op_switch_char broken for rope strings after JSRopeString layout rewrite
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-05  Saam barati  <sbarati@apple.com>
2
3         op_switch_char broken for rope strings after JSRopeString layout rewrite
4         https://bugs.webkit.org/show_bug.cgi?id=195339
5         <rdar://problem/48592545>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/switch-on-char-llint-rope.js: Added.
10
11 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] Store bits for JSRopeString in 3 stores
14         https://bugs.webkit.org/show_bug.cgi?id=195234
15
16         Reviewed by Saam Barati.
17
18         * stress/null-rope-and-collectors.js: Added.
19
20 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
21
22         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
23         https://bugs.webkit.org/show_bug.cgi?id=195207
24
25         Unreviewed. After test runtime was reduced in r242213, test can be
26         run again on ARM/MIPS.
27
28         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
29
30 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
31
32         [JSC] sizeof(JSString) should be 16
33         https://bugs.webkit.org/show_bug.cgi?id=194375
34
35         Reviewed by Saam Barati.
36
37         * microbenchmarks/make-rope.js: Added.
38         (makeRope):
39         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
40         (returnRope.helper): Deleted.
41         (returnRope): Deleted.
42
43 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
44
45         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
46         https://bugs.webkit.org/show_bug.cgi?id=195144
47
48         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
49         Change the number from 1e8 to 1e5.
50
51         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
52         (foo):
53
54 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
55
56         Test times out on ARM/MIPS
57         https://bugs.webkit.org/show_bug.cgi?id=195168
58
59         Unreviewed. Skip test on ARM/MIPS.
60
61         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
62
63 2019-02-27  Mark Lam  <mark.lam@apple.com>
64
65         The parser is failing to record the token location of new in new.target.
66         https://bugs.webkit.org/show_bug.cgi?id=195127
67         <rdar://problem/39645578>
68
69         Reviewed by Yusuke Suzuki.
70
71         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
72
73 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
74
75         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
76         https://bugs.webkit.org/show_bug.cgi?id=195144
77         <rdar://problem/47595961>
78
79         Reviewed by Mark Lam.
80
81         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
82         (bar):
83         (foo):
84         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
85         (bar):
86         (foo):
87
88 2019-02-27  Robin Morisset  <rmorisset@apple.com>
89
90         DFG: Loop-invariant code motion (LICM) should not hoist dead code
91         https://bugs.webkit.org/show_bug.cgi?id=194945
92         <rdar://problem/48311657>
93
94         Reviewed by Mark Lam.
95
96         * stress/licm-dead-code.js: Added.
97
98 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
99
100         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
101         https://bugs.webkit.org/show_bug.cgi?id=194677
102         <rdar://problem/48112492>
103
104         Reviewed by Mark Lam.
105
106         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
107         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
108         it immediately fails due the large size.
109
110         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
111         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
112         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
113         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
114
115         This patch changes the test to produce 16bit string from String.fromCharCode.
116
117         * stress/regress-178386.js:
118
119 2019-02-26  Mark Lam  <mark.lam@apple.com>
120
121         wasmToJS() should purify incoming NaNs.
122         https://bugs.webkit.org/show_bug.cgi?id=194807
123         <rdar://problem/48189132>
124
125         Reviewed by Saam Barati.
126
127         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
128
129 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
130
131         [JSC] Repeat string created from Array.prototype.join() take too much memory
132         https://bugs.webkit.org/show_bug.cgi?id=193912
133
134         Reviewed by Saam Barati.
135
136         Added a test and a microbenchmark for corner cases of
137         Array.prototype.join() with an uninitialized array.
138
139         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
140         * stress/array-prototype-join-uninitialized.js: Added.
141         (testArray):
142         (testABC):
143         (B):
144         (C):
145
146 2019-02-22  Robin Morisset  <rmorisset@apple.com>
147
148         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
149         https://bugs.webkit.org/show_bug.cgi?id=194953
150         <rdar://problem/47595253>
151
152         Reviewed by Saam Barati.
153
154         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
155
156         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
157
158 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
159
160         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
161         https://bugs.webkit.org/show_bug.cgi?id=172848
162         <rdar://problem/25709212>
163
164         Reviewed by Mark Lam.
165
166         * typeProfiler/inheritance.js:
167         Rewrite the test slightly for clarity. The hoisting was confusing.
168
169         * heapProfiler/class-names.js: Added.
170         (MyES5Class):
171         (MyES6Class):
172         (MyES6Subclass):
173         Test object types and improved class names.
174
175         * heapProfiler/driver/driver.js:
176         (CheapHeapSnapshotNode):
177         (CheapHeapSnapshot):
178         (createCheapHeapSnapshot):
179         (HeapSnapshot):
180         (createHeapSnapshot):
181         Update snapshot parsing from version 1 to version 2.
182
183 2019-02-19  Truitt Savell  <tsavell@apple.com>
184
185         Unreviewed, rolling out r241784.
186
187         Broke all OpenSource builds.
188
189         Reverted changeset:
190
191         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
192         instances view"
193         https://bugs.webkit.org/show_bug.cgi?id=172848
194         https://trac.webkit.org/changeset/241784
195
196 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
197
198         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
199         https://bugs.webkit.org/show_bug.cgi?id=172848
200         <rdar://problem/25709212>
201
202         Reviewed by Mark Lam.
203
204         * typeProfiler/inheritance.js:
205         Rewrite the test slightly for clarity. The hoisting was confusing.
206
207         * heapProfiler/class-names.js: Added.
208         (MyES5Class):
209         (MyES6Class):
210         (MyES6Subclass):
211         Test object types and improved class names.
212
213         * heapProfiler/driver/driver.js:
214         (CheapHeapSnapshotNode):
215         (CheapHeapSnapshot):
216         (createCheapHeapSnapshot):
217         (HeapSnapshot):
218         (createHeapSnapshot):
219         Update snapshot parsing from version 1 to version 2.
220
221 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
222
223         [ARM] Fix crash with sampling profiler
224         https://bugs.webkit.org/show_bug.cgi?id=194772
225
226         Reviewed by Mark Lam.
227
228         Do not skip test since crash with sampling profiler is now fixed.
229
230         * stress/sampling-profiler-richards.js:
231
232 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
233
234         [JSC] Add LazyClassStructure::getInitializedOnMainThread
235         https://bugs.webkit.org/show_bug.cgi?id=194784
236         <rdar://problem/48154820>
237
238         Reviewed by Mark Lam.
239
240         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
241         (getProperties):
242         (getRandomProperty):
243         (i.catch):
244
245 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
246
247         [ARM] Test gardening: Test running out of executable memory
248         https://bugs.webkit.org/show_bug.cgi?id=194771
249
250         Unreviewed. Do not run test without LLInt, test is running out of executable
251         memory on ARM otherwise.
252
253         * stress/tagged-template-object-collect.js:
254
255 2019-02-18  Tomas Popela  <tpopela@redhat.com>
256
257         Unreviewed, skip the test on platforms without sampling profiler
258
259         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
260         (platformSupportsSamplingProfiler.foo):
261         (platformSupportsSamplingProfiler.test):
262         (platformSupportsSamplingProfiler):
263         (foo): Deleted.
264         (test): Deleted.
265
266 2019-02-17  Saam Barati  <sbarati@apple.com>
267
268         Deadlock when adding a Structure property transition and then doing incremental marking
269         https://bugs.webkit.org/show_bug.cgi?id=194767
270
271         Reviewed by Mark Lam.
272
273         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
274
275 2019-02-15  Michael Saboff  <msaboff@apple.com>
276
277         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
278         https://bugs.webkit.org/show_bug.cgi?id=194558
279
280         Reviewed by Saam Barati.
281
282         New regression test.
283
284         * stress/regexp-unicode-within-string.js: Added.
285
286 2019-02-15  Mark Lam  <mark.lam@apple.com>
287
288         SamplingProfiler::stackTracesAsJSON() should escape strings.
289         https://bugs.webkit.org/show_bug.cgi?id=194649
290         <rdar://problem/48072386>
291
292         Reviewed by Saam Barati.
293
294         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
295         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
296         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
297         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
298
299 2019-02-15  Robin Morisset  <rmorisset@apple.com>
300         CodeBlock::jettison should clear related watchpoints
301         https://bugs.webkit.org/show_bug.cgi?id=194544
302
303         Reviewed by Mark Lam.
304
305         * stress/regexp-replace-double-watchpoint.js: Added.
306         (foo):
307
308 2019-02-15  Saam barati  <sbarati@apple.com>
309
310         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
311         https://bugs.webkit.org/show_bug.cgi?id=194036
312
313         Reviewed by Yusuke Suzuki.
314
315         * stress/tail-call-many-arguments.js: Added.
316         (foo):
317         (bar):
318
319 2019-02-14  Saam Barati  <sbarati@apple.com>
320
321         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
322         https://bugs.webkit.org/show_bug.cgi?id=194583
323         <rdar://problem/48028140>
324
325         Reviewed by Yusuke Suzuki.
326
327         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
328
329 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
330
331         [JSC] String.fromCharCode's slow path always generates 16bit string
332         https://bugs.webkit.org/show_bug.cgi?id=194466
333
334         Reviewed by Keith Miller.
335
336         * stress/string-from-char-code-slow-path.js: Added.
337         (shouldBe):
338         (testWithLength):
339
340 2019-02-08  Saam barati  <sbarati@apple.com>
341
342         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
343         https://bugs.webkit.org/show_bug.cgi?id=194334
344         <rdar://problem/47844327>
345
346         Reviewed by Mark Lam.
347
348         * stress/check-in-bounds-should-be-a-child-use.js: Added.
349         (func):
350
351 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
352
353         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
354         https://bugs.webkit.org/show_bug.cgi?id=194369
355         <rdar://problem/47813087>
356
357         Reviewed by Saam Barati.
358
359         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
360         (A):
361
362 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
363
364         [JSC] PrivateName to PublicName hash table is wasteful
365         https://bugs.webkit.org/show_bug.cgi?id=194277
366
367         Reviewed by Michael Saboff.
368
369         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
370
371         * ChakraCore.yaml:
372
373 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
374
375         [ARM] Test running out of executable memory
376         https://bugs.webkit.org/show_bug.cgi?id=194285
377
378         Unreviewed. Do no execute test with LLInt disabled, test runs out of
379         executable memory otherwise.
380
381         * stress/class-subclassing-function.js:
382
383 2019-02-04  Robin Morisset  <rmorisset@apple.com>
384
385         when lowering AssertNotEmpty, create the value before creating the patchpoint
386         https://bugs.webkit.org/show_bug.cgi?id=194231
387
388         Reviewed by Saam Barati.
389
390         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
391         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
392         So even tiny changes to this test can change the path code taken.
393
394         * stress/assert-not-empty.js: Added.
395         (foo):
396
397 2019-02-01  Mark Lam  <mark.lam@apple.com>
398
399         Remove invalid assertion in DFG's compileDoubleRep().
400         https://bugs.webkit.org/show_bug.cgi?id=194130
401         <rdar://problem/47699474>
402
403         Reviewed by Saam Barati.
404
405         * stress/constant-fold-double-rep-into-double-constant.js: Added.
406
407 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
408
409         Import latest Test262 updates.
410
411         Rubber-stamped by Keith Miller.
412
413         * test262.yaml: Deleted.
414         * test262/config.yaml:
415         * test262/expectations.yaml:
416         * test262/latest-changes-summary.txt:
417         * test262/test/:
418         * test262/test262-Revision.txt:
419
420 2019-01-30  Robin Morisset  <rmorisset@apple.com>
421
422         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
423         https://bugs.webkit.org/show_bug.cgi?id=194050
424         <rdar://problem/47595592>
425
426         Reviewed by Yusuke Suzuki.
427
428         * stress/object-keys-osr-exit.js: Added.
429         (foo):
430         (catch):
431
432 2019-01-29  Mark Lam  <mark.lam@apple.com>
433
434         ValueRecovery::recover() should purify NaN values it recovers.
435         https://bugs.webkit.org/show_bug.cgi?id=193978
436         <rdar://problem/47625488>
437
438         Reviewed by Saam Barati.
439
440         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
441
442 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
443
444         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
445         https://bugs.webkit.org/show_bug.cgi?id=193713
446
447         * stress/try-get-by-id-should-spill-registers-dfg.js:
448         (let.f.createBuiltin):
449
450 2019-01-28  Mark Lam  <mark.lam@apple.com>
451
452         ToString node actually does GC.
453         https://bugs.webkit.org/show_bug.cgi?id=193920
454         <rdar://problem/46695900>
455
456         Reviewed by Yusuke Suzuki.
457
458         * stress/dfg-to-string-on-int-does-gc.js: Added.
459         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
460         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
461
462 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
463
464         [JSC] NativeErrorConstructor should not have own IsoSubspace
465         https://bugs.webkit.org/show_bug.cgi?id=193713
466
467         Reviewed by Saam Barati.
468
469         Remove @Error use.
470
471         * stress/try-get-by-id-should-spill-registers-dfg.js:
472         (let.f.createBuiltin):
473
474 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
475
476         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
477         https://bugs.webkit.org/show_bug.cgi?id=190693
478
479         Reviewed by Michael Saboff.
480
481         * stress/regress-190693.js: Added.
482         (truth):
483         (assert):
484         (shouldThrowInvalidConstAssignment):
485         (taz):
486
487 2019-01-24  Saam Barati  <sbarati@apple.com>
488
489         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
490         https://bugs.webkit.org/show_bug.cgi?id=193751
491         <rdar://problem/47280215>
492
493         Reviewed by Michael Saboff.
494
495         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
496         (let.thing):
497         (foo.let.hello):
498         (foo):
499
500 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
501
502         [JSC] Reenable baseline JIT on mips
503         https://bugs.webkit.org/show_bug.cgi?id=192983
504
505         Reviewed by Mark Lam.
506
507         Added a new test for a case that was triggering a RELEASE_ASSERT when
508         testing.
509         Disable some slow tests that were already disabled for arm and x86.
510
511         * stress/json-parse-big-object.js: Added.
512         * stress/new-largeish-contiguous-array-with-size.js:
513         * stress/op_add.js:
514         * stress/op_bitand.js:
515         * stress/op_bitor.js:
516         * stress/op_bitxor.js:
517         * stress/op_lshift-ConstVar.js:
518         * stress/op_lshift-VarConst.js:
519         * stress/op_lshift-VarVar.js:
520         * stress/op_mod-ConstVar.js:
521         * stress/op_mod-VarConst.js:
522         * stress/op_mod-VarVar.js:
523         * stress/op_mul-ConstVar.js:
524         * stress/op_mul-VarConst.js:
525         * stress/op_mul-VarVar.js:
526         * stress/op_rshift-ConstVar.js:
527         * stress/op_rshift-VarConst.js:
528         * stress/op_rshift-VarVar.js:
529         * stress/op_sub-ConstVar.js:
530         * stress/op_sub-VarConst.js:
531         * stress/op_sub-VarVar.js:
532         * stress/op_urshift-ConstVar.js:
533         * stress/op_urshift-VarConst.js:
534         * stress/op_urshift-VarVar.js:
535         * stress/sampling-profiler-richards.js:
536         * stress/spread-forward-call-varargs-stack-overflow.js:
537
538 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
539
540         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
541         https://bugs.webkit.org/show_bug.cgi?id=193711
542         <rdar://problem/47250262>
543
544         Reviewed by Saam Barati.
545
546         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
547         (shouldBe):
548         (foo):
549         (bar):
550         (baz):
551
552 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
553
554         Unreviewed, fix initial global lexical binding epoch
555         https://bugs.webkit.org/show_bug.cgi?id=193603
556         <rdar://problem/47380869>
557
558         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
559         (f1.f2.f3.f4):
560         (f1.f2.f3):
561         (f1.f2):
562         (f1):
563
564 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
565
566         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
567         https://bugs.webkit.org/show_bug.cgi?id=193709
568         <rdar://problem/47363838>
569
570         Unreviewed, rollout to watch the tests.
571
572         * stress/object-tostring-changed-proto.js: Removed.
573         * stress/object-tostring-changed.js: Removed.
574         * stress/object-tostring-misc.js: Removed.
575         * stress/object-tostring-other.js: Removed.
576         * stress/object-tostring-untyped.js: Removed.
577
578 2019-01-22  Saam Barati  <sbarati@apple.com>
579
580         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
581
582         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
583         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
584         (testUncheckedLessThanZero):
585         (testUncheckedLessThanOrEqualZero):
586         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
587         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
588
589 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
590
591         [JSC] Invalidate old scope operations using global lexical binding epoch
592         https://bugs.webkit.org/show_bug.cgi?id=193603
593         <rdar://problem/47380869>
594
595         Reviewed by Saam Barati.
596
597         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
598         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
599         (shouldThrow):
600         (bar):
601         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
602         (shouldBe):
603         (get1):
604         (get2):
605         (get1If):
606         (get2If):
607         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
608         (shouldThrow):
609         (foo):
610
611 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
612
613         Unreviewed, roll out r240220 due to date-format-xparb regression
614         https://bugs.webkit.org/show_bug.cgi?id=193603
615
616         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
617         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
618         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
619         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
620
621 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
622
623         DoesGC rule is wrong for nodes with BigIntUse
624         https://bugs.webkit.org/show_bug.cgi?id=193652
625
626         Reviewed by Saam Barati.
627
628         * stress/big-int-value-op-update-gc-rules.js: Added.
629         (assert):
630         (doesGCAdd):
631         (doesGCSub):
632         (doesGCDiv):
633         (doesGCMul):
634         (doesGCBitAnd):
635         (doesGCBitOr):
636         (doesGCBitXor):
637
638 2019-01-20  Saam Barati  <sbarati@apple.com>
639
640         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
641         https://bugs.webkit.org/show_bug.cgi?id=193644
642         <rdar://problem/46209745>
643
644         Reviewed by Yusuke Suzuki.
645
646         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
647         (foo):
648         * stress/data-view-set-intrinsic-undefined-result.js: Added.
649         (foo):
650         (bar):
651
652 2019-01-20  Saam Barati  <sbarati@apple.com>
653
654         MovHint must merge NodeBytecodeUsesAsValue for its child
655         https://bugs.webkit.org/show_bug.cgi?id=186916
656         <rdar://problem/41396612>
657
658         Reviewed by Yusuke Suzuki.
659
660         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
661         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
662
663 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
664
665         [JSC] Invalidate old scope operations using global lexical binding epoch
666         https://bugs.webkit.org/show_bug.cgi?id=193603
667         <rdar://problem/47380869>
668
669         Reviewed by Saam Barati.
670
671         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
672         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
673         (shouldThrow):
674         (bar):
675         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
676         (shouldBe):
677         (get1):
678         (get2):
679         (get1If):
680         (get2If):
681         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
682         (shouldThrow):
683         (foo):
684
685 2019-01-17  Saam barati  <sbarati@apple.com>
686
687         StringObjectUse should not be a structure check for the original string object structure
688         https://bugs.webkit.org/show_bug.cgi?id=193483
689         <rdar://problem/47280522>
690
691         Reviewed by Yusuke Suzuki.
692
693         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
694         (foo):
695         (a.valueOf.0):
696
697 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
698
699         [JSC] ToThis omission in DFGByteCodeParser is wrong
700         https://bugs.webkit.org/show_bug.cgi?id=193513
701         <rdar://problem/45842236>
702
703         Reviewed by Saam Barati.
704
705         * stress/to-this-omission-with-different-strict-modes.js: Added.
706         (thisA):
707         (thisAStrictWrapper):
708
709 2019-01-15  Mark Lam  <mark.lam@apple.com>
710
711         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
712         https://bugs.webkit.org/show_bug.cgi?id=193423
713         <rdar://problem/46209355>
714
715         Reviewed by Saam Barati.
716
717         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
718         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
719         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
720         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
721
722 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
723
724         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
725         https://bugs.webkit.org/show_bug.cgi?id=193438
726         <rdar://problem/45581249>
727
728         Reviewed by Saam Barati and Keith Miller.
729
730         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
731         Then, GetByVal(String) crashed.
732
733         * stress/string-get-by-val-lowering.js: Added.
734         (shouldBe):
735         (test):
736         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
737         (Hello):
738         (foo):
739
740 2019-01-15  Tomas Popela  <tpopela@redhat.com>
741
742         Unreviewed, skip JIT tests if it's not enabled
743
744         * stress/bit-op-with-object-returning-int32.js:
745
746 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
747
748         DFGByteCodeParser rules for bitwise operations should consider type of their operands
749         https://bugs.webkit.org/show_bug.cgi?id=192966
750
751         Reviewed by Yusuke Suzuki.
752
753         * stress/bit-op-with-object-returning-int32.js: Added.
754
755 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
756
757         Skip a slow test and a flakey test on arm
758
759         Unreviewed gardening.
760
761         * typeProfiler/getter-richards.js:
762         this test always times out, it used to be always skipped on arm and
763         mips, but got accidentally enabled by r237919 now that we have DFG on
764         arm. Also skipping on mips as we plan to soon enable DFG for it too.
765
766 2019-01-14  Keith Miller  <keith_miller@apple.com>
767
768         Skip type-check-hoisting-phase-hoist... with no jit
769         https://bugs.webkit.org/show_bug.cgi?id=193421
770
771         Reviewed by Mark Lam.
772
773         It's timing out the 32-bit bots and takes 330 seconds
774         on my machine when run by itself.
775
776         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
777
778 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
779
780         [JSC] AI should check the given constant's array type when folding GetByVal into constant
781         https://bugs.webkit.org/show_bug.cgi?id=193413
782         <rdar://problem/46092389>
783
784         Reviewed by Keith Miller.
785
786         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
787         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
788         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
789         but GetByVal does not have appropriate ArrayModes, JSC crashes.
790
791         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
792         (compareArray):
793
794 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
795
796         [BigInt] Literal parsing is crashing when used inside a Object Literal
797         https://bugs.webkit.org/show_bug.cgi?id=193404
798
799         Reviewed by Yusuke Suzuki.
800
801         * stress/big-int-literal-inside-literal-object.js: Added.
802
803 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
804
805         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
806         https://bugs.webkit.org/show_bug.cgi?id=193372
807
808         Reviewed by Saam Barati.
809
810         * stress/typed-array-array-modes-profile.js: Added.
811         (foo):
812
813 2019-01-14  Mark Lam  <mark.lam@apple.com>
814
815         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
816         https://bugs.webkit.org/show_bug.cgi?id=193402
817         <rdar://problem/46012309>
818
819         Reviewed by Keith Miller.
820
821         * stress/regexp-compile-oom.js:
822         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
823           is enabled.  As a result, it will fail on cloop builds though there is no bug.
824
825 2019-01-11  Saam barati  <sbarati@apple.com>
826
827         DFG combined liveness can be wrong for terminal basic blocks
828         https://bugs.webkit.org/show_bug.cgi?id=193304
829         <rdar://problem/45268632>
830
831         Reviewed by Yusuke Suzuki.
832
833         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
834
835 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
836
837         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
838         https://bugs.webkit.org/show_bug.cgi?id=193308
839         <rdar://problem/45546542>
840
841         Reviewed by Saam Barati.
842
843         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
844         (shouldThrow):
845         (shouldBe):
846         (foo):
847         (get shouldThrow):
848         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
849         (shouldThrow):
850         (shouldBe):
851         (foo):
852         (get shouldBe):
853         (get shouldThrow):
854         (get return):
855         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
856         (shouldThrow):
857         (shouldBe):
858         (foo):
859         (get shouldBe):
860         (get shouldThrow):
861         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
862         (shouldThrow):
863         (shouldBe):
864         (foo):
865         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
866         (shouldThrow):
867         (shouldBe):
868         (foo):
869         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
870         (shouldThrow):
871         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
872         (shouldThrow):
873         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
874         (shouldThrow):
875         (shouldBe):
876         (foo):
877         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
878         (shouldThrow):
879         (shouldBe):
880         (foo):
881         (get shouldBe):
882         (get shouldThrow):
883         (get return):
884         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
885         (shouldThrow):
886         (shouldBe):
887         (foo):
888         (get shouldBe):
889         (get shouldThrow):
890         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
891         (shouldThrow):
892         (shouldBe):
893         (foo):
894         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
895         (shouldThrow):
896         (shouldBe):
897         (foo):
898
899 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
900
901         Enable DFG on ARM/Linux again
902         https://bugs.webkit.org/show_bug.cgi?id=192496
903
904         Reviewed by Yusuke Suzuki.
905
906         Test wasn't really skipped before moving the line with skip
907         to the top.
908
909         * stress/regress-192717.js:
910
911 2019-01-10  Commit Queue  <commit-queue@webkit.org>
912
913         Unreviewed, rolling out r239825.
914         https://bugs.webkit.org/show_bug.cgi?id=193330
915
916         Broke tests on armv7/linux bots (Requested by guijemont on
917         #webkit).
918
919         Reverted changeset:
920
921         "Enable DFG on ARM/Linux again"
922         https://bugs.webkit.org/show_bug.cgi?id=192496
923         https://trac.webkit.org/changeset/239825
924
925 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
926
927         Enable DFG on ARM/Linux again
928         https://bugs.webkit.org/show_bug.cgi?id=192496
929
930         Reviewed by Yusuke Suzuki.
931
932         Test wasn't really skipped before moving the line with skip
933         to the top.
934
935         * stress/regress-192717.js:
936
937 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
938
939         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
940         https://bugs.webkit.org/show_bug.cgi?id=193127
941
942         Reviewed by Saam Barati.
943
944         * stress/array-species-create-should-handle-masquerader.js: Added.
945         (shouldThrow):
946         * stress/is-undefined-or-null-builtin.js: Added.
947         (shouldBe):
948         (isUndefinedOrNull.vm.createBuiltin):
949
950 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
951
952         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
953         https://bugs.webkit.org/show_bug.cgi?id=193221
954
955         Reviewed by Mark Lam.
956
957         * stress/put-by-id-flags.js: Added.
958         (f):
959         (g):
960         (numberOfDFGCompiles):
961
962 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
963
964         Baseline version of get_by_id may corrupt metadata
965         https://bugs.webkit.org/show_bug.cgi?id=193085
966         <rdar://problem/23453006>
967
968         Reviewed by Saam Barati.
969
970         * stress/get-by-id-change-mode.js: Added.
971         (forEach):
972
973 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
974
975         [JSC] Optimize Object.prototype.toString
976         https://bugs.webkit.org/show_bug.cgi?id=193031
977
978         Reviewed by Saam Barati.
979
980         * stress/object-tostring-changed-proto.js: Added.
981         (shouldBe):
982         (test):
983         * stress/object-tostring-changed.js: Added.
984         (shouldBe):
985         (test):
986         * stress/object-tostring-misc.js: Added.
987         (shouldBe):
988         (test):
989         (i.switch):
990         * stress/object-tostring-other.js: Added.
991         (shouldBe):
992         (test):
993         * stress/object-tostring-untyped.js: Added.
994         (shouldBe):
995         (test):
996         (i.switch):
997
998 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
999
1000         test262-runner misbehaves when test file YAML has a trailing space
1001         https://bugs.webkit.org/show_bug.cgi?id=193053
1002
1003         Reviewed by Yusuke Suzuki.
1004
1005         * test262/expectations.yaml:
1006         Mark two dozen tests as passing (and correct the output of another).
1007
1008 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1009
1010         Unreviewed, JSTests gardening with memoryLimited
1011
1012         * stress/string-overflow-createError.js:
1013
1014 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1015
1016         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1017         https://bugs.webkit.org/show_bug.cgi?id=193050
1018
1019         Reviewed by Yusuke Suzuki.
1020
1021         * test262.yaml:
1022         * test262/expectations.yaml:
1023         Mark 16 tests as passing.
1024
1025 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1026
1027         [BigInt] Support BigInt in JSON.stringify
1028         https://bugs.webkit.org/show_bug.cgi?id=192624
1029
1030         Reviewed by Saam Barati.
1031
1032         * stress/big-int-json-stringify-to-json.js: Added.
1033         (shouldBe):
1034         (shouldThrow):
1035         (BigInt.prototype.toJSON):
1036         (shouldBe.JSON.stringify):
1037         * stress/big-int-json-stringify.js: Added.
1038         (shouldBe):
1039         (shouldThrow):
1040
1041 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1042
1043         [JSC] Implement "well-formed JSON.stringify" proposal
1044         https://bugs.webkit.org/show_bug.cgi?id=191677
1045
1046         Reviewed by Darin Adler.
1047
1048         * stress/json-surrogate-pair.js: Added.
1049         (shouldBe):
1050         * test262/expectations.yaml:
1051
1052 2018-12-20  Keith Miller  <keith_miller@apple.com>
1053
1054         Add support for globalThis
1055         https://bugs.webkit.org/show_bug.cgi?id=165171
1056
1057         Reviewed by Mark Lam.
1058
1059         * test262/config.yaml:
1060
1061 2018-12-19  Keith Miller  <keith_miller@apple.com>
1062
1063         Update test262 configuration to not run tests dependent on ICU version.
1064         https://bugs.webkit.org/show_bug.cgi?id=192920
1065
1066         Reviewed by Saam Barati.
1067
1068         * test262/expectations.yaml:
1069
1070 2018-12-20  Mark Lam  <mark.lam@apple.com>
1071
1072         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1073         https://bugs.webkit.org/show_bug.cgi?id=192939
1074         <rdar://problem/46869516>
1075
1076         Reviewed by Keith Miller.
1077
1078         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1079
1080 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1081
1082         WTF::String and StringImpl overflow MaxLength
1083         https://bugs.webkit.org/show_bug.cgi?id=192853
1084         <rdar://problem/45726906>
1085
1086         Reviewed by Mark Lam.
1087
1088         * stress/string-16bit-repeat-overflow.js: Added.
1089         (catch):
1090
1091 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1092
1093         Unreviewed follow-up to r192914.
1094
1095         * test262/expectations.yaml:
1096         Add the last 20 missing expectations.
1097
1098 2018-12-19  Keith Miller  <keith_miller@apple.com>
1099
1100         Fix test262 expectations
1101         https://bugs.webkit.org/show_bug.cgi?id=192914
1102
1103         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1104
1105         * test262/expectations.yaml:
1106
1107 2018-12-19  Keith Miller  <keith_miller@apple.com>
1108
1109         Update test262 tests.
1110         https://bugs.webkit.org/show_bug.cgi?id=192907
1111
1112         Rubber stamped by Mark Lam.
1113
1114         * test262/*: Omitted because prepare-changelog crashes.
1115
1116 2018-12-19  Mark Lam  <mark.lam@apple.com>
1117
1118         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1119         https://bugs.webkit.org/show_bug.cgi?id=192464
1120         <rdar://problem/46519455>
1121
1122         Reviewed by Saam Barati.
1123
1124         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1125         microbenchmark.
1126
1127         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1128         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1129
1130 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1131
1132         String overflow in JSC::createError results in ASSERT in WTF::makeString
1133         https://bugs.webkit.org/show_bug.cgi?id=192833
1134         <rdar://problem/45706868>
1135
1136         Reviewed by Mark Lam.
1137
1138         * stress/string-overflow-createError.js: Added.
1139
1140 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1141
1142         Error message for `-x ** y` contains a typo.
1143         https://bugs.webkit.org/show_bug.cgi?id=192832
1144
1145         Reviewed by Saam Barati.
1146
1147         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1148         (assert.assert.return.throws):
1149         * stress/pow-expects-update-expression-on-lhs.js:
1150         (throw.new.Error):
1151         Update test expectations which match against the exact error message.
1152
1153 2018-12-18  Mark Lam  <mark.lam@apple.com>
1154
1155         Gardening: test options fix.
1156         https://bugs.webkit.org/show_bug.cgi?id=192822
1157
1158         Unreviewed.
1159
1160         * stress/json-stringify-string-builder-overflow.js:
1161
1162 2018-12-18  Mark Lam  <mark.lam@apple.com>
1163
1164         JSON.stringify() should throw OOM on StringBuilder overflows.
1165         https://bugs.webkit.org/show_bug.cgi?id=192822
1166         <rdar://problem/46670577>
1167
1168         Reviewed by Saam Barati.
1169
1170         * stress/json-stringify-string-builder-overflow.js: Added.
1171
1172 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1173
1174         Redeclaration of var over let/const/class should be a syntax error.
1175         https://bugs.webkit.org/show_bug.cgi?id=192298
1176
1177         Reviewed by Keith Miller.
1178
1179         * test262.yaml:
1180         * test262/expectations.yaml:
1181         Mark 46 tests as passing.
1182
1183         * stress/block-scope-redeclarations.js:
1184         Add some new tests.
1185
1186         * stress/for-in-invalidate-context-weird-assignments.js:
1187         * stress/for-in-tests.js:
1188         Replace tests for outdated behavior with tests for SyntaxError.
1189
1190         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1191         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1192         Update expectations.
1193
1194 2018-12-18  Mark Lam  <mark.lam@apple.com>
1195
1196         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1197         https://bugs.webkit.org/show_bug.cgi?id=191374
1198         <rdar://problem/46525447>
1199
1200         Reviewed by Yusuke Suzuki.
1201
1202         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1203
1204         * stress/elidable-new-object-roflcopter-then-exit.js:
1205
1206 2018-12-17  Mark Lam  <mark.lam@apple.com>
1207
1208         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1209         https://bugs.webkit.org/show_bug.cgi?id=192019
1210         <rdar://problem/46525456>
1211
1212         Reviewed by Yusuke Suzuki.
1213
1214         The test runs too slow on 32-bit.
1215
1216         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1217
1218 2018-12-17  Mark Lam  <mark.lam@apple.com>
1219
1220         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1221         https://bugs.webkit.org/show_bug.cgi?id=191373
1222         <rdar://problem/46525458>
1223
1224         Reviewed by Yusuke Suzuki.
1225
1226         The test is already slow running with a JIT on 64-bit.  It will always timeout
1227         on 32-bit without a JIT.
1228
1229         * stress/materialize-regexp-cyclic-regexp.js:
1230
1231 2018-12-17  Mark Lam  <mark.lam@apple.com>
1232
1233         Array unshift/shift should not race against the AI in the compiler thread.
1234         https://bugs.webkit.org/show_bug.cgi?id=192795
1235         <rdar://problem/46724263>
1236
1237         Reviewed by Saam Barati.
1238
1239         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1240
1241 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1242
1243         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1244         https://bugs.webkit.org/show_bug.cgi?id=190047
1245
1246         Reviewed by Saam Barati.
1247
1248         * stress/object-keys-cached-zero.js: Added.
1249         (shouldBe):
1250         (test):
1251         * stress/object-keys-changed-attribute.js: Added.
1252         (shouldBe):
1253         (test):
1254         * stress/object-keys-changed-index.js: Added.
1255         (shouldBe):
1256         (test):
1257         * stress/object-keys-changed.js: Added.
1258         (shouldBe):
1259         (test):
1260         * stress/object-keys-indexed-non-cache.js: Added.
1261         (shouldBe):
1262         (test):
1263         * stress/object-keys-overrides-get-property-names.js: Added.
1264         (shouldBe):
1265         (test):
1266         (noInline):
1267
1268 2018-12-17  Mark Lam  <mark.lam@apple.com>
1269
1270         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1271         https://bugs.webkit.org/show_bug.cgi?id=192779
1272         <rdar://problem/46775869>
1273
1274         Reviewed by Saam Barati.
1275
1276         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1277
1278 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1279
1280         Unreviewed test gardening, address a syntax error in a new test.
1281
1282         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1283
1284 2018-12-17  Mark Lam  <mark.lam@apple.com>
1285
1286         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1287         https://bugs.webkit.org/show_bug.cgi?id=192776
1288         <rdar://problem/46772368>
1289
1290         Reviewed by Keith Miller.
1291
1292         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1293
1294 2018-12-17  Mark Lam  <mark.lam@apple.com>
1295
1296         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1297         https://bugs.webkit.org/show_bug.cgi?id=192770
1298         <rdar://problem/46449037>
1299
1300         Reviewed by Keith Miller.
1301
1302         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1303
1304 2018-12-14  Mark Lam  <mark.lam@apple.com>
1305
1306         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1307         https://bugs.webkit.org/show_bug.cgi?id=192717
1308         <rdar://problem/46660677>
1309
1310         Reviewed by Saam Barati.
1311
1312         * stress/regress-192717.js: Added.
1313
1314 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1315
1316         Unreviewed, rolling out r239153, r239154, and r239155.
1317         https://bugs.webkit.org/show_bug.cgi?id=192715
1318
1319         Caused flaky GC-related crashes seen with layout tests
1320         (Requested by ryanhaddad on #webkit).
1321
1322         Reverted changesets:
1323
1324         "[JSC] Optimize Object.keys by caching own keys results in
1325         StructureRareData"
1326         https://bugs.webkit.org/show_bug.cgi?id=190047
1327         https://trac.webkit.org/changeset/239153
1328
1329         "Unreviewed, build fix after r239153"
1330         https://bugs.webkit.org/show_bug.cgi?id=190047
1331         https://trac.webkit.org/changeset/239154
1332
1333         "Unreviewed, build fix after r239153, part 2"
1334         https://bugs.webkit.org/show_bug.cgi?id=190047
1335         https://trac.webkit.org/changeset/239155
1336
1337 2018-12-14  Keith Miller  <keith_miller@apple.com>
1338
1339         Callers of JSString::getIndex should check for OOM exceptions
1340         https://bugs.webkit.org/show_bug.cgi?id=192709
1341
1342         Reviewed by Mark Lam.
1343
1344         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1345
1346 2018-12-13  Mark Lam  <mark.lam@apple.com>
1347
1348         Add a missing exception check.
1349         https://bugs.webkit.org/show_bug.cgi?id=192626
1350         <rdar://problem/46662163>
1351
1352         Reviewed by Keith Miller.
1353
1354         * stress/regress-192626.js: Added.
1355
1356 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1357
1358         [BigInt] Add ValueDiv into DFG
1359         https://bugs.webkit.org/show_bug.cgi?id=186178
1360
1361         Reviewed by Yusuke Suzuki.
1362
1363         * stress/big-int-div-jit-osr.js: Added.
1364         * stress/big-int-div-jit-untyped.js: Added.
1365         * stress/value-div-fixup-int32-big-int.js: Added.
1366
1367 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1368
1369         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1370         https://bugs.webkit.org/show_bug.cgi?id=190047
1371
1372         Reviewed by Keith Miller.
1373
1374         * stress/object-keys-cached-zero.js: Added.
1375         (shouldBe):
1376         (test):
1377         * stress/object-keys-changed-attribute.js: Added.
1378         (shouldBe):
1379         (test):
1380         * stress/object-keys-changed-index.js: Added.
1381         (shouldBe):
1382         (test):
1383         * stress/object-keys-changed.js: Added.
1384         (shouldBe):
1385         (test):
1386         * stress/object-keys-indexed-non-cache.js: Added.
1387         (shouldBe):
1388         (test):
1389         * stress/object-keys-overrides-get-property-names.js: Added.
1390         (shouldBe):
1391         (test):
1392         (noInline):
1393
1394 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1395
1396         [DFG][FTL] Add NewSymbol
1397         https://bugs.webkit.org/show_bug.cgi?id=192620
1398
1399         Reviewed by Saam Barati.
1400
1401         * microbenchmarks/symbol-creation.js: Added.
1402         (test):
1403         * stress/symbol-description-identity.js: Added.
1404         (shouldBe):
1405         (test):
1406         * stress/symbol-identity.js: Added.
1407         (shouldBe):
1408         (test):
1409         * stress/symbol-with-description-throw-error.js: Added.
1410         (shouldBe):
1411         (shouldThrow):
1412         (test):
1413         (object.toString):
1414
1415 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1416
1417         [BigInt] Implement DFG/FTL typeof for BigInt
1418         https://bugs.webkit.org/show_bug.cgi?id=192619
1419
1420         Reviewed by Keith Miller.
1421
1422         * stress/big-int-boolean-proven-type.js: Added.
1423         (assert):
1424         (bool):
1425         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1426         (assert):
1427         (typeOf):
1428         (i.switch):
1429         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1430         (assert):
1431         (typeOf):
1432         * stress/big-int-type-of.js:
1433         (typeOf):
1434         (func):
1435
1436 2018-12-10  Mark Lam  <mark.lam@apple.com>
1437
1438         PropertyAttribute needs a CustomValue bit.
1439         https://bugs.webkit.org/show_bug.cgi?id=191993
1440         <rdar://problem/46264467>
1441
1442         Reviewed by Saam Barati.
1443
1444         * stress/regress-191993.js: Added.
1445
1446 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1447
1448         [BigInt] Add ValueMul into DFG
1449         https://bugs.webkit.org/show_bug.cgi?id=186175
1450
1451         Reviewed by Yusuke Suzuki.
1452
1453         * stress/big-int-mul-jit-osr.js: Added.
1454         * stress/big-int-mul-jit-untyped.js: Added.
1455         * stress/value-mul-fixup-int32-big-int.js: Added.
1456
1457 2018-12-06  Keith Miller  <keith_miller@apple.com>
1458
1459         stress/big-wasm-memory tests failing on 32-bit JSC bot
1460         https://bugs.webkit.org/show_bug.cgi?id=192020
1461
1462         Reviewed by Saam Barati.
1463
1464         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1465         the wasm stress tests if the WebAssembly object does not exist.
1466
1467         * stress/big-wasm-memory-grow-no-max.js:
1468         (test.foo):
1469         (test):
1470         (foo): Deleted.
1471         (catch): Deleted.
1472         * stress/big-wasm-memory-grow.js:
1473         (test.foo):
1474         (test):
1475         (foo): Deleted.
1476         (catch): Deleted.
1477         * stress/big-wasm-memory.js:
1478         (test.foo):
1479         (test):
1480         (foo): Deleted.
1481         (catch): Deleted.
1482
1483 2018-12-05  Mark Lam  <mark.lam@apple.com>
1484
1485         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1486         https://bugs.webkit.org/show_bug.cgi?id=192441
1487         <rdar://problem/46480355>
1488
1489         Reviewed by Saam Barati.
1490
1491         * stress/regress-192441.js: Added.
1492
1493 2018-12-04  Mark Lam  <mark.lam@apple.com>
1494
1495         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1496         https://bugs.webkit.org/show_bug.cgi?id=192386
1497         <rdar://problem/46445516>
1498
1499         Reviewed by Saam Barati.
1500
1501         * stress/regress-192386.js: Added.
1502
1503 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1504
1505         [ESNext][BigInt] Support logic operations
1506         https://bugs.webkit.org/show_bug.cgi?id=179903
1507
1508         Reviewed by Yusuke Suzuki.
1509
1510         * stress/big-int-branch-usage.js: Added.
1511         * stress/big-int-logical-and.js: Added.
1512         * stress/big-int-logical-not.js: Added.
1513         * stress/big-int-logical-or.js: Added.
1514
1515 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1516
1517         Unreviewed, rolling out r238833.
1518
1519         Breaks macOS and iOS debug builds.
1520
1521         Reverted changeset:
1522
1523         "[ESNext][BigInt] Support logic operations"
1524         https://bugs.webkit.org/show_bug.cgi?id=179903
1525         https://trac.webkit.org/changeset/238833
1526
1527 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1528
1529         [ESNext][BigInt] Support logic operations
1530         https://bugs.webkit.org/show_bug.cgi?id=179903
1531
1532         Reviewed by Yusuke Suzuki.
1533
1534         * stress/big-int-branch-usage.js: Added.
1535         * stress/big-int-logical-and.js: Added.
1536         * stress/big-int-logical-not.js: Added.
1537         * stress/big-int-logical-or.js: Added.
1538
1539 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1540
1541         [ESNext][BigInt] Implement support for "<<" and ">>"
1542         https://bugs.webkit.org/show_bug.cgi?id=186233
1543
1544         Reviewed by Yusuke Suzuki.
1545
1546         * stress/big-int-left-shift-general.js: Added.
1547         * stress/big-int-left-shift-range-error.js: Added.
1548         * stress/big-int-left-shift-type-error.js: Added.
1549         * stress/big-int-left-shift-wrapped-value.js: Added.
1550         * stress/big-int-right-shift-general.js: Added.
1551         * stress/big-int-right-shift-type-error.js: Added.
1552         * stress/big-int-right-shift-wrapped-value.js: Added.
1553         * stress/left-shift-to-primitive-precedence.js: Added.
1554         * stress/right-shift-to-primitive-precedence.js: Added.
1555
1556 2018-11-30  Dean Jackson  <dino@apple.com>
1557
1558         Add first-class support for .mjs files in jsc binary
1559         https://bugs.webkit.org/show_bug.cgi?id=192190
1560         <rdar://problem/46375715>
1561
1562         Reviewed by Keith Miller.
1563
1564         * stress/simple-module.mjs: Added.
1565         * stress/simple-script.js: Added.
1566
1567 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1568
1569         [BigInt] Implement ValueBitXor into DFG
1570         https://bugs.webkit.org/show_bug.cgi?id=190264
1571
1572         Reviewed by Yusuke Suzuki.
1573
1574         * stress/big-int-bitwise-xor-jit.js: Added.
1575         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1576         * stress/big-int-bitwise-xor-untyped.js: Added.
1577
1578 2018-11-27  Saam barati  <sbarati@apple.com>
1579
1580         r238510 broke scopes of size zero
1581         https://bugs.webkit.org/show_bug.cgi?id=192033
1582         <rdar://problem/46281734>
1583
1584         Reviewed by Keith Miller.
1585
1586         * stress/r238510-bad-loop.js: Added.
1587         (foo):
1588
1589 2018-11-27  Mark Lam  <mark.lam@apple.com>
1590
1591         [Re-landing] NaNs read from Wasm code needs to be be purified.
1592         https://bugs.webkit.org/show_bug.cgi?id=191056
1593         <rdar://problem/45660341>
1594
1595         Reviewed by Filip Pizlo.
1596
1597         * wasm/regress/regress-191056.js: Added.
1598
1599 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1600
1601         Unreviewed, rolling out r238509.
1602
1603         Causes JSC tests to fail on iOS.
1604
1605         Reverted changeset:
1606
1607         "NaNs read from Wasm code needs to be be purified."
1608         https://bugs.webkit.org/show_bug.cgi?id=191056
1609         https://trac.webkit.org/changeset/238509
1610
1611 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1612
1613         Re-introduce op_bitnot
1614         https://bugs.webkit.org/show_bug.cgi?id=190923
1615
1616         Reviewed by Yusuke Suzuki.
1617
1618         * stress/bit-not-must-generate.js: Added.
1619         * stress/bitwise-not-no-int32.js: Added.
1620
1621 2018-11-26  Saam barati  <sbarati@apple.com>
1622
1623         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1624         https://bugs.webkit.org/show_bug.cgi?id=191956
1625         <rdar://problem/45665806>
1626
1627         Reviewed by Yusuke Suzuki.
1628
1629         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1630         (bar):
1631         (foo):
1632
1633 2018-11-26  Saam barati  <sbarati@apple.com>
1634
1635         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1636         https://bugs.webkit.org/show_bug.cgi?id=191958
1637         <rdar://problem/46221877>
1638
1639         Reviewed by Yusuke Suzuki.
1640
1641         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1642         (x):
1643         (foo):
1644
1645 2018-11-26  Mark Lam  <mark.lam@apple.com>
1646
1647         NaNs read from Wasm code needs to be be purified.
1648         https://bugs.webkit.org/show_bug.cgi?id=191056
1649         <rdar://problem/45660341>
1650
1651         Reviewed by Filip Pizlo.
1652
1653         * wasm/regress/regress-191056.js: Added.
1654
1655 2018-11-26  Michael Saboff  <msaboff@apple.com>
1656
1657         32-bit JSC test failure: stress/regexp-compile-oom.js
1658         https://bugs.webkit.org/show_bug.cgi?id=191375
1659
1660         Reviewed by Mark Lam.
1661
1662         Disabled the test for 32 bit platforms.
1663
1664         * stress/regexp-compile-oom.js:
1665
1666 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1667
1668         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1669         https://bugs.webkit.org/show_bug.cgi?id=191716
1670         <rdar://problem/45723878>
1671
1672         Reviewed by Saam Barati.
1673
1674         * stress/regress-187373.js: Added.
1675         (async.fn):
1676
1677 2018-11-21  Saam barati  <sbarati@apple.com>
1678
1679         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1680         https://bugs.webkit.org/show_bug.cgi?id=191897
1681         <rdar://problem/45871998>
1682
1683         Reviewed by Mark Lam.
1684
1685         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1686         (bar):
1687         (foo):
1688
1689 2018-11-21  Saam barati  <sbarati@apple.com>
1690
1691         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1692         https://bugs.webkit.org/show_bug.cgi?id=191895
1693         <rdar://problem/46167406>
1694
1695         Reviewed by Mark Lam.
1696
1697         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1698         (foo):
1699         (bar):
1700
1701 2018-11-21  Mark Lam  <mark.lam@apple.com>
1702
1703         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1704         https://bugs.webkit.org/show_bug.cgi?id=191776
1705         <rdar://problem/46152851>
1706
1707         Reviewed by Saam Barati.
1708
1709         * stress/big-wasm-memory-grow-no-max.js:
1710         * stress/big-wasm-memory-grow.js:
1711         * stress/big-wasm-memory.js:
1712         - updated these to expect an OutOfMemoryError.
1713
1714         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1715         (Binary.prototype.emit_u8):
1716         (Binary.prototype.emit_u32v):
1717         (Binary.prototype.emit_header):
1718         (Binary.prototype.emit_section):
1719         (Binary):
1720         (WasmModuleBuilder):
1721         (WasmModuleBuilder.prototype.addMemory):
1722         (WasmModuleBuilder.prototype.toArray):
1723         (WasmModuleBuilder.prototype.toBuffer):
1724         (WasmModuleBuilder.prototype.instantiate):
1725         (catch):
1726         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1727         (catch):
1728
1729 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1730
1731         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1732         https://bugs.webkit.org/show_bug.cgi?id=190836
1733
1734         Reviewed by Saam Barati and Yusuke Suzuki.
1735
1736         * stress/big-int-out-of-memory-tests.js: Added.
1737
1738 2018-11-20  Mark Lam  <mark.lam@apple.com>
1739
1740         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1741         https://bugs.webkit.org/show_bug.cgi?id=191856
1742         <rdar://problem/46089992>
1743
1744         Reviewed by Yusuke Suzuki.
1745
1746         * stress/regress-191856.js: Added.
1747         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1748
1749 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1750
1751         Enable JIT on ARM/Linux
1752         https://bugs.webkit.org/show_bug.cgi?id=191548
1753
1754         Reviewed by Yusuke Suzuki.
1755
1756         Disable test on system with limited memory. Program was killed by
1757         the OS before the exception was thrown.
1758
1759         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1760
1761 2018-11-20  Saam barati  <sbarati@apple.com>
1762
1763         Merging an IC variant may lead to the IC status containing overlapping structure sets
1764         https://bugs.webkit.org/show_bug.cgi?id=191869
1765         <rdar://problem/45403453>
1766
1767         Reviewed by Mark Lam.
1768
1769         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1770
1771 2018-11-19  Mark Lam  <mark.lam@apple.com>
1772
1773         globalFuncImportModule() should return a promise when it clears exceptions.
1774         https://bugs.webkit.org/show_bug.cgi?id=191792
1775         <rdar://problem/46090763>
1776
1777         Reviewed by Michael Saboff.
1778
1779         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1780
1781 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1782
1783         Skip new memory-hungry tests on memory limited devices
1784
1785         Unreviewed gardening.
1786
1787         * stress/big-wasm-memory-grow-no-max.js:
1788         * stress/big-wasm-memory-grow.js:
1789         * stress/big-wasm-memory.js:
1790
1791 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1792
1793         Unreviewed, rolling in the rest of r237254
1794         https://bugs.webkit.org/show_bug.cgi?id=190340
1795
1796         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1797         * stress/function-cache-with-parameters-end-position.js: Added.
1798         (shouldBe):
1799         (shouldThrow):
1800         (i.anonymous):
1801         * stress/function-constructor-name.js: Added.
1802         (shouldBe):
1803         (GeneratorFunction):
1804         (AsyncFunction.async):
1805         (AsyncGeneratorFunction.async):
1806         (anonymous):
1807         (async.anonymous):
1808         * test262/expectations.yaml:
1809
1810 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1811
1812         All users of ArrayBuffer should agree on the same max size
1813         https://bugs.webkit.org/show_bug.cgi?id=191771
1814
1815         Reviewed by Mark Lam.
1816
1817         * stress/big-wasm-memory-grow-no-max.js: Added.
1818         (foo):
1819         (catch):
1820         * stress/big-wasm-memory-grow.js: Added.
1821         (foo):
1822         (catch):
1823         * stress/big-wasm-memory.js: Added.
1824         (foo):
1825         (catch):
1826
1827 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1828
1829         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1830         run for each JSC config since they're regression tests for runtime bugs.
1831
1832         * stress/json-stringified-overflow-2.js:
1833         * stress/json-stringified-overflow.js:
1834
1835 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1836
1837         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1838         config since they're regression tests for runtime bugs.
1839
1840         * stress/large-unshift-splice.js:
1841         * stress/regress-185888.js:
1842
1843 2018-11-16  Saam Barati  <sbarati@apple.com>
1844
1845         KnownCellUse should also have SpecCellCheck as its type filter
1846         https://bugs.webkit.org/show_bug.cgi?id=191729
1847         <rdar://problem/45872852>
1848
1849         Reviewed by Filip Pizlo.
1850
1851         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1852         (C):
1853
1854 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1855
1856         Fix assertion failure on BytecodeGenerator::recordOpcode
1857         https://bugs.webkit.org/show_bug.cgi?id=191724
1858         <rdar://problem/45724395>
1859
1860         Reviewed by Saam Barati.
1861
1862         * stress/regress-187373-2.js: Added.
1863         (foo):
1864
1865 2018-11-15  Mark Lam  <mark.lam@apple.com>
1866
1867         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1868         https://bugs.webkit.org/show_bug.cgi?id=191730
1869         <rdar://problem/46048517>
1870
1871         Reviewed by Saam Barati.
1872
1873         * stress/regress-187006.js: Removed.
1874           - this test is invalid because its sole purpose is to test for the non-spec
1875             compliant behavior that we just fixed.
1876
1877         * stress/regress-191730.js: Added.
1878
1879 2018-11-15  Mark Lam  <mark.lam@apple.com>
1880
1881         RegExp operations should not take fast patch if lastIndex is not numeric.
1882         https://bugs.webkit.org/show_bug.cgi?id=191731
1883         <rdar://problem/46017305>
1884
1885         Reviewed by Saam Barati.
1886
1887         * stress/regress-191731.js: Added.
1888
1889 2018-11-13  Saam Barati  <sbarati@apple.com>
1890
1891         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1892         https://bugs.webkit.org/show_bug.cgi?id=191600
1893
1894         Reviewed by Mark Lam.
1895
1896         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1897         (foo):
1898         (test):
1899         (bar):
1900
1901 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1902
1903         Unreviewed, rolling out r238132.
1904
1905         The test added with this change is timing out on Debug JSC
1906         bots.
1907
1908         Reverted changeset:
1909
1910         "[BigInt] JSBigInt::createWithLength should throw when length
1911         is greater than JSBigInt::maxLength"
1912         https://bugs.webkit.org/show_bug.cgi?id=190836
1913         https://trac.webkit.org/changeset/238132
1914
1915 2018-11-13  Mark Lam  <mark.lam@apple.com>
1916
1917         Add OOM detection to StringPrototype's substituteBackreferences().
1918         https://bugs.webkit.org/show_bug.cgi?id=191563
1919         <rdar://problem/45720428>
1920
1921         Reviewed by Saam Barati.
1922
1923         * stress/regress-191563.js: Added.
1924
1925 2018-11-13  Mark Lam  <mark.lam@apple.com>
1926
1927         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1928         https://bugs.webkit.org/show_bug.cgi?id=191579
1929         <rdar://problem/45942472>
1930
1931         Reviewed by Saam Barati.
1932
1933         * stress/regress-191579.js: Added.
1934
1935 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1936
1937         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1938         https://bugs.webkit.org/show_bug.cgi?id=190836
1939
1940         Reviewed by Saam Barati.
1941
1942         * stress/big-int-out-of-memory-tests.js: Added.
1943
1944 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1945
1946         U+180E is no longer a whitespace character
1947         https://bugs.webkit.org/show_bug.cgi?id=191415
1948
1949         Reviewed by Saam Barati.
1950
1951         * ChakraCore/test/es5/regexSpace.baseline:
1952         * ChakraCore/test/es6/unicode_whitespace.js:
1953         Update tests to latest version.
1954         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1955
1956         * test262.yaml:
1957         * test262/config.yaml:
1958         * test262/expectations.yaml:
1959         Update expectations.
1960
1961 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1962
1963         [BigInt] Add support to BigInt into ValueAdd
1964         https://bugs.webkit.org/show_bug.cgi?id=186177
1965
1966         Reviewed by Keith Miller.
1967
1968         * stress/big-int-negate-jit.js:
1969         * stress/value-add-big-int-and-string.js: Added.
1970         * stress/value-add-big-int-prediction-propagation.js: Added.
1971         * stress/value-add-big-int-untyped.js: Added.
1972
1973 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1974
1975         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1976         https://bugs.webkit.org/show_bug.cgi?id=191184
1977
1978         Reviewed by Saam Barati.
1979
1980         Most tests were failing due to timeouts, since they are too slow to
1981         run on CLoop. The exceptions are:
1982
1983         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1984         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1985         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1986         to change the stack size since CLoop requires it to be page aligned.
1987
1988         * microbenchmarks/array-push-1.js:
1989         * microbenchmarks/array-push-2.js:
1990         * microbenchmarks/elidable-new-object-dag.js:
1991         * microbenchmarks/elidable-new-object-roflcopter.js:
1992         * microbenchmarks/elidable-new-object-tree.js:
1993         * microbenchmarks/getter-richards.js:
1994         * microbenchmarks/sinkable-new-object-dag.js:
1995         * microbenchmarks/string-concat-long-convert.js:
1996         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1997         * slowMicrobenchmarks/array-push-3.js:
1998         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1999         * slowMicrobenchmarks/spread-small-array.js:
2000         * slowMicrobenchmarks/undefined-property-access.js:
2001         * stress/activation-sink-default-value-tdz-error.js:
2002         * stress/activation-sink-default-value.js:
2003         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2004         * stress/activation-sink-osrexit-default-value.js:
2005         * stress/activation-sink-osrexit.js:
2006         * stress/activation-sink.js:
2007         * stress/allow-math-ic-b3-code-duplication.js:
2008         * stress/array-push-multiple-int32.js:
2009         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2010         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2011         * stress/arrowfunction-lexical-this-activation-sink.js:
2012         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2013         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2014         * stress/elide-new-object-dag-then-exit.js:
2015         * stress/materialize-regexp-cyclic.js:
2016         * stress/new-regex-inline.js:
2017         * stress/op_add.js:
2018         * stress/op_bitand.js:
2019         * stress/op_bitor.js:
2020         * stress/op_bitxor.js:
2021         * stress/op_div-ConstVar.js:
2022         * stress/op_div-VarConst.js:
2023         * stress/op_div-VarVar.js:
2024         * stress/op_lshift-ConstVar.js:
2025         * stress/op_lshift-VarConst.js:
2026         * stress/op_lshift-VarVar.js:
2027         * stress/op_mod-ConstVar.js:
2028         * stress/op_mod-VarConst.js:
2029         * stress/op_mod-VarVar.js:
2030         * stress/op_mul-ConstVar.js:
2031         * stress/op_mul-VarConst.js:
2032         * stress/op_mul-VarVar.js:
2033         * stress/op_rshift-ConstVar.js:
2034         * stress/op_rshift-VarConst.js:
2035         * stress/op_rshift-VarVar.js:
2036         * stress/op_sub-ConstVar.js:
2037         * stress/op_sub-VarConst.js:
2038         * stress/op_sub-VarVar.js:
2039         * stress/op_urshift-ConstVar.js:
2040         * stress/op_urshift-VarConst.js:
2041         * stress/op_urshift-VarVar.js:
2042         * stress/proxy-get-set-correct-receiver.js:
2043         * stress/regress-179562.js:
2044         * stress/rest-parameter-many-arguments.js:
2045         * stress/sampling-profiler-richards.js:
2046         * stress/splay-flash-access-1ms.js:
2047         * stress/tailCallForwardArguments.js:
2048         * stress/typed-array-get-by-val-profiling.js:
2049         * typeProfiler/getter-richards.js:
2050
2051 2018-11-06  Michael Saboff  <msaboff@apple.com>
2052
2053         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2054         https://bugs.webkit.org/show_bug.cgi?id=191271
2055
2056         Reviewed by Saam Barati.
2057
2058         Added more test cases and made all test cases run with the same deeply recursive stack
2059         instead of finding that same point for each test case.
2060
2061         * stress/regexp-compile-oom.js:
2062         (prototype.runTest):
2063         (recurseAndTest):
2064         (testList.push.new.TestAndExpectedException):
2065
2066 2018-11-05  Michael Saboff  <msaboff@apple.com>
2067
2068         Unreviewed build fix for linux.
2069
2070         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2071
2072 2018-11-02  Michael Saboff  <msaboff@apple.com>
2073
2074         Rolling in r237753 with unreviewed build fix.
2075
2076         Fixed issues with DECLARE_THROW_SCOPE placement.
2077
2078 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2079
2080         Unreviewed, rolling out r237753.
2081
2082         Introduced JSC test failures
2083
2084         Reverted changeset:
2085
2086         "Running out of stack space not properly handled in
2087         RegExp::compile() and its callers"
2088         https://bugs.webkit.org/show_bug.cgi?id=191206
2089         https://trac.webkit.org/changeset/237753
2090
2091 2018-11-02  Michael Saboff  <msaboff@apple.com>
2092
2093         Running out of stack space not properly handled in RegExp::compile() and its callers
2094         https://bugs.webkit.org/show_bug.cgi?id=191206
2095
2096         Reviewed by Filip Pizlo.
2097
2098         New regression test.
2099
2100         * stress/regexp-compile-oom.js: Added.
2101         (recurseAndTest):
2102
2103 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2104
2105         Skip tests on arm/mips that time out now we're running on CLoop
2106
2107         Unreviewed gardening.
2108
2109         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2110         time out on the bots and need to be disabled. There's more tests
2111         disabled on arm because the timeout is longer on the mips bot (as the
2112         device is slower to start with), so many of the tests don't time out
2113         there.
2114
2115         * microbenchmarks/getter-richards.js: disable on arm and mips.
2116         * stress/op_add.js: disable on arm.
2117         * stress/op_bitand.js: disable on arm.
2118         * stress/op_bitor.js: disable on arm.
2119         * stress/op_bitxor.js: disable on arm.
2120         * stress/op_lshift-ConstVar.js: disable on arm.
2121         * stress/op_lshift-VarConst.js: disable on arm.
2122         * stress/op_lshift-VarVar.js: disable on arm.
2123         * stress/op_mod-ConstVar.js: disable on arm.
2124         * stress/op_mod-VarConst.js: disable on arm.
2125         * stress/op_mod-VarVar.js: disable on arm.
2126         * stress/op_mul-ConstVar.js: disable on arm.
2127         * stress/op_mul-VarConst.js: disable on arm.
2128         * stress/op_mul-VarVar.js: disable on arm.
2129         * stress/op_rshift-ConstVar.js: disable on arm.
2130         * stress/op_rshift-VarConst.js: disable on arm.
2131         * stress/op_rshift-VarVar.js: disable on arm.
2132         * stress/op_sub-ConstVar.js: disable on arm.
2133         * stress/op_sub-VarConst.js: disable on arm.
2134         * stress/op_sub-VarVar.js: disable on arm.
2135         * stress/op_urshift-ConstVar.js: disable on arm.
2136         * stress/op_urshift-VarConst.js: disable on arm.
2137         * stress/op_urshift-VarVar.js: disable on arm.
2138         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2139         * stress/value-to-boolean.js: disable on arm and mips.
2140
2141 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2142
2143         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2144         https://bugs.webkit.org/show_bug.cgi?id=191108
2145         <rdar://problem/45690700>
2146
2147         Reviewed by Saam Barati.
2148
2149         * stress/wide-op_catch.js: Added.
2150         (catch):
2151
2152 2018-10-29  Mark Lam  <mark.lam@apple.com>
2153
2154         Correctly detect string overflow when using the 'Function' constructor.
2155         https://bugs.webkit.org/show_bug.cgi?id=184883
2156         <rdar://problem/36320331>
2157
2158         Reviewed by Saam Barati.
2159
2160         I've verified that this passes on 32-bit as well.
2161
2162         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2163
2164 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2165
2166         Add support for GetStack FlushedDouble
2167         https://bugs.webkit.org/show_bug.cgi?id=191012
2168         <rdar://problem/45265141>
2169
2170         Reviewed by Saam Barati.
2171
2172         * stress/get-stack-double.js: Added.
2173         (bar):
2174         (noInline):
2175
2176 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2177
2178         New bytecode format for JSC
2179         https://bugs.webkit.org/show_bug.cgi?id=187373
2180         <rdar://problem/44186758>
2181
2182         Reviewed by Filip Pizlo.
2183
2184         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2185
2186         * stress/maximum-inline-capacity.js: Added.
2187         (test1):
2188         (test3.Foo):
2189         (test3):
2190
2191 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2192
2193         Unreviewed, rolling out r237479 and r237484.
2194         https://bugs.webkit.org/show_bug.cgi?id=190978
2195
2196         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2197
2198         Reverted changesets:
2199
2200         "New bytecode format for JSC"
2201         https://bugs.webkit.org/show_bug.cgi?id=187373
2202         https://trac.webkit.org/changeset/237479
2203
2204         "Gardening: Build fix after r237479."
2205         https://bugs.webkit.org/show_bug.cgi?id=187373
2206         https://trac.webkit.org/changeset/237484
2207
2208 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2209
2210         New bytecode format for JSC
2211         https://bugs.webkit.org/show_bug.cgi?id=187373
2212         <rdar://problem/44186758>
2213
2214         Reviewed by Filip Pizlo.
2215
2216         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2217
2218         * stress/maximum-inline-capacity.js: Added.
2219         (test1):
2220         (test3.Foo):
2221         (test3):
2222
2223 2018-10-26  Mark Lam  <mark.lam@apple.com>
2224
2225         Fix missing edge cases with JSGlobalObjects having a bad time.
2226         https://bugs.webkit.org/show_bug.cgi?id=189028
2227         <rdar://problem/45204939>
2228
2229         Reviewed by Saam Barati.
2230
2231         * stress/regress-189028.js: Added.
2232
2233 2018-10-22  Mark Lam  <mark.lam@apple.com>
2234
2235         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2236         https://bugs.webkit.org/show_bug.cgi?id=190515
2237         <rdar://problem/45222379>
2238
2239         Rubber-stamped by Saam Barati.
2240
2241         Adding another test.
2242
2243         * stress/regress-190515-2.js: Added.
2244
2245 2018-10-22  Mark Lam  <mark.lam@apple.com>
2246
2247         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2248         https://bugs.webkit.org/show_bug.cgi?id=190515
2249         <rdar://problem/45222379>
2250
2251         Reviewed by Saam Barati.
2252
2253         * stress/regress-190515.js: Added.
2254
2255 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2256
2257         Unreviewed, rolling out r237254.
2258         https://bugs.webkit.org/show_bug.cgi?id=190760
2259
2260         "It regresses JetStream 2 by 5% on some iOS devices"
2261         (Requested by saamyjoon on #webkit).
2262
2263         Reverted changeset:
2264
2265         "[JSC] JSC should have "parseFunction" to optimize Function
2266         constructor"
2267         https://bugs.webkit.org/show_bug.cgi?id=190340
2268         https://trac.webkit.org/changeset/237254
2269
2270 2018-10-19  Saam Barati  <sbarati@apple.com>
2271
2272         vmCall should check if we exit before emitting an OSR exit due to exceptions
2273         https://bugs.webkit.org/show_bug.cgi?id=190740
2274         <rdar://problem/45220139>
2275
2276         Reviewed by Mark Lam.
2277
2278         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2279         (foo):
2280
2281 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2282
2283         [ESNext][BigInt] Implement support for "^"
2284         https://bugs.webkit.org/show_bug.cgi?id=186235
2285
2286         Reviewed by Yusuke Suzuki.
2287
2288         * stress/big-int-bitwise-xor-general.js: Added.
2289         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2290         * stress/big-int-bitwise-xor-type-error.js: Added.
2291         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2292
2293 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2294
2295         [BigInt] Add ValueSub into DFG
2296         https://bugs.webkit.org/show_bug.cgi?id=186176
2297
2298         Reviewed by Yusuke Suzuki.
2299
2300         * stress/big-int-subtraction-jit.js:
2301         * stress/value-sub-big-int-prediction-propagation.js: Added.
2302         * stress/value-sub-big-int-untyped.js: Added.
2303         * stress/value-sub-spec-none-case.js: Added.
2304
2305 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2306
2307         [JSC] JSC should have "parseFunction" to optimize Function constructor
2308         https://bugs.webkit.org/show_bug.cgi?id=190340
2309
2310         Reviewed by Mark Lam.
2311
2312         This patch fixes the line number of syntax errors raised by the Function constructor,
2313         since we now parse the final code only once. And we no longer use block statement
2314         for Function constructor's parsing.
2315
2316         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2317         * stress/function-cache-with-parameters-end-position.js: Added.
2318         (shouldBe):
2319         (shouldThrow):
2320         (i.anonymous):
2321         * stress/function-constructor-name.js: Added.
2322         (shouldBe):
2323         (GeneratorFunction):
2324         (AsyncFunction.async):
2325         (AsyncGeneratorFunction.async):
2326         (anonymous):
2327         (async.anonymous):
2328         * test262/expectations.yaml:
2329
2330 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2331
2332         Unreviewed, rolling out r237242.
2333         https://bugs.webkit.org/show_bug.cgi?id=190701
2334
2335         it breaks "stress/sampling-profiler-basic.js" (Requested by
2336         caiolima on #webkit).
2337
2338         Reverted changeset:
2339
2340         "[BigInt] Add ValueSub into DFG"
2341         https://bugs.webkit.org/show_bug.cgi?id=186176
2342         https://trac.webkit.org/changeset/237242
2343
2344 2018-10-17  Keith Miller  <keith_miller@apple.com>
2345
2346         AI does not clear Phantom allocation nodes.
2347         https://bugs.webkit.org/show_bug.cgi?id=190694
2348
2349         Reviewed by Saam Barati.
2350
2351         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2352         (Day):
2353         (DaysInYear):
2354         (TimeInYear):
2355         (TimeFromYear):
2356         (DayFromYear):
2357         (InLeapYear):
2358         (YearFromTime):
2359         (WeekDay):
2360         (DaylightSavingTA):
2361         (GetSecondSundayInMarch):
2362         (TimeInMonth):
2363
2364 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2365
2366         [BigInt] Add ValueSub into DFG
2367         https://bugs.webkit.org/show_bug.cgi?id=186176
2368
2369         Reviewed by Yusuke Suzuki.
2370
2371         * stress/big-int-subtraction-jit.js:
2372         * stress/value-sub-big-int-prediction-propagation.js: Added.
2373         * stress/value-sub-big-int-untyped.js: Added.
2374
2375 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2376
2377         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2378         https://bugs.webkit.org/show_bug.cgi?id=190611
2379
2380         Reviewed by Saam Barati.
2381
2382         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2383         to improve test runtime. On ARM/MIPS this test even timed out when running all
2384         tests.
2385
2386         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2387         (test):
2388
2389 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2390
2391         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2392
2393         Unreviewed gardening.
2394
2395         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2396
2397 2018-10-15  Saam barati  <sbarati@apple.com>
2398
2399         Emit fjcvtzs on ARM64E on Darwin
2400         https://bugs.webkit.org/show_bug.cgi?id=184023
2401
2402         Reviewed by Yusuke Suzuki and Filip Pizlo.
2403
2404         * stress/double-to-int32-NaN.js: Added.
2405         (assert):
2406         (foo):
2407
2408 2018-10-15  Saam Barati  <sbarati@apple.com>
2409
2410         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2411         https://bugs.webkit.org/show_bug.cgi?id=190262
2412         <rdar://problem/44986241>
2413
2414         Reviewed by Mark Lam.
2415
2416         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2417         (test):
2418         * stress/slice-array-storage-with-holes.js: Added.
2419         (main):
2420
2421 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2422
2423         Unreviewed, rolling out r237054.
2424         https://bugs.webkit.org/show_bug.cgi?id=190593
2425
2426         "this regressed JetStream 2 by 6% on iOS" (Requested by
2427         saamyjoon on #webkit).
2428
2429         Reverted changeset:
2430
2431         "[JSC] JSC should have "parseFunction" to optimize Function
2432         constructor"
2433         https://bugs.webkit.org/show_bug.cgi?id=190340
2434         https://trac.webkit.org/changeset/237054
2435
2436 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2437
2438         [JSC] JSON.stringify can accept call-with-no-arguments
2439         https://bugs.webkit.org/show_bug.cgi?id=190343
2440
2441         Reviewed by Mark Lam.
2442
2443         * stress/json-stringify-no-arguments.js: Added.
2444         (shouldBe):
2445
2446 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2447
2448         [JSC] JSC should have "parseFunction" to optimize Function constructor
2449         https://bugs.webkit.org/show_bug.cgi?id=190340
2450
2451         Reviewed by Mark Lam.
2452
2453         This patch fixes the line number of syntax errors raised by the Function constructor,
2454         since we now parse the final code only once. And we no longer use block statement
2455         for Function constructor's parsing.
2456
2457         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2458         * stress/function-cache-with-parameters-end-position.js: Added.
2459         (shouldBe):
2460         (shouldThrow):
2461         (i.anonymous):
2462         * stress/function-constructor-name.js: Added.
2463         (shouldBe):
2464         (GeneratorFunction):
2465         (AsyncFunction.async):
2466         (AsyncGeneratorFunction.async):
2467         (anonymous):
2468         (async.anonymous):
2469         * test262/expectations.yaml:
2470
2471 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2472
2473         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2474         https://bugs.webkit.org/show_bug.cgi?id=190426
2475
2476         Unreviewed gardening.
2477
2478         * stress/sampling-profiler-richards.js:
2479
2480 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2481
2482         [ESNext][BigInt] Implement support for "|"
2483         https://bugs.webkit.org/show_bug.cgi?id=186229
2484
2485         Reviewed by Yusuke Suzuki.
2486
2487         * stress/big-int-bitwise-and-jit.js:
2488         * stress/big-int-bitwise-or-general.js: Added.
2489         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2490         * stress/big-int-bitwise-or-jit.js: Added.
2491         * stress/big-int-bitwise-or-memory-stress.js: Added.
2492         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2493         * stress/big-int-bitwise-or-type-error.js: Added.
2494         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2495
2496 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2497
2498         Skip test on systems with limited memory
2499         https://bugs.webkit.org/show_bug.cgi?id=190310
2500
2501         Invoking runDefault adds test to runlist, skipping the test in the next
2502         line does not prevent the test from executing. Change order of lines such
2503         that runDefault is only executed if test is not executed.
2504
2505         Reviewed by Mark Lam.
2506
2507         * stress/regress-190187.js:
2508
2509 2018-10-03  Saam barati  <sbarati@apple.com>
2510
2511         lowXYZ in FTLLower should always filter the type of the incoming edge
2512         https://bugs.webkit.org/show_bug.cgi?id=189939
2513         <rdar://problem/44407030>
2514
2515         Reviewed by Michael Saboff.
2516
2517         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2518         (foo):
2519         (test):
2520
2521 2018-10-03  Mark Lam  <mark.lam@apple.com>
2522
2523         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2524         https://bugs.webkit.org/show_bug.cgi?id=190187
2525         <rdar://problem/42512909>
2526
2527         Reviewed by Michael Saboff.
2528
2529         * stress/regress-190187.js: Added.
2530
2531 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2532
2533         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2534         https://bugs.webkit.org/show_bug.cgi?id=190033
2535
2536         Reviewed by Yusuke Suzuki.
2537
2538         * stress/big-int-to-string.js:
2539
2540 2018-10-01  Mark Lam  <mark.lam@apple.com>
2541
2542         Function.toString() should also copy the source code Functions that are class definitions.
2543         https://bugs.webkit.org/show_bug.cgi?id=190186
2544         <rdar://problem/44733360>
2545
2546         Reviewed by Saam Barati.
2547
2548         * stress/regress-190186.js: Added.
2549
2550 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2551
2552         Split NaN-check into separate test
2553         https://bugs.webkit.org/show_bug.cgi?id=190010
2554
2555         Reviewed by Saam Barati.
2556
2557         DataView exposes NaN-representation, which is not necessarily the same on each
2558         architecture. Therefore move the check of the NaN-representation into its own
2559         file such that we can disable this test on MIPS where NaN-representation can be
2560         different on older CPUs.
2561
2562         * stress/dataview-jit-set-nan.js: Added.
2563         (assert):
2564         (test.storeLittleEndian):
2565         (test.storeBigEndian):
2566         (test.store):
2567         (test):
2568         * stress/dataview-jit-set.js:
2569         (test5):
2570
2571 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2572
2573         Unreviewed, rolling out r236647.
2574         https://bugs.webkit.org/show_bug.cgi?id=190124
2575
2576         Breaking test stress/big-int-to-string.js (Requested by
2577         caiolima_ on #webkit).
2578
2579         Reverted changeset:
2580
2581         "[BigInt] BigInt.proptotype.toString is broken when radix is
2582         power of 2"
2583         https://bugs.webkit.org/show_bug.cgi?id=190033
2584         https://trac.webkit.org/changeset/236647
2585
2586 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2587
2588         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2589         https://bugs.webkit.org/show_bug.cgi?id=190033
2590
2591         Reviewed by Yusuke Suzuki.
2592
2593         * stress/big-int-to-string.js:
2594
2595 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2596
2597         [ESNext][BigInt] Implement support for "&"
2598         https://bugs.webkit.org/show_bug.cgi?id=186228
2599
2600         Reviewed by Yusuke Suzuki.
2601
2602         * stress/big-int-bitwise-and-general.js: Added.
2603         (assert):
2604         (assert.sameValue):
2605         * stress/big-int-bitwise-and-jit.js: Added.
2606         (let.assert.sameValue):
2607         (bigIntBitAnd):
2608         * stress/big-int-bitwise-and-memory-stress.js: Added.
2609         (assert):
2610         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2611         (assert.sameValue):
2612         (let.o.Symbol.toPrimitive):
2613         (catch):
2614         * stress/big-int-bitwise-and-type-error.js: Added.
2615         (assert):
2616         (assertThrowTypeError):
2617         (let.o.valueOf):
2618         (o.valueOf):
2619         (o.toString):
2620         (o.Symbol.toPrimitive):
2621         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2622         (assert.sameValue):
2623         (testBitAnd):
2624         (let.o.Symbol.toPrimitive):
2625         (o.valueOf):
2626         (o.toString):
2627
2628 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2629
2630         JSC test stress/jsc-read.js doesn't support CRLF
2631         https://bugs.webkit.org/show_bug.cgi?id=190063
2632
2633         Reviewed by Yusuke Suzuki.
2634
2635         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2636
2637         * stress/jsc-read.js:
2638         (test):
2639
2640 2018-09-27  Saam barati  <sbarati@apple.com>
2641
2642         Verify the contents of AssemblerBuffer on arm64e
2643         https://bugs.webkit.org/show_bug.cgi?id=190057
2644         <rdar://problem/38916630>
2645
2646         Reviewed by Mark Lam.
2647
2648         * stress/regress-189132.js:
2649
2650 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2651
2652         Disable test without LLInt on ARMv7
2653         https://bugs.webkit.org/show_bug.cgi?id=190037
2654
2655         Reviewed by Mark Lam.
2656
2657         Test runs out of executable memory on ARMv7, do not run
2658         this test without LLInt enabled.
2659
2660         * stress/regress-169445.js:
2661
2662 2018-09-26  Keith Miller  <keith_miller@apple.com>
2663
2664         We should zero unused property storage when rebalancing array storage.
2665         https://bugs.webkit.org/show_bug.cgi?id=188151
2666
2667         Reviewed by Michael Saboff.
2668
2669         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2670
2671 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2672
2673         [JSC] Optimize Array#lastIndexOf
2674         https://bugs.webkit.org/show_bug.cgi?id=189780
2675
2676         Reviewed by Saam Barati.
2677
2678         * stress/array-lastindexof-array-prototype-trap.js: Added.
2679         (shouldBe):
2680         (AncestorArray.prototype.get 2):
2681         (AncestorArray):
2682         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2683         (shouldBe):
2684         * stress/array-lastindexof-hole-nan.js: Added.
2685         (shouldBe):
2686         (throw.new.Error):
2687         * stress/array-lastindexof-infinity.js: Added.
2688         (shouldBe):
2689         (throw.new.Error):
2690         * stress/array-lastindexof-negative-zero.js: Added.
2691         (shouldBe):
2692         (throw.new.Error):
2693         * stress/array-lastindexof-own-getter.js: Added.
2694         (shouldBe):
2695         (throw.new.Error.get array):
2696         (get array):
2697         * stress/array-lastindexof-prototype-trap.js: Added.
2698         (shouldBe):
2699         (DerivedArray.prototype.get 2):
2700         (DerivedArray):
2701
2702 2018-09-25  Saam Barati  <sbarati@apple.com>
2703
2704         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2705         https://bugs.webkit.org/show_bug.cgi?id=189940
2706         <rdar://problem/43640987>
2707
2708         Reviewed by Mark Lam.
2709
2710         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2711
2712 2018-09-24  Saam Barati  <sbarati@apple.com>
2713
2714         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2715         https://bugs.webkit.org/show_bug.cgi?id=189922
2716         <rdar://problem/44651275>
2717
2718         Reviewed by Mark Lam.
2719
2720         * stress/array-indexof-fast-path-effects.js: Added.
2721         * stress/array-indexof-cached-length.js: Added.
2722
2723 2018-09-24  Saam barati  <sbarati@apple.com>
2724
2725         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2726         https://bugs.webkit.org/show_bug.cgi?id=189682
2727         <rdar://problem/43557315>
2728
2729         Reviewed by Mark Lam.
2730
2731         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2732         (foo):
2733
2734 2018-09-22  Saam barati  <sbarati@apple.com>
2735
2736         The sampling should not use Strong<CodeBlock> in its machineLocation field
2737         https://bugs.webkit.org/show_bug.cgi?id=189319
2738
2739         Reviewed by Filip Pizlo.
2740
2741         * stress/sampling-profiler-richards.js: Added.
2742
2743 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2744
2745         [JSC] Optimize Array#indexOf in C++ runtime
2746         https://bugs.webkit.org/show_bug.cgi?id=189507
2747
2748         Reviewed by Saam Barati.
2749
2750         * stress/array-indexof-array-prototype-trap.js: Added.
2751         (shouldBe):
2752         (AncestorArray.prototype.get 2):
2753         (AncestorArray):
2754         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2755         (shouldBe):
2756         * stress/array-indexof-hole-nan.js: Added.
2757         (shouldBe):
2758         (throw.new.Error):
2759         * stress/array-indexof-infinity.js: Added.
2760         (shouldBe):
2761         (throw.new.Error):
2762         * stress/array-indexof-negative-zero.js: Added.
2763         (shouldBe):
2764         (throw.new.Error):
2765         * stress/array-indexof-own-getter.js: Added.
2766         (shouldBe):
2767         (throw.new.Error.get array):
2768         (get array):
2769         * stress/array-indexof-prototype-trap.js: Added.
2770         (shouldBe):
2771         (DerivedArray.prototype.get 2):
2772         (DerivedArray):
2773
2774 2018-09-19  Saam barati  <sbarati@apple.com>
2775
2776         AI rule for MultiPutByOffset executes its effects in the wrong order
2777         https://bugs.webkit.org/show_bug.cgi?id=189757
2778         <rdar://problem/43535257>
2779
2780         Reviewed by Michael Saboff.
2781
2782         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2783         (foo):
2784         (Foo):
2785         (g):
2786
2787 2018-09-17  Mark Lam  <mark.lam@apple.com>
2788
2789         Ensure that ForInContexts are invalidated if their loop local is over-written.
2790         https://bugs.webkit.org/show_bug.cgi?id=189571
2791         <rdar://problem/44402277>
2792
2793         Reviewed by Saam Barati.
2794
2795         * stress/regress-189571.js: Added.
2796
2797 2018-09-17  Saam barati  <sbarati@apple.com>
2798
2799         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2800         https://bugs.webkit.org/show_bug.cgi?id=189676
2801         <rdar://problem/39682897>
2802
2803         Reviewed by Michael Saboff.
2804
2805         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2806         (A):
2807         (K):
2808         (i.catch):
2809
2810 2018-09-14  Saam barati  <sbarati@apple.com>
2811
2812         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2813         https://bugs.webkit.org/show_bug.cgi?id=189628
2814         <rdar://problem/39481690>
2815
2816         Reviewed by Mark Lam.
2817
2818         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2819         (foo):
2820
2821 2018-09-11  Mark Lam  <mark.lam@apple.com>
2822
2823         Test for array initialization in arrayProtoFuncSplice.
2824         https://bugs.webkit.org/show_bug.cgi?id=170253
2825         <rdar://problem/31328773>
2826
2827         Rubber-stamped by Saam Barati.
2828
2829         * stress/regress-170253.js: Added.
2830
2831 2018-09-11  Mark Lam  <mark.lam@apple.com>
2832
2833         Test for IntlObject initialization.
2834         https://bugs.webkit.org/show_bug.cgi?id=170251
2835         <rdar://problem/31328419>
2836
2837         Rubber-stamped by Saam Barati.
2838
2839         * stress/regress-170251.js: Added.
2840
2841 2018-09-11  Mark Lam  <mark.lam@apple.com>
2842
2843         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2844         https://bugs.webkit.org/show_bug.cgi?id=169889
2845         <rdar://problem/31155607>
2846
2847         Reviewed by Saam Barati.
2848
2849         * stress/regress-169889-array-concat.js: Added.
2850         * stress/regress-169889-array-concat1.js: Added.
2851         * stress/regress-169889-array-slice.js: Added.
2852
2853 2018-09-11  Mark Lam  <mark.lam@apple.com>
2854
2855         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2856         https://bugs.webkit.org/show_bug.cgi?id=169445
2857         <rdar://problem/30957435>
2858
2859         Reviewed by Saam Barati.
2860
2861         * stress/regress-169445.js: Added.
2862         (let.gun.eval.A):
2863         (let.gun.eval.B.C):
2864         (let.gun.eval.B.C.prototype.trigger):
2865         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2866         (let.gun.eval.B):
2867         (let.gun.eval):
2868
2869 == Rolled over to ChangeLog-2018-09-11 ==