[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-16  Caitlin Potter  <caitp@igalia.com>
2
3         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
4         https://bugs.webkit.org/show_bug.cgi?id=176810
5
6         Reviewed by Saam Barati.
7
8         Add tests for the DontEnum filtering, and variations of other tests
9         take the DontEnum-filtering path.
10
11         * stress/proxy-own-keys.js:
12         (i.catch):
13         (set assert):
14         (set add):
15         (let.set new):
16         (get let):
17
18 2019-04-15  Saam barati  <sbarati@apple.com>
19
20         Modify how we do SetArgument when we inline varargs calls
21         https://bugs.webkit.org/show_bug.cgi?id=196712
22         <rdar://problem/49605012>
23
24         Reviewed by Michael Saboff.
25
26         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
27         (foo):
28
29 2019-04-15  Saam barati  <sbarati@apple.com>
30
31         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
32         https://bugs.webkit.org/show_bug.cgi?id=196945
33         <rdar://problem/49802750>
34
35         Reviewed by Filip Pizlo.
36
37         * stress/get-by-offset-should-use-correct-child.js: Added.
38         (foo.bar):
39         (foo):
40
41 2019-04-15  Robin Morisset  <rmorisset@apple.com>
42
43         DFG should be able to constant fold Object.create() with a constant prototype operand
44         https://bugs.webkit.org/show_bug.cgi?id=196886
45
46         Reviewed by Yusuke Suzuki.
47
48         Note that this new benchmark does not currently see a speedup with inlining removed.
49         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
50
51         * microbenchmarks/object-create-constant-prototype.js: Added.
52         (test):
53
54 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
55
56         Incremental bytecode cache should not append function updates when loaded from memory
57         https://bugs.webkit.org/show_bug.cgi?id=196865
58
59         Reviewed by Filip Pizlo.
60
61         * stress/bytecode-cache-shared-code-block.js: Added.
62         (b):
63         (program):
64
65 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
66
67         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
68         https://bugs.webkit.org/show_bug.cgi?id=196880
69
70         Reviewed by Yusuke Suzuki.
71
72         * stress/bytecode-cache-syntax-error.js: Added.
73         (catch):
74
75 2019-04-12  Saam barati  <sbarati@apple.com>
76
77         r244079 logically broke shouldSpeculateInt52
78         https://bugs.webkit.org/show_bug.cgi?id=196884
79
80         Reviewed by Yusuke Suzuki.
81
82         * microbenchmarks/int52-rand-function.js: Added.
83         (Math.random):
84
85 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
86
87         [JSC] op_has_indexed_property should not assume subscript part is Uint32
88         https://bugs.webkit.org/show_bug.cgi?id=196850
89
90         Reviewed by Saam Barati.
91
92         * stress/has-indexed-property-should-accept-non-int32.js: Added.
93         (foo):
94
95 2019-04-11  Saam barati  <sbarati@apple.com>
96
97         Remove invalid assertion in operationInstanceOfCustom
98         https://bugs.webkit.org/show_bug.cgi?id=196842
99         <rdar://problem/49725493>
100
101         Reviewed by Michael Saboff.
102
103         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
104
105 2019-04-10  Saam Barati  <sbarati@apple.com>
106
107         AbstractValue::validateOSREntryValue is wrong for Int52 constants
108         https://bugs.webkit.org/show_bug.cgi?id=196801
109         <rdar://problem/49771122>
110
111         Reviewed by Yusuke Suzuki.
112
113         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
114
115 2019-04-10  Robin Morisset  <rmorisset@apple.com>
116
117         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
118         https://bugs.webkit.org/show_bug.cgi?id=196746
119
120         Reviewed by Yusuke Suzuki.
121
122         * stress/cyclic-define-properties.js: Added.
123         (foo):
124
125 2019-04-09  Saam barati  <sbarati@apple.com>
126
127         Clean up Int52 code and some bugs in it
128         https://bugs.webkit.org/show_bug.cgi?id=196639
129         <rdar://problem/49515757>
130
131         Reviewed by Yusuke Suzuki.
132
133         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
134
135 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
136
137         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
138         https://bugs.webkit.org/show_bug.cgi?id=196708
139         <rdar://problem/49556803>
140
141         Reviewed by Yusuke Suzuki.
142
143         * stress/proxy-getter-stack-overflow.js: Added.
144         (const.handler.get target):
145         (const.handler.has):
146         (try.with):
147         (catch):
148
149 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
150
151         [JSC] DFG should respect node's strict flag
152         https://bugs.webkit.org/show_bug.cgi?id=196617
153
154         Reviewed by Saam Barati.
155
156         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
157         (shouldEqual):
158         (makeUnwriteableUnconfigurableObject):
159         (runTest):
160         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
161         (shouldBe):
162         (shouldThrow):
163         (with.result):
164         (with.putValueStrict):
165         (with.putValueSloppy):
166
167 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
168
169         [JSC] isRope jump in StringSlice should not jump over register allocations
170         https://bugs.webkit.org/show_bug.cgi?id=196716
171
172         Reviewed by Saam Barati.
173
174         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
175         (foo.bar):
176         (foo):
177
178 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
179
180         [JSC] to_index_string should not assume incoming value is Uint32
181         https://bugs.webkit.org/show_bug.cgi?id=196713
182
183         Reviewed by Saam Barati.
184
185         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
186         (foo):
187
188 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
189
190         [JSC] Add more tests for r243966
191         https://bugs.webkit.org/show_bug.cgi?id=196711
192
193         Reviewed by Saam Barati.
194
195         Adding one more test for r243966 fix. The added test will not crash after r243966.
196
197         * stress/stress-cleared-calllinkinfo.js: Added.
198         (runNearStackLimit.t):
199         (runNearStackLimit):
200         (repeat):
201         (cls):
202         (let.item.of.array.runNearStackLimit):
203
204 2019-04-08  Saam Barati  <sbarati@apple.com>
205
206         WebAssembly.RuntimeError missing exception check
207         https://bugs.webkit.org/show_bug.cgi?id=196700
208         <rdar://problem/49693932>
209
210         Reviewed by Yusuke Suzuki.
211
212         * wasm/js-api/runtime-error-should-exception-check.js: Added.
213
214 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
215
216         Unreviewed, rolling in r243948 with test fix
217         https://bugs.webkit.org/show_bug.cgi?id=196486
218
219         * stress/arrow-function-and-use-strict-directive.js: Added.
220         * stress/arrow-function-syntax.js: Added.
221         (checkSyntax):
222         (checkSyntaxError):
223
224 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
225
226         Unreviewed, rolling out r243948.
227
228         Caused inspector/runtime/parse.html to fail
229
230         Reverted changeset:
231
232         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
233         https://bugs.webkit.org/show_bug.cgi?id=196486
234         https://trac.webkit.org/changeset/243948
235
236 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
237
238         Unreviewed, rolling out r243943.
239
240         Caused test262 failures.
241
242         Reverted changeset:
243
244         "[JSC] Filter DontEnum properties in
245         ProxyObject::getOwnPropertyNames()"
246         https://bugs.webkit.org/show_bug.cgi?id=176810
247         https://trac.webkit.org/changeset/243943
248
249 2019-04-07  Michael Saboff  <msaboff@apple.com>
250
251         REGRESSION (r243642): Crash in reddit.com page
252         https://bugs.webkit.org/show_bug.cgi?id=196684
253
254         Reviewed by Geoffrey Garen.
255
256         New regression test.
257
258         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
259
260 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
261
262         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
263         https://bugs.webkit.org/show_bug.cgi?id=196683
264
265         Reviewed by Saam Barati.
266
267         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
268         (foo):
269
270 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
271
272         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
273         https://bugs.webkit.org/show_bug.cgi?id=196582
274
275         Reviewed by Saam Barati.
276
277         * stress/add-overflow-check-with-three-same-registers.js: Added.
278         (foo):
279         (Number.prototype.valueOf):
280         (runWithNumber):
281
282 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
283
284         Unreviewed, rolling out r243665.
285
286         Caused iOS JSC tests to exit with an exception.
287
288         Reverted changeset:
289
290         "Assertion failed in JSC::createError"
291         https://bugs.webkit.org/show_bug.cgi?id=196305
292         https://trac.webkit.org/changeset/243665
293
294 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
295
296         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
297         https://bugs.webkit.org/show_bug.cgi?id=196486
298
299         Reviewed by Saam Barati.
300
301         * stress/arrow-function-and-use-strict-directive.js: Added.
302         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
303         (checkSyntax):
304         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
305
306 2019-04-05  Caitlin Potter  <caitp@igalia.com>
307
308         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
309         https://bugs.webkit.org/show_bug.cgi?id=176810
310
311         Reviewed by Saam Barati.
312
313         Add tests for the DontEnum filtering, and variations of other tests
314         take the DontEnum-filtering path.
315
316         * stress/proxy-own-keys.js:
317         (i.catch):
318         (set assert):
319         (set add):
320         (let.set new):
321         (get let):
322
323 2019-04-05  Caitlin Potter  <caitp@igalia.com>
324
325         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
326         https://bugs.webkit.org/show_bug.cgi?id=185211
327
328         Reviewed by Saam Barati.
329
330         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
331
332         This changes several assertions to expect a TypeError to be thrown (in some cases,
333         changing thee expected message).
334
335         * es6/Proxy_ownKeys_duplicates.js:
336         (handler):
337         (shouldThrow):
338         (test):
339         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
340         (shouldThrow):
341         * stress/proxy-own-keys.js:
342         (i.catch):
343         (assert):
344
345 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
346
347         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
348         https://bugs.webkit.org/show_bug.cgi?id=196631
349
350         Reviewed by Saam Barati.
351
352         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
353         (assert):
354         (test):
355         (foo):
356
357 2019-04-04  Saam Barati  <sbarati@apple.com>
358
359         Unreviewed. Make the test from r243906 catch the thrown exceptions.
360
361         * stress/inferred-types-regex-matches-array.js:
362
363 2019-04-04  Saam Barati  <sbarati@apple.com>
364
365         createRegExpMatchesArray does not respect inferred types
366         https://bugs.webkit.org/show_bug.cgi?id=193287
367
368         Reviewed by Yusuke Suzuki.
369
370         This checks in the test case for 193287. This issue was discovered by
371         Samuel GroƟ of Google Project Zero.
372
373         * stress/inferred-types-regex-matches-array.js: Added.
374
375 2019-04-04  Saam barati  <sbarati@apple.com>
376
377         Teach Call ICs how to call Wasm
378         https://bugs.webkit.org/show_bug.cgi?id=196387
379
380         Reviewed by Filip Pizlo.
381
382         * wasm/function-tests/stack-trace.js:
383
384 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
385
386         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
387         https://bugs.webkit.org/show_bug.cgi?id=194944
388
389         Reviewed by Keith Miller.
390
391         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
392
393 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
394
395         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
396         https://bugs.webkit.org/show_bug.cgi?id=196409
397
398         Reviewed by Saam Barati.
399
400         * stress/bytecode-cache-cached-string-impl.js: Added.
401         (f):
402         (g):
403         * stress/bytecode-cache-run-string.js: Added.
404
405 2019-04-03  Robin Morisset  <rmorisset@apple.com>
406
407         B3 should use associativity to optimize expression trees
408         https://bugs.webkit.org/show_bug.cgi?id=194081
409
410         Reviewed by Filip Pizlo.
411
412         Added three microbenchmarks:
413         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
414         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
415           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
416         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
417
418         * microbenchmarks/add-tree.js: Added.
419         * microbenchmarks/bit-or-tree.js: Added.
420         * microbenchmarks/bit-xor-tree.js: Added.
421
422 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
423
424         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
425         https://bugs.webkit.org/show_bug.cgi?id=196574
426
427         Reviewed by Saam Barati.
428
429         * stress/string-index-of-exception-check.js: Added.
430         (blurType):
431         (1.forEach):
432
433 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
434
435         Assertion failed in JSC::createError
436         https://bugs.webkit.org/show_bug.cgi?id=196305
437         <rdar://problem/49387382>
438
439         Reviewed by Saam Barati.
440
441         * stress/create-error-out-of-memory-rope-string-2.js: Added.
442         (assert):
443         (catch):
444
445 2019-03-28  Saam Barati  <sbarati@apple.com>
446
447         BackwardsGraph needs to consider back edges as the backward's root successor
448         https://bugs.webkit.org/show_bug.cgi?id=195991
449
450         Reviewed by Filip Pizlo.
451
452         * stress/map-b3-licm-infinite-loop.js: Added.
453
454 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
455
456         CodeBlock::jettison() should disallow repatching its own calls
457         https://bugs.webkit.org/show_bug.cgi?id=196359
458         <rdar://problem/48973663>
459
460         Reviewed by Saam Barati.
461
462         * stress/call-link-info-osrexit-repatch.js: Added.
463         (foo):
464
465 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
466
467         [JSC] imports-oom.js intermittently fails
468         https://bugs.webkit.org/show_bug.cgi?id=196373
469
470         Reviewed by Saam Barati.
471
472         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
473         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
474         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
475         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
476         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
477
478         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
479         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
480
481         * wasm/lowExecutableMemory/imports-oom.js:
482
483 2019-03-27  Saam Barati  <sbarati@apple.com>
484
485         validateOSREntryValue with Int52 should box the value being checked into double format
486         https://bugs.webkit.org/show_bug.cgi?id=196313
487         <rdar://problem/49306703>
488
489         Reviewed by Yusuke Suzuki.
490
491         * stress/validate-int-52-ai-state.js: Added.
492
493 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
494
495         [JSC] Owner of watchpoints should validate at GC finalizing phase
496         https://bugs.webkit.org/show_bug.cgi?id=195827
497
498         Reviewed by Filip Pizlo.
499
500         * stress/gc-should-reap-dead-watchpoints.js: Added.
501         (foo):
502         (A.prototype.y):
503         (A):
504
505 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
506
507         Skip WebAssembly test on 32-bit systems
508         https://bugs.webkit.org/show_bug.cgi?id=196206
509
510         Reviewed by Saam Barati.
511
512         Invoking runDefault executes test immediately even though
513         that test should be skipped due to missing WASM support.
514         Therefore remove runDefault.
515
516         * wasm/regress/web-assembly-link-error-exception-check.js:
517
518 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
519
520         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
521         https://bugs.webkit.org/show_bug.cgi?id=196217
522
523         Reviewed by Saam Barati.
524
525         Re-enable all NaN tests for f32.min, f64.min and f64.max.
526
527         * wasm/spec-tests/f32.wast.js:
528         * wasm/spec-tests/f64.wast.js:
529         * wasm/wasm.json:
530
531 2019-03-25  Keith Miller  <keith_miller@apple.com>
532
533         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
534         https://bugs.webkit.org/show_bug.cgi?id=196176
535
536         Reviewed by Saam Barati.
537
538         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
539         (main.v10):
540         (main):
541
542 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
543
544         WebAssembly: f32.max with NaN generates incorrect result
545         https://bugs.webkit.org/show_bug.cgi?id=175691
546         <rdar://problem/33952228>
547
548         Reviewed by Saam Barati.
549
550         Enable all f32.max NaN tests
551
552         * wasm/spec-tests/f32.wast.js:
553         * wasm/wasm.json:
554
555 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
556
557         [JSC] Move test into directory for WASM tests
558         https://bugs.webkit.org/show_bug.cgi?id=196187
559
560         Reviewed by Mark Lam.
561
562         Move Test into wasm-directory. Otherwise this test
563         is also executed on systems without WASM support.
564
565         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
566
567 2019-03-23  Mark Lam  <mark.lam@apple.com>
568
569         Rolling out r243032 and r243071 because the fix is incorrect.
570         https://bugs.webkit.org/show_bug.cgi?id=195892
571         <rdar://problem/48981239>
572
573         Not reviewed.
574
575         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
576
577 2019-03-22  Mark Lam  <mark.lam@apple.com>
578
579         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
580         https://bugs.webkit.org/show_bug.cgi?id=196154
581         <rdar://problem/49145307>
582
583         Reviewed by Filip Pizlo.
584
585         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
586         There's no need to run this test on more than 1 test configuration.
587
588         * stress/typed-array-lastIndexOf-exception-check.js: Added.
589         * stress/web-assembly-link-error-exception-check.js:
590
591 2019-03-22  Mark Lam  <mark.lam@apple.com>
592
593         Placate exception check validation in constructJSWebAssemblyLinkError().
594         https://bugs.webkit.org/show_bug.cgi?id=196152
595         <rdar://problem/49145257>
596
597         Reviewed by Michael Saboff.
598
599         * stress/web-assembly-link-error-exception-check.js: Added.
600
601 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
602
603         Skip tests running out of memory on ARM/MIPS
604         https://bugs.webkit.org/show_bug.cgi?id=196131
605
606         Unreviewed. Skip test if memory is limited.
607
608         * microbenchmarks/put-by-val-direct-large-index.js:
609
610 2019-03-21  Mark Lam  <mark.lam@apple.com>
611
612         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
613         https://bugs.webkit.org/show_bug.cgi?id=196116
614         <rdar://problem/48976951>
615
616         Reviewed by Filip Pizlo.
617
618         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
619
620 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
621
622         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
623         https://bugs.webkit.org/show_bug.cgi?id=196078
624         <rdar://problem/35925380>
625
626         Reviewed by Mark Lam.
627
628         Add a new benchmark that allocates several objects and invokes put_by_val_direct
629         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
630
631         * microbenchmarks/put-by-val-direct-large-index.js: Added.
632
633 2019-03-21  Mark Lam  <mark.lam@apple.com>
634
635         Placate exception check validation in operationArrayIndexOfString().
636         https://bugs.webkit.org/show_bug.cgi?id=196067
637         <rdar://problem/49056572>
638
639         Reviewed by Michael Saboff.
640
641         * stress/string-equal-exception-check.js: Added.
642
643 2019-03-21  Mark Lam  <mark.lam@apple.com>
644
645         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
646         https://bugs.webkit.org/show_bug.cgi?id=196055
647         <rdar://problem/49067448>
648
649         Reviewed by Yusuke Suzuki.
650
651         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
652
653 2019-03-20  Saam Barati  <sbarati@apple.com>
654
655         typeOfDoubleSum is wrong for when NaN can be produced
656         https://bugs.webkit.org/show_bug.cgi?id=196030
657
658         Reviewed by Filip Pizlo.
659
660         * stress/double-add-sub-mul-can-produce-nan.js: Added.
661         (assert):
662         (noInline.sub):
663         (noInline):
664         (assert.mul):
665         (assert.add):
666
667 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
668
669         Update the test to ensure OutOfMemoryError is thrown as intended
670         https://bugs.webkit.org/show_bug.cgi?id=196032
671         <rdar://problem/46842740>
672
673         Rubber stamped by Saam Barati.
674
675         * stress/create-error-out-of-memory-rope-string.js:
676         (assert):
677         (catch):
678
679 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
680
681         JSC::createError needs to check for OOM in errorDescriptionForValue
682         https://bugs.webkit.org/show_bug.cgi?id=196032
683         <rdar://problem/46842740>
684
685         Reviewed by Mark Lam.
686
687         * stress/create-error-out-of-memory-rope-string.js: Added.
688
689 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
690
691         Unreviewed, reduce # of iterations to avoid timing out after r242991
692         https://bugs.webkit.org/show_bug.cgi?id=195791
693
694         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
695
696         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
697
698 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
699
700         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
701         https://bugs.webkit.org/show_bug.cgi?id=195950
702
703         Unreviewed, reducing the amount of memory used on this test to avoid
704         OOM on devices with memory restrictions.
705
706         * microbenchmarks/generate-multiple-llint-entrypoints.js:
707
708 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
709
710         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
711         https://bugs.webkit.org/show_bug.cgi?id=194648
712
713         Reviewed by Keith Miller.
714
715         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
716
717 2019-03-18  Mark Lam  <mark.lam@apple.com>
718
719         Missing a ThrowScope release in JSObject::toString().
720         https://bugs.webkit.org/show_bug.cgi?id=195893
721         <rdar://problem/48970986>
722
723         Reviewed by Michael Saboff.
724
725         * stress/to-string-exception-check-release.js: Added.
726
727 2019-03-18  Mark Lam  <mark.lam@apple.com>
728
729         Structure::flattenDictionary() should clear unused property slots.
730         https://bugs.webkit.org/show_bug.cgi?id=195871
731         <rdar://problem/48959497>
732
733         Reviewed by Michael Saboff.
734
735         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
736
737 2019-03-15  Mark Lam  <mark.lam@apple.com>
738
739         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
740         https://bugs.webkit.org/show_bug.cgi?id=195827
741         <rdar://problem/48845513>
742
743         Reviewed by Filip Pizlo.
744
745         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
746
747 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
748
749         [ARM,MIPS] Skip slow tests
750         https://bugs.webkit.org/show_bug.cgi?id=195799
751
752         Unreviewed, test does not finish on ARM and MIPS within the
753         timeout limit.
754
755         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
756
757 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
758
759         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
760         https://bugs.webkit.org/show_bug.cgi?id=195791
761         <rdar://problem/48806130>
762
763         Reviewed by Mark Lam.
764
765         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
766         (foo):
767
768 2019-03-14  Saam barati  <sbarati@apple.com>
769
770         We can't remove code after ForceOSRExit until after FixupPhase
771         https://bugs.webkit.org/show_bug.cgi?id=186916
772         <rdar://problem/41396612>
773
774         Reviewed by Yusuke Suzuki.
775
776         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
777         (foo):
778         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
779         (foo):
780
781 2019-03-13  Michael Saboff  <msaboff@apple.com>
782
783         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
784         https://bugs.webkit.org/show_bug.cgi?id=195735
785
786         Reviewed by Mark Lam.
787
788         New regression test.
789
790         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
791         (foo):
792         (bar):
793
794 2019-03-14  Saam barati  <sbarati@apple.com>
795
796         Fixup uses KnownInt32 incorrectly in some nodes
797         https://bugs.webkit.org/show_bug.cgi?id=195279
798         <rdar://problem/47915654>
799
800         Reviewed by Yusuke Suzuki.
801
802         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
803         (foo):
804
805 2019-03-14  Keith Miller  <keith_miller@apple.com>
806
807         DFG liveness can't skip tail caller inline frames
808         https://bugs.webkit.org/show_bug.cgi?id=195715
809
810         Reviewed by Saam Barati.
811
812         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
813         (i.foo):
814
815 2019-03-13  Mark Lam  <mark.lam@apple.com>
816
817         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
818         https://bugs.webkit.org/show_bug.cgi?id=195415
819
820         Not reviewed.
821
822         Changed these tests to only run the default configuration.
823         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
824         There's no strong need to run this test on that variant.
825
826         * stress/dfg-to-string-on-int-does-gc.js:
827         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
828
829 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
830
831         String overflow when using StringBuilder in JSC::createError
832         https://bugs.webkit.org/show_bug.cgi?id=194957
833
834         Reviewed by Mark Lam.
835
836         Add test string-overflow-createError-bulder.js that overflows
837         StringBuilder in notAFunctionSourceAppender. The second new test
838         string-overflow-createError-fit.js has an error message that doesn't
839         overflow, it still failed since the String's capacity can't be doubled.
840         Run test string-overflow-createError.js only in the default
841         configuration to reduce memory consumption when running the test
842         in all configurations on multiple CPUs in parallel.
843
844         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
845         (catch):
846         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
847         (catch):
848         * stress/string-overflow-createError.js:
849
850 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
851
852         [JSC] OSR entry should respect abstract values in addition to flush formats
853         https://bugs.webkit.org/show_bug.cgi?id=195653
854
855         Reviewed by Mark Lam.
856
857         * stress/osr-entry-locals-none.js: Added.
858
859 2019-03-12  Michael Saboff  <msaboff@apple.com>
860
861         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
862         https://bugs.webkit.org/show_bug.cgi?id=195613
863
864         Reviewed by Mark Lam.
865
866         New regression test.
867
868         * stress/regexp-backref-inbounds.js: Added.
869         (testRegExp):
870
871 2019-03-12  Mark Lam  <mark.lam@apple.com>
872
873         The HasIndexedProperty node does GC.
874         https://bugs.webkit.org/show_bug.cgi?id=195559
875         <rdar://problem/48767923>
876
877         Reviewed by Yusuke Suzuki.
878
879         * stress/HasIndexedProperty-does-gc.js: Added.
880
881 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
882
883         [ESNext][BigInt] Implement "~" unary operation
884         https://bugs.webkit.org/show_bug.cgi?id=182216
885
886         Reviewed by Keith Miller.
887
888         * stress/big-int-bit-not-general.js: Added.
889         * stress/big-int-bitwise-not-jit.js: Added.
890         * stress/big-int-bitwise-not-wrapped-value.js: Added.
891         * stress/bit-op-with-object-returning-int32.js:
892         * stress/bitwise-not-fixup-rules.js: Added.
893         * stress/value-bit-not-ai-rule.js: Added.
894
895 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
896
897         Invalid flags in a RegExp literal should be an early SyntaxError
898         https://bugs.webkit.org/show_bug.cgi?id=195514
899
900         Reviewed by Darin Adler.
901
902         * test262/expectations.yaml:
903         Mark 4 test cases as passing.
904
905         * stress/regexp-syntax-error-invalid-flags.js:
906         * stress/regress-161995.js: Removed.
907         Update existing test, merging in an older test for the same behavior.
908
909 2019-03-08  Mark Lam  <mark.lam@apple.com>
910
911         Stack overflow crash in JSC::JSObject::hasInstance.
912         https://bugs.webkit.org/show_bug.cgi?id=195458
913         <rdar://problem/48710195>
914
915         Reviewed by Yusuke Suzuki.
916
917         * stress/stack-overflow-in-custom-hasInstance.js: Added.
918
919 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
920
921         op_check_tdz does not def its argument
922         https://bugs.webkit.org/show_bug.cgi?id=192880
923         <rdar://problem/46221598>
924
925         Reviewed by Saam Barati.
926
927         * microbenchmarks/let-for-in.js: Added.
928         (foo):
929
930 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
931
932         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
933         https://bugs.webkit.org/show_bug.cgi?id=195429
934
935         Reviewed by Saam Barati.
936
937         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
938         (foo):
939         * stress/string-from-char-code-255.js: Added.
940
941 2019-03-06  Mark Lam  <mark.lam@apple.com>
942
943         Fix incorrect handling of try-finally completion values.
944         https://bugs.webkit.org/show_bug.cgi?id=195131
945         <rdar://problem/46222079>
946
947         Reviewed by Saam Barati and Yusuke Suzuki.
948
949         Added many permutations of new test case to test-finally.js.  test-finally.js has
950         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
951         tests passes there as well.
952
953         * stress/test-finally.js:
954
955 2019-03-06  Saam Barati  <sbarati@apple.com>
956
957         Air::reportUsedRegisters must padInterference
958         https://bugs.webkit.org/show_bug.cgi?id=195303
959         <rdar://problem/48270343>
960
961         Reviewed by Keith Miller.
962
963         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
964
965 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
966
967         [JSC] AI should not propagate AbstractValue relying on constant folding phase
968         https://bugs.webkit.org/show_bug.cgi?id=195375
969
970         Reviewed by Saam Barati.
971
972         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
973         (let.array):
974
975 2019-03-05  Saam barati  <sbarati@apple.com>
976
977         op_switch_char broken for rope strings after JSRopeString layout rewrite
978         https://bugs.webkit.org/show_bug.cgi?id=195339
979         <rdar://problem/48592545>
980
981         Reviewed by Yusuke Suzuki.
982
983         * stress/switch-on-char-llint-rope.js: Added.
984
985 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
986
987         [JSC] Store bits for JSRopeString in 3 stores
988         https://bugs.webkit.org/show_bug.cgi?id=195234
989
990         Reviewed by Saam Barati.
991
992         * stress/null-rope-and-collectors.js: Added.
993
994 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
995
996         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
997         https://bugs.webkit.org/show_bug.cgi?id=195207
998
999         Unreviewed. After test runtime was reduced in r242213, test can be
1000         run again on ARM/MIPS.
1001
1002         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1003
1004 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1005
1006         [JSC] sizeof(JSString) should be 16
1007         https://bugs.webkit.org/show_bug.cgi?id=194375
1008
1009         Reviewed by Saam Barati.
1010
1011         * microbenchmarks/make-rope.js: Added.
1012         (makeRope):
1013         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1014         (returnRope.helper): Deleted.
1015         (returnRope): Deleted.
1016
1017 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1018
1019         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1020         https://bugs.webkit.org/show_bug.cgi?id=195144
1021
1022         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1023         Change the number from 1e8 to 1e5.
1024
1025         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1026         (foo):
1027
1028 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1029
1030         Test times out on ARM/MIPS
1031         https://bugs.webkit.org/show_bug.cgi?id=195168
1032
1033         Unreviewed. Skip test on ARM/MIPS.
1034
1035         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1036
1037 2019-02-27  Mark Lam  <mark.lam@apple.com>
1038
1039         The parser is failing to record the token location of new in new.target.
1040         https://bugs.webkit.org/show_bug.cgi?id=195127
1041         <rdar://problem/39645578>
1042
1043         Reviewed by Yusuke Suzuki.
1044
1045         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1046
1047 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1048
1049         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1050         https://bugs.webkit.org/show_bug.cgi?id=195144
1051         <rdar://problem/47595961>
1052
1053         Reviewed by Mark Lam.
1054
1055         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1056         (bar):
1057         (foo):
1058         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1059         (bar):
1060         (foo):
1061
1062 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1063
1064         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1065         https://bugs.webkit.org/show_bug.cgi?id=194945
1066         <rdar://problem/48311657>
1067
1068         Reviewed by Mark Lam.
1069
1070         * stress/licm-dead-code.js: Added.
1071
1072 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1073
1074         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1075         https://bugs.webkit.org/show_bug.cgi?id=194677
1076         <rdar://problem/48112492>
1077
1078         Reviewed by Mark Lam.
1079
1080         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1081         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1082         it immediately fails due the large size.
1083
1084         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1085         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
1086         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1087         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1088
1089         This patch changes the test to produce 16bit string from String.fromCharCode.
1090
1091         * stress/regress-178386.js:
1092
1093 2019-02-26  Mark Lam  <mark.lam@apple.com>
1094
1095         wasmToJS() should purify incoming NaNs.
1096         https://bugs.webkit.org/show_bug.cgi?id=194807
1097         <rdar://problem/48189132>
1098
1099         Reviewed by Saam Barati.
1100
1101         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1102
1103 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1104
1105         [JSC] Repeat string created from Array.prototype.join() take too much memory
1106         https://bugs.webkit.org/show_bug.cgi?id=193912
1107
1108         Reviewed by Saam Barati.
1109
1110         Added a test and a microbenchmark for corner cases of
1111         Array.prototype.join() with an uninitialized array.
1112
1113         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1114         * stress/array-prototype-join-uninitialized.js: Added.
1115         (testArray):
1116         (testABC):
1117         (B):
1118         (C):
1119
1120 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1121
1122         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1123         https://bugs.webkit.org/show_bug.cgi?id=194953
1124         <rdar://problem/47595253>
1125
1126         Reviewed by Saam Barati.
1127
1128         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1129
1130         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1131
1132 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1133
1134         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1135         https://bugs.webkit.org/show_bug.cgi?id=172848
1136         <rdar://problem/25709212>
1137
1138         Reviewed by Mark Lam.
1139
1140         * typeProfiler/inheritance.js:
1141         Rewrite the test slightly for clarity. The hoisting was confusing.
1142
1143         * heapProfiler/class-names.js: Added.
1144         (MyES5Class):
1145         (MyES6Class):
1146         (MyES6Subclass):
1147         Test object types and improved class names.
1148
1149         * heapProfiler/driver/driver.js:
1150         (CheapHeapSnapshotNode):
1151         (CheapHeapSnapshot):
1152         (createCheapHeapSnapshot):
1153         (HeapSnapshot):
1154         (createHeapSnapshot):
1155         Update snapshot parsing from version 1 to version 2.
1156
1157 2019-02-19  Truitt Savell  <tsavell@apple.com>
1158
1159         Unreviewed, rolling out r241784.
1160
1161         Broke all OpenSource builds.
1162
1163         Reverted changeset:
1164
1165         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1166         instances view"
1167         https://bugs.webkit.org/show_bug.cgi?id=172848
1168         https://trac.webkit.org/changeset/241784
1169
1170 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1171
1172         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1173         https://bugs.webkit.org/show_bug.cgi?id=172848
1174         <rdar://problem/25709212>
1175
1176         Reviewed by Mark Lam.
1177
1178         * typeProfiler/inheritance.js:
1179         Rewrite the test slightly for clarity. The hoisting was confusing.
1180
1181         * heapProfiler/class-names.js: Added.
1182         (MyES5Class):
1183         (MyES6Class):
1184         (MyES6Subclass):
1185         Test object types and improved class names.
1186
1187         * heapProfiler/driver/driver.js:
1188         (CheapHeapSnapshotNode):
1189         (CheapHeapSnapshot):
1190         (createCheapHeapSnapshot):
1191         (HeapSnapshot):
1192         (createHeapSnapshot):
1193         Update snapshot parsing from version 1 to version 2.
1194
1195 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1196
1197         [ARM] Fix crash with sampling profiler
1198         https://bugs.webkit.org/show_bug.cgi?id=194772
1199
1200         Reviewed by Mark Lam.
1201
1202         Do not skip test since crash with sampling profiler is now fixed.
1203
1204         * stress/sampling-profiler-richards.js:
1205
1206 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1207
1208         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1209         https://bugs.webkit.org/show_bug.cgi?id=194784
1210         <rdar://problem/48154820>
1211
1212         Reviewed by Mark Lam.
1213
1214         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1215         (getProperties):
1216         (getRandomProperty):
1217         (i.catch):
1218
1219 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1220
1221         [ARM] Test gardening: Test running out of executable memory
1222         https://bugs.webkit.org/show_bug.cgi?id=194771
1223
1224         Unreviewed. Do not run test without LLInt, test is running out of executable
1225         memory on ARM otherwise.
1226
1227         * stress/tagged-template-object-collect.js:
1228
1229 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1230
1231         Unreviewed, skip the test on platforms without sampling profiler
1232
1233         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1234         (platformSupportsSamplingProfiler.foo):
1235         (platformSupportsSamplingProfiler.test):
1236         (platformSupportsSamplingProfiler):
1237         (foo): Deleted.
1238         (test): Deleted.
1239
1240 2019-02-17  Saam Barati  <sbarati@apple.com>
1241
1242         Deadlock when adding a Structure property transition and then doing incremental marking
1243         https://bugs.webkit.org/show_bug.cgi?id=194767
1244
1245         Reviewed by Mark Lam.
1246
1247         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1248
1249 2019-02-15  Michael Saboff  <msaboff@apple.com>
1250
1251         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1252         https://bugs.webkit.org/show_bug.cgi?id=194558
1253
1254         Reviewed by Saam Barati.
1255
1256         New regression test.
1257
1258         * stress/regexp-unicode-within-string.js: Added.
1259
1260 2019-02-15  Mark Lam  <mark.lam@apple.com>
1261
1262         SamplingProfiler::stackTracesAsJSON() should escape strings.
1263         https://bugs.webkit.org/show_bug.cgi?id=194649
1264         <rdar://problem/48072386>
1265
1266         Reviewed by Saam Barati.
1267
1268         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1269         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1270         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1271         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1272
1273 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1274         CodeBlock::jettison should clear related watchpoints
1275         https://bugs.webkit.org/show_bug.cgi?id=194544
1276
1277         Reviewed by Mark Lam.
1278
1279         * stress/regexp-replace-double-watchpoint.js: Added.
1280         (foo):
1281
1282 2019-02-15  Saam barati  <sbarati@apple.com>
1283
1284         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1285         https://bugs.webkit.org/show_bug.cgi?id=194036
1286
1287         Reviewed by Yusuke Suzuki.
1288
1289         * stress/tail-call-many-arguments.js: Added.
1290         (foo):
1291         (bar):
1292
1293 2019-02-14  Saam Barati  <sbarati@apple.com>
1294
1295         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1296         https://bugs.webkit.org/show_bug.cgi?id=194583
1297         <rdar://problem/48028140>
1298
1299         Reviewed by Yusuke Suzuki.
1300
1301         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1302
1303 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1304
1305         [JSC] String.fromCharCode's slow path always generates 16bit string
1306         https://bugs.webkit.org/show_bug.cgi?id=194466
1307
1308         Reviewed by Keith Miller.
1309
1310         * stress/string-from-char-code-slow-path.js: Added.
1311         (shouldBe):
1312         (testWithLength):
1313
1314 2019-02-08  Saam barati  <sbarati@apple.com>
1315
1316         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1317         https://bugs.webkit.org/show_bug.cgi?id=194334
1318         <rdar://problem/47844327>
1319
1320         Reviewed by Mark Lam.
1321
1322         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1323         (func):
1324
1325 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1326
1327         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1328         https://bugs.webkit.org/show_bug.cgi?id=194369
1329         <rdar://problem/47813087>
1330
1331         Reviewed by Saam Barati.
1332
1333         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1334         (A):
1335
1336 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1337
1338         [JSC] PrivateName to PublicName hash table is wasteful
1339         https://bugs.webkit.org/show_bug.cgi?id=194277
1340
1341         Reviewed by Michael Saboff.
1342
1343         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1344
1345         * ChakraCore.yaml:
1346
1347 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1348
1349         [ARM] Test running out of executable memory
1350         https://bugs.webkit.org/show_bug.cgi?id=194285
1351
1352         Unreviewed. Do no execute test with LLInt disabled, test runs out of
1353         executable memory otherwise.
1354
1355         * stress/class-subclassing-function.js:
1356
1357 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1358
1359         when lowering AssertNotEmpty, create the value before creating the patchpoint
1360         https://bugs.webkit.org/show_bug.cgi?id=194231
1361
1362         Reviewed by Saam Barati.
1363
1364         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1365         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1366         So even tiny changes to this test can change the path code taken.
1367
1368         * stress/assert-not-empty.js: Added.
1369         (foo):
1370
1371 2019-02-01  Mark Lam  <mark.lam@apple.com>
1372
1373         Remove invalid assertion in DFG's compileDoubleRep().
1374         https://bugs.webkit.org/show_bug.cgi?id=194130
1375         <rdar://problem/47699474>
1376
1377         Reviewed by Saam Barati.
1378
1379         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1380
1381 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1382
1383         Import latest Test262 updates.
1384
1385         Rubber-stamped by Keith Miller.
1386
1387         * test262.yaml: Deleted.
1388         * test262/config.yaml:
1389         * test262/expectations.yaml:
1390         * test262/latest-changes-summary.txt:
1391         * test262/test/:
1392         * test262/test262-Revision.txt:
1393
1394 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1395
1396         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1397         https://bugs.webkit.org/show_bug.cgi?id=194050
1398         <rdar://problem/47595592>
1399
1400         Reviewed by Yusuke Suzuki.
1401
1402         * stress/object-keys-osr-exit.js: Added.
1403         (foo):
1404         (catch):
1405
1406 2019-01-29  Mark Lam  <mark.lam@apple.com>
1407
1408         ValueRecovery::recover() should purify NaN values it recovers.
1409         https://bugs.webkit.org/show_bug.cgi?id=193978
1410         <rdar://problem/47625488>
1411
1412         Reviewed by Saam Barati.
1413
1414         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1415
1416 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1417
1418         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1419         https://bugs.webkit.org/show_bug.cgi?id=193713
1420
1421         * stress/try-get-by-id-should-spill-registers-dfg.js:
1422         (let.f.createBuiltin):
1423
1424 2019-01-28  Mark Lam  <mark.lam@apple.com>
1425
1426         ToString node actually does GC.
1427         https://bugs.webkit.org/show_bug.cgi?id=193920
1428         <rdar://problem/46695900>
1429
1430         Reviewed by Yusuke Suzuki.
1431
1432         * stress/dfg-to-string-on-int-does-gc.js: Added.
1433         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1434         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1435
1436 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1437
1438         [JSC] NativeErrorConstructor should not have own IsoSubspace
1439         https://bugs.webkit.org/show_bug.cgi?id=193713
1440
1441         Reviewed by Saam Barati.
1442
1443         Remove @Error use.
1444
1445         * stress/try-get-by-id-should-spill-registers-dfg.js:
1446         (let.f.createBuiltin):
1447
1448 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1449
1450         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1451         https://bugs.webkit.org/show_bug.cgi?id=190693
1452
1453         Reviewed by Michael Saboff.
1454
1455         * stress/regress-190693.js: Added.
1456         (truth):
1457         (assert):
1458         (shouldThrowInvalidConstAssignment):
1459         (taz):
1460
1461 2019-01-24  Saam Barati  <sbarati@apple.com>
1462
1463         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1464         https://bugs.webkit.org/show_bug.cgi?id=193751
1465         <rdar://problem/47280215>
1466
1467         Reviewed by Michael Saboff.
1468
1469         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1470         (let.thing):
1471         (foo.let.hello):
1472         (foo):
1473
1474 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1475
1476         [JSC] Reenable baseline JIT on mips
1477         https://bugs.webkit.org/show_bug.cgi?id=192983
1478
1479         Reviewed by Mark Lam.
1480
1481         Added a new test for a case that was triggering a RELEASE_ASSERT when
1482         testing.
1483         Disable some slow tests that were already disabled for arm and x86.
1484
1485         * stress/json-parse-big-object.js: Added.
1486         * stress/new-largeish-contiguous-array-with-size.js:
1487         * stress/op_add.js:
1488         * stress/op_bitand.js:
1489         * stress/op_bitor.js:
1490         * stress/op_bitxor.js:
1491         * stress/op_lshift-ConstVar.js:
1492         * stress/op_lshift-VarConst.js:
1493         * stress/op_lshift-VarVar.js:
1494         * stress/op_mod-ConstVar.js:
1495         * stress/op_mod-VarConst.js:
1496         * stress/op_mod-VarVar.js:
1497         * stress/op_mul-ConstVar.js:
1498         * stress/op_mul-VarConst.js:
1499         * stress/op_mul-VarVar.js:
1500         * stress/op_rshift-ConstVar.js:
1501         * stress/op_rshift-VarConst.js:
1502         * stress/op_rshift-VarVar.js:
1503         * stress/op_sub-ConstVar.js:
1504         * stress/op_sub-VarConst.js:
1505         * stress/op_sub-VarVar.js:
1506         * stress/op_urshift-ConstVar.js:
1507         * stress/op_urshift-VarConst.js:
1508         * stress/op_urshift-VarVar.js:
1509         * stress/sampling-profiler-richards.js:
1510         * stress/spread-forward-call-varargs-stack-overflow.js:
1511
1512 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1513
1514         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1515         https://bugs.webkit.org/show_bug.cgi?id=193711
1516         <rdar://problem/47250262>
1517
1518         Reviewed by Saam Barati.
1519
1520         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1521         (shouldBe):
1522         (foo):
1523         (bar):
1524         (baz):
1525
1526 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1527
1528         Unreviewed, fix initial global lexical binding epoch
1529         https://bugs.webkit.org/show_bug.cgi?id=193603
1530         <rdar://problem/47380869>
1531
1532         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1533         (f1.f2.f3.f4):
1534         (f1.f2.f3):
1535         (f1.f2):
1536         (f1):
1537
1538 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1539
1540         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1541         https://bugs.webkit.org/show_bug.cgi?id=193709
1542         <rdar://problem/47363838>
1543
1544         Unreviewed, rollout to watch the tests.
1545
1546         * stress/object-tostring-changed-proto.js: Removed.
1547         * stress/object-tostring-changed.js: Removed.
1548         * stress/object-tostring-misc.js: Removed.
1549         * stress/object-tostring-other.js: Removed.
1550         * stress/object-tostring-untyped.js: Removed.
1551
1552 2019-01-22  Saam Barati  <sbarati@apple.com>
1553
1554         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1555
1556         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1557         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1558         (testUncheckedLessThanZero):
1559         (testUncheckedLessThanOrEqualZero):
1560         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1561         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1562
1563 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1564
1565         [JSC] Invalidate old scope operations using global lexical binding epoch
1566         https://bugs.webkit.org/show_bug.cgi?id=193603
1567         <rdar://problem/47380869>
1568
1569         Reviewed by Saam Barati.
1570
1571         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1572         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1573         (shouldThrow):
1574         (bar):
1575         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1576         (shouldBe):
1577         (get1):
1578         (get2):
1579         (get1If):
1580         (get2If):
1581         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1582         (shouldThrow):
1583         (foo):
1584
1585 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1586
1587         Unreviewed, roll out r240220 due to date-format-xparb regression
1588         https://bugs.webkit.org/show_bug.cgi?id=193603
1589
1590         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1591         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1592         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1593         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1594
1595 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1596
1597         DoesGC rule is wrong for nodes with BigIntUse
1598         https://bugs.webkit.org/show_bug.cgi?id=193652
1599
1600         Reviewed by Saam Barati.
1601
1602         * stress/big-int-value-op-update-gc-rules.js: Added.
1603         (assert):
1604         (doesGCAdd):
1605         (doesGCSub):
1606         (doesGCDiv):
1607         (doesGCMul):
1608         (doesGCBitAnd):
1609         (doesGCBitOr):
1610         (doesGCBitXor):
1611
1612 2019-01-20  Saam Barati  <sbarati@apple.com>
1613
1614         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1615         https://bugs.webkit.org/show_bug.cgi?id=193644
1616         <rdar://problem/46209745>
1617
1618         Reviewed by Yusuke Suzuki.
1619
1620         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1621         (foo):
1622         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1623         (foo):
1624         (bar):
1625
1626 2019-01-20  Saam Barati  <sbarati@apple.com>
1627
1628         MovHint must merge NodeBytecodeUsesAsValue for its child
1629         https://bugs.webkit.org/show_bug.cgi?id=186916
1630         <rdar://problem/41396612>
1631
1632         Reviewed by Yusuke Suzuki.
1633
1634         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1635         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1636
1637 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1638
1639         [JSC] Invalidate old scope operations using global lexical binding epoch
1640         https://bugs.webkit.org/show_bug.cgi?id=193603
1641         <rdar://problem/47380869>
1642
1643         Reviewed by Saam Barati.
1644
1645         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1646         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1647         (shouldThrow):
1648         (bar):
1649         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1650         (shouldBe):
1651         (get1):
1652         (get2):
1653         (get1If):
1654         (get2If):
1655         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1656         (shouldThrow):
1657         (foo):
1658
1659 2019-01-17  Saam barati  <sbarati@apple.com>
1660
1661         StringObjectUse should not be a structure check for the original string object structure
1662         https://bugs.webkit.org/show_bug.cgi?id=193483
1663         <rdar://problem/47280522>
1664
1665         Reviewed by Yusuke Suzuki.
1666
1667         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1668         (foo):
1669         (a.valueOf.0):
1670
1671 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1672
1673         [JSC] ToThis omission in DFGByteCodeParser is wrong
1674         https://bugs.webkit.org/show_bug.cgi?id=193513
1675         <rdar://problem/45842236>
1676
1677         Reviewed by Saam Barati.
1678
1679         * stress/to-this-omission-with-different-strict-modes.js: Added.
1680         (thisA):
1681         (thisAStrictWrapper):
1682
1683 2019-01-15  Mark Lam  <mark.lam@apple.com>
1684
1685         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1686         https://bugs.webkit.org/show_bug.cgi?id=193423
1687         <rdar://problem/46209355>
1688
1689         Reviewed by Saam Barati.
1690
1691         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1692         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1693         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1694         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1695
1696 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1697
1698         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1699         https://bugs.webkit.org/show_bug.cgi?id=193438
1700         <rdar://problem/45581249>
1701
1702         Reviewed by Saam Barati and Keith Miller.
1703
1704         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1705         Then, GetByVal(String) crashed.
1706
1707         * stress/string-get-by-val-lowering.js: Added.
1708         (shouldBe):
1709         (test):
1710         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1711         (Hello):
1712         (foo):
1713
1714 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1715
1716         Unreviewed, skip JIT tests if it's not enabled
1717
1718         * stress/bit-op-with-object-returning-int32.js:
1719
1720 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1721
1722         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1723         https://bugs.webkit.org/show_bug.cgi?id=192966
1724
1725         Reviewed by Yusuke Suzuki.
1726
1727         * stress/bit-op-with-object-returning-int32.js: Added.
1728
1729 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1730
1731         Skip a slow test and a flakey test on arm
1732
1733         Unreviewed gardening.
1734
1735         * typeProfiler/getter-richards.js:
1736         this test always times out, it used to be always skipped on arm and
1737         mips, but got accidentally enabled by r237919 now that we have DFG on
1738         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1739
1740 2019-01-14  Keith Miller  <keith_miller@apple.com>
1741
1742         Skip type-check-hoisting-phase-hoist... with no jit
1743         https://bugs.webkit.org/show_bug.cgi?id=193421
1744
1745         Reviewed by Mark Lam.
1746
1747         It's timing out the 32-bit bots and takes 330 seconds
1748         on my machine when run by itself.
1749
1750         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1751
1752 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1753
1754         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1755         https://bugs.webkit.org/show_bug.cgi?id=193413
1756         <rdar://problem/46092389>
1757
1758         Reviewed by Keith Miller.
1759
1760         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1761         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1762         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1763         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1764
1765         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1766         (compareArray):
1767
1768 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1769
1770         [BigInt] Literal parsing is crashing when used inside a Object Literal
1771         https://bugs.webkit.org/show_bug.cgi?id=193404
1772
1773         Reviewed by Yusuke Suzuki.
1774
1775         * stress/big-int-literal-inside-literal-object.js: Added.
1776
1777 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1778
1779         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1780         https://bugs.webkit.org/show_bug.cgi?id=193372
1781
1782         Reviewed by Saam Barati.
1783
1784         * stress/typed-array-array-modes-profile.js: Added.
1785         (foo):
1786
1787 2019-01-14  Mark Lam  <mark.lam@apple.com>
1788
1789         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1790         https://bugs.webkit.org/show_bug.cgi?id=193402
1791         <rdar://problem/46012309>
1792
1793         Reviewed by Keith Miller.
1794
1795         * stress/regexp-compile-oom.js:
1796         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1797           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1798
1799 2019-01-11  Saam barati  <sbarati@apple.com>
1800
1801         DFG combined liveness can be wrong for terminal basic blocks
1802         https://bugs.webkit.org/show_bug.cgi?id=193304
1803         <rdar://problem/45268632>
1804
1805         Reviewed by Yusuke Suzuki.
1806
1807         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1808
1809 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1810
1811         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1812         https://bugs.webkit.org/show_bug.cgi?id=193308
1813         <rdar://problem/45546542>
1814
1815         Reviewed by Saam Barati.
1816
1817         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1818         (shouldThrow):
1819         (shouldBe):
1820         (foo):
1821         (get shouldThrow):
1822         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1823         (shouldThrow):
1824         (shouldBe):
1825         (foo):
1826         (get shouldBe):
1827         (get shouldThrow):
1828         (get return):
1829         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1830         (shouldThrow):
1831         (shouldBe):
1832         (foo):
1833         (get shouldBe):
1834         (get shouldThrow):
1835         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1836         (shouldThrow):
1837         (shouldBe):
1838         (foo):
1839         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1840         (shouldThrow):
1841         (shouldBe):
1842         (foo):
1843         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1844         (shouldThrow):
1845         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1846         (shouldThrow):
1847         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1848         (shouldThrow):
1849         (shouldBe):
1850         (foo):
1851         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1852         (shouldThrow):
1853         (shouldBe):
1854         (foo):
1855         (get shouldBe):
1856         (get shouldThrow):
1857         (get return):
1858         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1859         (shouldThrow):
1860         (shouldBe):
1861         (foo):
1862         (get shouldBe):
1863         (get shouldThrow):
1864         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1865         (shouldThrow):
1866         (shouldBe):
1867         (foo):
1868         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1869         (shouldThrow):
1870         (shouldBe):
1871         (foo):
1872
1873 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1874
1875         Enable DFG on ARM/Linux again
1876         https://bugs.webkit.org/show_bug.cgi?id=192496
1877
1878         Reviewed by Yusuke Suzuki.
1879
1880         Test wasn't really skipped before moving the line with skip
1881         to the top.
1882
1883         * stress/regress-192717.js:
1884
1885 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1886
1887         Unreviewed, rolling out r239825.
1888         https://bugs.webkit.org/show_bug.cgi?id=193330
1889
1890         Broke tests on armv7/linux bots (Requested by guijemont on
1891         #webkit).
1892
1893         Reverted changeset:
1894
1895         "Enable DFG on ARM/Linux again"
1896         https://bugs.webkit.org/show_bug.cgi?id=192496
1897         https://trac.webkit.org/changeset/239825
1898
1899 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1900
1901         Enable DFG on ARM/Linux again
1902         https://bugs.webkit.org/show_bug.cgi?id=192496
1903
1904         Reviewed by Yusuke Suzuki.
1905
1906         Test wasn't really skipped before moving the line with skip
1907         to the top.
1908
1909         * stress/regress-192717.js:
1910
1911 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1912
1913         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1914         https://bugs.webkit.org/show_bug.cgi?id=193127
1915
1916         Reviewed by Saam Barati.
1917
1918         * stress/array-species-create-should-handle-masquerader.js: Added.
1919         (shouldThrow):
1920         * stress/is-undefined-or-null-builtin.js: Added.
1921         (shouldBe):
1922         (isUndefinedOrNull.vm.createBuiltin):
1923
1924 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1925
1926         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1927         https://bugs.webkit.org/show_bug.cgi?id=193221
1928
1929         Reviewed by Mark Lam.
1930
1931         * stress/put-by-id-flags.js: Added.
1932         (f):
1933         (g):
1934         (numberOfDFGCompiles):
1935
1936 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1937
1938         Baseline version of get_by_id may corrupt metadata
1939         https://bugs.webkit.org/show_bug.cgi?id=193085
1940         <rdar://problem/23453006>
1941
1942         Reviewed by Saam Barati.
1943
1944         * stress/get-by-id-change-mode.js: Added.
1945         (forEach):
1946
1947 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1948
1949         [JSC] Optimize Object.prototype.toString
1950         https://bugs.webkit.org/show_bug.cgi?id=193031
1951
1952         Reviewed by Saam Barati.
1953
1954         * stress/object-tostring-changed-proto.js: Added.
1955         (shouldBe):
1956         (test):
1957         * stress/object-tostring-changed.js: Added.
1958         (shouldBe):
1959         (test):
1960         * stress/object-tostring-misc.js: Added.
1961         (shouldBe):
1962         (test):
1963         (i.switch):
1964         * stress/object-tostring-other.js: Added.
1965         (shouldBe):
1966         (test):
1967         * stress/object-tostring-untyped.js: Added.
1968         (shouldBe):
1969         (test):
1970         (i.switch):
1971
1972 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1973
1974         test262-runner misbehaves when test file YAML has a trailing space
1975         https://bugs.webkit.org/show_bug.cgi?id=193053
1976
1977         Reviewed by Yusuke Suzuki.
1978
1979         * test262/expectations.yaml:
1980         Mark two dozen tests as passing (and correct the output of another).
1981
1982 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1983
1984         Unreviewed, JSTests gardening with memoryLimited
1985
1986         * stress/string-overflow-createError.js:
1987
1988 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1989
1990         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1991         https://bugs.webkit.org/show_bug.cgi?id=193050
1992
1993         Reviewed by Yusuke Suzuki.
1994
1995         * test262.yaml:
1996         * test262/expectations.yaml:
1997         Mark 16 tests as passing.
1998
1999 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2000
2001         [BigInt] Support BigInt in JSON.stringify
2002         https://bugs.webkit.org/show_bug.cgi?id=192624
2003
2004         Reviewed by Saam Barati.
2005
2006         * stress/big-int-json-stringify-to-json.js: Added.
2007         (shouldBe):
2008         (shouldThrow):
2009         (BigInt.prototype.toJSON):
2010         (shouldBe.JSON.stringify):
2011         * stress/big-int-json-stringify.js: Added.
2012         (shouldBe):
2013         (shouldThrow):
2014
2015 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2016
2017         [JSC] Implement "well-formed JSON.stringify" proposal
2018         https://bugs.webkit.org/show_bug.cgi?id=191677
2019
2020         Reviewed by Darin Adler.
2021
2022         * stress/json-surrogate-pair.js: Added.
2023         (shouldBe):
2024         * test262/expectations.yaml:
2025
2026 2018-12-20  Keith Miller  <keith_miller@apple.com>
2027
2028         Add support for globalThis
2029         https://bugs.webkit.org/show_bug.cgi?id=165171
2030
2031         Reviewed by Mark Lam.
2032
2033         * test262/config.yaml:
2034
2035 2018-12-19  Keith Miller  <keith_miller@apple.com>
2036
2037         Update test262 configuration to not run tests dependent on ICU version.
2038         https://bugs.webkit.org/show_bug.cgi?id=192920
2039
2040         Reviewed by Saam Barati.
2041
2042         * test262/expectations.yaml:
2043
2044 2018-12-20  Mark Lam  <mark.lam@apple.com>
2045
2046         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2047         https://bugs.webkit.org/show_bug.cgi?id=192939
2048         <rdar://problem/46869516>
2049
2050         Reviewed by Keith Miller.
2051
2052         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2053
2054 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2055
2056         WTF::String and StringImpl overflow MaxLength
2057         https://bugs.webkit.org/show_bug.cgi?id=192853
2058         <rdar://problem/45726906>
2059
2060         Reviewed by Mark Lam.
2061
2062         * stress/string-16bit-repeat-overflow.js: Added.
2063         (catch):
2064
2065 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2066
2067         Unreviewed follow-up to r192914.
2068
2069         * test262/expectations.yaml:
2070         Add the last 20 missing expectations.
2071
2072 2018-12-19  Keith Miller  <keith_miller@apple.com>
2073
2074         Fix test262 expectations
2075         https://bugs.webkit.org/show_bug.cgi?id=192914
2076
2077         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2078
2079         * test262/expectations.yaml:
2080
2081 2018-12-19  Keith Miller  <keith_miller@apple.com>
2082
2083         Update test262 tests.
2084         https://bugs.webkit.org/show_bug.cgi?id=192907
2085
2086         Rubber stamped by Mark Lam.
2087
2088         * test262/*: Omitted because prepare-changelog crashes.
2089
2090 2018-12-19  Mark Lam  <mark.lam@apple.com>
2091
2092         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2093         https://bugs.webkit.org/show_bug.cgi?id=192464
2094         <rdar://problem/46519455>
2095
2096         Reviewed by Saam Barati.
2097
2098         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2099         microbenchmark.
2100
2101         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2102         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2103
2104 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2105
2106         String overflow in JSC::createError results in ASSERT in WTF::makeString
2107         https://bugs.webkit.org/show_bug.cgi?id=192833
2108         <rdar://problem/45706868>
2109
2110         Reviewed by Mark Lam.
2111
2112         * stress/string-overflow-createError.js: Added.
2113
2114 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2115
2116         Error message for `-x ** y` contains a typo.
2117         https://bugs.webkit.org/show_bug.cgi?id=192832
2118
2119         Reviewed by Saam Barati.
2120
2121         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2122         (assert.assert.return.throws):
2123         * stress/pow-expects-update-expression-on-lhs.js:
2124         (throw.new.Error):
2125         Update test expectations which match against the exact error message.
2126
2127 2018-12-18  Mark Lam  <mark.lam@apple.com>
2128
2129         Gardening: test options fix.
2130         https://bugs.webkit.org/show_bug.cgi?id=192822
2131
2132         Unreviewed.
2133
2134         * stress/json-stringify-string-builder-overflow.js:
2135
2136 2018-12-18  Mark Lam  <mark.lam@apple.com>
2137
2138         JSON.stringify() should throw OOM on StringBuilder overflows.
2139         https://bugs.webkit.org/show_bug.cgi?id=192822
2140         <rdar://problem/46670577>
2141
2142         Reviewed by Saam Barati.
2143
2144         * stress/json-stringify-string-builder-overflow.js: Added.
2145
2146 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2147
2148         Redeclaration of var over let/const/class should be a syntax error.
2149         https://bugs.webkit.org/show_bug.cgi?id=192298
2150
2151         Reviewed by Keith Miller.
2152
2153         * test262.yaml:
2154         * test262/expectations.yaml:
2155         Mark 46 tests as passing.
2156
2157         * stress/block-scope-redeclarations.js:
2158         Add some new tests.
2159
2160         * stress/for-in-invalidate-context-weird-assignments.js:
2161         * stress/for-in-tests.js:
2162         Replace tests for outdated behavior with tests for SyntaxError.
2163
2164         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2165         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2166         Update expectations.
2167
2168 2018-12-18  Mark Lam  <mark.lam@apple.com>
2169
2170         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2171         https://bugs.webkit.org/show_bug.cgi?id=191374
2172         <rdar://problem/46525447>
2173
2174         Reviewed by Yusuke Suzuki.
2175
2176         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2177
2178         * stress/elidable-new-object-roflcopter-then-exit.js:
2179
2180 2018-12-17  Mark Lam  <mark.lam@apple.com>
2181
2182         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2183         https://bugs.webkit.org/show_bug.cgi?id=192019
2184         <rdar://problem/46525456>
2185
2186         Reviewed by Yusuke Suzuki.
2187
2188         The test runs too slow on 32-bit.
2189
2190         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2191
2192 2018-12-17  Mark Lam  <mark.lam@apple.com>
2193
2194         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2195         https://bugs.webkit.org/show_bug.cgi?id=191373
2196         <rdar://problem/46525458>
2197
2198         Reviewed by Yusuke Suzuki.
2199
2200         The test is already slow running with a JIT on 64-bit.  It will always timeout
2201         on 32-bit without a JIT.
2202
2203         * stress/materialize-regexp-cyclic-regexp.js:
2204
2205 2018-12-17  Mark Lam  <mark.lam@apple.com>
2206
2207         Array unshift/shift should not race against the AI in the compiler thread.
2208         https://bugs.webkit.org/show_bug.cgi?id=192795
2209         <rdar://problem/46724263>
2210
2211         Reviewed by Saam Barati.
2212
2213         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2214
2215 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2216
2217         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2218         https://bugs.webkit.org/show_bug.cgi?id=190047
2219
2220         Reviewed by Saam Barati.
2221
2222         * stress/object-keys-cached-zero.js: Added.
2223         (shouldBe):
2224         (test):
2225         * stress/object-keys-changed-attribute.js: Added.
2226         (shouldBe):
2227         (test):
2228         * stress/object-keys-changed-index.js: Added.
2229         (shouldBe):
2230         (test):
2231         * stress/object-keys-changed.js: Added.
2232         (shouldBe):
2233         (test):
2234         * stress/object-keys-indexed-non-cache.js: Added.
2235         (shouldBe):
2236         (test):
2237         * stress/object-keys-overrides-get-property-names.js: Added.
2238         (shouldBe):
2239         (test):
2240         (noInline):
2241
2242 2018-12-17  Mark Lam  <mark.lam@apple.com>
2243
2244         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2245         https://bugs.webkit.org/show_bug.cgi?id=192779
2246         <rdar://problem/46775869>
2247
2248         Reviewed by Saam Barati.
2249
2250         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2251
2252 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2253
2254         Unreviewed test gardening, address a syntax error in a new test.
2255
2256         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2257
2258 2018-12-17  Mark Lam  <mark.lam@apple.com>
2259
2260         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2261         https://bugs.webkit.org/show_bug.cgi?id=192776
2262         <rdar://problem/46772368>
2263
2264         Reviewed by Keith Miller.
2265
2266         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2267
2268 2018-12-17  Mark Lam  <mark.lam@apple.com>
2269
2270         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2271         https://bugs.webkit.org/show_bug.cgi?id=192770
2272         <rdar://problem/46449037>
2273
2274         Reviewed by Keith Miller.
2275
2276         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2277
2278 2018-12-14  Mark Lam  <mark.lam@apple.com>
2279
2280         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2281         https://bugs.webkit.org/show_bug.cgi?id=192717
2282         <rdar://problem/46660677>
2283
2284         Reviewed by Saam Barati.
2285
2286         * stress/regress-192717.js: Added.
2287
2288 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2289
2290         Unreviewed, rolling out r239153, r239154, and r239155.
2291         https://bugs.webkit.org/show_bug.cgi?id=192715
2292
2293         Caused flaky GC-related crashes seen with layout tests
2294         (Requested by ryanhaddad on #webkit).
2295
2296         Reverted changesets:
2297
2298         "[JSC] Optimize Object.keys by caching own keys results in
2299         StructureRareData"
2300         https://bugs.webkit.org/show_bug.cgi?id=190047
2301         https://trac.webkit.org/changeset/239153
2302
2303         "Unreviewed, build fix after r239153"
2304         https://bugs.webkit.org/show_bug.cgi?id=190047
2305         https://trac.webkit.org/changeset/239154
2306
2307         "Unreviewed, build fix after r239153, part 2"
2308         https://bugs.webkit.org/show_bug.cgi?id=190047
2309         https://trac.webkit.org/changeset/239155
2310
2311 2018-12-14  Keith Miller  <keith_miller@apple.com>
2312
2313         Callers of JSString::getIndex should check for OOM exceptions
2314         https://bugs.webkit.org/show_bug.cgi?id=192709
2315
2316         Reviewed by Mark Lam.
2317
2318         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2319
2320 2018-12-13  Mark Lam  <mark.lam@apple.com>
2321
2322         Add a missing exception check.
2323         https://bugs.webkit.org/show_bug.cgi?id=192626
2324         <rdar://problem/46662163>
2325
2326         Reviewed by Keith Miller.
2327
2328         * stress/regress-192626.js: Added.
2329
2330 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2331
2332         [BigInt] Add ValueDiv into DFG
2333         https://bugs.webkit.org/show_bug.cgi?id=186178
2334
2335         Reviewed by Yusuke Suzuki.
2336
2337         * stress/big-int-div-jit-osr.js: Added.
2338         * stress/big-int-div-jit-untyped.js: Added.
2339         * stress/value-div-fixup-int32-big-int.js: Added.
2340
2341 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2342
2343         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2344         https://bugs.webkit.org/show_bug.cgi?id=190047
2345
2346         Reviewed by Keith Miller.
2347
2348         * stress/object-keys-cached-zero.js: Added.
2349         (shouldBe):
2350         (test):
2351         * stress/object-keys-changed-attribute.js: Added.
2352         (shouldBe):
2353         (test):
2354         * stress/object-keys-changed-index.js: Added.
2355         (shouldBe):
2356         (test):
2357         * stress/object-keys-changed.js: Added.
2358         (shouldBe):
2359         (test):
2360         * stress/object-keys-indexed-non-cache.js: Added.
2361         (shouldBe):
2362         (test):
2363         * stress/object-keys-overrides-get-property-names.js: Added.
2364         (shouldBe):
2365         (test):
2366         (noInline):
2367
2368 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2369
2370         [DFG][FTL] Add NewSymbol
2371         https://bugs.webkit.org/show_bug.cgi?id=192620
2372
2373         Reviewed by Saam Barati.
2374
2375         * microbenchmarks/symbol-creation.js: Added.
2376         (test):
2377         * stress/symbol-description-identity.js: Added.
2378         (shouldBe):
2379         (test):
2380         * stress/symbol-identity.js: Added.
2381         (shouldBe):
2382         (test):
2383         * stress/symbol-with-description-throw-error.js: Added.
2384         (shouldBe):
2385         (shouldThrow):
2386         (test):
2387         (object.toString):
2388
2389 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2390
2391         [BigInt] Implement DFG/FTL typeof for BigInt
2392         https://bugs.webkit.org/show_bug.cgi?id=192619
2393
2394         Reviewed by Keith Miller.
2395
2396         * stress/big-int-boolean-proven-type.js: Added.
2397         (assert):
2398         (bool):
2399         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2400         (assert):
2401         (typeOf):
2402         (i.switch):
2403         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2404         (assert):
2405         (typeOf):
2406         * stress/big-int-type-of.js:
2407         (typeOf):
2408         (func):
2409
2410 2018-12-10  Mark Lam  <mark.lam@apple.com>
2411
2412         PropertyAttribute needs a CustomValue bit.
2413         https://bugs.webkit.org/show_bug.cgi?id=191993
2414         <rdar://problem/46264467>
2415
2416         Reviewed by Saam Barati.
2417
2418         * stress/regress-191993.js: Added.
2419
2420 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2421
2422         [BigInt] Add ValueMul into DFG
2423         https://bugs.webkit.org/show_bug.cgi?id=186175
2424
2425         Reviewed by Yusuke Suzuki.
2426
2427         * stress/big-int-mul-jit-osr.js: Added.
2428         * stress/big-int-mul-jit-untyped.js: Added.
2429         * stress/value-mul-fixup-int32-big-int.js: Added.
2430
2431 2018-12-06  Keith Miller  <keith_miller@apple.com>
2432
2433         stress/big-wasm-memory tests failing on 32-bit JSC bot
2434         https://bugs.webkit.org/show_bug.cgi?id=192020
2435
2436         Reviewed by Saam Barati.
2437
2438         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2439         the wasm stress tests if the WebAssembly object does not exist.
2440
2441         * stress/big-wasm-memory-grow-no-max.js:
2442         (test.foo):
2443         (test):
2444         (foo): Deleted.
2445         (catch): Deleted.
2446         * stress/big-wasm-memory-grow.js:
2447         (test.foo):
2448         (test):
2449         (foo): Deleted.
2450         (catch): Deleted.
2451         * stress/big-wasm-memory.js:
2452         (test.foo):
2453         (test):
2454         (foo): Deleted.
2455         (catch): Deleted.
2456
2457 2018-12-05  Mark Lam  <mark.lam@apple.com>
2458
2459         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2460         https://bugs.webkit.org/show_bug.cgi?id=192441
2461         <rdar://problem/46480355>
2462
2463         Reviewed by Saam Barati.
2464
2465         * stress/regress-192441.js: Added.
2466
2467 2018-12-04  Mark Lam  <mark.lam@apple.com>
2468
2469         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2470         https://bugs.webkit.org/show_bug.cgi?id=192386
2471         <rdar://problem/46445516>
2472
2473         Reviewed by Saam Barati.
2474
2475         * stress/regress-192386.js: Added.
2476
2477 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2478
2479         [ESNext][BigInt] Support logic operations
2480         https://bugs.webkit.org/show_bug.cgi?id=179903
2481
2482         Reviewed by Yusuke Suzuki.
2483
2484         * stress/big-int-branch-usage.js: Added.
2485         * stress/big-int-logical-and.js: Added.
2486         * stress/big-int-logical-not.js: Added.
2487         * stress/big-int-logical-or.js: Added.
2488
2489 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2490
2491         Unreviewed, rolling out r238833.
2492
2493         Breaks macOS and iOS debug builds.
2494
2495         Reverted changeset:
2496
2497         "[ESNext][BigInt] Support logic operations"
2498         https://bugs.webkit.org/show_bug.cgi?id=179903
2499         https://trac.webkit.org/changeset/238833
2500
2501 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2502
2503         [ESNext][BigInt] Support logic operations
2504         https://bugs.webkit.org/show_bug.cgi?id=179903
2505
2506         Reviewed by Yusuke Suzuki.
2507
2508         * stress/big-int-branch-usage.js: Added.
2509         * stress/big-int-logical-and.js: Added.
2510         * stress/big-int-logical-not.js: Added.
2511         * stress/big-int-logical-or.js: Added.
2512
2513 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2514
2515         [ESNext][BigInt] Implement support for "<<" and ">>"
2516         https://bugs.webkit.org/show_bug.cgi?id=186233
2517
2518         Reviewed by Yusuke Suzuki.
2519
2520         * stress/big-int-left-shift-general.js: Added.
2521         * stress/big-int-left-shift-range-error.js: Added.
2522         * stress/big-int-left-shift-type-error.js: Added.
2523         * stress/big-int-left-shift-wrapped-value.js: Added.
2524         * stress/big-int-right-shift-general.js: Added.
2525         * stress/big-int-right-shift-type-error.js: Added.
2526         * stress/big-int-right-shift-wrapped-value.js: Added.
2527         * stress/left-shift-to-primitive-precedence.js: Added.
2528         * stress/right-shift-to-primitive-precedence.js: Added.
2529
2530 2018-11-30  Dean Jackson  <dino@apple.com>
2531
2532         Add first-class support for .mjs files in jsc binary
2533         https://bugs.webkit.org/show_bug.cgi?id=192190
2534         <rdar://problem/46375715>
2535
2536         Reviewed by Keith Miller.
2537
2538         * stress/simple-module.mjs: Added.
2539         * stress/simple-script.js: Added.
2540
2541 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2542
2543         [BigInt] Implement ValueBitXor into DFG
2544         https://bugs.webkit.org/show_bug.cgi?id=190264
2545
2546         Reviewed by Yusuke Suzuki.
2547
2548         * stress/big-int-bitwise-xor-jit.js: Added.
2549         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2550         * stress/big-int-bitwise-xor-untyped.js: Added.
2551
2552 2018-11-27  Saam barati  <sbarati@apple.com>
2553
2554         r238510 broke scopes of size zero
2555         https://bugs.webkit.org/show_bug.cgi?id=192033
2556         <rdar://problem/46281734>
2557
2558         Reviewed by Keith Miller.
2559
2560         * stress/r238510-bad-loop.js: Added.
2561         (foo):
2562
2563 2018-11-27  Mark Lam  <mark.lam@apple.com>
2564
2565         [Re-landing] NaNs read from Wasm code needs to be be purified.
2566         https://bugs.webkit.org/show_bug.cgi?id=191056
2567         <rdar://problem/45660341>
2568
2569         Reviewed by Filip Pizlo.
2570
2571         * wasm/regress/regress-191056.js: Added.
2572
2573 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2574
2575         Unreviewed, rolling out r238509.
2576
2577         Causes JSC tests to fail on iOS.
2578
2579         Reverted changeset:
2580
2581         "NaNs read from Wasm code needs to be be purified."
2582         https://bugs.webkit.org/show_bug.cgi?id=191056
2583         https://trac.webkit.org/changeset/238509
2584
2585 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2586
2587         Re-introduce op_bitnot
2588         https://bugs.webkit.org/show_bug.cgi?id=190923
2589
2590         Reviewed by Yusuke Suzuki.
2591
2592         * stress/bit-not-must-generate.js: Added.
2593         * stress/bitwise-not-no-int32.js: Added.
2594
2595 2018-11-26  Saam barati  <sbarati@apple.com>
2596
2597         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2598         https://bugs.webkit.org/show_bug.cgi?id=191956
2599         <rdar://problem/45665806>
2600
2601         Reviewed by Yusuke Suzuki.
2602
2603         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2604         (bar):
2605         (foo):
2606
2607 2018-11-26  Saam barati  <sbarati@apple.com>
2608
2609         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2610         https://bugs.webkit.org/show_bug.cgi?id=191958
2611         <rdar://problem/46221877>
2612
2613         Reviewed by Yusuke Suzuki.
2614
2615         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2616         (x):
2617         (foo):
2618
2619 2018-11-26  Mark Lam  <mark.lam@apple.com>
2620
2621         NaNs read from Wasm code needs to be be purified.
2622         https://bugs.webkit.org/show_bug.cgi?id=191056
2623         <rdar://problem/45660341>
2624
2625         Reviewed by Filip Pizlo.
2626
2627         * wasm/regress/regress-191056.js: Added.
2628
2629 2018-11-26  Michael Saboff  <msaboff@apple.com>
2630
2631         32-bit JSC test failure: stress/regexp-compile-oom.js
2632         https://bugs.webkit.org/show_bug.cgi?id=191375
2633
2634         Reviewed by Mark Lam.
2635
2636         Disabled the test for 32 bit platforms.
2637
2638         * stress/regexp-compile-oom.js:
2639
2640 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2641
2642         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2643         https://bugs.webkit.org/show_bug.cgi?id=191716
2644         <rdar://problem/45723878>
2645
2646         Reviewed by Saam Barati.
2647
2648         * stress/regress-187373.js: Added.
2649         (async.fn):
2650
2651 2018-11-21  Saam barati  <sbarati@apple.com>
2652
2653         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2654         https://bugs.webkit.org/show_bug.cgi?id=191897
2655         <rdar://problem/45871998>
2656
2657         Reviewed by Mark Lam.
2658
2659         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2660         (bar):
2661         (foo):
2662
2663 2018-11-21  Saam barati  <sbarati@apple.com>
2664
2665         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2666         https://bugs.webkit.org/show_bug.cgi?id=191895
2667         <rdar://problem/46167406>
2668
2669         Reviewed by Mark Lam.
2670
2671         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2672         (foo):
2673         (bar):
2674
2675 2018-11-21  Mark Lam  <mark.lam@apple.com>
2676
2677         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2678         https://bugs.webkit.org/show_bug.cgi?id=191776
2679         <rdar://problem/46152851>
2680
2681         Reviewed by Saam Barati.
2682
2683         * stress/big-wasm-memory-grow-no-max.js:
2684         * stress/big-wasm-memory-grow.js:
2685         * stress/big-wasm-memory.js:
2686         - updated these to expect an OutOfMemoryError.
2687
2688         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2689         (Binary.prototype.emit_u8):
2690         (Binary.prototype.emit_u32v):
2691         (Binary.prototype.emit_header):
2692         (Binary.prototype.emit_section):
2693         (Binary):
2694         (WasmModuleBuilder):
2695         (WasmModuleBuilder.prototype.addMemory):
2696         (WasmModuleBuilder.prototype.toArray):
2697         (WasmModuleBuilder.prototype.toBuffer):
2698         (WasmModuleBuilder.prototype.instantiate):
2699         (catch):
2700         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2701         (catch):
2702
2703 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2704
2705         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2706         https://bugs.webkit.org/show_bug.cgi?id=190836
2707
2708         Reviewed by Saam Barati and Yusuke Suzuki.
2709
2710         * stress/big-int-out-of-memory-tests.js: Added.
2711
2712 2018-11-20  Mark Lam  <mark.lam@apple.com>
2713
2714         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2715         https://bugs.webkit.org/show_bug.cgi?id=191856
2716         <rdar://problem/46089992>
2717
2718         Reviewed by Yusuke Suzuki.
2719
2720         * stress/regress-191856.js: Added.
2721         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2722
2723 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2724
2725         Enable JIT on ARM/Linux
2726         https://bugs.webkit.org/show_bug.cgi?id=191548
2727
2728         Reviewed by Yusuke Suzuki.
2729
2730         Disable test on system with limited memory. Program was killed by
2731         the OS before the exception was thrown.
2732
2733         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2734
2735 2018-11-20  Saam barati  <sbarati@apple.com>
2736
2737         Merging an IC variant may lead to the IC status containing overlapping structure sets
2738         https://bugs.webkit.org/show_bug.cgi?id=191869
2739         <rdar://problem/45403453>
2740
2741         Reviewed by Mark Lam.
2742
2743         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2744
2745 2018-11-19  Mark Lam  <mark.lam@apple.com>
2746
2747         globalFuncImportModule() should return a promise when it clears exceptions.
2748         https://bugs.webkit.org/show_bug.cgi?id=191792
2749         <rdar://problem/46090763>
2750
2751         Reviewed by Michael Saboff.
2752
2753         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2754
2755 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2756
2757         Skip new memory-hungry tests on memory limited devices
2758
2759         Unreviewed gardening.
2760
2761         * stress/big-wasm-memory-grow-no-max.js:
2762         * stress/big-wasm-memory-grow.js:
2763         * stress/big-wasm-memory.js:
2764
2765 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2766
2767         Unreviewed, rolling in the rest of r237254
2768         https://bugs.webkit.org/show_bug.cgi?id=190340
2769
2770         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2771         * stress/function-cache-with-parameters-end-position.js: Added.
2772         (shouldBe):
2773         (shouldThrow):
2774         (i.anonymous):
2775         * stress/function-constructor-name.js: Added.
2776         (shouldBe):
2777         (GeneratorFunction):
2778         (AsyncFunction.async):
2779         (AsyncGeneratorFunction.async):
2780         (anonymous):
2781         (async.anonymous):
2782         * test262/expectations.yaml:
2783
2784 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2785
2786         All users of ArrayBuffer should agree on the same max size
2787         https://bugs.webkit.org/show_bug.cgi?id=191771
2788
2789         Reviewed by Mark Lam.
2790
2791         * stress/big-wasm-memory-grow-no-max.js: Added.
2792         (foo):
2793         (catch):
2794         * stress/big-wasm-memory-grow.js: Added.
2795         (foo):
2796         (catch):
2797         * stress/big-wasm-memory.js: Added.
2798         (foo):
2799         (catch):
2800
2801 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2802
2803         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2804         run for each JSC config since they're regression tests for runtime bugs.
2805
2806         * stress/json-stringified-overflow-2.js:
2807         * stress/json-stringified-overflow.js:
2808
2809 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2810
2811         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2812         config since they're regression tests for runtime bugs.
2813
2814         * stress/large-unshift-splice.js:
2815         * stress/regress-185888.js:
2816
2817 2018-11-16  Saam Barati  <sbarati@apple.com>
2818
2819         KnownCellUse should also have SpecCellCheck as its type filter
2820         https://bugs.webkit.org/show_bug.cgi?id=191729
2821         <rdar://problem/45872852>
2822
2823         Reviewed by Filip Pizlo.
2824
2825         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2826         (C):
2827
2828 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2829
2830         Fix assertion failure on BytecodeGenerator::recordOpcode
2831         https://bugs.webkit.org/show_bug.cgi?id=191724
2832         <rdar://problem/45724395>
2833
2834         Reviewed by Saam Barati.
2835
2836         * stress/regress-187373-2.js: Added.
2837         (foo):
2838
2839 2018-11-15  Mark Lam  <mark.lam@apple.com>
2840
2841         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2842         https://bugs.webkit.org/show_bug.cgi?id=191730
2843         <rdar://problem/46048517>
2844
2845         Reviewed by Saam Barati.
2846
2847         * stress/regress-187006.js: Removed.
2848           - this test is invalid because its sole purpose is to test for the non-spec
2849             compliant behavior that we just fixed.
2850
2851         * stress/regress-191730.js: Added.
2852
2853 2018-11-15  Mark Lam  <mark.lam@apple.com>
2854
2855         RegExp operations should not take fast patch if lastIndex is not numeric.
2856         https://bugs.webkit.org/show_bug.cgi?id=191731
2857         <rdar://problem/46017305>
2858
2859         Reviewed by Saam Barati.
2860
2861         * stress/regress-191731.js: Added.
2862
2863 2018-11-13  Saam Barati  <sbarati@apple.com>
2864
2865         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2866         https://bugs.webkit.org/show_bug.cgi?id=191600
2867
2868         Reviewed by Mark Lam.
2869
2870         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2871         (foo):
2872         (test):
2873         (bar):
2874
2875 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2876
2877         Unreviewed, rolling out r238132.
2878
2879         The test added with this change is timing out on Debug JSC
2880         bots.
2881
2882         Reverted changeset:
2883
2884         "[BigInt] JSBigInt::createWithLength should throw when length
2885         is greater than JSBigInt::maxLength"
2886         https://bugs.webkit.org/show_bug.cgi?id=190836
2887         https://trac.webkit.org/changeset/238132
2888
2889 2018-11-13  Mark Lam  <mark.lam@apple.com>
2890
2891         Add OOM detection to StringPrototype's substituteBackreferences().
2892         https://bugs.webkit.org/show_bug.cgi?id=191563
2893         <rdar://problem/45720428>
2894
2895         Reviewed by Saam Barati.
2896
2897         * stress/regress-191563.js: Added.
2898
2899 2018-11-13  Mark Lam  <mark.lam@apple.com>
2900
2901         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2902         https://bugs.webkit.org/show_bug.cgi?id=191579
2903         <rdar://problem/45942472>
2904
2905         Reviewed by Saam Barati.
2906
2907         * stress/regress-191579.js: Added.
2908
2909 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2910
2911         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2912         https://bugs.webkit.org/show_bug.cgi?id=190836
2913
2914         Reviewed by Saam Barati.
2915
2916         * stress/big-int-out-of-memory-tests.js: Added.
2917
2918 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2919
2920         U+180E is no longer a whitespace character
2921         https://bugs.webkit.org/show_bug.cgi?id=191415
2922
2923         Reviewed by Saam Barati.
2924
2925         * ChakraCore/test/es5/regexSpace.baseline:
2926         * ChakraCore/test/es6/unicode_whitespace.js:
2927         Update tests to latest version.
2928         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2929
2930         * test262.yaml:
2931         * test262/config.yaml:
2932         * test262/expectations.yaml:
2933         Update expectations.
2934
2935 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2936
2937         [BigInt] Add support to BigInt into ValueAdd
2938         https://bugs.webkit.org/show_bug.cgi?id=186177
2939
2940         Reviewed by Keith Miller.
2941
2942         * stress/big-int-negate-jit.js:
2943         * stress/value-add-big-int-and-string.js: Added.
2944         * stress/value-add-big-int-prediction-propagation.js: Added.
2945         * stress/value-add-big-int-untyped.js: Added.
2946
2947 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2948
2949         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2950         https://bugs.webkit.org/show_bug.cgi?id=191184
2951
2952         Reviewed by Saam Barati.
2953
2954         Most tests were failing due to timeouts, since they are too slow to
2955         run on CLoop. The exceptions are:
2956
2957         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2958         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2959         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2960         to change the stack size since CLoop requires it to be page aligned.
2961
2962         * microbenchmarks/array-push-1.js:
2963         * microbenchmarks/array-push-2.js:
2964         * microbenchmarks/elidable-new-object-dag.js:
2965         * microbenchmarks/elidable-new-object-roflcopter.js:
2966         * microbenchmarks/elidable-new-object-tree.js:
2967         * microbenchmarks/getter-richards.js:
2968         * microbenchmarks/sinkable-new-object-dag.js:
2969         * microbenchmarks/string-concat-long-convert.js:
2970         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2971         * slowMicrobenchmarks/array-push-3.js:
2972         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2973         * slowMicrobenchmarks/spread-small-array.js:
2974         * slowMicrobenchmarks/undefined-property-access.js:
2975         * stress/activation-sink-default-value-tdz-error.js:
2976         * stress/activation-sink-default-value.js:
2977         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2978         * stress/activation-sink-osrexit-default-value.js:
2979         * stress/activation-sink-osrexit.js:
2980         * stress/activation-sink.js:
2981         * stress/allow-math-ic-b3-code-duplication.js:
2982         * stress/array-push-multiple-int32.js:
2983         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2984         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2985         * stress/arrowfunction-lexical-this-activation-sink.js:
2986         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2987         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2988         * stress/elide-new-object-dag-then-exit.js:
2989         * stress/materialize-regexp-cyclic.js:
2990         * stress/new-regex-inline.js:
2991         * stress/op_add.js:
2992         * stress/op_bitand.js:
2993         * stress/op_bitor.js:
2994         * stress/op_bitxor.js:
2995         * stress/op_div-ConstVar.js:
2996         * stress/op_div-VarConst.js:
2997         * stress/op_div-VarVar.js:
2998         * stress/op_lshift-ConstVar.js:
2999         * stress/op_lshift-VarConst.js:
3000         * stress/op_lshift-VarVar.js:
3001         * stress/op_mod-ConstVar.js:
3002         * stress/op_mod-VarConst.js:
3003         * stress/op_mod-VarVar.js:
3004         * stress/op_mul-ConstVar.js:
3005         * stress/op_mul-VarConst.js:
3006         * stress/op_mul-VarVar.js:
3007         * stress/op_rshift-ConstVar.js:
3008         * stress/op_rshift-VarConst.js:
3009         * stress/op_rshift-VarVar.js:
3010         * stress/op_sub-ConstVar.js:
3011         * stress/op_sub-VarConst.js:
3012         * stress/op_sub-VarVar.js:
3013         * stress/op_urshift-ConstVar.js:
3014         * stress/op_urshift-VarConst.js:
3015         * stress/op_urshift-VarVar.js:
3016         * stress/proxy-get-set-correct-receiver.js:
3017         * stress/regress-179562.js:
3018         * stress/rest-parameter-many-arguments.js:
3019         * stress/sampling-profiler-richards.js:
3020         * stress/splay-flash-access-1ms.js:
3021         * stress/tailCallForwardArguments.js:
3022         * stress/typed-array-get-by-val-profiling.js:
3023         * typeProfiler/getter-richards.js:
3024
3025 2018-11-06  Michael Saboff  <msaboff@apple.com>
3026
3027         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3028         https://bugs.webkit.org/show_bug.cgi?id=191271
3029
3030         Reviewed by Saam Barati.
3031
3032         Added more test cases and made all test cases run with the same deeply recursive stack
3033         instead of finding that same point for each test case.
3034
3035         * stress/regexp-compile-oom.js:
3036         (prototype.runTest):
3037         (recurseAndTest):
3038         (testList.push.new.TestAndExpectedException):
3039
3040 2018-11-05  Michael Saboff  <msaboff@apple.com>
3041
3042         Unreviewed build fix for linux.
3043
3044         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3045
3046 2018-11-02  Michael Saboff  <msaboff@apple.com>
3047
3048         Rolling in r237753 with unreviewed build fix.
3049
3050         Fixed issues with DECLARE_THROW_SCOPE placement.
3051
3052 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3053
3054         Unreviewed, rolling out r237753.
3055
3056         Introduced JSC test failures
3057
3058         Reverted changeset:
3059
3060         "Running out of stack space not properly handled in
3061         RegExp::compile() and its callers"
3062         https://bugs.webkit.org/show_bug.cgi?id=191206
3063         https://trac.webkit.org/changeset/237753
3064
3065 2018-11-02  Michael Saboff  <msaboff@apple.com>
3066
3067         Running out of stack space not properly handled in RegExp::compile() and its callers
3068         https://bugs.webkit.org/show_bug.cgi?id=191206
3069
3070         Reviewed by Filip Pizlo.
3071
3072         New regression test.
3073
3074         * stress/regexp-compile-oom.js: Added.
3075         (recurseAndTest):
3076
3077 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3078
3079         Skip tests on arm/mips that time out now we're running on CLoop
3080
3081         Unreviewed gardening.
3082
3083         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3084         time out on the bots and need to be disabled. There's more tests
3085         disabled on arm because the timeout is longer on the mips bot (as the
3086         device is slower to start with), so many of the tests don't time out
3087         there.
3088
3089         * microbenchmarks/getter-richards.js: disable on arm and mips.
3090         * stress/op_add.js: disable on arm.
3091         * stress/op_bitand.js: disable on arm.
3092         * stress/op_bitor.js: disable on arm.
3093         * stress/op_bitxor.js: disable on arm.
3094         * stress/op_lshift-ConstVar.js: disable on arm.
3095         * stress/op_lshift-VarConst.js: disable on arm.
3096         * stress/op_lshift-VarVar.js: disable on arm.
3097         * stress/op_mod-ConstVar.js: disable on arm.
3098         * stress/op_mod-VarConst.js: disable on arm.
3099         * stress/op_mod-VarVar.js: disable on arm.
3100         * stress/op_mul-ConstVar.js: disable on arm.
3101         * stress/op_mul-VarConst.js: disable on arm.
3102         * stress/op_mul-VarVar.js: disable on arm.
3103         * stress/op_rshift-ConstVar.js: disable on arm.
3104         * stress/op_rshift-VarConst.js: disable on arm.
3105         * stress/op_rshift-VarVar.js: disable on arm.
3106         * stress/op_sub-ConstVar.js: disable on arm.
3107         * stress/op_sub-VarConst.js: disable on arm.
3108         * stress/op_sub-VarVar.js: disable on arm.
3109         * stress/op_urshift-ConstVar.js: disable on arm.
3110         * stress/op_urshift-VarConst.js: disable on arm.
3111         * stress/op_urshift-VarVar.js: disable on arm.
3112         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3113         * stress/value-to-boolean.js: disable on arm and mips.
3114
3115 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3116
3117         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3118         https://bugs.webkit.org/show_bug.cgi?id=191108
3119         <rdar://problem/45690700>
3120
3121         Reviewed by Saam Barati.
3122
3123         * stress/wide-op_catch.js: Added.
3124         (catch):
3125
3126 2018-10-29  Mark Lam  <mark.lam@apple.com>
3127
3128         Correctly detect string overflow when using the 'Function' constructor.
3129         https://bugs.webkit.org/show_bug.cgi?id=184883
3130         <rdar://problem/36320331>
3131
3132         Reviewed by Saam Barati.
3133
3134         I've verified that this passes on 32-bit as well.
3135
3136         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3137
3138 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3139
3140         Add support for GetStack FlushedDouble
3141         https://bugs.webkit.org/show_bug.cgi?id=191012
3142         <rdar://problem/45265141>
3143
3144         Reviewed by Saam Barati.
3145
3146         * stress/get-stack-double.js: Added.
3147         (bar):
3148         (noInline):
3149
3150 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3151
3152         New bytecode format for JSC
3153         https://bugs.webkit.org/show_bug.cgi?id=187373
3154         <rdar://problem/44186758>
3155
3156         Reviewed by Filip Pizlo.
3157
3158         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3159
3160         * stress/maximum-inline-capacity.js: Added.
3161         (test1):
3162         (test3.Foo):
3163         (test3):
3164
3165 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3166
3167         Unreviewed, rolling out r237479 and r237484.
3168         https://bugs.webkit.org/show_bug.cgi?id=190978
3169
3170         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3171
3172         Reverted changesets:
3173
3174         "New bytecode format for JSC"
3175         https://bugs.webkit.org/show_bug.cgi?id=187373
3176         https://trac.webkit.org/changeset/237479
3177
3178         "Gardening: Build fix after r237479."
3179         https://bugs.webkit.org/show_bug.cgi?id=187373
3180         https://trac.webkit.org/changeset/237484
3181
3182 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3183
3184         New bytecode format for JSC
3185         https://bugs.webkit.org/show_bug.cgi?id=187373
3186         <rdar://problem/44186758>
3187
3188         Reviewed by Filip Pizlo.
3189
3190         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3191
3192         * stress/maximum-inline-capacity.js: Added.
3193         (test1):
3194         (test3.Foo):
3195         (test3):
3196
3197 2018-10-26  Mark Lam  <mark.lam@apple.com>
3198
3199         Fix missing edge cases with JSGlobalObjects having a bad time.
3200         https://bugs.webkit.org/show_bug.cgi?id=189028
3201         <rdar://problem/45204939>
3202
3203         Reviewed by Saam Barati.
3204
3205         * stress/regress-189028.js: Added.
3206
3207 2018-10-22  Mark Lam  <mark.lam@apple.com>
3208
3209         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3210         https://bugs.webkit.org/show_bug.cgi?id=190515
3211         <rdar://problem/45222379>
3212
3213         Rubber-stamped by Saam Barati.
3214
3215         Adding another test.
3216
3217         * stress/regress-190515-2.js: Added.
3218
3219 2018-10-22  Mark Lam  <mark.lam@apple.com>
3220
3221         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3222         https://bugs.webkit.org/show_bug.cgi?id=190515
3223         <rdar://problem/45222379>
3224
3225         Reviewed by Saam Barati.
3226
3227         * stress/regress-190515.js: Added.
3228
3229 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3230
3231         Unreviewed, rolling out r237254.
3232         https://bugs.webkit.org/show_bug.cgi?id=190760
3233
3234         "It regresses JetStream 2 by 5% on some iOS devices"
3235         (Requested by saamyjoon on #webkit).
3236
3237         Reverted changeset:
3238
3239         "[JSC] JSC should have "parseFunction" to optimize Function
3240         constructor"
3241         https://bugs.webkit.org/show_bug.cgi?id=190340
3242         https://trac.webkit.org/changeset/237254
3243
3244 2018-10-19  Saam Barati  <sbarati@apple.com>
3245
3246         vmCall should check if we exit before emitting an OSR exit due to exceptions
3247         https://bugs.webkit.org/show_bug.cgi?id=190740
3248         <rdar://problem/45220139>
3249
3250         Reviewed by Mark Lam.
3251
3252         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3253         (foo):
3254
3255 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3256
3257         [ESNext][BigInt] Implement support for "^"
3258         https://bugs.webkit.org/show_bug.cgi?id=186235
3259
3260         Reviewed by Yusuke Suzuki.
3261
3262         * stress/big-int-bitwise-xor-general.js: Added.
3263         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3264         * stress/big-int-bitwise-xor-type-error.js: Added.
3265         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3266
3267 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3268
3269         [BigInt] Add ValueSub into DFG
3270         https://bugs.webkit.org/show_bug.cgi?id=186176
3271
3272         Reviewed by Yusuke Suzuki.
3273
3274         * stress/big-int-subtraction-jit.js:
3275         * stress/value-sub-big-int-prediction-propagation.js: Added.
3276         * stress/value-sub-big-int-untyped.js: Added.
3277         * stress/value-sub-spec-none-case.js: Added.
3278
3279 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3280
3281         [JSC] JSC should have "parseFunction" to optimize Function constructor
3282         https://bugs.webkit.org/show_bug.cgi?id=190340
3283
3284         Reviewed by Mark Lam.
3285
3286         This patch fixes the line number of syntax errors raised by the Function constructor,
3287         since we now parse the final code only once. And we no longer use block statement
3288         for Function constructor's parsing.
3289
3290         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3291         * stress/function-cache-with-parameters-end-position.js: Added.
3292         (shouldBe):
3293         (shouldThrow):
3294         (i.anonymous):
3295         * stress/function-constructor-name.js: Added.
3296         (shouldBe):
3297         (GeneratorFunction):
3298         (AsyncFunction.async):
3299         (AsyncGeneratorFunction.async):
3300         (anonymous):
3301         (async.anonymous):
3302         * test262/expectations.yaml:
3303
3304 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3305
3306         Unreviewed, rolling out r237242.
3307         https://bugs.webkit.org/show_bug.cgi?id=190701
3308
3309         it breaks "stress/sampling-profiler-basic.js" (Requested by
3310         caiolima on #webkit).
3311
3312         Reverted changeset:
3313
3314         "[BigInt] Add ValueSub into DFG"
3315         https://bugs.webkit.org/show_bug.cgi?id=186176
3316         https://trac.webkit.org/changeset/237242
3317
3318 2018-10-17  Keith Miller  <keith_miller@apple.com>
3319
3320         AI does not clear Phantom allocation nodes.
3321         https://bugs.webkit.org/show_bug.cgi?id=190694
3322
3323         Reviewed by Saam Barati.
3324
3325         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3326         (Day):
3327         (DaysInYear):
3328         (TimeInYear):
3329         (TimeFromYear):
3330         (DayFromYear):
3331         (InLeapYear):
3332         (YearFromTime):
3333         (WeekDay):
3334         (DaylightSavingTA):
3335         (GetSecondSundayInMarch):
3336         (TimeInMonth):
3337
3338 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3339
3340         [BigInt] Add ValueSub into DFG
3341         https://bugs.webkit.org/show_bug.cgi?id=186176
3342
3343         Reviewed by Yusuke Suzuki.
3344
3345         * stress/big-int-subtraction-jit.js:
3346         * stress/value-sub-big-int-prediction-propagation.js: Added.
3347         * stress/value-sub-big-int-untyped.js: Added.
3348
3349 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3350
3351         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3352         https://bugs.webkit.org/show_bug.cgi?id=190611
3353
3354         Reviewed by Saam Barati.
3355
3356         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3357         to improve test runtime. On ARM/MIPS this test even timed out when running all
3358         tests.
3359
3360         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3361         (test):
3362
3363 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3364
3365         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3366
3367         Unreviewed gardening.
3368
3369         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3370
3371 2018-10-15  Saam barati  <sbarati@apple.com>
3372
3373         Emit fjcvtzs on ARM64E on Darwin
3374         https://bugs.webkit.org/show_bug.cgi?id=184023
3375
3376         Reviewed by Yusuke Suzuki and Filip Pizlo.
3377
3378         * stress/double-to-int32-NaN.js: Added.
3379         (assert):
3380         (foo):
3381
3382 2018-10-15  Saam Barati  <sbarati@apple.com>
3383
3384         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3385         https://bugs.webkit.org/show_bug.cgi?id=190262
3386         <rdar://problem/44986241>
3387
3388         Reviewed by Mark Lam.
3389
3390         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3391         (test):
3392         * stress/slice-array-storage-with-holes.js: Added.
3393         (main):
3394
3395 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3396
3397         Unreviewed, rolling out r237054.
3398         https://bugs.webkit.org/show_bug.cgi?id=190593
3399
3400         "this regressed JetStream 2 by 6% on iOS" (Requested by
3401         saamyjoon on #webkit).
3402
3403         Reverted changeset:
3404
3405         "[JSC] JSC should have "parseFunction" to optimize Function
3406         constructor"
3407         https://bugs.webkit.org/show_bug.cgi?id=190340
3408         https://trac.webkit.org/changeset/237054
3409
3410 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3411
3412         [JSC] JSON.stringify can accept call-with-no-arguments
3413         https://bugs.webkit.org/show_bug.cgi?id=190343
3414
3415         Reviewed by Mark Lam.
3416
3417         * stress/json-stringify-no-arguments.js: Added.
3418         (shouldBe):
3419
3420 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3421
3422         [JSC] JSC should have "parseFunction" to optimize Function constructor
3423         https://bugs.webkit.org/show_bug.cgi?id=190340
3424
3425         Reviewed by Mark Lam.
3426
3427         This patch fixes the line number of syntax errors raised by the Function constructor,
3428         since we now parse the final code only once. And we no longer use block statement
3429         for Function constructor's parsing.
3430
3431         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3432         * stress/function-cache-with-parameters-end-position.js: Added.
3433         (shouldBe):
3434         (shouldThrow):
3435         (i.anonymous):
3436         * stress/function-constructor-name.js: Added.
3437         (shouldBe):
3438         (GeneratorFunction):
3439         (AsyncFunction.async):
3440         (AsyncGeneratorFunction.async):
3441         (anonymous):
3442         (async.anonymous):
3443         * test262/expectations.yaml:
3444
3445 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3446
3447         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3448         https://bugs.webkit.org/show_bug.cgi?id=190426
3449
3450         Unreviewed gardening.
3451
3452         * stress/sampling-profiler-richards.js:
3453
3454 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3455
3456         [ESNext][BigInt] Implement support for "|"
3457         https://bugs.webkit.org/show_bug.cgi?id=186229
3458
3459         Reviewed by Yusuke Suzuki.
3460
3461         * stress/big-int-bitwise-and-jit.js:
3462         * stress/big-int-bitwise-or-general.js: Added.
3463         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3464         * stress/big-int-bitwise-or-jit.js: Added.
3465         * stress/big-int-bitwise-or-memory-stress.js: Added.
3466         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3467         * stress/big-int-bitwise-or-type-error.js: Added.
3468         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3469
3470 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3471
3472         Skip test on systems with limited memory
3473         https://bugs.webkit.org/show_bug.cgi?id=190310
3474
3475         Invoking runDefault adds test to runlist, skipping the test in the next
3476         line does not prevent the test from executing. Change order of lines such
3477         that runDefault is only executed if test is not executed.
3478
3479         Reviewed by Mark Lam.
3480
3481         * stress/regress-190187.js:
3482
3483 2018-10-03  Saam barati  <sbarati@apple.com>
3484
3485         lowXYZ in FTLLower should always filter the type of the incoming edge
3486         https://bugs.webkit.org/show_bug.cgi?id=189939
3487         <rdar://problem/44407030>
3488
3489         Reviewed by Michael Saboff.
3490
3491         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3492         (foo):
3493         (test):
3494
3495 2018-10-03  Mark Lam  <mark.lam@apple.com>
3496
3497         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3498         https://bugs.webkit.org/show_bug.cgi?id=190187
3499         <rdar://problem/42512909>
3500
3501         Reviewed by Michael Saboff.
3502
3503         * stress/regress-190187.js: Added.
3504
3505 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3506
3507         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3508         https://bugs.webkit.org/show_bug.cgi?id=190033
3509
3510         Reviewed by Yusuke Suzuki.
3511
3512         * stress/big-int-to-string.js:
3513
3514 2018-10-01  Mark Lam  <mark.lam@apple.com>
3515
3516         Function.toString() should also copy the source code Functions that are class definitions.
3517         https://bugs.webkit.org/show_bug.cgi?id=190186
3518         <rdar://problem/44733360>
3519
3520         Reviewed by Saam Barati.
3521
3522         * stress/regress-190186.js: Added.
3523
3524 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3525
3526         Split NaN-check into separate test
3527         https://bugs.webkit.org/show_bug.cgi?id=190010
3528
3529         Reviewed by Saam Barati.
3530
3531         DataView exposes NaN-representation, which is not necessarily the same on each
3532         architecture. Therefore move the check of the NaN-representation into its own
3533         file such that we can disable this test on MIPS where NaN-representation can be
3534         different on older CPUs.
3535
3536         * stress/dataview-jit-set-nan.js: Added.
3537         (assert):
3538         (test.storeLittleEndian):
3539         (test.storeBigEndian):
3540         (test.store):
3541         (test):
3542         * stress/dataview-jit-set.js:
3543         (test5):
3544
3545 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3546
3547         Unreviewed, rolling out r236647.
3548         https://bugs.webkit.org/show_bug.cgi?id=190124
3549
3550         Breaking test stress/big-int-to-string.js (Requested by
3551         caiolima_ on #webkit).
3552
3553         Reverted changeset:
3554
3555         "[BigInt] BigInt.proptotype.toString is broken when radix is
3556         power of 2"
3557         https://bugs.webkit.org/show_bug.cgi?id=190033
3558         https://trac.webkit.org/changeset/236647
3559
3560 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3561
3562         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3563         https://bugs.webkit.org/show_bug.cgi?id=190033
3564
3565         Reviewed by Yusuke Suzuki.
3566
3567         * stress/big-int-to-string.js:
3568
3569 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3570
3571         [ESNext][BigInt] Implement support for "&"
3572         https://bugs.webkit.org/show_bug.cgi?id=186228
3573
3574         Reviewed by Yusuke Suzuki.
3575
3576         * stress/big-int-bitwise-and-general.js: Added.
3577         (assert):
3578         (assert.sameValue):
3579         * stress/big-int-bitwise-and-jit.js: Added.
3580         (let.assert.sameValue):
3581         (bigIntBitAnd):
3582         * stress/big-int-bitwise-and-memory-stress.js: Added.
3583         (assert):
3584         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3585         (assert.sameValue):
3586         (let.o.Symbol.toPrimitive):
3587         (catch):
3588         * stress/big-int-bitwise-and-type-error.js: Added.
3589         (assert):
3590         (assertThrowTypeError):
3591         (let.o.valueOf):
3592         (o.valueOf):
3593         (o.toString):
3594         (o.Symbol.toPrimitive):
3595         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3596         (assert.sameValue):
3597         (testBitAnd):
3598         (let.o.Symbol.toPrimitive):
3599         (o.valueOf):
3600         (o.toString):
3601
3602 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3603
3604         JSC test stress/jsc-read.js doesn't support CRLF
3605         https://bugs.webkit.org/show_bug.cgi?id=190063
3606
3607         Reviewed by Yusuke Suzuki.
3608
3609         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3610
3611         * stress/jsc-read.js:
3612         (test):
3613
3614 2018-09-27  Saam barati  <sbarati@apple.com>
3615
3616         Verify the contents of AssemblerBuffer on arm64e
3617         https://bugs.webkit.org/show_bug.cgi?id=190057
3618         <rdar://problem/38916630>
3619
3620         Reviewed by Mark Lam.
3621
3622         * stress/regress-189132.js:
3623
3624 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3625
3626         Disable test without LLInt on ARMv7
3627         https://bugs.webkit.org/show_bug.cgi?id=190037
3628
3629         Reviewed by Mark Lam.
3630
3631         Test runs out of executable memory on ARMv7, do not run
3632         this test without LLInt enabled.
3633
3634         * stress/regress-169445.js:
3635
3636 2018-09-26  Keith Miller  <keith_miller@apple.com>
3637
3638         We should zero unused property storage when rebalancing array storage.
3639         https://bugs.webkit.org/show_bug.cgi?id=188151
3640
3641         Reviewed by Michael Saboff.
3642
3643         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3644
3645 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3646
3647         [JSC] Optimize Array#lastIndexOf
3648         https://bugs.webkit.org/show_bug.cgi?id=189780
3649
3650         Reviewed by Saam Barati.
3651
3652         * stress/array-lastindexof-array-prototype-trap.js: Added.
3653         (shouldBe):
3654         (AncestorArray.prototype.get 2):
3655         (AncestorArray):
3656         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3657         (shouldBe):
3658         * stress/array-lastindexof-hole-nan.js: Added.
3659         (shouldBe):
3660         (throw.new.Error):
3661         * stress/array-lastindexof-infinity.js: Added.
3662         (shouldBe):
3663         (throw.new.Error):
3664         * stress/array-lastindexof-negative-zero.js: Added.
3665         (shouldBe):
3666         (throw.new.Error):
3667         * stress/array-lastindexof-own-getter.js: Added.
3668         (shouldBe):
3669         (throw.new.Error.get array):
3670         (get array):
3671         * stress/array-lastindexof-prototype-trap.js: Added.
3672         (shouldBe):
3673         (DerivedArray.prototype.get 2):
3674         (DerivedArray):
3675
3676 2018-09-25  Saam Barati  <sbarati@apple.com>
3677
3678         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3679         https://bugs.webkit.org/show_bug.cgi?id=189940
3680         <rdar://problem/43640987>
3681
3682         Reviewed by Mark Lam.
3683
3684         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3685
3686 2018-09-24  Saam Barati  <sbarati@apple.com>
3687
3688         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3689         https://bugs.webkit.org/show_bug.cgi?id=189922
3690         <rdar://problem/44651275>
3691
3692         Reviewed by Mark Lam.
3693
3694         * stress/array-indexof-fast-path-effects.js: Added.
3695         * stress/array-indexof-cached-length.js: Added.
3696
3697 2018-09-24  Saam barati  <sbarati@apple.com>
3698
3699         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3700         https://bugs.webkit.org/show_bug.cgi?id=189682
3701         <rdar://problem/43557315>
3702
3703         Reviewed by Mark Lam.
3704
3705         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3706         (foo):
3707
3708 2018-09-22  Saam barati  <sbarati@apple.com>
3709
3710         The sampling should not use Strong<CodeBlock> in its machineLocation field
3711         https://bugs.webkit.org/show_bug.cgi?id=189319
3712
3713         Reviewed by Filip Pizlo.
3714
3715         * stress/sampling-profiler-richards.js: Added.
3716
3717 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3718
3719         [JSC] Optimize Array#indexOf in C++ runtime
3720         https://bugs.webkit.org/show_bug.cgi?id=189507
3721
3722         Reviewed by Saam Barati.
3723
3724         * stress/array-indexof-array-prototype-trap.js: Added.
3725         (shouldBe):
3726         (AncestorArray.prototype.get 2):
3727         (AncestorArray):
3728         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3729         (shouldBe):
3730         * stress/array-indexof-hole-nan.js: Added.
3731         (shouldBe):
3732         (throw.new.Error):
3733         * stress/array-indexof-infinity.js: Added.
3734         (shouldBe):
3735         (throw.new.Error):
3736         * stress/array-indexof-negative-zero.js: Added.
3737         (shouldBe):
3738         (throw.new.Error):
3739         * stress/array-indexof-own-getter.js: Added.
3740         (shouldBe):
3741         (throw.new.Error.get array):
3742         (get array):
3743         * stress/array-indexof-prototype-trap.js: Added.
3744         (shouldBe):
3745         (DerivedArray.prototype.get 2):
3746         (DerivedArray):
3747
3748 2018-09-19  Saam barati  <sbarati@apple.com>
3749
3750         AI rule for MultiPutByOffset executes its effects in the wrong order
3751         https://bugs.webkit.org/show_bug.cgi?id=189757
3752         <rdar://problem/43535257>
3753
3754         Reviewed by Michael Saboff.
3755
3756         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3757         (foo):
3758         (Foo):
3759         (g):
3760
3761 2018-09-17  Mark Lam  <mark.lam@apple.com>
3762
3763         Ensure that ForInContexts are invalidated if their loop local is over-written.
3764         https://bugs.webkit.org/show_bug.cgi?id=189571
3765         <rdar://problem/44402277>
3766
3767         Reviewed by Saam Barati.
3768
3769         * stress/regress-189571.js: Added.
3770
3771 2018-09-17  Saam barati  <sbarati@apple.com>
3772
3773         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3774         https://bugs.webkit.org/show_bug.cgi?id=189676
3775         <rdar://problem/39682897>
3776
3777         Reviewed by Michael Saboff.
3778
3779         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3780         (A):
3781         (K):
3782         (i.catch):
3783
3784 2018-09-14  Saam barati  <sbarati@apple.com>
3785
3786         Don