[JSC] Add more tests for r243966
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Add more tests for r243966
4         https://bugs.webkit.org/show_bug.cgi?id=196711
5
6         Reviewed by Saam Barati.
7
8         Adding one more test for r243966 fix. The added test will not crash after r243966.
9
10         * stress/stress-cleared-calllinkinfo.js: Added.
11         (runNearStackLimit.t):
12         (runNearStackLimit):
13         (repeat):
14         (cls):
15         (let.item.of.array.runNearStackLimit):
16
17 2019-04-08  Saam Barati  <sbarati@apple.com>
18
19         WebAssembly.RuntimeError missing exception check
20         https://bugs.webkit.org/show_bug.cgi?id=196700
21         <rdar://problem/49693932>
22
23         Reviewed by Yusuke Suzuki.
24
25         * wasm/js-api/runtime-error-should-exception-check.js: Added.
26
27 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
28
29         Unreviewed, rolling in r243948 with test fix
30         https://bugs.webkit.org/show_bug.cgi?id=196486
31
32         * stress/arrow-function-and-use-strict-directive.js: Added.
33         * stress/arrow-function-syntax.js: Added.
34         (checkSyntax):
35         (checkSyntaxError):
36
37 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
38
39         Unreviewed, rolling out r243948.
40
41         Caused inspector/runtime/parse.html to fail
42
43         Reverted changeset:
44
45         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
46         https://bugs.webkit.org/show_bug.cgi?id=196486
47         https://trac.webkit.org/changeset/243948
48
49 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
50
51         Unreviewed, rolling out r243943.
52
53         Caused test262 failures.
54
55         Reverted changeset:
56
57         "[JSC] Filter DontEnum properties in
58         ProxyObject::getOwnPropertyNames()"
59         https://bugs.webkit.org/show_bug.cgi?id=176810
60         https://trac.webkit.org/changeset/243943
61
62 2019-04-07  Michael Saboff  <msaboff@apple.com>
63
64         REGRESSION (r243642): Crash in reddit.com page
65         https://bugs.webkit.org/show_bug.cgi?id=196684
66
67         Reviewed by Geoffrey Garen.
68
69         New regression test.
70
71         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
72
73 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
74
75         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
76         https://bugs.webkit.org/show_bug.cgi?id=196683
77
78         Reviewed by Saam Barati.
79
80         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
81         (foo):
82
83 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
84
85         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
86         https://bugs.webkit.org/show_bug.cgi?id=196582
87
88         Reviewed by Saam Barati.
89
90         * stress/add-overflow-check-with-three-same-registers.js: Added.
91         (foo):
92         (Number.prototype.valueOf):
93         (runWithNumber):
94
95 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
96
97         Unreviewed, rolling out r243665.
98
99         Caused iOS JSC tests to exit with an exception.
100
101         Reverted changeset:
102
103         "Assertion failed in JSC::createError"
104         https://bugs.webkit.org/show_bug.cgi?id=196305
105         https://trac.webkit.org/changeset/243665
106
107 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
108
109         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
110         https://bugs.webkit.org/show_bug.cgi?id=196486
111
112         Reviewed by Saam Barati.
113
114         * stress/arrow-function-and-use-strict-directive.js: Added.
115         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
116         (checkSyntax):
117         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
118
119 2019-04-05  Caitlin Potter  <caitp@igalia.com>
120
121         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
122         https://bugs.webkit.org/show_bug.cgi?id=176810
123
124         Reviewed by Saam Barati.
125
126         Add tests for the DontEnum filtering, and variations of other tests
127         take the DontEnum-filtering path.
128
129         * stress/proxy-own-keys.js:
130         (i.catch):
131         (set assert):
132         (set add):
133         (let.set new):
134         (get let):
135
136 2019-04-05  Caitlin Potter  <caitp@igalia.com>
137
138         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
139         https://bugs.webkit.org/show_bug.cgi?id=185211
140
141         Reviewed by Saam Barati.
142
143         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
144
145         This changes several assertions to expect a TypeError to be thrown (in some cases,
146         changing the expected message).
147
148         * es6/Proxy_ownKeys_duplicates.js:
149         (handler):
150         (shouldThrow):
151         (test):
152         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
153         (shouldThrow):
154         * stress/proxy-own-keys.js:
155         (i.catch):
156         (assert):
157
158 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
159
160         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
161         https://bugs.webkit.org/show_bug.cgi?id=196631
162
163         Reviewed by Saam Barati.
164
165         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
166         (assert):
167         (test):
168         (foo):
169
170 2019-04-04  Saam Barati  <sbarati@apple.com>
171
172         Unreviewed. Make the test from r243906 catch the thrown exceptions.
173
174         * stress/inferred-types-regex-matches-array.js:
175
176 2019-04-04  Saam Barati  <sbarati@apple.com>
177
178         createRegExpMatchesArray does not respect inferred types
179         https://bugs.webkit.org/show_bug.cgi?id=193287
180
181         Reviewed by Yusuke Suzuki.
182
183         This checks in the test case for 193287. This issue was discovered by
184         Samuel Groß of Google Project Zero.
185
186         * stress/inferred-types-regex-matches-array.js: Added.
187
188 2019-04-04  Saam barati  <sbarati@apple.com>
189
190         Teach Call ICs how to call Wasm
191         https://bugs.webkit.org/show_bug.cgi?id=196387
192
193         Reviewed by Filip Pizlo.
194
195         * wasm/function-tests/stack-trace.js:
196
197 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
198
199         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
200         https://bugs.webkit.org/show_bug.cgi?id=194944
201
202         Reviewed by Keith Miller.
203
204         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
205
206 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
207
208         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
209         https://bugs.webkit.org/show_bug.cgi?id=196409
210
211         Reviewed by Saam Barati.
212
213         * stress/bytecode-cache-cached-string-impl.js: Added.
214         (f):
215         (g):
216         * stress/bytecode-cache-run-string.js: Added.
217
218 2019-04-03  Robin Morisset  <rmorisset@apple.com>
219
220         B3 should use associativity to optimize expression trees
221         https://bugs.webkit.org/show_bug.cgi?id=194081
222
223         Reviewed by Filip Pizlo.
224
225         Added three microbenchmarks:
226         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
227         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
228           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
229         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
230
231         * microbenchmarks/add-tree.js: Added.
232         * microbenchmarks/bit-or-tree.js: Added.
233         * microbenchmarks/bit-xor-tree.js: Added.
234
235 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
236
237         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
238         https://bugs.webkit.org/show_bug.cgi?id=196574
239
240         Reviewed by Saam Barati.
241
242         * stress/string-index-of-exception-check.js: Added.
243         (blurType):
244         (1.forEach):
245
246 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
247
248         Assertion failed in JSC::createError
249         https://bugs.webkit.org/show_bug.cgi?id=196305
250         <rdar://problem/49387382>
251
252         Reviewed by Saam Barati.
253
254         * stress/create-error-out-of-memory-rope-string-2.js: Added.
255         (assert):
256         (catch):
257
258 2019-03-28  Saam Barati  <sbarati@apple.com>
259
260         BackwardsGraph needs to consider back edges as the backward's root successor
261         https://bugs.webkit.org/show_bug.cgi?id=195991
262
263         Reviewed by Filip Pizlo.
264
265         * stress/map-b3-licm-infinite-loop.js: Added.
266
267 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
268
269         CodeBlock::jettison() should disallow repatching its own calls
270         https://bugs.webkit.org/show_bug.cgi?id=196359
271         <rdar://problem/48973663>
272
273         Reviewed by Saam Barati.
274
275         * stress/call-link-info-osrexit-repatch.js: Added.
276         (foo):
277
278 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
279
280         [JSC] imports-oom.js intermittently fails
281         https://bugs.webkit.org/show_bug.cgi?id=196373
282
283         Reviewed by Saam Barati.
284
285         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
286         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
287         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
288         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
289         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
290
291         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
292         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
293
294         * wasm/lowExecutableMemory/imports-oom.js:
295
296 2019-03-27  Saam Barati  <sbarati@apple.com>
297
298         validateOSREntryValue with Int52 should box the value being checked into double format
299         https://bugs.webkit.org/show_bug.cgi?id=196313
300         <rdar://problem/49306703>
301
302         Reviewed by Yusuke Suzuki.
303
304         * stress/validate-int-52-ai-state.js: Added.
305
306 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
307
308         [JSC] Owner of watchpoints should validate at GC finalizing phase
309         https://bugs.webkit.org/show_bug.cgi?id=195827
310
311         Reviewed by Filip Pizlo.
312
313         * stress/gc-should-reap-dead-watchpoints.js: Added.
314         (foo):
315         (A.prototype.y):
316         (A):
317
318 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
319
320         Skip WebAssembly test on 32-bit systems
321         https://bugs.webkit.org/show_bug.cgi?id=196206
322
323         Reviewed by Saam Barati.
324
325         Invoking runDefault executes test immediately even though
326         that test should be skipped due to missing WASM support.
327         Therefore remove runDefault.
328
329         * wasm/regress/web-assembly-link-error-exception-check.js:
330
331 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
332
333         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
334         https://bugs.webkit.org/show_bug.cgi?id=196217
335
336         Reviewed by Saam Barati.
337
338         Re-enable all NaN tests for f32.min, f64.min and f64.max.
339
340         * wasm/spec-tests/f32.wast.js:
341         * wasm/spec-tests/f64.wast.js:
342         * wasm/wasm.json:
343
344 2019-03-25  Keith Miller  <keith_miller@apple.com>
345
346         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
347         https://bugs.webkit.org/show_bug.cgi?id=196176
348
349         Reviewed by Saam Barati.
350
351         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
352         (main.v10):
353         (main):
354
355 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
356
357         WebAssembly: f32.max with NaN generates incorrect result
358         https://bugs.webkit.org/show_bug.cgi?id=175691
359         <rdar://problem/33952228>
360
361         Reviewed by Saam Barati.
362
363         Enable all f32.max NaN tests
364
365         * wasm/spec-tests/f32.wast.js:
366         * wasm/wasm.json:
367
368 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
369
370         [JSC] Move test into directory for WASM tests
371         https://bugs.webkit.org/show_bug.cgi?id=196187
372
373         Reviewed by Mark Lam.
374
375         Move Test into wasm-directory. Otherwise this test
376         is also executed on systems without WASM support.
377
378         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
379
380 2019-03-23  Mark Lam  <mark.lam@apple.com>
381
382         Rolling out r243032 and r243071 because the fix is incorrect.
383         https://bugs.webkit.org/show_bug.cgi?id=195892
384         <rdar://problem/48981239>
385
386         Not reviewed.
387
388         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
389
390 2019-03-22  Mark Lam  <mark.lam@apple.com>
391
392         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
393         https://bugs.webkit.org/show_bug.cgi?id=196154
394         <rdar://problem/49145307>
395
396         Reviewed by Filip Pizlo.
397
398         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
399         There's no need to run this test on more than 1 test configuration.
400
401         * stress/typed-array-lastIndexOf-exception-check.js: Added.
402         * stress/web-assembly-link-error-exception-check.js:
403
404 2019-03-22  Mark Lam  <mark.lam@apple.com>
405
406         Placate exception check validation in constructJSWebAssemblyLinkError().
407         https://bugs.webkit.org/show_bug.cgi?id=196152
408         <rdar://problem/49145257>
409
410         Reviewed by Michael Saboff.
411
412         * stress/web-assembly-link-error-exception-check.js: Added.
413
414 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
415
416         Skip tests running out of memory on ARM/MIPS
417         https://bugs.webkit.org/show_bug.cgi?id=196131
418
419         Unreviewed. Skip test if memory is limited.
420
421         * microbenchmarks/put-by-val-direct-large-index.js:
422
423 2019-03-21  Mark Lam  <mark.lam@apple.com>
424
425         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
426         https://bugs.webkit.org/show_bug.cgi?id=196116
427         <rdar://problem/48976951>
428
429         Reviewed by Filip Pizlo.
430
431         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
432
433 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
434
435         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
436         https://bugs.webkit.org/show_bug.cgi?id=196078
437         <rdar://problem/35925380>
438
439         Reviewed by Mark Lam.
440
441         Add a new benchmark that allocates several objects and invokes put_by_val_direct
442         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
443
444         * microbenchmarks/put-by-val-direct-large-index.js: Added.
445
446 2019-03-21  Mark Lam  <mark.lam@apple.com>
447
448         Placate exception check validation in operationArrayIndexOfString().
449         https://bugs.webkit.org/show_bug.cgi?id=196067
450         <rdar://problem/49056572>
451
452         Reviewed by Michael Saboff.
453
454         * stress/string-equal-exception-check.js: Added.
455
456 2019-03-21  Mark Lam  <mark.lam@apple.com>
457
458         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
459         https://bugs.webkit.org/show_bug.cgi?id=196055
460         <rdar://problem/49067448>
461
462         Reviewed by Yusuke Suzuki.
463
464         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
465
466 2019-03-20  Saam Barati  <sbarati@apple.com>
467
468         typeOfDoubleSum is wrong for when NaN can be produced
469         https://bugs.webkit.org/show_bug.cgi?id=196030
470
471         Reviewed by Filip Pizlo.
472
473         * stress/double-add-sub-mul-can-produce-nan.js: Added.
474         (assert):
475         (noInline.sub):
476         (noInline):
477         (assert.mul):
478         (assert.add):
479
480 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
481
482         Update the test to ensure OutOfMemoryError is thrown as intended
483         https://bugs.webkit.org/show_bug.cgi?id=196032
484         <rdar://problem/46842740>
485
486         Rubber stamped by Saam Barati.
487
488         * stress/create-error-out-of-memory-rope-string.js:
489         (assert):
490         (catch):
491
492 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
493
494         JSC::createError needs to check for OOM in errorDescriptionForValue
495         https://bugs.webkit.org/show_bug.cgi?id=196032
496         <rdar://problem/46842740>
497
498         Reviewed by Mark Lam.
499
500         * stress/create-error-out-of-memory-rope-string.js: Added.
501
502 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
503
504         Unreviewed, reduce # of iterations to avoid timing out after r242991
505         https://bugs.webkit.org/show_bug.cgi?id=195791
506
507         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
508
509         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
510
511 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
512
513         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
514         https://bugs.webkit.org/show_bug.cgi?id=195950
515
516         Unreviewed, reducing the amount of memory used on this test to avoid
517         OOM on devices with memory restrictions.
518
519         * microbenchmarks/generate-multiple-llint-entrypoints.js:
520
521 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
522
523         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
524         https://bugs.webkit.org/show_bug.cgi?id=194648
525
526         Reviewed by Keith Miller.
527
528         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
529
530 2019-03-18  Mark Lam  <mark.lam@apple.com>
531
532         Missing a ThrowScope release in JSObject::toString().
533         https://bugs.webkit.org/show_bug.cgi?id=195893
534         <rdar://problem/48970986>
535
536         Reviewed by Michael Saboff.
537
538         * stress/to-string-exception-check-release.js: Added.
539
540 2019-03-18  Mark Lam  <mark.lam@apple.com>
541
542         Structure::flattenDictionary() should clear unused property slots.
543         https://bugs.webkit.org/show_bug.cgi?id=195871
544         <rdar://problem/48959497>
545
546         Reviewed by Michael Saboff.
547
548         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
549
550 2019-03-15  Mark Lam  <mark.lam@apple.com>
551
552         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
553         https://bugs.webkit.org/show_bug.cgi?id=195827
554         <rdar://problem/48845513>
555
556         Reviewed by Filip Pizlo.
557
558         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
559
560 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
561
562         [ARM,MIPS] Skip slow tests
563         https://bugs.webkit.org/show_bug.cgi?id=195799
564
565         Unreviewed, test does not finish on ARM and MIPS within the
566         timeout limit.
567
568         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
569
570 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
571
572         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
573         https://bugs.webkit.org/show_bug.cgi?id=195791
574         <rdar://problem/48806130>
575
576         Reviewed by Mark Lam.
577
578         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
579         (foo):
580
581 2019-03-14  Saam barati  <sbarati@apple.com>
582
583         We can't remove code after ForceOSRExit until after FixupPhase
584         https://bugs.webkit.org/show_bug.cgi?id=186916
585         <rdar://problem/41396612>
586
587         Reviewed by Yusuke Suzuki.
588
589         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
590         (foo):
591         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
592         (foo):
593
594 2019-03-13  Michael Saboff  <msaboff@apple.com>
595
596         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
597         https://bugs.webkit.org/show_bug.cgi?id=195735
598
599         Reviewed by Mark Lam.
600
601         New regression test.
602
603         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
604         (foo):
605         (bar):
606
607 2019-03-14  Saam barati  <sbarati@apple.com>
608
609         Fixup uses KnownInt32 incorrectly in some nodes
610         https://bugs.webkit.org/show_bug.cgi?id=195279
611         <rdar://problem/47915654>
612
613         Reviewed by Yusuke Suzuki.
614
615         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
616         (foo):
617
618 2019-03-14  Keith Miller  <keith_miller@apple.com>
619
620         DFG liveness can't skip tail caller inline frames
621         https://bugs.webkit.org/show_bug.cgi?id=195715
622
623         Reviewed by Saam Barati.
624
625         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
626         (i.foo):
627
628 2019-03-13  Mark Lam  <mark.lam@apple.com>
629
630         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
631         https://bugs.webkit.org/show_bug.cgi?id=195415
632
633         Not reviewed.
634
635         Changed these tests to only run the default configuration.
636         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
637         There's no strong need to run this test on that variant.
638
639         * stress/dfg-to-string-on-int-does-gc.js:
640         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
641
642 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
643
644         String overflow when using StringBuilder in JSC::createError
645         https://bugs.webkit.org/show_bug.cgi?id=194957
646
647         Reviewed by Mark Lam.
648
649         Add test string-overflow-createError-builder.js that overflows
650         StringBuilder in notAFunctionSourceAppender. The second new test
651         string-overflow-createError-fit.js has an error message that doesn't
652         overflow, it still failed since the String's capacity can't be doubled.
653         Run test string-overflow-createError.js only in the default
654         configuration to reduce memory consumption when running the test
655         in all configurations on multiple CPUs in parallel.
656
657         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
658         (catch):
659         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
660         (catch):
661         * stress/string-overflow-createError.js:
662
663 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
664
665         [JSC] OSR entry should respect abstract values in addition to flush formats
666         https://bugs.webkit.org/show_bug.cgi?id=195653
667
668         Reviewed by Mark Lam.
669
670         * stress/osr-entry-locals-none.js: Added.
671
672 2019-03-12  Michael Saboff  <msaboff@apple.com>
673
674         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
675         https://bugs.webkit.org/show_bug.cgi?id=195613
676
677         Reviewed by Mark Lam.
678
679         New regression test.
680
681         * stress/regexp-backref-inbounds.js: Added.
682         (testRegExp):
683
684 2019-03-12  Mark Lam  <mark.lam@apple.com>
685
686         The HasIndexedProperty node does GC.
687         https://bugs.webkit.org/show_bug.cgi?id=195559
688         <rdar://problem/48767923>
689
690         Reviewed by Yusuke Suzuki.
691
692         * stress/HasIndexedProperty-does-gc.js: Added.
693
694 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
695
696         [ESNext][BigInt] Implement "~" unary operation
697         https://bugs.webkit.org/show_bug.cgi?id=182216
698
699         Reviewed by Keith Miller.
700
701         * stress/big-int-bit-not-general.js: Added.
702         * stress/big-int-bitwise-not-jit.js: Added.
703         * stress/big-int-bitwise-not-wrapped-value.js: Added.
704         * stress/bit-op-with-object-returning-int32.js:
705         * stress/bitwise-not-fixup-rules.js: Added.
706         * stress/value-bit-not-ai-rule.js: Added.
707
708 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
709
710         Invalid flags in a RegExp literal should be an early SyntaxError
711         https://bugs.webkit.org/show_bug.cgi?id=195514
712
713         Reviewed by Darin Adler.
714
715         * test262/expectations.yaml:
716         Mark 4 test cases as passing.
717
718         * stress/regexp-syntax-error-invalid-flags.js:
719         * stress/regress-161995.js: Removed.
720         Update existing test, merging in an older test for the same behavior.
721
722 2019-03-08  Mark Lam  <mark.lam@apple.com>
723
724         Stack overflow crash in JSC::JSObject::hasInstance.
725         https://bugs.webkit.org/show_bug.cgi?id=195458
726         <rdar://problem/48710195>
727
728         Reviewed by Yusuke Suzuki.
729
730         * stress/stack-overflow-in-custom-hasInstance.js: Added.
731
732 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
733
734         op_check_tdz does not def its argument
735         https://bugs.webkit.org/show_bug.cgi?id=192880
736         <rdar://problem/46221598>
737
738         Reviewed by Saam Barati.
739
740         * microbenchmarks/let-for-in.js: Added.
741         (foo):
742
743 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
744
745         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
746         https://bugs.webkit.org/show_bug.cgi?id=195429
747
748         Reviewed by Saam Barati.
749
750         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
751         (foo):
752         * stress/string-from-char-code-255.js: Added.
753
754 2019-03-06  Mark Lam  <mark.lam@apple.com>
755
756         Fix incorrect handling of try-finally completion values.
757         https://bugs.webkit.org/show_bug.cgi?id=195131
758         <rdar://problem/46222079>
759
760         Reviewed by Saam Barati and Yusuke Suzuki.
761
762         Added many permutations of new test case to test-finally.js.  test-finally.js has
763         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
764         tests pass there as well.
765
766         * stress/test-finally.js:
767
768 2019-03-06  Saam Barati  <sbarati@apple.com>
769
770         Air::reportUsedRegisters must padInterference
771         https://bugs.webkit.org/show_bug.cgi?id=195303
772         <rdar://problem/48270343>
773
774         Reviewed by Keith Miller.
775
776         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
777
778 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
779
780         [JSC] AI should not propagate AbstractValue relying on constant folding phase
781         https://bugs.webkit.org/show_bug.cgi?id=195375
782
783         Reviewed by Saam Barati.
784
785         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
786         (let.array):
787
788 2019-03-05  Saam barati  <sbarati@apple.com>
789
790         op_switch_char broken for rope strings after JSRopeString layout rewrite
791         https://bugs.webkit.org/show_bug.cgi?id=195339
792         <rdar://problem/48592545>
793
794         Reviewed by Yusuke Suzuki.
795
796         * stress/switch-on-char-llint-rope.js: Added.
797
798 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
799
800         [JSC] Store bits for JSRopeString in 3 stores
801         https://bugs.webkit.org/show_bug.cgi?id=195234
802
803         Reviewed by Saam Barati.
804
805         * stress/null-rope-and-collectors.js: Added.
806
807 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
808
809         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
810         https://bugs.webkit.org/show_bug.cgi?id=195207
811
812         Unreviewed. After test runtime was reduced in r242213, test can be
813         run again on ARM/MIPS.
814
815         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
816
817 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         [JSC] sizeof(JSString) should be 16
820         https://bugs.webkit.org/show_bug.cgi?id=194375
821
822         Reviewed by Saam Barati.
823
824         * microbenchmarks/make-rope.js: Added.
825         (makeRope):
826         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
827         (returnRope.helper): Deleted.
828         (returnRope): Deleted.
829
830 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
831
832         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
833         https://bugs.webkit.org/show_bug.cgi?id=195144
834
835         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
836         Change the number from 1e8 to 1e5.
837
838         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
839         (foo):
840
841 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
842
843         Test times out on ARM/MIPS
844         https://bugs.webkit.org/show_bug.cgi?id=195168
845
846         Unreviewed. Skip test on ARM/MIPS.
847
848         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
849
850 2019-02-27  Mark Lam  <mark.lam@apple.com>
851
852         The parser is failing to record the token location of new in new.target.
853         https://bugs.webkit.org/show_bug.cgi?id=195127
854         <rdar://problem/39645578>
855
856         Reviewed by Yusuke Suzuki.
857
858         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
859
860 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
863         https://bugs.webkit.org/show_bug.cgi?id=195144
864         <rdar://problem/47595961>
865
866         Reviewed by Mark Lam.
867
868         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
869         (bar):
870         (foo):
871         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
872         (bar):
873         (foo):
874
875 2019-02-27  Robin Morisset  <rmorisset@apple.com>
876
877         DFG: Loop-invariant code motion (LICM) should not hoist dead code
878         https://bugs.webkit.org/show_bug.cgi?id=194945
879         <rdar://problem/48311657>
880
881         Reviewed by Mark Lam.
882
883         * stress/licm-dead-code.js: Added.
884
885 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
886
887         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
888         https://bugs.webkit.org/show_bug.cgi?id=194677
889         <rdar://problem/48112492>
890
891         Reviewed by Mark Lam.
892
893         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
894         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
895         it immediately fails due to the large size.
896
897         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
898         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
899         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
900         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
901
902         This patch changes the test to produce 16bit string from String.fromCharCode.
903
904         * stress/regress-178386.js:
905
906 2019-02-26  Mark Lam  <mark.lam@apple.com>
907
908         wasmToJS() should purify incoming NaNs.
909         https://bugs.webkit.org/show_bug.cgi?id=194807
910         <rdar://problem/48189132>
911
912         Reviewed by Saam Barati.
913
914         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
915
916 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
917
918         [JSC] Repeat string created from Array.prototype.join() take too much memory
919         https://bugs.webkit.org/show_bug.cgi?id=193912
920
921         Reviewed by Saam Barati.
922
923         Added a test and a microbenchmark for corner cases of
924         Array.prototype.join() with an uninitialized array.
925
926         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
927         * stress/array-prototype-join-uninitialized.js: Added.
928         (testArray):
929         (testABC):
930         (B):
931         (C):
932
933 2019-02-22  Robin Morisset  <rmorisset@apple.com>
934
935         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
936         https://bugs.webkit.org/show_bug.cgi?id=194953
937         <rdar://problem/47595253>
938
939         Reviewed by Saam Barati.
940
941         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
942
943         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
944
945 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
946
947         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
948         https://bugs.webkit.org/show_bug.cgi?id=172848
949         <rdar://problem/25709212>
950
951         Reviewed by Mark Lam.
952
953         * typeProfiler/inheritance.js:
954         Rewrite the test slightly for clarity. The hoisting was confusing.
955
956         * heapProfiler/class-names.js: Added.
957         (MyES5Class):
958         (MyES6Class):
959         (MyES6Subclass):
960         Test object types and improved class names.
961
962         * heapProfiler/driver/driver.js:
963         (CheapHeapSnapshotNode):
964         (CheapHeapSnapshot):
965         (createCheapHeapSnapshot):
966         (HeapSnapshot):
967         (createHeapSnapshot):
968         Update snapshot parsing from version 1 to version 2.
969
970 2019-02-19  Truitt Savell  <tsavell@apple.com>
971
972         Unreviewed, rolling out r241784.
973
974         Broke all OpenSource builds.
975
976         Reverted changeset:
977
978         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
979         instances view"
980         https://bugs.webkit.org/show_bug.cgi?id=172848
981         https://trac.webkit.org/changeset/241784
982
983 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
984
985         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
986         https://bugs.webkit.org/show_bug.cgi?id=172848
987         <rdar://problem/25709212>
988
989         Reviewed by Mark Lam.
990
991         * typeProfiler/inheritance.js:
992         Rewrite the test slightly for clarity. The hoisting was confusing.
993
994         * heapProfiler/class-names.js: Added.
995         (MyES5Class):
996         (MyES6Class):
997         (MyES6Subclass):
998         Test object types and improved class names.
999
1000         * heapProfiler/driver/driver.js:
1001         (CheapHeapSnapshotNode):
1002         (CheapHeapSnapshot):
1003         (createCheapHeapSnapshot):
1004         (HeapSnapshot):
1005         (createHeapSnapshot):
1006         Update snapshot parsing from version 1 to version 2.
1007
1008 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1009
1010         [ARM] Fix crash with sampling profiler
1011         https://bugs.webkit.org/show_bug.cgi?id=194772
1012
1013         Reviewed by Mark Lam.
1014
1015         Do not skip test since crash with sampling profiler is now fixed.
1016
1017         * stress/sampling-profiler-richards.js:
1018
1019 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1020
1021         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1022         https://bugs.webkit.org/show_bug.cgi?id=194784
1023         <rdar://problem/48154820>
1024
1025         Reviewed by Mark Lam.
1026
1027         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1028         (getProperties):
1029         (getRandomProperty):
1030         (i.catch):
1031
1032 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1033
1034         [ARM] Test gardening: Test running out of executable memory
1035         https://bugs.webkit.org/show_bug.cgi?id=194771
1036
1037         Unreviewed. Do not run test without LLInt, test is running out of executable
1038         memory on ARM otherwise.
1039
1040         * stress/tagged-template-object-collect.js:
1041
1042 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1043
1044         Unreviewed, skip the test on platforms without sampling profiler
1045
1046         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1047         (platformSupportsSamplingProfiler.foo):
1048         (platformSupportsSamplingProfiler.test):
1049         (platformSupportsSamplingProfiler):
1050         (foo): Deleted.
1051         (test): Deleted.
1052
1053 2019-02-17  Saam Barati  <sbarati@apple.com>
1054
1055         Deadlock when adding a Structure property transition and then doing incremental marking
1056         https://bugs.webkit.org/show_bug.cgi?id=194767
1057
1058         Reviewed by Mark Lam.
1059
1060         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1061
1062 2019-02-15  Michael Saboff  <msaboff@apple.com>
1063
1064         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1065         https://bugs.webkit.org/show_bug.cgi?id=194558
1066
1067         Reviewed by Saam Barati.
1068
1069         New regression test.
1070
1071         * stress/regexp-unicode-within-string.js: Added.
1072
1073 2019-02-15  Mark Lam  <mark.lam@apple.com>
1074
1075         SamplingProfiler::stackTracesAsJSON() should escape strings.
1076         https://bugs.webkit.org/show_bug.cgi?id=194649
1077         <rdar://problem/48072386>
1078
1079         Reviewed by Saam Barati.
1080
1081         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1082         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1083         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1084         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1085
1086 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1087         CodeBlock::jettison should clear related watchpoints
1088         https://bugs.webkit.org/show_bug.cgi?id=194544
1089
1090         Reviewed by Mark Lam.
1091
1092         * stress/regexp-replace-double-watchpoint.js: Added.
1093         (foo):
1094
1095 2019-02-15  Saam barati  <sbarati@apple.com>
1096
1097         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1098         https://bugs.webkit.org/show_bug.cgi?id=194036
1099
1100         Reviewed by Yusuke Suzuki.
1101
1102         * stress/tail-call-many-arguments.js: Added.
1103         (foo):
1104         (bar):
1105
1106 2019-02-14  Saam Barati  <sbarati@apple.com>
1107
1108         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1109         https://bugs.webkit.org/show_bug.cgi?id=194583
1110         <rdar://problem/48028140>
1111
1112         Reviewed by Yusuke Suzuki.
1113
1114         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1115
1116 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1117
1118         [JSC] String.fromCharCode's slow path always generates 16bit string
1119         https://bugs.webkit.org/show_bug.cgi?id=194466
1120
1121         Reviewed by Keith Miller.
1122
1123         * stress/string-from-char-code-slow-path.js: Added.
1124         (shouldBe):
1125         (testWithLength):
1126
1127 2019-02-08  Saam barati  <sbarati@apple.com>
1128
1129         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1130         https://bugs.webkit.org/show_bug.cgi?id=194334
1131         <rdar://problem/47844327>
1132
1133         Reviewed by Mark Lam.
1134
1135         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1136         (func):
1137
1138 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1139
1140         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1141         https://bugs.webkit.org/show_bug.cgi?id=194369
1142         <rdar://problem/47813087>
1143
1144         Reviewed by Saam Barati.
1145
1146         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1147         (A):
1148
1149 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1150
1151         [JSC] PrivateName to PublicName hash table is wasteful
1152         https://bugs.webkit.org/show_bug.cgi?id=194277
1153
1154         Reviewed by Michael Saboff.
1155
1156         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1157
1158         * ChakraCore.yaml:
1159
1160 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1161
1162         [ARM] Test running out of executable memory
1163         https://bugs.webkit.org/show_bug.cgi?id=194285
1164
1165         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1166         executable memory otherwise.
1167
1168         * stress/class-subclassing-function.js:
1169
1170 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1171
1172         when lowering AssertNotEmpty, create the value before creating the patchpoint
1173         https://bugs.webkit.org/show_bug.cgi?id=194231
1174
1175         Reviewed by Saam Barati.
1176
1177         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1178         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1179         So even tiny changes to this test can change the path code taken.
1180
1181         * stress/assert-not-empty.js: Added.
1182         (foo):
1183
1184 2019-02-01  Mark Lam  <mark.lam@apple.com>
1185
1186         Remove invalid assertion in DFG's compileDoubleRep().
1187         https://bugs.webkit.org/show_bug.cgi?id=194130
1188         <rdar://problem/47699474>
1189
1190         Reviewed by Saam Barati.
1191
1192         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1193
1194 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1195
1196         Import latest Test262 updates.
1197
1198         Rubber-stamped by Keith Miller.
1199
1200         * test262.yaml: Deleted.
1201         * test262/config.yaml:
1202         * test262/expectations.yaml:
1203         * test262/latest-changes-summary.txt:
1204         * test262/test/:
1205         * test262/test262-Revision.txt:
1206
1207 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1208
1209         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1210         https://bugs.webkit.org/show_bug.cgi?id=194050
1211         <rdar://problem/47595592>
1212
1213         Reviewed by Yusuke Suzuki.
1214
1215         * stress/object-keys-osr-exit.js: Added.
1216         (foo):
1217         (catch):
1218
1219 2019-01-29  Mark Lam  <mark.lam@apple.com>
1220
1221         ValueRecovery::recover() should purify NaN values it recovers.
1222         https://bugs.webkit.org/show_bug.cgi?id=193978
1223         <rdar://problem/47625488>
1224
1225         Reviewed by Saam Barati.
1226
1227         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1228
1229 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1230
1231         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1232         https://bugs.webkit.org/show_bug.cgi?id=193713
1233
1234         * stress/try-get-by-id-should-spill-registers-dfg.js:
1235         (let.f.createBuiltin):
1236
1237 2019-01-28  Mark Lam  <mark.lam@apple.com>
1238
1239         ToString node actually does GC.
1240         https://bugs.webkit.org/show_bug.cgi?id=193920
1241         <rdar://problem/46695900>
1242
1243         Reviewed by Yusuke Suzuki.
1244
1245         * stress/dfg-to-string-on-int-does-gc.js: Added.
1246         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1247         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1248
1249 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1250
1251         [JSC] NativeErrorConstructor should not have own IsoSubspace
1252         https://bugs.webkit.org/show_bug.cgi?id=193713
1253
1254         Reviewed by Saam Barati.
1255
1256         Remove @Error use.
1257
1258         * stress/try-get-by-id-should-spill-registers-dfg.js:
1259         (let.f.createBuiltin):
1260
1261 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1262
1263         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1264         https://bugs.webkit.org/show_bug.cgi?id=190693
1265
1266         Reviewed by Michael Saboff.
1267
1268         * stress/regress-190693.js: Added.
1269         (truth):
1270         (assert):
1271         (shouldThrowInvalidConstAssignment):
1272         (taz):
1273
1274 2019-01-24  Saam Barati  <sbarati@apple.com>
1275
1276         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1277         https://bugs.webkit.org/show_bug.cgi?id=193751
1278         <rdar://problem/47280215>
1279
1280         Reviewed by Michael Saboff.
1281
1282         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1283         (let.thing):
1284         (foo.let.hello):
1285         (foo):
1286
1287 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1288
1289         [JSC] Reenable baseline JIT on mips
1290         https://bugs.webkit.org/show_bug.cgi?id=192983
1291
1292         Reviewed by Mark Lam.
1293
1294         Added a new test for a case that was triggering a RELEASE_ASSERT when
1295         testing.
1296         Disable some slow tests that were already disabled for arm and x86.
1297
1298         * stress/json-parse-big-object.js: Added.
1299         * stress/new-largeish-contiguous-array-with-size.js:
1300         * stress/op_add.js:
1301         * stress/op_bitand.js:
1302         * stress/op_bitor.js:
1303         * stress/op_bitxor.js:
1304         * stress/op_lshift-ConstVar.js:
1305         * stress/op_lshift-VarConst.js:
1306         * stress/op_lshift-VarVar.js:
1307         * stress/op_mod-ConstVar.js:
1308         * stress/op_mod-VarConst.js:
1309         * stress/op_mod-VarVar.js:
1310         * stress/op_mul-ConstVar.js:
1311         * stress/op_mul-VarConst.js:
1312         * stress/op_mul-VarVar.js:
1313         * stress/op_rshift-ConstVar.js:
1314         * stress/op_rshift-VarConst.js:
1315         * stress/op_rshift-VarVar.js:
1316         * stress/op_sub-ConstVar.js:
1317         * stress/op_sub-VarConst.js:
1318         * stress/op_sub-VarVar.js:
1319         * stress/op_urshift-ConstVar.js:
1320         * stress/op_urshift-VarConst.js:
1321         * stress/op_urshift-VarVar.js:
1322         * stress/sampling-profiler-richards.js:
1323         * stress/spread-forward-call-varargs-stack-overflow.js:
1324
1325 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1326
1327         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1328         https://bugs.webkit.org/show_bug.cgi?id=193711
1329         <rdar://problem/47250262>
1330
1331         Reviewed by Saam Barati.
1332
1333         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1334         (shouldBe):
1335         (foo):
1336         (bar):
1337         (baz):
1338
1339 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1340
1341         Unreviewed, fix initial global lexical binding epoch
1342         https://bugs.webkit.org/show_bug.cgi?id=193603
1343         <rdar://problem/47380869>
1344
1345         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1346         (f1.f2.f3.f4):
1347         (f1.f2.f3):
1348         (f1.f2):
1349         (f1):
1350
1351 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1352
1353         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1354         https://bugs.webkit.org/show_bug.cgi?id=193709
1355         <rdar://problem/47363838>
1356
1357         Unreviewed, rollout to watch the tests.
1358
1359         * stress/object-tostring-changed-proto.js: Removed.
1360         * stress/object-tostring-changed.js: Removed.
1361         * stress/object-tostring-misc.js: Removed.
1362         * stress/object-tostring-other.js: Removed.
1363         * stress/object-tostring-untyped.js: Removed.
1364
1365 2019-01-22  Saam Barati  <sbarati@apple.com>
1366
1367         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1368
1369         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1370         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1371         (testUncheckedLessThanZero):
1372         (testUncheckedLessThanOrEqualZero):
1373         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1374         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1375
1376 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1377
1378         [JSC] Invalidate old scope operations using global lexical binding epoch
1379         https://bugs.webkit.org/show_bug.cgi?id=193603
1380         <rdar://problem/47380869>
1381
1382         Reviewed by Saam Barati.
1383
1384         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1385         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1386         (shouldThrow):
1387         (bar):
1388         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1389         (shouldBe):
1390         (get1):
1391         (get2):
1392         (get1If):
1393         (get2If):
1394         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1395         (shouldThrow):
1396         (foo):
1397
1398 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1399
1400         Unreviewed, roll out r240220 due to date-format-xparb regression
1401         https://bugs.webkit.org/show_bug.cgi?id=193603
1402
1403         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1404         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1405         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1406         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1407
1408 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1409
1410         DoesGC rule is wrong for nodes with BigIntUse
1411         https://bugs.webkit.org/show_bug.cgi?id=193652
1412
1413         Reviewed by Saam Barati.
1414
1415         * stress/big-int-value-op-update-gc-rules.js: Added.
1416         (assert):
1417         (doesGCAdd):
1418         (doesGCSub):
1419         (doesGCDiv):
1420         (doesGCMul):
1421         (doesGCBitAnd):
1422         (doesGCBitOr):
1423         (doesGCBitXor):
1424
1425 2019-01-20  Saam Barati  <sbarati@apple.com>
1426
1427         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1428         https://bugs.webkit.org/show_bug.cgi?id=193644
1429         <rdar://problem/46209745>
1430
1431         Reviewed by Yusuke Suzuki.
1432
1433         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1434         (foo):
1435         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1436         (foo):
1437         (bar):
1438
1439 2019-01-20  Saam Barati  <sbarati@apple.com>
1440
1441         MovHint must merge NodeBytecodeUsesAsValue for its child
1442         https://bugs.webkit.org/show_bug.cgi?id=186916
1443         <rdar://problem/41396612>
1444
1445         Reviewed by Yusuke Suzuki.
1446
1447         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1448         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1449
1450 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1451
1452         [JSC] Invalidate old scope operations using global lexical binding epoch
1453         https://bugs.webkit.org/show_bug.cgi?id=193603
1454         <rdar://problem/47380869>
1455
1456         Reviewed by Saam Barati.
1457
1458         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1459         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1460         (shouldThrow):
1461         (bar):
1462         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1463         (shouldBe):
1464         (get1):
1465         (get2):
1466         (get1If):
1467         (get2If):
1468         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1469         (shouldThrow):
1470         (foo):
1471
1472 2019-01-17  Saam barati  <sbarati@apple.com>
1473
1474         StringObjectUse should not be a structure check for the original string object structure
1475         https://bugs.webkit.org/show_bug.cgi?id=193483
1476         <rdar://problem/47280522>
1477
1478         Reviewed by Yusuke Suzuki.
1479
1480         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1481         (foo):
1482         (a.valueOf.0):
1483
1484 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1485
1486         [JSC] ToThis omission in DFGByteCodeParser is wrong
1487         https://bugs.webkit.org/show_bug.cgi?id=193513
1488         <rdar://problem/45842236>
1489
1490         Reviewed by Saam Barati.
1491
1492         * stress/to-this-omission-with-different-strict-modes.js: Added.
1493         (thisA):
1494         (thisAStrictWrapper):
1495
1496 2019-01-15  Mark Lam  <mark.lam@apple.com>
1497
1498         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1499         https://bugs.webkit.org/show_bug.cgi?id=193423
1500         <rdar://problem/46209355>
1501
1502         Reviewed by Saam Barati.
1503
1504         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1505         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1506         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1507         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1508
1509 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1510
1511         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1512         https://bugs.webkit.org/show_bug.cgi?id=193438
1513         <rdar://problem/45581249>
1514
1515         Reviewed by Saam Barati and Keith Miller.
1516
1517         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1518         Then, GetByVal(String) crashed.
1519
1520         * stress/string-get-by-val-lowering.js: Added.
1521         (shouldBe):
1522         (test):
1523         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1524         (Hello):
1525         (foo):
1526
1527 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1528
1529         Unreviewed, skip JIT tests if it's not enabled
1530
1531         * stress/bit-op-with-object-returning-int32.js:
1532
1533 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1534
1535         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1536         https://bugs.webkit.org/show_bug.cgi?id=192966
1537
1538         Reviewed by Yusuke Suzuki.
1539
1540         * stress/bit-op-with-object-returning-int32.js: Added.
1541
1542 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1543
1544         Skip a slow test and a flakey test on arm
1545
1546         Unreviewed gardening.
1547
1548         * typeProfiler/getter-richards.js:
1549         this test always times out, it used to be always skipped on arm and
1550         mips, but got accidentally enabled by r237919 now that we have DFG on
1551         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1552
1553 2019-01-14  Keith Miller  <keith_miller@apple.com>
1554
1555         Skip type-check-hoisting-phase-hoist... with no jit
1556         https://bugs.webkit.org/show_bug.cgi?id=193421
1557
1558         Reviewed by Mark Lam.
1559
1560         It's timing out the 32-bit bots and takes 330 seconds
1561         on my machine when run by itself.
1562
1563         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1564
1565 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1566
1567         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1568         https://bugs.webkit.org/show_bug.cgi?id=193413
1569         <rdar://problem/46092389>
1570
1571         Reviewed by Keith Miller.
1572
1573         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1574         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1575         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1576         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1577
1578         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1579         (compareArray):
1580
1581 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1582
1583         [BigInt] Literal parsing is crashing when used inside a Object Literal
1584         https://bugs.webkit.org/show_bug.cgi?id=193404
1585
1586         Reviewed by Yusuke Suzuki.
1587
1588         * stress/big-int-literal-inside-literal-object.js: Added.
1589
1590 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1591
1592         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1593         https://bugs.webkit.org/show_bug.cgi?id=193372
1594
1595         Reviewed by Saam Barati.
1596
1597         * stress/typed-array-array-modes-profile.js: Added.
1598         (foo):
1599
1600 2019-01-14  Mark Lam  <mark.lam@apple.com>
1601
1602         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1603         https://bugs.webkit.org/show_bug.cgi?id=193402
1604         <rdar://problem/46012309>
1605
1606         Reviewed by Keith Miller.
1607
1608         * stress/regexp-compile-oom.js:
1609         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1610           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1611
1612 2019-01-11  Saam barati  <sbarati@apple.com>
1613
1614         DFG combined liveness can be wrong for terminal basic blocks
1615         https://bugs.webkit.org/show_bug.cgi?id=193304
1616         <rdar://problem/45268632>
1617
1618         Reviewed by Yusuke Suzuki.
1619
1620         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1621
1622 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1623
1624         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1625         https://bugs.webkit.org/show_bug.cgi?id=193308
1626         <rdar://problem/45546542>
1627
1628         Reviewed by Saam Barati.
1629
1630         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1631         (shouldThrow):
1632         (shouldBe):
1633         (foo):
1634         (get shouldThrow):
1635         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1636         (shouldThrow):
1637         (shouldBe):
1638         (foo):
1639         (get shouldBe):
1640         (get shouldThrow):
1641         (get return):
1642         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1643         (shouldThrow):
1644         (shouldBe):
1645         (foo):
1646         (get shouldBe):
1647         (get shouldThrow):
1648         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1649         (shouldThrow):
1650         (shouldBe):
1651         (foo):
1652         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1653         (shouldThrow):
1654         (shouldBe):
1655         (foo):
1656         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1657         (shouldThrow):
1658         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1659         (shouldThrow):
1660         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1661         (shouldThrow):
1662         (shouldBe):
1663         (foo):
1664         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1665         (shouldThrow):
1666         (shouldBe):
1667         (foo):
1668         (get shouldBe):
1669         (get shouldThrow):
1670         (get return):
1671         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1672         (shouldThrow):
1673         (shouldBe):
1674         (foo):
1675         (get shouldBe):
1676         (get shouldThrow):
1677         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1678         (shouldThrow):
1679         (shouldBe):
1680         (foo):
1681         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1682         (shouldThrow):
1683         (shouldBe):
1684         (foo):
1685
1686 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1687
1688         Enable DFG on ARM/Linux again
1689         https://bugs.webkit.org/show_bug.cgi?id=192496
1690
1691         Reviewed by Yusuke Suzuki.
1692
1693         Test wasn't really skipped before moving the line with skip
1694         to the top.
1695
1696         * stress/regress-192717.js:
1697
1698 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1699
1700         Unreviewed, rolling out r239825.
1701         https://bugs.webkit.org/show_bug.cgi?id=193330
1702
1703         Broke tests on armv7/linux bots (Requested by guijemont on
1704         #webkit).
1705
1706         Reverted changeset:
1707
1708         "Enable DFG on ARM/Linux again"
1709         https://bugs.webkit.org/show_bug.cgi?id=192496
1710         https://trac.webkit.org/changeset/239825
1711
1712 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1713
1714         Enable DFG on ARM/Linux again
1715         https://bugs.webkit.org/show_bug.cgi?id=192496
1716
1717         Reviewed by Yusuke Suzuki.
1718
1719         Test wasn't really skipped before moving the line with skip
1720         to the top.
1721
1722         * stress/regress-192717.js:
1723
1724 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1725
1726         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1727         https://bugs.webkit.org/show_bug.cgi?id=193127
1728
1729         Reviewed by Saam Barati.
1730
1731         * stress/array-species-create-should-handle-masquerader.js: Added.
1732         (shouldThrow):
1733         * stress/is-undefined-or-null-builtin.js: Added.
1734         (shouldBe):
1735         (isUndefinedOrNull.vm.createBuiltin):
1736
1737 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1738
1739         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1740         https://bugs.webkit.org/show_bug.cgi?id=193221
1741
1742         Reviewed by Mark Lam.
1743
1744         * stress/put-by-id-flags.js: Added.
1745         (f):
1746         (g):
1747         (numberOfDFGCompiles):
1748
1749 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1750
1751         Baseline version of get_by_id may corrupt metadata
1752         https://bugs.webkit.org/show_bug.cgi?id=193085
1753         <rdar://problem/23453006>
1754
1755         Reviewed by Saam Barati.
1756
1757         * stress/get-by-id-change-mode.js: Added.
1758         (forEach):
1759
1760 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1761
1762         [JSC] Optimize Object.prototype.toString
1763         https://bugs.webkit.org/show_bug.cgi?id=193031
1764
1765         Reviewed by Saam Barati.
1766
1767         * stress/object-tostring-changed-proto.js: Added.
1768         (shouldBe):
1769         (test):
1770         * stress/object-tostring-changed.js: Added.
1771         (shouldBe):
1772         (test):
1773         * stress/object-tostring-misc.js: Added.
1774         (shouldBe):
1775         (test):
1776         (i.switch):
1777         * stress/object-tostring-other.js: Added.
1778         (shouldBe):
1779         (test):
1780         * stress/object-tostring-untyped.js: Added.
1781         (shouldBe):
1782         (test):
1783         (i.switch):
1784
1785 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1786
1787         test262-runner misbehaves when test file YAML has a trailing space
1788         https://bugs.webkit.org/show_bug.cgi?id=193053
1789
1790         Reviewed by Yusuke Suzuki.
1791
1792         * test262/expectations.yaml:
1793         Mark two dozen tests as passing (and correct the output of another).
1794
1795 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1796
1797         Unreviewed, JSTests gardening with memoryLimited
1798
1799         * stress/string-overflow-createError.js:
1800
1801 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1802
1803         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1804         https://bugs.webkit.org/show_bug.cgi?id=193050
1805
1806         Reviewed by Yusuke Suzuki.
1807
1808         * test262.yaml:
1809         * test262/expectations.yaml:
1810         Mark 16 tests as passing.
1811
1812 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1813
1814         [BigInt] Support BigInt in JSON.stringify
1815         https://bugs.webkit.org/show_bug.cgi?id=192624
1816
1817         Reviewed by Saam Barati.
1818
1819         * stress/big-int-json-stringify-to-json.js: Added.
1820         (shouldBe):
1821         (shouldThrow):
1822         (BigInt.prototype.toJSON):
1823         (shouldBe.JSON.stringify):
1824         * stress/big-int-json-stringify.js: Added.
1825         (shouldBe):
1826         (shouldThrow):
1827
1828 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1829
1830         [JSC] Implement "well-formed JSON.stringify" proposal
1831         https://bugs.webkit.org/show_bug.cgi?id=191677
1832
1833         Reviewed by Darin Adler.
1834
1835         * stress/json-surrogate-pair.js: Added.
1836         (shouldBe):
1837         * test262/expectations.yaml:
1838
1839 2018-12-20  Keith Miller  <keith_miller@apple.com>
1840
1841         Add support for globalThis
1842         https://bugs.webkit.org/show_bug.cgi?id=165171
1843
1844         Reviewed by Mark Lam.
1845
1846         * test262/config.yaml:
1847
1848 2018-12-19  Keith Miller  <keith_miller@apple.com>
1849
1850         Update test262 configuration to not run tests dependent on ICU version.
1851         https://bugs.webkit.org/show_bug.cgi?id=192920
1852
1853         Reviewed by Saam Barati.
1854
1855         * test262/expectations.yaml:
1856
1857 2018-12-20  Mark Lam  <mark.lam@apple.com>
1858
1859         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1860         https://bugs.webkit.org/show_bug.cgi?id=192939
1861         <rdar://problem/46869516>
1862
1863         Reviewed by Keith Miller.
1864
1865         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1866
1867 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1868
1869         WTF::String and StringImpl overflow MaxLength
1870         https://bugs.webkit.org/show_bug.cgi?id=192853
1871         <rdar://problem/45726906>
1872
1873         Reviewed by Mark Lam.
1874
1875         * stress/string-16bit-repeat-overflow.js: Added.
1876         (catch):
1877
1878 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1879
1880         Unreviewed follow-up to r192914.
1881
1882         * test262/expectations.yaml:
1883         Add the last 20 missing expectations.
1884
1885 2018-12-19  Keith Miller  <keith_miller@apple.com>
1886
1887         Fix test262 expectations
1888         https://bugs.webkit.org/show_bug.cgi?id=192914
1889
1890         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1891
1892         * test262/expectations.yaml:
1893
1894 2018-12-19  Keith Miller  <keith_miller@apple.com>
1895
1896         Update test262 tests.
1897         https://bugs.webkit.org/show_bug.cgi?id=192907
1898
1899         Rubber stamped by Mark Lam.
1900
1901         * test262/*: Omitted because prepare-changelog crashes.
1902
1903 2018-12-19  Mark Lam  <mark.lam@apple.com>
1904
1905         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1906         https://bugs.webkit.org/show_bug.cgi?id=192464
1907         <rdar://problem/46519455>
1908
1909         Reviewed by Saam Barati.
1910
1911         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1912         microbenchmark.
1913
1914         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1915         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1916
1917 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1918
1919         String overflow in JSC::createError results in ASSERT in WTF::makeString
1920         https://bugs.webkit.org/show_bug.cgi?id=192833
1921         <rdar://problem/45706868>
1922
1923         Reviewed by Mark Lam.
1924
1925         * stress/string-overflow-createError.js: Added.
1926
1927 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1928
1929         Error message for `-x ** y` contains a typo.
1930         https://bugs.webkit.org/show_bug.cgi?id=192832
1931
1932         Reviewed by Saam Barati.
1933
1934         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1935         (assert.assert.return.throws):
1936         * stress/pow-expects-update-expression-on-lhs.js:
1937         (throw.new.Error):
1938         Update test expectations which match against the exact error message.
1939
1940 2018-12-18  Mark Lam  <mark.lam@apple.com>
1941
1942         Gardening: test options fix.
1943         https://bugs.webkit.org/show_bug.cgi?id=192822
1944
1945         Unreviewed.
1946
1947         * stress/json-stringify-string-builder-overflow.js:
1948
1949 2018-12-18  Mark Lam  <mark.lam@apple.com>
1950
1951         JSON.stringify() should throw OOM on StringBuilder overflows.
1952         https://bugs.webkit.org/show_bug.cgi?id=192822
1953         <rdar://problem/46670577>
1954
1955         Reviewed by Saam Barati.
1956
1957         * stress/json-stringify-string-builder-overflow.js: Added.
1958
1959 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1960
1961         Redeclaration of var over let/const/class should be a syntax error.
1962         https://bugs.webkit.org/show_bug.cgi?id=192298
1963
1964         Reviewed by Keith Miller.
1965
1966         * test262.yaml:
1967         * test262/expectations.yaml:
1968         Mark 46 tests as passing.
1969
1970         * stress/block-scope-redeclarations.js:
1971         Add some new tests.
1972
1973         * stress/for-in-invalidate-context-weird-assignments.js:
1974         * stress/for-in-tests.js:
1975         Replace tests for outdated behavior with tests for SyntaxError.
1976
1977         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1978         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1979         Update expectations.
1980
1981 2018-12-18  Mark Lam  <mark.lam@apple.com>
1982
1983         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1984         https://bugs.webkit.org/show_bug.cgi?id=191374
1985         <rdar://problem/46525447>
1986
1987         Reviewed by Yusuke Suzuki.
1988
1989         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1990
1991         * stress/elidable-new-object-roflcopter-then-exit.js:
1992
1993 2018-12-17  Mark Lam  <mark.lam@apple.com>
1994
1995         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1996         https://bugs.webkit.org/show_bug.cgi?id=192019
1997         <rdar://problem/46525456>
1998
1999         Reviewed by Yusuke Suzuki.
2000
2001         The test runs too slow on 32-bit.
2002
2003         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2004
2005 2018-12-17  Mark Lam  <mark.lam@apple.com>
2006
2007         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2008         https://bugs.webkit.org/show_bug.cgi?id=191373
2009         <rdar://problem/46525458>
2010
2011         Reviewed by Yusuke Suzuki.
2012
2013         The test is already slow running with a JIT on 64-bit.  It will always time out
2014         on 32-bit without a JIT.
2015
2016         * stress/materialize-regexp-cyclic-regexp.js:
2017
2018 2018-12-17  Mark Lam  <mark.lam@apple.com>
2019
2020         Array unshift/shift should not race against the AI in the compiler thread.
2021         https://bugs.webkit.org/show_bug.cgi?id=192795
2022         <rdar://problem/46724263>
2023
2024         Reviewed by Saam Barati.
2025
2026         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2027
2028 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2029
2030         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2031         https://bugs.webkit.org/show_bug.cgi?id=190047
2032
2033         Reviewed by Saam Barati.
2034
2035         * stress/object-keys-cached-zero.js: Added.
2036         (shouldBe):
2037         (test):
2038         * stress/object-keys-changed-attribute.js: Added.
2039         (shouldBe):
2040         (test):
2041         * stress/object-keys-changed-index.js: Added.
2042         (shouldBe):
2043         (test):
2044         * stress/object-keys-changed.js: Added.
2045         (shouldBe):
2046         (test):
2047         * stress/object-keys-indexed-non-cache.js: Added.
2048         (shouldBe):
2049         (test):
2050         * stress/object-keys-overrides-get-property-names.js: Added.
2051         (shouldBe):
2052         (test):
2053         (noInline):
2054
2055 2018-12-17  Mark Lam  <mark.lam@apple.com>
2056
2057         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2058         https://bugs.webkit.org/show_bug.cgi?id=192779
2059         <rdar://problem/46775869>
2060
2061         Reviewed by Saam Barati.
2062
2063         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2064
2065 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2066
2067         Unreviewed test gardening, address a syntax error in a new test.
2068
2069         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2070
2071 2018-12-17  Mark Lam  <mark.lam@apple.com>
2072
2073         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2074         https://bugs.webkit.org/show_bug.cgi?id=192776
2075         <rdar://problem/46772368>
2076
2077         Reviewed by Keith Miller.
2078
2079         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2080
2081 2018-12-17  Mark Lam  <mark.lam@apple.com>
2082
2083         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2084         https://bugs.webkit.org/show_bug.cgi?id=192770
2085         <rdar://problem/46449037>
2086
2087         Reviewed by Keith Miller.
2088
2089         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2090
2091 2018-12-14  Mark Lam  <mark.lam@apple.com>
2092
2093         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2094         https://bugs.webkit.org/show_bug.cgi?id=192717
2095         <rdar://problem/46660677>
2096
2097         Reviewed by Saam Barati.
2098
2099         * stress/regress-192717.js: Added.
2100
2101 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2102
2103         Unreviewed, rolling out r239153, r239154, and r239155.
2104         https://bugs.webkit.org/show_bug.cgi?id=192715
2105
2106         Caused flaky GC-related crashes seen with layout tests
2107         (Requested by ryanhaddad on #webkit).
2108
2109         Reverted changesets:
2110
2111         "[JSC] Optimize Object.keys by caching own keys results in
2112         StructureRareData"
2113         https://bugs.webkit.org/show_bug.cgi?id=190047
2114         https://trac.webkit.org/changeset/239153
2115
2116         "Unreviewed, build fix after r239153"
2117         https://bugs.webkit.org/show_bug.cgi?id=190047
2118         https://trac.webkit.org/changeset/239154
2119
2120         "Unreviewed, build fix after r239153, part 2"
2121         https://bugs.webkit.org/show_bug.cgi?id=190047
2122         https://trac.webkit.org/changeset/239155
2123
2124 2018-12-14  Keith Miller  <keith_miller@apple.com>
2125
2126         Callers of JSString::getIndex should check for OOM exceptions
2127         https://bugs.webkit.org/show_bug.cgi?id=192709
2128
2129         Reviewed by Mark Lam.
2130
2131         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2132
2133 2018-12-13  Mark Lam  <mark.lam@apple.com>
2134
2135         Add a missing exception check.
2136         https://bugs.webkit.org/show_bug.cgi?id=192626
2137         <rdar://problem/46662163>
2138
2139         Reviewed by Keith Miller.
2140
2141         * stress/regress-192626.js: Added.
2142
2143 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2144
2145         [BigInt] Add ValueDiv into DFG
2146         https://bugs.webkit.org/show_bug.cgi?id=186178
2147
2148         Reviewed by Yusuke Suzuki.
2149
2150         * stress/big-int-div-jit-osr.js: Added.
2151         * stress/big-int-div-jit-untyped.js: Added.
2152         * stress/value-div-fixup-int32-big-int.js: Added.
2153
2154 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2155
2156         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2157         https://bugs.webkit.org/show_bug.cgi?id=190047
2158
2159         Reviewed by Keith Miller.
2160
2161         * stress/object-keys-cached-zero.js: Added.
2162         (shouldBe):
2163         (test):
2164         * stress/object-keys-changed-attribute.js: Added.
2165         (shouldBe):
2166         (test):
2167         * stress/object-keys-changed-index.js: Added.
2168         (shouldBe):
2169         (test):
2170         * stress/object-keys-changed.js: Added.
2171         (shouldBe):
2172         (test):
2173         * stress/object-keys-indexed-non-cache.js: Added.
2174         (shouldBe):
2175         (test):
2176         * stress/object-keys-overrides-get-property-names.js: Added.
2177         (shouldBe):
2178         (test):
2179         (noInline):
2180
2181 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2182
2183         [DFG][FTL] Add NewSymbol
2184         https://bugs.webkit.org/show_bug.cgi?id=192620
2185
2186         Reviewed by Saam Barati.
2187
2188         * microbenchmarks/symbol-creation.js: Added.
2189         (test):
2190         * stress/symbol-description-identity.js: Added.
2191         (shouldBe):
2192         (test):
2193         * stress/symbol-identity.js: Added.
2194         (shouldBe):
2195         (test):
2196         * stress/symbol-with-description-throw-error.js: Added.
2197         (shouldBe):
2198         (shouldThrow):
2199         (test):
2200         (object.toString):
2201
2202 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2203
2204         [BigInt] Implement DFG/FTL typeof for BigInt
2205         https://bugs.webkit.org/show_bug.cgi?id=192619
2206
2207         Reviewed by Keith Miller.
2208
2209         * stress/big-int-boolean-proven-type.js: Added.
2210         (assert):
2211         (bool):
2212         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2213         (assert):
2214         (typeOf):
2215         (i.switch):
2216         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2217         (assert):
2218         (typeOf):
2219         * stress/big-int-type-of.js:
2220         (typeOf):
2221         (func):
2222
2223 2018-12-10  Mark Lam  <mark.lam@apple.com>
2224
2225         PropertyAttribute needs a CustomValue bit.
2226         https://bugs.webkit.org/show_bug.cgi?id=191993
2227         <rdar://problem/46264467>
2228
2229         Reviewed by Saam Barati.
2230
2231         * stress/regress-191993.js: Added.
2232
2233 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2234
2235         [BigInt] Add ValueMul into DFG
2236         https://bugs.webkit.org/show_bug.cgi?id=186175
2237
2238         Reviewed by Yusuke Suzuki.
2239
2240         * stress/big-int-mul-jit-osr.js: Added.
2241         * stress/big-int-mul-jit-untyped.js: Added.
2242         * stress/value-mul-fixup-int32-big-int.js: Added.
2243
2244 2018-12-06  Keith Miller  <keith_miller@apple.com>
2245
2246         stress/big-wasm-memory tests failing on 32-bit JSC bot
2247         https://bugs.webkit.org/show_bug.cgi?id=192020
2248
2249         Reviewed by Saam Barati.
2250
2251         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2252         the wasm stress tests if the WebAssembly object does not exist.
2253
2254         * stress/big-wasm-memory-grow-no-max.js:
2255         (test.foo):
2256         (test):
2257         (foo): Deleted.
2258         (catch): Deleted.
2259         * stress/big-wasm-memory-grow.js:
2260         (test.foo):
2261         (test):
2262         (foo): Deleted.
2263         (catch): Deleted.
2264         * stress/big-wasm-memory.js:
2265         (test.foo):
2266         (test):
2267         (foo): Deleted.
2268         (catch): Deleted.
2269
2270 2018-12-05  Mark Lam  <mark.lam@apple.com>
2271
2272         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2273         https://bugs.webkit.org/show_bug.cgi?id=192441
2274         <rdar://problem/46480355>
2275
2276         Reviewed by Saam Barati.
2277
2278         * stress/regress-192441.js: Added.
2279
2280 2018-12-04  Mark Lam  <mark.lam@apple.com>
2281
2282         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2283         https://bugs.webkit.org/show_bug.cgi?id=192386
2284         <rdar://problem/46445516>
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/regress-192386.js: Added.
2289
2290 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2291
2292         [ESNext][BigInt] Support logic operations
2293         https://bugs.webkit.org/show_bug.cgi?id=179903
2294
2295         Reviewed by Yusuke Suzuki.
2296
2297         * stress/big-int-branch-usage.js: Added.
2298         * stress/big-int-logical-and.js: Added.
2299         * stress/big-int-logical-not.js: Added.
2300         * stress/big-int-logical-or.js: Added.
2301
2302 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2303
2304         Unreviewed, rolling out r238833.
2305
2306         Breaks macOS and iOS debug builds.
2307
2308         Reverted changeset:
2309
2310         "[ESNext][BigInt] Support logic operations"
2311         https://bugs.webkit.org/show_bug.cgi?id=179903
2312         https://trac.webkit.org/changeset/238833
2313
2314 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2315
2316         [ESNext][BigInt] Support logic operations
2317         https://bugs.webkit.org/show_bug.cgi?id=179903
2318
2319         Reviewed by Yusuke Suzuki.
2320
2321         * stress/big-int-branch-usage.js: Added.
2322         * stress/big-int-logical-and.js: Added.
2323         * stress/big-int-logical-not.js: Added.
2324         * stress/big-int-logical-or.js: Added.
2325
2326 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2327
2328         [ESNext][BigInt] Implement support for "<<" and ">>"
2329         https://bugs.webkit.org/show_bug.cgi?id=186233
2330
2331         Reviewed by Yusuke Suzuki.
2332
2333         * stress/big-int-left-shift-general.js: Added.
2334         * stress/big-int-left-shift-range-error.js: Added.
2335         * stress/big-int-left-shift-type-error.js: Added.
2336         * stress/big-int-left-shift-wrapped-value.js: Added.
2337         * stress/big-int-right-shift-general.js: Added.
2338         * stress/big-int-right-shift-type-error.js: Added.
2339         * stress/big-int-right-shift-wrapped-value.js: Added.
2340         * stress/left-shift-to-primitive-precedence.js: Added.
2341         * stress/right-shift-to-primitive-precedence.js: Added.
2342
2343 2018-11-30  Dean Jackson  <dino@apple.com>
2344
2345         Add first-class support for .mjs files in jsc binary
2346         https://bugs.webkit.org/show_bug.cgi?id=192190
2347         <rdar://problem/46375715>
2348
2349         Reviewed by Keith Miller.
2350
2351         * stress/simple-module.mjs: Added.
2352         * stress/simple-script.js: Added.
2353
2354 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2355
2356         [BigInt] Implement ValueBitXor into DFG
2357         https://bugs.webkit.org/show_bug.cgi?id=190264
2358
2359         Reviewed by Yusuke Suzuki.
2360
2361         * stress/big-int-bitwise-xor-jit.js: Added.
2362         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2363         * stress/big-int-bitwise-xor-untyped.js: Added.
2364
2365 2018-11-27  Saam barati  <sbarati@apple.com>
2366
2367         r238510 broke scopes of size zero
2368         https://bugs.webkit.org/show_bug.cgi?id=192033
2369         <rdar://problem/46281734>
2370
2371         Reviewed by Keith Miller.
2372
2373         * stress/r238510-bad-loop.js: Added.
2374         (foo):
2375
2376 2018-11-27  Mark Lam  <mark.lam@apple.com>
2377
2378         [Re-landing] NaNs read from Wasm code need to be purified.
2379         https://bugs.webkit.org/show_bug.cgi?id=191056
2380         <rdar://problem/45660341>
2381
2382         Reviewed by Filip Pizlo.
2383
2384         * wasm/regress/regress-191056.js: Added.
2385
2386 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2387
2388         Unreviewed, rolling out r238509.
2389
2390         Causes JSC tests to fail on iOS.
2391
2392         Reverted changeset:
2393
2394         "NaNs read from Wasm code need to be purified."
2395         https://bugs.webkit.org/show_bug.cgi?id=191056
2396         https://trac.webkit.org/changeset/238509
2397
2398 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2399
2400         Re-introduce op_bitnot
2401         https://bugs.webkit.org/show_bug.cgi?id=190923
2402
2403         Reviewed by Yusuke Suzuki.
2404
2405         * stress/bit-not-must-generate.js: Added.
2406         * stress/bitwise-not-no-int32.js: Added.
2407
2408 2018-11-26  Saam barati  <sbarati@apple.com>
2409
2410         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2411         https://bugs.webkit.org/show_bug.cgi?id=191956
2412         <rdar://problem/45665806>
2413
2414         Reviewed by Yusuke Suzuki.
2415
2416         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2417         (bar):
2418         (foo):
2419
2420 2018-11-26  Saam barati  <sbarati@apple.com>
2421
2422         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2423         https://bugs.webkit.org/show_bug.cgi?id=191958
2424         <rdar://problem/46221877>
2425
2426         Reviewed by Yusuke Suzuki.
2427
2428         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2429         (x):
2430         (foo):
2431
2432 2018-11-26  Mark Lam  <mark.lam@apple.com>
2433
2434         NaNs read from Wasm code need to be purified.
2435         https://bugs.webkit.org/show_bug.cgi?id=191056
2436         <rdar://problem/45660341>
2437
2438         Reviewed by Filip Pizlo.
2439
2440         * wasm/regress/regress-191056.js: Added.
2441
2442 2018-11-26  Michael Saboff  <msaboff@apple.com>
2443
2444         32-bit JSC test failure: stress/regexp-compile-oom.js
2445         https://bugs.webkit.org/show_bug.cgi?id=191375
2446
2447         Reviewed by Mark Lam.
2448
2449         Disabled the test for 32 bit platforms.
2450
2451         * stress/regexp-compile-oom.js:
2452
2453 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2454
2455         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2456         https://bugs.webkit.org/show_bug.cgi?id=191716
2457         <rdar://problem/45723878>
2458
2459         Reviewed by Saam Barati.
2460
2461         * stress/regress-187373.js: Added.
2462         (async.fn):
2463
2464 2018-11-21  Saam barati  <sbarati@apple.com>
2465
2466         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2467         https://bugs.webkit.org/show_bug.cgi?id=191897
2468         <rdar://problem/45871998>
2469
2470         Reviewed by Mark Lam.
2471
2472         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2473         (bar):
2474         (foo):
2475
2476 2018-11-21  Saam barati  <sbarati@apple.com>
2477
2478         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2479         https://bugs.webkit.org/show_bug.cgi?id=191895
2480         <rdar://problem/46167406>
2481
2482         Reviewed by Mark Lam.
2483
2484         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2485         (foo):
2486         (bar):
2487
2488 2018-11-21  Mark Lam  <mark.lam@apple.com>
2489
2490         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2491         https://bugs.webkit.org/show_bug.cgi?id=191776
2492         <rdar://problem/46152851>
2493
2494         Reviewed by Saam Barati.
2495
2496         * stress/big-wasm-memory-grow-no-max.js:
2497         * stress/big-wasm-memory-grow.js:
2498         * stress/big-wasm-memory.js:
2499         - updated these to expect an OutOfMemoryError.
2500
2501         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2502         (Binary.prototype.emit_u8):
2503         (Binary.prototype.emit_u32v):
2504         (Binary.prototype.emit_header):
2505         (Binary.prototype.emit_section):
2506         (Binary):
2507         (WasmModuleBuilder):
2508         (WasmModuleBuilder.prototype.addMemory):
2509         (WasmModuleBuilder.prototype.toArray):
2510         (WasmModuleBuilder.prototype.toBuffer):
2511         (WasmModuleBuilder.prototype.instantiate):
2512         (catch):
2513         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2514         (catch):
2515
2516 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2517
2518         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2519         https://bugs.webkit.org/show_bug.cgi?id=190836
2520
2521         Reviewed by Saam Barati and Yusuke Suzuki.
2522
2523         * stress/big-int-out-of-memory-tests.js: Added.
2524
2525 2018-11-20  Mark Lam  <mark.lam@apple.com>
2526
2527         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2528         https://bugs.webkit.org/show_bug.cgi?id=191856
2529         <rdar://problem/46089992>
2530
2531         Reviewed by Yusuke Suzuki.
2532
2533         * stress/regress-191856.js: Added.
2534         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2535
2536 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2537
2538         Enable JIT on ARM/Linux
2539         https://bugs.webkit.org/show_bug.cgi?id=191548
2540
2541         Reviewed by Yusuke Suzuki.
2542
2543         Disable test on system with limited memory. Program was killed by
2544         the OS before the exception was thrown.
2545
2546         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2547
2548 2018-11-20  Saam barati  <sbarati@apple.com>
2549
2550         Merging an IC variant may lead to the IC status containing overlapping structure sets
2551         https://bugs.webkit.org/show_bug.cgi?id=191869
2552         <rdar://problem/45403453>
2553
2554         Reviewed by Mark Lam.
2555
2556         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2557
2558 2018-11-19  Mark Lam  <mark.lam@apple.com>
2559
2560         globalFuncImportModule() should return a promise when it clears exceptions.
2561         https://bugs.webkit.org/show_bug.cgi?id=191792
2562         <rdar://problem/46090763>
2563
2564         Reviewed by Michael Saboff.
2565
2566         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2567
2568 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2569
2570         Skip new memory-hungry tests on memory limited devices
2571
2572         Unreviewed gardening.
2573
2574         * stress/big-wasm-memory-grow-no-max.js:
2575         * stress/big-wasm-memory-grow.js:
2576         * stress/big-wasm-memory.js:
2577
2578 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2579
2580         Unreviewed, rolling in the rest of r237254
2581         https://bugs.webkit.org/show_bug.cgi?id=190340
2582
2583         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2584         * stress/function-cache-with-parameters-end-position.js: Added.
2585         (shouldBe):
2586         (shouldThrow):
2587         (i.anonymous):
2588         * stress/function-constructor-name.js: Added.
2589         (shouldBe):
2590         (GeneratorFunction):
2591         (AsyncFunction.async):
2592         (AsyncGeneratorFunction.async):
2593         (anonymous):
2594         (async.anonymous):
2595         * test262/expectations.yaml:
2596
2597 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2598
2599         All users of ArrayBuffer should agree on the same max size
2600         https://bugs.webkit.org/show_bug.cgi?id=191771
2601
2602         Reviewed by Mark Lam.
2603
2604         * stress/big-wasm-memory-grow-no-max.js: Added.
2605         (foo):
2606         (catch):
2607         * stress/big-wasm-memory-grow.js: Added.
2608         (foo):
2609         (catch):
2610         * stress/big-wasm-memory.js: Added.
2611         (foo):
2612         (catch):
2613
2614 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2615
2616         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2617         run for each JSC config since they're regression tests for runtime bugs.
2618
2619         * stress/json-stringified-overflow-2.js:
2620         * stress/json-stringified-overflow.js:
2621
2622 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2623
2624         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2625         config since they're regression tests for runtime bugs.
2626
2627         * stress/large-unshift-splice.js:
2628         * stress/regress-185888.js:
2629
2630 2018-11-16  Saam Barati  <sbarati@apple.com>
2631
2632         KnownCellUse should also have SpecCellCheck as its type filter
2633         https://bugs.webkit.org/show_bug.cgi?id=191729
2634         <rdar://problem/45872852>
2635
2636         Reviewed by Filip Pizlo.
2637
2638         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2639         (C):
2640
2641 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2642
2643         Fix assertion failure on BytecodeGenerator::recordOpcode
2644         https://bugs.webkit.org/show_bug.cgi?id=191724
2645         <rdar://problem/45724395>
2646
2647         Reviewed by Saam Barati.
2648
2649         * stress/regress-187373-2.js: Added.
2650         (foo):
2651
2652 2018-11-15  Mark Lam  <mark.lam@apple.com>
2653
2654         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2655         https://bugs.webkit.org/show_bug.cgi?id=191730
2656         <rdar://problem/46048517>
2657
2658         Reviewed by Saam Barati.
2659
2660         * stress/regress-187006.js: Removed.
2661           - this test is invalid because its sole purpose is to test for the non-spec
2662             compliant behavior that we just fixed.
2663
2664         * stress/regress-191730.js: Added.
2665
2666 2018-11-15  Mark Lam  <mark.lam@apple.com>
2667
2668         RegExp operations should not take fast path if lastIndex is not numeric.
2669         https://bugs.webkit.org/show_bug.cgi?id=191731
2670         <rdar://problem/46017305>
2671
2672         Reviewed by Saam Barati.
2673
2674         * stress/regress-191731.js: Added.
2675
2676 2018-11-13  Saam Barati  <sbarati@apple.com>
2677
2678         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2679         https://bugs.webkit.org/show_bug.cgi?id=191600
2680
2681         Reviewed by Mark Lam.
2682
2683         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2684         (foo):
2685         (test):
2686         (bar):
2687
2688 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2689
2690         Unreviewed, rolling out r238132.
2691
2692         The test added with this change is timing out on Debug JSC
2693         bots.
2694
2695         Reverted changeset:
2696
2697         "[BigInt] JSBigInt::createWithLength should throw when length
2698         is greater than JSBigInt::maxLength"
2699         https://bugs.webkit.org/show_bug.cgi?id=190836
2700         https://trac.webkit.org/changeset/238132
2701
2702 2018-11-13  Mark Lam  <mark.lam@apple.com>
2703
2704         Add OOM detection to StringPrototype's substituteBackreferences().
2705         https://bugs.webkit.org/show_bug.cgi?id=191563
2706         <rdar://problem/45720428>
2707
2708         Reviewed by Saam Barati.
2709
2710         * stress/regress-191563.js: Added.
2711
2712 2018-11-13  Mark Lam  <mark.lam@apple.com>
2713
2714         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2715         https://bugs.webkit.org/show_bug.cgi?id=191579
2716         <rdar://problem/45942472>
2717
2718         Reviewed by Saam Barati.
2719
2720         * stress/regress-191579.js: Added.
2721
2722 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2723
2724         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2725         https://bugs.webkit.org/show_bug.cgi?id=190836
2726
2727         Reviewed by Saam Barati.
2728
2729         * stress/big-int-out-of-memory-tests.js: Added.
2730
2731 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2732
2733         U+180E is no longer a whitespace character
2734         https://bugs.webkit.org/show_bug.cgi?id=191415
2735
2736         Reviewed by Saam Barati.
2737
2738         * ChakraCore/test/es5/regexSpace.baseline:
2739         * ChakraCore/test/es6/unicode_whitespace.js:
2740         Update tests to latest version.
2741         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2742
2743         * test262.yaml:
2744         * test262/config.yaml:
2745         * test262/expectations.yaml:
2746         Update expectations.
2747
2748 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2749
2750         [BigInt] Add support to BigInt into ValueAdd
2751         https://bugs.webkit.org/show_bug.cgi?id=186177
2752
2753         Reviewed by Keith Miller.
2754
2755         * stress/big-int-negate-jit.js:
2756         * stress/value-add-big-int-and-string.js: Added.
2757         * stress/value-add-big-int-prediction-propagation.js: Added.
2758         * stress/value-add-big-int-untyped.js: Added.
2759
2760 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2761
2762         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2763         https://bugs.webkit.org/show_bug.cgi?id=191184
2764
2765         Reviewed by Saam Barati.
2766
2767         Most tests were failing due to timeouts, since they are too slow to
2768         run on CLoop. The exceptions are:
2769
2770         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2771         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2772         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2773         to change the stack size since CLoop requires it to be page aligned.
2774
2775         * microbenchmarks/array-push-1.js:
2776         * microbenchmarks/array-push-2.js:
2777         * microbenchmarks/elidable-new-object-dag.js:
2778         * microbenchmarks/elidable-new-object-roflcopter.js:
2779         * microbenchmarks/elidable-new-object-tree.js:
2780         * microbenchmarks/getter-richards.js:
2781         * microbenchmarks/sinkable-new-object-dag.js:
2782         * microbenchmarks/string-concat-long-convert.js:
2783         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2784         * slowMicrobenchmarks/array-push-3.js:
2785         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2786         * slowMicrobenchmarks/spread-small-array.js:
2787         * slowMicrobenchmarks/undefined-property-access.js:
2788         * stress/activation-sink-default-value-tdz-error.js:
2789         * stress/activation-sink-default-value.js:
2790         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2791         * stress/activation-sink-osrexit-default-value.js:
2792         * stress/activation-sink-osrexit.js:
2793         * stress/activation-sink.js:
2794         * stress/allow-math-ic-b3-code-duplication.js:
2795         * stress/array-push-multiple-int32.js:
2796         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2797         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2798         * stress/arrowfunction-lexical-this-activation-sink.js:
2799         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2800         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2801         * stress/elide-new-object-dag-then-exit.js:
2802         * stress/materialize-regexp-cyclic.js:
2803         * stress/new-regex-inline.js:
2804         * stress/op_add.js:
2805         * stress/op_bitand.js:
2806         * stress/op_bitor.js:
2807         * stress/op_bitxor.js:
2808         * stress/op_div-ConstVar.js:
2809         * stress/op_div-VarConst.js:
2810         * stress/op_div-VarVar.js:
2811         * stress/op_lshift-ConstVar.js:
2812         * stress/op_lshift-VarConst.js:
2813         * stress/op_lshift-VarVar.js:
2814         * stress/op_mod-ConstVar.js:
2815         * stress/op_mod-VarConst.js:
2816         * stress/op_mod-VarVar.js:
2817         * stress/op_mul-ConstVar.js:
2818         * stress/op_mul-VarConst.js:
2819         * stress/op_mul-VarVar.js:
2820         * stress/op_rshift-ConstVar.js:
2821         * stress/op_rshift-VarConst.js:
2822         * stress/op_rshift-VarVar.js:
2823         * stress/op_sub-ConstVar.js:
2824         * stress/op_sub-VarConst.js:
2825         * stress/op_sub-VarVar.js:
2826         * stress/op_urshift-ConstVar.js:
2827         * stress/op_urshift-VarConst.js:
2828         * stress/op_urshift-VarVar.js:
2829         * stress/proxy-get-set-correct-receiver.js:
2830         * stress/regress-179562.js:
2831         * stress/rest-parameter-many-arguments.js:
2832         * stress/sampling-profiler-richards.js:
2833         * stress/splay-flash-access-1ms.js:
2834         * stress/tailCallForwardArguments.js:
2835         * stress/typed-array-get-by-val-profiling.js:
2836         * typeProfiler/getter-richards.js:
2837
2838 2018-11-06  Michael Saboff  <msaboff@apple.com>
2839
2840         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2841         https://bugs.webkit.org/show_bug.cgi?id=191271
2842
2843         Reviewed by Saam Barati.
2844
2845         Added more test cases and made all test cases run with the same deeply recursive stack
2846         instead of finding that same point for each test case.
2847
2848         * stress/regexp-compile-oom.js:
2849         (prototype.runTest):
2850         (recurseAndTest):
2851         (testList.push.new.TestAndExpectedException):
2852
2853 2018-11-05  Michael Saboff  <msaboff@apple.com>
2854
2855         Unreviewed build fix for linux.
2856
2857         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2858
2859 2018-11-02  Michael Saboff  <msaboff@apple.com>
2860
2861         Rolling in r237753 with unreviewed build fix.
2862
2863         Fixed issues with DECLARE_THROW_SCOPE placement.
2864
2865 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2866
2867         Unreviewed, rolling out r237753.
2868
2869         Introduced JSC test failures
2870
2871         Reverted changeset:
2872
2873         "Running out of stack space not properly handled in
2874         RegExp::compile() and its callers"
2875         https://bugs.webkit.org/show_bug.cgi?id=191206
2876         https://trac.webkit.org/changeset/237753
2877
2878 2018-11-02  Michael Saboff  <msaboff@apple.com>
2879
2880         Running out of stack space not properly handled in RegExp::compile() and its callers
2881         https://bugs.webkit.org/show_bug.cgi?id=191206
2882
2883         Reviewed by Filip Pizlo.
2884
2885         New regression test.
2886
2887         * stress/regexp-compile-oom.js: Added.
2888         (recurseAndTest):
2889
2890 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2891
2892         Skip tests on arm/mips that time out now we're running on CLoop
2893
2894         Unreviewed gardening.
2895
2896         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2897         time out on the bots and need to be disabled. There's more tests
2898         disabled on arm because the timeout is longer on the mips bot (as the
2899         device is slower to start with), so many of the tests don't time out
2900         there.
2901
2902         * microbenchmarks/getter-richards.js: disable on arm and mips.
2903         * stress/op_add.js: disable on arm.
2904         * stress/op_bitand.js: disable on arm.
2905         * stress/op_bitor.js: disable on arm.
2906         * stress/op_bitxor.js: disable on arm.
2907         * stress/op_lshift-ConstVar.js: disable on arm.
2908         * stress/op_lshift-VarConst.js: disable on arm.
2909         * stress/op_lshift-VarVar.js: disable on arm.
2910         * stress/op_mod-ConstVar.js: disable on arm.
2911         * stress/op_mod-VarConst.js: disable on arm.
2912         * stress/op_mod-VarVar.js: disable on arm.
2913         * stress/op_mul-ConstVar.js: disable on arm.
2914         * stress/op_mul-VarConst.js: disable on arm.
2915         * stress/op_mul-VarVar.js: disable on arm.
2916         * stress/op_rshift-ConstVar.js: disable on arm.
2917         * stress/op_rshift-VarConst.js: disable on arm.
2918         * stress/op_rshift-VarVar.js: disable on arm.
2919         * stress/op_sub-ConstVar.js: disable on arm.
2920         * stress/op_sub-VarConst.js: disable on arm.
2921         * stress/op_sub-VarVar.js: disable on arm.
2922         * stress/op_urshift-ConstVar.js: disable on arm.
2923         * stress/op_urshift-VarConst.js: disable on arm.
2924         * stress/op_urshift-VarVar.js: disable on arm.
2925         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2926         * stress/value-to-boolean.js: disable on arm and mips.
2927
2928 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2929
2930         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2931         https://bugs.webkit.org/show_bug.cgi?id=191108
2932         <rdar://problem/45690700>
2933
2934         Reviewed by Saam Barati.
2935
2936         * stress/wide-op_catch.js: Added.
2937         (catch):
2938
2939 2018-10-29  Mark Lam  <mark.lam@apple.com>
2940
2941         Correctly detect string overflow when using the 'Function' constructor.
2942         https://bugs.webkit.org/show_bug.cgi?id=184883
2943         <rdar://problem/36320331>
2944
2945         Reviewed by Saam Barati.
2946
2947         I've verified that this passes on 32-bit as well.
2948
2949         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2950
2951 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2952
2953         Add support for GetStack FlushedDouble
2954         https://bugs.webkit.org/show_bug.cgi?id=191012
2955         <rdar://problem/45265141>
2956
2957         Reviewed by Saam Barati.
2958
2959         * stress/get-stack-double.js: Added.
2960         (bar):
2961         (noInline):
2962
2963 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2964
2965         New bytecode format for JSC
2966         https://bugs.webkit.org/show_bug.cgi?id=187373
2967         <rdar://problem/44186758>
2968
2969         Reviewed by Filip Pizlo.
2970
2971         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2972
2973         * stress/maximum-inline-capacity.js: Added.
2974         (test1):
2975         (test3.Foo):
2976         (test3):
2977
2978 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2979
2980         Unreviewed, rolling out r237479 and r237484.
2981         https://bugs.webkit.org/show_bug.cgi?id=190978
2982
2983         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2984
2985         Reverted changesets:
2986
2987         "New bytecode format for JSC"
2988         https://bugs.webkit.org/show_bug.cgi?id=187373
2989         https://trac.webkit.org/changeset/237479
2990
2991         "Gardening: Build fix after r237479."
2992         https://bugs.webkit.org/show_bug.cgi?id=187373
2993         https://trac.webkit.org/changeset/237484
2994
2995 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2996
2997         New bytecode format for JSC
2998         https://bugs.webkit.org/show_bug.cgi?id=187373
2999         <rdar://problem/44186758>
3000
3001         Reviewed by Filip Pizlo.
3002
3003         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3004
3005         * stress/maximum-inline-capacity.js: Added.
3006         (test1):
3007         (test3.Foo):
3008         (test3):
3009
3010 2018-10-26  Mark Lam  <mark.lam@apple.com>
3011
3012         Fix missing edge cases with JSGlobalObjects having a bad time.
3013         https://bugs.webkit.org/show_bug.cgi?id=189028
3014         <rdar://problem/45204939>
3015
3016         Reviewed by Saam Barati.
3017
3018         * stress/regress-189028.js: Added.
3019
3020 2018-10-22  Mark Lam  <mark.lam@apple.com>
3021
3022         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3023         https://bugs.webkit.org/show_bug.cgi?id=190515
3024         <rdar://problem/45222379>
3025
3026         Rubber-stamped by Saam Barati.
3027
3028         Adding another test.
3029
3030         * stress/regress-190515-2.js: Added.
3031
3032 2018-10-22  Mark Lam  <mark.lam@apple.com>
3033
3034         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3035         https://bugs.webkit.org/show_bug.cgi?id=190515
3036         <rdar://problem/45222379>
3037
3038         Reviewed by Saam Barati.
3039
3040         * stress/regress-190515.js: Added.
3041
3042 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3043
3044         Unreviewed, rolling out r237254.
3045         https://bugs.webkit.org/show_bug.cgi?id=190760
3046
3047         "It regresses JetStream 2 by 5% on some iOS devices"
3048         (Requested by saamyjoon on #webkit).
3049
3050         Reverted changeset:
3051
3052         "[JSC] JSC should have "parseFunction" to optimize Function
3053         constructor"
3054         https://bugs.webkit.org/show_bug.cgi?id=190340
3055         https://trac.webkit.org/changeset/237254
3056
3057 2018-10-19  Saam Barati  <sbarati@apple.com>
3058
3059         vmCall should check if we exit before emitting an OSR exit due to exceptions
3060         https://bugs.webkit.org/show_bug.cgi?id=190740
3061         <rdar://problem/45220139>
3062
3063         Reviewed by Mark Lam.
3064
3065         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3066         (foo):
3067
3068 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3069
3070         [ESNext][BigInt] Implement support for "^"
3071         https://bugs.webkit.org/show_bug.cgi?id=186235
3072
3073         Reviewed by Yusuke Suzuki.
3074
3075         * stress/big-int-bitwise-xor-general.js: Added.
3076         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3077         * stress/big-int-bitwise-xor-type-error.js: Added.
3078         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3079
3080 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3081
3082         [BigInt] Add ValueSub into DFG
3083         https://bugs.webkit.org/show_bug.cgi?id=186176
3084
3085         Reviewed by Yusuke Suzuki.
3086
3087         * stress/big-int-subtraction-jit.js:
3088         * stress/value-sub-big-int-prediction-propagation.js: Added.
3089         * stress/value-sub-big-int-untyped.js: Added.
3090         * stress/value-sub-spec-none-case.js: Added.
3091
3092 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3093
3094         [JSC] JSC should have "parseFunction" to optimize Function constructor
3095         https://bugs.webkit.org/show_bug.cgi?id=190340
3096
3097         Reviewed by Mark Lam.
3098
3099         This patch fixes the line number of syntax errors raised by the Function constructor,
3100         since we now parse the final code only once. And we no longer use block statement
3101         for Function constructor's parsing.
3102
3103         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3104         * stress/function-cache-with-parameters-end-position.js: Added.
3105         (shouldBe):
3106         (shouldThrow):
3107         (i.anonymous):
3108         * stress/function-constructor-name.js: Added.
3109         (shouldBe):
3110         (GeneratorFunction):
3111         (AsyncFunction.async):
3112         (AsyncGeneratorFunction.async):
3113         (anonymous):
3114         (async.anonymous):
3115         * test262/expectations.yaml:
3116
3117 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3118
3119         Unreviewed, rolling out r237242.
3120         https://bugs.webkit.org/show_bug.cgi?id=190701
3121
3122         it breaks "stress/sampling-profiler-basic.js" (Requested by
3123         caiolima on #webkit).
3124
3125         Reverted changeset:
3126
3127         "[BigInt] Add ValueSub into DFG"
3128         https://bugs.webkit.org/show_bug.cgi?id=186176
3129         https://trac.webkit.org/changeset/237242
3130
3131 2018-10-17  Keith Miller  <keith_miller@apple.com>
3132
3133         AI does not clear Phantom allocation nodes.
3134         https://bugs.webkit.org/show_bug.cgi?id=190694
3135
3136         Reviewed by Saam Barati.
3137
3138         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3139         (Day):
3140         (DaysInYear):
3141         (TimeInYear):
3142         (TimeFromYear):
3143         (DayFromYear):
3144         (InLeapYear):
3145         (YearFromTime):
3146         (WeekDay):
3147         (DaylightSavingTA):
3148         (GetSecondSundayInMarch):
3149         (TimeInMonth):
3150
3151 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3152
3153         [BigInt] Add ValueSub into DFG
3154         https://bugs.webkit.org/show_bug.cgi?id=186176
3155
3156         Reviewed by Yusuke Suzuki.
3157
3158         * stress/big-int-subtraction-jit.js:
3159         * stress/value-sub-big-int-prediction-propagation.js: Added.
3160         * stress/value-sub-big-int-untyped.js: Added.
3161
3162 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3163
3164         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3165         https://bugs.webkit.org/show_bug.cgi?id=190611
3166
3167         Reviewed by Saam Barati.
3168
3169         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3170         to improve test runtime. On ARM/MIPS this test even timed out when running all
3171         tests.
3172
3173         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3174         (test):
3175
3176 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3177
3178         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3179
3180         Unreviewed gardening.
3181
3182         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3183
3184 2018-10-15  Saam barati  <sbarati@apple.com>
3185
3186         Emit fjcvtzs on ARM64E on Darwin
3187         https://bugs.webkit.org/show_bug.cgi?id=184023
3188
3189         Reviewed by Yusuke Suzuki and Filip Pizlo.
3190
3191         * stress/double-to-int32-NaN.js: Added.
3192         (assert):
3193         (foo):
3194
3195 2018-10-15  Saam Barati  <sbarati@apple.com>
3196
3197         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3198         https://bugs.webkit.org/show_bug.cgi?id=190262
3199         <rdar://problem/44986241>
3200
3201         Reviewed by Mark Lam.
3202
3203         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3204         (test):
3205         * stress/slice-array-storage-with-holes.js: Added.
3206         (main):
3207
3208 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3209
3210         Unreviewed, rolling out r237054.
3211         https://bugs.webkit.org/show_bug.cgi?id=190593
3212
3213         "this regressed JetStream 2 by 6% on iOS" (Requested by
3214         saamyjoon on #webkit).
3215
3216         Reverted changeset:
3217
3218         "[JSC] JSC should have "parseFunction" to optimize Function
3219         constructor"
3220         https://bugs.webkit.org/show_bug.cgi?id=190340
3221         https://trac.webkit.org/changeset/237054
3222
3223 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3224
3225         [JSC] JSON.stringify can accept call-with-no-arguments
3226         https://bugs.webkit.org/show_bug.cgi?id=190343
3227
3228         Reviewed by Mark Lam.
3229
3230         * stress/json-stringify-no-arguments.js: Added.
3231         (shouldBe):
3232
3233 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3234
3235         [JSC] JSC should have "parseFunction" to optimize Function constructor
3236         https://bugs.webkit.org/show_bug.cgi?id=190340
3237
3238         Reviewed by Mark Lam.
3239
3240         This patch fixes the line number of syntax errors raised by the Function constructor,
3241         since we now parse the final code only once. And we no longer use block statement
3242         for Function constructor's parsing.
3243
3244         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3245         * stress/function-cache-with-parameters-end-position.js: Added.
3246         (shouldBe):
3247         (shouldThrow):
3248         (i.anonymous):
3249         * stress/function-constructor-name.js: Added.
3250         (shouldBe):
3251         (GeneratorFunction):
3252         (AsyncFunction.async):
3253         (AsyncGeneratorFunction.async):
3254         (anonymous):
3255         (async.anonymous):
3256         * test262/expectations.yaml:
3257
3258 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3259
3260         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3261         https://bugs.webkit.org/show_bug.cgi?id=190426
3262
3263         Unreviewed gardening.
3264
3265         * stress/sampling-profiler-richards.js:
3266
3267 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3268
3269         [ESNext][BigInt] Implement support for "|"
3270         https://bugs.webkit.org/show_bug.cgi?id=186229
3271
3272         Reviewed by Yusuke Suzuki.
3273
3274         * stress/big-int-bitwise-and-jit.js:
3275         * stress/big-int-bitwise-or-general.js: Added.
3276         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3277         * stress/big-int-bitwise-or-jit.js: Added.
3278         * stress/big-int-bitwise-or-memory-stress.js: Added.
3279         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3280         * stress/big-int-bitwise-or-type-error.js: Added.
3281         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3282
3283 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3284
3285         Skip test on systems with limited memory
3286         https://bugs.webkit.org/show_bug.cgi?id=190310
3287
3288         Invoking runDefault adds test to runlist, skipping the test in the next
3289         line does not prevent the test from executing. Change order of lines such
3290         that runDefault is only executed if test is not executed.
3291
3292         Reviewed by Mark Lam.
3293
3294         * stress/regress-190187.js:
3295
3296 2018-10-03  Saam barati  <sbarati@apple.com>
3297
3298         lowXYZ in FTLLower should always filter the type of the incoming edge
3299         https://bugs.webkit.org/show_bug.cgi?id=189939
3300         <rdar://problem/44407030>
3301
3302         Reviewed by Michael Saboff.
3303
3304         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3305         (foo):
3306         (test):
3307
3308 2018-10-03  Mark Lam  <mark.lam@apple.com>
3309
3310         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3311         https://bugs.webkit.org/show_bug.cgi?id=190187
3312         <rdar://problem/42512909>
3313
3314         Reviewed by Michael Saboff.
3315
3316         * stress/regress-190187.js: Added.
3317
3318 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3319
3320         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3321         https://bugs.webkit.org/show_bug.cgi?id=190033
3322
3323         Reviewed by Yusuke Suzuki.
3324
3325         * stress/big-int-to-string.js:
3326
3327 2018-10-01  Mark Lam  <mark.lam@apple.com>
3328
3329         Function.toString() should also copy the source code Functions that are class definitions.
3330         https://bugs.webkit.org/show_bug.cgi?id=190186
3331         <rdar://problem/44733360>
3332
3333         Reviewed by Saam Barati.
3334
3335         * stress/regress-190186.js: Added.
3336
3337 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3338
3339         Split NaN-check into separate test
3340         https://bugs.webkit.org/show_bug.cgi?id=190010
3341
3342         Reviewed by Saam Barati.
3343
3344         DataView exposes NaN-representation, which is not necessarily the same on each
3345         architecture. Therefore move the check of the NaN-representation into its own
3346         file such that we can disable this test on MIPS where NaN-representation can be
3347         different on older CPUs.
3348
3349         * stress/dataview-jit-set-nan.js: Added.
3350         (assert):
3351         (test.storeLittleEndian):
3352         (test.storeBigEndian):
3353         (test.store):
3354         (test):
3355         * stress/dataview-jit-set.js:
3356         (test5):
3357
3358 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3359
3360         Unreviewed, rolling out r236647.
3361         https://bugs.webkit.org/show_bug.cgi?id=190124
3362
3363         Breaking test stress/big-int-to-string.js (Requested by
3364         caiolima_ on #webkit).
3365
3366         Reverted changeset:
3367
3368         "[BigInt] BigInt.prototype.toString is broken when radix is
3369         power of 2"
3370         https://bugs.webkit.org/show_bug.cgi?id=190033
3371         https://trac.webkit.org/changeset/236647
3372
3373 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3374
3375         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3376         https://bugs.webkit.org/show_bug.cgi?id=190033
3377
3378         Reviewed by Yusuke Suzuki.
3379
3380         * stress/big-int-to-string.js:
3381
3382 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3383
3384         [ESNext][BigInt] Implement support for "&"
3385         https://bugs.webkit.org/show_bug.cgi?id=186228
3386
3387         Reviewed by Yusuke Suzuki.
3388
3389         * stress/big-int-bitwise-and-general.js: Added.
3390         (assert):
3391         (assert.sameValue):
3392         * stress/big-int-bitwise-and-jit.js: Added.
3393         (let.assert.sameValue):
3394         (bigIntBitAnd):
3395         * stress/big-int-bitwise-and-memory-stress.js: Added.
3396         (assert):
3397         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3398         (assert.sameValue):
3399         (let.o.Symbol.toPrimitive):
3400         (catch):
3401         * stress/big-int-bitwise-and-type-error.js: Added.
3402         (assert):
3403         (assertThrowTypeError):
3404         (let.o.valueOf):
3405         (o.valueOf):
3406         (o.toString):
3407         (o.Symbol.toPrimitive):
3408         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3409         (assert.sameValue):
3410         (testBitAnd):
3411         (let.o.Symbol.toPrimitive):
3412         (o.valueOf):
3413         (o.toString):
3414
3415 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3416
3417         JSC test stress/jsc-read.js doesn't support CRLF
3418         https://bugs.webkit.org/show_bug.cgi?id=190063
3419
3420         Reviewed by Yusuke Suzuki.
3421
3422         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3423
3424         * stress/jsc-read.js:
3425         (test):
3426
3427 2018-09-27  Saam barati  <sbarati@apple.com>
3428
3429         Verify the contents of AssemblerBuffer on arm64e
3430         https://bugs.webkit.org/show_bug.cgi?id=190057
3431         <rdar://problem/38916630>
3432
3433         Reviewed by Mark Lam.
3434
3435         * stress/regress-189132.js:
3436
3437 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3438
3439         Disable test without LLInt on ARMv7
3440         https://bugs.webkit.org/show_bug.cgi?id=190037
3441
3442         Reviewed by Mark Lam.
3443
3444         Test runs out of executable memory on ARMv7; do not run
3445         this test without LLInt enabled.
3446
3447         * stress/regress-169445.js:
3448
3449 2018-09-26  Keith Miller  <keith_miller@apple.com>
3450
3451         We should zero unused property storage when rebalancing array storage.
3452         https://bugs.webkit.org/show_bug.cgi?id=188151
3453
3454         Reviewed by Michael Saboff.
3455
3456         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3457
3458 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3459
3460         [JSC] Optimize Array#lastIndexOf
3461         https://bugs.webkit.org/show_bug.cgi?id=189780
3462
3463         Reviewed by Saam Barati.
3464
3465         * stress/array-lastindexof-array-prototype-trap.js: Added.
3466         (shouldBe):
3467         (AncestorArray.prototype.get 2):
3468         (AncestorArray):
3469         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3470         (shouldBe):
3471         * stress/array-lastindexof-hole-nan.js: Added.
3472         (shouldBe):
3473         (throw.new.Error):
3474         * stress/array-lastindexof-infinity.js: Added.
3475         (shouldBe):
3476         (throw.new.Error):
3477         * stress/array-lastindexof-negative-zero.js: Added.
3478         (shouldBe):
3479         (throw.new.Error):
3480         * stress/array-lastindexof-own-getter.js: Added.
3481         (shouldBe):
3482         (throw.new.Error.get array):
3483         (get array):
3484         * stress/array-lastindexof-prototype-trap.js: Added.
3485         (shouldBe):
3486         (DerivedArray.prototype.get 2):
3487         (DerivedArray):
3488
3489 2018-09-25  Saam Barati  <sbarati@apple.com>
3490
3491         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3492         https://bugs.webkit.org/show_bug.cgi?id=189940
3493         <rdar://problem/43640987>
3494
3495         Reviewed by Mark Lam.
3496
3497         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3498
3499 2018-09-24  Saam Barati  <sbarati@apple.com>
3500
3501         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3502         https://bugs.webkit.org/show_bug.cgi?id=189922
3503         <rdar://problem/44651275>
3504
3505         Reviewed by Mark Lam.
3506
3507         * stress/array-indexof-fast-path-effects.js: Added.
3508         * stress/array-indexof-cached-length.js: Added.
3509
3510 2018-09-24  Saam barati  <sbarati@apple.com>
3511
3512         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3513         https://bugs.webkit.org/show_bug.cgi?id=189682
3514         <rdar://problem/43557315>
3515
3516         Reviewed by Mark Lam.
3517
3518         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3519         (foo):
3520
3521 2018-09-22  Saam barati  <sbarati@apple.com>
3522
3523         The sampling should not use Strong<CodeBlock> in its machineLocation field
3524         https://bugs.webkit.org/show_bug.cgi?id=189319
3525
3526         Reviewed by Filip Pizlo.
3527
3528         * stress/sampling-profiler-richards.js: Added.
3529
3530 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3531
3532         [JSC] Optimize Array#indexOf in C++ runtime
3533         https://bugs.webkit.org/show_bug.cgi?id=189507
3534
3535         Reviewed by Saam Barati.
3536
3537         * stress/array-indexof-array-prototype-trap.js: Added.
3538         (shouldBe):
3539         (AncestorArray.prototype.get 2):
3540         (AncestorArray):
3541         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3542         (shouldBe):
3543         * stress/array-indexof-hole-nan.js: Added.
3544         (shouldBe):
3545         (throw.new.Error):
3546         * stress/array-indexof-infinity.js: Added.
3547         (shouldBe):
3548         (throw.new.Error):
3549         * stress/array-indexof-negative-zero.js: Added.
3550         (shouldBe):
3551         (throw.new.Error):
3552         * stress/array-indexof-own-getter.js: Added.
3553         (shouldBe):
3554         (throw.new.Error.get array):
3555         (get array):
3556         * stress/array-indexof-prototype-trap.js: Added.
3557         (shouldBe):
3558         (DerivedArray.prototype.get 2):
3559         (DerivedArray):
3560
3561 2018-09-19  Saam barati  <sbarati@apple.com>
3562
3563         AI rule for MultiPutByOffset executes its effects in the wrong order
3564         https://bugs.webkit.org/show_bug.cgi?id=189757
3565         <rdar://problem/43535257>
3566
3567         Reviewed by Michael Saboff.
3568
3569         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3570         (foo):
3571         (Foo):
3572         (g):
3573
3574 2018-09-17  Mark Lam  <mark.lam@apple.com>
3575
3576         Ensure that ForInContexts are invalidated if their loop local is over-written.
3577         https://bugs.webkit.org/show_bug.cgi?id=189571
3578         <rdar://problem/44402277>
3579
3580         Reviewed by Saam Barati.
3581
3582         * stress/regress-189571.js: Added.
3583
3584 2018-09-17  Saam barati  <sbarati@apple.com>
3585
3586         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3587         https://bugs.webkit.org/show_bug.cgi?id=189676
3588         <rdar://problem/39682897>
3589
3590         Reviewed by Michael Saboff.
3591
3592         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3593         (A):
3594         (K):
3595         (i.catch):
3596
3597 2018-09-14  Saam barati  <sbarati@apple.com>
3598
3599         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3600         https://bugs.webkit.org/show_bug.cgi?id=189628
3601         <rdar://problem/39481690>
3602
3603         Reviewed by Mark Lam.
3604
3605         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3606         (foo):
3607
3608 2018-09-11  Mark Lam  <mark.lam@apple.com>
3609
3610         Test for array initialization in arrayProtoFuncSplice.
3611         https://bugs.webkit.org/show_bug.cgi?id=170253
3612         <rdar://problem/31328773>
3613
3614         Rubber-stamped by Saam Barati.
3615
3616         * stress/regress-170253.js: Added.
3617
3618 2018-09-11  Mark Lam  <mark.lam@apple.com>
3619
3620         Test for IntlObject initialization.
3621         https://bugs.webkit.org/show_bug.cgi?id=170251
3622         <rdar://problem/31328419>
3623
3624         Rubber-stamped by Saam Barati.
3625
3626         * stress/regress-170251.js: Added.
3627
3628 2018-09-11  Mark Lam  <mark.lam@apple.com>
3629
3630         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3631         https://bugs.webkit.org/show_bug.cgi?id=169889
3632         <rdar://problem/31155607>
3633
3634         Reviewed by Saam Barati.
3635
3636         * stress/regress-169889-array-concat.js: Added.
3637         * stress/regress-169889-array-concat1.js: Added.
3638         * stress/regress-169889-array-slice.js: Added.
3639
3640 2018-09-11  Mark Lam  <mark.lam@apple.com>
3641
3642         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3643         https://bugs.webkit.org/show_bug.cgi?id=169445
3644         <rdar://problem/30957435>
3645
3646         Reviewed by Saam Barati.
3647
3648         * stress/regress-169445.js: Added.
3649         (let.gun.eval.A):
3650         (let.gun.eval.B.C):
3651         (let.gun.eval.B.C.prototype.trigger):
3652         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3653         (let.gun.eval.B):
3654         (let.gun.eval):
3655
3656 == Rolled over to ChangeLog-2018-09-11 ==