[WebKit-https.git] / JSTests / ChangeLog
1 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2
3         Add b3 macro lowering for CheckMul on arm64
4         https://bugs.webkit.org/show_bug.cgi?id=199251
5
6         Reviewed by Robin Morisset.
7
8         * microbenchmarks/check-mul-constant.js: Added.
9         (doTest):
10         * microbenchmarks/check-mul-no-constant.js: Added.
11         (doTest):
12         * microbenchmarks/check-mul-power-of-two.js: Added.
13         (doTest):
14
15 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
16
17         Optimize join of large empty arrays
18         https://bugs.webkit.org/show_bug.cgi?id=199636
19
20         Reviewed by Mark Lam.
21
22         * microbenchmarks/large-empty-array-join.js: Added.
23         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
24
25 2019-07-06  Michael Saboff  <msaboff@apple.com>
26
27         switch(String) needs to check for exceptions when resolving the string
28         https://bugs.webkit.org/show_bug.cgi?id=199541
29
30         Reviewed by Mark Lam.
31
32         New tests.
33
34         * stress/switch-string-oom.js: Added.
35         (test):
36         (testLowerTiers):
37         (testFTL):
38
39 2019-07-05  Mark Lam  <mark.lam@apple.com>
40
41         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex past zero.
42         https://bugs.webkit.org/show_bug.cgi?id=199533
43         <rdar://problem/52669111>
44
45         Reviewed by Filip Pizlo.
46
47         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
48
49 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
50
51         [JSC] Clean up ArraySpeciesCreate
52         https://bugs.webkit.org/show_bug.cgi?id=182434
53
54         Reviewed by Yusuke Suzuki.
55
56         Adjusts error message expectations in stress tests.
57
58         * stress/array-flatmap.js:
59         * stress/array-flatten.js:
60         * stress/array-species-create-should-handle-masquerader.js:
61         * test262/expectations.yaml: Mark 4 test cases as passing.
62
63 2019-07-02  Michael Saboff  <msaboff@apple.com>
64
65         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
66         https://bugs.webkit.org/show_bug.cgi?id=199395
67
68         Reviewed by Filip Pizlo.
69
70         New regression test.
71
72         * stress/for-of-tdz-with-try-catch.js: Added.
73         (test):
74         (i.catch):
75
76 2019-07-02  Keith Miller  <keith_miller@apple.com>
77
78         Frozen Arrays length assignment should throw in strict mode
79         https://bugs.webkit.org/show_bug.cgi?id=199365
80
81         Reviewed by Yusuke Suzuki.
82
83         * stress/frozen-array-length-should-throw-strict.js: Added.
84         (test):
85
86 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
87
88         [Wasm-References] Disable references by default
89         https://bugs.webkit.org/show_bug.cgi?id=199390
90
91         Reviewed by Saam Barati.
92
93         * wasm/references-spec-tests/ref_is_null.js:
94         * wasm/references-spec-tests/ref_null.js:
95         * wasm/references/anyref_globals.js:
96         * wasm/references/anyref_modules.js:
97         * wasm/references/anyref_table.js:
98         * wasm/references/anyref_table_import.js:
99         * wasm/references/element_parsing.js:
100         * wasm/references/func_ref.js:
101         * wasm/references/is_null.js:
102         * wasm/references/multitable.js:
103         * wasm/references/table_misc.js:
104         * wasm/references/validation.js:
105
106 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
107
108         Unreviewed, rolling out r246946.
109
110         Caused JSC test crashes on arm64
111
112         Reverted changeset:
113
114         "Add b3 macro lowering for CheckMul on arm64"
115         https://bugs.webkit.org/show_bug.cgi?id=199251
116         https://trac.webkit.org/changeset/246946
117
118 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
119
120         Add b3 macro lowering for CheckMul on arm64
121         https://bugs.webkit.org/show_bug.cgi?id=199251
122
123         Reviewed by Robin Morisset.
124
125         * microbenchmarks/check-mul-constant.js: Added.
126         (doTest):
127         * microbenchmarks/check-mul-no-constant.js: Added.
128         (doTest):
129         * microbenchmarks/check-mul-power-of-two.js: Added.
130         (doTest):
131
132 2019-06-26  Keith Miller  <keith_miller@apple.com>
133
134         speciesConstruct needs to throw if the result is a DataView
135         https://bugs.webkit.org/show_bug.cgi?id=199231
136
137         Reviewed by Mark Lam.
138
139         * stress/typedarray-filter.js:
140         (subclasses.forEach):
141         * stress/typedarray-map.js:
142         (subclasses.forEach):
143         * stress/typedarray-slice.js:
144         (typedArrays.forEach):
145         * stress/typedarray-subarray.js:
146         (subclasses.forEach):
147
148 2019-06-24  Commit Queue  <commit-queue@webkit.org>
149
150         Unreviewed, rolling out r246714.
151         https://bugs.webkit.org/show_bug.cgi?id=199179
152
153         revert to do patch in a different way. (Requested by keith_mi_
154         on #webkit).
155
156         Reverted changeset:
157
158         "All prototypes should call didBecomePrototype()"
159         https://bugs.webkit.org/show_bug.cgi?id=196315
160         https://trac.webkit.org/changeset/246714
161
162 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
163
164         Add Array.prototype.{flat,flatMap} to unscopables
165         https://bugs.webkit.org/show_bug.cgi?id=194322
166
167         Reviewed by Keith Miller.
168
169         * stress/unscopables.js: Fix test.
170         * test262/expectations.yaml: Mark 2 test cases as passing.
171
172 2019-06-21  Mark Lam  <mark.lam@apple.com>
173
174         ArraySlice needs to keep the source array alive.
175         https://bugs.webkit.org/show_bug.cgi?id=197374
176         <rdar://problem/50304429>
177
178         Reviewed by Michael Saboff and Filip Pizlo.
179
180         * stress/array-slice-must-keep-source-array-alive.js: Added.
181
182 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
183
184         All prototypes should call didBecomePrototype()
185         https://bugs.webkit.org/show_bug.cgi?id=196315
186
187         Reviewed by Saam Barati.
188
189         * stress/function-prototype-indexed-accessor.js: Added.
190
191 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
192
193         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
194         https://bugs.webkit.org/show_bug.cgi?id=197631
195
196         Reviewed by Saam Barati.
197
198         * stress/has-own-property-arguments.js: Added.
199         (shouldBe):
200         (A):
201
202 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
203
204         [JSC] ClassExpr should not store result in the middle of evaluation
205         https://bugs.webkit.org/show_bug.cgi?id=199106
206
207         Reviewed by Tadeu Zagallo.
208
209         * stress/class-expression-should-store-result-at-last.js: Added.
210         (shouldThrow):
211         (shouldThrow.let.a):
212
213 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
214
215         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
216         https://bugs.webkit.org/show_bug.cgi?id=199044
217
218         Reviewed by Saam Barati.
219
220         Add wasm references spec tests as well as a worker test.
221
222         * wasm.yaml:
223         * wasm/Builder_WebAssemblyBinary.js:
224         (const.emitters.Element):
225         * wasm/js-api/element.js:
226         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
227         * wasm/references-spec-tests/ref_is_null.js: Added.
228         (hostref):
229         (is_hostref):
230         (is_funcref):
231         (eq_ref):
232         (let.handler.get target):
233         (register):
234         (module):
235         (instance):
236         (call):
237         (get instance):
238         (exports):
239         (run):
240         (assert_malformed):
241         (assert_invalid):
242         (assert_unlinkable):
243         (assert_uninstantiable):
244         (assert_trap):
245         (try.f):
246         (catch):
247         (assert_exhaustion):
248         (assert_return):
249         (assert_return_canonical_nan):
250         (assert_return_arithmetic_nan):
251         (assert_return_ref):
252         (assert_return_func):
253         * wasm/references-spec-tests/ref_null.js: Added.
254         (hostref):
255         (is_hostref):
256         (is_funcref):
257         (eq_ref):
258         (let.handler.get target):
259         (register):
260         (module):
261         (instance):
262         (call):
263         (get instance):
264         (exports):
265         (run):
266         (assert_malformed):
267         (assert_invalid):
268         (assert_unlinkable):
269         (assert_uninstantiable):
270         (assert_trap):
271         (try.f):
272         (catch):
273         (assert_exhaustion):
274         (assert_return):
275         (assert_return_canonical_nan):
276         (assert_return_arithmetic_nan):
277         (assert_return_ref):
278         (assert_return_func):
279         * wasm/references/element_parsing.js: Added.
280         (module):
281         * wasm/references/func_ref.js:
282         * wasm/references/multitable.js:
283         * wasm/references/table_misc.js:
284         (TableSize.0.End.End.WebAssembly):
285         * wasm/references/validation.js:
286         (assert.throws):
287
288 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
289
290         Optimize `resolve` method lookup in Promise static methods
291         https://bugs.webkit.org/show_bug.cgi?id=198864
292
293         Reviewed by Yusuke Suzuki.
294
295         * test262/expectations.yaml: Mark 18 test cases as passing.
296
297 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
298
299         [WASM-References] Rename anyfunc to funcref
300         https://bugs.webkit.org/show_bug.cgi?id=198983
301
302         Reviewed by Yusuke Suzuki.
303
304         * wasm/function-tests/basic-element.js:
305         * wasm/function-tests/context-switch.js:
306         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
307         (makeInstance):
308         (assert.eq.makeInstance):
309         * wasm/function-tests/exceptions.js:
310         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
311         * wasm/function-tests/grow-memory-2.js:
312         (assert.eq.instance.exports.foo):
313         * wasm/function-tests/nameSection.js:
314         (const.compile):
315         * wasm/function-tests/stack-overflow.js:
316         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
317         (assertOverflows.makeInstance):
318         * wasm/function-tests/table-basic-2.js:
319         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
320         * wasm/function-tests/table-basic.js:
321         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
322         * wasm/function-tests/trap-from-start-async.js:
323         * wasm/function-tests/trap-from-start.js:
324         * wasm/js-api/Module.exports.js:
325         (assert.truthy):
326         * wasm/js-api/Module.imports.js:
327         (assert.truthy):
328         * wasm/js-api/call-indirect.js:
329         (const.oneTable):
330         (const.multiTable):
331         (multiTable.const.makeTable):
332         (multiTable):
333         (multiTable.Polyphic2Import):
334         (multiTable.VirtualImport):
335         * wasm/js-api/element-data.js:
336         * wasm/js-api/element.js:
337         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
338         (assert.throws):
339         (badInstantiation.makeModule):
340         (badInstantiation.test):
341         (badInstantiation):
342         * wasm/js-api/extension-MemoryMode.js:
343         * wasm/js-api/table.js:
344         (new.WebAssembly.Module):
345         (assert.throws):
346         (assertBadTableImport):
347         (assert.throws.WebAssembly.Table.prototype.grow):
348         (new.WebAssembly.Table):
349         (assertBadTable):
350         (assert.truthy):
351         * wasm/js-api/test_basic_api.js:
352         (const.c.in.constructorProperties.switch):
353         * wasm/js-api/unique-signature.js:
354         (CallIndirectWithDuplicateSignatures):
355         * wasm/js-api/wrapper-function.js:
356         * wasm/modules/table.wat:
357         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
358         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
359         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
360         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
361         * wasm/references/anyref_table.js:
362         * wasm/references/anyref_table_import.js:
363         (doSet):
364         (assert.throws):
365         * wasm/references/func_ref.js:
366         (makeFuncrefIdent):
367         (assert.eq.instance.exports.fix):
368         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
369         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
370         (let.importedFun.of):
371         (makeAnyfuncIdent): Deleted.
372         (makeAnyfuncIdent.fun): Deleted.
373         * wasm/references/multitable.js:
374         (assert.eq):
375         (assert.throws):
376         * wasm/references/table_misc.js:
377         (GetLocal.0.TableFill.0.End.End.WebAssembly):
378         * wasm/references/validation.js:
379         (assert.throws.new.WebAssembly.Module.bin):
380         (assert.throws):
381         * wasm/spec-harness/index.js:
382         * wasm/spec-harness/wasm-constants.js:
383         * wasm/spec-harness/wasm-module-builder.js:
384         (WasmModuleBuilder.prototype.toArray):
385         * wasm/spec-harness/wast.js:
386         (elem_type):
387         (string_of_elem_type):
388         (string_of_table_type):
389         * wasm/spec-tests/jsapi.js:
390         * wasm/stress/wasm-table-grow-initialize.js:
391         * wasm/wasm.json:
392
393 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
394
395         [WASM-References] Add support for Table.size, grow and fill instructions
396         https://bugs.webkit.org/show_bug.cgi?id=198761
397
398         Reviewed by Yusuke Suzuki.
399
400         * wasm/Builder_WebAssemblyBinary.js:
401         (const.putOp):
402         * wasm/references/table_misc.js: Added.
403         (TableSize.End.End.WebAssembly):
404         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
405         * wasm/wasm.json:
406
407 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
408
409         [WASM-References] Add support for multiple tables
410         https://bugs.webkit.org/show_bug.cgi?id=198760
411
412         Reviewed by Saam Barati.
413
414         * wasm/Builder.js:
415         * wasm/js-api/call-indirect.js:
416         (const.oneTable):
417         (const.multiTable):
418         (multiTable):
419         (multiTable.Polyphic2Import):
420         (multiTable.VirtualImport):
421         (const.wasmModuleWhichImportJS): Deleted.
422         (const.makeTable): Deleted.
423         (): Deleted.
424         (Polyphic2Import): Deleted.
425         (VirtualImport): Deleted.
426         * wasm/js-api/table.js:
427         (new.WebAssembly.Module):
428         (assert.throws):
429         (assertBadTableImport):
430         (assert.truthy):
431         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
432         * wasm/references/anyref_table.js:
433         * wasm/references/anyref_table_import.js:
434         (makeImport):
435         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
436         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
437         * wasm/references/multitable.js: Added.
438         (assert.throws.1.exports.set_tbl0):
439         (assert.throws):
440         (assert.eq):
441         * wasm/references/validation.js:
442         (assert.throws.new.WebAssembly.Module.bin):
443         (assert.throws):
444         * wasm/spec-tests/imports.wast.js:
445         * wasm/wasm.json:
446
447         * wasm/Builder.js:
448         * wasm/js-api/call-indirect.js:
449         (const.oneTable):
450         (const.multiTable):
451         (multiTable):
452         (multiTable.Polyphic2Import):
453         (multiTable.VirtualImport):
454         (const.wasmModuleWhichImportJS): Deleted.
455         (const.makeTable): Deleted.
456         (): Deleted.
457         (Polyphic2Import): Deleted.
458         (VirtualImport): Deleted.
459         * wasm/js-api/table.js:
460         (new.WebAssembly.Module):
461         (assert.throws):
462         (assertBadTableImport):
463         (assert.truthy):
464         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
465         * wasm/references/anyref_table.js:
466         * wasm/references/anyref_table_import.js:
467         (makeImport):
468         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
469         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
470         * wasm/references/func_ref.js:
471         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
472         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
473         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
474         * wasm/references/multitable.js: Added.
475         (assert.throws.1.exports.set_tbl0):
476         (assert.throws):
477         (assert.eq):
478         (string_appeared_here.tableInsanity):
479         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
480         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
481         * wasm/references/validation.js:
482         (assert.throws.new.WebAssembly.Module.bin):
483         (assert.throws):
484         * wasm/spec-tests/imports.wast.js:
485         * wasm/wasm.json:
486
487 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
488
489         [ESNext] String.prototype.matchAll
490         https://bugs.webkit.org/show_bug.cgi?id=186694
491
492         Reviewed by Yusuke Suzuki.
493
494         Implement String.prototype.matchAll.
495         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
496
497         * test262/config.yaml:
498
499 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
500
501         DFG code should not reify the names of builtin functions with private names
502         https://bugs.webkit.org/show_bug.cgi?id=198849
503         <rdar://problem/51733890>
504
505         Reviewed by Filip Pizlo.
506
507         * stress/builtin-private-function-name.js: Added.
508         (then):
509         (PromiseLike):
510
511 2019-06-18  Keith Miller  <keith_miller@apple.com>
512
513         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
514         https://bugs.webkit.org/show_bug.cgi?id=198969
515         <rdar://problem/51620714>
516
517         Reviewed by Tadeu Zagallo.
518
519         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
520         (catch):
521
522 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
523
524         Validate that table element type is funcref if using an element section
525         https://bugs.webkit.org/show_bug.cgi?id=198910
526
527         Reviewed by Yusuke Suzuki.
528
529         * wasm/references/anyref_table.js:
530
531 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
532
533         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
534         https://bugs.webkit.org/show_bug.cgi?id=197378
535
536         Reviewed by Saam Barati.
537
538         * stress/disposable-call-site-index-with-call-and-this.js: Added.
539         (foo):
540         (bar):
541         * stress/disposable-call-site-index.js: Added.
542         (foo):
543         (bar):
544
545 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
546
547         [WASM-References] Add support for Funcref in parameters and return types
548         https://bugs.webkit.org/show_bug.cgi?id=198157
549
550         Reviewed by Yusuke Suzuki.
551
552         * wasm/Builder.js:
553         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
554         * wasm/references/anyref_globals.js:
555         * wasm/references/func_ref.js: Added.
556         (fullGC.gc.makeExportedFunction):
557         (makeExportedIdent):
558         (makeAnyfuncIdent):
559         (fun):
560         (assert.eq.instance.exports.fix.fun):
561         (assert.eq.instance.exports.fix):
562         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
563         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
564         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
565         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
566         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
567         (assert.throws):
568         (assert.throws.doTest):
569         (let.importedFun.of):
570         (makeAnyfuncIdent.fun):
571         * wasm/references/validation.js:
572         (assert.throws):
573         * wasm/wasm.json:
574
575 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
576
577         Update test262 tests (2019.06.13)
578         https://bugs.webkit.org/show_bug.cgi?id=198821
579
580         Reviewed by Konstantin Tokarev.
581
582         * test262/expectations.yaml:
583         * test262/harness/:
584         * test262/latest-changes-summary.txt:
585         * test262/test/:
586         * test262/test262-Revision.txt:
587
588 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
589
590         [JSC] Grown region of WasmTable should be initialized with null
591         https://bugs.webkit.org/show_bug.cgi?id=198903
592
593         Reviewed by Saam Barati.
594
595         * wasm/stress/wasm-table-grow-initialize.js: Added.
596         (shouldBe):
597
598 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
599
600         Yarr bytecode compilation failure should be gracefully handled
601         https://bugs.webkit.org/show_bug.cgi?id=198700
602
603         Reviewed by Michael Saboff.
604
605         * stress/regexp-bytecode-compilation-fail.js: Added.
606         (shouldThrow):
607
608 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
611         https://bugs.webkit.org/show_bug.cgi?id=198770
612
613         Reviewed by Saam Barati.
614
615         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
616         (test):
617
618 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
619
620         JSC should throw if proxy set returns falsish in strict mode context
621         https://bugs.webkit.org/show_bug.cgi?id=177398
622
623         Reviewed by Yusuke Suzuki.
624
625         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
626         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
627
628         * stress/proxy-set.js: Add 2 test cases.
629         * stress/regexp-match-proxy.js: Fix test.
630         * stress/regexp-replace-proxy.js: Fix test.
631
632 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
633
634         Error message for non-callable Proxy `construct` trap is misleading
635         https://bugs.webkit.org/show_bug.cgi?id=198637
636
637         Reviewed by Saam Barati.
638
639         * stress/proxy-construct.js:
640
641 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
642
643         AI BitURShift's result should not be unsigned
644         https://bugs.webkit.org/show_bug.cgi?id=198689
645         <rdar://problem/51550063>
646
647         Reviewed by Saam Barati.
648
649         * stress/urshift-int32-overflow.js: Added.
650         (foo.):
651         (foo):
652
653 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
654
655         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
656
657         Unreviewed gardening.
658
659         * stress/ftl-gettypedarrayoffset-wasteful.js:
660         Skipped on arm/linux as it always times out on the bot since a change
661         between r246270 and r246278 inclusive.
662
663 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
664
665         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
666         https://bugs.webkit.org/show_bug.cgi?id=198023
667
668         Reviewed by Saam Barati.
669
670         * stress/reparsing-unlinked-codeblock.js: Added.
671         (shouldBe):
672         (hello):
673
674 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
675
676         [JSC] Use mergePrediction in ValuePow prediction propagation
677         https://bugs.webkit.org/show_bug.cgi?id=198648
678
679         Reviewed by Saam Barati.
680
681         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
682
683 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
684
685         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
686         https://bugs.webkit.org/show_bug.cgi?id=198581
687         <rdar://problem/51099753>
688
689         Reviewed by Saam Barati.
690
691         * stress/global-object-proto-getter.js: Added.
692         (f):
693         (test):
694
695 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
696
697         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
698         https://bugs.webkit.org/show_bug.cgi?id=198398
699
700         Reviewed by Saam Barati.
701
702         * wasm/references/anyref_table.js: Added.
703         (string_appeared_here.doGCSet):
704         (doGCTest):
705         (doGCSet.doGCTest.let.count.0.doBarrierSet):
706         * wasm/references/anyref_table_import.js: Added.
707         (makeImport):
708         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
709         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
710         * wasm/references/is_null_error.js: Removed.
711         * wasm/references/validation.js: Added.
712         (assert.throws.new.WebAssembly.Module.bin):
713         (assert.throws):
714         * wasm/wasm.json:
715
716 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
717
718         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
719         https://bugs.webkit.org/show_bug.cgi?id=198106
720
721         Reviewed by Saam Barati.
722
723         * wasm/regress/selectf64.js: Added.
724         * wasm/regress/selectf64.wasm: Added.
725         * wasm/regress/selectf64.wat: Added.
726
727 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
728
729         Argument elimination should check transitive dependents for interference
730         https://bugs.webkit.org/show_bug.cgi?id=198520
731         <rdar://problem/50863343>
732
733         Reviewed by Filip Pizlo.
734
735         * stress/argument-elimination-inline-rest-past-kill.js: Added.
736         (f2):
737         (f3):
738
739 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
740
741         Argument elimination should check for negative indices in GetByVal
742         https://bugs.webkit.org/show_bug.cgi?id=198302
743         <rdar://problem/51188095>
744
745         Reviewed by Filip Pizlo.
746
747         * stress/eliminate-arguments-negative-rest-access.js: Added.
748         (inlinee):
749         (opt):
750
751 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
752
753         [ESNext][BigInt] Implement support for "**"
754         https://bugs.webkit.org/show_bug.cgi?id=190799
755
756         Reviewed by Saam Barati.
757
758         * stress/big-int-exp-basic.js: Added.
759         * stress/big-int-exp-jit-osr.js: Added.
760         * stress/big-int-exp-jit-untyped.js: Added.
761         * stress/big-int-exp-jit.js: Added.
762         * stress/big-int-exp-negative-exponent.js: Added.
763         * stress/big-int-exp-to-primitive.js: Added.
764         * stress/big-int-exp-type-error.js: Added.
765         * stress/big-int-exp-wrapped-value.js: Added.
766         * stress/value-pow-ai-rule.js: Added.
767
768 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
769
770         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
771         https://bugs.webkit.org/show_bug.cgi?id=197979
772
773         Reviewed by Filip Pizlo.
774
775         * stress/16bit-code.js: Added.
776         (shouldBe):
777         * stress/32bit-code.js: Added.
778         (shouldBe):
779
780 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
781
782         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
783         https://bugs.webkit.org/show_bug.cgi?id=198355
784
785         Reviewed by Saam Barati.
786
787         * wasm/references/is_null.js:
788
789 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
790
791         [PlayStation] Skip additional tests on PlayStation
792         https://bugs.webkit.org/show_bug.cgi?id=198352
793
794         Reviewed by Don Olmstead.
795
796         Skip pow test on PlayStation due to behavior difference in standard library.
797         Skip incremental marking test due to OOM on PlayStation systems.
798
799         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
800         * stress/math-pow-with-constants.js:
801         * stress/pow-with-constants.js:
802
803 2019-05-28  Dean Jackson  <dino@apple.com>
804
805         Implement Promise.allSettled
806         https://bugs.webkit.org/show_bug.cgi?id=197600
807         <rdar://problem/50483885>
808
809         Reviewed by Keith Miller.
810
811         Start testing Promise.allSettled. We pass most of the tests.
812         The ones that fail are similar to the Promise.all tests we already fail.
813
814         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
815         * test262/expectations.yaml: Add new expectations for allSettled tests.
816
817 2019-05-28  Michael Saboff  <msaboff@apple.com>
818
819         [YARR] Properly handle RegExp's that require large ParenContext space
820         https://bugs.webkit.org/show_bug.cgi?id=198065
821
822         Reviewed by Keith Miller.
823
824         New test.
825
826         * stress/regexp-large-paren-context.js: Added.
827         (testLargeRegExp):
828
829 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
830
831         JITOperations putByVal should mark negative array indices as out-of-bounds
832         https://bugs.webkit.org/show_bug.cgi?id=198271
833
834         Reviewed by Saam Barati.
835
836         * microbenchmarks/get-by-val-negative-array-index.js:
837         (foo):
838         Update the getByVal microbenchmark added in r245769. This now shows that r245769
839         is 4.2x faster than the previous commit.
840
841         * microbenchmarks/put-by-val-negative-array-index.js: Added.
842         (foo):
843
844 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
845
846         JITOperations getByVal should mark negative array indices as out-of-bounds
847         https://bugs.webkit.org/show_bug.cgi?id=198229
848
849         Reviewed by Saam Barati.
850
851         * microbenchmarks/get-by-val-negative-array-index.js: Added.
852         (foo):
853
854 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
855
856         [WASM-References] Support Anyref in globals
857         https://bugs.webkit.org/show_bug.cgi?id=198102
858
859         Reviewed by Saam Barati.
860
861         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
862
863         * wasm/Builder.js:
864         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
865         * wasm/Builder_WebAssemblyBinary.js:
866         (const.putInitExpr):
867         * wasm/references/anyref_globals.js: Added.
868         (GetGlobal.0.End.End.WebAssembly):
869         (5.doGCSet):
870         (doGCTest):
871         (doGCSet.doGCTest.let.count.0.doBarrierSet):
872
873 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
874
875         DFG::OSREntry should not perform arity check
876         https://bugs.webkit.org/show_bug.cgi?id=198189
877
878         Reviewed by Saam Barati.
879
880         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
881         (foo):
882
883 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
884
885         [PlayStation] Skip additional tests on PlayStation
886         https://bugs.webkit.org/show_bug.cgi?id=198145
887
888         Reviewed by Ross Kirsling.
889
890         * exceptionFuzz.yaml:
891         Add skip on hostOS playstation
892         * executableAllocationFuzz.yaml:
893         Add skip on hostOS playstation
894
895 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
896
897         createListFromArrayLike should throw if value is not an object
898         https://bugs.webkit.org/show_bug.cgi?id=198138
899
900         Reviewed by Yusuke Suzuki.
901
902         * stress/create-list-from-array-like-not-object.js: Added.
903         (testValid):
904         (testInvalid):
905         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
906         (opt):
907         * stress/proxy-proto-enumerator.js: Added.
908         (main):
909         * stress/proxy-proto-own-keys.js: Added.
910         (assert):
911         (ownKeys):
912
913 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
916         https://bugs.webkit.org/show_bug.cgi?id=197809
917
918         Reviewed by Michael Saboff.
919
920         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
921         (foo):
922
923 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
924
925         [ESNext] Implement support for Numeric Separators
926         https://bugs.webkit.org/show_bug.cgi?id=196351
927
928         Reviewed by Keith Miller.
929
930         * stress/numeric-literal-separators.js: Added.
931         Add tests for feature.
932
933         * test262/expectations.yaml:
934         Mark 60 test cases as passing.
935
936 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
937
938         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
939         https://bugs.webkit.org/show_bug.cgi?id=198120
940         <rdar://problem/49668795>
941
942         Reviewed by Michael Saboff.
943
944         * stress/get-array-length-concurrently-change-mode.js: Added.
945         (main):
946
947 2019-05-22  Commit Queue  <commit-queue@webkit.org>
948
949         Unreviewed, rolling out r245634.
950         https://bugs.webkit.org/show_bug.cgi?id=198140
951
952         'This patch makes JSC crash on launch in debug builds'
953         (Requested by tadeuzagallo on #webkit).
954
955         Reverted changeset:
956
957         "[ESNext] Implement support for Numeric Separators"
958         https://bugs.webkit.org/show_bug.cgi?id=196351
959         https://trac.webkit.org/changeset/245634
960
961 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
962
963         Stack-buffer-overflow in decodeURIComponent
964         https://bugs.webkit.org/show_bug.cgi?id=198109
965         <rdar://problem/50397550>
966
967         Reviewed by Michael Saboff.
968
969         * stress/decode-uri-icu-count-trail-bytes.js: Added.
970         (i.j.try.i.toString):
971         (i.j.catch):
972
973 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
974
975         Don't clear PropertyNameArray in Proxy code
976         https://bugs.webkit.org/show_bug.cgi?id=197691
977
978         Reviewed by Saam Barati.
979
980         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
981         (shouldBe):
982         (opt):
983
984 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
985
986         [ESNext] Implement support for Numeric Separators
987         https://bugs.webkit.org/show_bug.cgi?id=196351
988
989         Reviewed by Keith Miller.
990
991         * stress/numeric-literal-separators.js: Added.
992         Add tests for feature.
993
994         * test262/expectations.yaml:
995         Mark 60 test cases as passing.
996
997 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
998
999         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
1000         https://bugs.webkit.org/show_bug.cgi?id=198101
1001
1002         Reviewed by Michael Saboff.
1003
1004         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
1005         (shouldBe):
1006
1007 2019-05-20  Keith Miller  <keith_miller@apple.com>
1008
1009         Cleanup Yarr regexp code around paren contexts.
1010         https://bugs.webkit.org/show_bug.cgi?id=198063
1011
1012         Reviewed by Yusuke Suzuki.
1013
1014         * stress/regexp-many-named-sequential-capture-groups.js: Added.
1015         (i.s):
1016         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
1017
1018 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
1019
1020         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
1021         https://bugs.webkit.org/show_bug.cgi?id=197969
1022
1023         Reviewed by Keith Miller.
1024
1025         Support the anyref type in Builder.js, plus add some extra error logging.
1026         Add new folder for wasm references tests.
1027
1028         * wasm.yaml:
1029         * wasm/Builder.js:
1030         (const._isValidValue):
1031         * wasm/references/anyref_modules.js: Added.
1032         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
1033         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
1034         (Call.3.RefIsNull.End.End.WebAssembly):
1035         (undefined):
1036         * wasm/references/is_null.js: Added.
1037         * wasm/references/is_null_error.js: Added.
1038         * wasm/spec-harness/index.js:
1039         * wasm/wasm.json:
1040
1041 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
1042
1043         [JSC] Invalid AssignmentTargetType should be an early error.
1044         https://bugs.webkit.org/show_bug.cgi?id=197603
1045
1046         Reviewed by Keith Miller.
1047
1048         * test262/expectations.yaml:
1049         Update expectations to reflect new SyntaxErrors.
1050         (Ideally, these should all be viewed as passing in the near future.)
1051
1052         * stress/async-await-basic.js:
1053         * stress/big-int-literals.js:
1054         Update tests to reflect new SyntaxErrors.
1055
1056         * ChakraCore.yaml:
1057         * ChakraCore/test/EH/try6.baseline-jsc:
1058         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
1059         Update baselines to reflect new SyntaxErrors.
1060
1061 2019-05-15  Saam Barati  <sbarati@apple.com>
1062
1063         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
1064         https://bugs.webkit.org/show_bug.cgi?id=197855
1065         <rdar://problem/50236506>
1066
1067         Reviewed by Michael Saboff.
1068
1069         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
1070         (f0):
1071         (bar):
1072         (foo):
1073         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
1074         (f1):
1075         (f2):
1076         (foo):
1077
1078 2019-05-14  Keith Miller  <keith_miller@apple.com>
1079
1080         Fix issue with byteOffset on ARM64E
1081         https://bugs.webkit.org/show_bug.cgi?id=197884
1082
1083         Reviewed by Saam Barati.
1084
1085         We didn't have any tests that run with non-byte/non-zero offset
1086         typed arrays.
1087
1088         * stress/ftl-gettypedarrayoffset-wasteful.js:
1089
1090 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
1091
1092         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
1093         https://bugs.webkit.org/show_bug.cgi?id=197833
1094
1095         Reviewed by Darin Adler.
1096
1097         * stress/generator-name.js: Added.
1098         (shouldBe):
1099         (gen):
1100         (catch):
1101
1102 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
1103
1104         JSObject::getOwnPropertyDescriptor is missing an exception check
1105         https://bugs.webkit.org/show_bug.cgi?id=197693
1106         <rdar://problem/50441784>
1107
1108         Reviewed by Saam Barati.
1109
1110         * stress/proxy-spread.js: Added.
1111         (foo):
1112
1113 2019-05-10  Saam barati  <sbarati@apple.com>
1114
1115         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
1116         https://bugs.webkit.org/show_bug.cgi?id=197807
1117         <rdar://problem/50530400>
1118
1119         Reviewed by Yusuke Suzuki.
1120
1121         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
1122         (test.getInstance):
1123         (test):
1124
1125 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
1126
1127         [Test262] Unreviewed expectations update following r245188.
1128
1129         * test262/config.yaml:
1130         * test262/expectations.yaml:
1131
1132         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
1133         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
1134         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
1135         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
1136         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
1137         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
1138         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
1139         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
1140         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
1141         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
1142         These files have invalid YAML comments. Will also submit corrections back to Test262.
1143
1144 2019-05-10  Keith Miller  <keith_miller@apple.com>
1145
1146         Update test262 tests.
1147
1148         Rubber-stamped by Yusuke Suzuki.
1149
1150         * test262/*: mega-patch too many things to list individually.
1151
1152 2019-05-09  Keith Miller  <keith_miller@apple.com>
1153
1154         Unreviewed, fix test to have a try-catch.
1155
1156         * stress/many-nested-functions-parser-stack-overflow.js:
1157         (catch):
1158
1159 2019-05-09  Keith Miller  <keith_miller@apple.com>
1160
1161         parseStatementListItem needs a stack overflow check
1162         https://bugs.webkit.org/show_bug.cgi?id=197749
1163
1164         Reviewed by Saam Barati.
1165
1166         * stress/many-nested-functions-parser-stack-overflow.js: Added.
1167
1168 2019-05-08  Saam barati  <sbarati@apple.com>
1169
1170         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
1171         https://bugs.webkit.org/show_bug.cgi?id=197715
1172         <rdar://problem/50399252>
1173
1174         Reviewed by Filip Pizlo.
1175
1176         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
1177         (foo):
1178         (bar):
1179
1180 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1181
1182         Unreviewed, rolling out r245068.
1183
1184         Caused debug layout tests to exit early due to an assertion
1185         failure.
1186
1187         Reverted changeset:
1188
1189         "All prototypes should call didBecomePrototype()"
1190         https://bugs.webkit.org/show_bug.cgi?id=196315
1191         https://trac.webkit.org/changeset/245068
1192
1193 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
1194
1195         Invalid DFG JIT generation in high CPU usage state
1196         https://bugs.webkit.org/show_bug.cgi?id=197453
1197
1198         Reviewed by Saam Barati.
1199
1200         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
1201         (trigger):
1202         (main):
1203
1204 2019-05-08  Robin Morisset  <rmorisset@apple.com>
1205
1206         All prototypes should call didBecomePrototype()
1207         https://bugs.webkit.org/show_bug.cgi?id=196315
1208
1209         Reviewed by Saam Barati.
1210
1211         This changelog already landed, but the commit was missing the actual changes.
1212
1213         * stress/function-prototype-indexed-accessor.js: Added.
1214
1215 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
1216
1217         [BigInt] Add ValueMod into DFG
1218         https://bugs.webkit.org/show_bug.cgi?id=186174
1219
1220         Reviewed by Saam Barati.
1221
1222         * microbenchmarks/mod-untyped.js: Added.
1223         * stress/big-int-mod-osr.js: Added.
1224         * stress/value-div-ai-rule.js: Added.
1225         * stress/value-mod-ai-rule.js: Added.
1226
1227 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
1228
1229         [JSC] DFG_ASSERT failed in lowInt52
1230         https://bugs.webkit.org/show_bug.cgi?id=197569
1231
1232         Reviewed by Saam Barati.
1233
1234         * stress/getstack-int52.js: Added.
1235         (opt):
1236         (main):
1237
1238 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
1239
1240         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
1241         https://bugs.webkit.org/show_bug.cgi?id=197479
1242
1243         Reviewed by Saam Barati.
1244
1245         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
1246         (shouldBe):
1247
1248 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
1249
1250         TemplateObject passed to template literal tags are not always identical for the same source location.
1251         https://bugs.webkit.org/show_bug.cgi?id=190756
1252
1253         Reviewed by Saam Barati.
1254
1255         * complex.yaml:
1256         * complex/tagged-template-regeneration-after.js: Added.
1257         (shouldBe):
1258         * complex/tagged-template-regeneration.js: Added.
1259         (call):
1260         (test):
1261         * modules/tagged-template-inside-module.js: Added.
1262         (from.string_appeared_here.call):
1263         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
1264         (call):
1265         (export.otherTaggedTemplates):
1266         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
1267         (shouldBe):
1268         (call):
1269         (poly):
1270         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
1271         (shouldBe):
1272         (call):
1273         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
1274         (shouldBe):
1275         (call):
1276         (test):
1277         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
1278         (shouldBe):
1279         (call):
1280         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
1281         (shouldBe):
1282         (call):
1283         * stress/tagged-templates-in-multiple-functions.js: Added.
1284         (shouldBe):
1285         (call):
1286         (a):
1287         (b):
1288         (c):
1289         * stress/tagged-templates-with-same-start-offset.js: Added.
1290         (shouldBe):
1291
1292 2019-05-07  Robin Morisset  <rmorisset@apple.com>
1293
1294         All prototypes should call didBecomePrototype()
1295         https://bugs.webkit.org/show_bug.cgi?id=196315
1296
1297         Reviewed by Saam Barati.
1298
1299         * stress/function-prototype-indexed-accessor.js: Added.
1300
1301 2019-05-07  Commit Queue  <commit-queue@webkit.org>
1302
1303         Unreviewed, rolling out r244978.
1304         https://bugs.webkit.org/show_bug.cgi?id=197671
1305
1306         TemplateObject map should use start/end offsets (Requested by
1307         yusukesuzuki on #webkit).
1308
1309         Reverted changeset:
1310
1311         "TemplateObject passed to template literal tags are not always
1312         identical for the same source location."
1313         https://bugs.webkit.org/show_bug.cgi?id=190756
1314         https://trac.webkit.org/changeset/244978
1315
1316 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
1317
1318         tryCachePutByID should not crash if target offset changes
1319         https://bugs.webkit.org/show_bug.cgi?id=197311
1320         <rdar://problem/48033612>
1321
1322         Reviewed by Filip Pizlo.
1323
1324         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
1325         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
1326
1327         * stress/cache-put-by-id-delete-prototype.js: Added.
1328         (A.prototype.set y):
1329         (A):
1330         (B.prototype.set y):
1331         (B):
1332         (C):
1333         * stress/cache-put-by-id-different-__proto__.js: Added.
1334         (A.prototype.set y):
1335         (A):
1336         (B1):
1337         (B2.prototype.set y):
1338         (B2):
1339         (C):
1340         (D):
1341         * stress/cache-put-by-id-different-attributes.js: Added.
1342         (Foo):
1343         (set x):
1344         * stress/cache-put-by-id-different-offset.js: Added.
1345         (Foo):
1346         (set x):
1347         * stress/cache-put-by-id-insert-prototype.js: Added.
1348         (A.prototype.set y):
1349         (A):
1350         (C):
1351         * stress/cache-put-by-id-poly-proto.js: Added.
1352         (Foo):
1353         (set _):
1354         (createBar.Bar):
1355         (createBar):
1356
1357 2019-05-07  Saam Barati  <sbarati@apple.com>
1358
1359         Don't OSR enter into an FTL CodeBlock that has been jettisoned
1360         https://bugs.webkit.org/show_bug.cgi?id=197531
1361         <rdar://problem/50162379>
1362
1363         Reviewed by Yusuke Suzuki.
1364
1365         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
1366
1367 2019-05-06  Dean Jackson  <dino@apple.com>
1368
1369         Update test262 expectations for Proxy passes
1370         https://bugs.webkit.org/show_bug.cgi?id=197628
1371
1372         Reviewed by Yusuke Suzuki.
1373
1374         There are two consistent passes in Proxy.ownKeys.
1375
1376         * test262/expectations.yaml:
1377
1378 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1379
1380         [JSC] We should check OOM for description string of Symbol
1381         https://bugs.webkit.org/show_bug.cgi?id=197634
1382
1383         Reviewed by Keith Miller.
1384
1385         * stress/check-symbol-description-oom.js: Added.
1386         (shouldThrow):
1387
1388 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1389
1390         Unreviewed, land one more test
1391         https://bugs.webkit.org/show_bug.cgi?id=197587
1392
1393         * stress/setter-frame-flush.js: Added.
1394         (setter):
1395         (foo):
1396         (bar):
1397
1398 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1399
1400         TemplateObject passed to template literal tags are not always identical for the same source location.
1401         https://bugs.webkit.org/show_bug.cgi?id=190756
1402
1403         Reviewed by Saam Barati.
1404
1405         * complex.yaml:
1406         * complex/tagged-template-regeneration-after.js: Added.
1407         (shouldBe):
1408         * complex/tagged-template-regeneration.js: Added.
1409         (call):
1410         (test):
1411         * modules/tagged-template-inside-module.js: Added.
1412         (from.string_appeared_here.call):
1413         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
1414         (call):
1415         (export.otherTaggedTemplates):
1416         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
1417         (shouldBe):
1418         (call):
1419         (poly):
1420         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
1421         (shouldBe):
1422         (call):
1423         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
1424         (shouldBe):
1425         (call):
1426         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
1427         (shouldBe):
1428         (call):
1429         * stress/tagged-templates-in-multiple-functions.js: Added.
1430         (shouldBe):
1431         (call):
1432         (a):
1433         (b):
1434         (c):
1435
1436 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
1437
1438         [PlayStation] JSC Stress tests failing due to timezone printing
1439         https://bugs.webkit.org/show_bug.cgi?id=197615
1440
1441         PlayStation's strftime does not give timezone strings, which
1442         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
1443         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
1444         which causes diff failures with the expectations. Add expectations
1445         without the timezone string and use those on playstation.
1446
1447         Reviewed by Ross Kirsling.
1448
1449         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
1450         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
1451         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
1452         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
1453
1454 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
1455
1456         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
1457         https://bugs.webkit.org/show_bug.cgi?id=197587
1458
1459         Reviewed by Sam Weinig.
1460
1461         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
1462
1463         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
1464
1465 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
1466
1467         TypedArrays should not store properties that are canonical numeric indices
1468         https://bugs.webkit.org/show_bug.cgi?id=197228
1469         <rdar://problem/49557381>
1470
1471         Reviewed by Saam Barati.
1472
1473         * stress/array-species-config-array-constructor.js:
1474         (test):
1475         * stress/put-direct-index-broken-2.js:
1476         * stress/typed-array-canonical-numeric-index-string.js: Added.
1477         (makeTest.assert):
1478         (makeTest):
1479         (const.testInvalidIndices.makeTest.set assert):
1480         (const.testInvalidIndices.makeTest):
1481         (const.makeTestValidIndex.configurable.set assert):
1482         (const.makeTestValidIndex.configurable):
1483         * stress/typedarray-access-monomorphic-neutered.js:
1484         (checkNoException):
1485         (testNoException):
1486         (testFTLNoException):
1487         * stress/typedarray-access-neutered.js:
1488         (testNoException):
1489         * stress/typedarray-getownproperty-not-configurable.js:
1490         (foo):
1491         * test262/expectations.yaml:
1492
1493 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
1494
1495         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
1496         https://bugs.webkit.org/show_bug.cgi?id=197584
1497
1498         Reviewed by Saam Barati.
1499
1500         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
1501         (X):
1502         (foo):
1503
1504 2019-05-03  Michael Saboff  <msaboff@apple.com>
1505
1506         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
1507         https://bugs.webkit.org/show_bug.cgi?id=197586
1508
1509         Reviewed by Keith Miller.
1510
1511         We should only run one config of this test and only when we think we'll have the memory.
1512
1513         * stress/json-stringify-string-builder-overflow.js:
1514
1515 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
1516
1517         [JSC] Generator CodeBlock generation should be idempotent
1518         https://bugs.webkit.org/show_bug.cgi?id=197552
1519
1520         Reviewed by Keith Miller.
1521
1522         Add complex.yaml, which controls how to run JSC shell more.
1523         We split test files into two to run macro task between them which allows debugger to be attached to VM.
1524
1525         * complex.yaml: Added.
1526         * complex/generator-regeneration-after.js: Added.
1527         * complex/generator-regeneration.js: Added.
1528         (gen):
1529
1530 2019-05-02  Michael Saboff  <msaboff@apple.com>
1531
1532         Unreviewed rollout of r244862.
1533
1534         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
1535
1536 2019-05-01  Saam barati  <sbarati@apple.com>
1537
1538         Baseline JIT should do argument value profiling after checking for stack overflow
1539         https://bugs.webkit.org/show_bug.cgi?id=197052
1540         <rdar://problem/50009602>
1541
1542         Reviewed by Yusuke Suzuki.
1543
1544         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
1545
1546 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
1547
1548         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
1549         https://bugs.webkit.org/show_bug.cgi?id=197405
1550
1551         Reviewed by Saam Barati.
1552
1553         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
1554         (foo):
1555         (test):
1556         (i.o.get f):
1557         (i.o.set f):
1558
1559 2019-05-01  Michael Saboff  <msaboff@apple.com>
1560
1561         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
1562         https://bugs.webkit.org/show_bug.cgi?id=197485
1563
1564         Reviewed by Saam Barati.
1565
1566         New test.
1567
1568         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
1569         (foo):
1570
1571 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
1572
1573         Unreviewed correction to Test262 expectations following r244828.
1574
1575         * test262/expectations.yaml:
1576
1577 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
1578
1579         Add memory-limited skipping to some tests generating very large strings
1580         https://bugs.webkit.org/show_bug.cgi?id=197437
1581
1582         Reviewed by Ross Kirsling.
1583
1584         * stress/StringObject-define-length-getter-rope-string-oom.js:
1585         * stress/create-error-out-of-memory-rope-string.js:
1586         * stress/string-16bit-repeat-overflow.js:
1587
1588 2019-04-30  Commit Queue  <commit-queue@webkit.org>
1589
1590         Unreviewed, rolling out r244806.
1591         https://bugs.webkit.org/show_bug.cgi?id=197446
1592
1593         Causing Test262 and JSC test failures on multiple builds
1594         (Requested by ShawnRoberts on #webkit).
1595
1596         Reverted changeset:
1597
1598         "TypeArrays should not store properties that are canonical
1599         numeric indices"
1600         https://bugs.webkit.org/show_bug.cgi?id=197228
1601         https://trac.webkit.org/changeset/244806
1602
1603 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
1604
1605         TypeArrays should not store properties that are canonical numeric indices
1606         https://bugs.webkit.org/show_bug.cgi?id=197228
1607         <rdar://problem/49557381>
1608
1609         Reviewed by Darin Adler.
1610
1611         * stress/typed-array-canonical-numeric-index-string.js: Added.
1612         (makeTest.assert):
1613         (makeTest):
1614         (const.testInvalidIndices.makeTest.set assert):
1615         (const.testInvalidIndices.makeTest):
1616         (const.testValidIndices.makeTest.set assert):
1617         (const.testValidIndices.makeTest):
1618
1619 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
1620
1621         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
1622         https://bugs.webkit.org/show_bug.cgi?id=197362
1623
1624         Reviewed by Saam Barati.
1625
1626         * stress/map-with-nan.js: Added.
1627         (shouldBe):
1628         (div):
1629         (NaN1):
1630         (NaN2):
1631         (NaN3):
1632         (NaN4):
1633         (NaN1NoInline):
1634         (NaN2NoInline):
1635         (NaN3NoInline):
1636         (NaN4NoInline):
1637         (test1):
1638         (test2):
1639         (test3):
1640         (test4):
1641         * stress/set-with-nan.js: Added.
1642         (shouldBe):
1643         (div):
1644         (NaN1):
1645         (NaN2):
1646         (NaN3):
1647         (NaN4):
1648         (NaN1NoInline):
1649         (NaN2NoInline):
1650         (NaN3NoInline):
1651         (NaN4NoInline):
1652         (test2):
1653         (test4):
1654
1655 2019-04-26  Commit Queue  <commit-queue@webkit.org>
1656
1657         Unreviewed, rolling out r244708.
1658         https://bugs.webkit.org/show_bug.cgi?id=197334
1659
1660         "Broke the debug build" (Requested by rmorisset on #webkit).
1661
1662         Reverted changeset:
1663
1664         "All prototypes should call didBecomePrototype()"
1665         https://bugs.webkit.org/show_bug.cgi?id=196315
1666         https://trac.webkit.org/changeset/244708
1667
1668 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1669
1670         [JSC] linkPolymorphicCall now does GC
1671         https://bugs.webkit.org/show_bug.cgi?id=197306
1672
1673         Reviewed by Saam Barati.
1674
1675         * stress/link-polymorphic-call-can-gc.js: Added.
1676         (module):
1677         (instance):
1678
1679 2019-04-26  Robin Morisset  <rmorisset@apple.com>
1680
1681         All prototypes should call didBecomePrototype()
1682         https://bugs.webkit.org/show_bug.cgi?id=196315
1683
1684         Reviewed by Saam Barati.
1685
1686         * stress/function-prototype-indexed-accessor.js: Added.
1687
1688 2019-04-23  Saam Barati  <sbarati@apple.com>
1689
1690         LICM incorrectly assumes it'll never insert a node which provably OSR exits
1691         https://bugs.webkit.org/show_bug.cgi?id=196721
1692         <rdar://problem/49556479>
1693
1694         Reviewed by Filip Pizlo.
1695
1696         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
1697         (foo):
1698
1699 2019-04-19  Saam Barati  <sbarati@apple.com>
1700
1701         AbstractValue can represent more than int52
1702         https://bugs.webkit.org/show_bug.cgi?id=197118
1703         <rdar://problem/49969960>
1704
1705         Reviewed by Michael Saboff.
1706
1707         * stress/abstract-value-can-include-int52.js: Added.
1708         (foo):
1709         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
1710
1711 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
1712
1713         [WTF] StringBuilder should set correct m_is8Bit flag when merging
1714         https://bugs.webkit.org/show_bug.cgi?id=197053
1715
1716         Reviewed by Saam Barati.
1717
1718         * stress/merge-string-builder-in-dfg.js: Added.
1719         (foo):
1720
1721 2019-04-16  Caitlin Potter  <caitp@igalia.com>
1722
1723         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1724         https://bugs.webkit.org/show_bug.cgi?id=176810
1725
1726         Reviewed by Saam Barati.
1727
1728         Add tests for the DontEnum filtering, and variations of other tests
1729         take the DontEnum-filtering path.
1730
1731         * stress/proxy-own-keys.js:
1732         (i.catch):
1733         (set assert):
1734         (set add):
1735         (let.set new):
1736         (get let):
1737
1738 2019-04-15  Saam barati  <sbarati@apple.com>
1739
1740         Modify how we do SetArgument when we inline varargs calls
1741         https://bugs.webkit.org/show_bug.cgi?id=196712
1742         <rdar://problem/49605012>
1743
1744         Reviewed by Michael Saboff.
1745
1746         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
1747         (foo):
1748
1749 2019-04-15  Saam barati  <sbarati@apple.com>
1750
1751         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
1752         https://bugs.webkit.org/show_bug.cgi?id=196945
1753         <rdar://problem/49802750>
1754
1755         Reviewed by Filip Pizlo.
1756
1757         * stress/get-by-offset-should-use-correct-child.js: Added.
1758         (foo.bar):
1759         (foo):
1760
1761 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1762
1763         DFG should be able to constant fold Object.create() with a constant prototype operand
1764         https://bugs.webkit.org/show_bug.cgi?id=196886
1765
1766         Reviewed by Yusuke Suzuki.
1767
1768         Note that this new benchmark does not currently see a speedup with inlining removed.
1769         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
1770
1771         * microbenchmarks/object-create-constant-prototype.js: Added.
1772         (test):
1773
1774 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1775
1776         Incremental bytecode cache should not append function updates when loaded from memory
1777         https://bugs.webkit.org/show_bug.cgi?id=196865
1778
1779         Reviewed by Filip Pizlo.
1780
1781         * stress/bytecode-cache-shared-code-block.js: Added.
1782         (b):
1783         (program):
1784
1785 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
1786
1787         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
1788         https://bugs.webkit.org/show_bug.cgi?id=196880
1789
1790         Reviewed by Yusuke Suzuki.
1791
1792         * stress/bytecode-cache-syntax-error.js: Added.
1793         (catch):
1794
1795 2019-04-12  Saam barati  <sbarati@apple.com>
1796
1797         r244079 logically broke shouldSpeculateInt52
1798         https://bugs.webkit.org/show_bug.cgi?id=196884
1799
1800         Reviewed by Yusuke Suzuki.
1801
1802         * microbenchmarks/int52-rand-function.js: Added.
1803         (Math.random):
1804
1805 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
1806
1807         [JSC] op_has_indexed_property should not assume subscript part is Uint32
1808         https://bugs.webkit.org/show_bug.cgi?id=196850
1809
1810         Reviewed by Saam Barati.
1811
1812         * stress/has-indexed-property-should-accept-non-int32.js: Added.
1813         (foo):
1814
1815 2019-04-11  Saam barati  <sbarati@apple.com>
1816
1817         Remove invalid assertion in operationInstanceOfCustom
1818         https://bugs.webkit.org/show_bug.cgi?id=196842
1819         <rdar://problem/49725493>
1820
1821         Reviewed by Michael Saboff.
1822
1823         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
1824
1825 2019-04-10  Saam Barati  <sbarati@apple.com>
1826
1827         AbstractValue::validateOSREntryValue is wrong for Int52 constants
1828         https://bugs.webkit.org/show_bug.cgi?id=196801
1829         <rdar://problem/49771122>
1830
1831         Reviewed by Yusuke Suzuki.
1832
1833         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
1834
1835 2019-04-10  Robin Morisset  <rmorisset@apple.com>
1836
1837         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
1838         https://bugs.webkit.org/show_bug.cgi?id=196746
1839
1840         Reviewed by Yusuke Suzuki.
1841
1842         * stress/cyclic-define-properties.js: Added.
1843         (foo):
1844
1845 2019-04-09  Saam barati  <sbarati@apple.com>
1846
1847         Clean up Int52 code and some bugs in it
1848         https://bugs.webkit.org/show_bug.cgi?id=196639
1849         <rdar://problem/49515757>
1850
1851         Reviewed by Yusuke Suzuki.
1852
1853         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
1854
1855 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
1856
1857         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
1858         https://bugs.webkit.org/show_bug.cgi?id=196708
1859         <rdar://problem/49556803>
1860
1861         Reviewed by Yusuke Suzuki.
1862
1863         * stress/proxy-getter-stack-overflow.js: Added.
1864         (const.handler.get target):
1865         (const.handler.has):
1866         (try.with):
1867         (catch):
1868
1869 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1870
1871         [JSC] DFG should respect node's strict flag
1872         https://bugs.webkit.org/show_bug.cgi?id=196617
1873
1874         Reviewed by Saam Barati.
1875
1876         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
1877         (shouldEqual):
1878         (makeUnwriteableUnconfigurableObject):
1879         (runTest):
1880         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
1881         (shouldBe):
1882         (shouldThrow):
1883         (with.result):
1884         (with.putValueStrict):
1885         (with.putValueSloppy):
1886
1887 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1888
1889         [JSC] isRope jump in StringSlice should not jump over register allocations
1890         https://bugs.webkit.org/show_bug.cgi?id=196716
1891
1892         Reviewed by Saam Barati.
1893
1894         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
1895         (foo.bar):
1896         (foo):
1897
1898 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1899
1900         [JSC] to_index_string should not assume incoming value is Uint32
1901         https://bugs.webkit.org/show_bug.cgi?id=196713
1902
1903         Reviewed by Saam Barati.
1904
1905         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
1906         (foo):
1907
1908 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1909
1910         [JSC] Add more tests for r243966
1911         https://bugs.webkit.org/show_bug.cgi?id=196711
1912
1913         Reviewed by Saam Barati.
1914
1915         Adding one more test for r243966 fix. The added test will not crash after r243966.
1916
1917         * stress/stress-cleared-calllinkinfo.js: Added.
1918         (runNearStackLimit.t):
1919         (runNearStackLimit):
1920         (repeat):
1921         (cls):
1922         (let.item.of.array.runNearStackLimit):
1923
1924 2019-04-08  Saam Barati  <sbarati@apple.com>
1925
1926         WebAssembly.RuntimeError missing exception check
1927         https://bugs.webkit.org/show_bug.cgi?id=196700
1928         <rdar://problem/49693932>
1929
1930         Reviewed by Yusuke Suzuki.
1931
1932         * wasm/js-api/runtime-error-should-exception-check.js: Added.
1933
1934 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1935
1936         Unreviewed, rolling in r243948 with test fix
1937         https://bugs.webkit.org/show_bug.cgi?id=196486
1938
1939         * stress/arrow-function-and-use-strict-directive.js: Added.
1940         * stress/arrow-function-syntax.js: Added.
1941         (checkSyntax):
1942         (checkSyntaxError):
1943
1944 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1945
1946         Unreviewed, rolling out r243948.
1947
1948         Caused inspector/runtime/parse.html to fail
1949
1950         Reverted changeset:
1951
1952         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
1953         https://bugs.webkit.org/show_bug.cgi?id=196486
1954         https://trac.webkit.org/changeset/243948
1955
1956 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1957
1958         Unreviewed, rolling out r243943.
1959
1960         Caused test262 failures.
1961
1962         Reverted changeset:
1963
1964         "[JSC] Filter DontEnum properties in
1965         ProxyObject::getOwnPropertyNames()"
1966         https://bugs.webkit.org/show_bug.cgi?id=176810
1967         https://trac.webkit.org/changeset/243943
1968
1969 2019-04-07  Michael Saboff  <msaboff@apple.com>
1970
1971         REGRESSION (r243642): Crash in reddit.com page
1972         https://bugs.webkit.org/show_bug.cgi?id=196684
1973
1974         Reviewed by Geoffrey Garen.
1975
1976         New regression test.
1977
1978         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
1979
1980 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
1981
1982         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
1983         https://bugs.webkit.org/show_bug.cgi?id=196683
1984
1985         Reviewed by Saam Barati.
1986
1987         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
1988         (foo):
1989
1990 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1991
1992         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
1993         https://bugs.webkit.org/show_bug.cgi?id=196582
1994
1995         Reviewed by Saam Barati.
1996
1997         * stress/add-overflow-check-with-three-same-registers.js: Added.
1998         (foo):
1999         (Number.prototype.valueOf):
2000         (runWithNumber):
2001
2002 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
2003
2004         Unreviewed, rolling out r243665.
2005
2006         Caused iOS JSC tests to exit with an exception.
2007
2008         Reverted changeset:
2009
2010         "Assertion failed in JSC::createError"
2011         https://bugs.webkit.org/show_bug.cgi?id=196305
2012         https://trac.webkit.org/changeset/243665
2013
2014 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2015
2016         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
2017         https://bugs.webkit.org/show_bug.cgi?id=196486
2018
2019         Reviewed by Saam Barati.
2020
2021         * stress/arrow-function-and-use-strict-directive.js: Added.
2022         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
2023         (checkSyntax):
2024         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
2025
2026 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2027
2028         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2029         https://bugs.webkit.org/show_bug.cgi?id=176810
2030
2031         Reviewed by Saam Barati.
2032
2033         Add tests for the DontEnum filtering, and variations of other tests
2034         take the DontEnum-filtering path.
2035
2036         * stress/proxy-own-keys.js:
2037         (i.catch):
2038         (set assert):
2039         (set add):
2040         (let.set new):
2041         (get let):
2042
2043 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2044
2045         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
2046         https://bugs.webkit.org/show_bug.cgi?id=185211
2047
2048         Reviewed by Saam Barati.
2049
2050         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
2051
2052         This changes several assertions to expect a TypeError to be thrown (in some cases,
2053         changing the expected message).
2054
2055         * es6/Proxy_ownKeys_duplicates.js:
2056         (handler):
2057         (shouldThrow):
2058         (test):
2059         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
2060         (shouldThrow):
2061         * stress/proxy-own-keys.js:
2062         (i.catch):
2063         (assert):
2064
2065 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2066
2067         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
2068         https://bugs.webkit.org/show_bug.cgi?id=196631
2069
2070         Reviewed by Saam Barati.
2071
2072         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
2073         (assert):
2074         (test):
2075         (foo):
2076
2077 2019-04-04  Saam Barati  <sbarati@apple.com>
2078
2079         Unreviewed. Make the test from r243906 catch the thrown exceptions.
2080
2081         * stress/inferred-types-regex-matches-array.js:
2082
2083 2019-04-04  Saam Barati  <sbarati@apple.com>
2084
2085         createRegExpMatchesArray does not respect inferred types
2086         https://bugs.webkit.org/show_bug.cgi?id=193287
2087
2088         Reviewed by Yusuke Suzuki.
2089
2090         This checks in the test case for 193287. This issue was discovered by
2091         Samuel Groß of Google Project Zero.
2092
2093         * stress/inferred-types-regex-matches-array.js: Added.
2094
2095 2019-04-04  Saam barati  <sbarati@apple.com>
2096
2097         Teach Call ICs how to call Wasm
2098         https://bugs.webkit.org/show_bug.cgi?id=196387
2099
2100         Reviewed by Filip Pizlo.
2101
2102         * wasm/function-tests/stack-trace.js:
2103
2104 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
2105
2106         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
2107         https://bugs.webkit.org/show_bug.cgi?id=194944
2108
2109         Reviewed by Keith Miller.
2110
2111         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
2112
2113 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
2114
2115         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
2116         https://bugs.webkit.org/show_bug.cgi?id=196409
2117
2118         Reviewed by Saam Barati.
2119
2120         * stress/bytecode-cache-cached-string-impl.js: Added.
2121         (f):
2122         (g):
2123         * stress/bytecode-cache-run-string.js: Added.
2124
2125 2019-04-03  Robin Morisset  <rmorisset@apple.com>
2126
2127         B3 should use associativity to optimize expression trees
2128         https://bugs.webkit.org/show_bug.cgi?id=194081
2129
2130         Reviewed by Filip Pizlo.
2131
2132         Added three microbenchmarks:
2133         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
2134         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
2135           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
2136         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
2137
2138         * microbenchmarks/add-tree.js: Added.
2139         * microbenchmarks/bit-or-tree.js: Added.
2140         * microbenchmarks/bit-xor-tree.js: Added.
2141
2142 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2143
2144         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
2145         https://bugs.webkit.org/show_bug.cgi?id=196574
2146
2147         Reviewed by Saam Barati.
2148
2149         * stress/string-index-of-exception-check.js: Added.
2150         (blurType):
2151         (1.forEach):
2152
2153 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2154
2155         Assertion failed in JSC::createError
2156         https://bugs.webkit.org/show_bug.cgi?id=196305
2157         <rdar://problem/49387382>
2158
2159         Reviewed by Saam Barati.
2160
2161         * stress/create-error-out-of-memory-rope-string-2.js: Added.
2162         (assert):
2163         (catch):
2164
2165 2019-03-28  Saam Barati  <sbarati@apple.com>
2166
2167         BackwardsGraph needs to consider back edges as the backward's root successor
2168         https://bugs.webkit.org/show_bug.cgi?id=195991
2169
2170         Reviewed by Filip Pizlo.
2171
2172         * stress/map-b3-licm-infinite-loop.js: Added.
2173
2174 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2175
2176         CodeBlock::jettison() should disallow repatching its own calls
2177         https://bugs.webkit.org/show_bug.cgi?id=196359
2178         <rdar://problem/48973663>
2179
2180         Reviewed by Saam Barati.
2181
2182         * stress/call-link-info-osrexit-repatch.js: Added.
2183         (foo):
2184
2185 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
2186
2187         [JSC] imports-oom.js intermittently fails
2188         https://bugs.webkit.org/show_bug.cgi?id=196373
2189
2190         Reviewed by Saam Barati.
2191
2192         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
2193         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
2194         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
2195         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
2196         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
2197
2198         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
2199         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
2200
2201         * wasm/lowExecutableMemory/imports-oom.js:
2202
2203 2019-03-27  Saam Barati  <sbarati@apple.com>
2204
2205         validateOSREntryValue with Int52 should box the value being checked into double format
2206         https://bugs.webkit.org/show_bug.cgi?id=196313
2207         <rdar://problem/49306703>
2208
2209         Reviewed by Yusuke Suzuki.
2210
2211         * stress/validate-int-52-ai-state.js: Added.
2212
2213 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2214
2215         [JSC] Owner of watchpoints should validate at GC finalizing phase
2216         https://bugs.webkit.org/show_bug.cgi?id=195827
2217
2218         Reviewed by Filip Pizlo.
2219
2220         * stress/gc-should-reap-dead-watchpoints.js: Added.
2221         (foo):
2222         (A.prototype.y):
2223         (A):
2224
2225 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
2226
2227         Skip WebAssembly test on 32-bit systems
2228         https://bugs.webkit.org/show_bug.cgi?id=196206
2229
2230         Reviewed by Saam Barati.
2231
2232         Invoking runDefault executes test immediately even though
2233         that test should be skipped due to missing WASM support.
2234         Therefore remove runDefault.
2235
2236         * wasm/regress/web-assembly-link-error-exception-check.js:
2237
2238 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2239
2240         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2241         https://bugs.webkit.org/show_bug.cgi?id=196217
2242
2243         Reviewed by Saam Barati.
2244
2245         Re-enable all NaN tests for f32.min, f64.min and f64.max.
2246
2247         * wasm/spec-tests/f32.wast.js:
2248         * wasm/spec-tests/f64.wast.js:
2249         * wasm/wasm.json:
2250
2251 2019-03-25  Keith Miller  <keith_miller@apple.com>
2252
2253         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2254         https://bugs.webkit.org/show_bug.cgi?id=196176
2255
2256         Reviewed by Saam Barati.
2257
2258         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
2259         (main.v10):
2260         (main):
2261
2262 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2263
2264         WebAssembly: f32.max with NaN generates incorrect result
2265         https://bugs.webkit.org/show_bug.cgi?id=175691
2266         <rdar://problem/33952228>
2267
2268         Reviewed by Saam Barati.
2269
2270         Enable all f32.max NaN tests
2271
2272         * wasm/spec-tests/f32.wast.js:
2273         * wasm/wasm.json:
2274
2275 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
2276
2277         [JSC] Move test into directory for WASM tests
2278         https://bugs.webkit.org/show_bug.cgi?id=196187
2279
2280         Reviewed by Mark Lam.
2281
2282         Move Test into wasm-directory. Otherwise this test
2283         is also executed on systems without WASM support.
2284
2285         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
2286
2287 2019-03-23  Mark Lam  <mark.lam@apple.com>
2288
2289         Rolling out r243032 and r243071 because the fix is incorrect.
2290         https://bugs.webkit.org/show_bug.cgi?id=195892
2291         <rdar://problem/48981239>
2292
2293         Not reviewed.
2294
2295         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
2296
2297 2019-03-22  Mark Lam  <mark.lam@apple.com>
2298
2299         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2300         https://bugs.webkit.org/show_bug.cgi?id=196154
2301         <rdar://problem/49145307>
2302
2303         Reviewed by Filip Pizlo.
2304
2305         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
2306         There's no need to run this test on more than 1 test configuration.
2307
2308         * stress/typed-array-lastIndexOf-exception-check.js: Added.
2309         * stress/web-assembly-link-error-exception-check.js:
2310
2311 2019-03-22  Mark Lam  <mark.lam@apple.com>
2312
2313         Placate exception check validation in constructJSWebAssemblyLinkError().
2314         https://bugs.webkit.org/show_bug.cgi?id=196152
2315         <rdar://problem/49145257>
2316
2317         Reviewed by Michael Saboff.
2318
2319         * stress/web-assembly-link-error-exception-check.js: Added.
2320
2321 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
2322
2323         Skip tests running out of memory on ARM/MIPS
2324         https://bugs.webkit.org/show_bug.cgi?id=196131
2325
2326         Unreviewed. Skip test if memory is limited.
2327
2328         * microbenchmarks/put-by-val-direct-large-index.js:
2329
2330 2019-03-21  Mark Lam  <mark.lam@apple.com>
2331
2332         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2333         https://bugs.webkit.org/show_bug.cgi?id=196116
2334         <rdar://problem/48976951>
2335
2336         Reviewed by Filip Pizlo.
2337
2338         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
2339
2340 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2341
2342         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
2343         https://bugs.webkit.org/show_bug.cgi?id=196078
2344         <rdar://problem/35925380>
2345
2346         Reviewed by Mark Lam.
2347
2348         Add a new benchmark that allocates several objects and invokes put_by_val_direct
2349         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
2350
2351         * microbenchmarks/put-by-val-direct-large-index.js: Added.
2352
2353 2019-03-21  Mark Lam  <mark.lam@apple.com>
2354
2355         Placate exception check validation in operationArrayIndexOfString().
2356         https://bugs.webkit.org/show_bug.cgi?id=196067
2357         <rdar://problem/49056572>
2358
2359         Reviewed by Michael Saboff.
2360
2361         * stress/string-equal-exception-check.js: Added.
2362
2363 2019-03-21  Mark Lam  <mark.lam@apple.com>
2364
2365         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
2366         https://bugs.webkit.org/show_bug.cgi?id=196055
2367         <rdar://problem/49067448>
2368
2369         Reviewed by Yusuke Suzuki.
2370
2371         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
2372
2373 2019-03-20  Saam Barati  <sbarati@apple.com>
2374
2375         typeOfDoubleSum is wrong for when NaN can be produced
2376         https://bugs.webkit.org/show_bug.cgi?id=196030
2377
2378         Reviewed by Filip Pizlo.
2379
2380         * stress/double-add-sub-mul-can-produce-nan.js: Added.
2381         (assert):
2382         (noInline.sub):
2383         (noInline):
2384         (assert.mul):
2385         (assert.add):
2386
2387 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
2388
2389         Update the test to ensure OutOfMemoryError is thrown as intended
2390         https://bugs.webkit.org/show_bug.cgi?id=196032
2391         <rdar://problem/46842740>
2392
2393         Rubber stamped by Saam Barati.
2394
2395         * stress/create-error-out-of-memory-rope-string.js:
2396         (assert):
2397         (catch):
2398
2399 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
2400
2401         JSC::createError needs to check for OOM in errorDescriptionForValue
2402         https://bugs.webkit.org/show_bug.cgi?id=196032
2403         <rdar://problem/46842740>
2404
2405         Reviewed by Mark Lam.
2406
2407         * stress/create-error-out-of-memory-rope-string.js: Added.
2408
2409 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
2410
2411         Unreviewed, reduce # of iterations to avoid timing out after r242991
2412         https://bugs.webkit.org/show_bug.cgi?id=195791
2413
2414         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
2415
2416         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
2417
2418 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
2419
2420         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
2421         https://bugs.webkit.org/show_bug.cgi?id=195950
2422
2423         Unreviewed, reducing the amount of memory used on this test to avoid
2424         OOM on devices with memory restrictions.
2425
2426         * microbenchmarks/generate-multiple-llint-entrypoints.js:
2427
2428 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
2429
2430         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
2431         https://bugs.webkit.org/show_bug.cgi?id=194648
2432
2433         Reviewed by Keith Miller.
2434
2435         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
2436
2437 2019-03-18  Mark Lam  <mark.lam@apple.com>
2438
2439         Missing a ThrowScope release in JSObject::toString().
2440         https://bugs.webkit.org/show_bug.cgi?id=195893
2441         <rdar://problem/48970986>
2442
2443         Reviewed by Michael Saboff.
2444
2445         * stress/to-string-exception-check-release.js: Added.
2446
2447 2019-03-18  Mark Lam  <mark.lam@apple.com>
2448
2449         Structure::flattenDictionary() should clear unused property slots.
2450         https://bugs.webkit.org/show_bug.cgi?id=195871
2451         <rdar://problem/48959497>
2452
2453         Reviewed by Michael Saboff.
2454
2455         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
2456
2457 2019-03-15  Mark Lam  <mark.lam@apple.com>
2458
2459         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
2460         https://bugs.webkit.org/show_bug.cgi?id=195827
2461         <rdar://problem/48845513>
2462
2463         Reviewed by Filip Pizlo.
2464
2465         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
2466
2467 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
2468
2469         [ARM,MIPS] Skip slow tests
2470         https://bugs.webkit.org/show_bug.cgi?id=195799
2471
2472         Unreviewed, test does not finish on ARM and MIPS within the
2473         timeout limit.
2474
2475         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
2476
2477 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
2478
2479         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
2480         https://bugs.webkit.org/show_bug.cgi?id=195791
2481         <rdar://problem/48806130>
2482
2483         Reviewed by Mark Lam.
2484
2485         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
2486         (foo):
2487
2488 2019-03-14  Saam barati  <sbarati@apple.com>
2489
2490         We can't remove code after ForceOSRExit until after FixupPhase
2491         https://bugs.webkit.org/show_bug.cgi?id=186916
2492         <rdar://problem/41396612>
2493
2494         Reviewed by Yusuke Suzuki.
2495
2496         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
2497         (foo):
2498         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
2499         (foo):
2500
2501 2019-03-13  Michael Saboff  <msaboff@apple.com>
2502
2503         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
2504         https://bugs.webkit.org/show_bug.cgi?id=195735
2505
2506         Reviewed by Mark Lam.
2507
2508         New regression test.
2509
2510         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
2511         (foo):
2512         (bar):
2513
2514 2019-03-14  Saam barati  <sbarati@apple.com>
2515
2516         Fixup uses KnownInt32 incorrectly in some nodes
2517         https://bugs.webkit.org/show_bug.cgi?id=195279
2518         <rdar://problem/47915654>
2519
2520         Reviewed by Yusuke Suzuki.
2521
2522         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
2523         (foo):
2524
2525 2019-03-14  Keith Miller  <keith_miller@apple.com>
2526
2527         DFG liveness can't skip tail caller inline frames
2528         https://bugs.webkit.org/show_bug.cgi?id=195715
2529
2530         Reviewed by Saam Barati.
2531
2532         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
2533         (i.foo):
2534
2535 2019-03-13  Mark Lam  <mark.lam@apple.com>
2536
2537         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
2538         https://bugs.webkit.org/show_bug.cgi?id=195415
2539
2540         Not reviewed.
2541
2542         Changed these tests to only run the default configuration.
2543         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
2544         There's no strong need to run this test on that variant.
2545
2546         * stress/dfg-to-string-on-int-does-gc.js:
2547         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
2548
2549 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
2550
2551         String overflow when using StringBuilder in JSC::createError
2552         https://bugs.webkit.org/show_bug.cgi?id=194957
2553
2554         Reviewed by Mark Lam.
2555
2556         Add test string-overflow-createError-builder.js that overflows
2557         StringBuilder in notAFunctionSourceAppender. The second new test
2558         string-overflow-createError-fit.js has an error message that doesn't
2559         overflow, it still failed since the String's capacity can't be doubled.
2560         Run test string-overflow-createError.js only in the default
2561         configuration to reduce memory consumption when running the test
2562         in all configurations on multiple CPUs in parallel.
2563
2564         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
2565         (catch):
2566         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
2567         (catch):
2568         * stress/string-overflow-createError.js:
2569
2570 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
2571
2572         [JSC] OSR entry should respect abstract values in addition to flush formats
2573         https://bugs.webkit.org/show_bug.cgi?id=195653
2574
2575         Reviewed by Mark Lam.
2576
2577         * stress/osr-entry-locals-none.js: Added.
2578
2579 2019-03-12  Michael Saboff  <msaboff@apple.com>
2580
2581         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
2582         https://bugs.webkit.org/show_bug.cgi?id=195613
2583
2584         Reviewed by Mark Lam.
2585
2586         New regression test.
2587
2588         * stress/regexp-backref-inbounds.js: Added.
2589         (testRegExp):
2590
2591 2019-03-12  Mark Lam  <mark.lam@apple.com>
2592
2593         The HasIndexedProperty node does GC.
2594         https://bugs.webkit.org/show_bug.cgi?id=195559
2595         <rdar://problem/48767923>
2596
2597         Reviewed by Yusuke Suzuki.
2598
2599         * stress/HasIndexedProperty-does-gc.js: Added.
2600
2601 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
2602
2603         [ESNext][BigInt] Implement "~" unary operation
2604         https://bugs.webkit.org/show_bug.cgi?id=182216
2605
2606         Reviewed by Keith Miller.
2607
2608         * stress/big-int-bit-not-general.js: Added.
2609         * stress/big-int-bitwise-not-jit.js: Added.
2610         * stress/big-int-bitwise-not-wrapped-value.js: Added.
2611         * stress/bit-op-with-object-returning-int32.js:
2612         * stress/bitwise-not-fixup-rules.js: Added.
2613         * stress/value-bit-not-ai-rule.js: Added.
2614
2615 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
2616
2617         Invalid flags in a RegExp literal should be an early SyntaxError
2618         https://bugs.webkit.org/show_bug.cgi?id=195514
2619
2620         Reviewed by Darin Adler.
2621
2622         * test262/expectations.yaml:
2623         Mark 4 test cases as passing.
2624
2625         * stress/regexp-syntax-error-invalid-flags.js:
2626         * stress/regress-161995.js: Removed.
2627         Update existing test, merging in an older test for the same behavior.
2628
2629 2019-03-08  Mark Lam  <mark.lam@apple.com>
2630
2631         Stack overflow crash in JSC::JSObject::hasInstance.
2632         https://bugs.webkit.org/show_bug.cgi?id=195458
2633         <rdar://problem/48710195>
2634
2635         Reviewed by Yusuke Suzuki.
2636
2637         * stress/stack-overflow-in-custom-hasInstance.js: Added.
2638
2639 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
2640
2641         op_check_tdz does not def its argument
2642         https://bugs.webkit.org/show_bug.cgi?id=192880
2643         <rdar://problem/46221598>
2644
2645         Reviewed by Saam Barati.
2646
2647         * microbenchmarks/let-for-in.js: Added.
2648         (foo):
2649
2650 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
2651
2652         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
2653         https://bugs.webkit.org/show_bug.cgi?id=195429
2654
2655         Reviewed by Saam Barati.
2656
2657         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
2658         (foo):
2659         * stress/string-from-char-code-255.js: Added.
2660
2661 2019-03-06  Mark Lam  <mark.lam@apple.com>
2662
2663         Fix incorrect handling of try-finally completion values.
2664         https://bugs.webkit.org/show_bug.cgi?id=195131
2665         <rdar://problem/46222079>
2666
2667         Reviewed by Saam Barati and Yusuke Suzuki.
2668
2669         Added many permutations of new test case to test-finally.js.  test-finally.js has
2670         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
2671         tests pass there as well.
2672
2673         * stress/test-finally.js:
2674
2675 2019-03-06  Saam Barati  <sbarati@apple.com>
2676
2677         Air::reportUsedRegisters must padInterference
2678         https://bugs.webkit.org/show_bug.cgi?id=195303
2679         <rdar://problem/48270343>
2680
2681         Reviewed by Keith Miller.
2682
2683         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
2684
2685 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
2686
2687         [JSC] AI should not propagate AbstractValue relying on constant folding phase
2688         https://bugs.webkit.org/show_bug.cgi?id=195375
2689
2690         Reviewed by Saam Barati.
2691
2692         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
2693         (let.array):
2694
2695 2019-03-05  Saam barati  <sbarati@apple.com>
2696
2697         op_switch_char broken for rope strings after JSRopeString layout rewrite
2698         https://bugs.webkit.org/show_bug.cgi?id=195339
2699         <rdar://problem/48592545>
2700
2701         Reviewed by Yusuke Suzuki.
2702
2703         * stress/switch-on-char-llint-rope.js: Added.
2704
2705 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
2706
2707         [JSC] Store bits for JSRopeString in 3 stores
2708         https://bugs.webkit.org/show_bug.cgi?id=195234
2709
2710         Reviewed by Saam Barati.
2711
2712         * stress/null-rope-and-collectors.js: Added.
2713
2714 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
2715
2716         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
2717         https://bugs.webkit.org/show_bug.cgi?id=195207
2718
2719         Unreviewed. After test runtime was reduced in r242213, test can be
2720         run again on ARM/MIPS.
2721
2722         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2723
2724 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2725
2726         [JSC] sizeof(JSString) should be 16
2727         https://bugs.webkit.org/show_bug.cgi?id=194375
2728
2729         Reviewed by Saam Barati.
2730
2731         * microbenchmarks/make-rope.js: Added.
2732         (makeRope):
2733         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
2734         (returnRope.helper): Deleted.
2735         (returnRope): Deleted.
2736
2737 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2738
2739         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
2740         https://bugs.webkit.org/show_bug.cgi?id=195144
2741
2742         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
2743         Change the number from 1e8 to 1e5.
2744
2745         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2746         (foo):
2747
2748 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
2749
2750         Test times out on ARM/MIPS
2751         https://bugs.webkit.org/show_bug.cgi?id=195168
2752
2753         Unreviewed. Skip test on ARM/MIPS.
2754
2755         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2756
2757 2019-02-27  Mark Lam  <mark.lam@apple.com>
2758
2759         The parser is failing to record the token location of new in new.target.
2760         https://bugs.webkit.org/show_bug.cgi?id=195127
2761         <rdar://problem/39645578>
2762
2763         Reviewed by Yusuke Suzuki.
2764
2765         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
2766
2767 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
2768
2769         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
2770         https://bugs.webkit.org/show_bug.cgi?id=195144
2771         <rdar://problem/47595961>
2772
2773         Reviewed by Mark Lam.
2774
2775         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
2776         (bar):
2777         (foo):
2778         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
2779         (bar):
2780         (foo):
2781
2782 2019-02-27  Robin Morisset  <rmorisset@apple.com>
2783
2784         DFG: Loop-invariant code motion (LICM) should not hoist dead code
2785         https://bugs.webkit.org/show_bug.cgi?id=194945
2786         <rdar://problem/48311657>
2787
2788         Reviewed by Mark Lam.
2789
2790         * stress/licm-dead-code.js: Added.
2791
2792 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
2793
2794         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
2795         https://bugs.webkit.org/show_bug.cgi?id=194677
2796         <rdar://problem/48112492>
2797
2798         Reviewed by Mark Lam.
2799
2800         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
2801         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
2802         it immediately fails due to the large size.
2803
2804         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
2805         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
2806         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
2807         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
2808
2809         This patch changes the test to produce 16bit string from String.fromCharCode.
2810
2811         * stress/regress-178386.js:
2812
2813 2019-02-26  Mark Lam  <mark.lam@apple.com>
2814
2815         wasmToJS() should purify incoming NaNs.
2816         https://bugs.webkit.org/show_bug.cgi?id=194807
2817         <rdar://problem/48189132>
2818
2819         Reviewed by Saam Barati.
2820
2821         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
2822
2823 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
2824
2825         [JSC] Repeat string created from Array.prototype.join() take too much memory
2826         https://bugs.webkit.org/show_bug.cgi?id=193912
2827
2828         Reviewed by Saam Barati.
2829
2830         Added a test and a microbenchmark for corner cases of
2831         Array.prototype.join() with an uninitialized array.
2832
2833         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
2834         * stress/array-prototype-join-uninitialized.js: Added.
2835         (testArray):
2836         (testABC):
2837         (B):
2838         (C):
2839
2840 2019-02-22  Robin Morisset  <rmorisset@apple.com>
2841
2842         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
2843         https://bugs.webkit.org/show_bug.cgi?id=194953
2844         <rdar://problem/47595253>
2845
2846         Reviewed by Saam Barati.
2847
2848         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
2849
2850         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
2851
2852 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2853
2854         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2855         https://bugs.webkit.org/show_bug.cgi?id=172848
2856         <rdar://problem/25709212>
2857
2858         Reviewed by Mark Lam.
2859
2860         * typeProfiler/inheritance.js:
2861         Rewrite the test slightly for clarity. The hoisting was confusing.
2862
2863         * heapProfiler/class-names.js: Added.
2864         (MyES5Class):
2865         (MyES6Class):
2866         (MyES6Subclass):
2867         Test object types and improved class names.
2868
2869         * heapProfiler/driver/driver.js:
2870         (CheapHeapSnapshotNode):
2871         (CheapHeapSnapshot):
2872         (createCheapHeapSnapshot):
2873         (HeapSnapshot):
2874         (createHeapSnapshot):
2875         Update snapshot parsing from version 1 to version 2.
2876
2877 2019-02-19  Truitt Savell  <tsavell@apple.com>
2878
2879         Unreviewed, rolling out r241784.
2880
2881         Broke all OpenSource builds.
2882
2883         Reverted changeset:
2884
2885         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
2886         instances view"
2887         https://bugs.webkit.org/show_bug.cgi?id=172848
2888         https://trac.webkit.org/changeset/241784
2889
2890 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2891
2892         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2893         https://bugs.webkit.org/show_bug.cgi?id=172848
2894         <rdar://problem/25709212>
2895
2896         Reviewed by Mark Lam.
2897
2898         * typeProfiler/inheritance.js:
2899         Rewrite the test slightly for clarity. The hoisting was confusing.
2900
2901         * heapProfiler/class-names.js: Added.
2902         (MyES5Class):
2903         (MyES6Class):
2904         (MyES6Subclass):
2905         Test object types and improved class names.
2906
2907         * heapProfiler/driver/driver.js:
2908         (CheapHeapSnapshotNode):
2909         (CheapHeapSnapshot):
2910         (createCheapHeapSnapshot):
2911         (HeapSnapshot):
2912         (createHeapSnapshot):
2913         Update snapshot parsing from version 1 to version 2.
2914
2915 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
2916
2917         [ARM] Fix crash with sampling profiler
2918         https://bugs.webkit.org/show_bug.cgi?id=194772
2919
2920         Reviewed by Mark Lam.
2921
2922         Do not skip test since crash with sampling profiler is now fixed.
2923
2924         * stress/sampling-profiler-richards.js:
2925
2926 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
2927
2928         [JSC] Add LazyClassStructure::getInitializedOnMainThread
2929         https://bugs.webkit.org/show_bug.cgi?id=194784
2930         <rdar://problem/48154820>
2931
2932         Reviewed by Mark Lam.
2933
2934         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
2935         (getProperties):
2936         (getRandomProperty):
2937         (i.catch):
2938
2939 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
2940
2941         [ARM] Test gardening: Test running out of executable memory
2942         https://bugs.webkit.org/show_bug.cgi?id=194771
2943
2944         Unreviewed. Do not run test without LLInt, test is running out of executable
2945         memory on ARM otherwise.
2946
2947         * stress/tagged-template-object-collect.js:
2948
2949 2019-02-18  Tomas Popela  <tpopela@redhat.com>
2950
2951         Unreviewed, skip the test on platforms without sampling profiler
2952
2953         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
2954         (platformSupportsSamplingProfiler.foo):
2955         (platformSupportsSamplingProfiler.test):
2956         (platformSupportsSamplingProfiler):
2957         (foo): Deleted.
2958         (test): Deleted.
2959
2960 2019-02-17  Saam Barati  <sbarati@apple.com>
2961
2962         Deadlock when adding a Structure property transition and then doing incremental marking
2963         https://bugs.webkit.org/show_bug.cgi?id=194767
2964
2965         Reviewed by Mark Lam.
2966
2967         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
2968
2969 2019-02-15  Michael Saboff  <msaboff@apple.com>
2970
2971         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
2972         https://bugs.webkit.org/show_bug.cgi?id=194558
2973
2974         Reviewed by Saam Barati.
2975
2976         New regression test.
2977
2978         * stress/regexp-unicode-within-string.js: Added.
2979
2980 2019-02-15  Mark Lam  <mark.lam@apple.com>
2981
2982         SamplingProfiler::stackTracesAsJSON() should escape strings.
2983         https://bugs.webkit.org/show_bug.cgi?id=194649
2984         <rdar://problem/48072386>
2985
2986         Reviewed by Saam Barati.
2987
2988         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
2989         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
2990         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
2991         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
2992
2993 2019-02-15  Robin Morisset  <rmorisset@apple.com>
2994         CodeBlock::jettison should clear related watchpoints
2995         https://bugs.webkit.org/show_bug.cgi?id=194544
2996
2997         Reviewed by Mark Lam.
2998
2999         * stress/regexp-replace-double-watchpoint.js: Added.
3000         (foo):
3001
3002 2019-02-15  Saam barati  <sbarati@apple.com>
3003
3004         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
3005         https://bugs.webkit.org/show_bug.cgi?id=194036
3006
3007         Reviewed by Yusuke Suzuki.
3008
3009         * stress/tail-call-many-arguments.js: Added.
3010         (foo):
3011         (bar):
3012
3013 2019-02-14  Saam Barati  <sbarati@apple.com>
3014
3015         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
3016         https://bugs.webkit.org/show_bug.cgi?id=194583
3017         <rdar://problem/48028140>
3018
3019         Reviewed by Yusuke Suzuki.
3020
3021         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
3022
3023 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
3024
3025         [JSC] String.fromCharCode's slow path always generates 16bit string
3026         https://bugs.webkit.org/show_bug.cgi?id=194466
3027
3028         Reviewed by Keith Miller.
3029
3030         * stress/string-from-char-code-slow-path.js: Added.
3031         (shouldBe):
3032         (testWithLength):
3033
3034 2019-02-08  Saam barati  <sbarati@apple.com>
3035
3036         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
3037         https://bugs.webkit.org/show_bug.cgi?id=194334
3038         <rdar://problem/47844327>
3039
3040         Reviewed by Mark Lam.
3041
3042         * stress/check-in-bounds-should-be-a-child-use.js: Added.
3043         (func):
3044
3045 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
3046
3047         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
3048         https://bugs.webkit.org/show_bug.cgi?id=194369
3049         <rdar://problem/47813087>
3050
3051         Reviewed by Saam Barati.
3052
3053         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
3054         (A):
3055
3056 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
3057
3058         [JSC] PrivateName to PublicName hash table is wasteful
3059         https://bugs.webkit.org/show_bug.cgi?id=194277
3060
3061         Reviewed by Michael Saboff.
3062
3063         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
3064
3065         * ChakraCore.yaml:
3066
3067 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
3068
3069         [ARM] Test running out of executable memory
3070         https://bugs.webkit.org/show_bug.cgi?id=194285
3071
3072         Unreviewed. Do not execute test with LLInt disabled, test runs out of
3073         executable memory otherwise.
3074
3075         * stress/class-subclassing-function.js:
3076
3077 2019-02-04  Robin Morisset  <rmorisset@apple.com>
3078
3079         when lowering AssertNotEmpty, create the value before creating the patchpoint
3080         https://bugs.webkit.org/show_bug.cgi?id=194231
3081
3082         Reviewed by Saam Barati.
3083
3084         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
3085         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
3086         So even tiny changes to this test can change the path code taken.
3087
3088         * stress/assert-not-empty.js: Added.
3089         (foo):
3090
3091 2019-02-01  Mark Lam  <mark.lam@apple.com>
3092
3093         Remove invalid assertion in DFG's compileDoubleRep().
3094         https://bugs.webkit.org/show_bug.cgi?id=194130
3095         <rdar://problem/47699474>
3096
3097         Reviewed by Saam Barati.
3098
3099         * stress/constant-fold-double-rep-into-double-constant.js: Added.
3100
3101 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
3102
3103         Import latest Test262 updates.
3104
3105         Rubber-stamped by Keith Miller.
3106
3107         * test262.yaml: Deleted.
3108         * test262/config.yaml:
3109         * test262/expectations.yaml:
3110         * test262/latest-changes-summary.txt:
3111         * test262/test/:
3112         * test262/test262-Revision.txt:
3113
3114 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3115
3116         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3117         https://bugs.webkit.org/show_bug.cgi?id=194050
3118         <rdar://problem/47595592>
3119
3120         Reviewed by Yusuke Suzuki.
3121
3122         * stress/object-keys-osr-exit.js: Added.
3123         (foo):
3124         (catch):
3125
3126 2019-01-29  Mark Lam  <mark.lam@apple.com>
3127
3128         ValueRecovery::recover() should purify NaN values it recovers.
3129         https://bugs.webkit.org/show_bug.cgi?id=193978
3130         <rdar://problem/47625488>
3131
3132         Reviewed by Saam Barati.
3133
3134         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
3135
3136 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3137
3138         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
3139         https://bugs.webkit.org/show_bug.cgi?id=193713
3140
3141         * stress/try-get-by-id-should-spill-registers-dfg.js:
3142         (let.f.createBuiltin):
3143
3144 2019-01-28  Mark Lam  <mark.lam@apple.com>
3145
3146         ToString node actually does GC.
3147         https://bugs.webkit.org/show_bug.cgi?id=193920
3148         <rdar://problem/46695900>
3149
3150         Reviewed by Yusuke Suzuki.
3151
3152         * stress/dfg-to-string-on-int-does-gc.js: Added.
3153         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
3154         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
3155
3156 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3157
3158         [JSC] NativeErrorConstructor should not have own IsoSubspace
3159         https://bugs.webkit.org/show_bug.cgi?id=193713
3160
3161         Reviewed by Saam Barati.
3162
3163         Remove @Error use.
3164
3165         * stress/try-get-by-id-should-spill-registers-dfg.js:
3166         (let.f.createBuiltin):
3167
3168 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3169
3170         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3171         https://bugs.webkit.org/show_bug.cgi?id=190693
3172
3173         Reviewed by Michael Saboff.
3174
3175         * stress/regress-190693.js: Added.
3176         (truth):
3177         (assert):
3178         (shouldThrowInvalidConstAssignment):
3179         (taz):
3180
3181 2019-01-24  Saam Barati  <sbarati@apple.com>
3182
3183         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3184         https://bugs.webkit.org/show_bug.cgi?id=193751
3185         <rdar://problem/47280215>
3186
3187         Reviewed by Michael Saboff.
3188
3189         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
3190         (let.thing):
3191         (foo.let.hello):
3192         (foo):
3193
3194 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3195
3196         [JSC] Reenable baseline JIT on mips
3197         https://bugs.webkit.org/show_bug.cgi?id=192983
3198
3199         Reviewed by Mark Lam.
3200
3201         Added a new test for a case that was triggering a RELEASE_ASSERT when
3202         testing.
3203         Disable some slow tests that were already disabled for arm and x86.
3204
3205         * stress/json-parse-big-object.js: Added.
3206         * stress/new-largeish-contiguous-array-with-size.js:
3207         * stress/op_add.js:
3208         * stress/op_bitand.js:
3209         * stress/op_bitor.js:
3210         * stress/op_bitxor.js:
3211         * stress/op_lshift-ConstVar.js:
3212         * stress/op_lshift-VarConst.js:
3213         * stress/op_lshift-VarVar.js:
3214         * stress/op_mod-ConstVar.js:
3215         * stress/op_mod-VarConst.js:
3216         * stress/op_mod-VarVar.js:
3217         * stress/op_mul-ConstVar.js:
3218         * stress/op_mul-VarConst.js:
3219         * stress/op_mul-VarVar.js:
3220         * stress/op_rshift-ConstVar.js:
3221         * stress/op_rshift-VarConst.js:
3222         * stress/op_rshift-VarVar.js:
3223         * stress/op_sub-ConstVar.js:
3224         * stress/op_sub-VarConst.js:
3225         * stress/op_sub-VarVar.js:
3226         * stress/op_urshift-ConstVar.js:
3227         * stress/op_urshift-VarConst.js:
3228         * stress/op_urshift-VarVar.js:
3229         * stress/sampling-profiler-richards.js:
3230         * stress/spread-forward-call-varargs-stack-overflow.js:
3231
3232 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
3233
3234         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
3235         https://bugs.webkit.org/show_bug.cgi?id=193711
3236         <rdar://problem/47250262>
3237
3238         Reviewed by Saam Barati.
3239
3240         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
3241         (shouldBe):
3242         (foo):
3243         (bar):
3244         (baz):
3245
3246 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3247
3248         Unreviewed, fix initial global lexical binding epoch
3249         https://bugs.webkit.org/show_bug.cgi?id=193603
3250         <rdar://problem/47380869>
3251
3252         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
3253         (f1.f2.f3.f4):
3254         (f1.f2.f3):
3255         (f1.f2):
3256         (f1):
3257
3258 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3259
3260         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
3261         https://bugs.webkit.org/show_bug.cgi?id=193709
3262         <rdar://problem/47363838>
3263
3264         Unreviewed, rollout to watch the tests.
3265
3266         * stress/object-tostring-changed-proto.js: Removed.
3267         * stress/object-tostring-changed.js: Removed.
3268         * stress/object-tostring-misc.js: Removed.
3269         * stress/object-tostring-other.js: Removed.
3270         * stress/object-tostring-untyped.js: Removed.
3271
3272 2019-01-22  Saam Barati  <sbarati@apple.com>
3273
3274         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
3275
3276         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
3277         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
3278         (testUncheckedLessThanZero):
3279         (testUncheckedLessThanOrEqualZero):
3280         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
3281         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
3282
3283 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3284
3285         [JSC] Invalidate old scope operations using global lexical binding epoch
3286         https://bugs.webkit.org/show_bug.cgi?id=193603
3287         <rdar://problem/47380869>
3288
3289         Reviewed by Saam Barati.
3290
3291         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
3292         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
3293         (shouldThrow):
3294         (bar):
3295         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
3296         (shouldBe):
3297         (get1):
3298         (get2):
3299         (get1If):
3300         (get2If):
3301         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
3302         (shouldThrow):
3303         (foo):
3304
3305 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
3306
3307         Unreviewed, roll out r240220 due to date-format-xparb regression
3308         https://bugs.webkit.org/show_bug.cgi?id=193603
3309
3310         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
3311         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
3312         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
3313         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
3314
3315 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
3316
3317         DoesGC rule is wrong for nodes with BigIntUse
3318         https://bugs.webkit.org/show_bug.cgi?id=193652
3319
3320         Reviewed by Saam Barati.
3321
3322         * stress/big-int-value-op-update-gc-rules.js: Added.
3323         (assert):
3324         (doesGCAdd):
3325         (doesGCSub):
3326         (doesGCDiv):
3327         (doesGCMul):
3328         (doesGCBitAnd):
3329         (doesGCBitOr):
3330         (doesGCBitXor):
3331
3332 2019-01-20  Saam Barati  <sbarati@apple.com>
3333
3334         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
3335         https://bugs.webkit.org/show_bug.cgi?id=193644
3336         <rdar://problem/46209745>
3337
3338         Reviewed by Yusuke Suzuki.
3339
3340         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
3341         (foo):
3342         * stress/data-view-set-intrinsic-undefined-result.js: Added.
3343         (foo):
3344         (bar):
3345
3346 2019-01-20  Saam Barati  <sbarati@apple.com>
3347
3348         MovHint must merge NodeBytecodeUsesAsValue for its child
3349         https://bugs.webkit.org/show_bug.cgi?id=186916
3350         <rdar://problem/41396612>
3351
3352         Reviewed by Yusuke Suzuki.
3353
3354         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
3355         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
3356
3357 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
3358
3359         [JSC] Invalidate old scope operations using global lexical binding epoch
3360         https://bugs.webkit.org/show_bug.cgi?id=193603
3361         <rdar://problem/47380869>
3362
3363         Reviewed by Saam Barati.
3364
3365         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
3366         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
3367         (shouldThrow):
3368         (bar):
3369         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
3370         (shouldBe):
3371         (get1):
3372         (get2):
3373         (get1If):
3374         (get2If):
3375         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
3376         (shouldThrow):
3377         (foo):
3378
3379 2019-01-17  Saam barati  <sbarati@apple.com>
3380
3381         StringObjectUse should not be a structure check for the original string object structure
3382         https://bugs.webkit.org/show_bug.cgi?id=193483
3383         <rdar://problem/47280522>
3384
3385         Reviewed by Yusuke Suzuki.
3386
3387         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
3388         (foo):
3389         (a.valueOf.0):
3390
3391 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3392
3393         [JSC] ToThis omission in DFGByteCodeParser is wrong
3394         https://bugs.webkit.org/show_bug.cgi?id=193513
3395         <rdar://problem/45842236>
3396
3397         Reviewed by Saam Barati.
3398
3399         * stress/to-this-omission-with-different-strict-modes.js: Added.
3400         (thisA):
3401         (thisAStrictWrapper):
3402
3403 2019-01-15  Mark Lam  <mark.lam@apple.com>
3404
3405         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
3406         https://bugs.webkit.org/show_bug.cgi?id=193423
3407         <rdar://problem/46209355>
3408
3409         Reviewed by Saam Barati.
3410
3411         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
3412         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
3413         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
3414         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
3415
3416 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3417
3418         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
3419         https://bugs.webkit.org/show_bug.cgi?id=193438
3420         <rdar://problem/45581249>
3421
3422         Reviewed by Saam Barati and Keith Miller.
3423
3424         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
3425         Then, GetByVal(String) crashed.
3426
3427         * stress/string-get-by-val-lowering.js: Added.
3428         (shouldBe):
3429         (test):
3430         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
3431         (Hello):
3432         (foo):
3433
3434 2019-01-15  Tomas Popela  <tpopela@redhat.com>
3435
3436         Unreviewed, skip JIT tests if it's not enabled
3437
3438         * stress/bit-op-with-object-returning-int32.js:
3439
3440 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
3441
3442         DFGByteCodeParser rules for bitwise operations should consider type of their operands
3443         https://bugs.webkit.org/show_bug.cgi?id=192966
3444
3445         Reviewed by Yusuke Suzuki.
3446
3447         * stress/bit-op-with-object-returning-int32.js: Added.
3448
3449 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
3450
3451         Skip a slow test and a flakey test on arm
3452
3453         Unreviewed gardening.
3454
3455         * typeProfiler/getter-richards.js:
3456         this test always times out, it used to be always skipped on arm and
3457         mips, but got accidentally enabled by r237919 now that we have DFG on
3458         arm. Also skipping on mips as we plan to soon enable DFG for it too.
3459
3460 2019-01-14  Keith Miller  <keith_miller@apple.com>
3461
3462         Skip type-check-hoisting-phase-hoist... with no jit
3463         https://bugs.webkit.org/show_bug.cgi?id=193421
3464
3465         Reviewed by Mark Lam.
3466
3467         It's timing out the 32-bit bots and takes 330 seconds
3468         on my machine when run by itself.
3469
3470         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
3471
3472 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3473
3474         [JSC] AI should check the given constant's array type when folding GetByVal into constant
3475         https://bugs.webkit.org/show_bug.cgi?id=193413
3476         <rdar://problem/46092389>
3477
3478         Reviewed by Keith Miller.
3479
3480         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
3481         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
3482         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
3483         but GetByVal does not have appropriate ArrayModes, JSC crashes.
3484
3485         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
3486         (compareArray):
3487
3488 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
3489
3490         [BigInt] Literal parsing is crashing when used inside a Object Literal
3491         https://bugs.webkit.org/show_bug.cgi?id=193404
3492
3493         Reviewed by Yusuke Suzuki.
3494
3495         * stress/big-int-literal-inside-literal-object.js: Added.
3496
3497 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3498
3499         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
3500         https://bugs.webkit.org/show_bug.cgi?id=193372
3501
3502         Reviewed by Saam Barati.
3503
3504         * stress/typed-array-array-modes-profile.js: Added.
3505         (foo):
3506
3507 2019-01-14  Mark Lam  <mark.lam@apple.com>
3508
3509         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
3510         https://bugs.webkit.org/show_bug.cgi?id=193402
3511         <rdar://problem/46012309>
3512
3513         Reviewed by Keith Miller.
3514
3515         * stress/regexp-compile-oom.js:
3516         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
3517           is enabled.  As a result, it will fail on cloop builds though there is no bug.
3518
3519 2019-01-11  Saam Barati  <sbarati@apple.com>
3520
3521         DFG combined liveness can be wrong for terminal basic blocks
3522         https://bugs.webkit.org/show_bug.cgi?id=193304
3523         <rdar://problem/45268632>
3524
3525         Reviewed by Yusuke Suzuki.
3526
3527         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
3528
3529 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3530
3531         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
3532         https://bugs.webkit.org/show_bug.cgi?id=193308
3533         <rdar://problem/45546542>
3534
3535         Reviewed by Saam Barati.
3536
3537         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
3538         (shouldThrow):
3539         (shouldBe):
3540         (foo):
3541         (get shouldThrow):
3542         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
3543         (shouldThrow):
3544         (shouldBe):
3545         (foo):
3546         (get shouldBe):
3547         (get shouldThrow):
3548         (get return):
3549         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
3550         (shouldThrow):
3551         (shouldBe):
3552         (foo):
3553         (get shouldBe):
3554         (get shouldThrow):
3555         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
3556         (shouldThrow):
3557         (shouldBe):
3558         (foo):
3559         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
3560         (shouldThrow):
3561         (shouldBe):
3562         (foo):
3563         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
3564         (shouldThrow):
3565         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
3566         (shouldThrow):
3567         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
3568         (shouldThrow):
3569         (shouldBe):
3570         (foo):
3571         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
3572         (shouldThrow):
3573         (shouldBe):
3574         (foo):
3575         (get shouldBe):
3576         (get shouldThrow):
3577         (get return):
3578         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
3579         (shouldThrow):
3580         (shouldBe):
3581         (foo):
3582         (get shouldBe):
3583         (get shouldThrow):
3584         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
3585         (shouldThrow):
3586         (shouldBe):
3587         (foo):
3588         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
3589         (shouldThrow):
3590         (shouldBe):
3591         (foo):
3592
3593 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
3594
3595         Enable DFG on ARM/Linux again
3596         https://bugs.webkit.org/show_bug.cgi?id=192496
3597
3598         Reviewed by Yusuke Suzuki.
3599
3600         Test wasn't really skipped before moving the line with skip
3601         to the top.
3602
3603         * stress/regress-192717.js:
3604
3605 2019-01-10  Commit Queue  <commit-queue@webkit.org>
3606
3607         Unreviewed, rolling out r239825.
3608         https://bugs.webkit.org/show_bug.cgi?id=193330
3609
3610         Broke tests on armv7/linux bots (Requested by guijemont on
3611         #webkit).
3612
3613         Reverted changeset:
3614
3615         "Enable DFG on ARM/Linux again"
3616         https://bugs.webkit.org/show_bug.cgi?id=192496
3617         https://trac.webkit.org/changeset/239825
3618
3619 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
3620
3621         Enable DFG on ARM/Linux again
3622         https://bugs.webkit.org/show_bug.cgi?id=192496
3623
3624         Reviewed by Yusuke Suzuki.
3625
3626         Test wasn't really skipped before moving the line with skip
3627         to the top.
3628
3629         * stress/regress-192717.js:
3630
3631 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3632
3633         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
3634         https://bugs.webkit.org/show_bug.cgi?id=193127
3635
3636         Reviewed by Saam Barati.
3637
3638         * stress/array-species-create-should-handle-masquerader.js: Added.
3639         (shouldThrow):
3640         * stress/is-undefined-or-null-builtin.js: Added.
3641         (shouldBe):
3642         (isUndefinedOrNull.vm.createBuiltin):
3643
3644 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
3645
3646         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
3647         https://bugs.webkit.org/show_bug.cgi?id=193221
3648
3649         Reviewed by Mark Lam.
3650
3651         * stress/put-by-id-flags.js: Added.
3652         (f):
3653         (g):
3654         (numberOfDFGCompiles):
3655
3656 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
3657
3658         Baseline version of get_by_id may corrupt metadata
3659         https://bugs.webkit.org/show_bug.cgi?id=193085
3660         <rdar://problem/23453006>
3661
3662         Reviewed by Saam Barati.
3663
3664         * stress/get-by-id-change-mode.js: Added.
3665         (forEach):
3666
3667 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3668
3669         [JSC] Optimize Object.prototype.toString
3670         https://bugs.webkit.org/show_bug.cgi?id=193031
3671
3672         Reviewed by Saam Barati.
3673
3674         * stress/object-tostring-changed-proto.js: Added.
3675         (shouldBe):
3676         (test):
3677         * stress/object-tostring-changed.js: Added.
3678         (shouldBe):
3679         (test):
3680         * stress/object-tostring-misc.js: Added.
3681         (shouldBe):
3682         (test):
3683         (i.switch):
3684         * stress/object-tostring-other.js: Added.
3685         (shouldBe):
3686         (test):
3687         * stress/object-tostring-untyped.js: Added.
3688         (shouldBe):
3689         (test):
3690         (i.switch):
3691
3692 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
3693
3694         test262-runner misbehaves when test file YAML has a trailing space
3695         https://bugs.webkit.org/show_bug.cgi?id=193053
3696
3697         Reviewed by Yusuke Suzuki.
3698
3699         * test262/expectations.yaml:
3700         Mark two dozen tests as passing (and correct the output of another).
3701
3702 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3703
3704         Unreviewed, JSTests gardening with memoryLimited
3705
3706         * stress/string-overflow-createError.js:
3707
3708 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
3709
3710         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
3711         https://bugs.webkit.org/show_bug.cgi?id=193050
3712
3713         Reviewed by Yusuke Suzuki.
3714
3715         * test262.yaml:
3716         * test262/expectations.yaml:
3717         Mark 16 tests as passing.
3718
3719 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3720
3721         [BigInt] Support BigInt in JSON.stringify
3722         https://bugs.webkit.org/show_bug.cgi?id=192624
3723
3724         Reviewed by Saam Barati.
3725
3726         * stress/big-int-json-stringify-to-json.js: Added.
3727         (shouldBe):
3728         (shouldThrow):
3729         (BigInt.prototype.toJSON):
3730         (shouldBe.JSON.stringify):
3731         * stress/big-int-json-stringify.js: Added.
3732         (shouldBe):
3733         (shouldThrow):
3734
3735 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3736
3737         [JSC] Implement "well-formed JSON.stringify" proposal
3738         https://bugs.webkit.org/show_bug.cgi?id=191677
3739
3740         Reviewed by Darin Adler.
3741
3742         * stress/json-surrogate-pair.js: Added.
3743         (shouldBe):
3744         * test262/expectations.yaml:
3745
3746 2018-12-20  Keith Miller  <keith_miller@apple.com>
3747
3748         Add support for globalThis
3749         https://bugs.webkit.org/show_bug.cgi?id=165171
3750
3751         Reviewed by Mark Lam.
3752
3753         * test262/config.yaml:
3754
3755 2018-12-19  Keith Miller  <keith_miller@apple.com>
3756
3757         Update test262 configuration to not run tests dependent on ICU version.
3758         https://bugs.webkit.org/show_bug.cgi?id=192920
3759
3760         Reviewed by Saam Barati.
3761
3762         * test262/expectations.yaml:
3763
3764 2018-12-20  Mark Lam  <mark.lam@apple.com>
3765
3766         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
3767         https://bugs.webkit.org/show_bug.cgi?id=192939
3768         <rdar://problem/46869516>
3769
3770         Reviewed by Keith Miller.
3771
3772         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
3773
3774 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
3775
3776         WTF::String and StringImpl overflow MaxLength
3777         https://bugs.webkit.org/show_bug.cgi?id=192853
3778         <rdar://problem/45726906>
3779
3780         Reviewed by Mark Lam.
3781
3782         * stress/string-16bit-repeat-overflow.js: Added.
3783         (catch):
3784
3785 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
3786
3787         Unreviewed follow-up to r192914.
3788
3789         * test262/expectations.yaml:
3790         Add the last 20 missing expectations.
3791
3792 2018-12-19  Keith Miller  <keith_miller@apple.com>
3793
3794         Fix test262 expectations
3795         https://bugs.webkit.org/show_bug.cgi?id=192914
3796
3797         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
3798
3799         * test262/expectations.yaml:
3800
3801 2018-12-19  Keith Miller  <keith_miller@apple.com>
3802
3803         Update test262 tests.
3804         https://bugs.webkit.org/show_bug.cgi?id=192907
3805
3806         Rubber stamped by Mark Lam.
3807
3808         * test262/*: Omitted because prepare-changelog crashes.
3809
3810 2018-12-19  Mark Lam  <mark.lam@apple.com>
3811
3812         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
3813         https://bugs.webkit.org/show_bug.cgi?id=192464
3814         <rdar://problem/46519455>
3815
3816         Reviewed by Saam Barati.
3817
3818         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
3819         microbenchmark.
3820
3821         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
3822         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
3823
3824 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
3825
3826         String overflow in JSC::createError results in ASSERT in WTF::makeString
3827         https://bugs.webkit.org/show_bug.cgi?id=192833
3828         <rdar://problem/45706868>
3829
3830         Reviewed by Mark Lam.
3831
3832         * stress/string-overflow-createError.js: Added.
3833
3834 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
3835
3836         Error message for `-x ** y` contains a typo.
3837         https://bugs.webkit.org/show_bug.cgi?id=192832
3838
3839         Reviewed by Saam Barati.
3840
3841         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
3842         (assert.assert.return.throws):
3843         * stress/pow-expects-update-expression-on-lhs.js:
3844         (throw.new.Error):
3845         Update test expectations which match against the exact error message.
3846
3847 2018-12-18  Mark Lam  <mark.lam@apple.com>
3848
3849         Gardening: test options fix.
3850         https://bugs.webkit.org/show_bug.cgi?id=192822
3851
3852         Unreviewed.
3853
3854         * stress/json-stringify-string-builder-overflow.js:
3855
3856 2018-12-18  Mark Lam  <mark.lam@apple.com>
3857
3858         JSON.stringify() should throw OOM on StringBuilder overflows.
3859         https://bugs.webkit.org/show_bug.cgi?id=192822
3860         <rdar://problem/46670577>
3861
3862         Reviewed by Saam Barati.
3863
3864         * stress/json-stringify-string-builder-overflow.js: Added.
3865
3866 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
3867
3868         Redeclaration of var over let/const/class should be a syntax error.
3869         https://bugs.webkit.org/show_bug.cgi?id=192298
3870
3871         Reviewed by Keith Miller.
3872
3873         * test262.yaml:
3874         * test262/expectations.yaml:
3875         Mark 46 tests as passing.
3876
3877         * stress/block-scope-redeclarations.js:
3878         Add some new tests.
3879
3880         * stress/for-in-invalidate-context-weird-assignments.js:
3881         * stress/for-in-tests.js:
3882         Replace tests for outdated behavior with tests for SyntaxError.
3883
3884         * ChakraCore/test/LetConst/defer3.baseline-jsc:
3885         * ChakraCore/test/LetConst/letvar.baseline-jsc:
3886         Update expectations.
3887
3888 2018-12-18  Mark Lam  <mark.lam@apple.com>
3889
3890         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
3891         https://bugs.webkit.org/show_bug.cgi?id=191374
3892         <rdar://problem/46525447>
3893
3894         Reviewed by Yusuke Suzuki.
3895
3896         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
3897
3898         * stress/elidable-new-object-roflcopter-then-exit.js:
3899
3900 2018-12-17  Mark Lam  <mark.lam@apple.com>
3901
3902         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
3903         https://bugs.webkit.org/show_bug.cgi?id=192019
3904         <rdar://problem/46525456>
3905
3906         Reviewed by Yusuke Suzuki.
3907
3908         The test runs too slow on 32-bit.
3909
3910         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
3911
3912 2018-12-17  Mark Lam  <mark.lam@apple.com>
3913
3914         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
3915         https://bugs.webkit.org/show_bug.cgi?id=191373
3916         <rdar://problem/46525458>
3917
3918         Reviewed by Yusuke Suzuki.
3919
3920         The test is already slow running with a JIT on 64-bit.  It will always timeout
3921         on 32-bit without a JIT.
3922
3923         * stress/materialize-regexp-cyclic-regexp.js:
3924
3925 2018-12-17  Mark Lam  <mark.lam@apple.com>
3926
3927         Array unshift/shift should not race against the AI in the compiler thread.
3928         https://bugs.webkit.org/show_bug.cgi?id=192795
3929         <rdar://problem/46724263>
3930
3931         Reviewed by Saam Barati.
3932
3933         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
3934
3935 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3936
3937         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
3938         https://bugs.webkit.org/show_bug.cgi?id=190047
3939
3940         Reviewed by Saam Barati.
3941
3942         * stress/object-keys-cached-zero.js: Added.
3943         (shouldBe):
3944         (test):
3945         * stress/object-keys-changed-attribute.js: Added.
3946         (shouldBe):
3947         (test):
3948         * stress/object-keys-changed-index.js: Added.
3949         (shouldBe):
3950         (test):
3951         * stress/object-keys-changed.js: Added.
3952         (shouldBe):
3953         (test):
3954         * stress/object-keys-indexed-non-cache.js: Added.
3955         (shouldBe):
3956         (test):
3957         * stress/object-keys-overrides-get-property-names.js: Added.
3958         (shouldBe):
3959         (test):
3960         (noInline):
3961
3962 2018-12-17  Mark Lam  <mark.lam@apple.com>
3963
3964         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
3965         https://bugs.webkit.org/show_bug.cgi?id=192779
3966         <rdar://problem/46775869>
3967
3968         Reviewed by Saam Barati.
3969
3970         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
3971
3972 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
3973
3974         Unreviewed test gardening, address a syntax error in a new test.
3975
3976         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
3977
3978 2018-12-17  Mark Lam  <mark.lam@apple.com>
3979
3980         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
3981         https://bugs.webkit.org/show_bug.cgi?id=192776
3982         <rdar://problem/46772368>
3983
3984         Reviewed by Keith Miller.
3985
3986         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
3987
3988 2018-12-17  Mark Lam  <mark.lam@apple.com>
3989
3990         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
3991         https://bugs.webkit.org/show_bug.cgi?id=192770
3992         <rdar://problem/46449037>
3993
3994         Reviewed by Keith Miller.
3995
3996         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
3997
3998 2018-12-14  Mark Lam  <mark.lam@apple.com>
3999
4000         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
4001         https://bugs.webkit.org/show_bug.cgi?id=192717
4002         <rdar://problem/46660677>
4003
4004         Reviewed by Saam Barati.
4005
4006         * stress/regress-192717.js: Added.
4007
4008 2018-12-14  Commit Queue  <commit-queue@webkit.org>
4009
4010         Unreviewed, rolling out r239153, r239154, and r239155.
4011         https://bugs.webkit.org/show_bug.cgi?id=192715
4012
4013         Caused flaky GC-related crashes seen with layout tests
4014         (Requested by ryanhaddad on #webkit).
4015
4016         Reverted changesets:
4017
4018         "[JSC] Optimize Object.keys by caching own keys results in
4019         StructureRareData"
4020         https://bugs.webkit.org/show_bug.cgi?id=190047
4021         https://trac.webkit.org/changeset/239153
4022
4023         "Unreviewed, build fix after r239153"
4024         https://bugs.webkit.org/show_bug.cgi?id=190047
4025         https://trac.webkit.org/changeset/239154
4026
4027         "Unreviewed, build fix after r239153, part 2"
4028         https://bugs.webkit.org/show_bug.cgi?id=190047
4029         https://trac.webkit.org/changeset/239155
4030
4031 2018-12-14  Keith Miller  <keith_miller@apple.com>
4032
4033         Callers of JSString::getIndex should check for OOM exceptions
4034         https://bugs.webkit.org/show_bug.cgi?id=192709
4035
4036         Reviewed by Mark Lam.
4037
4038         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
4039
4040 2018-12-13  Mark Lam  <mark.lam@apple.com>
4041
4042         Add a missing exception check.
4043         https://bugs.webkit.org/show_bug.cgi?id=192626
4044         <rdar://problem/46662163>
4045
4046         Reviewed by Keith Miller.
4047
4048         * stress/regress-192626.js: Added.
4049
4050 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
4051
4052         [BigInt] Add ValueDiv into DFG
4053         https://bugs.webkit.org/show_bug.cgi?id=186178
4054
4055         Reviewed by Yusuke Suzuki.
4056
4057         * stress/big-int-div-jit-osr.js: Added.
4058         * stress/big-int-div-jit-untyped.js: Added.
4059         * stress/value-div-fixup-int32-big-int.js: Added.
4060
4061 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4062
4063         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
4064         https://bugs.webkit.org/show_bug.cgi?id=190047
4065
4066         Reviewed by Keith Miller.
4067
4068         * stress/object-keys-cached-zero.js: Added.
4069         (shouldBe):
4070         (test):
4071         * stress/object-keys-changed-attribute.js: Added.
4072         (shouldBe):
4073         (test):
4074         * stress/object-keys-changed-index.js: Added.
4075         (shouldBe):
4076         (test):
4077         * stress/object-keys-changed.js: Added.
4078         (shouldBe):
4079         (test):
4080         * stress/object-keys-indexed-non-cache.js: Added.
4081         (shouldBe):
4082         (test):
4083         * stress/object-keys-overrides-get-property-names.js: Added.
4084         (shouldBe):
4085         (test):
4086         (noInline):
4087
4088 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4089
4090         [DFG][FTL] Add NewSymbol
4091         https://bugs.webkit.org/show_bug.cgi?id=192620
4092
4093         Reviewed by Saam Barati.
4094
4095         * microbenchmarks/symbol-creation.js: Added.
4096         (test):
4097         * stress/symbol-description-identity.js: Added.
4098         (shouldBe):
4099         (test):
4100         * stress/symbol-identity.js: Added.
4101         (shouldBe):
4102         (test):
4103         * stress/symbol-with-description-throw-error.js: Added.
4104         (shouldBe):
4105         (shouldThrow):
4106         (test):
4107         (object.toString):
4108
4109 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4110
4111         [BigInt] Implement DFG/FTL typeof for BigInt
4112         https://bugs.webkit.org/show_bug.cgi?id=192619
4113
4114         Reviewed by Keith Miller.
4115
4116         * stress/big-int-boolean-proven-type.js: Added.
4117         (assert):
4118         (bool):
4119         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
4120         (assert):
4121         (typeOf):
4122         (i.switch):
4123         * stress/big-int-type-of-proven-type-non-constant.js: Added.
4124         (assert):
4125         (typeOf):
4126         * stress/big-int-type-of.js:
4127         (typeOf):
4128         (func):
4129
4130 2018-12-10  Mark Lam  <mark.lam@apple.com>
4131
4132         PropertyAttribute needs a CustomValue bit.
4133         https://bugs.webkit.org/show_bug.cgi?id=191993
4134         <rdar://problem/46264467>
4135
4136         Reviewed by Saam Barati.
4137
4138         * stress/regress-191993.js: Added.
4139
4140 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
4141
4142         [BigInt] Add ValueMul into DFG
4143         https://bugs.webkit.org/show_bug.cgi?id=186175
4144
4145         Reviewed by Yusuke Suzuki.
4146
4147         * stress/big-int-mul-jit-osr.js: Added.
4148         * stress/big-int-mul-jit-untyped.js: Added.
4149         * stress/value-mul-fixup-int32-big-int.js: Added.
4150
4151 2018-12-06  Keith Miller  <keith_miller@apple.com>
4152
4153         stress/big-wasm-memory tests failing on 32-bit JSC bot
4154         https://bugs.webkit.org/show_bug.cgi?id=192020
4155
4156         Reviewed by Saam Barati.
4157
4158         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
4159         the wasm stress tests if the WebAssembly object does not exist.
4160
4161         * stress/big-wasm-memory-grow-no-max.js:
4162         (test.foo):
4163         (test):
4164         (foo): Deleted.
4165         (catch): Deleted.
4166         * stress/big-wasm-memory-grow.js:
4167         (test.foo):
4168         (test):
4169         (foo): Deleted.
4170         (catch): Deleted.
4171         * stress/big-wasm-memory.js:
4172         (test.foo):
4173         (test):
4174         (foo): Deleted.
4175         (catch): Deleted.
4176
4177 2018-12-05  Mark Lam  <mark.lam@apple.com>
4178
4179         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
4180         https://bugs.webkit.org/show_bug.cgi?id=192441
4181         <rdar://problem/46480355>
4182
4183         Reviewed by Saam Barati.
4184
4185         * stress/regress-192441.js: Added.
4186
4187 2018-12-04  Mark Lam  <mark.lam@apple.com>
4188
4189         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
4190         https://bugs.webkit.org/show_bug.cgi?id=192386
4191         <rdar://problem/46445516>
4192
4193         Reviewed by Saam Barati.
4194
4195         * stress/regress-192386.js: Added.
4196
4197 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
4198
4199         [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        * stress/big-int-branch-usage.js: Added.
        * stress/big-int-logical-and.js: Added.
        * stress/big-int-logical-not.js: Added.
        * stress/big-int-logical-or.js: Added.

2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238833.

        Breaks macOS and iOS debug builds.

        Reverted changeset:

        "[ESNext][BigInt] Support logic operations"
        https://bugs.webkit.org/show_bug.cgi?id=179903
        https://trac.webkit.org/changeset/238833

2018-12-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        * stress/big-int-branch-usage.js: Added.
        * stress/big-int-logical-and.js: Added.
        * stress/big-int-logical-not.js: Added.
        * stress/big-int-logical-or.js: Added.

2018-12-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<<" and ">>"
        https://bugs.webkit.org/show_bug.cgi?id=186233

        Reviewed by Yusuke Suzuki.

        * stress/big-int-left-shift-general.js: Added.
        * stress/big-int-left-shift-range-error.js: Added.
        * stress/big-int-left-shift-type-error.js: Added.
        * stress/big-int-left-shift-wrapped-value.js: Added.
        * stress/big-int-right-shift-general.js: Added.
        * stress/big-int-right-shift-type-error.js: Added.
        * stress/big-int-right-shift-wrapped-value.js: Added.
        * stress/left-shift-to-primitive-precedence.js: Added.
        * stress/right-shift-to-primitive-precedence.js: Added.

2018-11-30  Dean Jackson  <dino@apple.com>

        Add first-class support for .mjs files in jsc binary
        https://bugs.webkit.org/show_bug.cgi?id=192190
        <rdar://problem/46375715>

        Reviewed by Keith Miller.

        * stress/simple-module.mjs: Added.
        * stress/simple-script.js: Added.

2018-11-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Implement ValueBitXor into DFG
        https://bugs.webkit.org/show_bug.cgi?id=190264

        Reviewed by Yusuke Suzuki.

        * stress/big-int-bitwise-xor-jit.js: Added.
        * stress/big-int-bitwise-xor-memory-stress.js: Added.
        * stress/big-int-bitwise-xor-untyped.js: Added.

2018-11-27  Saam barati  <sbarati@apple.com>

        r238510 broke scopes of size zero
        https://bugs.webkit.org/show_bug.cgi?id=192033
        <rdar://problem/46281734>

        Reviewed by Keith Miller.

        * stress/r238510-bad-loop.js: Added.
        (foo):

2018-11-27  Mark Lam  <mark.lam@apple.com>

        [Re-landing] NaNs read from Wasm code need to be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/regress/regress-191056.js: Added.

2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238509.

        Causes JSC tests to fail on iOS.

        Reverted changeset:

        "NaNs read from Wasm code need to be purified."
        https://bugs.webkit.org/show_bug.cgi?id=191056
        https://trac.webkit.org/changeset/238509

2018-11-26  Caio Lima  <ticaiolima@gmail.com>

        Re-introduce op_bitnot
        https://bugs.webkit.org/show_bug.cgi?id=190923

        Reviewed by Yusuke Suzuki.

        * stress/bit-not-must-generate.js: Added.
        * stress/bitwise-not-no-int32.js: Added.

2018-11-26  Saam barati  <sbarati@apple.com>

        InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
        https://bugs.webkit.org/show_bug.cgi?id=191956
        <rdar://problem/45665806>

        Reviewed by Yusuke Suzuki.

        * stress/end-basic-block-set-local-should-filter-type.js: Added.
        (bar):
        (foo):

2018-11-26  Saam barati  <sbarati@apple.com>

        Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
        https://bugs.webkit.org/show_bug.cgi?id=191958
        <rdar://problem/46221877>

        Reviewed by Yusuke Suzuki.

        * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
        (x):
        (foo):

2018-11-26  Mark Lam  <mark.lam@apple.com>

        NaNs read from Wasm code need to be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/regress/regress-191056.js: Added.

2018-11-26  Michael Saboff  <msaboff@apple.com>

        32-bit JSC test failure: stress/regexp-compile-oom.js
        https://bugs.webkit.org/show_bug.cgi?id=191375

        Reviewed by Mark Lam.

        Disabled the test for 32 bit platforms.

        * stress/regexp-compile-oom.js:

2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>

        ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
        https://bugs.webkit.org/show_bug.cgi?id=191716
        <rdar://problem/45723878>

        Reviewed by Saam Barati.

        * stress/regress-187373.js: Added.
        (async.fn):

2018-11-21  Saam barati  <sbarati@apple.com>

        DFGSpeculativeJIT should not &= exitOK with mayExit(node)
        https://bugs.webkit.org/show_bug.cgi?id=191897
        <rdar://problem/45871998>

        Reviewed by Mark Lam.

        * stress/exitok-is-not-the-same-as-mayExit.js: Added.
        (bar):
        (foo):

2018-11-21  Saam barati  <sbarati@apple.com>

        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
        https://bugs.webkit.org/show_bug.cgi?id=191895
        <rdar://problem/46167406>

        Reviewed by Mark Lam.

        * stress/known-cell-use-needs-type-check-assertion.js: Added.
        (foo):
        (bar):

2018-11-21  Mark Lam  <mark.lam@apple.com>

        Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
        https://bugs.webkit.org/show_bug.cgi?id=191776
        <rdar://problem/46152851>

        Reviewed by Saam Barati.

        * stress/big-wasm-memory-grow-no-max.js:
        * stress/big-wasm-memory-grow.js:
        * stress/big-wasm-memory.js:
        - updated these to expect an OutOfMemoryError.

        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
        (Binary.prototype.emit_u8):
        (Binary.prototype.emit_u32v):
        (Binary.prototype.emit_header):
        (Binary.prototype.emit_section):
        (Binary):
        (WasmModuleBuilder):
        (WasmModuleBuilder.prototype.addMemory):
        (WasmModuleBuilder.prototype.toArray):
        (WasmModuleBuilder.prototype.toBuffer):
        (WasmModuleBuilder.prototype.instantiate):
        (catch):
        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
        (catch):

2018-11-21  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
        https://bugs.webkit.org/show_bug.cgi?id=190836

        Reviewed by Saam Barati and Yusuke Suzuki.

        * stress/big-int-out-of-memory-tests.js: Added.

2018-11-20  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in VMTraps::SignalSender's SignalAction.
        https://bugs.webkit.org/show_bug.cgi?id=191856
        <rdar://problem/46089992>

        Reviewed by Yusuke Suzuki.

        * stress/regress-191856.js: Added.
        - this test is skipped for now until we have a fix for webkit.org/b/191855.

2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable JIT on ARM/Linux
        https://bugs.webkit.org/show_bug.cgi?id=191548

        Reviewed by Yusuke Suzuki.

        Disable test on systems with limited memory. Program was killed by
        the OS before the exception was thrown.

        * slowMicrobenchmarks/function-constructor-with-huge-strings.js:

2018-11-20  Saam barati  <sbarati@apple.com>

        Merging an IC variant may lead to the IC status containing overlapping structure sets
        https://bugs.webkit.org/show_bug.cgi?id=191869
        <rdar://problem/45403453>

        Reviewed by Mark Lam.

        * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.

2018-11-19  Mark Lam  <mark.lam@apple.com>

        globalFuncImportModule() should return a promise when it clears exceptions.
        https://bugs.webkit.org/show_bug.cgi?id=191792
        <rdar://problem/46090763>

        Reviewed by Michael Saboff.

        * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.

2018-11-19  Guillaume Emont  <guijemont@igalia.com>

        Skip new memory-hungry tests on memory limited devices

        Unreviewed gardening.

        * stress/big-wasm-memory-grow-no-max.js:
        * stress/big-wasm-memory-grow.js:
        * stress/big-wasm-memory.js:

2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, rolling in the rest of r237254
        https://bugs.webkit.org/show_bug.cgi?id=190340

        * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
        * stress/function-cache-with-parameters-end-position.js: Added.
        (shouldBe):
        (shouldThrow):
        (i.anonymous):
        * stress/function-constructor-name.js: Added.
        (shouldBe):
        (GeneratorFunction):
        (AsyncFunction.async):
        (AsyncGeneratorFunction.async):
        (anonymous):
        (async.anonymous):
        * test262/expectations.yaml:

2018-11-16  Filip Pizlo  <fpizlo@apple.com>

        All users of ArrayBuffer should agree on the same max size
        https://bugs.webkit.org/show_bug.cgi?id=191771

        Reviewed by Mark Lam.

        * stress/big-w
4510
4511         * stress/big-w