Unreviewed, land one more test
[WebKit-https.git] / JSTests / ChangeLog
1 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         Unreviewed, land one more test
4         https://bugs.webkit.org/show_bug.cgi?id=197587
5
6         * stress/setter-frame-flush.js: Added.
7         (setter):
8         (foo):
9         (bar):
10
11 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         TemplateObject passed to template literal tags are not always identical for the same source location.
14         https://bugs.webkit.org/show_bug.cgi?id=190756
15
16         Reviewed by Saam Barati.
17
18         * complex.yaml:
19         * complex/tagged-template-regeneration-after.js: Added.
20         (shouldBe):
21         * complex/tagged-template-regeneration.js: Added.
22         (call):
23         (test):
24         * modules/tagged-template-inside-module.js: Added.
25         (from.string_appeared_here.call):
26         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
27         (call):
28         (export.otherTaggedTemplates):
29         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
30         (shouldBe):
31         (call):
32         (poly):
33         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
34         (shouldBe):
35         (call):
36         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
37         (shouldBe):
38         (call):
39         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
40         (shouldBe):
41         (call):
42         * stress/tagged-templates-in-multiple-functions.js: Added.
43         (shouldBe):
44         (call):
45         (a):
46         (b):
47         (c):
48
49 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
50
51         [PlayStation] JSC Stress tests failing due to timezone printing
52         https://bugs.webkit.org/show_bug.cgi?id=197615
53
54         PlayStation's strftime does not give timezone strings, which
55         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
56         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
57         which causes diff failures with the expectations. Add expectations
58         without the timezone string and use those on playstation.
59
60         Reviewed by Ross Kirsling.
61
62         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
63         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
64         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
65         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
66
67 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
68
69         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
70         https://bugs.webkit.org/show_bug.cgi?id=197587
71
72         Reviewed by Sam Weinig.
73
74         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
75
76         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
77
78 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
79
80         TypedArrays should not store properties that are canonical numeric indices
81         https://bugs.webkit.org/show_bug.cgi?id=197228
82         <rdar://problem/49557381>
83
84         Reviewed by Saam Barati.
85
86         * stress/array-species-config-array-constructor.js:
87         (test):
88         * stress/put-direct-index-broken-2.js:
89         * stress/typed-array-canonical-numeric-index-string.js: Added.
90         (makeTest.assert):
91         (makeTest):
92         (const.testInvalidIndices.makeTest.set assert):
93         (const.testInvalidIndices.makeTest):
94         (const.makeTestValidIndex.configurable.set assert):
95         (const.makeTestValidIndex.configurable):
96         * stress/typedarray-access-monomorphic-neutered.js:
97         (checkNoException):
98         (testNoException):
99         (testFTLNoException):
100         * stress/typedarray-access-neutered.js:
101         (testNoException):
102         * stress/typedarray-getownproperty-not-configurable.js:
103         (foo):
104         * test262/expectations.yaml:
105
106 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
107
108         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
109         https://bugs.webkit.org/show_bug.cgi?id=197584
110
111         Reviewed by Saam Barati.
112
113         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
114         (X):
115         (foo):
116
117 2019-05-03  Michael Saboff  <msaboff@apple.com>
118
119         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
120         https://bugs.webkit.org/show_bug.cgi?id=197586
121
122         Reviewed by Keith Miller.
123
124         We should only run one config of this test and only when we think we'll have the memory.
125
126         * stress/json-stringify-string-builder-overflow.js:
127
128 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
129
130         [JSC] Generator CodeBlock generation should be idempotent
131         https://bugs.webkit.org/show_bug.cgi?id=197552
132
133         Reviewed by Keith Miller.
134
135         Add complex.yaml, which controls how to run JSC shell more.
136         We split test files into two to run macro task between them which allows debugger to be attached to VM.
137
138         * complex.yaml: Added.
139         * complex/generator-regeneration-after.js: Added.
140         * complex/generator-regeneration.js: Added.
141         (gen):
142
143 2019-05-02  Michael Saboff  <msaboff@apple.com>
144
145         Unreviewed rollout of r244862.
146
147         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
148
149 2019-05-01  Saam barati  <sbarati@apple.com>
150
151         Baseline JIT should do argument value profiling after checking for stack overflow
152         https://bugs.webkit.org/show_bug.cgi?id=197052
153         <rdar://problem/50009602>
154
155         Reviewed by Yusuke Suzuki.
156
157         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
158
159 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
160
161         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
162         https://bugs.webkit.org/show_bug.cgi?id=197405
163
164         Reviewed by Saam Barati.
165
166         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
167         (foo):
168         (test):
169         (i.o.get f):
170         (i.o.set f):
171
172 2019-05-01  Michael Saboff  <msaboff@apple.com>
173
174         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
175         https://bugs.webkit.org/show_bug.cgi?id=197485
176
177         Reviewed by Saam Barati.
178
179         New test.
180
181         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
182         (foo):
183
184 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
185
186         Unreviewed correction to Test262 expectations following r244828.
187
188         * test262/expectations.yaml:
189
190 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
191
192         Add memory-limited skipping to some tests generating very large strings
193         https://bugs.webkit.org/show_bug.cgi?id=197437
194
195         Reviewed by Ross Kirsling.
196
197         * stress/StringObject-define-length-getter-rope-string-oom.js:
198         * stress/create-error-out-of-memory-rope-string.js:
199         * stress/string-16bit-repeat-overflow.js:
200
201 2019-04-30  Commit Queue  <commit-queue@webkit.org>
202
203         Unreviewed, rolling out r244806.
204         https://bugs.webkit.org/show_bug.cgi?id=197446
205
206         Causing Test262 and JSC test failures on multiple builds
207         (Requested by ShawnRoberts on #webkit).
208
209         Reverted changeset:
210
211         "TypeArrays should not store properties that are canonical
212         numeric indices"
213         https://bugs.webkit.org/show_bug.cgi?id=197228
214         https://trac.webkit.org/changeset/244806
215
216 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
217
218         TypeArrays should not store properties that are canonical numeric indices
219         https://bugs.webkit.org/show_bug.cgi?id=197228
220         <rdar://problem/49557381>
221
222         Reviewed by Darin Adler.
223
224         * stress/typed-array-canonical-numeric-index-string.js: Added.
225         (makeTest.assert):
226         (makeTest):
227         (const.testInvalidIndices.makeTest.set assert):
228         (const.testInvalidIndices.makeTest):
229         (const.testValidIndices.makeTest.set assert):
230         (const.testValidIndices.makeTest):
231
232 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
233
234         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
235         https://bugs.webkit.org/show_bug.cgi?id=197362
236
237         Reviewed by Saam Barati.
238
239         * stress/map-with-nan.js: Added.
240         (shouldBe):
241         (div):
242         (NaN1):
243         (NaN2):
244         (NaN3):
245         (NaN4):
246         (NaN1NoInline):
247         (NaN2NoInline):
248         (NaN3NoInline):
249         (NaN4NoInline):
250         (test1):
251         (test2):
252         (test3):
253         (test4):
254         * stress/set-with-nan.js: Added.
255         (shouldBe):
256         (div):
257         (NaN1):
258         (NaN2):
259         (NaN3):
260         (NaN4):
261         (NaN1NoInline):
262         (NaN2NoInline):
263         (NaN3NoInline):
264         (NaN4NoInline):
265         (test2):
266         (test4):
267
268 2019-04-26  Commit Queue  <commit-queue@webkit.org>
269
270         Unreviewed, rolling out r244708.
271         https://bugs.webkit.org/show_bug.cgi?id=197334
272
273         "Broke the debug build" (Requested by rmorisset on #webkit).
274
275         Reverted changeset:
276
277         "All prototypes should call didBecomePrototype()"
278         https://bugs.webkit.org/show_bug.cgi?id=196315
279         https://trac.webkit.org/changeset/244708
280
281 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
282
283         [JSC] linkPolymorphicCall now does GC
284         https://bugs.webkit.org/show_bug.cgi?id=197306
285
286         Reviewed by Saam Barati.
287
288         * stress/link-polymorphic-call-can-gc.js: Added.
289         (module):
290         (instance):
291
292 2019-04-26  Robin Morisset  <rmorisset@apple.com>
293
294         All prototypes should call didBecomePrototype()
295         https://bugs.webkit.org/show_bug.cgi?id=196315
296
297         Reviewed by Saam Barati.
298
299         * stress/function-prototype-indexed-accessor.js: Added.
300
301 2019-04-23  Saam Barati  <sbarati@apple.com>
302
303         LICM incorrectly assumes it'll never insert a node which provably OSR exits
304         https://bugs.webkit.org/show_bug.cgi?id=196721
305         <rdar://problem/49556479> 
306
307         Reviewed by Filip Pizlo.
308
309         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
310         (foo):
311
312 2019-04-19  Saam Barati  <sbarati@apple.com>
313
314         AbstractValue can represent more than int52
315         https://bugs.webkit.org/show_bug.cgi?id=197118
316         <rdar://problem/49969960>
317
318         Reviewed by Michael Saboff.
319
320         * stress/abstract-value-can-include-int52.js: Added.
321         (foo):
322         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
323
324 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
325
326         [WTF] StringBuilder should set correct m_is8Bit flag when merging
327         https://bugs.webkit.org/show_bug.cgi?id=197053
328
329         Reviewed by Saam Barati.
330
331         * stress/merge-string-builder-in-dfg.js: Added.
332         (foo):
333
334 2019-04-16  Caitlin Potter  <caitp@igalia.com>
335
336         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
337         https://bugs.webkit.org/show_bug.cgi?id=176810
338
339         Reviewed by Saam Barati.
340
341         Add tests for the DontEnum filtering, and variations of other tests
342         take the DontEnum-filtering path.
343
344         * stress/proxy-own-keys.js:
345         (i.catch):
346         (set assert):
347         (set add):
348         (let.set new):
349         (get let):
350
351 2019-04-15  Saam barati  <sbarati@apple.com>
352
353         Modify how we do SetArgument when we inline varargs calls
354         https://bugs.webkit.org/show_bug.cgi?id=196712
355         <rdar://problem/49605012>
356
357         Reviewed by Michael Saboff.
358
359         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
360         (foo):
361
362 2019-04-15  Saam barati  <sbarati@apple.com>
363
364         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
365         https://bugs.webkit.org/show_bug.cgi?id=196945
366         <rdar://problem/49802750>
367
368         Reviewed by Filip Pizlo.
369
370         * stress/get-by-offset-should-use-correct-child.js: Added.
371         (foo.bar):
372         (foo):
373
374 2019-04-15  Robin Morisset  <rmorisset@apple.com>
375
376         DFG should be able to constant fold Object.create() with a constant prototype operand
377         https://bugs.webkit.org/show_bug.cgi?id=196886
378
379         Reviewed by Yusuke Suzuki.
380
381         Note that this new benchmark does not currently see a speedup with inlining removed.
382         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
383
384         * microbenchmarks/object-create-constant-prototype.js: Added.
385         (test):
386
387 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
388
389         Incremental bytecode cache should not append function updates when loaded from memory
390         https://bugs.webkit.org/show_bug.cgi?id=196865
391
392         Reviewed by Filip Pizlo.
393
394         * stress/bytecode-cache-shared-code-block.js: Added.
395         (b):
396         (program):
397
398 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
399
400         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
401         https://bugs.webkit.org/show_bug.cgi?id=196880
402
403         Reviewed by Yusuke Suzuki.
404
405         * stress/bytecode-cache-syntax-error.js: Added.
406         (catch):
407
408 2019-04-12  Saam barati  <sbarati@apple.com>
409
410         r244079 logically broke shouldSpeculateInt52
411         https://bugs.webkit.org/show_bug.cgi?id=196884
412
413         Reviewed by Yusuke Suzuki.
414
415         * microbenchmarks/int52-rand-function.js: Added.
416         (Math.random):
417
418 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
419
420         [JSC] op_has_indexed_property should not assume subscript part is Uint32
421         https://bugs.webkit.org/show_bug.cgi?id=196850
422
423         Reviewed by Saam Barati.
424
425         * stress/has-indexed-property-should-accept-non-int32.js: Added.
426         (foo):
427
428 2019-04-11  Saam barati  <sbarati@apple.com>
429
430         Remove invalid assertion in operationInstanceOfCustom
431         https://bugs.webkit.org/show_bug.cgi?id=196842
432         <rdar://problem/49725493>
433
434         Reviewed by Michael Saboff.
435
436         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
437
438 2019-04-10  Saam Barati  <sbarati@apple.com>
439
440         AbstractValue::validateOSREntryValue is wrong for Int52 constants
441         https://bugs.webkit.org/show_bug.cgi?id=196801
442         <rdar://problem/49771122>
443
444         Reviewed by Yusuke Suzuki.
445
446         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
447
448 2019-04-10  Robin Morisset  <rmorisset@apple.com>
449
450         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
451         https://bugs.webkit.org/show_bug.cgi?id=196746
452
453         Reviewed by Yusuke Suzuki.
454
455         * stress/cyclic-define-properties.js: Added.
456         (foo):
457
458 2019-04-09  Saam barati  <sbarati@apple.com>
459
460         Clean up Int52 code and some bugs in it
461         https://bugs.webkit.org/show_bug.cgi?id=196639
462         <rdar://problem/49515757>
463
464         Reviewed by Yusuke Suzuki.
465
466         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
467
468 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
469
470         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
471         https://bugs.webkit.org/show_bug.cgi?id=196708
472         <rdar://problem/49556803>
473
474         Reviewed by Yusuke Suzuki.
475
476         * stress/proxy-getter-stack-overflow.js: Added.
477         (const.handler.get target):
478         (const.handler.has):
479         (try.with):
480         (catch):
481
482 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
483
484         [JSC] DFG should respect node's strict flag
485         https://bugs.webkit.org/show_bug.cgi?id=196617
486
487         Reviewed by Saam Barati.
488
489         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
490         (shouldEqual):
491         (makeUnwriteableUnconfigurableObject):
492         (runTest):
493         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
494         (shouldBe):
495         (shouldThrow):
496         (with.result):
497         (with.putValueStrict):
498         (with.putValueSloppy):
499
500 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
501
502         [JSC] isRope jump in StringSlice should not jump over register allocations
503         https://bugs.webkit.org/show_bug.cgi?id=196716
504
505         Reviewed by Saam Barati.
506
507         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
508         (foo.bar):
509         (foo):
510
511 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
512
513         [JSC] to_index_string should not assume incoming value is Uint32
514         https://bugs.webkit.org/show_bug.cgi?id=196713
515
516         Reviewed by Saam Barati.
517
518         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
519         (foo):
520
521 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
522
523         [JSC] Add more tests for r243966
524         https://bugs.webkit.org/show_bug.cgi?id=196711
525
526         Reviewed by Saam Barati.
527
528         Adding one more test for r243966 fix. The added test will not crash after r243966.
529
530         * stress/stress-cleared-calllinkinfo.js: Added.
531         (runNearStackLimit.t):
532         (runNearStackLimit):
533         (repeat):
534         (cls):
535         (let.item.of.array.runNearStackLimit):
536
537 2019-04-08  Saam Barati  <sbarati@apple.com>
538
539         WebAssembly.RuntimeError missing exception check
540         https://bugs.webkit.org/show_bug.cgi?id=196700
541         <rdar://problem/49693932>
542
543         Reviewed by Yusuke Suzuki.
544
545         * wasm/js-api/runtime-error-should-exception-check.js: Added.
546
547 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
548
549         Unreviewed, rolling in r243948 with test fix
550         https://bugs.webkit.org/show_bug.cgi?id=196486
551
552         * stress/arrow-function-and-use-strict-directive.js: Added.
553         * stress/arrow-function-syntax.js: Added.
554         (checkSyntax):
555         (checkSyntaxError):
556
557 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
558
559         Unreviewed, rolling out r243948.
560
561         Caused inspector/runtime/parse.html to fail
562
563         Reverted changeset:
564
565         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
566         https://bugs.webkit.org/show_bug.cgi?id=196486
567         https://trac.webkit.org/changeset/243948
568
569 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
570
571         Unreviewed, rolling out r243943.
572
573         Caused test262 failures.
574
575         Reverted changeset:
576
577         "[JSC] Filter DontEnum properties in
578         ProxyObject::getOwnPropertyNames()"
579         https://bugs.webkit.org/show_bug.cgi?id=176810
580         https://trac.webkit.org/changeset/243943
581
582 2019-04-07  Michael Saboff  <msaboff@apple.com>
583
584         REGRESSION (r243642): Crash in reddit.com page
585         https://bugs.webkit.org/show_bug.cgi?id=196684
586
587         Reviewed by Geoffrey Garen.
588
589         New regression test.
590
591         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
592
593 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
594
595         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
596         https://bugs.webkit.org/show_bug.cgi?id=196683
597
598         Reviewed by Saam Barati.
599
600         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
601         (foo):
602
603 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
604
605         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
606         https://bugs.webkit.org/show_bug.cgi?id=196582
607
608         Reviewed by Saam Barati.
609
610         * stress/add-overflow-check-with-three-same-registers.js: Added.
611         (foo):
612         (Number.prototype.valueOf):
613         (runWithNumber):
614
615 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
616
617         Unreviewed, rolling out r243665.
618
619         Caused iOS JSC tests to exit with an exception.
620
621         Reverted changeset:
622
623         "Assertion failed in JSC::createError"
624         https://bugs.webkit.org/show_bug.cgi?id=196305
625         https://trac.webkit.org/changeset/243665
626
627 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
628
629         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
630         https://bugs.webkit.org/show_bug.cgi?id=196486
631
632         Reviewed by Saam Barati.
633
634         * stress/arrow-function-and-use-strict-directive.js: Added.
635         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
636         (checkSyntax):
637         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
638
639 2019-04-05  Caitlin Potter  <caitp@igalia.com>
640
641         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
642         https://bugs.webkit.org/show_bug.cgi?id=176810
643
644         Reviewed by Saam Barati.
645
646         Add tests for the DontEnum filtering, and variations of other tests
647         take the DontEnum-filtering path.
648
649         * stress/proxy-own-keys.js:
650         (i.catch):
651         (set assert):
652         (set add):
653         (let.set new):
654         (get let):
655
656 2019-04-05  Caitlin Potter  <caitp@igalia.com>
657
658         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
659         https://bugs.webkit.org/show_bug.cgi?id=185211
660
661         Reviewed by Saam Barati.
662
663         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
664
665         This changes several assertions to expect a TypeError to be thrown (in some cases,
666         changing thee expected message).
667
668         * es6/Proxy_ownKeys_duplicates.js:
669         (handler):
670         (shouldThrow):
671         (test):
672         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
673         (shouldThrow):
674         * stress/proxy-own-keys.js:
675         (i.catch):
676         (assert):
677
678 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
679
680         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
681         https://bugs.webkit.org/show_bug.cgi?id=196631
682
683         Reviewed by Saam Barati.
684
685         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
686         (assert):
687         (test):
688         (foo):
689
690 2019-04-04  Saam Barati  <sbarati@apple.com>
691
692         Unreviewed. Make the test from r243906 catch the thrown exceptions.
693
694         * stress/inferred-types-regex-matches-array.js:
695
696 2019-04-04  Saam Barati  <sbarati@apple.com>
697
698         createRegExpMatchesArray does not respect inferred types
699         https://bugs.webkit.org/show_bug.cgi?id=193287
700
701         Reviewed by Yusuke Suzuki.
702
703         This checks in the test case for 193287. This issue was discovered by
704         Samuel GroƟ of Google Project Zero.
705
706         * stress/inferred-types-regex-matches-array.js: Added.
707
708 2019-04-04  Saam barati  <sbarati@apple.com>
709
710         Teach Call ICs how to call Wasm
711         https://bugs.webkit.org/show_bug.cgi?id=196387
712
713         Reviewed by Filip Pizlo.
714
715         * wasm/function-tests/stack-trace.js:
716
717 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
718
719         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
720         https://bugs.webkit.org/show_bug.cgi?id=194944
721
722         Reviewed by Keith Miller.
723
724         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
725
726 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
727
728         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
729         https://bugs.webkit.org/show_bug.cgi?id=196409
730
731         Reviewed by Saam Barati.
732
733         * stress/bytecode-cache-cached-string-impl.js: Added.
734         (f):
735         (g):
736         * stress/bytecode-cache-run-string.js: Added.
737
738 2019-04-03  Robin Morisset  <rmorisset@apple.com>
739
740         B3 should use associativity to optimize expression trees
741         https://bugs.webkit.org/show_bug.cgi?id=194081
742
743         Reviewed by Filip Pizlo.
744
745         Added three microbenchmarks:
746         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
747         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
748           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
749         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
750
751         * microbenchmarks/add-tree.js: Added.
752         * microbenchmarks/bit-or-tree.js: Added.
753         * microbenchmarks/bit-xor-tree.js: Added.
754
755 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
756
757         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
758         https://bugs.webkit.org/show_bug.cgi?id=196574
759
760         Reviewed by Saam Barati.
761
762         * stress/string-index-of-exception-check.js: Added.
763         (blurType):
764         (1.forEach):
765
766 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
767
768         Assertion failed in JSC::createError
769         https://bugs.webkit.org/show_bug.cgi?id=196305
770         <rdar://problem/49387382>
771
772         Reviewed by Saam Barati.
773
774         * stress/create-error-out-of-memory-rope-string-2.js: Added.
775         (assert):
776         (catch):
777
778 2019-03-28  Saam Barati  <sbarati@apple.com>
779
780         BackwardsGraph needs to consider back edges as the backward's root successor
781         https://bugs.webkit.org/show_bug.cgi?id=195991
782
783         Reviewed by Filip Pizlo.
784
785         * stress/map-b3-licm-infinite-loop.js: Added.
786
787 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
788
789         CodeBlock::jettison() should disallow repatching its own calls
790         https://bugs.webkit.org/show_bug.cgi?id=196359
791         <rdar://problem/48973663>
792
793         Reviewed by Saam Barati.
794
795         * stress/call-link-info-osrexit-repatch.js: Added.
796         (foo):
797
798 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
799
800         [JSC] imports-oom.js intermittently fails
801         https://bugs.webkit.org/show_bug.cgi?id=196373
802
803         Reviewed by Saam Barati.
804
805         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
806         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
807         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
808         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
809         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
810
811         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
812         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
813
814         * wasm/lowExecutableMemory/imports-oom.js:
815
816 2019-03-27  Saam Barati  <sbarati@apple.com>
817
818         validateOSREntryValue with Int52 should box the value being checked into double format
819         https://bugs.webkit.org/show_bug.cgi?id=196313
820         <rdar://problem/49306703>
821
822         Reviewed by Yusuke Suzuki.
823
824         * stress/validate-int-52-ai-state.js: Added.
825
826 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
827
828         [JSC] Owner of watchpoints should validate at GC finalizing phase
829         https://bugs.webkit.org/show_bug.cgi?id=195827
830
831         Reviewed by Filip Pizlo.
832
833         * stress/gc-should-reap-dead-watchpoints.js: Added.
834         (foo):
835         (A.prototype.y):
836         (A):
837
838 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
839
840         Skip WebAssembly test on 32-bit systems
841         https://bugs.webkit.org/show_bug.cgi?id=196206
842
843         Reviewed by Saam Barati.
844
845         Invoking runDefault executes test immediately even though
846         that test should be skipped due to missing WASM support.
847         Therefore remove runDefault.
848
849         * wasm/regress/web-assembly-link-error-exception-check.js:
850
851 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
852
853         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
854         https://bugs.webkit.org/show_bug.cgi?id=196217
855
856         Reviewed by Saam Barati.
857
858         Re-enable all NaN tests for f32.min, f64.min and f64.max.
859
860         * wasm/spec-tests/f32.wast.js:
861         * wasm/spec-tests/f64.wast.js:
862         * wasm/wasm.json:
863
864 2019-03-25  Keith Miller  <keith_miller@apple.com>
865
866         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
867         https://bugs.webkit.org/show_bug.cgi?id=196176
868
869         Reviewed by Saam Barati.
870
871         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
872         (main.v10):
873         (main):
874
875 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
876
877         WebAssembly: f32.max with NaN generates incorrect result
878         https://bugs.webkit.org/show_bug.cgi?id=175691
879         <rdar://problem/33952228>
880
881         Reviewed by Saam Barati.
882
883         Enable all f32.max NaN tests
884
885         * wasm/spec-tests/f32.wast.js:
886         * wasm/wasm.json:
887
888 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
889
890         [JSC] Move test into directory for WASM tests
891         https://bugs.webkit.org/show_bug.cgi?id=196187
892
893         Reviewed by Mark Lam.
894
895         Move Test into wasm-directory. Otherwise this test
896         is also executed on systems without WASM support.
897
898         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
899
900 2019-03-23  Mark Lam  <mark.lam@apple.com>
901
902         Rolling out r243032 and r243071 because the fix is incorrect.
903         https://bugs.webkit.org/show_bug.cgi?id=195892
904         <rdar://problem/48981239>
905
906         Not reviewed.
907
908         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
909
910 2019-03-22  Mark Lam  <mark.lam@apple.com>
911
912         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
913         https://bugs.webkit.org/show_bug.cgi?id=196154
914         <rdar://problem/49145307>
915
916         Reviewed by Filip Pizlo.
917
918         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
919         There's no need to run this test on more than 1 test configuration.
920
921         * stress/typed-array-lastIndexOf-exception-check.js: Added.
922         * stress/web-assembly-link-error-exception-check.js:
923
924 2019-03-22  Mark Lam  <mark.lam@apple.com>
925
926         Placate exception check validation in constructJSWebAssemblyLinkError().
927         https://bugs.webkit.org/show_bug.cgi?id=196152
928         <rdar://problem/49145257>
929
930         Reviewed by Michael Saboff.
931
932         * stress/web-assembly-link-error-exception-check.js: Added.
933
934 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
935
936         Skip tests running out of memory on ARM/MIPS
937         https://bugs.webkit.org/show_bug.cgi?id=196131
938
939         Unreviewed. Skip test if memory is limited.
940
941         * microbenchmarks/put-by-val-direct-large-index.js:
942
943 2019-03-21  Mark Lam  <mark.lam@apple.com>
944
945         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
946         https://bugs.webkit.org/show_bug.cgi?id=196116
947         <rdar://problem/48976951>
948
949         Reviewed by Filip Pizlo.
950
951         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
952
953 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
954
955         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
956         https://bugs.webkit.org/show_bug.cgi?id=196078
957         <rdar://problem/35925380>
958
959         Reviewed by Mark Lam.
960
961         Add a new benchmark that allocates several objects and invokes put_by_val_direct
962         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
963
964         * microbenchmarks/put-by-val-direct-large-index.js: Added.
965
966 2019-03-21  Mark Lam  <mark.lam@apple.com>
967
968         Placate exception check validation in operationArrayIndexOfString().
969         https://bugs.webkit.org/show_bug.cgi?id=196067
970         <rdar://problem/49056572>
971
972         Reviewed by Michael Saboff.
973
974         * stress/string-equal-exception-check.js: Added.
975
976 2019-03-21  Mark Lam  <mark.lam@apple.com>
977
978         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
979         https://bugs.webkit.org/show_bug.cgi?id=196055
980         <rdar://problem/49067448>
981
982         Reviewed by Yusuke Suzuki.
983
984         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
985
986 2019-03-20  Saam Barati  <sbarati@apple.com>
987
988         typeOfDoubleSum is wrong for when NaN can be produced
989         https://bugs.webkit.org/show_bug.cgi?id=196030
990
991         Reviewed by Filip Pizlo.
992
993         * stress/double-add-sub-mul-can-produce-nan.js: Added.
994         (assert):
995         (noInline.sub):
996         (noInline):
997         (assert.mul):
998         (assert.add):
999
1000 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
1001
1002         Update the test to ensure OutOfMemoryError is thrown as intended
1003         https://bugs.webkit.org/show_bug.cgi?id=196032
1004         <rdar://problem/46842740>
1005
1006         Rubber stamped by Saam Barati.
1007
1008         * stress/create-error-out-of-memory-rope-string.js:
1009         (assert):
1010         (catch):
1011
1012 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
1013
1014         JSC::createError needs to check for OOM in errorDescriptionForValue
1015         https://bugs.webkit.org/show_bug.cgi?id=196032
1016         <rdar://problem/46842740>
1017
1018         Reviewed by Mark Lam.
1019
1020         * stress/create-error-out-of-memory-rope-string.js: Added.
1021
1022 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
1023
1024         Unreviewed, reduce # of iterations to avoid timing out after r242991
1025         https://bugs.webkit.org/show_bug.cgi?id=195791
1026
1027         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
1028
1029         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1030
1031 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1032
1033         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
1034         https://bugs.webkit.org/show_bug.cgi?id=195950
1035
1036         Unreviewed, reducing the amount of memory used on this test to avoid
1037         OOM on devices with memory restrictions.
1038
1039         * microbenchmarks/generate-multiple-llint-entrypoints.js:
1040
1041 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1042
1043         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
1044         https://bugs.webkit.org/show_bug.cgi?id=194648
1045
1046         Reviewed by Keith Miller.
1047
1048         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
1049
1050 2019-03-18  Mark Lam  <mark.lam@apple.com>
1051
1052         Missing a ThrowScope release in JSObject::toString().
1053         https://bugs.webkit.org/show_bug.cgi?id=195893
1054         <rdar://problem/48970986>
1055
1056         Reviewed by Michael Saboff.
1057
1058         * stress/to-string-exception-check-release.js: Added.
1059
1060 2019-03-18  Mark Lam  <mark.lam@apple.com>
1061
1062         Structure::flattenDictionary() should clear unused property slots.
1063         https://bugs.webkit.org/show_bug.cgi?id=195871
1064         <rdar://problem/48959497>
1065
1066         Reviewed by Michael Saboff.
1067
1068         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
1069
1070 2019-03-15  Mark Lam  <mark.lam@apple.com>
1071
1072         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
1073         https://bugs.webkit.org/show_bug.cgi?id=195827
1074         <rdar://problem/48845513>
1075
1076         Reviewed by Filip Pizlo.
1077
1078         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
1079
1080 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
1081
1082         [ARM,MIPS] Skip slow tests
1083         https://bugs.webkit.org/show_bug.cgi?id=195799
1084
1085         Unreviewed, test does not finish on ARM and MIPS within the
1086         timeout limit.
1087
1088         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1089
1090 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
1091
1092         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
1093         https://bugs.webkit.org/show_bug.cgi?id=195791
1094         <rdar://problem/48806130>
1095
1096         Reviewed by Mark Lam.
1097
1098         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
1099         (foo):
1100
1101 2019-03-14  Saam barati  <sbarati@apple.com>
1102
1103         We can't remove code after ForceOSRExit until after FixupPhase
1104         https://bugs.webkit.org/show_bug.cgi?id=186916
1105         <rdar://problem/41396612>
1106
1107         Reviewed by Yusuke Suzuki.
1108
1109         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
1110         (foo):
1111         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1112         (foo):
1113
1114 2019-03-13  Michael Saboff  <msaboff@apple.com>
1115
1116         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
1117         https://bugs.webkit.org/show_bug.cgi?id=195735
1118
1119         Reviewed by Mark Lam.
1120
1121         New regression test.
1122
1123         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
1124         (foo):
1125         (bar):
1126
1127 2019-03-14  Saam barati  <sbarati@apple.com>
1128
1129         Fixup uses KnownInt32 incorrectly in some nodes
1130         https://bugs.webkit.org/show_bug.cgi?id=195279
1131         <rdar://problem/47915654>
1132
1133         Reviewed by Yusuke Suzuki.
1134
1135         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
1136         (foo):
1137
1138 2019-03-14  Keith Miller  <keith_miller@apple.com>
1139
1140         DFG liveness can't skip tail caller inline frames
1141         https://bugs.webkit.org/show_bug.cgi?id=195715
1142
1143         Reviewed by Saam Barati.
1144
1145         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
1146         (i.foo):
1147
1148 2019-03-13  Mark Lam  <mark.lam@apple.com>
1149
1150         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
1151         https://bugs.webkit.org/show_bug.cgi?id=195415
1152
1153         Not reviewed.
1154
1155         Changed these tests to only run the default configuration.
1156         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
1157         There's no strong need to run this test on that variant.
1158
1159         * stress/dfg-to-string-on-int-does-gc.js:
1160         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
1161
1162 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
1163
1164         String overflow when using StringBuilder in JSC::createError
1165         https://bugs.webkit.org/show_bug.cgi?id=194957
1166
1167         Reviewed by Mark Lam.
1168
1169         Add test string-overflow-createError-bulder.js that overflows
1170         StringBuilder in notAFunctionSourceAppender. The second new test
1171         string-overflow-createError-fit.js has an error message that doesn't
1172         overflow, it still failed since the String's capacity can't be doubled.
1173         Run test string-overflow-createError.js only in the default
1174         configuration to reduce memory consumption when running the test
1175         in all configurations on multiple CPUs in parallel.
1176
1177         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
1178         (catch):
1179         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
1180         (catch):
1181         * stress/string-overflow-createError.js:
1182
1183 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
1184
1185         [JSC] OSR entry should respect abstract values in addition to flush formats
1186         https://bugs.webkit.org/show_bug.cgi?id=195653
1187
1188         Reviewed by Mark Lam.
1189
1190         * stress/osr-entry-locals-none.js: Added.
1191
1192 2019-03-12  Michael Saboff  <msaboff@apple.com>
1193
1194         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
1195         https://bugs.webkit.org/show_bug.cgi?id=195613
1196
1197         Reviewed by Mark Lam.
1198
1199         New regression test.
1200
1201         * stress/regexp-backref-inbounds.js: Added.
1202         (testRegExp):
1203
1204 2019-03-12  Mark Lam  <mark.lam@apple.com>
1205
1206         The HasIndexedProperty node does GC.
1207         https://bugs.webkit.org/show_bug.cgi?id=195559
1208         <rdar://problem/48767923>
1209
1210         Reviewed by Yusuke Suzuki.
1211
1212         * stress/HasIndexedProperty-does-gc.js: Added.
1213
1214 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
1215
1216         [ESNext][BigInt] Implement "~" unary operation
1217         https://bugs.webkit.org/show_bug.cgi?id=182216
1218
1219         Reviewed by Keith Miller.
1220
1221         * stress/big-int-bit-not-general.js: Added.
1222         * stress/big-int-bitwise-not-jit.js: Added.
1223         * stress/big-int-bitwise-not-wrapped-value.js: Added.
1224         * stress/bit-op-with-object-returning-int32.js:
1225         * stress/bitwise-not-fixup-rules.js: Added.
1226         * stress/value-bit-not-ai-rule.js: Added.
1227
1228 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
1229
1230         Invalid flags in a RegExp literal should be an early SyntaxError
1231         https://bugs.webkit.org/show_bug.cgi?id=195514
1232
1233         Reviewed by Darin Adler.
1234
1235         * test262/expectations.yaml:
1236         Mark 4 test cases as passing.
1237
1238         * stress/regexp-syntax-error-invalid-flags.js:
1239         * stress/regress-161995.js: Removed.
1240         Update existing test, merging in an older test for the same behavior.
1241
1242 2019-03-08  Mark Lam  <mark.lam@apple.com>
1243
1244         Stack overflow crash in JSC::JSObject::hasInstance.
1245         https://bugs.webkit.org/show_bug.cgi?id=195458
1246         <rdar://problem/48710195>
1247
1248         Reviewed by Yusuke Suzuki.
1249
1250         * stress/stack-overflow-in-custom-hasInstance.js: Added.
1251
1252 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
1253
1254         op_check_tdz does not def its argument
1255         https://bugs.webkit.org/show_bug.cgi?id=192880
1256         <rdar://problem/46221598>
1257
1258         Reviewed by Saam Barati.
1259
1260         * microbenchmarks/let-for-in.js: Added.
1261         (foo):
1262
1263 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
1264
1265         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
1266         https://bugs.webkit.org/show_bug.cgi?id=195429
1267
1268         Reviewed by Saam Barati.
1269
1270         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
1271         (foo):
1272         * stress/string-from-char-code-255.js: Added.
1273
1274 2019-03-06  Mark Lam  <mark.lam@apple.com>
1275
1276         Fix incorrect handling of try-finally completion values.
1277         https://bugs.webkit.org/show_bug.cgi?id=195131
1278         <rdar://problem/46222079>
1279
1280         Reviewed by Saam Barati and Yusuke Suzuki.
1281
1282         Added many permutations of new test case to test-finally.js.  test-finally.js has
1283         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
1284         tests passes there as well.
1285
1286         * stress/test-finally.js:
1287
1288 2019-03-06  Saam Barati  <sbarati@apple.com>
1289
1290         Air::reportUsedRegisters must padInterference
1291         https://bugs.webkit.org/show_bug.cgi?id=195303
1292         <rdar://problem/48270343>
1293
1294         Reviewed by Keith Miller.
1295
1296         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
1297
1298 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
1299
1300         [JSC] AI should not propagate AbstractValue relying on constant folding phase
1301         https://bugs.webkit.org/show_bug.cgi?id=195375
1302
1303         Reviewed by Saam Barati.
1304
1305         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
1306         (let.array):
1307
1308 2019-03-05  Saam barati  <sbarati@apple.com>
1309
1310         op_switch_char broken for rope strings after JSRopeString layout rewrite
1311         https://bugs.webkit.org/show_bug.cgi?id=195339
1312         <rdar://problem/48592545>
1313
1314         Reviewed by Yusuke Suzuki.
1315
1316         * stress/switch-on-char-llint-rope.js: Added.
1317
1318 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
1319
1320         [JSC] Store bits for JSRopeString in 3 stores
1321         https://bugs.webkit.org/show_bug.cgi?id=195234
1322
1323         Reviewed by Saam Barati.
1324
1325         * stress/null-rope-and-collectors.js: Added.
1326
1327 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1328
1329         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1330         https://bugs.webkit.org/show_bug.cgi?id=195207
1331
1332         Unreviewed. After test runtime was reduced in r242213, test can be
1333         run again on ARM/MIPS.
1334
1335         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1336
1337 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1338
1339         [JSC] sizeof(JSString) should be 16
1340         https://bugs.webkit.org/show_bug.cgi?id=194375
1341
1342         Reviewed by Saam Barati.
1343
1344         * microbenchmarks/make-rope.js: Added.
1345         (makeRope):
1346         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1347         (returnRope.helper): Deleted.
1348         (returnRope): Deleted.
1349
1350 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1351
1352         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1353         https://bugs.webkit.org/show_bug.cgi?id=195144
1354
1355         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1356         Change the number from 1e8 to 1e5.
1357
1358         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1359         (foo):
1360
1361 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1362
1363         Test times out on ARM/MIPS
1364         https://bugs.webkit.org/show_bug.cgi?id=195168
1365
1366         Unreviewed. Skip test on ARM/MIPS.
1367
1368         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1369
1370 2019-02-27  Mark Lam  <mark.lam@apple.com>
1371
1372         The parser is failing to record the token location of new in new.target.
1373         https://bugs.webkit.org/show_bug.cgi?id=195127
1374         <rdar://problem/39645578>
1375
1376         Reviewed by Yusuke Suzuki.
1377
1378         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1379
1380 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1381
1382         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1383         https://bugs.webkit.org/show_bug.cgi?id=195144
1384         <rdar://problem/47595961>
1385
1386         Reviewed by Mark Lam.
1387
1388         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1389         (bar):
1390         (foo):
1391         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1392         (bar):
1393         (foo):
1394
1395 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1396
1397         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1398         https://bugs.webkit.org/show_bug.cgi?id=194945
1399         <rdar://problem/48311657>
1400
1401         Reviewed by Mark Lam.
1402
1403         * stress/licm-dead-code.js: Added.
1404
1405 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1406
1407         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1408         https://bugs.webkit.org/show_bug.cgi?id=194677
1409         <rdar://problem/48112492>
1410
1411         Reviewed by Mark Lam.
1412
1413         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1414         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1415         it immediately fails due the large size.
1416
1417         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1418         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
1419         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1420         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1421
1422         This patch changes the test to produce 16bit string from String.fromCharCode.
1423
1424         * stress/regress-178386.js:
1425
1426 2019-02-26  Mark Lam  <mark.lam@apple.com>
1427
1428         wasmToJS() should purify incoming NaNs.
1429         https://bugs.webkit.org/show_bug.cgi?id=194807
1430         <rdar://problem/48189132>
1431
1432         Reviewed by Saam Barati.
1433
1434         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1435
1436 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1437
1438         [JSC] Repeat string created from Array.prototype.join() take too much memory
1439         https://bugs.webkit.org/show_bug.cgi?id=193912
1440
1441         Reviewed by Saam Barati.
1442
1443         Added a test and a microbenchmark for corner cases of
1444         Array.prototype.join() with an uninitialized array.
1445
1446         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1447         * stress/array-prototype-join-uninitialized.js: Added.
1448         (testArray):
1449         (testABC):
1450         (B):
1451         (C):
1452
1453 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1454
1455         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1456         https://bugs.webkit.org/show_bug.cgi?id=194953
1457         <rdar://problem/47595253>
1458
1459         Reviewed by Saam Barati.
1460
1461         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1462
1463         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1464
1465 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1466
1467         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1468         https://bugs.webkit.org/show_bug.cgi?id=172848
1469         <rdar://problem/25709212>
1470
1471         Reviewed by Mark Lam.
1472
1473         * typeProfiler/inheritance.js:
1474         Rewrite the test slightly for clarity. The hoisting was confusing.
1475
1476         * heapProfiler/class-names.js: Added.
1477         (MyES5Class):
1478         (MyES6Class):
1479         (MyES6Subclass):
1480         Test object types and improved class names.
1481
1482         * heapProfiler/driver/driver.js:
1483         (CheapHeapSnapshotNode):
1484         (CheapHeapSnapshot):
1485         (createCheapHeapSnapshot):
1486         (HeapSnapshot):
1487         (createHeapSnapshot):
1488         Update snapshot parsing from version 1 to version 2.
1489
1490 2019-02-19  Truitt Savell  <tsavell@apple.com>
1491
1492         Unreviewed, rolling out r241784.
1493
1494         Broke all OpenSource builds.
1495
1496         Reverted changeset:
1497
1498         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1499         instances view"
1500         https://bugs.webkit.org/show_bug.cgi?id=172848
1501         https://trac.webkit.org/changeset/241784
1502
1503 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1504
1505         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1506         https://bugs.webkit.org/show_bug.cgi?id=172848
1507         <rdar://problem/25709212>
1508
1509         Reviewed by Mark Lam.
1510
1511         * typeProfiler/inheritance.js:
1512         Rewrite the test slightly for clarity. The hoisting was confusing.
1513
1514         * heapProfiler/class-names.js: Added.
1515         (MyES5Class):
1516         (MyES6Class):
1517         (MyES6Subclass):
1518         Test object types and improved class names.
1519
1520         * heapProfiler/driver/driver.js:
1521         (CheapHeapSnapshotNode):
1522         (CheapHeapSnapshot):
1523         (createCheapHeapSnapshot):
1524         (HeapSnapshot):
1525         (createHeapSnapshot):
1526         Update snapshot parsing from version 1 to version 2.
1527
1528 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1529
1530         [ARM] Fix crash with sampling profiler
1531         https://bugs.webkit.org/show_bug.cgi?id=194772
1532
1533         Reviewed by Mark Lam.
1534
1535         Do not skip test since crash with sampling profiler is now fixed.
1536
1537         * stress/sampling-profiler-richards.js:
1538
1539 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1540
1541         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1542         https://bugs.webkit.org/show_bug.cgi?id=194784
1543         <rdar://problem/48154820>
1544
1545         Reviewed by Mark Lam.
1546
1547         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1548         (getProperties):
1549         (getRandomProperty):
1550         (i.catch):
1551
1552 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1553
1554         [ARM] Test gardening: Test running out of executable memory
1555         https://bugs.webkit.org/show_bug.cgi?id=194771
1556
1557         Unreviewed. Do not run test without LLInt, test is running out of executable
1558         memory on ARM otherwise.
1559
1560         * stress/tagged-template-object-collect.js:
1561
1562 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1563
1564         Unreviewed, skip the test on platforms without sampling profiler
1565
1566         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1567         (platformSupportsSamplingProfiler.foo):
1568         (platformSupportsSamplingProfiler.test):
1569         (platformSupportsSamplingProfiler):
1570         (foo): Deleted.
1571         (test): Deleted.
1572
1573 2019-02-17  Saam Barati  <sbarati@apple.com>
1574
1575         Deadlock when adding a Structure property transition and then doing incremental marking
1576         https://bugs.webkit.org/show_bug.cgi?id=194767
1577
1578         Reviewed by Mark Lam.
1579
1580         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1581
1582 2019-02-15  Michael Saboff  <msaboff@apple.com>
1583
1584         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1585         https://bugs.webkit.org/show_bug.cgi?id=194558
1586
1587         Reviewed by Saam Barati.
1588
1589         New regression test.
1590
1591         * stress/regexp-unicode-within-string.js: Added.
1592
1593 2019-02-15  Mark Lam  <mark.lam@apple.com>
1594
1595         SamplingProfiler::stackTracesAsJSON() should escape strings.
1596         https://bugs.webkit.org/show_bug.cgi?id=194649
1597         <rdar://problem/48072386>
1598
1599         Reviewed by Saam Barati.
1600
1601         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1602         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1603         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1604         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1605
1606 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1607         CodeBlock::jettison should clear related watchpoints
1608         https://bugs.webkit.org/show_bug.cgi?id=194544
1609
1610         Reviewed by Mark Lam.
1611
1612         * stress/regexp-replace-double-watchpoint.js: Added.
1613         (foo):
1614
1615 2019-02-15  Saam barati  <sbarati@apple.com>
1616
1617         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1618         https://bugs.webkit.org/show_bug.cgi?id=194036
1619
1620         Reviewed by Yusuke Suzuki.
1621
1622         * stress/tail-call-many-arguments.js: Added.
1623         (foo):
1624         (bar):
1625
1626 2019-02-14  Saam Barati  <sbarati@apple.com>
1627
1628         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1629         https://bugs.webkit.org/show_bug.cgi?id=194583
1630         <rdar://problem/48028140>
1631
1632         Reviewed by Yusuke Suzuki.
1633
1634         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1635
1636 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1637
1638         [JSC] String.fromCharCode's slow path always generates 16bit string
1639         https://bugs.webkit.org/show_bug.cgi?id=194466
1640
1641         Reviewed by Keith Miller.
1642
1643         * stress/string-from-char-code-slow-path.js: Added.
1644         (shouldBe):
1645         (testWithLength):
1646
1647 2019-02-08  Saam barati  <sbarati@apple.com>
1648
1649         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1650         https://bugs.webkit.org/show_bug.cgi?id=194334
1651         <rdar://problem/47844327>
1652
1653         Reviewed by Mark Lam.
1654
1655         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1656         (func):
1657
1658 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1659
1660         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1661         https://bugs.webkit.org/show_bug.cgi?id=194369
1662         <rdar://problem/47813087>
1663
1664         Reviewed by Saam Barati.
1665
1666         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1667         (A):
1668
1669 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1670
1671         [JSC] PrivateName to PublicName hash table is wasteful
1672         https://bugs.webkit.org/show_bug.cgi?id=194277
1673
1674         Reviewed by Michael Saboff.
1675
1676         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1677
1678         * ChakraCore.yaml:
1679
1680 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1681
1682         [ARM] Test running out of executable memory
1683         https://bugs.webkit.org/show_bug.cgi?id=194285
1684
1685         Unreviewed. Do no execute test with LLInt disabled, test runs out of
1686         executable memory otherwise.
1687
1688         * stress/class-subclassing-function.js:
1689
1690 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1691
1692         when lowering AssertNotEmpty, create the value before creating the patchpoint
1693         https://bugs.webkit.org/show_bug.cgi?id=194231
1694
1695         Reviewed by Saam Barati.
1696
1697         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1698         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1699         So even tiny changes to this test can change the path code taken.
1700
1701         * stress/assert-not-empty.js: Added.
1702         (foo):
1703
1704 2019-02-01  Mark Lam  <mark.lam@apple.com>
1705
1706         Remove invalid assertion in DFG's compileDoubleRep().
1707         https://bugs.webkit.org/show_bug.cgi?id=194130
1708         <rdar://problem/47699474>
1709
1710         Reviewed by Saam Barati.
1711
1712         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1713
1714 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1715
1716         Import latest Test262 updates.
1717
1718         Rubber-stamped by Keith Miller.
1719
1720         * test262.yaml: Deleted.
1721         * test262/config.yaml:
1722         * test262/expectations.yaml:
1723         * test262/latest-changes-summary.txt:
1724         * test262/test/:
1725         * test262/test262-Revision.txt:
1726
1727 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1728
1729         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1730         https://bugs.webkit.org/show_bug.cgi?id=194050
1731         <rdar://problem/47595592>
1732
1733         Reviewed by Yusuke Suzuki.
1734
1735         * stress/object-keys-osr-exit.js: Added.
1736         (foo):
1737         (catch):
1738
1739 2019-01-29  Mark Lam  <mark.lam@apple.com>
1740
1741         ValueRecovery::recover() should purify NaN values it recovers.
1742         https://bugs.webkit.org/show_bug.cgi?id=193978
1743         <rdar://problem/47625488>
1744
1745         Reviewed by Saam Barati.
1746
1747         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1748
1749 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1750
1751         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1752         https://bugs.webkit.org/show_bug.cgi?id=193713
1753
1754         * stress/try-get-by-id-should-spill-registers-dfg.js:
1755         (let.f.createBuiltin):
1756
1757 2019-01-28  Mark Lam  <mark.lam@apple.com>
1758
1759         ToString node actually does GC.
1760         https://bugs.webkit.org/show_bug.cgi?id=193920
1761         <rdar://problem/46695900>
1762
1763         Reviewed by Yusuke Suzuki.
1764
1765         * stress/dfg-to-string-on-int-does-gc.js: Added.
1766         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1767         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1768
1769 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1770
1771         [JSC] NativeErrorConstructor should not have own IsoSubspace
1772         https://bugs.webkit.org/show_bug.cgi?id=193713
1773
1774         Reviewed by Saam Barati.
1775
1776         Remove @Error use.
1777
1778         * stress/try-get-by-id-should-spill-registers-dfg.js:
1779         (let.f.createBuiltin):
1780
1781 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1782
1783         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1784         https://bugs.webkit.org/show_bug.cgi?id=190693
1785
1786         Reviewed by Michael Saboff.
1787
1788         * stress/regress-190693.js: Added.
1789         (truth):
1790         (assert):
1791         (shouldThrowInvalidConstAssignment):
1792         (taz):
1793
1794 2019-01-24  Saam Barati  <sbarati@apple.com>
1795
1796         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1797         https://bugs.webkit.org/show_bug.cgi?id=193751
1798         <rdar://problem/47280215>
1799
1800         Reviewed by Michael Saboff.
1801
1802         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1803         (let.thing):
1804         (foo.let.hello):
1805         (foo):
1806
1807 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1808
1809         [JSC] Reenable baseline JIT on mips
1810         https://bugs.webkit.org/show_bug.cgi?id=192983
1811
1812         Reviewed by Mark Lam.
1813
1814         Added a new test for a case that was triggering a RELEASE_ASSERT when
1815         testing.
1816         Disable some slow tests that were already disabled for arm and x86.
1817
1818         * stress/json-parse-big-object.js: Added.
1819         * stress/new-largeish-contiguous-array-with-size.js:
1820         * stress/op_add.js:
1821         * stress/op_bitand.js:
1822         * stress/op_bitor.js:
1823         * stress/op_bitxor.js:
1824         * stress/op_lshift-ConstVar.js:
1825         * stress/op_lshift-VarConst.js:
1826         * stress/op_lshift-VarVar.js:
1827         * stress/op_mod-ConstVar.js:
1828         * stress/op_mod-VarConst.js:
1829         * stress/op_mod-VarVar.js:
1830         * stress/op_mul-ConstVar.js:
1831         * stress/op_mul-VarConst.js:
1832         * stress/op_mul-VarVar.js:
1833         * stress/op_rshift-ConstVar.js:
1834         * stress/op_rshift-VarConst.js:
1835         * stress/op_rshift-VarVar.js:
1836         * stress/op_sub-ConstVar.js:
1837         * stress/op_sub-VarConst.js:
1838         * stress/op_sub-VarVar.js:
1839         * stress/op_urshift-ConstVar.js:
1840         * stress/op_urshift-VarConst.js:
1841         * stress/op_urshift-VarVar.js:
1842         * stress/sampling-profiler-richards.js:
1843         * stress/spread-forward-call-varargs-stack-overflow.js:
1844
1845 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1846
1847         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1848         https://bugs.webkit.org/show_bug.cgi?id=193711
1849         <rdar://problem/47250262>
1850
1851         Reviewed by Saam Barati.
1852
1853         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1854         (shouldBe):
1855         (foo):
1856         (bar):
1857         (baz):
1858
1859 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1860
1861         Unreviewed, fix initial global lexical binding epoch
1862         https://bugs.webkit.org/show_bug.cgi?id=193603
1863         <rdar://problem/47380869>
1864
1865         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1866         (f1.f2.f3.f4):
1867         (f1.f2.f3):
1868         (f1.f2):
1869         (f1):
1870
1871 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1872
1873         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1874         https://bugs.webkit.org/show_bug.cgi?id=193709
1875         <rdar://problem/47363838>
1876
1877         Unreviewed, rollout to watch the tests.
1878
1879         * stress/object-tostring-changed-proto.js: Removed.
1880         * stress/object-tostring-changed.js: Removed.
1881         * stress/object-tostring-misc.js: Removed.
1882         * stress/object-tostring-other.js: Removed.
1883         * stress/object-tostring-untyped.js: Removed.
1884
1885 2019-01-22  Saam Barati  <sbarati@apple.com>
1886
1887         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1888
1889         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1890         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1891         (testUncheckedLessThanZero):
1892         (testUncheckedLessThanOrEqualZero):
1893         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1894         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1895
1896 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1897
1898         [JSC] Invalidate old scope operations using global lexical binding epoch
1899         https://bugs.webkit.org/show_bug.cgi?id=193603
1900         <rdar://problem/47380869>
1901
1902         Reviewed by Saam Barati.
1903
1904         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1905         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1906         (shouldThrow):
1907         (bar):
1908         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1909         (shouldBe):
1910         (get1):
1911         (get2):
1912         (get1If):
1913         (get2If):
1914         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1915         (shouldThrow):
1916         (foo):
1917
1918 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1919
1920         Unreviewed, roll out r240220 due to date-format-xparb regression
1921         https://bugs.webkit.org/show_bug.cgi?id=193603
1922
1923         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1924         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1925         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1926         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1927
1928 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1929
1930         DoesGC rule is wrong for nodes with BigIntUse
1931         https://bugs.webkit.org/show_bug.cgi?id=193652
1932
1933         Reviewed by Saam Barati.
1934
1935         * stress/big-int-value-op-update-gc-rules.js: Added.
1936         (assert):
1937         (doesGCAdd):
1938         (doesGCSub):
1939         (doesGCDiv):
1940         (doesGCMul):
1941         (doesGCBitAnd):
1942         (doesGCBitOr):
1943         (doesGCBitXor):
1944
1945 2019-01-20  Saam Barati  <sbarati@apple.com>
1946
1947         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1948         https://bugs.webkit.org/show_bug.cgi?id=193644
1949         <rdar://problem/46209745>
1950
1951         Reviewed by Yusuke Suzuki.
1952
1953         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1954         (foo):
1955         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1956         (foo):
1957         (bar):
1958
1959 2019-01-20  Saam Barati  <sbarati@apple.com>
1960
1961         MovHint must merge NodeBytecodeUsesAsValue for its child
1962         https://bugs.webkit.org/show_bug.cgi?id=186916
1963         <rdar://problem/41396612>
1964
1965         Reviewed by Yusuke Suzuki.
1966
1967         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1968         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1969
1970 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1971
1972         [JSC] Invalidate old scope operations using global lexical binding epoch
1973         https://bugs.webkit.org/show_bug.cgi?id=193603
1974         <rdar://problem/47380869>
1975
1976         Reviewed by Saam Barati.
1977
1978         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1979         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1980         (shouldThrow):
1981         (bar):
1982         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1983         (shouldBe):
1984         (get1):
1985         (get2):
1986         (get1If):
1987         (get2If):
1988         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1989         (shouldThrow):
1990         (foo):
1991
1992 2019-01-17  Saam barati  <sbarati@apple.com>
1993
1994         StringObjectUse should not be a structure check for the original string object structure
1995         https://bugs.webkit.org/show_bug.cgi?id=193483
1996         <rdar://problem/47280522>
1997
1998         Reviewed by Yusuke Suzuki.
1999
2000         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
2001         (foo):
2002         (a.valueOf.0):
2003
2004 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2005
2006         [JSC] ToThis omission in DFGByteCodeParser is wrong
2007         https://bugs.webkit.org/show_bug.cgi?id=193513
2008         <rdar://problem/45842236>
2009
2010         Reviewed by Saam Barati.
2011
2012         * stress/to-this-omission-with-different-strict-modes.js: Added.
2013         (thisA):
2014         (thisAStrictWrapper):
2015
2016 2019-01-15  Mark Lam  <mark.lam@apple.com>
2017
2018         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2019         https://bugs.webkit.org/show_bug.cgi?id=193423
2020         <rdar://problem/46209355>
2021
2022         Reviewed by Saam Barati.
2023
2024         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
2025         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
2026         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
2027         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
2028
2029 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2030
2031         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
2032         https://bugs.webkit.org/show_bug.cgi?id=193438
2033         <rdar://problem/45581249>
2034
2035         Reviewed by Saam Barati and Keith Miller.
2036
2037         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
2038         Then, GetByVal(String) crashed.
2039
2040         * stress/string-get-by-val-lowering.js: Added.
2041         (shouldBe):
2042         (test):
2043         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
2044         (Hello):
2045         (foo):
2046
2047 2019-01-15  Tomas Popela  <tpopela@redhat.com>
2048
2049         Unreviewed, skip JIT tests if it's not enabled
2050
2051         * stress/bit-op-with-object-returning-int32.js:
2052
2053 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
2054
2055         DFGByteCodeParser rules for bitwise operations should consider type of their operands
2056         https://bugs.webkit.org/show_bug.cgi?id=192966
2057
2058         Reviewed by Yusuke Suzuki.
2059
2060         * stress/bit-op-with-object-returning-int32.js: Added.
2061
2062 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
2063
2064         Skip a slow test and a flakey test on arm
2065
2066         Unreviewed gardening.
2067
2068         * typeProfiler/getter-richards.js:
2069         this test always times out, it used to be always skipped on arm and
2070         mips, but got accidentally enabled by r237919 now that we have DFG on
2071         arm. Also skipping on mips as we plan to soon enable DFG for it too.
2072
2073 2019-01-14  Keith Miller  <keith_miller@apple.com>
2074
2075         Skip type-check-hoisting-phase-hoist... with no jit
2076         https://bugs.webkit.org/show_bug.cgi?id=193421
2077
2078         Reviewed by Mark Lam.
2079
2080         It's timing out the 32-bit bots and takes 330 seconds
2081         on my machine when run by itself.
2082
2083         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
2084
2085 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2086
2087         [JSC] AI should check the given constant's array type when folding GetByVal into constant
2088         https://bugs.webkit.org/show_bug.cgi?id=193413
2089         <rdar://problem/46092389>
2090
2091         Reviewed by Keith Miller.
2092
2093         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
2094         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
2095         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
2096         but GetByVal does not have appropriate ArrayModes, JSC crashes.
2097
2098         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
2099         (compareArray):
2100
2101 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
2102
2103         [BigInt] Literal parsing is crashing when used inside a Object Literal
2104         https://bugs.webkit.org/show_bug.cgi?id=193404
2105
2106         Reviewed by Yusuke Suzuki.
2107
2108         * stress/big-int-literal-inside-literal-object.js: Added.
2109
2110 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2111
2112         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
2113         https://bugs.webkit.org/show_bug.cgi?id=193372
2114
2115         Reviewed by Saam Barati.
2116
2117         * stress/typed-array-array-modes-profile.js: Added.
2118         (foo):
2119
2120 2019-01-14  Mark Lam  <mark.lam@apple.com>
2121
2122         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
2123         https://bugs.webkit.org/show_bug.cgi?id=193402
2124         <rdar://problem/46012309>
2125
2126         Reviewed by Keith Miller.
2127
2128         * stress/regexp-compile-oom.js:
2129         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
2130           is enabled.  As a result, it will fail on cloop builds though there is no bug.
2131
2132 2019-01-11  Saam barati  <sbarati@apple.com>
2133
2134         DFG combined liveness can be wrong for terminal basic blocks
2135         https://bugs.webkit.org/show_bug.cgi?id=193304
2136         <rdar://problem/45268632>
2137
2138         Reviewed by Yusuke Suzuki.
2139
2140         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
2141
2142 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2143
2144         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
2145         https://bugs.webkit.org/show_bug.cgi?id=193308
2146         <rdar://problem/45546542>
2147
2148         Reviewed by Saam Barati.
2149
2150         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2151         (shouldThrow):
2152         (shouldBe):
2153         (foo):
2154         (get shouldThrow):
2155         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2156         (shouldThrow):
2157         (shouldBe):
2158         (foo):
2159         (get shouldBe):
2160         (get shouldThrow):
2161         (get return):
2162         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2163         (shouldThrow):
2164         (shouldBe):
2165         (foo):
2166         (get shouldBe):
2167         (get shouldThrow):
2168         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
2169         (shouldThrow):
2170         (shouldBe):
2171         (foo):
2172         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2173         (shouldThrow):
2174         (shouldBe):
2175         (foo):
2176         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
2177         (shouldThrow):
2178         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
2179         (shouldThrow):
2180         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2181         (shouldThrow):
2182         (shouldBe):
2183         (foo):
2184         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2185         (shouldThrow):
2186         (shouldBe):
2187         (foo):
2188         (get shouldBe):
2189         (get shouldThrow):
2190         (get return):
2191         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2192         (shouldThrow):
2193         (shouldBe):
2194         (foo):
2195         (get shouldBe):
2196         (get shouldThrow):
2197         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
2198         (shouldThrow):
2199         (shouldBe):
2200         (foo):
2201         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2202         (shouldThrow):
2203         (shouldBe):
2204         (foo):
2205
2206 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
2207
2208         Enable DFG on ARM/Linux again
2209         https://bugs.webkit.org/show_bug.cgi?id=192496
2210
2211         Reviewed by Yusuke Suzuki.
2212
2213         Test wasn't really skipped before moving the line with skip
2214         to the top.
2215
2216         * stress/regress-192717.js:
2217
2218 2019-01-10  Commit Queue  <commit-queue@webkit.org>
2219
2220         Unreviewed, rolling out r239825.
2221         https://bugs.webkit.org/show_bug.cgi?id=193330
2222
2223         Broke tests on armv7/linux bots (Requested by guijemont on
2224         #webkit).
2225
2226         Reverted changeset:
2227
2228         "Enable DFG on ARM/Linux again"
2229         https://bugs.webkit.org/show_bug.cgi?id=192496
2230         https://trac.webkit.org/changeset/239825
2231
2232 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
2233
2234         Enable DFG on ARM/Linux again
2235         https://bugs.webkit.org/show_bug.cgi?id=192496
2236
2237         Reviewed by Yusuke Suzuki.
2238
2239         Test wasn't really skipped before moving the line with skip
2240         to the top.
2241
2242         * stress/regress-192717.js:
2243
2244 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2245
2246         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
2247         https://bugs.webkit.org/show_bug.cgi?id=193127
2248
2249         Reviewed by Saam Barati.
2250
2251         * stress/array-species-create-should-handle-masquerader.js: Added.
2252         (shouldThrow):
2253         * stress/is-undefined-or-null-builtin.js: Added.
2254         (shouldBe):
2255         (isUndefinedOrNull.vm.createBuiltin):
2256
2257 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
2258
2259         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
2260         https://bugs.webkit.org/show_bug.cgi?id=193221
2261
2262         Reviewed by Mark Lam.
2263
2264         * stress/put-by-id-flags.js: Added.
2265         (f):
2266         (g):
2267         (numberOfDFGCompiles):
2268
2269 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
2270
2271         Baseline version of get_by_id may corrupt metadata
2272         https://bugs.webkit.org/show_bug.cgi?id=193085
2273         <rdar://problem/23453006>
2274
2275         Reviewed by Saam Barati.
2276
2277         * stress/get-by-id-change-mode.js: Added.
2278         (forEach):
2279
2280 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2281
2282         [JSC] Optimize Object.prototype.toString
2283         https://bugs.webkit.org/show_bug.cgi?id=193031
2284
2285         Reviewed by Saam Barati.
2286
2287         * stress/object-tostring-changed-proto.js: Added.
2288         (shouldBe):
2289         (test):
2290         * stress/object-tostring-changed.js: Added.
2291         (shouldBe):
2292         (test):
2293         * stress/object-tostring-misc.js: Added.
2294         (shouldBe):
2295         (test):
2296         (i.switch):
2297         * stress/object-tostring-other.js: Added.
2298         (shouldBe):
2299         (test):
2300         * stress/object-tostring-untyped.js: Added.
2301         (shouldBe):
2302         (test):
2303         (i.switch):
2304
2305 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
2306
2307         test262-runner misbehaves when test file YAML has a trailing space
2308         https://bugs.webkit.org/show_bug.cgi?id=193053
2309
2310         Reviewed by Yusuke Suzuki.
2311
2312         * test262/expectations.yaml:
2313         Mark two dozen tests as passing (and correct the output of another).
2314
2315 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2316
2317         Unreviewed, JSTests gardening with memoryLimited
2318
2319         * stress/string-overflow-createError.js:
2320
2321 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
2322
2323         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2324         https://bugs.webkit.org/show_bug.cgi?id=193050
2325
2326         Reviewed by Yusuke Suzuki.
2327
2328         * test262.yaml:
2329         * test262/expectations.yaml:
2330         Mark 16 tests as passing.
2331
2332 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2333
2334         [BigInt] Support BigInt in JSON.stringify
2335         https://bugs.webkit.org/show_bug.cgi?id=192624
2336
2337         Reviewed by Saam Barati.
2338
2339         * stress/big-int-json-stringify-to-json.js: Added.
2340         (shouldBe):
2341         (shouldThrow):
2342         (BigInt.prototype.toJSON):
2343         (shouldBe.JSON.stringify):
2344         * stress/big-int-json-stringify.js: Added.
2345         (shouldBe):
2346         (shouldThrow):
2347
2348 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2349
2350         [JSC] Implement "well-formed JSON.stringify" proposal
2351         https://bugs.webkit.org/show_bug.cgi?id=191677
2352
2353         Reviewed by Darin Adler.
2354
2355         * stress/json-surrogate-pair.js: Added.
2356         (shouldBe):
2357         * test262/expectations.yaml:
2358
2359 2018-12-20  Keith Miller  <keith_miller@apple.com>
2360
2361         Add support for globalThis
2362         https://bugs.webkit.org/show_bug.cgi?id=165171
2363
2364         Reviewed by Mark Lam.
2365
2366         * test262/config.yaml:
2367
2368 2018-12-19  Keith Miller  <keith_miller@apple.com>
2369
2370         Update test262 configuration to not run tests dependent on ICU version.
2371         https://bugs.webkit.org/show_bug.cgi?id=192920
2372
2373         Reviewed by Saam Barati.
2374
2375         * test262/expectations.yaml:
2376
2377 2018-12-20  Mark Lam  <mark.lam@apple.com>
2378
2379         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2380         https://bugs.webkit.org/show_bug.cgi?id=192939
2381         <rdar://problem/46869516>
2382
2383         Reviewed by Keith Miller.
2384
2385         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2386
2387 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2388
2389         WTF::String and StringImpl overflow MaxLength
2390         https://bugs.webkit.org/show_bug.cgi?id=192853
2391         <rdar://problem/45726906>
2392
2393         Reviewed by Mark Lam.
2394
2395         * stress/string-16bit-repeat-overflow.js: Added.
2396         (catch):
2397
2398 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2399
2400         Unreviewed follow-up to r192914.
2401
2402         * test262/expectations.yaml:
2403         Add the last 20 missing expectations.
2404
2405 2018-12-19  Keith Miller  <keith_miller@apple.com>
2406
2407         Fix test262 expectations
2408         https://bugs.webkit.org/show_bug.cgi?id=192914
2409
2410         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2411
2412         * test262/expectations.yaml:
2413
2414 2018-12-19  Keith Miller  <keith_miller@apple.com>
2415
2416         Update test262 tests.
2417         https://bugs.webkit.org/show_bug.cgi?id=192907
2418
2419         Rubber stamped by Mark Lam.
2420
2421         * test262/*: Omitted because prepare-changelog crashes.
2422
2423 2018-12-19  Mark Lam  <mark.lam@apple.com>
2424
2425         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2426         https://bugs.webkit.org/show_bug.cgi?id=192464
2427         <rdar://problem/46519455>
2428
2429         Reviewed by Saam Barati.
2430
2431         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2432         microbenchmark.
2433
2434         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2435         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2436
2437 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2438
2439         String overflow in JSC::createError results in ASSERT in WTF::makeString
2440         https://bugs.webkit.org/show_bug.cgi?id=192833
2441         <rdar://problem/45706868>
2442
2443         Reviewed by Mark Lam.
2444
2445         * stress/string-overflow-createError.js: Added.
2446
2447 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2448
2449         Error message for `-x ** y` contains a typo.
2450         https://bugs.webkit.org/show_bug.cgi?id=192832
2451
2452         Reviewed by Saam Barati.
2453
2454         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2455         (assert.assert.return.throws):
2456         * stress/pow-expects-update-expression-on-lhs.js:
2457         (throw.new.Error):
2458         Update test expectations which match against the exact error message.
2459
2460 2018-12-18  Mark Lam  <mark.lam@apple.com>
2461
2462         Gardening: test options fix.
2463         https://bugs.webkit.org/show_bug.cgi?id=192822
2464
2465         Unreviewed.
2466
2467         * stress/json-stringify-string-builder-overflow.js:
2468
2469 2018-12-18  Mark Lam  <mark.lam@apple.com>
2470
2471         JSON.stringify() should throw OOM on StringBuilder overflows.
2472         https://bugs.webkit.org/show_bug.cgi?id=192822
2473         <rdar://problem/46670577>
2474
2475         Reviewed by Saam Barati.
2476
2477         * stress/json-stringify-string-builder-overflow.js: Added.
2478
2479 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2480
2481         Redeclaration of var over let/const/class should be a syntax error.
2482         https://bugs.webkit.org/show_bug.cgi?id=192298
2483
2484         Reviewed by Keith Miller.
2485
2486         * test262.yaml:
2487         * test262/expectations.yaml:
2488         Mark 46 tests as passing.
2489
2490         * stress/block-scope-redeclarations.js:
2491         Add some new tests.
2492
2493         * stress/for-in-invalidate-context-weird-assignments.js:
2494         * stress/for-in-tests.js:
2495         Replace tests for outdated behavior with tests for SyntaxError.
2496
2497         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2498         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2499         Update expectations.
2500
2501 2018-12-18  Mark Lam  <mark.lam@apple.com>
2502
2503         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2504         https://bugs.webkit.org/show_bug.cgi?id=191374
2505         <rdar://problem/46525447>
2506
2507         Reviewed by Yusuke Suzuki.
2508
2509         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2510
2511         * stress/elidable-new-object-roflcopter-then-exit.js:
2512
2513 2018-12-17  Mark Lam  <mark.lam@apple.com>
2514
2515         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2516         https://bugs.webkit.org/show_bug.cgi?id=192019
2517         <rdar://problem/46525456>
2518
2519         Reviewed by Yusuke Suzuki.
2520
2521         The test runs too slow on 32-bit.
2522
2523         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2524
2525 2018-12-17  Mark Lam  <mark.lam@apple.com>
2526
2527         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2528         https://bugs.webkit.org/show_bug.cgi?id=191373
2529         <rdar://problem/46525458>
2530
2531         Reviewed by Yusuke Suzuki.
2532
2533         The test is already slow running with a JIT on 64-bit.  It will always timeout
2534         on 32-bit without a JIT.
2535
2536         * stress/materialize-regexp-cyclic-regexp.js:
2537
2538 2018-12-17  Mark Lam  <mark.lam@apple.com>
2539
2540         Array unshift/shift should not race against the AI in the compiler thread.
2541         https://bugs.webkit.org/show_bug.cgi?id=192795
2542         <rdar://problem/46724263>
2543
2544         Reviewed by Saam Barati.
2545
2546         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2547
2548 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2549
2550         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2551         https://bugs.webkit.org/show_bug.cgi?id=190047
2552
2553         Reviewed by Saam Barati.
2554
2555         * stress/object-keys-cached-zero.js: Added.
2556         (shouldBe):
2557         (test):
2558         * stress/object-keys-changed-attribute.js: Added.
2559         (shouldBe):
2560         (test):
2561         * stress/object-keys-changed-index.js: Added.
2562         (shouldBe):
2563         (test):
2564         * stress/object-keys-changed.js: Added.
2565         (shouldBe):
2566         (test):
2567         * stress/object-keys-indexed-non-cache.js: Added.
2568         (shouldBe):
2569         (test):
2570         * stress/object-keys-overrides-get-property-names.js: Added.
2571         (shouldBe):
2572         (test):
2573         (noInline):
2574
2575 2018-12-17  Mark Lam  <mark.lam@apple.com>
2576
2577         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2578         https://bugs.webkit.org/show_bug.cgi?id=192779
2579         <rdar://problem/46775869>
2580
2581         Reviewed by Saam Barati.
2582
2583         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2584
2585 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2586
2587         Unreviewed test gardening, address a syntax error in a new test.
2588
2589         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2590
2591 2018-12-17  Mark Lam  <mark.lam@apple.com>
2592
2593         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2594         https://bugs.webkit.org/show_bug.cgi?id=192776
2595         <rdar://problem/46772368>
2596
2597         Reviewed by Keith Miller.
2598
2599         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2600
2601 2018-12-17  Mark Lam  <mark.lam@apple.com>
2602
2603         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2604         https://bugs.webkit.org/show_bug.cgi?id=192770
2605         <rdar://problem/46449037>
2606
2607         Reviewed by Keith Miller.
2608
2609         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2610
2611 2018-12-14  Mark Lam  <mark.lam@apple.com>
2612
2613         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2614         https://bugs.webkit.org/show_bug.cgi?id=192717
2615         <rdar://problem/46660677>
2616
2617         Reviewed by Saam Barati.
2618
2619         * stress/regress-192717.js: Added.
2620
2621 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2622
2623         Unreviewed, rolling out r239153, r239154, and r239155.
2624         https://bugs.webkit.org/show_bug.cgi?id=192715
2625
2626         Caused flaky GC-related crashes seen with layout tests
2627         (Requested by ryanhaddad on #webkit).
2628
2629         Reverted changesets:
2630
2631         "[JSC] Optimize Object.keys by caching own keys results in
2632         StructureRareData"
2633         https://bugs.webkit.org/show_bug.cgi?id=190047
2634         https://trac.webkit.org/changeset/239153
2635
2636         "Unreviewed, build fix after r239153"
2637         https://bugs.webkit.org/show_bug.cgi?id=190047
2638         https://trac.webkit.org/changeset/239154
2639
2640         "Unreviewed, build fix after r239153, part 2"
2641         https://bugs.webkit.org/show_bug.cgi?id=190047
2642         https://trac.webkit.org/changeset/239155
2643
2644 2018-12-14  Keith Miller  <keith_miller@apple.com>
2645
2646         Callers of JSString::getIndex should check for OOM exceptions
2647         https://bugs.webkit.org/show_bug.cgi?id=192709
2648
2649         Reviewed by Mark Lam.
2650
2651         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2652
2653 2018-12-13  Mark Lam  <mark.lam@apple.com>
2654
2655         Add a missing exception check.
2656         https://bugs.webkit.org/show_bug.cgi?id=192626
2657         <rdar://problem/46662163>
2658
2659         Reviewed by Keith Miller.
2660
2661         * stress/regress-192626.js: Added.
2662
2663 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2664
2665         [BigInt] Add ValueDiv into DFG
2666         https://bugs.webkit.org/show_bug.cgi?id=186178
2667
2668         Reviewed by Yusuke Suzuki.
2669
2670         * stress/big-int-div-jit-osr.js: Added.
2671         * stress/big-int-div-jit-untyped.js: Added.
2672         * stress/value-div-fixup-int32-big-int.js: Added.
2673
2674 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2675
2676         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2677         https://bugs.webkit.org/show_bug.cgi?id=190047
2678
2679         Reviewed by Keith Miller.
2680
2681         * stress/object-keys-cached-zero.js: Added.
2682         (shouldBe):
2683         (test):
2684         * stress/object-keys-changed-attribute.js: Added.
2685         (shouldBe):
2686         (test):
2687         * stress/object-keys-changed-index.js: Added.
2688         (shouldBe):
2689         (test):
2690         * stress/object-keys-changed.js: Added.
2691         (shouldBe):
2692         (test):
2693         * stress/object-keys-indexed-non-cache.js: Added.
2694         (shouldBe):
2695         (test):
2696         * stress/object-keys-overrides-get-property-names.js: Added.
2697         (shouldBe):
2698         (test):
2699         (noInline):
2700
2701 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2702
2703         [DFG][FTL] Add NewSymbol
2704         https://bugs.webkit.org/show_bug.cgi?id=192620
2705
2706         Reviewed by Saam Barati.
2707
2708         * microbenchmarks/symbol-creation.js: Added.
2709         (test):
2710         * stress/symbol-description-identity.js: Added.
2711         (shouldBe):
2712         (test):
2713         * stress/symbol-identity.js: Added.
2714         (shouldBe):
2715         (test):
2716         * stress/symbol-with-description-throw-error.js: Added.
2717         (shouldBe):
2718         (shouldThrow):
2719         (test):
2720         (object.toString):
2721
2722 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2723
2724         [BigInt] Implement DFG/FTL typeof for BigInt
2725         https://bugs.webkit.org/show_bug.cgi?id=192619
2726
2727         Reviewed by Keith Miller.
2728
2729         * stress/big-int-boolean-proven-type.js: Added.
2730         (assert):
2731         (bool):
2732         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2733         (assert):
2734         (typeOf):
2735         (i.switch):
2736         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2737         (assert):
2738         (typeOf):
2739         * stress/big-int-type-of.js:
2740         (typeOf):
2741         (func):
2742
2743 2018-12-10  Mark Lam  <mark.lam@apple.com>
2744
2745         PropertyAttribute needs a CustomValue bit.
2746         https://bugs.webkit.org/show_bug.cgi?id=191993
2747         <rdar://problem/46264467>
2748
2749         Reviewed by Saam Barati.
2750
2751         * stress/regress-191993.js: Added.
2752
2753 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2754
2755         [BigInt] Add ValueMul into DFG
2756         https://bugs.webkit.org/show_bug.cgi?id=186175
2757
2758         Reviewed by Yusuke Suzuki.
2759
2760         * stress/big-int-mul-jit-osr.js: Added.
2761         * stress/big-int-mul-jit-untyped.js: Added.
2762         * stress/value-mul-fixup-int32-big-int.js: Added.
2763
2764 2018-12-06  Keith Miller  <keith_miller@apple.com>
2765
2766         stress/big-wasm-memory tests failing on 32-bit JSC bot
2767         https://bugs.webkit.org/show_bug.cgi?id=192020
2768
2769         Reviewed by Saam Barati.
2770
2771         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2772         the wasm stress tests if the WebAssembly object does not exist.
2773
2774         * stress/big-wasm-memory-grow-no-max.js:
2775         (test.foo):
2776         (test):
2777         (foo): Deleted.
2778         (catch): Deleted.
2779         * stress/big-wasm-memory-grow.js:
2780         (test.foo):
2781         (test):
2782         (foo): Deleted.
2783         (catch): Deleted.
2784         * stress/big-wasm-memory.js:
2785         (test.foo):
2786         (test):
2787         (foo): Deleted.
2788         (catch): Deleted.
2789
2790 2018-12-05  Mark Lam  <mark.lam@apple.com>
2791
2792         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2793         https://bugs.webkit.org/show_bug.cgi?id=192441
2794         <rdar://problem/46480355>
2795
2796         Reviewed by Saam Barati.
2797
2798         * stress/regress-192441.js: Added.
2799
2800 2018-12-04  Mark Lam  <mark.lam@apple.com>
2801
2802         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2803         https://bugs.webkit.org/show_bug.cgi?id=192386
2804         <rdar://problem/46445516>
2805
2806         Reviewed by Saam Barati.
2807
2808         * stress/regress-192386.js: Added.
2809
2810 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2811
2812         [ESNext][BigInt] Support logic operations
2813         https://bugs.webkit.org/show_bug.cgi?id=179903
2814
2815         Reviewed by Yusuke Suzuki.
2816
2817         * stress/big-int-branch-usage.js: Added.
2818         * stress/big-int-logical-and.js: Added.
2819         * stress/big-int-logical-not.js: Added.
2820         * stress/big-int-logical-or.js: Added.
2821
2822 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2823
2824         Unreviewed, rolling out r238833.
2825
2826         Breaks macOS and iOS debug builds.
2827
2828         Reverted changeset:
2829
2830         "[ESNext][BigInt] Support logic operations"
2831         https://bugs.webkit.org/show_bug.cgi?id=179903
2832         https://trac.webkit.org/changeset/238833
2833
2834 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2835
2836         [ESNext][BigInt] Support logic operations
2837         https://bugs.webkit.org/show_bug.cgi?id=179903
2838
2839         Reviewed by Yusuke Suzuki.
2840
2841         * stress/big-int-branch-usage.js: Added.
2842         * stress/big-int-logical-and.js: Added.
2843         * stress/big-int-logical-not.js: Added.
2844         * stress/big-int-logical-or.js: Added.
2845
2846 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2847
2848         [ESNext][BigInt] Implement support for "<<" and ">>"
2849         https://bugs.webkit.org/show_bug.cgi?id=186233
2850
2851         Reviewed by Yusuke Suzuki.
2852
2853         * stress/big-int-left-shift-general.js: Added.
2854         * stress/big-int-left-shift-range-error.js: Added.
2855         * stress/big-int-left-shift-type-error.js: Added.
2856         * stress/big-int-left-shift-wrapped-value.js: Added.
2857         * stress/big-int-right-shift-general.js: Added.
2858         * stress/big-int-right-shift-type-error.js: Added.
2859         * stress/big-int-right-shift-wrapped-value.js: Added.
2860         * stress/left-shift-to-primitive-precedence.js: Added.
2861         * stress/right-shift-to-primitive-precedence.js: Added.
2862
2863 2018-11-30  Dean Jackson  <dino@apple.com>
2864
2865         Add first-class support for .mjs files in jsc binary
2866         https://bugs.webkit.org/show_bug.cgi?id=192190
2867         <rdar://problem/46375715>
2868
2869         Reviewed by Keith Miller.
2870
2871         * stress/simple-module.mjs: Added.
2872         * stress/simple-script.js: Added.
2873
2874 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2875
2876         [BigInt] Implement ValueBitXor into DFG
2877         https://bugs.webkit.org/show_bug.cgi?id=190264
2878
2879         Reviewed by Yusuke Suzuki.
2880
2881         * stress/big-int-bitwise-xor-jit.js: Added.
2882         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2883         * stress/big-int-bitwise-xor-untyped.js: Added.
2884
2885 2018-11-27  Saam barati  <sbarati@apple.com>
2886
2887         r238510 broke scopes of size zero
2888         https://bugs.webkit.org/show_bug.cgi?id=192033
2889         <rdar://problem/46281734>
2890
2891         Reviewed by Keith Miller.
2892
2893         * stress/r238510-bad-loop.js: Added.
2894         (foo):
2895
2896 2018-11-27  Mark Lam  <mark.lam@apple.com>
2897
2898         [Re-landing] NaNs read from Wasm code needs to be be purified.
2899         https://bugs.webkit.org/show_bug.cgi?id=191056
2900         <rdar://problem/45660341>
2901
2902         Reviewed by Filip Pizlo.
2903
2904         * wasm/regress/regress-191056.js: Added.
2905
2906 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2907
2908         Unreviewed, rolling out r238509.
2909
2910         Causes JSC tests to fail on iOS.
2911
2912         Reverted changeset:
2913
2914         "NaNs read from Wasm code needs to be be purified."
2915         https://bugs.webkit.org/show_bug.cgi?id=191056
2916         https://trac.webkit.org/changeset/238509
2917
2918 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2919
2920         Re-introduce op_bitnot
2921         https://bugs.webkit.org/show_bug.cgi?id=190923
2922
2923         Reviewed by Yusuke Suzuki.
2924
2925         * stress/bit-not-must-generate.js: Added.
2926         * stress/bitwise-not-no-int32.js: Added.
2927
2928 2018-11-26  Saam barati  <sbarati@apple.com>
2929
2930         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2931         https://bugs.webkit.org/show_bug.cgi?id=191956
2932         <rdar://problem/45665806>
2933
2934         Reviewed by Yusuke Suzuki.
2935
2936         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2937         (bar):
2938         (foo):
2939
2940 2018-11-26  Saam barati  <sbarati@apple.com>
2941
2942         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2943         https://bugs.webkit.org/show_bug.cgi?id=191958
2944         <rdar://problem/46221877>
2945
2946         Reviewed by Yusuke Suzuki.
2947
2948         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2949         (x):
2950         (foo):
2951
2952 2018-11-26  Mark Lam  <mark.lam@apple.com>
2953
2954         NaNs read from Wasm code needs to be be purified.
2955         https://bugs.webkit.org/show_bug.cgi?id=191056
2956         <rdar://problem/45660341>
2957
2958         Reviewed by Filip Pizlo.
2959
2960         * wasm/regress/regress-191056.js: Added.
2961
2962 2018-11-26  Michael Saboff  <msaboff@apple.com>
2963
2964         32-bit JSC test failure: stress/regexp-compile-oom.js
2965         https://bugs.webkit.org/show_bug.cgi?id=191375
2966
2967         Reviewed by Mark Lam.
2968
2969         Disabled the test for 32 bit platforms.
2970
2971         * stress/regexp-compile-oom.js:
2972
2973 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2974
2975         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2976         https://bugs.webkit.org/show_bug.cgi?id=191716
2977         <rdar://problem/45723878>
2978
2979         Reviewed by Saam Barati.
2980
2981         * stress/regress-187373.js: Added.
2982         (async.fn):
2983
2984 2018-11-21  Saam barati  <sbarati@apple.com>
2985
2986         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2987         https://bugs.webkit.org/show_bug.cgi?id=191897
2988         <rdar://problem/45871998>
2989
2990         Reviewed by Mark Lam.
2991
2992         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2993         (bar):
2994         (foo):
2995
2996 2018-11-21  Saam barati  <sbarati@apple.com>
2997
2998         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2999         https://bugs.webkit.org/show_bug.cgi?id=191895
3000         <rdar://problem/46167406>
3001
3002         Reviewed by Mark Lam.
3003
3004         * stress/known-cell-use-needs-type-check-assertion.js: Added.
3005         (foo):
3006         (bar):
3007
3008 2018-11-21  Mark Lam  <mark.lam@apple.com>
3009
3010         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
3011         https://bugs.webkit.org/show_bug.cgi?id=191776
3012         <rdar://problem/46152851>
3013
3014         Reviewed by Saam Barati.
3015
3016         * stress/big-wasm-memory-grow-no-max.js:
3017         * stress/big-wasm-memory-grow.js:
3018         * stress/big-wasm-memory.js:
3019         - updated these to expect an OutOfMemoryError.
3020
3021         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
3022         (Binary.prototype.emit_u8):
3023         (Binary.prototype.emit_u32v):
3024         (Binary.prototype.emit_header):
3025         (Binary.prototype.emit_section):
3026         (Binary):
3027         (WasmModuleBuilder):
3028         (WasmModuleBuilder.prototype.addMemory):
3029         (WasmModuleBuilder.prototype.toArray):
3030         (WasmModuleBuilder.prototype.toBuffer):
3031         (WasmModuleBuilder.prototype.instantiate):
3032         (catch):
3033         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
3034         (catch):
3035
3036 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
3037
3038         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3039         https://bugs.webkit.org/show_bug.cgi?id=190836
3040
3041         Reviewed by Saam Barati and Yusuke Suzuki.
3042
3043         * stress/big-int-out-of-memory-tests.js: Added.
3044
3045 2018-11-20  Mark Lam  <mark.lam@apple.com>
3046
3047         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
3048         https://bugs.webkit.org/show_bug.cgi?id=191856
3049         <rdar://problem/46089992>
3050
3051         Reviewed by Yusuke Suzuki.
3052
3053         * stress/regress-191856.js: Added.
3054         - this test is skipped for now until we have a fix for webkit.org/b/191855.
3055
3056 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
3057
3058         Enable JIT on ARM/Linux
3059         https://bugs.webkit.org/show_bug.cgi?id=191548
3060
3061         Reviewed by Yusuke Suzuki.
3062
3063         Disable test on system with limited memory. Program was killed by
3064         the OS before the exception was thrown.
3065
3066         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
3067
3068 2018-11-20  Saam barati  <sbarati@apple.com>
3069
3070         Merging an IC variant may lead to the IC status containing overlapping structure sets
3071         https://bugs.webkit.org/show_bug.cgi?id=191869
3072         <rdar://problem/45403453>
3073
3074         Reviewed by Mark Lam.
3075
3076         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
3077
3078 2018-11-19  Mark Lam  <mark.lam@apple.com>
3079
3080         globalFuncImportModule() should return a promise when it clears exceptions.
3081         https://bugs.webkit.org/show_bug.cgi?id=191792
3082         <rdar://problem/46090763>
3083
3084         Reviewed by Michael Saboff.
3085
3086         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
3087
3088 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
3089
3090         Skip new memory-hungry tests on memory limited devices
3091
3092         Unreviewed gardening.
3093
3094         * stress/big-wasm-memory-grow-no-max.js:
3095         * stress/big-wasm-memory-grow.js:
3096         * stress/big-wasm-memory.js:
3097
3098 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3099
3100         Unreviewed, rolling in the rest of r237254
3101         https://bugs.webkit.org/show_bug.cgi?id=190340
3102
3103         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3104         * stress/function-cache-with-parameters-end-position.js: Added.
3105         (shouldBe):
3106         (shouldThrow):
3107         (i.anonymous):
3108         * stress/function-constructor-name.js: Added.
3109         (shouldBe):
3110         (GeneratorFunction):
3111         (AsyncFunction.async):
3112         (AsyncGeneratorFunction.async):
3113         (anonymous):
3114         (async.anonymous):
3115         * test262/expectations.yaml:
3116
3117 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3118
3119         All users of ArrayBuffer should agree on the same max size
3120         https://bugs.webkit.org/show_bug.cgi?id=191771
3121
3122         Reviewed by Mark Lam.
3123
3124         * stress/big-wasm-memory-grow-no-max.js: Added.
3125         (foo):
3126         (catch):
3127         * stress/big-wasm-memory-grow.js: Added.
3128         (foo):
3129         (catch):
3130         * stress/big-wasm-memory.js: Added.
3131         (foo):
3132         (catch):
3133
3134 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3135
3136         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
3137         run for each JSC config since they're regression tests for runtime bugs.
3138
3139         * stress/json-stringified-overflow-2.js:
3140         * stress/json-stringified-overflow.js:
3141
3142 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3143
3144         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
3145         config since they're regression tests for runtime bugs.
3146
3147         * stress/large-unshift-splice.js:
3148         * stress/regress-185888.js:
3149
3150 2018-11-16  Saam Barati  <sbarati@apple.com>
3151
3152         KnownCellUse should also have SpecCellCheck as its type filter
3153         https://bugs.webkit.org/show_bug.cgi?id=191729
3154         <rdar://problem/45872852>
3155
3156         Reviewed by Filip Pizlo.
3157
3158         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
3159         (C):
3160
3161 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
3162
3163         Fix assertion failure on BytecodeGenerator::recordOpcode
3164         https://bugs.webkit.org/show_bug.cgi?id=191724
3165         <rdar://problem/45724395>
3166
3167         Reviewed by Saam Barati.
3168
3169         * stress/regress-187373-2.js: Added.
3170         (foo):
3171
3172 2018-11-15  Mark Lam  <mark.lam@apple.com>
3173
3174         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
3175         https://bugs.webkit.org/show_bug.cgi?id=191730
3176         <rdar://problem/46048517>
3177
3178         Reviewed by Saam Barati.
3179
3180         * stress/regress-187006.js: Removed.
3181           - this test is invalid because its sole purpose is to test for the non-spec
3182             compliant behavior that we just fixed.
3183
3184         * stress/regress-191730.js: Added.
3185
3186 2018-11-15  Mark Lam  <mark.lam@apple.com>
3187
3188         RegExp operations should not take fast patch if lastIndex is not numeric.
3189         https://bugs.webkit.org/show_bug.cgi?id=191731
3190         <rdar://problem/46017305>
3191
3192         Reviewed by Saam Barati.
3193
3194         * stress/regress-191731.js: Added.
3195
3196 2018-11-13  Saam Barati  <sbarati@apple.com>
3197
3198         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
3199         https://bugs.webkit.org/show_bug.cgi?id=191600
3200
3201         Reviewed by Mark Lam.
3202
3203         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
3204         (foo):
3205         (test):
3206         (bar):
3207
3208 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
3209
3210         Unreviewed, rolling out r238132.
3211
3212         The test added with this change is timing out on Debug JSC
3213         bots.
3214
3215         Reverted changeset:
3216
3217         "[BigInt] JSBigInt::createWithLength should throw when length
3218         is greater than JSBigInt::maxLength"
3219         https://bugs.webkit.org/show_bug.cgi?id=190836
3220         https://trac.webkit.org/changeset/238132
3221
3222 2018-11-13  Mark Lam  <mark.lam@apple.com>
3223
3224         Add OOM detection to StringPrototype's substituteBackreferences().
3225         https://bugs.webkit.org/show_bug.cgi?id=191563
3226         <rdar://problem/45720428>
3227
3228         Reviewed by Saam Barati.
3229
3230         * stress/regress-191563.js: Added.
3231
3232 2018-11-13  Mark Lam  <mark.lam@apple.com>
3233
3234         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
3235         https://bugs.webkit.org/show_bug.cgi?id=191579
3236         <rdar://problem/45942472>
3237
3238         Reviewed by Saam Barati.
3239
3240         * stress/regress-191579.js: Added.
3241
3242 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
3243
3244         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3245         https://bugs.webkit.org/show_bug.cgi?id=190836
3246
3247         Reviewed by Saam Barati.
3248
3249         * stress/big-int-out-of-memory-tests.js: Added.
3250
3251 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
3252
3253         U+180E is no longer a whitespace character
3254         https://bugs.webkit.org/show_bug.cgi?id=191415
3255
3256         Reviewed by Saam Barati.
3257
3258         * ChakraCore/test/es5/regexSpace.baseline:
3259         * ChakraCore/test/es6/unicode_whitespace.js:
3260         Update tests to latest version.
3261         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
3262
3263         * test262.yaml:
3264         * test262/config.yaml:
3265         * test262/expectations.yaml:
3266         Update expectations.
3267
3268 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
3269
3270         [BigInt] Add support to BigInt into ValueAdd
3271         https://bugs.webkit.org/show_bug.cgi?id=186177
3272
3273         Reviewed by Keith Miller.
3274
3275         * stress/big-int-negate-jit.js:
3276         * stress/value-add-big-int-and-string.js: Added.
3277         * stress/value-add-big-int-prediction-propagation.js: Added.
3278         * stress/value-add-big-int-untyped.js: Added.
3279
3280 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
3281
3282         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
3283         https://bugs.webkit.org/show_bug.cgi?id=191184
3284
3285         Reviewed by Saam Barati.
3286
3287         Most tests were failing due to timeouts, since they are too slow to
3288         run on CLoop. The exceptions are:
3289
3290         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
3291         dont-crash-on-stack-overflow-when-parsing-builtin.js and
3292         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
3293         to change the stack size since CLoop requires it to be page aligned.
3294
3295         * microbenchmarks/array-push-1.js:
3296         * microbenchmarks/array-push-2.js:
3297         * microbenchmarks/elidable-new-object-dag.js:
3298         * microbenchmarks/elidable-new-object-roflcopter.js:
3299         * microbenchmarks/elidable-new-object-tree.js:
3300         * microbenchmarks/getter-richards.js:
3301         * microbenchmarks/sinkable-new-object-dag.js:
3302         * microbenchmarks/string-concat-long-convert.js:
3303         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
3304         * slowMicrobenchmarks/array-push-3.js:
3305         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
3306         * slowMicrobenchmarks/spread-small-array.js:
3307         * slowMicrobenchmarks/undefined-property-access.js:
3308         * stress/activation-sink-default-value-tdz-error.js:
3309         * stress/activation-sink-default-value.js:
3310         * stress/activation-sink-osrexit-default-value-tdz-error.js:
3311         * stress/activation-sink-osrexit-default-value.js:
3312         * stress/activation-sink-osrexit.js:
3313         * stress/activation-sink.js:
3314         * stress/allow-math-ic-b3-code-duplication.js:
3315         * stress/array-push-multiple-int32.js:
3316         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
3317         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
3318         * stress/arrowfunction-lexical-this-activation-sink.js:
3319         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
3320         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
3321         * stress/elide-new-object-dag-then-exit.js:
3322         * stress/materialize-regexp-cyclic.js:
3323         * stress/new-regex-inline.js:
3324         * stress/op_add.js:
3325         * stress/op_bitand.js:
3326         * stress/op_bitor.js:
3327         * stress/op_bitxor.js:
3328         * stress/op_div-ConstVar.js:
3329         * stress/op_div-VarConst.js:
3330         * stress/op_div-VarVar.js:
3331         * stress/op_lshift-ConstVar.js:
3332         * stress/op_lshift-VarConst.js:
3333         * stress/op_lshift-VarVar.js:
3334         * stress/op_mod-ConstVar.js:
3335         * stress/op_mod-VarConst.js:
3336         * stress/op_mod-VarVar.js:
3337         * stress/op_mul-ConstVar.js:
3338         * stress/op_mul-VarConst.js:
3339         * stress/op_mul-VarVar.js:
3340         * stress/op_rshift-ConstVar.js:
3341         * stress/op_rshift-VarConst.js:
3342         * stress/op_rshift-VarVar.js:
3343         * stress/op_sub-ConstVar.js:
3344         * stress/op_sub-VarConst.js:
3345         * stress/op_sub-VarVar.js:
3346         * stress/op_urshift-ConstVar.js:
3347         * stress/op_urshift-VarConst.js:
3348         * stress/op_urshift-VarVar.js:
3349         * stress/proxy-get-set-correct-receiver.js:
3350         * stress/regress-179562.js:
3351         * stress/rest-parameter-many-arguments.js:
3352         * stress/sampling-profiler-richards.js:
3353         * stress/splay-flash-access-1ms.js:
3354         * stress/tailCallForwardArguments.js:
3355         * stress/typed-array-get-by-val-profiling.js:
3356         * typeProfiler/getter-richards.js:
3357
3358 2018-11-06  Michael Saboff  <msaboff@apple.com>
3359
3360         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3361         https://bugs.webkit.org/show_bug.cgi?id=191271
3362
3363         Reviewed by Saam Barati.
3364
3365         Added more test cases and made all test cases run with the same deeply recursive stack
3366         instead of finding that same point for each test case.
3367
3368         * stress/regexp-compile-oom.js:
3369         (prototype.runTest):
3370         (recurseAndTest):
3371         (testList.push.new.TestAndExpectedException):
3372
3373 2018-11-05  Michael Saboff  <msaboff@apple.com>
3374
3375         Unreviewed build fix for linux.
3376
3377         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3378
3379 2018-11-02  Michael Saboff  <msaboff@apple.com>
3380
3381         Rolling in r237753 with unreviewed build fix.
3382
3383         Fixed issues with DECLARE_THROW_SCOPE placement.
3384
3385 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3386
3387         Unreviewed, rolling out r237753.
3388
3389         Introduced JSC test failures
3390
3391         Reverted changeset:
3392
3393         "Running out of stack space not properly handled in
3394         RegExp::compile() and its callers"
3395         https://bugs.webkit.org/show_bug.cgi?id=191206
3396         https://trac.webkit.org/changeset/237753
3397
3398 2018-11-02  Michael Saboff  <msaboff@apple.com>
3399
3400         Running out of stack space not properly handled in RegExp::compile() and its callers
3401         https://bugs.webkit.org/show_bug.cgi?id=191206
3402
3403         Reviewed by Filip Pizlo.
3404
3405         New regression test.
3406
3407         * stress/regexp-compile-oom.js: Added.
3408         (recurseAndTest):
3409
3410 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3411
3412         Skip tests on arm/mips that time out now we're running on CLoop
3413
3414         Unreviewed gardening.
3415
3416         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3417         time out on the bots and need to be disabled. There's more tests
3418         disabled on arm because the timeout is longer on the mips bot (as the
3419         device is slower to start with), so many of the tests don't time out
3420         there.
3421
3422         * microbenchmarks/getter-richards.js: disable on arm and mips.
3423         * stress/op_add.js: disable on arm.
3424         * stress/op_bitand.js: disable on arm.
3425         * stress/op_bitor.js: disable on arm.
3426         * stress/op_bitxor.js: disable on arm.
3427         * stress/op_lshift-ConstVar.js: disable on arm.
3428         * stress/op_lshift-VarConst.js: disable on arm.
3429         * stress/op_lshift-VarVar.js: disable on arm.
3430         * stress/op_mod-ConstVar.js: disable on arm.
3431         * stress/op_mod-VarConst.js: disable on arm.
3432         * stress/op_mod-VarVar.js: disable on arm.
3433         * stress/op_mul-ConstVar.js: disable on arm.
3434         * stress/op_mul-VarConst.js: disable on arm.
3435         * stress/op_mul-VarVar.js: disable on arm.
3436         * stress/op_rshift-ConstVar.js: disable on arm.
3437         * stress/op_rshift-VarConst.js: disable on arm.
3438         * stress/op_rshift-VarVar.js: disable on arm.
3439         * stress/op_sub-ConstVar.js: disable on arm.
3440         * stress/op_sub-VarConst.js: disable on arm.
3441         * stress/op_sub-VarVar.js: disable on arm.
3442         * stress/op_urshift-ConstVar.js: disable on arm.
3443         * stress/op_urshift-VarConst.js: disable on arm.
3444         * stress/op_urshift-VarVar.js: disable on arm.
3445         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3446         * stress/value-to-boolean.js: disable on arm and mips.
3447
3448 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3449
3450         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3451         https://bugs.webkit.org/show_bug.cgi?id=191108
3452         <rdar://problem/45690700>
3453
3454         Reviewed by Saam Barati.
3455
3456         * stress/wide-op_catch.js: Added.
3457         (catch):
3458
3459 2018-10-29  Mark Lam  <mark.lam@apple.com>
3460
3461         Correctly detect string overflow when using the 'Function' constructor.
3462         https://bugs.webkit.org/show_bug.cgi?id=184883
3463         <rdar://problem/36320331>
3464
3465         Reviewed by Saam Barati.
3466
3467         I've verified that this passes on 32-bit as well.
3468
3469         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3470
3471 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3472
3473         Add support for GetStack FlushedDouble
3474         https://bugs.webkit.org/show_bug.cgi?id=191012
3475         <rdar://problem/45265141>
3476
3477         Reviewed by Saam Barati.
3478
3479         * stress/get-stack-double.js: Added.
3480         (bar):
3481         (noInline):
3482
3483 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3484
3485         New bytecode format for JSC
3486         https://bugs.webkit.org/show_bug.cgi?id=187373
3487         <rdar://problem/44186758>
3488
3489         Reviewed by Filip Pizlo.
3490
3491         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3492
3493         * stress/maximum-inline-capacity.js: Added.
3494         (test1):
3495         (test3.Foo):
3496         (test3):
3497
3498 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3499
3500         Unreviewed, rolling out r237479 and r237484.
3501         https://bugs.webkit.org/show_bug.cgi?id=190978
3502
3503         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3504
3505         Reverted changesets:
3506
3507         "New bytecode format for JSC"
3508         https://bugs.webkit.org/show_bug.cgi?id=187373
3509         https://trac.webkit.org/changeset/237479
3510
3511         "Gardening: Build fix after r237479."
3512         https://bugs.webkit.org/show_bug.cgi?id=187373
3513         https://trac.webkit.org/changeset/237484
3514
3515 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3516
3517         New bytecode format for JSC
3518         https://bugs.webkit.org/show_bug.cgi?id=187373
3519         <rdar://problem/44186758>
3520
3521         Reviewed by Filip Pizlo.
3522
3523         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3524
3525         * stress/maximum-inline-capacity.js: Added.
3526         (test1):
3527         (test3.Foo):
3528         (test3):
3529
3530 2018-10-26  Mark Lam  <mark.lam@apple.com>
3531
3532         Fix missing edge cases with JSGlobalObjects having a bad time.
3533         https://bugs.webkit.org/show_bug.cgi?id=189028
3534         <rdar://problem/45204939>
3535
3536         Reviewed by Saam Barati.
3537
3538         * stress/regress-189028.js: Added.
3539
3540 2018-10-22  Mark Lam  <mark.lam@apple.com>
3541
3542         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3543         https://bugs.webkit.org/show_bug.cgi?id=190515
3544         <rdar://problem/45222379>
3545
3546         Rubber-stamped by Saam Barati.
3547
3548         Adding another test.
3549
3550         * stress/regress-190515-2.js: Added.
3551
3552 2018-10-22  Mark Lam  <mark.lam@apple.com>
3553
3554         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3555         https://bugs.webkit.org/show_bug.cgi?id=190515
3556         <rdar://problem/45222379>
3557
3558         Reviewed by Saam Barati.
3559
3560         * stress/regress-190515.js: Added.
3561
3562 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3563
3564         Unreviewed, rolling out r237254.
3565         https://bugs.webkit.org/show_bug.cgi?id=190760
3566
3567         "It regresses JetStream 2 by 5% on some iOS devices"
3568         (Requested by saamyjoon on #webkit).
3569
3570         Reverted changeset:
3571
3572         "[JSC] JSC should have "parseFunction" to optimize Function
3573         constructor"
3574         https://bugs.webkit.org/show_bug.cgi?id=190340
3575         https://trac.webkit.org/changeset/237254
3576
3577 2018-10-19  Saam Barati  <sbarati@apple.com>
3578
3579         vmCall should check if we exit before emitting an OSR exit due to exceptions
3580         https://bugs.webkit.org/show_bug.cgi?id=190740
3581         <rdar://problem/45220139>
3582
3583         Reviewed by Mark Lam.
3584
3585         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3586         (foo):
3587
3588 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3589
3590         [ESNext][BigInt] Implement support for "^"
3591         https://bugs.webkit.org/show_bug.cgi?id=186235
3592
3593         Reviewed by Yusuke Suzuki.
3594
3595         * stress/big-int-bitwise-xor-general.js: Added.
3596         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3597         * stress/big-int-bitwise-xor-type-error.js: Added.
3598         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3599
3600 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3601
3602         [BigInt] Add ValueSub into DFG
3603         https://bugs.webkit.org/show_bug.cgi?id=186176
3604
3605         Reviewed by Yusuke Suzuki.
3606
3607         * stress/big-int-subtraction-jit.js:
3608         * stress/value-sub-big-int-prediction-propagation.js: Added.
3609         * stress/value-sub-big-int-untyped.js: Added.
3610         * stress/value-sub-spec-none-case.js: Added.
3611
3612 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3613
3614         [JSC] JSC should have "parseFunction" to optimize Function constructor
3615         https://bugs.webkit.org/show_bug.cgi?id=190340
3616
3617         Reviewed by Mark Lam.
3618
3619         This patch fixes the line number of syntax errors raised by the Function constructor,
3620         since we now parse the final code only once. And we no longer use block statement
3621         for Function constructor's parsing.
3622
3623         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3624         * stress/function-cache-with-parameters-end-position.js: Added.
3625         (shouldBe):
3626         (shouldThrow):
3627         (i.anonymous):
3628         * stress/function-constructor-name.js: Added.
3629         (shouldBe):
3630         (GeneratorFunction):
3631         (AsyncFunction.async):
3632         (AsyncGeneratorFunction.async):
3633         (anonymous):
3634         (async.anonymous):
3635         * test262/expectations.yaml:
3636
3637 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3638
3639         Unreviewed, rolling out r237242.
3640         https://bugs.webkit.org/show_bug.cgi?id=190701
3641
3642         it breaks "stress/sampling-profiler-basic.js" (Requested by
3643         caiolima on #webkit).
3644
3645         Reverted changeset:
3646
3647         "[BigInt] Add ValueSub into DFG"
3648         https://bugs.webkit.org/show_bug.cgi?id=186176
3649         https://trac.webkit.org/changeset/237242
3650
3651 2018-10-17  Keith Miller  <keith_miller@apple.com>
3652
3653         AI does not clear Phantom allocation nodes.
3654         https://bugs.webkit.org/show_bug.cgi?id=190694
3655
3656         Reviewed by Saam Barati.
3657
3658         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3659         (Day):
3660         (DaysInYear):
3661         (TimeInYear):
3662         (TimeFromYear):
3663         (DayFromYear):
3664         (InLeapYear):
3665         (YearFromTime):
3666         (WeekDay):
3667         (DaylightSavingTA):
3668         (GetSecondSundayInMarch):
3669         (TimeInMonth):
3670
3671 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3672
3673         [BigInt] Add ValueSub into DFG
3674         https://bugs.webkit.org/show_bug.cgi?id=186176
3675
3676         Reviewed by Yusuke Suzuki.
3677
3678         * stress/big-int-subtraction-jit.js:
3679         * stress/value-sub-big-int-prediction-propagation.js: Added.
3680         * stress/value-sub-big-int-untyped.js: Added.
3681
3682 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3683
3684         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3685         https://bugs.webkit.org/show_bug.cgi?id=190611
3686
3687         Reviewed by Saam Barati.
3688
3689         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3690         to improve test runtime. On ARM/MIPS this test even timed out when running all
3691         tests.
3692
3693         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3694         (test):
3695
3696 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3697
3698         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3699
3700         Unreviewed gardening.
3701
3702         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3703
3704 2018-10-15  Saam barati  <sbarati@apple.com>
3705
3706         Emit fjcvtzs on ARM64E on Darwin
3707         https://bugs.webkit.org/show_bug.cgi?id=184023
3708
3709         Reviewed by Yusuke Suzuki and Filip Pizlo.
3710
3711         * stress/double-to-int32-NaN.js: Added.
3712         (assert):
3713         (foo):
3714
3715 2018-10-15  Saam Barati  <sbarati@apple.com>
3716
3717         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3718         https://bugs.webkit.org/show_bug.cgi?id=190262
3719         <rdar://problem/44986241>
3720
3721         Reviewed by Mark Lam.
3722
3723         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3724         (test):
3725         * stress/slice-array-storage-with-holes.js: Added.
3726         (main):
3727
3728 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3729
3730         Unreviewed, rolling out r237054.
3731         https://bugs.webkit.org/show_bug.cgi?id=190593
3732
3733         "this regressed JetStream 2 by 6% on iOS" (Requested by
3734         saamyjoon on #webkit).
3735
3736         Reverted changeset:
3737
3738         "[JSC] JSC should have "parseFunction" to optimize Function
3739         constructor"
3740         https://bugs.webkit.org/show_bug.cgi?id=190340
3741         https://trac.webkit.org/changeset/237054
3742
3743 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3744
3745         [JSC] JSON.stringify can accept call-with-no-arguments
3746         https://bugs.webkit.org/show_bug.cgi?id=190343
3747
3748         Reviewed by Mark Lam.
3749
3750         * stress/json-stringify-no-arguments.js: Added.
3751         (shouldBe):
3752
3753 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3754
3755         [JSC] JSC should have "parseFunction" to optimize Function constructor
3756         https://bugs.webkit.org/show_bug.cgi?id=190340
3757
3758         Reviewed by Mark Lam.
3759
3760         This patch fixes the line number of syntax errors raised by the Function constructor,
3761         since we now parse the final code only once. And we no longer use block statement
3762         for Function constructor's parsing.
3763
3764         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3765         * stress/function-cache-with-parameters-end-position.js: Added.
3766         (shouldBe):
3767         (shouldThrow):
3768         (i.anonymous):
3769         * stress/function-constructor-name.js: Added.
3770         (shouldBe):
3771         (GeneratorFunction):
3772         (AsyncFunction.async):
3773         (AsyncGeneratorFunction.async):
3774         (anonymous):
3775         (async.anonymous):
3776         * test262/expectations.yaml:
3777
3778 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3779
3780         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3781         https://bugs.webkit.org/show_bug.cgi?id=190426
3782
3783         Unreviewed gardening.
3784