbarati@apple.com>

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757
        <rdar://problem/43535257>

        Reviewed by Michael Saboff.

        * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
        (foo):
        (Foo):
        (g):

2018-09-17  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        * stress/regress-189571.js: Added.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
        (A):
        (K):
        (i.catch):

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
        (foo):

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array initialization in arrayProtoFuncSplice.
        https://bugs.webkit.org/show_bug.cgi?id=170253
        <rdar://problem/31328773>

        Rubber-stamped by Saam Barati.

        * stress/regress-170253.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for IntlObject initialization.
        https://bugs.webkit.org/show_bug.cgi?id=170251
        <rdar://problem/31328419>

        Rubber-stamped by Saam Barati.

        * stress/regress-170251.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array memcpy'ing when JSGlobalObject::haveABadTime.
        https://bugs.webkit.org/show_bug.cgi?id=169889
        <rdar://problem/31155607>

        Reviewed by Saam Barati.

        * stress/regress-169889-array-concat.js: Added.
        * stress/regress-169889-array-concat1.js: Added.
        * stress/regress-169889-array-slice.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
        https://bugs.webkit.org/show_bug.cgi?id=169445
        <rdar://problem/30957435>

        Reviewed by Saam Barati.

        * stress/regress-169445.js: Added.
        (let.gun.eval.A):
        (let.gun.eval.B.C):
        (let.gun.eval.B.C.prototype.trigger):
        (let.gun.eval.B.C.prototype.triggerWithRestParameters):
        (let.gun.eval.B):
        (let.gun.eval):

== Rolled over to ChangeLog-2018-09-11 ==