c381164f44f6a8bfaeebbed8050234a3e7d94be2
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-20  Saam Barati  <sbarati@apple.com>
2
3         typeOfDoubleSum is wrong for when NaN can be produced
4         https://bugs.webkit.org/show_bug.cgi?id=196030
5
6         Reviewed by Filip Pizlo.
7
8         * stress/double-add-sub-mul-can-produce-nan.js: Added.
9         (assert):
10         (noInline.sub):
11         (noInline):
12         (assert.mul):
13         (assert.add):
14
15 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
16
17         Update the test to ensure OutOfMemoryError is thrown as intended
18         https://bugs.webkit.org/show_bug.cgi?id=196032
19         <rdar://problem/46842740>
20
21         Rubber stamped by Saam Barati.
22
23         * stress/create-error-out-of-memory-rope-string.js:
24         (assert):
25         (catch):
26
27 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
28
29         JSC::createError needs to check for OOM in errorDescriptionForValue
30         https://bugs.webkit.org/show_bug.cgi?id=196032
31         <rdar://problem/46842740>
32
33         Reviewed by Mark Lam.
34
35         * stress/create-error-out-of-memory-rope-string.js: Added.
36
37 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
38
39         Unreviewed, reduce # of iterations to avoid timing out after r242991
40         https://bugs.webkit.org/show_bug.cgi?id=195791
41
42         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
43
44         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
45
46 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
47
48         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
49         https://bugs.webkit.org/show_bug.cgi?id=195950
50
51         Unreviewed, reducing the amount of memory used on this test to avoid
52         OOM on devices with memory restrictions.
53
54         * microbenchmarks/generate-multiple-llint-entrypoints.js:
55
56 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
57
58         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
59         https://bugs.webkit.org/show_bug.cgi?id=194648
60
61         Reviewed by Keith Miller.
62
63         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
64
65 2019-03-18  Mark Lam  <mark.lam@apple.com>
66
67         Missing a ThrowScope release in JSObject::toString().
68         https://bugs.webkit.org/show_bug.cgi?id=195893
69         <rdar://problem/48970986>
70
71         Reviewed by Michael Saboff.
72
73         * stress/to-string-exception-check-release.js: Added.
74
75 2019-03-18  Mark Lam  <mark.lam@apple.com>
76
77         Structure::flattenDictionary() should clear unused property slots.
78         https://bugs.webkit.org/show_bug.cgi?id=195871
79         <rdar://problem/48959497>
80
81         Reviewed by Michael Saboff.
82
83         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
84
85 2019-03-15  Mark Lam  <mark.lam@apple.com>
86
87         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
88         https://bugs.webkit.org/show_bug.cgi?id=195827
89         <rdar://problem/48845513>
90
91         Reviewed by Filip Pizlo.
92
93         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
94
95 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
96
97         [ARM,MIPS] Skip slow tests
98         https://bugs.webkit.org/show_bug.cgi?id=195799
99
100         Unreviewed, test does not finish on ARM and MIPS within the
101         timeout limit.
102
103         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
104
105 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
106
107         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
108         https://bugs.webkit.org/show_bug.cgi?id=195791
109         <rdar://problem/48806130>
110
111         Reviewed by Mark Lam.
112
113         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
114         (foo):
115
116 2019-03-14  Saam barati  <sbarati@apple.com>
117
118         We can't remove code after ForceOSRExit until after FixupPhase
119         https://bugs.webkit.org/show_bug.cgi?id=186916
120         <rdar://problem/41396612>
121
122         Reviewed by Yusuke Suzuki.
123
124         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
125         (foo):
126         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
127         (foo):
128
129 2019-03-13  Michael Saboff  <msaboff@apple.com>
130
131         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
132         https://bugs.webkit.org/show_bug.cgi?id=195735
133
134         Reviewed by Mark Lam.
135
136         New regression test.
137
138         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
139         (foo):
140         (bar):
141
142 2019-03-14  Saam barati  <sbarati@apple.com>
143
144         Fixup uses KnownInt32 incorrectly in some nodes
145         https://bugs.webkit.org/show_bug.cgi?id=195279
146         <rdar://problem/47915654>
147
148         Reviewed by Yusuke Suzuki.
149
150         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
151         (foo):
152
153 2019-03-14  Keith Miller  <keith_miller@apple.com>
154
155         DFG liveness can't skip tail caller inline frames
156         https://bugs.webkit.org/show_bug.cgi?id=195715
157
158         Reviewed by Saam Barati.
159
160         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
161         (i.foo):
162
163 2019-03-13  Mark Lam  <mark.lam@apple.com>
164
165         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
166         https://bugs.webkit.org/show_bug.cgi?id=195415
167
168         Not reviewed.
169
170         Changed these tests to only run the default configuration.
171         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
172         There's no strong need to run this test on that variant.
173
174         * stress/dfg-to-string-on-int-does-gc.js:
175         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
176
177 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
178
179         String overflow when using StringBuilder in JSC::createError
180         https://bugs.webkit.org/show_bug.cgi?id=194957
181
182         Reviewed by Mark Lam.
183
184         Add test string-overflow-createError-builder.js that overflows
185         StringBuilder in notAFunctionSourceAppender. The second new test
186         string-overflow-createError-fit.js has an error message that doesn't
187         overflow, it still failed since the String's capacity can't be doubled.
188         Run test string-overflow-createError.js only in the default
189         configuration to reduce memory consumption when running the test
190         in all configurations on multiple CPUs in parallel.
191
192         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
193         (catch):
194         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
195         (catch):
196         * stress/string-overflow-createError.js:
197
198 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
199
200         [JSC] OSR entry should respect abstract values in addition to flush formats
201         https://bugs.webkit.org/show_bug.cgi?id=195653
202
203         Reviewed by Mark Lam.
204
205         * stress/osr-entry-locals-none.js: Added.
206
207 2019-03-12  Michael Saboff  <msaboff@apple.com>
208
209         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
210         https://bugs.webkit.org/show_bug.cgi?id=195613
211
212         Reviewed by Mark Lam.
213
214         New regression test.
215
216         * stress/regexp-backref-inbounds.js: Added.
217         (testRegExp):
218
219 2019-03-12  Mark Lam  <mark.lam@apple.com>
220
221         The HasIndexedProperty node does GC.
222         https://bugs.webkit.org/show_bug.cgi?id=195559
223         <rdar://problem/48767923>
224
225         Reviewed by Yusuke Suzuki.
226
227         * stress/HasIndexedProperty-does-gc.js: Added.
228
229 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
230
231         [ESNext][BigInt] Implement "~" unary operation
232         https://bugs.webkit.org/show_bug.cgi?id=182216
233
234         Reviewed by Keith Miller.
235
236         * stress/big-int-bit-not-general.js: Added.
237         * stress/big-int-bitwise-not-jit.js: Added.
238         * stress/big-int-bitwise-not-wrapped-value.js: Added.
239         * stress/bit-op-with-object-returning-int32.js:
240         * stress/bitwise-not-fixup-rules.js: Added.
241         * stress/value-bit-not-ai-rule.js: Added.
242
243 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
244
245         Invalid flags in a RegExp literal should be an early SyntaxError
246         https://bugs.webkit.org/show_bug.cgi?id=195514
247
248         Reviewed by Darin Adler.
249
250         * test262/expectations.yaml:
251         Mark 4 test cases as passing.
252
253         * stress/regexp-syntax-error-invalid-flags.js:
254         * stress/regress-161995.js: Removed.
255         Update existing test, merging in an older test for the same behavior.
256
257 2019-03-08  Mark Lam  <mark.lam@apple.com>
258
259         Stack overflow crash in JSC::JSObject::hasInstance.
260         https://bugs.webkit.org/show_bug.cgi?id=195458
261         <rdar://problem/48710195>
262
263         Reviewed by Yusuke Suzuki.
264
265         * stress/stack-overflow-in-custom-hasInstance.js: Added.
266
267 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
268
269         op_check_tdz does not def its argument
270         https://bugs.webkit.org/show_bug.cgi?id=192880
271         <rdar://problem/46221598>
272
273         Reviewed by Saam Barati.
274
275         * microbenchmarks/let-for-in.js: Added.
276         (foo):
277
278 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
279
280         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
281         https://bugs.webkit.org/show_bug.cgi?id=195429
282
283         Reviewed by Saam Barati.
284
285         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
286         (foo):
287         * stress/string-from-char-code-255.js: Added.
288
289 2019-03-06  Mark Lam  <mark.lam@apple.com>
290
291         Fix incorrect handling of try-finally completion values.
292         https://bugs.webkit.org/show_bug.cgi?id=195131
293         <rdar://problem/46222079>
294
295         Reviewed by Saam Barati and Yusuke Suzuki.
296
297         Added many permutations of new test case to test-finally.js.  test-finally.js has
298         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
299         tests pass there as well.
300
301         * stress/test-finally.js:
302
303 2019-03-06  Saam Barati  <sbarati@apple.com>
304
305         Air::reportUsedRegisters must padInterference
306         https://bugs.webkit.org/show_bug.cgi?id=195303
307         <rdar://problem/48270343>
308
309         Reviewed by Keith Miller.
310
311         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
312
313 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
314
315         [JSC] AI should not propagate AbstractValue relying on constant folding phase
316         https://bugs.webkit.org/show_bug.cgi?id=195375
317
318         Reviewed by Saam Barati.
319
320         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
321         (let.array):
322
323 2019-03-05  Saam barati  <sbarati@apple.com>
324
325         op_switch_char broken for rope strings after JSRopeString layout rewrite
326         https://bugs.webkit.org/show_bug.cgi?id=195339
327         <rdar://problem/48592545>
328
329         Reviewed by Yusuke Suzuki.
330
331         * stress/switch-on-char-llint-rope.js: Added.
332
333 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
334
335         [JSC] Store bits for JSRopeString in 3 stores
336         https://bugs.webkit.org/show_bug.cgi?id=195234
337
338         Reviewed by Saam Barati.
339
340         * stress/null-rope-and-collectors.js: Added.
341
342 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
343
344         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
345         https://bugs.webkit.org/show_bug.cgi?id=195207
346
347         Unreviewed. After test runtime was reduced in r242213, test can be
348         run again on ARM/MIPS.
349
350         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
351
352 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
353
354         [JSC] sizeof(JSString) should be 16
355         https://bugs.webkit.org/show_bug.cgi?id=194375
356
357         Reviewed by Saam Barati.
358
359         * microbenchmarks/make-rope.js: Added.
360         (makeRope):
361         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
362         (returnRope.helper): Deleted.
363         (returnRope): Deleted.
364
365 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
366
367         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
368         https://bugs.webkit.org/show_bug.cgi?id=195144
369
370         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
371         Change the number from 1e8 to 1e5.
372
373         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
374         (foo):
375
376 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
377
378         Test times out on ARM/MIPS
379         https://bugs.webkit.org/show_bug.cgi?id=195168
380
381         Unreviewed. Skip test on ARM/MIPS.
382
383         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
384
385 2019-02-27  Mark Lam  <mark.lam@apple.com>
386
387         The parser is failing to record the token location of new in new.target.
388         https://bugs.webkit.org/show_bug.cgi?id=195127
389         <rdar://problem/39645578>
390
391         Reviewed by Yusuke Suzuki.
392
393         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
394
395 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
396
397         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
398         https://bugs.webkit.org/show_bug.cgi?id=195144
399         <rdar://problem/47595961>
400
401         Reviewed by Mark Lam.
402
403         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
404         (bar):
405         (foo):
406         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
407         (bar):
408         (foo):
409
410 2019-02-27  Robin Morisset  <rmorisset@apple.com>
411
412         DFG: Loop-invariant code motion (LICM) should not hoist dead code
413         https://bugs.webkit.org/show_bug.cgi?id=194945
414         <rdar://problem/48311657>
415
416         Reviewed by Mark Lam.
417
418         * stress/licm-dead-code.js: Added.
419
420 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
421
422         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
423         https://bugs.webkit.org/show_bug.cgi?id=194677
424         <rdar://problem/48112492>
425
426         Reviewed by Mark Lam.
427
428         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
429         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
430         it immediately fails due to the large size.
431
432         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
433         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
434         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
435         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
436
437         This patch changes the test to produce 16bit string from String.fromCharCode.
438
439         * stress/regress-178386.js:
440
441 2019-02-26  Mark Lam  <mark.lam@apple.com>
442
443         wasmToJS() should purify incoming NaNs.
444         https://bugs.webkit.org/show_bug.cgi?id=194807
445         <rdar://problem/48189132>
446
447         Reviewed by Saam Barati.
448
449         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
450
451 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
452
453         [JSC] Repeat string created from Array.prototype.join() take too much memory
454         https://bugs.webkit.org/show_bug.cgi?id=193912
455
456         Reviewed by Saam Barati.
457
458         Added a test and a microbenchmark for corner cases of
459         Array.prototype.join() with an uninitialized array.
460
461         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
462         * stress/array-prototype-join-uninitialized.js: Added.
463         (testArray):
464         (testABC):
465         (B):
466         (C):
467
468 2019-02-22  Robin Morisset  <rmorisset@apple.com>
469
470         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
471         https://bugs.webkit.org/show_bug.cgi?id=194953
472         <rdar://problem/47595253>
473
474         Reviewed by Saam Barati.
475
476         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
477
478         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
479
480 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
481
482         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
483         https://bugs.webkit.org/show_bug.cgi?id=172848
484         <rdar://problem/25709212>
485
486         Reviewed by Mark Lam.
487
488         * typeProfiler/inheritance.js:
489         Rewrite the test slightly for clarity. The hoisting was confusing.
490
491         * heapProfiler/class-names.js: Added.
492         (MyES5Class):
493         (MyES6Class):
494         (MyES6Subclass):
495         Test object types and improved class names.
496
497         * heapProfiler/driver/driver.js:
498         (CheapHeapSnapshotNode):
499         (CheapHeapSnapshot):
500         (createCheapHeapSnapshot):
501         (HeapSnapshot):
502         (createHeapSnapshot):
503         Update snapshot parsing from version 1 to version 2.
504
505 2019-02-19  Truitt Savell  <tsavell@apple.com>
506
507         Unreviewed, rolling out r241784.
508
509         Broke all OpenSource builds.
510
511         Reverted changeset:
512
513         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
514         instances view"
515         https://bugs.webkit.org/show_bug.cgi?id=172848
516         https://trac.webkit.org/changeset/241784
517
518 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
519
520         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
521         https://bugs.webkit.org/show_bug.cgi?id=172848
522         <rdar://problem/25709212>
523
524         Reviewed by Mark Lam.
525
526         * typeProfiler/inheritance.js:
527         Rewrite the test slightly for clarity. The hoisting was confusing.
528
529         * heapProfiler/class-names.js: Added.
530         (MyES5Class):
531         (MyES6Class):
532         (MyES6Subclass):
533         Test object types and improved class names.
534
535         * heapProfiler/driver/driver.js:
536         (CheapHeapSnapshotNode):
537         (CheapHeapSnapshot):
538         (createCheapHeapSnapshot):
539         (HeapSnapshot):
540         (createHeapSnapshot):
541         Update snapshot parsing from version 1 to version 2.
542
543 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
544
545         [ARM] Fix crash with sampling profiler
546         https://bugs.webkit.org/show_bug.cgi?id=194772
547
548         Reviewed by Mark Lam.
549
550         Do not skip test since crash with sampling profiler is now fixed.
551
552         * stress/sampling-profiler-richards.js:
553
554 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
555
556         [JSC] Add LazyClassStructure::getInitializedOnMainThread
557         https://bugs.webkit.org/show_bug.cgi?id=194784
558         <rdar://problem/48154820>
559
560         Reviewed by Mark Lam.
561
562         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
563         (getProperties):
564         (getRandomProperty):
565         (i.catch):
566
567 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
568
569         [ARM] Test gardening: Test running out of executable memory
570         https://bugs.webkit.org/show_bug.cgi?id=194771
571
572         Unreviewed. Do not run test without LLInt, test is running out of executable
573         memory on ARM otherwise.
574
575         * stress/tagged-template-object-collect.js:
576
577 2019-02-18  Tomas Popela  <tpopela@redhat.com>
578
579         Unreviewed, skip the test on platforms without sampling profiler
580
581         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
582         (platformSupportsSamplingProfiler.foo):
583         (platformSupportsSamplingProfiler.test):
584         (platformSupportsSamplingProfiler):
585         (foo): Deleted.
586         (test): Deleted.
587
588 2019-02-17  Saam Barati  <sbarati@apple.com>
589
590         Deadlock when adding a Structure property transition and then doing incremental marking
591         https://bugs.webkit.org/show_bug.cgi?id=194767
592
593         Reviewed by Mark Lam.
594
595         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
596
597 2019-02-15  Michael Saboff  <msaboff@apple.com>
598
599         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
600         https://bugs.webkit.org/show_bug.cgi?id=194558
601
602         Reviewed by Saam Barati.
603
604         New regression test.
605
606         * stress/regexp-unicode-within-string.js: Added.
607
608 2019-02-15  Mark Lam  <mark.lam@apple.com>
609
610         SamplingProfiler::stackTracesAsJSON() should escape strings.
611         https://bugs.webkit.org/show_bug.cgi?id=194649
612         <rdar://problem/48072386>
613
614         Reviewed by Saam Barati.
615
616         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
617         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
618         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
619         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
620
621 2019-02-15  Robin Morisset  <rmorisset@apple.com>
622         CodeBlock::jettison should clear related watchpoints
623         https://bugs.webkit.org/show_bug.cgi?id=194544
624
625         Reviewed by Mark Lam.
626
627         * stress/regexp-replace-double-watchpoint.js: Added.
628         (foo):
629
630 2019-02-15  Saam barati  <sbarati@apple.com>
631
632         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
633         https://bugs.webkit.org/show_bug.cgi?id=194036
634
635         Reviewed by Yusuke Suzuki.
636
637         * stress/tail-call-many-arguments.js: Added.
638         (foo):
639         (bar):
640
641 2019-02-14  Saam Barati  <sbarati@apple.com>
642
643         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
644         https://bugs.webkit.org/show_bug.cgi?id=194583
645         <rdar://problem/48028140>
646
647         Reviewed by Yusuke Suzuki.
648
649         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
650
651 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
652
653         [JSC] String.fromCharCode's slow path always generates 16bit string
654         https://bugs.webkit.org/show_bug.cgi?id=194466
655
656         Reviewed by Keith Miller.
657
658         * stress/string-from-char-code-slow-path.js: Added.
659         (shouldBe):
660         (testWithLength):
661
662 2019-02-08  Saam barati  <sbarati@apple.com>
663
664         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
665         https://bugs.webkit.org/show_bug.cgi?id=194334
666         <rdar://problem/47844327>
667
668         Reviewed by Mark Lam.
669
670         * stress/check-in-bounds-should-be-a-child-use.js: Added.
671         (func):
672
673 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
674
675         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
676         https://bugs.webkit.org/show_bug.cgi?id=194369
677         <rdar://problem/47813087>
678
679         Reviewed by Saam Barati.
680
681         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
682         (A):
683
684 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
685
686         [JSC] PrivateName to PublicName hash table is wasteful
687         https://bugs.webkit.org/show_bug.cgi?id=194277
688
689         Reviewed by Michael Saboff.
690
691         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
692
693         * ChakraCore.yaml:
694
695 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
696
697         [ARM] Test running out of executable memory
698         https://bugs.webkit.org/show_bug.cgi?id=194285
699
700         Unreviewed. Do not execute test with LLInt disabled, test runs out of
701         executable memory otherwise.
702
703         * stress/class-subclassing-function.js:
704
705 2019-02-04  Robin Morisset  <rmorisset@apple.com>
706
707         when lowering AssertNotEmpty, create the value before creating the patchpoint
708         https://bugs.webkit.org/show_bug.cgi?id=194231
709
710         Reviewed by Saam Barati.
711
712         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
713         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
714         So even tiny changes to this test can change the path code taken.
715
716         * stress/assert-not-empty.js: Added.
717         (foo):
718
719 2019-02-01  Mark Lam  <mark.lam@apple.com>
720
721         Remove invalid assertion in DFG's compileDoubleRep().
722         https://bugs.webkit.org/show_bug.cgi?id=194130
723         <rdar://problem/47699474>
724
725         Reviewed by Saam Barati.
726
727         * stress/constant-fold-double-rep-into-double-constant.js: Added.
728
729 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
730
731         Import latest Test262 updates.
732
733         Rubber-stamped by Keith Miller.
734
735         * test262.yaml: Deleted.
736         * test262/config.yaml:
737         * test262/expectations.yaml:
738         * test262/latest-changes-summary.txt:
739         * test262/test/:
740         * test262/test262-Revision.txt:
741
742 2019-01-30  Robin Morisset  <rmorisset@apple.com>
743
744         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
745         https://bugs.webkit.org/show_bug.cgi?id=194050
746         <rdar://problem/47595592>
747
748         Reviewed by Yusuke Suzuki.
749
750         * stress/object-keys-osr-exit.js: Added.
751         (foo):
752         (catch):
753
754 2019-01-29  Mark Lam  <mark.lam@apple.com>
755
756         ValueRecovery::recover() should purify NaN values it recovers.
757         https://bugs.webkit.org/show_bug.cgi?id=193978
758         <rdar://problem/47625488>
759
760         Reviewed by Saam Barati.
761
762         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
763
764 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
765
766         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
767         https://bugs.webkit.org/show_bug.cgi?id=193713
768
769         * stress/try-get-by-id-should-spill-registers-dfg.js:
770         (let.f.createBuiltin):
771
772 2019-01-28  Mark Lam  <mark.lam@apple.com>
773
774         ToString node actually does GC.
775         https://bugs.webkit.org/show_bug.cgi?id=193920
776         <rdar://problem/46695900>
777
778         Reviewed by Yusuke Suzuki.
779
780         * stress/dfg-to-string-on-int-does-gc.js: Added.
781         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
782         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
783
784 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
785
786         [JSC] NativeErrorConstructor should not have own IsoSubspace
787         https://bugs.webkit.org/show_bug.cgi?id=193713
788
789         Reviewed by Saam Barati.
790
791         Remove @Error use.
792
793         * stress/try-get-by-id-should-spill-registers-dfg.js:
794         (let.f.createBuiltin):
795
796 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
797
798         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
799         https://bugs.webkit.org/show_bug.cgi?id=190693
800
801         Reviewed by Michael Saboff.
802
803         * stress/regress-190693.js: Added.
804         (truth):
805         (assert):
806         (shouldThrowInvalidConstAssignment):
807         (taz):
808
809 2019-01-24  Saam Barati  <sbarati@apple.com>
810
811         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
812         https://bugs.webkit.org/show_bug.cgi?id=193751
813         <rdar://problem/47280215>
814
815         Reviewed by Michael Saboff.
816
817         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
818         (let.thing):
819         (foo.let.hello):
820         (foo):
821
822 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
823
824         [JSC] Reenable baseline JIT on mips
825         https://bugs.webkit.org/show_bug.cgi?id=192983
826
827         Reviewed by Mark Lam.
828
829         Added a new test for a case that was triggering a RELEASE_ASSERT when
830         testing.
831         Disable some slow tests that were already disabled for arm and x86.
832
833         * stress/json-parse-big-object.js: Added.
834         * stress/new-largeish-contiguous-array-with-size.js:
835         * stress/op_add.js:
836         * stress/op_bitand.js:
837         * stress/op_bitor.js:
838         * stress/op_bitxor.js:
839         * stress/op_lshift-ConstVar.js:
840         * stress/op_lshift-VarConst.js:
841         * stress/op_lshift-VarVar.js:
842         * stress/op_mod-ConstVar.js:
843         * stress/op_mod-VarConst.js:
844         * stress/op_mod-VarVar.js:
845         * stress/op_mul-ConstVar.js:
846         * stress/op_mul-VarConst.js:
847         * stress/op_mul-VarVar.js:
848         * stress/op_rshift-ConstVar.js:
849         * stress/op_rshift-VarConst.js:
850         * stress/op_rshift-VarVar.js:
851         * stress/op_sub-ConstVar.js:
852         * stress/op_sub-VarConst.js:
853         * stress/op_sub-VarVar.js:
854         * stress/op_urshift-ConstVar.js:
855         * stress/op_urshift-VarConst.js:
856         * stress/op_urshift-VarVar.js:
857         * stress/sampling-profiler-richards.js:
858         * stress/spread-forward-call-varargs-stack-overflow.js:
859
860 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
863         https://bugs.webkit.org/show_bug.cgi?id=193711
864         <rdar://problem/47250262>
865
866         Reviewed by Saam Barati.
867
868         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
869         (shouldBe):
870         (foo):
871         (bar):
872         (baz):
873
874 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
875
876         Unreviewed, fix initial global lexical binding epoch
877         https://bugs.webkit.org/show_bug.cgi?id=193603
878         <rdar://problem/47380869>
879
880         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
881         (f1.f2.f3.f4):
882         (f1.f2.f3):
883         (f1.f2):
884         (f1):
885
886 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
887
888         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
889         https://bugs.webkit.org/show_bug.cgi?id=193709
890         <rdar://problem/47363838>
891
892         Unreviewed, rollout to watch the tests.
893
894         * stress/object-tostring-changed-proto.js: Removed.
895         * stress/object-tostring-changed.js: Removed.
896         * stress/object-tostring-misc.js: Removed.
897         * stress/object-tostring-other.js: Removed.
898         * stress/object-tostring-untyped.js: Removed.
899
900 2019-01-22  Saam Barati  <sbarati@apple.com>
901
902         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
903
904         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
905         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
906         (testUncheckedLessThanZero):
907         (testUncheckedLessThanOrEqualZero):
908         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
909         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
910
911 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
912
913         [JSC] Invalidate old scope operations using global lexical binding epoch
914         https://bugs.webkit.org/show_bug.cgi?id=193603
915         <rdar://problem/47380869>
916
917         Reviewed by Saam Barati.
918
919         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
920         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
921         (shouldThrow):
922         (bar):
923         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
924         (shouldBe):
925         (get1):
926         (get2):
927         (get1If):
928         (get2If):
929         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
930         (shouldThrow):
931         (foo):
932
933 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
934
935         Unreviewed, roll out r240220 due to date-format-xparb regression
936         https://bugs.webkit.org/show_bug.cgi?id=193603
937
938         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
939         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
940         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
941         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
942
943 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
944
945         DoesGC rule is wrong for nodes with BigIntUse
946         https://bugs.webkit.org/show_bug.cgi?id=193652
947
948         Reviewed by Saam Barati.
949
950         * stress/big-int-value-op-update-gc-rules.js: Added.
951         (assert):
952         (doesGCAdd):
953         (doesGCSub):
954         (doesGCDiv):
955         (doesGCMul):
956         (doesGCBitAnd):
957         (doesGCBitOr):
958         (doesGCBitXor):
959
960 2019-01-20  Saam Barati  <sbarati@apple.com>
961
962         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
963         https://bugs.webkit.org/show_bug.cgi?id=193644
964         <rdar://problem/46209745>
965
966         Reviewed by Yusuke Suzuki.
967
968         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
969         (foo):
970         * stress/data-view-set-intrinsic-undefined-result.js: Added.
971         (foo):
972         (bar):
973
974 2019-01-20  Saam Barati  <sbarati@apple.com>
975
976         MovHint must merge NodeBytecodeUsesAsValue for its child
977         https://bugs.webkit.org/show_bug.cgi?id=186916
978         <rdar://problem/41396612>
979
980         Reviewed by Yusuke Suzuki.
981
982         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
983         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
984
985 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
986
987         [JSC] Invalidate old scope operations using global lexical binding epoch
988         https://bugs.webkit.org/show_bug.cgi?id=193603
989         <rdar://problem/47380869>
990
991         Reviewed by Saam Barati.
992
993         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
994         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
995         (shouldThrow):
996         (bar):
997         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
998         (shouldBe):
999         (get1):
1000         (get2):
1001         (get1If):
1002         (get2If):
1003         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1004         (shouldThrow):
1005         (foo):
1006
1007 2019-01-17  Saam Barati  <sbarati@apple.com>
1008
1009         StringObjectUse should not be a structure check for the original string object structure
1010         https://bugs.webkit.org/show_bug.cgi?id=193483
1011         <rdar://problem/47280522>
1012
1013         Reviewed by Yusuke Suzuki.
1014
1015         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1016         (foo):
1017         (a.valueOf.0):
1018
1019 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1020
1021         [JSC] ToThis omission in DFGByteCodeParser is wrong
1022         https://bugs.webkit.org/show_bug.cgi?id=193513
1023         <rdar://problem/45842236>
1024
1025         Reviewed by Saam Barati.
1026
1027         * stress/to-this-omission-with-different-strict-modes.js: Added.
1028         (thisA):
1029         (thisAStrictWrapper):
1030
1031 2019-01-15  Mark Lam  <mark.lam@apple.com>
1032
1033         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1034         https://bugs.webkit.org/show_bug.cgi?id=193423
1035         <rdar://problem/46209355>
1036
1037         Reviewed by Saam Barati.
1038
1039         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1040         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1041         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1042         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1043
1044 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1045
1046         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1047         https://bugs.webkit.org/show_bug.cgi?id=193438
1048         <rdar://problem/45581249>
1049
1050         Reviewed by Saam Barati and Keith Miller.
1051
1052         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1053         Then, GetByVal(String) crashed.
1054
1055         * stress/string-get-by-val-lowering.js: Added.
1056         (shouldBe):
1057         (test):
1058         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1059         (Hello):
1060         (foo):
1061
1062 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1063
1064         Unreviewed, skip JIT tests if it's not enabled
1065
1066         * stress/bit-op-with-object-returning-int32.js:
1067
1068 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1069
1070         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1071         https://bugs.webkit.org/show_bug.cgi?id=192966
1072
1073         Reviewed by Yusuke Suzuki.
1074
1075         * stress/bit-op-with-object-returning-int32.js: Added.
1076
1077 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1078
1079         Skip a slow test and a flakey test on arm
1080
1081         Unreviewed gardening.
1082
1083         * typeProfiler/getter-richards.js:
1084         This test always times out; it used to be always skipped on arm and
1085         mips, but got accidentally enabled by r237919 now that we have DFG on
1086         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1087
1088 2019-01-14  Keith Miller  <keith_miller@apple.com>
1089
1090         Skip type-check-hoisting-phase-hoist... with no jit
1091         https://bugs.webkit.org/show_bug.cgi?id=193421
1092
1093         Reviewed by Mark Lam.
1094
1095         It's timing out the 32-bit bots and takes 330 seconds
1096         on my machine when run by itself.
1097
1098         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1099
1100 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1101
1102         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1103         https://bugs.webkit.org/show_bug.cgi?id=193413
1104         <rdar://problem/46092389>
1105
1106         Reviewed by Keith Miller.
1107
1108         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1109         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1110         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1111         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1112
1113         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1114         (compareArray):
1115
1116 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1117
1118         [BigInt] Literal parsing is crashing when used inside a Object Literal
1119         https://bugs.webkit.org/show_bug.cgi?id=193404
1120
1121         Reviewed by Yusuke Suzuki.
1122
1123         * stress/big-int-literal-inside-literal-object.js: Added.
1124
1125 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1126
1127         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1128         https://bugs.webkit.org/show_bug.cgi?id=193372
1129
1130         Reviewed by Saam Barati.
1131
1132         * stress/typed-array-array-modes-profile.js: Added.
1133         (foo):
1134
1135 2019-01-14  Mark Lam  <mark.lam@apple.com>
1136
1137         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1138         https://bugs.webkit.org/show_bug.cgi?id=193402
1139         <rdar://problem/46012309>
1140
1141         Reviewed by Keith Miller.
1142
1143         * stress/regexp-compile-oom.js:
1144         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1145           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1146
1147 2019-01-11  Saam Barati  <sbarati@apple.com>
1148
1149         DFG combined liveness can be wrong for terminal basic blocks
1150         https://bugs.webkit.org/show_bug.cgi?id=193304
1151         <rdar://problem/45268632>
1152
1153         Reviewed by Yusuke Suzuki.
1154
1155         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1156
1157 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1158
1159         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1160         https://bugs.webkit.org/show_bug.cgi?id=193308
1161         <rdar://problem/45546542>
1162
1163         Reviewed by Saam Barati.
1164
1165         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1166         (shouldThrow):
1167         (shouldBe):
1168         (foo):
1169         (get shouldThrow):
1170         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1171         (shouldThrow):
1172         (shouldBe):
1173         (foo):
1174         (get shouldBe):
1175         (get shouldThrow):
1176         (get return):
1177         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1178         (shouldThrow):
1179         (shouldBe):
1180         (foo):
1181         (get shouldBe):
1182         (get shouldThrow):
1183         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1184         (shouldThrow):
1185         (shouldBe):
1186         (foo):
1187         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1188         (shouldThrow):
1189         (shouldBe):
1190         (foo):
1191         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1192         (shouldThrow):
1193         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1194         (shouldThrow):
1195         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1196         (shouldThrow):
1197         (shouldBe):
1198         (foo):
1199         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1200         (shouldThrow):
1201         (shouldBe):
1202         (foo):
1203         (get shouldBe):
1204         (get shouldThrow):
1205         (get return):
1206         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1207         (shouldThrow):
1208         (shouldBe):
1209         (foo):
1210         (get shouldBe):
1211         (get shouldThrow):
1212         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1213         (shouldThrow):
1214         (shouldBe):
1215         (foo):
1216         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1217         (shouldThrow):
1218         (shouldBe):
1219         (foo):
1220
1221 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1222
1223         Enable DFG on ARM/Linux again
1224         https://bugs.webkit.org/show_bug.cgi?id=192496
1225
1226         Reviewed by Yusuke Suzuki.
1227
1228         Test wasn't really skipped before moving the line with skip
1229         to the top.
1230
1231         * stress/regress-192717.js:
1232
1233 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1234
1235         Unreviewed, rolling out r239825.
1236         https://bugs.webkit.org/show_bug.cgi?id=193330
1237
1238         Broke tests on armv7/linux bots (Requested by guijemont on
1239         #webkit).
1240
1241         Reverted changeset:
1242
1243         "Enable DFG on ARM/Linux again"
1244         https://bugs.webkit.org/show_bug.cgi?id=192496
1245         https://trac.webkit.org/changeset/239825
1246
1247 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1248
1249         Enable DFG on ARM/Linux again
1250         https://bugs.webkit.org/show_bug.cgi?id=192496
1251
1252         Reviewed by Yusuke Suzuki.
1253
1254         Test wasn't really skipped before moving the line with skip
1255         to the top.
1256
1257         * stress/regress-192717.js:
1258
1259 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1260
1261         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1262         https://bugs.webkit.org/show_bug.cgi?id=193127
1263
1264         Reviewed by Saam Barati.
1265
1266         * stress/array-species-create-should-handle-masquerader.js: Added.
1267         (shouldThrow):
1268         * stress/is-undefined-or-null-builtin.js: Added.
1269         (shouldBe):
1270         (isUndefinedOrNull.vm.createBuiltin):
1271
1272 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1273
1274         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1275         https://bugs.webkit.org/show_bug.cgi?id=193221
1276
1277         Reviewed by Mark Lam.
1278
1279         * stress/put-by-id-flags.js: Added.
1280         (f):
1281         (g):
1282         (numberOfDFGCompiles):
1283
1284 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1285
1286         Baseline version of get_by_id may corrupt metadata
1287         https://bugs.webkit.org/show_bug.cgi?id=193085
1288         <rdar://problem/23453006>
1289
1290         Reviewed by Saam Barati.
1291
1292         * stress/get-by-id-change-mode.js: Added.
1293         (forEach):
1294
1295 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1296
1297         [JSC] Optimize Object.prototype.toString
1298         https://bugs.webkit.org/show_bug.cgi?id=193031
1299
1300         Reviewed by Saam Barati.
1301
1302         * stress/object-tostring-changed-proto.js: Added.
1303         (shouldBe):
1304         (test):
1305         * stress/object-tostring-changed.js: Added.
1306         (shouldBe):
1307         (test):
1308         * stress/object-tostring-misc.js: Added.
1309         (shouldBe):
1310         (test):
1311         (i.switch):
1312         * stress/object-tostring-other.js: Added.
1313         (shouldBe):
1314         (test):
1315         * stress/object-tostring-untyped.js: Added.
1316         (shouldBe):
1317         (test):
1318         (i.switch):
1319
1320 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1321
1322         test262-runner misbehaves when test file YAML has a trailing space
1323         https://bugs.webkit.org/show_bug.cgi?id=193053
1324
1325         Reviewed by Yusuke Suzuki.
1326
1327         * test262/expectations.yaml:
1328         Mark two dozen tests as passing (and correct the output of another).
1329
1330 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1331
1332         Unreviewed, JSTests gardening with memoryLimited
1333
1334         * stress/string-overflow-createError.js:
1335
1336 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1337
1338         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1339         https://bugs.webkit.org/show_bug.cgi?id=193050
1340
1341         Reviewed by Yusuke Suzuki.
1342
1343         * test262.yaml:
1344         * test262/expectations.yaml:
1345         Mark 16 tests as passing.
1346
1347 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1348
1349         [BigInt] Support BigInt in JSON.stringify
1350         https://bugs.webkit.org/show_bug.cgi?id=192624
1351
1352         Reviewed by Saam Barati.
1353
1354         * stress/big-int-json-stringify-to-json.js: Added.
1355         (shouldBe):
1356         (shouldThrow):
1357         (BigInt.prototype.toJSON):
1358         (shouldBe.JSON.stringify):
1359         * stress/big-int-json-stringify.js: Added.
1360         (shouldBe):
1361         (shouldThrow):
1362
1363 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1364
1365         [JSC] Implement "well-formed JSON.stringify" proposal
1366         https://bugs.webkit.org/show_bug.cgi?id=191677
1367
1368         Reviewed by Darin Adler.
1369
1370         * stress/json-surrogate-pair.js: Added.
1371         (shouldBe):
1372         * test262/expectations.yaml:
1373
1374 2018-12-20  Keith Miller  <keith_miller@apple.com>
1375
1376         Add support for globalThis
1377         https://bugs.webkit.org/show_bug.cgi?id=165171
1378
1379         Reviewed by Mark Lam.
1380
1381         * test262/config.yaml:
1382
1383 2018-12-19  Keith Miller  <keith_miller@apple.com>
1384
1385         Update test262 configuration to not run tests dependent on ICU version.
1386         https://bugs.webkit.org/show_bug.cgi?id=192920
1387
1388         Reviewed by Saam Barati.
1389
1390         * test262/expectations.yaml:
1391
1392 2018-12-20  Mark Lam  <mark.lam@apple.com>
1393
1394         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1395         https://bugs.webkit.org/show_bug.cgi?id=192939
1396         <rdar://problem/46869516>
1397
1398         Reviewed by Keith Miller.
1399
1400         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1401
1402 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1403
1404         WTF::String and StringImpl overflow MaxLength
1405         https://bugs.webkit.org/show_bug.cgi?id=192853
1406         <rdar://problem/45726906>
1407
1408         Reviewed by Mark Lam.
1409
1410         * stress/string-16bit-repeat-overflow.js: Added.
1411         (catch):
1412
1413 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1414
1415         Unreviewed follow-up to r192914.
1416
1417         * test262/expectations.yaml:
1418         Add the last 20 missing expectations.
1419
1420 2018-12-19  Keith Miller  <keith_miller@apple.com>
1421
1422         Fix test262 expectations
1423         https://bugs.webkit.org/show_bug.cgi?id=192914
1424
1425         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1426
1427         * test262/expectations.yaml:
1428
1429 2018-12-19  Keith Miller  <keith_miller@apple.com>
1430
1431         Update test262 tests.
1432         https://bugs.webkit.org/show_bug.cgi?id=192907
1433
1434         Rubber stamped by Mark Lam.
1435
1436         * test262/*: Omitted because prepare-changelog crashes.
1437
1438 2018-12-19  Mark Lam  <mark.lam@apple.com>
1439
1440         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1441         https://bugs.webkit.org/show_bug.cgi?id=192464
1442         <rdar://problem/46519455>
1443
1444         Reviewed by Saam Barati.
1445
1446         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1447         microbenchmark.
1448
1449         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1450         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1451
1452 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1453
1454         String overflow in JSC::createError results in ASSERT in WTF::makeString
1455         https://bugs.webkit.org/show_bug.cgi?id=192833
1456         <rdar://problem/45706868>
1457
1458         Reviewed by Mark Lam.
1459
1460         * stress/string-overflow-createError.js: Added.
1461
1462 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1463
1464         Error message for `-x ** y` contains a typo.
1465         https://bugs.webkit.org/show_bug.cgi?id=192832
1466
1467         Reviewed by Saam Barati.
1468
1469         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1470         (assert.assert.return.throws):
1471         * stress/pow-expects-update-expression-on-lhs.js:
1472         (throw.new.Error):
1473         Update test expectations which match against the exact error message.
1474
1475 2018-12-18  Mark Lam  <mark.lam@apple.com>
1476
1477         Gardening: test options fix.
1478         https://bugs.webkit.org/show_bug.cgi?id=192822
1479
1480         Unreviewed.
1481
1482         * stress/json-stringify-string-builder-overflow.js:
1483
1484 2018-12-18  Mark Lam  <mark.lam@apple.com>
1485
1486         JSON.stringify() should throw OOM on StringBuilder overflows.
1487         https://bugs.webkit.org/show_bug.cgi?id=192822
1488         <rdar://problem/46670577>
1489
1490         Reviewed by Saam Barati.
1491
1492         * stress/json-stringify-string-builder-overflow.js: Added.
1493
1494 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1495
1496         Redeclaration of var over let/const/class should be a syntax error.
1497         https://bugs.webkit.org/show_bug.cgi?id=192298
1498
1499         Reviewed by Keith Miller.
1500
1501         * test262.yaml:
1502         * test262/expectations.yaml:
1503         Mark 46 tests as passing.
1504
1505         * stress/block-scope-redeclarations.js:
1506         Add some new tests.
1507
1508         * stress/for-in-invalidate-context-weird-assignments.js:
1509         * stress/for-in-tests.js:
1510         Replace tests for outdated behavior with tests for SyntaxError.
1511
1512         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1513         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1514         Update expectations.
1515
1516 2018-12-18  Mark Lam  <mark.lam@apple.com>
1517
1518         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1519         https://bugs.webkit.org/show_bug.cgi?id=191374
1520         <rdar://problem/46525447>
1521
1522         Reviewed by Yusuke Suzuki.
1523
1524         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1525
1526         * stress/elidable-new-object-roflcopter-then-exit.js:
1527
1528 2018-12-17  Mark Lam  <mark.lam@apple.com>
1529
1530         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1531         https://bugs.webkit.org/show_bug.cgi?id=192019
1532         <rdar://problem/46525456>
1533
1534         Reviewed by Yusuke Suzuki.
1535
1536         The test runs too slow on 32-bit.
1537
1538         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1539
1540 2018-12-17  Mark Lam  <mark.lam@apple.com>
1541
1542         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1543         https://bugs.webkit.org/show_bug.cgi?id=191373
1544         <rdar://problem/46525458>
1545
1546         The test is already slow running with a JIT on 64-bit.  It will always time out
1547
1548         The test is already slow running with a JIT on 64-bit.  It will always timeout
1549         on 32-bit without a JIT.
1550
1551         * stress/materialize-regexp-cyclic-regexp.js:
1552
1553 2018-12-17  Mark Lam  <mark.lam@apple.com>
1554
1555         Array unshift/shift should not race against the AI in the compiler thread.
1556         https://bugs.webkit.org/show_bug.cgi?id=192795
1557         <rdar://problem/46724263>
1558
1559         Reviewed by Saam Barati.
1560
1561         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1562
1563 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1564
1565         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1566         https://bugs.webkit.org/show_bug.cgi?id=190047
1567
1568         Reviewed by Saam Barati.
1569
1570         * stress/object-keys-cached-zero.js: Added.
1571         (shouldBe):
1572         (test):
1573         * stress/object-keys-changed-attribute.js: Added.
1574         (shouldBe):
1575         (test):
1576         * stress/object-keys-changed-index.js: Added.
1577         (shouldBe):
1578         (test):
1579         * stress/object-keys-changed.js: Added.
1580         (shouldBe):
1581         (test):
1582         * stress/object-keys-indexed-non-cache.js: Added.
1583         (shouldBe):
1584         (test):
1585         * stress/object-keys-overrides-get-property-names.js: Added.
1586         (shouldBe):
1587         (test):
1588         (noInline):
1589
1590 2018-12-17  Mark Lam  <mark.lam@apple.com>
1591
1592         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1593         https://bugs.webkit.org/show_bug.cgi?id=192779
1594         <rdar://problem/46775869>
1595
1596         Reviewed by Saam Barati.
1597
1598         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1599
1600 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1601
1602         Unreviewed test gardening, address a syntax error in a new test.
1603
1604         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1605
1606 2018-12-17  Mark Lam  <mark.lam@apple.com>
1607
1608         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1609         https://bugs.webkit.org/show_bug.cgi?id=192776
1610         <rdar://problem/46772368>
1611
1612         Reviewed by Keith Miller.
1613
1614         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1615
1616 2018-12-17  Mark Lam  <mark.lam@apple.com>
1617
1618         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1619         https://bugs.webkit.org/show_bug.cgi?id=192770
1620         <rdar://problem/46449037>
1621
1622         Reviewed by Keith Miller.
1623
1624         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1625
1626 2018-12-14  Mark Lam  <mark.lam@apple.com>
1627
1628         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1629         https://bugs.webkit.org/show_bug.cgi?id=192717
1630         <rdar://problem/46660677>
1631
1632         Reviewed by Saam Barati.
1633
1634         * stress/regress-192717.js: Added.
1635
1636 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1637
1638         Unreviewed, rolling out r239153, r239154, and r239155.
1639         https://bugs.webkit.org/show_bug.cgi?id=192715
1640
1641         Caused flaky GC-related crashes seen with layout tests
1642         (Requested by ryanhaddad on #webkit).
1643
1644         Reverted changesets:
1645
1646         "[JSC] Optimize Object.keys by caching own keys results in
1647         StructureRareData"
1648         https://bugs.webkit.org/show_bug.cgi?id=190047
1649         https://trac.webkit.org/changeset/239153
1650
1651         "Unreviewed, build fix after r239153"
1652         https://bugs.webkit.org/show_bug.cgi?id=190047
1653         https://trac.webkit.org/changeset/239154
1654
1655         "Unreviewed, build fix after r239153, part 2"
1656         https://bugs.webkit.org/show_bug.cgi?id=190047
1657         https://trac.webkit.org/changeset/239155
1658
1659 2018-12-14  Keith Miller  <keith_miller@apple.com>
1660
1661         Callers of JSString::getIndex should check for OOM exceptions
1662         https://bugs.webkit.org/show_bug.cgi?id=192709
1663
1664         Reviewed by Mark Lam.
1665
1666         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1667
1668 2018-12-13  Mark Lam  <mark.lam@apple.com>
1669
1670         Add a missing exception check.
1671         https://bugs.webkit.org/show_bug.cgi?id=192626
1672         <rdar://problem/46662163>
1673
1674         Reviewed by Keith Miller.
1675
1676         * stress/regress-192626.js: Added.
1677
1678 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1679
1680         [BigInt] Add ValueDiv into DFG
1681         https://bugs.webkit.org/show_bug.cgi?id=186178
1682
1683         Reviewed by Yusuke Suzuki.
1684
1685         * stress/big-int-div-jit-osr.js: Added.
1686         * stress/big-int-div-jit-untyped.js: Added.
1687         * stress/value-div-fixup-int32-big-int.js: Added.
1688
1689 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1690
1691         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1692         https://bugs.webkit.org/show_bug.cgi?id=190047
1693
1694         Reviewed by Keith Miller.
1695
1696         * stress/object-keys-cached-zero.js: Added.
1697         (shouldBe):
1698         (test):
1699         * stress/object-keys-changed-attribute.js: Added.
1700         (shouldBe):
1701         (test):
1702         * stress/object-keys-changed-index.js: Added.
1703         (shouldBe):
1704         (test):
1705         * stress/object-keys-changed.js: Added.
1706         (shouldBe):
1707         (test):
1708         * stress/object-keys-indexed-non-cache.js: Added.
1709         (shouldBe):
1710         (test):
1711         * stress/object-keys-overrides-get-property-names.js: Added.
1712         (shouldBe):
1713         (test):
1714         (noInline):
1715
1716 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1717
1718         [DFG][FTL] Add NewSymbol
1719         https://bugs.webkit.org/show_bug.cgi?id=192620
1720
1721         Reviewed by Saam Barati.
1722
1723         * microbenchmarks/symbol-creation.js: Added.
1724         (test):
1725         * stress/symbol-description-identity.js: Added.
1726         (shouldBe):
1727         (test):
1728         * stress/symbol-identity.js: Added.
1729         (shouldBe):
1730         (test):
1731         * stress/symbol-with-description-throw-error.js: Added.
1732         (shouldBe):
1733         (shouldThrow):
1734         (test):
1735         (object.toString):
1736
1737 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1738
1739         [BigInt] Implement DFG/FTL typeof for BigInt
1740         https://bugs.webkit.org/show_bug.cgi?id=192619
1741
1742         Reviewed by Keith Miller.
1743
1744         * stress/big-int-boolean-proven-type.js: Added.
1745         (assert):
1746         (bool):
1747         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1748         (assert):
1749         (typeOf):
1750         (i.switch):
1751         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1752         (assert):
1753         (typeOf):
1754         * stress/big-int-type-of.js:
1755         (typeOf):
1756         (func):
1757
1758 2018-12-10  Mark Lam  <mark.lam@apple.com>
1759
1760         PropertyAttribute needs a CustomValue bit.
1761         https://bugs.webkit.org/show_bug.cgi?id=191993
1762         <rdar://problem/46264467>
1763
1764         Reviewed by Saam Barati.
1765
1766         * stress/regress-191993.js: Added.
1767
1768 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1769
1770         [BigInt] Add ValueMul into DFG
1771         https://bugs.webkit.org/show_bug.cgi?id=186175
1772
1773         Reviewed by Yusuke Suzuki.
1774
1775         * stress/big-int-mul-jit-osr.js: Added.
1776         * stress/big-int-mul-jit-untyped.js: Added.
1777         * stress/value-mul-fixup-int32-big-int.js: Added.
1778
1779 2018-12-06  Keith Miller  <keith_miller@apple.com>
1780
1781         stress/big-wasm-memory tests failing on 32-bit JSC bot
1782         https://bugs.webkit.org/show_bug.cgi?id=192020
1783
1784         Reviewed by Saam Barati.
1785
1786         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1787         the wasm stress tests if the WebAssembly object does not exist.
1788
1789         * stress/big-wasm-memory-grow-no-max.js:
1790         (test.foo):
1791         (test):
1792         (foo): Deleted.
1793         (catch): Deleted.
1794         * stress/big-wasm-memory-grow.js:
1795         (test.foo):
1796         (test):
1797         (foo): Deleted.
1798         (catch): Deleted.
1799         * stress/big-wasm-memory.js:
1800         (test.foo):
1801         (test):
1802         (foo): Deleted.
1803         (catch): Deleted.
1804
1805 2018-12-05  Mark Lam  <mark.lam@apple.com>
1806
1807         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1808         https://bugs.webkit.org/show_bug.cgi?id=192441
1809         <rdar://problem/46480355>
1810
1811         Reviewed by Saam Barati.
1812
1813         * stress/regress-192441.js: Added.
1814
1815 2018-12-04  Mark Lam  <mark.lam@apple.com>
1816
1817         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1818         https://bugs.webkit.org/show_bug.cgi?id=192386
1819         <rdar://problem/46445516>
1820
1821         Reviewed by Saam Barati.
1822
1823         * stress/regress-192386.js: Added.
1824
1825 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1826
1827         [ESNext][BigInt] Support logic operations
1828         https://bugs.webkit.org/show_bug.cgi?id=179903
1829
1830         Reviewed by Yusuke Suzuki.
1831
1832         * stress/big-int-branch-usage.js: Added.
1833         * stress/big-int-logical-and.js: Added.
1834         * stress/big-int-logical-not.js: Added.
1835         * stress/big-int-logical-or.js: Added.
1836
1837 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1838
1839         Unreviewed, rolling out r238833.
1840
1841         Breaks macOS and iOS debug builds.
1842
1843         Reverted changeset:
1844
1845         "[ESNext][BigInt] Support logic operations"
1846         https://bugs.webkit.org/show_bug.cgi?id=179903
1847         https://trac.webkit.org/changeset/238833
1848
1849 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1850
1851         [ESNext][BigInt] Support logic operations
1852         https://bugs.webkit.org/show_bug.cgi?id=179903
1853
1854         Reviewed by Yusuke Suzuki.
1855
1856         * stress/big-int-branch-usage.js: Added.
1857         * stress/big-int-logical-and.js: Added.
1858         * stress/big-int-logical-not.js: Added.
1859         * stress/big-int-logical-or.js: Added.
1860
1861 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1862
1863         [ESNext][BigInt] Implement support for "<<" and ">>"
1864         https://bugs.webkit.org/show_bug.cgi?id=186233
1865
1866         Reviewed by Yusuke Suzuki.
1867
1868         * stress/big-int-left-shift-general.js: Added.
1869         * stress/big-int-left-shift-range-error.js: Added.
1870         * stress/big-int-left-shift-type-error.js: Added.
1871         * stress/big-int-left-shift-wrapped-value.js: Added.
1872         * stress/big-int-right-shift-general.js: Added.
1873         * stress/big-int-right-shift-type-error.js: Added.
1874         * stress/big-int-right-shift-wrapped-value.js: Added.
1875         * stress/left-shift-to-primitive-precedence.js: Added.
1876         * stress/right-shift-to-primitive-precedence.js: Added.
1877
1878 2018-11-30  Dean Jackson  <dino@apple.com>
1879
1880         Add first-class support for .mjs files in jsc binary
1881         https://bugs.webkit.org/show_bug.cgi?id=192190
1882         <rdar://problem/46375715>
1883
1884         Reviewed by Keith Miller.
1885
1886         * stress/simple-module.mjs: Added.
1887         * stress/simple-script.js: Added.
1888
1889 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1890
1891         [BigInt] Implement ValueBitXor into DFG
1892         https://bugs.webkit.org/show_bug.cgi?id=190264
1893
1894         Reviewed by Yusuke Suzuki.
1895
1896         * stress/big-int-bitwise-xor-jit.js: Added.
1897         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1898         * stress/big-int-bitwise-xor-untyped.js: Added.
1899
1900 2018-11-27  Saam barati  <sbarati@apple.com>
1901
1902         r238510 broke scopes of size zero
1903         https://bugs.webkit.org/show_bug.cgi?id=192033
1904         <rdar://problem/46281734>
1905
1906         Reviewed by Keith Miller.
1907
1908         * stress/r238510-bad-loop.js: Added.
1909         (foo):
1910
1911 2018-11-27  Mark Lam  <mark.lam@apple.com>
1912
1913         [Re-landing] NaNs read from Wasm code needs to be purified.
1914         https://bugs.webkit.org/show_bug.cgi?id=191056
1915         <rdar://problem/45660341>
1916
1917         Reviewed by Filip Pizlo.
1918
1919         * wasm/regress/regress-191056.js: Added.
1920
1921 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1922
1923         Unreviewed, rolling out r238509.
1924
1925         Causes JSC tests to fail on iOS.
1926
1927         Reverted changeset:
1928
1929         "NaNs read from Wasm code needs to be purified."
1930         https://bugs.webkit.org/show_bug.cgi?id=191056
1931         https://trac.webkit.org/changeset/238509
1932
1933 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1934
1935         Re-introduce op_bitnot
1936         https://bugs.webkit.org/show_bug.cgi?id=190923
1937
1938         Reviewed by Yusuke Suzuki.
1939
1940         * stress/bit-not-must-generate.js: Added.
1941         * stress/bitwise-not-no-int32.js: Added.
1942
1943 2018-11-26  Saam barati  <sbarati@apple.com>
1944
1945         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1946         https://bugs.webkit.org/show_bug.cgi?id=191956
1947         <rdar://problem/45665806>
1948
1949         Reviewed by Yusuke Suzuki.
1950
1951         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1952         (bar):
1953         (foo):
1954
1955 2018-11-26  Saam barati  <sbarati@apple.com>
1956
1957         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1958         https://bugs.webkit.org/show_bug.cgi?id=191958
1959         <rdar://problem/46221877>
1960
1961         Reviewed by Yusuke Suzuki.
1962
1963         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1964         (x):
1965         (foo):
1966
1967 2018-11-26  Mark Lam  <mark.lam@apple.com>
1968
1969         NaNs read from Wasm code needs to be purified.
1970         https://bugs.webkit.org/show_bug.cgi?id=191056
1971         <rdar://problem/45660341>
1972
1973         Reviewed by Filip Pizlo.
1974
1975         * wasm/regress/regress-191056.js: Added.
1976
1977 2018-11-26  Michael Saboff  <msaboff@apple.com>
1978
1979         32-bit JSC test failure: stress/regexp-compile-oom.js
1980         https://bugs.webkit.org/show_bug.cgi?id=191375
1981
1982         Reviewed by Mark Lam.
1983
1984         Disabled the test for 32 bit platforms.
1985
1986         * stress/regexp-compile-oom.js:
1987
1988 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1989
1990         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1991         https://bugs.webkit.org/show_bug.cgi?id=191716
1992         <rdar://problem/45723878>
1993
1994         Reviewed by Saam Barati.
1995
1996         * stress/regress-187373.js: Added.
1997         (async.fn):
1998
1999 2018-11-21  Saam barati  <sbarati@apple.com>
2000
2001         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2002         https://bugs.webkit.org/show_bug.cgi?id=191897
2003         <rdar://problem/45871998>
2004
2005         Reviewed by Mark Lam.
2006
2007         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2008         (bar):
2009         (foo):
2010
2011 2018-11-21  Saam barati  <sbarati@apple.com>
2012
2013         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2014         https://bugs.webkit.org/show_bug.cgi?id=191895
2015         <rdar://problem/46167406>
2016
2017         Reviewed by Mark Lam.
2018
2019         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2020         (foo):
2021         (bar):
2022
2023 2018-11-21  Mark Lam  <mark.lam@apple.com>
2024
2025         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2026         https://bugs.webkit.org/show_bug.cgi?id=191776
2027         <rdar://problem/46152851>
2028
2029         Reviewed by Saam Barati.
2030
2031         * stress/big-wasm-memory-grow-no-max.js:
2032         * stress/big-wasm-memory-grow.js:
2033         * stress/big-wasm-memory.js:
2034         - updated these to expect an OutOfMemoryError.
2035
2036         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2037         (Binary.prototype.emit_u8):
2038         (Binary.prototype.emit_u32v):
2039         (Binary.prototype.emit_header):
2040         (Binary.prototype.emit_section):
2041         (Binary):
2042         (WasmModuleBuilder):
2043         (WasmModuleBuilder.prototype.addMemory):
2044         (WasmModuleBuilder.prototype.toArray):
2045         (WasmModuleBuilder.prototype.toBuffer):
2046         (WasmModuleBuilder.prototype.instantiate):
2047         (catch):
2048         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2049         (catch):
2050
2051 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2052
2053         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2054         https://bugs.webkit.org/show_bug.cgi?id=190836
2055
2056         Reviewed by Saam Barati and Yusuke Suzuki.
2057
2058         * stress/big-int-out-of-memory-tests.js: Added.
2059
2060 2018-11-20  Mark Lam  <mark.lam@apple.com>
2061
2062         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2063         https://bugs.webkit.org/show_bug.cgi?id=191856
2064         <rdar://problem/46089992>
2065
2066         Reviewed by Yusuke Suzuki.
2067
2068         * stress/regress-191856.js: Added.
2069         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2070
2071 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2072
2073         Enable JIT on ARM/Linux
2074         https://bugs.webkit.org/show_bug.cgi?id=191548
2075
2076         Reviewed by Yusuke Suzuki.
2077
2078         Disable test on system with limited memory. Program was killed by
2079         the OS before the exception was thrown.
2080
2081         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2082
2083 2018-11-20  Saam barati  <sbarati@apple.com>
2084
2085         Merging an IC variant may lead to the IC status containing overlapping structure sets
2086         https://bugs.webkit.org/show_bug.cgi?id=191869
2087         <rdar://problem/45403453>
2088
2089         Reviewed by Mark Lam.
2090
2091         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2092
2093 2018-11-19  Mark Lam  <mark.lam@apple.com>
2094
2095         globalFuncImportModule() should return a promise when it clears exceptions.
2096         https://bugs.webkit.org/show_bug.cgi?id=191792
2097         <rdar://problem/46090763>
2098
2099         Reviewed by Michael Saboff.
2100
2101         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2102
2103 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2104
2105         Skip new memory-hungry tests on memory limited devices
2106
2107         Unreviewed gardening.
2108
2109         * stress/big-wasm-memory-grow-no-max.js:
2110         * stress/big-wasm-memory-grow.js:
2111         * stress/big-wasm-memory.js:
2112
2113 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2114
2115         Unreviewed, rolling in the rest of r237254
2116         https://bugs.webkit.org/show_bug.cgi?id=190340
2117
2118         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2119         * stress/function-cache-with-parameters-end-position.js: Added.
2120         (shouldBe):
2121         (shouldThrow):
2122         (i.anonymous):
2123         * stress/function-constructor-name.js: Added.
2124         (shouldBe):
2125         (GeneratorFunction):
2126         (AsyncFunction.async):
2127         (AsyncGeneratorFunction.async):
2128         (anonymous):
2129         (async.anonymous):
2130         * test262/expectations.yaml:
2131
2132 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2133
2134         All users of ArrayBuffer should agree on the same max size
2135         https://bugs.webkit.org/show_bug.cgi?id=191771
2136
2137         Reviewed by Mark Lam.
2138
2139         * stress/big-wasm-memory-grow-no-max.js: Added.
2140         (foo):
2141         (catch):
2142         * stress/big-wasm-memory-grow.js: Added.
2143         (foo):
2144         (catch):
2145         * stress/big-wasm-memory.js: Added.
2146         (foo):
2147         (catch):
2148
2149 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2150
2151         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2152         run for each JSC config since they're regression tests for runtime bugs.
2153
2154         * stress/json-stringified-overflow-2.js:
2155         * stress/json-stringified-overflow.js:
2156
2157 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2158
2159         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2160         config since they're regression tests for runtime bugs.
2161
2162         * stress/large-unshift-splice.js:
2163         * stress/regress-185888.js:
2164
2165 2018-11-16  Saam Barati  <sbarati@apple.com>
2166
2167         KnownCellUse should also have SpecCellCheck as its type filter
2168         https://bugs.webkit.org/show_bug.cgi?id=191729
2169         <rdar://problem/45872852>
2170
2171         Reviewed by Filip Pizlo.
2172
2173         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2174         (C):
2175
2176 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2177
2178         Fix assertion failure on BytecodeGenerator::recordOpcode
2179         https://bugs.webkit.org/show_bug.cgi?id=191724
2180         <rdar://problem/45724395>
2181
2182         Reviewed by Saam Barati.
2183
2184         * stress/regress-187373-2.js: Added.
2185         (foo):
2186
2187 2018-11-15  Mark Lam  <mark.lam@apple.com>
2188
2189         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2190         https://bugs.webkit.org/show_bug.cgi?id=191730
2191         <rdar://problem/46048517>
2192
2193         Reviewed by Saam Barati.
2194
2195         * stress/regress-187006.js: Removed.
2196           - this test is invalid because its sole purpose is to test for the non-spec
2197             compliant behavior that we just fixed.
2198
2199         * stress/regress-191730.js: Added.
2200
2201 2018-11-15  Mark Lam  <mark.lam@apple.com>
2202
2203         RegExp operations should not take fast path if lastIndex is not numeric.
2204         https://bugs.webkit.org/show_bug.cgi?id=191731
2205         <rdar://problem/46017305>
2206
2207         Reviewed by Saam Barati.
2208
2209         * stress/regress-191731.js: Added.
2210
2211 2018-11-13  Saam Barati  <sbarati@apple.com>
2212
2213         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2214         https://bugs.webkit.org/show_bug.cgi?id=191600
2215
2216         Reviewed by Mark Lam.
2217
2218         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2219         (foo):
2220         (test):
2221         (bar):
2222
2223 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2224
2225         Unreviewed, rolling out r238132.
2226
2227         The test added with this change is timing out on Debug JSC
2228         bots.
2229
2230         Reverted changeset:
2231
2232         "[BigInt] JSBigInt::createWithLength should throw when length
2233         is greater than JSBigInt::maxLength"
2234         https://bugs.webkit.org/show_bug.cgi?id=190836
2235         https://trac.webkit.org/changeset/238132
2236
2237 2018-11-13  Mark Lam  <mark.lam@apple.com>
2238
2239         Add OOM detection to StringPrototype's substituteBackreferences().
2240         https://bugs.webkit.org/show_bug.cgi?id=191563
2241         <rdar://problem/45720428>
2242
2243         Reviewed by Saam Barati.
2244
2245         * stress/regress-191563.js: Added.
2246
2247 2018-11-13  Mark Lam  <mark.lam@apple.com>
2248
2249         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2250         https://bugs.webkit.org/show_bug.cgi?id=191579
2251         <rdar://problem/45942472>
2252
2253         Reviewed by Saam Barati.
2254
2255         * stress/regress-191579.js: Added.
2256
2257 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2258
2259         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2260         https://bugs.webkit.org/show_bug.cgi?id=190836
2261
2262         Reviewed by Saam Barati.
2263
2264         * stress/big-int-out-of-memory-tests.js: Added.
2265
2266 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2267
2268         U+180E is no longer a whitespace character
2269         https://bugs.webkit.org/show_bug.cgi?id=191415
2270
2271         Reviewed by Saam Barati.
2272
2273         * ChakraCore/test/es5/regexSpace.baseline:
2274         * ChakraCore/test/es6/unicode_whitespace.js:
2275         Update tests to latest version.
2276         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2277
2278         * test262.yaml:
2279         * test262/config.yaml:
2280         * test262/expectations.yaml:
2281         Update expectations.
2282
2283 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2284
2285         [BigInt] Add support to BigInt into ValueAdd
2286         https://bugs.webkit.org/show_bug.cgi?id=186177
2287
2288         Reviewed by Keith Miller.
2289
2290         * stress/big-int-negate-jit.js:
2291         * stress/value-add-big-int-and-string.js: Added.
2292         * stress/value-add-big-int-prediction-propagation.js: Added.
2293         * stress/value-add-big-int-untyped.js: Added.
2294
2295 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2296
2297         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2298         https://bugs.webkit.org/show_bug.cgi?id=191184
2299
2300         Reviewed by Saam Barati.
2301
2302         Most tests were failing due to timeouts, since they are too slow to
2303         run on CLoop. The exceptions are:
2304
2305         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2306         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2307         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2308         to change the stack size since CLoop requires it to be page aligned.
2309
2310         * microbenchmarks/array-push-1.js:
2311         * microbenchmarks/array-push-2.js:
2312         * microbenchmarks/elidable-new-object-dag.js:
2313         * microbenchmarks/elidable-new-object-roflcopter.js:
2314         * microbenchmarks/elidable-new-object-tree.js:
2315         * microbenchmarks/getter-richards.js:
2316         * microbenchmarks/sinkable-new-object-dag.js:
2317         * microbenchmarks/string-concat-long-convert.js:
2318         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2319         * slowMicrobenchmarks/array-push-3.js:
2320         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2321         * slowMicrobenchmarks/spread-small-array.js:
2322         * slowMicrobenchmarks/undefined-property-access.js:
2323         * stress/activation-sink-default-value-tdz-error.js:
2324         * stress/activation-sink-default-value.js:
2325         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2326         * stress/activation-sink-osrexit-default-value.js:
2327         * stress/activation-sink-osrexit.js:
2328         * stress/activation-sink.js:
2329         * stress/allow-math-ic-b3-code-duplication.js:
2330         * stress/array-push-multiple-int32.js:
2331         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2332         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2333         * stress/arrowfunction-lexical-this-activation-sink.js:
2334         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2335         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2336         * stress/elide-new-object-dag-then-exit.js:
2337         * stress/materialize-regexp-cyclic.js:
2338         * stress/new-regex-inline.js:
2339         * stress/op_add.js:
2340         * stress/op_bitand.js:
2341         * stress/op_bitor.js:
2342         * stress/op_bitxor.js:
2343         * stress/op_div-ConstVar.js:
2344         * stress/op_div-VarConst.js:
2345         * stress/op_div-VarVar.js:
2346         * stress/op_lshift-ConstVar.js:
2347         * stress/op_lshift-VarConst.js:
2348         * stress/op_lshift-VarVar.js:
2349         * stress/op_mod-ConstVar.js:
2350         * stress/op_mod-VarConst.js:
2351         * stress/op_mod-VarVar.js:
2352         * stress/op_mul-ConstVar.js:
2353         * stress/op_mul-VarConst.js:
2354         * stress/op_mul-VarVar.js:
2355         * stress/op_rshift-ConstVar.js:
2356         * stress/op_rshift-VarConst.js:
2357         * stress/op_rshift-VarVar.js:
2358         * stress/op_sub-ConstVar.js:
2359         * stress/op_sub-VarConst.js:
2360         * stress/op_sub-VarVar.js:
2361         * stress/op_urshift-ConstVar.js:
2362         * stress/op_urshift-VarConst.js:
2363         * stress/op_urshift-VarVar.js:
2364         * stress/proxy-get-set-correct-receiver.js:
2365         * stress/regress-179562.js:
2366         * stress/rest-parameter-many-arguments.js:
2367         * stress/sampling-profiler-richards.js:
2368         * stress/splay-flash-access-1ms.js:
2369         * stress/tailCallForwardArguments.js:
2370         * stress/typed-array-get-by-val-profiling.js:
2371         * typeProfiler/getter-richards.js:
2372
2373 2018-11-06  Michael Saboff  <msaboff@apple.com>
2374
2375         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2376         https://bugs.webkit.org/show_bug.cgi?id=191271
2377
2378         Reviewed by Saam Barati.
2379
2380         Added more test cases and made all test cases run with the same deeply recursive stack
2381         instead of finding that same point for each test case.
2382
2383         * stress/regexp-compile-oom.js:
2384         (prototype.runTest):
2385         (recurseAndTest):
2386         (testList.push.new.TestAndExpectedException):
2387
2388 2018-11-05  Michael Saboff  <msaboff@apple.com>
2389
2390         Unreviewed build fix for linux.
2391
2392         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2393
2394 2018-11-02  Michael Saboff  <msaboff@apple.com>
2395
2396         Rolling in r237753 with unreviewed build fix.
2397
2398         Fixed issues with DECLARE_THROW_SCOPE placement.
2399
2400 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2401
2402         Unreviewed, rolling out r237753.
2403
2404         Introduced JSC test failures
2405
2406         Reverted changeset:
2407
2408         "Running out of stack space not properly handled in
2409         RegExp::compile() and its callers"
2410         https://bugs.webkit.org/show_bug.cgi?id=191206
2411         https://trac.webkit.org/changeset/237753
2412
2413 2018-11-02  Michael Saboff  <msaboff@apple.com>
2414
2415         Running out of stack space not properly handled in RegExp::compile() and its callers
2416         https://bugs.webkit.org/show_bug.cgi?id=191206
2417
2418         Reviewed by Filip Pizlo.
2419
2420         New regression test.
2421
2422         * stress/regexp-compile-oom.js: Added.
2423         (recurseAndTest):
2424
2425 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2426
2427         Skip tests on arm/mips that time out now we're running on CLoop
2428
2429         Unreviewed gardening.
2430
2431         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2432         time out on the bots and need to be disabled. There's more tests
2433         disabled on arm because the timeout is longer on the mips bot (as the
2434         device is slower to start with), so many of the tests don't time out
2435         there.
2436
2437         * microbenchmarks/getter-richards.js: disable on arm and mips.
2438         * stress/op_add.js: disable on arm.
2439         * stress/op_bitand.js: disable on arm.
2440         * stress/op_bitor.js: disable on arm.
2441         * stress/op_bitxor.js: disable on arm.
2442         * stress/op_lshift-ConstVar.js: disable on arm.
2443         * stress/op_lshift-VarConst.js: disable on arm.
2444         * stress/op_lshift-VarVar.js: disable on arm.
2445         * stress/op_mod-ConstVar.js: disable on arm.
2446         * stress/op_mod-VarConst.js: disable on arm.
2447         * stress/op_mod-VarVar.js: disable on arm.
2448         * stress/op_mul-ConstVar.js: disable on arm.
2449         * stress/op_mul-VarConst.js: disable on arm.
2450         * stress/op_mul-VarVar.js: disable on arm.
2451         * stress/op_rshift-ConstVar.js: disable on arm.
2452         * stress/op_rshift-VarConst.js: disable on arm.
2453         * stress/op_rshift-VarVar.js: disable on arm.
2454         * stress/op_sub-ConstVar.js: disable on arm.
2455         * stress/op_sub-VarConst.js: disable on arm.
2456         * stress/op_sub-VarVar.js: disable on arm.
2457         * stress/op_urshift-ConstVar.js: disable on arm.
2458         * stress/op_urshift-VarConst.js: disable on arm.
2459         * stress/op_urshift-VarVar.js: disable on arm.
2460         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2461         * stress/value-to-boolean.js: disable on arm and mips.
2462
2463 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2464
2465         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2466         https://bugs.webkit.org/show_bug.cgi?id=191108
2467         <rdar://problem/45690700>
2468
2469         Reviewed by Saam Barati.
2470
2471         * stress/wide-op_catch.js: Added.
2472         (catch):
2473
2474 2018-10-29  Mark Lam  <mark.lam@apple.com>
2475
2476         Correctly detect string overflow when using the 'Function' constructor.
2477         https://bugs.webkit.org/show_bug.cgi?id=184883
2478         <rdar://problem/36320331>
2479
2480         Reviewed by Saam Barati.
2481
2482         I've verified that this passes on 32-bit as well.
2483
2484         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2485
2486 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2487
2488         Add support for GetStack FlushedDouble
2489         https://bugs.webkit.org/show_bug.cgi?id=191012
2490         <rdar://problem/45265141>
2491
2492         Reviewed by Saam Barati.
2493
2494         * stress/get-stack-double.js: Added.
2495         (bar):
2496         (noInline):
2497
2498 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2499
2500         New bytecode format for JSC
2501         https://bugs.webkit.org/show_bug.cgi?id=187373
2502         <rdar://problem/44186758>
2503
2504         Reviewed by Filip Pizlo.
2505
2506         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2507
2508         * stress/maximum-inline-capacity.js: Added.
2509         (test1):
2510         (test3.Foo):
2511         (test3):
2512
2513 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2514
2515         Unreviewed, rolling out r237479 and r237484.
2516         https://bugs.webkit.org/show_bug.cgi?id=190978
2517
2518         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2519
2520         Reverted changesets:
2521
2522         "New bytecode format for JSC"
2523         https://bugs.webkit.org/show_bug.cgi?id=187373
2524         https://trac.webkit.org/changeset/237479
2525
2526         "Gardening: Build fix after r237479."
2527         https://bugs.webkit.org/show_bug.cgi?id=187373
2528         https://trac.webkit.org/changeset/237484
2529
2530 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2531
2532         New bytecode format for JSC
2533         https://bugs.webkit.org/show_bug.cgi?id=187373
2534         <rdar://problem/44186758>
2535
2536         Reviewed by Filip Pizlo.
2537
2538         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2539
2540         * stress/maximum-inline-capacity.js: Added.
2541         (test1):
2542         (test3.Foo):
2543         (test3):
2544
2545 2018-10-26  Mark Lam  <mark.lam@apple.com>
2546
2547         Fix missing edge cases with JSGlobalObjects having a bad time.
2548         https://bugs.webkit.org/show_bug.cgi?id=189028
2549         <rdar://problem/45204939>
2550
2551         Reviewed by Saam Barati.
2552
2553         * stress/regress-189028.js: Added.
2554
2555 2018-10-22  Mark Lam  <mark.lam@apple.com>
2556
2557         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2558         https://bugs.webkit.org/show_bug.cgi?id=190515
2559         <rdar://problem/45222379>
2560
2561         Rubber-stamped by Saam Barati.
2562
2563         Adding another test.
2564
2565         * stress/regress-190515-2.js: Added.
2566
2567 2018-10-22  Mark Lam  <mark.lam@apple.com>
2568
2569         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2570         https://bugs.webkit.org/show_bug.cgi?id=190515
2571         <rdar://problem/45222379>
2572
2573         Reviewed by Saam Barati.
2574
2575         * stress/regress-190515.js: Added.
2576
2577 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2578
2579         Unreviewed, rolling out r237254.
2580         https://bugs.webkit.org/show_bug.cgi?id=190760
2581
2582         "It regresses JetStream 2 by 5% on some iOS devices"
2583         (Requested by saamyjoon on #webkit).
2584
2585         Reverted changeset:
2586
2587         "[JSC] JSC should have "parseFunction" to optimize Function
2588         constructor"
2589         https://bugs.webkit.org/show_bug.cgi?id=190340
2590         https://trac.webkit.org/changeset/237254
2591
2592 2018-10-19  Saam Barati  <sbarati@apple.com>
2593
2594         vmCall should check if we exit before emitting an OSR exit due to exceptions
2595         https://bugs.webkit.org/show_bug.cgi?id=190740
2596         <rdar://problem/45220139>
2597
2598         Reviewed by Mark Lam.
2599
2600         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2601         (foo):
2602
2603 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2604
2605         [ESNext][BigInt] Implement support for "^"
2606         https://bugs.webkit.org/show_bug.cgi?id=186235
2607
2608         Reviewed by Yusuke Suzuki.
2609
2610         * stress/big-int-bitwise-xor-general.js: Added.
2611         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2612         * stress/big-int-bitwise-xor-type-error.js: Added.
2613         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2614
2615 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2616
2617         [BigInt] Add ValueSub into DFG
2618         https://bugs.webkit.org/show_bug.cgi?id=186176
2619
2620         Reviewed by Yusuke Suzuki.
2621
2622         * stress/big-int-subtraction-jit.js:
2623         * stress/value-sub-big-int-prediction-propagation.js: Added.
2624         * stress/value-sub-big-int-untyped.js: Added.
2625         * stress/value-sub-spec-none-case.js: Added.
2626
2627 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2628
2629         [JSC] JSC should have "parseFunction" to optimize Function constructor
2630         https://bugs.webkit.org/show_bug.cgi?id=190340
2631
2632         Reviewed by Mark Lam.
2633
2634         This patch fixes the line number of syntax errors raised by the Function constructor,
2635         since we now parse the final code only once. And we no longer use block statement
2636         for Function constructor's parsing.
2637
2638         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2639         * stress/function-cache-with-parameters-end-position.js: Added.
2640         (shouldBe):
2641         (shouldThrow):
2642         (i.anonymous):
2643         * stress/function-constructor-name.js: Added.
2644         (shouldBe):
2645         (GeneratorFunction):
2646         (AsyncFunction.async):
2647         (AsyncGeneratorFunction.async):
2648         (anonymous):
2649         (async.anonymous):
2650         * test262/expectations.yaml:
2651
2652 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2653
2654         Unreviewed, rolling out r237242.
2655         https://bugs.webkit.org/show_bug.cgi?id=190701
2656
2657         it breaks "stress/sampling-profiler-basic.js" (Requested by
2658         caiolima on #webkit).
2659
2660         Reverted changeset:
2661
2662         "[BigInt] Add ValueSub into DFG"
2663         https://bugs.webkit.org/show_bug.cgi?id=186176
2664         https://trac.webkit.org/changeset/237242
2665
2666 2018-10-17  Keith Miller  <keith_miller@apple.com>
2667
2668         AI does not clear Phantom allocation nodes.
2669         https://bugs.webkit.org/show_bug.cgi?id=190694
2670
2671         Reviewed by Saam Barati.
2672
2673         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2674         (Day):
2675         (DaysInYear):
2676         (TimeInYear):
2677         (TimeFromYear):
2678         (DayFromYear):
2679         (InLeapYear):
2680         (YearFromTime):
2681         (WeekDay):
2682         (DaylightSavingTA):
2683         (GetSecondSundayInMarch):
2684         (TimeInMonth):
2685
2686 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2687
2688         [BigInt] Add ValueSub into DFG
2689         https://bugs.webkit.org/show_bug.cgi?id=186176
2690
2691         Reviewed by Yusuke Suzuki.
2692
2693         * stress/big-int-subtraction-jit.js:
2694         * stress/value-sub-big-int-prediction-propagation.js: Added.
2695         * stress/value-sub-big-int-untyped.js: Added.
2696
2697 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2698
2699         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2700         https://bugs.webkit.org/show_bug.cgi?id=190611
2701
2702         Reviewed by Saam Barati.
2703
2704         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2705         to improve test runtime. On ARM/MIPS this test even timed out when running all
2706         tests.
2707
2708         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2709         (test):
2710
2711 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2712
2713         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2714
2715         Unreviewed gardening.
2716
2717         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2718
2719 2018-10-15  Saam Barati  <sbarati@apple.com>
2720
2721         Emit fjcvtzs on ARM64E on Darwin
2722         https://bugs.webkit.org/show_bug.cgi?id=184023
2723
2724         Reviewed by Yusuke Suzuki and Filip Pizlo.
2725
2726         * stress/double-to-int32-NaN.js: Added.
2727         (assert):
2728         (foo):
2729
2730 2018-10-15  Saam Barati  <sbarati@apple.com>
2731
2732         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2733         https://bugs.webkit.org/show_bug.cgi?id=190262
2734         <rdar://problem/44986241>
2735
2736         Reviewed by Mark Lam.
2737
2738         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2739         (test):
2740         * stress/slice-array-storage-with-holes.js: Added.
2741         (main):
2742
2743 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2744
2745         Unreviewed, rolling out r237054.
2746         https://bugs.webkit.org/show_bug.cgi?id=190593
2747
2748         "this regressed JetStream 2 by 6% on iOS" (Requested by
2749         saamyjoon on #webkit).
2750
2751         Reverted changeset:
2752
2753         "[JSC] JSC should have "parseFunction" to optimize Function
2754         constructor"
2755         https://bugs.webkit.org/show_bug.cgi?id=190340
2756         https://trac.webkit.org/changeset/237054
2757
2758 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2759
2760         [JSC] JSON.stringify can accept call-with-no-arguments
2761         https://bugs.webkit.org/show_bug.cgi?id=190343
2762
2763         Reviewed by Mark Lam.
2764
2765         * stress/json-stringify-no-arguments.js: Added.
2766         (shouldBe):
2767
2768 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2769
2770         [JSC] JSC should have "parseFunction" to optimize Function constructor
2771         https://bugs.webkit.org/show_bug.cgi?id=190340
2772
2773         Reviewed by Mark Lam.
2774
2775         This patch fixes the line number of syntax errors raised by the Function constructor,
2776         since we now parse the final code only once. And we no longer use block statement
2777         for Function constructor's parsing.
2778
2779         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2780         * stress/function-cache-with-parameters-end-position.js: Added.
2781         (shouldBe):
2782         (shouldThrow):
2783         (i.anonymous):
2784         * stress/function-constructor-name.js: Added.
2785         (shouldBe):
2786         (GeneratorFunction):
2787         (AsyncFunction.async):
2788         (AsyncGeneratorFunction.async):
2789         (anonymous):
2790         (async.anonymous):
2791         * test262/expectations.yaml:
2792
2793 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2794
2795         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2796         https://bugs.webkit.org/show_bug.cgi?id=190426
2797
2798         Unreviewed gardening.
2799
2800         * stress/sampling-profiler-richards.js:
2801
2802 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2803
2804         [ESNext][BigInt] Implement support for "|"
2805         https://bugs.webkit.org/show_bug.cgi?id=186229
2806
2807         Reviewed by Yusuke Suzuki.
2808
2809         * stress/big-int-bitwise-and-jit.js:
2810         * stress/big-int-bitwise-or-general.js: Added.
2811         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2812         * stress/big-int-bitwise-or-jit.js: Added.
2813         * stress/big-int-bitwise-or-memory-stress.js: Added.
2814         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2815         * stress/big-int-bitwise-or-type-error.js: Added.
2816         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2817
2818 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2819
2820         Skip test on systems with limited memory
2821         https://bugs.webkit.org/show_bug.cgi?id=190310
2822
2823         Invoking runDefault adds test to runlist; skipping the test in the next
2824         line does not prevent the test from executing. Change order of lines such
2825         that runDefault is only executed if test is not executed.
2826
2827         Reviewed by Mark Lam.
2828
2829         * stress/regress-190187.js:
2830
2831 2018-10-03  Saam Barati  <sbarati@apple.com>
2832
2833         lowXYZ in FTLLower should always filter the type of the incoming edge
2834         https://bugs.webkit.org/show_bug.cgi?id=189939
2835         <rdar://problem/44407030>
2836
2837         Reviewed by Michael Saboff.
2838
2839         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2840         (foo):
2841         (test):
2842
2843 2018-10-03  Mark Lam  <mark.lam@apple.com>
2844
2845         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2846         https://bugs.webkit.org/show_bug.cgi?id=190187
2847         <rdar://problem/42512909>
2848
2849         Reviewed by Michael Saboff.
2850
2851         * stress/regress-190187.js: Added.
2852
2853 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2854
2855         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2856         https://bugs.webkit.org/show_bug.cgi?id=190033
2857
2858         Reviewed by Yusuke Suzuki.
2859
2860         * stress/big-int-to-string.js:
2861
2862 2018-10-01  Mark Lam  <mark.lam@apple.com>
2863
2864         Function.toString() should also copy the source code Functions that are class definitions.
2865         https://bugs.webkit.org/show_bug.cgi?id=190186
2866         <rdar://problem/44733360>
2867
2868         Reviewed by Saam Barati.
2869
2870         * stress/regress-190186.js: Added.
2871
2872 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2873
2874         Split NaN-check into separate test
2875         https://bugs.webkit.org/show_bug.cgi?id=190010
2876
2877         Reviewed by Saam Barati.
2878
2879         DataView exposes NaN-representation, which is not necessarily the same on each
2880         architecture. Therefore move the check of the NaN-representation into its own
2881         file such that we can disable this test on MIPS where NaN-representation can be
2882         different on older CPUs.
2883
2884         * stress/dataview-jit-set-nan.js: Added.
2885         (assert):
2886         (test.storeLittleEndian):
2887         (test.storeBigEndian):
2888         (test.store):
2889         (test):
2890         * stress/dataview-jit-set.js:
2891         (test5):
2892
2893 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2894
2895         Unreviewed, rolling out r236647.
2896         https://bugs.webkit.org/show_bug.cgi?id=190124
2897
2898         Breaking test stress/big-int-to-string.js (Requested by
2899         caiolima_ on #webkit).
2900
2901         Reverted changeset:
2902
2903         "[BigInt] BigInt.prototype.toString is broken when radix is
2904         power of 2"
2905         https://bugs.webkit.org/show_bug.cgi?id=190033
2906         https://trac.webkit.org/changeset/236647
2907
2908 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2909
2910         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2911         https://bugs.webkit.org/show_bug.cgi?id=190033
2912
2913         Reviewed by Yusuke Suzuki.
2914
2915         * stress/big-int-to-string.js:
2916
2917 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2918
2919         [ESNext][BigInt] Implement support for "&"
2920         https://bugs.webkit.org/show_bug.cgi?id=186228
2921
2922         Reviewed by Yusuke Suzuki.
2923
2924         * stress/big-int-bitwise-and-general.js: Added.
2925         (assert):
2926         (assert.sameValue):
2927         * stress/big-int-bitwise-and-jit.js: Added.
2928         (let.assert.sameValue):
2929         (bigIntBitAnd):
2930         * stress/big-int-bitwise-and-memory-stress.js: Added.
2931         (assert):
2932         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2933         (assert.sameValue):
2934         (let.o.Symbol.toPrimitive):
2935         (catch):
2936         * stress/big-int-bitwise-and-type-error.js: Added.
2937         (assert):
2938         (assertThrowTypeError):
2939         (let.o.valueOf):
2940         (o.valueOf):
2941         (o.toString):
2942         (o.Symbol.toPrimitive):
2943         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2944         (assert.sameValue):
2945         (testBitAnd):
2946         (let.o.Symbol.toPrimitive):
2947         (o.valueOf):
2948         (o.toString):
2949
2950 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2951
2952         JSC test stress/jsc-read.js doesn't support CRLF
2953         https://bugs.webkit.org/show_bug.cgi?id=190063
2954
2955         Reviewed by Yusuke Suzuki.
2956
2957         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2958
2959         * stress/jsc-read.js:
2960         (test):
2961
2962 2018-09-27  Saam Barati  <sbarati@apple.com>
2963
2964         Verify the contents of AssemblerBuffer on arm64e
2965         https://bugs.webkit.org/show_bug.cgi?id=190057
2966         <rdar://problem/38916630>
2967
2968         Reviewed by Mark Lam.
2969
2970         * stress/regress-189132.js:
2971
2972 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2973
2974         Disable test without LLInt on ARMv7
2975         https://bugs.webkit.org/show_bug.cgi?id=190037
2976
2977         Reviewed by Mark Lam.
2978
2979         Test runs out of executable memory on ARMv7; do not run
2980         this test without LLInt enabled.
2981
2982         * stress/regress-169445.js:
2983
2984 2018-09-26  Keith Miller  <keith_miller@apple.com>
2985
2986         We should zero unused property storage when rebalancing array storage.
2987         https://bugs.webkit.org/show_bug.cgi?id=188151
2988
2989         Reviewed by Michael Saboff.
2990
2991         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2992
2993 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2994
2995         [JSC] Optimize Array#lastIndexOf
2996         https://bugs.webkit.org/show_bug.cgi?id=189780
2997
2998         Reviewed by Saam Barati.
2999
3000         * stress/array-lastindexof-array-prototype-trap.js: Added.
3001         (shouldBe):
3002         (AncestorArray.prototype.get 2):
3003         (AncestorArray):
3004         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3005         (shouldBe):
3006         * stress/array-lastindexof-hole-nan.js: Added.
3007         (shouldBe):
3008         (throw.new.Error):
3009         * stress/array-lastindexof-infinity.js: Added.
3010         (shouldBe):
3011         (throw.new.Error):
3012         * stress/array-lastindexof-negative-zero.js: Added.
3013         (shouldBe):
3014         (throw.new.Error):
3015         * stress/array-lastindexof-own-getter.js: Added.
3016         (shouldBe):
3017         (throw.new.Error.get array):
3018         (get array):
3019         * stress/array-lastindexof-prototype-trap.js: Added.
3020         (shouldBe):
3021         (DerivedArray.prototype.get 2):
3022         (DerivedArray):
3023
3024 2018-09-25  Saam Barati  <sbarati@apple.com>
3025
3026         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3027         https://bugs.webkit.org/show_bug.cgi?id=189940
3028         <rdar://problem/43640987>
3029
3030         Reviewed by Mark Lam.
3031
3032         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3033
3034 2018-09-24  Saam Barati  <sbarati@apple.com>
3035
3036         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3037         https://bugs.webkit.org/show_bug.cgi?id=189922
3038         <rdar://problem/44651275>
3039
3040         Reviewed by Mark Lam.
3041
3042         * stress/array-indexof-fast-path-effects.js: Added.
3043         * stress/array-indexof-cached-length.js: Added.
3044
3045 2018-09-24  Saam Barati  <sbarati@apple.com>
3046
3047         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3048         https://bugs.webkit.org/show_bug.cgi?id=189682
3049         <rdar://problem/43557315>
3050
3051         Reviewed by Mark Lam.
3052
3053         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3054         (foo):
3055
3056 2018-09-22  Saam Barati  <sbarati@apple.com>
3057
3058         The sampling should not use Strong<CodeBlock> in its machineLocation field
3059         https://bugs.webkit.org/show_bug.cgi?id=189319
3060
3061         Reviewed by Filip Pizlo.
3062
3063         * stress/sampling-profiler-richards.js: Added.
3064
3065 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3066
3067         [JSC] Optimize Array#indexOf in C++ runtime
3068         https://bugs.webkit.org/show_bug.cgi?id=189507
3069
3070         Reviewed by Saam Barati.
3071
3072         * stress/array-indexof-array-prototype-trap.js: Added.
3073         (shouldBe):
3074         (AncestorArray.prototype.get 2):
3075         (AncestorArray):
3076         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3077         (shouldBe):
3078         * stress/array-indexof-hole-nan.js: Added.
3079         (shouldBe):
3080         (throw.new.Error):
3081         * stress/array-indexof-infinity.js: Added.
3082         (shouldBe):
3083         (throw.new.Error):
3084         * stress/array-indexof-negative-zero.js: Added.
3085         (shouldBe):
3086         (throw.new.Error):
3087         * stress/array-indexof-own-getter.js: Added.
3088         (shouldBe):
3089         (throw.new.Error.get array):
3090         (get array):
3091         * stress/array-indexof-prototype-trap.js: Added.
3092         (shouldBe):
3093         (DerivedArray.prototype.get 2):
3094         (DerivedArray):
3095
3096 2018-09-19  Saam Barati  <sbarati@apple.com>
3097
3098         AI rule for MultiPutByOffset executes its effects in the wrong order
3099         https://bugs.webkit.org/show_bug.cgi?id=189757
3100         <rdar://problem/43535257>
3101
3102         Reviewed by Michael Saboff.
3103
3104         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3105         (foo):
3106         (Foo):
3107         (g):
3108
3109 2018-09-17  Mark Lam  <mark.lam@apple.com>
3110
3111         Ensure that ForInContexts are invalidated if their loop local is over-written.
3112         https://bugs.webkit.org/show_bug.cgi?id=189571
3113         <rdar://problem/44402277>
3114
3115         Reviewed by Saam Barati.
3116
3117         * stress/regress-189571.js: Added.
3118
3119 2018-09-17  Saam Barati  <sbarati@apple.com>
3120
3121         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3122         https://bugs.webkit.org/show_bug.cgi?id=189676
3123         <rdar://problem/39682897>
3124
3125         Reviewed by Michael Saboff.
3126
3127         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3128         (A):
3129         (K):
3130         (i.catch):
3131
3132 2018-09-14  Saam Barati  <sbarati@apple.com>
3133
3134         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3135         https://bugs.webkit.org/show_bug.cgi?id=189628
3136         <rdar://problem/39481690>
3137
3138         Reviewed by Mark Lam.
3139
3140         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3141         (foo):
3142
3143 2018-09-11  Mark Lam  <mark.lam@apple.com>
3144
3145         Test for array initialization in arrayProtoFuncSplice.
3146         https://bugs.webkit.org/show_bug.cgi?id=170253
3147         <rdar://problem/31328773>
3148
3149         Rubber-stamped by Saam Barati.
3150
3151         * stress/regress-170253.js: Added.
3152
3153 2018-09-11  Mark Lam  <mark.lam@apple.com>
3154
3155         Test for IntlObject initialization.
3156         https://bugs.webkit.org/show_bug.cgi?id=170251
3157         <rdar://problem/31328419>
3158
3159         Rubber-stamped by Saam Barati.
3160
3161         * stress/regress-170251.js: Added.
3162
3163 2018-09-11  Mark Lam  <mark.lam@apple.com>
3164
3165         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3166         https://bugs.webkit.org/show_bug.cgi?id=169889
3167         <rdar://problem/31155607>
3168
3169         Reviewed by Saam Barati.
3170
3171         * stress/regress-169889-array-concat.js: Added.
3172         * stress/regress-169889-array-concat1.js: Added.
3173         * stress/regress-169889-array-slice.js: Added.
3174
3175 2018-09-11  Mark Lam  <mark.lam@apple.com>
3176
3177         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3178         https://bugs.webkit.org/show_bug.cgi?id=169445
3179         <rdar://problem/30957435>
3180
3181         Reviewed by Saam Barati.
3182
3183         * stress/regress-169445.js: Added.
3184         (let.gun.eval.A):
3185         (let.gun.eval.B.C):
3186         (let.gun.eval.B.C.prototype.trigger):
3187         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3188         (let.gun.eval.B):
3189         (let.gun.eval):
3190
3191 == Rolled over to ChangeLog-2018-09-11 ==