JSC::createError needs to check for OOM in errorDescriptionForValue
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
2
3         JSC::createError needs to check for OOM in errorDescriptionForValue
4         https://bugs.webkit.org/show_bug.cgi?id=196032
5         <rdar://problem/46842740>
6
7         Reviewed by Mark Lam.
8
9         * stress/create-error-out-of-memory-rope-string.js: Added.
10
11 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         Unreviewed, reduce # of iterations to avoid timing out after r242991
14         https://bugs.webkit.org/show_bug.cgi?id=195791
15
16         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
17
18         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
19
20 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
21
22         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
23         https://bugs.webkit.org/show_bug.cgi?id=195950
24
25         Unreviewed, reducing the amount of memory used on this test to avoid
26         OOM on devices with memory restrictions.
27
28         * microbenchmarks/generate-multiple-llint-entrypoints.js:
29
30 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
31
32         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
33         https://bugs.webkit.org/show_bug.cgi?id=194648
34
35         Reviewed by Keith Miller.
36
37         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
38
39 2019-03-18  Mark Lam  <mark.lam@apple.com>
40
41         Missing a ThrowScope release in JSObject::toString().
42         https://bugs.webkit.org/show_bug.cgi?id=195893
43         <rdar://problem/48970986>
44
45         Reviewed by Michael Saboff.
46
47         * stress/to-string-exception-check-release.js: Added.
48
49 2019-03-18  Mark Lam  <mark.lam@apple.com>
50
51         Structure::flattenDictionary() should clear unused property slots.
52         https://bugs.webkit.org/show_bug.cgi?id=195871
53         <rdar://problem/48959497>
54
55         Reviewed by Michael Saboff.
56
57         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
58
59 2019-03-15  Mark Lam  <mark.lam@apple.com>
60
61         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
62         https://bugs.webkit.org/show_bug.cgi?id=195827
63         <rdar://problem/48845513>
64
65         Reviewed by Filip Pizlo.
66
67         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
68
69 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
70
71         [ARM,MIPS] Skip slow tests
72         https://bugs.webkit.org/show_bug.cgi?id=195799
73
74         Unreviewed, test does not finish on ARM and MIPS within the
75         timeout limit.
76
77         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
78
79 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
80
81         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
82         https://bugs.webkit.org/show_bug.cgi?id=195791
83         <rdar://problem/48806130>
84
85         Reviewed by Mark Lam.
86
87         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
88         (foo):
89
90 2019-03-14  Saam barati  <sbarati@apple.com>
91
92         We can't remove code after ForceOSRExit until after FixupPhase
93         https://bugs.webkit.org/show_bug.cgi?id=186916
94         <rdar://problem/41396612>
95
96         Reviewed by Yusuke Suzuki.
97
98         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
99         (foo):
100         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
101         (foo):
102
103 2019-03-13  Michael Saboff  <msaboff@apple.com>
104
105         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
106         https://bugs.webkit.org/show_bug.cgi?id=195735
107
108         Reviewed by Mark Lam.
109
110         New regression test.
111
112         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
113         (foo):
114         (bar):
115
116 2019-03-14  Saam barati  <sbarati@apple.com>
117
118         Fixup uses KnownInt32 incorrectly in some nodes
119         https://bugs.webkit.org/show_bug.cgi?id=195279
120         <rdar://problem/47915654>
121
122         Reviewed by Yusuke Suzuki.
123
124         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
125         (foo):
126
127 2019-03-14  Keith Miller  <keith_miller@apple.com>
128
129         DFG liveness can't skip tail caller inline frames
130         https://bugs.webkit.org/show_bug.cgi?id=195715
131
132         Reviewed by Saam Barati.
133
134         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
135         (i.foo):
136
137 2019-03-13  Mark Lam  <mark.lam@apple.com>
138
139         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
140         https://bugs.webkit.org/show_bug.cgi?id=195415
141
142         Not reviewed.
143
144         Changed these tests to only run the default configuration.
145         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
146         There's no strong need to run this test on that variant.
147
148         * stress/dfg-to-string-on-int-does-gc.js:
149         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
150
151 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
152
153         String overflow when using StringBuilder in JSC::createError
154         https://bugs.webkit.org/show_bug.cgi?id=194957
155
156         Reviewed by Mark Lam.
157
158         Add test string-overflow-createError-builder.js that overflows
159         StringBuilder in notAFunctionSourceAppender. The second new test
160         string-overflow-createError-fit.js has an error message that doesn't
161         overflow, it still failed since the String's capacity can't be doubled.
162         Run test string-overflow-createError.js only in the default
163         configuration to reduce memory consumption when running the test
164         in all configurations on multiple CPUs in parallel.
165
166         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
167         (catch):
168         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
169         (catch):
170         * stress/string-overflow-createError.js:
171
172 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
173
174         [JSC] OSR entry should respect abstract values in addition to flush formats
175         https://bugs.webkit.org/show_bug.cgi?id=195653
176
177         Reviewed by Mark Lam.
178
179         * stress/osr-entry-locals-none.js: Added.
180
181 2019-03-12  Michael Saboff  <msaboff@apple.com>
182
183         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
184         https://bugs.webkit.org/show_bug.cgi?id=195613
185
186         Reviewed by Mark Lam.
187
188         New regression test.
189
190         * stress/regexp-backref-inbounds.js: Added.
191         (testRegExp):
192
193 2019-03-12  Mark Lam  <mark.lam@apple.com>
194
195         The HasIndexedProperty node does GC.
196         https://bugs.webkit.org/show_bug.cgi?id=195559
197         <rdar://problem/48767923>
198
199         Reviewed by Yusuke Suzuki.
200
201         * stress/HasIndexedProperty-does-gc.js: Added.
202
203 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
204
205         [ESNext][BigInt] Implement "~" unary operation
206         https://bugs.webkit.org/show_bug.cgi?id=182216
207
208         Reviewed by Keith Miller.
209
210         * stress/big-int-bit-not-general.js: Added.
211         * stress/big-int-bitwise-not-jit.js: Added.
212         * stress/big-int-bitwise-not-wrapped-value.js: Added.
213         * stress/bit-op-with-object-returning-int32.js:
214         * stress/bitwise-not-fixup-rules.js: Added.
215         * stress/value-bit-not-ai-rule.js: Added.
216
217 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
218
219         Invalid flags in a RegExp literal should be an early SyntaxError
220         https://bugs.webkit.org/show_bug.cgi?id=195514
221
222         Reviewed by Darin Adler.
223
224         * test262/expectations.yaml:
225         Mark 4 test cases as passing.
226
227         * stress/regexp-syntax-error-invalid-flags.js:
228         * stress/regress-161995.js: Removed.
229         Update existing test, merging in an older test for the same behavior.
230
231 2019-03-08  Mark Lam  <mark.lam@apple.com>
232
233         Stack overflow crash in JSC::JSObject::hasInstance.
234         https://bugs.webkit.org/show_bug.cgi?id=195458
235         <rdar://problem/48710195>
236
237         Reviewed by Yusuke Suzuki.
238
239         * stress/stack-overflow-in-custom-hasInstance.js: Added.
240
241 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
242
243         op_check_tdz does not def its argument
244         https://bugs.webkit.org/show_bug.cgi?id=192880
245         <rdar://problem/46221598>
246
247         Reviewed by Saam Barati.
248
249         * microbenchmarks/let-for-in.js: Added.
250         (foo):
251
252 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
253
254         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
255         https://bugs.webkit.org/show_bug.cgi?id=195429
256
257         Reviewed by Saam Barati.
258
259         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
260         (foo):
261         * stress/string-from-char-code-255.js: Added.
262
263 2019-03-06  Mark Lam  <mark.lam@apple.com>
264
265         Fix incorrect handling of try-finally completion values.
266         https://bugs.webkit.org/show_bug.cgi?id=195131
267         <rdar://problem/46222079>
268
269         Reviewed by Saam Barati and Yusuke Suzuki.
270
271         Added many permutations of new test case to test-finally.js.  test-finally.js has
272         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
273         tests pass there as well.
274
275         * stress/test-finally.js:
276
277 2019-03-06  Saam Barati  <sbarati@apple.com>
278
279         Air::reportUsedRegisters must padInterference
280         https://bugs.webkit.org/show_bug.cgi?id=195303
281         <rdar://problem/48270343>
282
283         Reviewed by Keith Miller.
284
285         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
286
287 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
288
289         [JSC] AI should not propagate AbstractValue relying on constant folding phase
290         https://bugs.webkit.org/show_bug.cgi?id=195375
291
292         Reviewed by Saam Barati.
293
294         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
295         (let.array):
296
297 2019-03-05  Saam barati  <sbarati@apple.com>
298
299         op_switch_char broken for rope strings after JSRopeString layout rewrite
300         https://bugs.webkit.org/show_bug.cgi?id=195339
301         <rdar://problem/48592545>
302
303         Reviewed by Yusuke Suzuki.
304
305         * stress/switch-on-char-llint-rope.js: Added.
306
307 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
308
309         [JSC] Store bits for JSRopeString in 3 stores
310         https://bugs.webkit.org/show_bug.cgi?id=195234
311
312         Reviewed by Saam Barati.
313
314         * stress/null-rope-and-collectors.js: Added.
315
316 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
317
318         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
319         https://bugs.webkit.org/show_bug.cgi?id=195207
320
321         Unreviewed. After test runtime was reduced in r242213, test can be
322         run again on ARM/MIPS.
323
324         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
325
326 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
327
328         [JSC] sizeof(JSString) should be 16
329         https://bugs.webkit.org/show_bug.cgi?id=194375
330
331         Reviewed by Saam Barati.
332
333         * microbenchmarks/make-rope.js: Added.
334         (makeRope):
335         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
336         (returnRope.helper): Deleted.
337         (returnRope): Deleted.
338
339 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
340
341         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
342         https://bugs.webkit.org/show_bug.cgi?id=195144
343
344         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
345         Change the number from 1e8 to 1e5.
346
347         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
348         (foo):
349
350 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
351
352         Test times out on ARM/MIPS
353         https://bugs.webkit.org/show_bug.cgi?id=195168
354
355         Unreviewed. Skip test on ARM/MIPS.
356
357         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
358
359 2019-02-27  Mark Lam  <mark.lam@apple.com>
360
361         The parser is failing to record the token location of new in new.target.
362         https://bugs.webkit.org/show_bug.cgi?id=195127
363         <rdar://problem/39645578>
364
365         Reviewed by Yusuke Suzuki.
366
367         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
368
369 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
370
371         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
372         https://bugs.webkit.org/show_bug.cgi?id=195144
373         <rdar://problem/47595961>
374
375         Reviewed by Mark Lam.
376
377         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
378         (bar):
379         (foo):
380         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
381         (bar):
382         (foo):
383
384 2019-02-27  Robin Morisset  <rmorisset@apple.com>
385
386         DFG: Loop-invariant code motion (LICM) should not hoist dead code
387         https://bugs.webkit.org/show_bug.cgi?id=194945
388         <rdar://problem/48311657>
389
390         Reviewed by Mark Lam.
391
392         * stress/licm-dead-code.js: Added.
393
394 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
395
396         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
397         https://bugs.webkit.org/show_bug.cgi?id=194677
398         <rdar://problem/48112492>
399
400         Reviewed by Mark Lam.
401
402         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
403         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
404         it immediately fails due to the large size.
405
406         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
407         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
408         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
409         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
410
411         This patch changes the test to produce 16bit string from String.fromCharCode.
412
413         * stress/regress-178386.js:
414
415 2019-02-26  Mark Lam  <mark.lam@apple.com>
416
417         wasmToJS() should purify incoming NaNs.
418         https://bugs.webkit.org/show_bug.cgi?id=194807
419         <rdar://problem/48189132>
420
421         Reviewed by Saam Barati.
422
423         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
424
425 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
426
427         [JSC] Repeat string created from Array.prototype.join() take too much memory
428         https://bugs.webkit.org/show_bug.cgi?id=193912
429
430         Reviewed by Saam Barati.
431
432         Added a test and a microbenchmark for corner cases of
433         Array.prototype.join() with an uninitialized array.
434
435         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
436         * stress/array-prototype-join-uninitialized.js: Added.
437         (testArray):
438         (testABC):
439         (B):
440         (C):
441
442 2019-02-22  Robin Morisset  <rmorisset@apple.com>
443
444         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
445         https://bugs.webkit.org/show_bug.cgi?id=194953
446         <rdar://problem/47595253>
447
448         Reviewed by Saam Barati.
449
450         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
451
452         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
453
454 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
455
456         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
457         https://bugs.webkit.org/show_bug.cgi?id=172848
458         <rdar://problem/25709212>
459
460         Reviewed by Mark Lam.
461
462         * typeProfiler/inheritance.js:
463         Rewrite the test slightly for clarity. The hoisting was confusing.
464
465         * heapProfiler/class-names.js: Added.
466         (MyES5Class):
467         (MyES6Class):
468         (MyES6Subclass):
469         Test object types and improved class names.
470
471         * heapProfiler/driver/driver.js:
472         (CheapHeapSnapshotNode):
473         (CheapHeapSnapshot):
474         (createCheapHeapSnapshot):
475         (HeapSnapshot):
476         (createHeapSnapshot):
477         Update snapshot parsing from version 1 to version 2.
478
479 2019-02-19  Truitt Savell  <tsavell@apple.com>
480
481         Unreviewed, rolling out r241784.
482
483         Broke all OpenSource builds.
484
485         Reverted changeset:
486
487         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
488         instances view"
489         https://bugs.webkit.org/show_bug.cgi?id=172848
490         https://trac.webkit.org/changeset/241784
491
492 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
493
494         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
495         https://bugs.webkit.org/show_bug.cgi?id=172848
496         <rdar://problem/25709212>
497
498         Reviewed by Mark Lam.
499
500         * typeProfiler/inheritance.js:
501         Rewrite the test slightly for clarity. The hoisting was confusing.
502
503         * heapProfiler/class-names.js: Added.
504         (MyES5Class):
505         (MyES6Class):
506         (MyES6Subclass):
507         Test object types and improved class names.
508
509         * heapProfiler/driver/driver.js:
510         (CheapHeapSnapshotNode):
511         (CheapHeapSnapshot):
512         (createCheapHeapSnapshot):
513         (HeapSnapshot):
514         (createHeapSnapshot):
515         Update snapshot parsing from version 1 to version 2.
516
517 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
518
519         [ARM] Fix crash with sampling profiler
520         https://bugs.webkit.org/show_bug.cgi?id=194772
521
522         Reviewed by Mark Lam.
523
524         Do not skip test since crash with sampling profiler is now fixed.
525
526         * stress/sampling-profiler-richards.js:
527
528 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
529
530         [JSC] Add LazyClassStructure::getInitializedOnMainThread
531         https://bugs.webkit.org/show_bug.cgi?id=194784
532         <rdar://problem/48154820>
533
534         Reviewed by Mark Lam.
535
536         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
537         (getProperties):
538         (getRandomProperty):
539         (i.catch):
540
541 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
542
543         [ARM] Test gardening: Test running out of executable memory
544         https://bugs.webkit.org/show_bug.cgi?id=194771
545
546         Unreviewed. Do not run test without LLInt, test is running out of executable
547         memory on ARM otherwise.
548
549         * stress/tagged-template-object-collect.js:
550
551 2019-02-18  Tomas Popela  <tpopela@redhat.com>
552
553         Unreviewed, skip the test on platforms without sampling profiler
554
555         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
556         (platformSupportsSamplingProfiler.foo):
557         (platformSupportsSamplingProfiler.test):
558         (platformSupportsSamplingProfiler):
559         (foo): Deleted.
560         (test): Deleted.
561
562 2019-02-17  Saam Barati  <sbarati@apple.com>
563
564         Deadlock when adding a Structure property transition and then doing incremental marking
565         https://bugs.webkit.org/show_bug.cgi?id=194767
566
567         Reviewed by Mark Lam.
568
569         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
570
571 2019-02-15  Michael Saboff  <msaboff@apple.com>
572
573         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
574         https://bugs.webkit.org/show_bug.cgi?id=194558
575
576         Reviewed by Saam Barati.
577
578         New regression test.
579
580         * stress/regexp-unicode-within-string.js: Added.
581
582 2019-02-15  Mark Lam  <mark.lam@apple.com>
583
584         SamplingProfiler::stackTracesAsJSON() should escape strings.
585         https://bugs.webkit.org/show_bug.cgi?id=194649
586         <rdar://problem/48072386>
587
588         Reviewed by Saam Barati.
589
590         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
591         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
592         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
593         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
594
595 2019-02-15  Robin Morisset  <rmorisset@apple.com>
596         CodeBlock::jettison should clear related watchpoints
597         https://bugs.webkit.org/show_bug.cgi?id=194544
598
599         Reviewed by Mark Lam.
600
601         * stress/regexp-replace-double-watchpoint.js: Added.
602         (foo):
603
604 2019-02-15  Saam barati  <sbarati@apple.com>
605
606         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
607         https://bugs.webkit.org/show_bug.cgi?id=194036
608
609         Reviewed by Yusuke Suzuki.
610
611         * stress/tail-call-many-arguments.js: Added.
612         (foo):
613         (bar):
614
615 2019-02-14  Saam Barati  <sbarati@apple.com>
616
617         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
618         https://bugs.webkit.org/show_bug.cgi?id=194583
619         <rdar://problem/48028140>
620
621         Reviewed by Yusuke Suzuki.
622
623         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
624
625 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
626
627         [JSC] String.fromCharCode's slow path always generates 16bit string
628         https://bugs.webkit.org/show_bug.cgi?id=194466
629
630         Reviewed by Keith Miller.
631
632         * stress/string-from-char-code-slow-path.js: Added.
633         (shouldBe):
634         (testWithLength):
635
636 2019-02-08  Saam barati  <sbarati@apple.com>
637
638         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
639         https://bugs.webkit.org/show_bug.cgi?id=194334
640         <rdar://problem/47844327>
641
642         Reviewed by Mark Lam.
643
644         * stress/check-in-bounds-should-be-a-child-use.js: Added.
645         (func):
646
647 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
648
649         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
650         https://bugs.webkit.org/show_bug.cgi?id=194369
651         <rdar://problem/47813087>
652
653         Reviewed by Saam Barati.
654
655         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
656         (A):
657
658 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
659
660         [JSC] PrivateName to PublicName hash table is wasteful
661         https://bugs.webkit.org/show_bug.cgi?id=194277
662
663         Reviewed by Michael Saboff.
664
665         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
666
667         * ChakraCore.yaml:
668
669 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
670
671         [ARM] Test running out of executable memory
672         https://bugs.webkit.org/show_bug.cgi?id=194285
673
674         Unreviewed. Do not execute test with LLInt disabled, test runs out of
675         executable memory otherwise.
676
677         * stress/class-subclassing-function.js:
678
679 2019-02-04  Robin Morisset  <rmorisset@apple.com>
680
681         when lowering AssertNotEmpty, create the value before creating the patchpoint
682         https://bugs.webkit.org/show_bug.cgi?id=194231
683
684         Reviewed by Saam Barati.
685
686         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
687         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
688         So even tiny changes to this test can change the code path taken.
689
690         * stress/assert-not-empty.js: Added.
691         (foo):
692
693 2019-02-01  Mark Lam  <mark.lam@apple.com>
694
695         Remove invalid assertion in DFG's compileDoubleRep().
696         https://bugs.webkit.org/show_bug.cgi?id=194130
697         <rdar://problem/47699474>
698
699         Reviewed by Saam Barati.
700
701         * stress/constant-fold-double-rep-into-double-constant.js: Added.
702
703 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
704
705         Import latest Test262 updates.
706
707         Rubber-stamped by Keith Miller.
708
709         * test262.yaml: Deleted.
710         * test262/config.yaml:
711         * test262/expectations.yaml:
712         * test262/latest-changes-summary.txt:
713         * test262/test/:
714         * test262/test262-Revision.txt:
715
716 2019-01-30  Robin Morisset  <rmorisset@apple.com>
717
718         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
719         https://bugs.webkit.org/show_bug.cgi?id=194050
720         <rdar://problem/47595592>
721
722         Reviewed by Yusuke Suzuki.
723
724         * stress/object-keys-osr-exit.js: Added.
725         (foo):
726         (catch):
727
728 2019-01-29  Mark Lam  <mark.lam@apple.com>
729
730         ValueRecovery::recover() should purify NaN values it recovers.
731         https://bugs.webkit.org/show_bug.cgi?id=193978
732         <rdar://problem/47625488>
733
734         Reviewed by Saam Barati.
735
736         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
737
738 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
739
740         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
741         https://bugs.webkit.org/show_bug.cgi?id=193713
742
743         * stress/try-get-by-id-should-spill-registers-dfg.js:
744         (let.f.createBuiltin):
745
746 2019-01-28  Mark Lam  <mark.lam@apple.com>
747
748         ToString node actually does GC.
749         https://bugs.webkit.org/show_bug.cgi?id=193920
750         <rdar://problem/46695900>
751
752         Reviewed by Yusuke Suzuki.
753
754         * stress/dfg-to-string-on-int-does-gc.js: Added.
755         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
756         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
757
758 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
759
760         [JSC] NativeErrorConstructor should not have own IsoSubspace
761         https://bugs.webkit.org/show_bug.cgi?id=193713
762
763         Reviewed by Saam Barati.
764
765         Remove @Error use.
766
767         * stress/try-get-by-id-should-spill-registers-dfg.js:
768         (let.f.createBuiltin):
769
770 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
771
772         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
773         https://bugs.webkit.org/show_bug.cgi?id=190693
774
775         Reviewed by Michael Saboff.
776
777         * stress/regress-190693.js: Added.
778         (truth):
779         (assert):
780         (shouldThrowInvalidConstAssignment):
781         (taz):
782
783 2019-01-24  Saam Barati  <sbarati@apple.com>
784
785         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
786         https://bugs.webkit.org/show_bug.cgi?id=193751
787         <rdar://problem/47280215>
788
789         Reviewed by Michael Saboff.
790
791         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
792         (let.thing):
793         (foo.let.hello):
794         (foo):
795
796 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
797
798         [JSC] Reenable baseline JIT on mips
799         https://bugs.webkit.org/show_bug.cgi?id=192983
800
801         Reviewed by Mark Lam.
802
803         Added a new test for a case that was triggering a RELEASE_ASSERT when
804         testing.
805         Disable some slow tests that were already disabled for arm and x86.
806
807         * stress/json-parse-big-object.js: Added.
808         * stress/new-largeish-contiguous-array-with-size.js:
809         * stress/op_add.js:
810         * stress/op_bitand.js:
811         * stress/op_bitor.js:
812         * stress/op_bitxor.js:
813         * stress/op_lshift-ConstVar.js:
814         * stress/op_lshift-VarConst.js:
815         * stress/op_lshift-VarVar.js:
816         * stress/op_mod-ConstVar.js:
817         * stress/op_mod-VarConst.js:
818         * stress/op_mod-VarVar.js:
819         * stress/op_mul-ConstVar.js:
820         * stress/op_mul-VarConst.js:
821         * stress/op_mul-VarVar.js:
822         * stress/op_rshift-ConstVar.js:
823         * stress/op_rshift-VarConst.js:
824         * stress/op_rshift-VarVar.js:
825         * stress/op_sub-ConstVar.js:
826         * stress/op_sub-VarConst.js:
827         * stress/op_sub-VarVar.js:
828         * stress/op_urshift-ConstVar.js:
829         * stress/op_urshift-VarConst.js:
830         * stress/op_urshift-VarVar.js:
831         * stress/sampling-profiler-richards.js:
832         * stress/spread-forward-call-varargs-stack-overflow.js:
833
834 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
835
836         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
837         https://bugs.webkit.org/show_bug.cgi?id=193711
838         <rdar://problem/47250262>
839
840         Reviewed by Saam Barati.
841
842         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
843         (shouldBe):
844         (foo):
845         (bar):
846         (baz):
847
848 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
849
850         Unreviewed, fix initial global lexical binding epoch
851         https://bugs.webkit.org/show_bug.cgi?id=193603
852         <rdar://problem/47380869>
853
854         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
855         (f1.f2.f3.f4):
856         (f1.f2.f3):
857         (f1.f2):
858         (f1):
859
860 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
863         https://bugs.webkit.org/show_bug.cgi?id=193709
864         <rdar://problem/47363838>
865
866         Unreviewed, rollout to watch the tests.
867
868         * stress/object-tostring-changed-proto.js: Removed.
869         * stress/object-tostring-changed.js: Removed.
870         * stress/object-tostring-misc.js: Removed.
871         * stress/object-tostring-other.js: Removed.
872         * stress/object-tostring-untyped.js: Removed.
873
874 2019-01-22  Saam Barati  <sbarati@apple.com>
875
876         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
877
878         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
879         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
880         (testUncheckedLessThanZero):
881         (testUncheckedLessThanOrEqualZero):
882         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
883         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
884
885 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
886
887         [JSC] Invalidate old scope operations using global lexical binding epoch
888         https://bugs.webkit.org/show_bug.cgi?id=193603
889         <rdar://problem/47380869>
890
891         Reviewed by Saam Barati.
892
893         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
894         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
895         (shouldThrow):
896         (bar):
897         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
898         (shouldBe):
899         (get1):
900         (get2):
901         (get1If):
902         (get2If):
903         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
904         (shouldThrow):
905         (foo):
906
907 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
908
909         Unreviewed, roll out r240220 due to date-format-xparb regression
910         https://bugs.webkit.org/show_bug.cgi?id=193603
911
912         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
913         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
914         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
915         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
916
917 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
918
919         DoesGC rule is wrong for nodes with BigIntUse
920         https://bugs.webkit.org/show_bug.cgi?id=193652
921
922         Reviewed by Saam Barati.
923
924         * stress/big-int-value-op-update-gc-rules.js: Added.
925         (assert):
926         (doesGCAdd):
927         (doesGCSub):
928         (doesGCDiv):
929         (doesGCMul):
930         (doesGCBitAnd):
931         (doesGCBitOr):
932         (doesGCBitXor):
933
934 2019-01-20  Saam Barati  <sbarati@apple.com>
935
936         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
937         https://bugs.webkit.org/show_bug.cgi?id=193644
938         <rdar://problem/46209745>
939
940         Reviewed by Yusuke Suzuki.
941
942         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
943         (foo):
944         * stress/data-view-set-intrinsic-undefined-result.js: Added.
945         (foo):
946         (bar):
947
948 2019-01-20  Saam Barati  <sbarati@apple.com>
949
950         MovHint must merge NodeBytecodeUsesAsValue for its child
951         https://bugs.webkit.org/show_bug.cgi?id=186916
952         <rdar://problem/41396612>
953
954         Reviewed by Yusuke Suzuki.
955
956         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
957         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
958
959 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
960
961         [JSC] Invalidate old scope operations using global lexical binding epoch
962         https://bugs.webkit.org/show_bug.cgi?id=193603
963         <rdar://problem/47380869>
964
965         Reviewed by Saam Barati.
966
967         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
968         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
969         (shouldThrow):
970         (bar):
971         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
972         (shouldBe):
973         (get1):
974         (get2):
975         (get1If):
976         (get2If):
977         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
978         (shouldThrow):
979         (foo):
980
981 2019-01-17  Saam barati  <sbarati@apple.com>
982
983         StringObjectUse should not be a structure check for the original string object structure
984         https://bugs.webkit.org/show_bug.cgi?id=193483
985         <rdar://problem/47280522>
986
987         Reviewed by Yusuke Suzuki.
988
989         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
990         (foo):
991         (a.valueOf.0):
992
993 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
994
995         [JSC] ToThis omission in DFGByteCodeParser is wrong
996         https://bugs.webkit.org/show_bug.cgi?id=193513
997         <rdar://problem/45842236>
998
999         Reviewed by Saam Barati.
1000
1001         * stress/to-this-omission-with-different-strict-modes.js: Added.
1002         (thisA):
1003         (thisAStrictWrapper):
1004
1005 2019-01-15  Mark Lam  <mark.lam@apple.com>
1006
1007         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1008         https://bugs.webkit.org/show_bug.cgi?id=193423
1009         <rdar://problem/46209355>
1010
1011         Reviewed by Saam Barati.
1012
1013         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1014         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1015         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1016         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1017
1018 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1019
1020         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1021         https://bugs.webkit.org/show_bug.cgi?id=193438
1022         <rdar://problem/45581249>
1023
1024         Reviewed by Saam Barati and Keith Miller.
1025
1026         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1027         Then, GetByVal(String) crashed.
1028
1029         * stress/string-get-by-val-lowering.js: Added.
1030         (shouldBe):
1031         (test):
1032         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1033         (Hello):
1034         (foo):
1035
1036 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1037
1038         Unreviewed, skip JIT tests if it's not enabled
1039
1040         * stress/bit-op-with-object-returning-int32.js:
1041
1042 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1043
1044         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1045         https://bugs.webkit.org/show_bug.cgi?id=192966
1046
1047         Reviewed by Yusuke Suzuki.
1048
1049         * stress/bit-op-with-object-returning-int32.js: Added.
1050
1051 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1052
1053         Skip a slow test and a flakey test on arm
1054
1055         Unreviewed gardening.
1056
1057         * typeProfiler/getter-richards.js:
1058         this test always times out, it used to be always skipped on arm and
1059         mips, but got accidentally enabled by r237919 now that we have DFG on
1060         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1061
1062 2019-01-14  Keith Miller  <keith_miller@apple.com>
1063
1064         Skip type-check-hoisting-phase-hoist... with no jit
1065         https://bugs.webkit.org/show_bug.cgi?id=193421
1066
1067         Reviewed by Mark Lam.
1068
1069         It's timing out the 32-bit bots and takes 330 seconds
1070         on my machine when run by itself.
1071
1072         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1073
1074 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1075
1076         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1077         https://bugs.webkit.org/show_bug.cgi?id=193413
1078         <rdar://problem/46092389>
1079
1080         Reviewed by Keith Miller.
1081
1082         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1083         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1084         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1085         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1086
1087         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1088         (compareArray):
1089
1090 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1091
1092         [BigInt] Literal parsing is crashing when used inside a Object Literal
1093         https://bugs.webkit.org/show_bug.cgi?id=193404
1094
1095         Reviewed by Yusuke Suzuki.
1096
1097         * stress/big-int-literal-inside-literal-object.js: Added.
1098
1099 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1100
1101         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1102         https://bugs.webkit.org/show_bug.cgi?id=193372
1103
1104         Reviewed by Saam Barati.
1105
1106         * stress/typed-array-array-modes-profile.js: Added.
1107         (foo):
1108
1109 2019-01-14  Mark Lam  <mark.lam@apple.com>
1110
1111         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1112         https://bugs.webkit.org/show_bug.cgi?id=193402
1113         <rdar://problem/46012309>
1114
1115         Reviewed by Keith Miller.
1116
1117         * stress/regexp-compile-oom.js:
1118         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1119           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1120
1121 2019-01-11  Saam barati  <sbarati@apple.com>
1122
1123         DFG combined liveness can be wrong for terminal basic blocks
1124         https://bugs.webkit.org/show_bug.cgi?id=193304
1125         <rdar://problem/45268632>
1126
1127         Reviewed by Yusuke Suzuki.
1128
1129         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1130
1131 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1132
1133         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1134         https://bugs.webkit.org/show_bug.cgi?id=193308
1135         <rdar://problem/45546542>
1136
1137         Reviewed by Saam Barati.
1138
1139         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1140         (shouldThrow):
1141         (shouldBe):
1142         (foo):
1143         (get shouldThrow):
1144         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1145         (shouldThrow):
1146         (shouldBe):
1147         (foo):
1148         (get shouldBe):
1149         (get shouldThrow):
1150         (get return):
1151         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1152         (shouldThrow):
1153         (shouldBe):
1154         (foo):
1155         (get shouldBe):
1156         (get shouldThrow):
1157         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1158         (shouldThrow):
1159         (shouldBe):
1160         (foo):
1161         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1162         (shouldThrow):
1163         (shouldBe):
1164         (foo):
1165         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1166         (shouldThrow):
1167         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1168         (shouldThrow):
1169         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1170         (shouldThrow):
1171         (shouldBe):
1172         (foo):
1173         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1174         (shouldThrow):
1175         (shouldBe):
1176         (foo):
1177         (get shouldBe):
1178         (get shouldThrow):
1179         (get return):
1180         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1181         (shouldThrow):
1182         (shouldBe):
1183         (foo):
1184         (get shouldBe):
1185         (get shouldThrow):
1186         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1187         (shouldThrow):
1188         (shouldBe):
1189         (foo):
1190         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1191         (shouldThrow):
1192         (shouldBe):
1193         (foo):
1194
1195 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1196
1197         Enable DFG on ARM/Linux again
1198         https://bugs.webkit.org/show_bug.cgi?id=192496
1199
1200         Reviewed by Yusuke Suzuki.
1201
1202         Test wasn't really skipped before moving the line with skip
1203         to the top.
1204
1205         * stress/regress-192717.js:
1206
1207 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1208
1209         Unreviewed, rolling out r239825.
1210         https://bugs.webkit.org/show_bug.cgi?id=193330
1211
1212         Broke tests on armv7/linux bots (Requested by guijemont on
1213         #webkit).
1214
1215         Reverted changeset:
1216
1217         "Enable DFG on ARM/Linux again"
1218         https://bugs.webkit.org/show_bug.cgi?id=192496
1219         https://trac.webkit.org/changeset/239825
1220
1221 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1222
1223         Enable DFG on ARM/Linux again
1224         https://bugs.webkit.org/show_bug.cgi?id=192496
1225
1226         Reviewed by Yusuke Suzuki.
1227
1228         Test wasn't really skipped before moving the line with skip
1229         to the top.
1230
1231         * stress/regress-192717.js:
1232
1233 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1234
1235         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1236         https://bugs.webkit.org/show_bug.cgi?id=193127
1237
1238         Reviewed by Saam Barati.
1239
1240         * stress/array-species-create-should-handle-masquerader.js: Added.
1241         (shouldThrow):
1242         * stress/is-undefined-or-null-builtin.js: Added.
1243         (shouldBe):
1244         (isUndefinedOrNull.vm.createBuiltin):
1245
1246 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1247
1248         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1249         https://bugs.webkit.org/show_bug.cgi?id=193221
1250
1251         Reviewed by Mark Lam.
1252
1253         * stress/put-by-id-flags.js: Added.
1254         (f):
1255         (g):
1256         (numberOfDFGCompiles):
1257
1258 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1259
1260         Baseline version of get_by_id may corrupt metadata
1261         https://bugs.webkit.org/show_bug.cgi?id=193085
1262         <rdar://problem/23453006>
1263
1264         Reviewed by Saam Barati.
1265
1266         * stress/get-by-id-change-mode.js: Added.
1267         (forEach):
1268
1269 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1270
1271         [JSC] Optimize Object.prototype.toString
1272         https://bugs.webkit.org/show_bug.cgi?id=193031
1273
1274         Reviewed by Saam Barati.
1275
1276         * stress/object-tostring-changed-proto.js: Added.
1277         (shouldBe):
1278         (test):
1279         * stress/object-tostring-changed.js: Added.
1280         (shouldBe):
1281         (test):
1282         * stress/object-tostring-misc.js: Added.
1283         (shouldBe):
1284         (test):
1285         (i.switch):
1286         * stress/object-tostring-other.js: Added.
1287         (shouldBe):
1288         (test):
1289         * stress/object-tostring-untyped.js: Added.
1290         (shouldBe):
1291         (test):
1292         (i.switch):
1293
1294 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1295
1296         test262-runner misbehaves when test file YAML has a trailing space
1297         https://bugs.webkit.org/show_bug.cgi?id=193053
1298
1299         Reviewed by Yusuke Suzuki.
1300
1301         * test262/expectations.yaml:
1302         Mark two dozen tests as passing (and correct the output of another).
1303
1304 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1305
1306         Unreviewed, JSTests gardening with memoryLimited
1307
1308         * stress/string-overflow-createError.js:
1309
1310 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1311
1312         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1313         https://bugs.webkit.org/show_bug.cgi?id=193050
1314
1315         Reviewed by Yusuke Suzuki.
1316
1317         * test262.yaml:
1318         * test262/expectations.yaml:
1319         Mark 16 tests as passing.
1320
1321 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1322
1323         [BigInt] Support BigInt in JSON.stringify
1324         https://bugs.webkit.org/show_bug.cgi?id=192624
1325
1326         Reviewed by Saam Barati.
1327
1328         * stress/big-int-json-stringify-to-json.js: Added.
1329         (shouldBe):
1330         (shouldThrow):
1331         (BigInt.prototype.toJSON):
1332         (shouldBe.JSON.stringify):
1333         * stress/big-int-json-stringify.js: Added.
1334         (shouldBe):
1335         (shouldThrow):
1336
1337 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1338
1339         [JSC] Implement "well-formed JSON.stringify" proposal
1340         https://bugs.webkit.org/show_bug.cgi?id=191677
1341
1342         Reviewed by Darin Adler.
1343
1344         * stress/json-surrogate-pair.js: Added.
1345         (shouldBe):
1346         * test262/expectations.yaml:
1347
1348 2018-12-20  Keith Miller  <keith_miller@apple.com>
1349
1350         Add support for globalThis
1351         https://bugs.webkit.org/show_bug.cgi?id=165171
1352
1353         Reviewed by Mark Lam.
1354
1355         * test262/config.yaml:
1356
1357 2018-12-19  Keith Miller  <keith_miller@apple.com>
1358
1359         Update test262 configuration to not run tests dependent on ICU version.
1360         https://bugs.webkit.org/show_bug.cgi?id=192920
1361
1362         Reviewed by Saam Barati.
1363
1364         * test262/expectations.yaml:
1365
1366 2018-12-20  Mark Lam  <mark.lam@apple.com>
1367
1368         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1369         https://bugs.webkit.org/show_bug.cgi?id=192939
1370         <rdar://problem/46869516>
1371
1372         Reviewed by Keith Miller.
1373
1374         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1375
1376 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1377
1378         WTF::String and StringImpl overflow MaxLength
1379         https://bugs.webkit.org/show_bug.cgi?id=192853
1380         <rdar://problem/45726906>
1381
1382         Reviewed by Mark Lam.
1383
1384         * stress/string-16bit-repeat-overflow.js: Added.
1385         (catch):
1386
1387 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1388
1389         Unreviewed follow-up to r192914.
1390
1391         * test262/expectations.yaml:
1392         Add the last 20 missing expectations.
1393
1394 2018-12-19  Keith Miller  <keith_miller@apple.com>
1395
1396         Fix test262 expectations
1397         https://bugs.webkit.org/show_bug.cgi?id=192914
1398
1399         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1400
1401         * test262/expectations.yaml:
1402
1403 2018-12-19  Keith Miller  <keith_miller@apple.com>
1404
1405         Update test262 tests.
1406         https://bugs.webkit.org/show_bug.cgi?id=192907
1407
1408         Rubber stamped by Mark Lam.
1409
1410         * test262/*: Omitted because prepare-changelog crashes.
1411
1412 2018-12-19  Mark Lam  <mark.lam@apple.com>
1413
1414         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1415         https://bugs.webkit.org/show_bug.cgi?id=192464
1416         <rdar://problem/46519455>
1417
1418         Reviewed by Saam Barati.
1419
1420         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1421         microbenchmark.
1422
1423         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1424         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1425
1426 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1427
1428         String overflow in JSC::createError results in ASSERT in WTF::makeString
1429         https://bugs.webkit.org/show_bug.cgi?id=192833
1430         <rdar://problem/45706868>
1431
1432         Reviewed by Mark Lam.
1433
1434         * stress/string-overflow-createError.js: Added.
1435
1436 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1437
1438         Error message for `-x ** y` contains a typo.
1439         https://bugs.webkit.org/show_bug.cgi?id=192832
1440
1441         Reviewed by Saam Barati.
1442
1443         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1444         (assert.assert.return.throws):
1445         * stress/pow-expects-update-expression-on-lhs.js:
1446         (throw.new.Error):
1447         Update test expectations which match against the exact error message.
1448
1449 2018-12-18  Mark Lam  <mark.lam@apple.com>
1450
1451         Gardening: test options fix.
1452         https://bugs.webkit.org/show_bug.cgi?id=192822
1453
1454         Unreviewed.
1455
1456         * stress/json-stringify-string-builder-overflow.js:
1457
1458 2018-12-18  Mark Lam  <mark.lam@apple.com>
1459
1460         JSON.stringify() should throw OOM on StringBuilder overflows.
1461         https://bugs.webkit.org/show_bug.cgi?id=192822
1462         <rdar://problem/46670577>
1463
1464         Reviewed by Saam Barati.
1465
1466         * stress/json-stringify-string-builder-overflow.js: Added.
1467
1468 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1469
1470         Redeclaration of var over let/const/class should be a syntax error.
1471         https://bugs.webkit.org/show_bug.cgi?id=192298
1472
1473         Reviewed by Keith Miller.
1474
1475         * test262.yaml:
1476         * test262/expectations.yaml:
1477         Mark 46 tests as passing.
1478
1479         * stress/block-scope-redeclarations.js:
1480         Add some new tests.
1481
1482         * stress/for-in-invalidate-context-weird-assignments.js:
1483         * stress/for-in-tests.js:
1484         Replace tests for outdated behavior with tests for SyntaxError.
1485
1486         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1487         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1488         Update expectations.
1489
1490 2018-12-18  Mark Lam  <mark.lam@apple.com>
1491
1492         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1493         https://bugs.webkit.org/show_bug.cgi?id=191374
1494         <rdar://problem/46525447>
1495
1496         Reviewed by Yusuke Suzuki.
1497
1498         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1499
1500         * stress/elidable-new-object-roflcopter-then-exit.js:
1501
1502 2018-12-17  Mark Lam  <mark.lam@apple.com>
1503
1504         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1505         https://bugs.webkit.org/show_bug.cgi?id=192019
1506         <rdar://problem/46525456>
1507
1508         Reviewed by Yusuke Suzuki.
1509
1510         The test runs too slow on 32-bit.
1511
1512         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1513
1514 2018-12-17  Mark Lam  <mark.lam@apple.com>
1515
1516         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1517         https://bugs.webkit.org/show_bug.cgi?id=191373
1518         <rdar://problem/46525458>
1519
1520         Reviewed by Yusuke Suzuki.
1521
1522         The test is already slow running with a JIT on 64-bit.  It will always time out
1523         on 32-bit without a JIT.
1524
1525         * stress/materialize-regexp-cyclic-regexp.js:
1526
1527 2018-12-17  Mark Lam  <mark.lam@apple.com>
1528
1529         Array unshift/shift should not race against the AI in the compiler thread.
1530         https://bugs.webkit.org/show_bug.cgi?id=192795
1531         <rdar://problem/46724263>
1532
1533         Reviewed by Saam Barati.
1534
1535         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1536
1537 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1538
1539         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1540         https://bugs.webkit.org/show_bug.cgi?id=190047
1541
1542         Reviewed by Saam Barati.
1543
1544         * stress/object-keys-cached-zero.js: Added.
1545         (shouldBe):
1546         (test):
1547         * stress/object-keys-changed-attribute.js: Added.
1548         (shouldBe):
1549         (test):
1550         * stress/object-keys-changed-index.js: Added.
1551         (shouldBe):
1552         (test):
1553         * stress/object-keys-changed.js: Added.
1554         (shouldBe):
1555         (test):
1556         * stress/object-keys-indexed-non-cache.js: Added.
1557         (shouldBe):
1558         (test):
1559         * stress/object-keys-overrides-get-property-names.js: Added.
1560         (shouldBe):
1561         (test):
1562         (noInline):
1563
1564 2018-12-17  Mark Lam  <mark.lam@apple.com>
1565
1566         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1567         https://bugs.webkit.org/show_bug.cgi?id=192779
1568         <rdar://problem/46775869>
1569
1570         Reviewed by Saam Barati.
1571
1572         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1573
1574 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1575
1576         Unreviewed test gardening, address a syntax error in a new test.
1577
1578         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1579
1580 2018-12-17  Mark Lam  <mark.lam@apple.com>
1581
1582         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1583         https://bugs.webkit.org/show_bug.cgi?id=192776
1584         <rdar://problem/46772368>
1585
1586         Reviewed by Keith Miller.
1587
1588         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1589
1590 2018-12-17  Mark Lam  <mark.lam@apple.com>
1591
1592         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1593         https://bugs.webkit.org/show_bug.cgi?id=192770
1594         <rdar://problem/46449037>
1595
1596         Reviewed by Keith Miller.
1597
1598         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1599
1600 2018-12-14  Mark Lam  <mark.lam@apple.com>
1601
1602         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1603         https://bugs.webkit.org/show_bug.cgi?id=192717
1604         <rdar://problem/46660677>
1605
1606         Reviewed by Saam Barati.
1607
1608         * stress/regress-192717.js: Added.
1609
1610 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1611
1612         Unreviewed, rolling out r239153, r239154, and r239155.
1613         https://bugs.webkit.org/show_bug.cgi?id=192715
1614
1615         Caused flaky GC-related crashes seen with layout tests
1616         (Requested by ryanhaddad on #webkit).
1617
1618         Reverted changesets:
1619
1620         "[JSC] Optimize Object.keys by caching own keys results in
1621         StructureRareData"
1622         https://bugs.webkit.org/show_bug.cgi?id=190047
1623         https://trac.webkit.org/changeset/239153
1624
1625         "Unreviewed, build fix after r239153"
1626         https://bugs.webkit.org/show_bug.cgi?id=190047
1627         https://trac.webkit.org/changeset/239154
1628
1629         "Unreviewed, build fix after r239153, part 2"
1630         https://bugs.webkit.org/show_bug.cgi?id=190047
1631         https://trac.webkit.org/changeset/239155
1632
1633 2018-12-14  Keith Miller  <keith_miller@apple.com>
1634
1635         Callers of JSString::getIndex should check for OOM exceptions
1636         https://bugs.webkit.org/show_bug.cgi?id=192709
1637
1638         Reviewed by Mark Lam.
1639
1640         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1641
1642 2018-12-13  Mark Lam  <mark.lam@apple.com>
1643
1644         Add a missing exception check.
1645         https://bugs.webkit.org/show_bug.cgi?id=192626
1646         <rdar://problem/46662163>
1647
1648         Reviewed by Keith Miller.
1649
1650         * stress/regress-192626.js: Added.
1651
1652 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1653
1654         [BigInt] Add ValueDiv into DFG
1655         https://bugs.webkit.org/show_bug.cgi?id=186178
1656
1657         Reviewed by Yusuke Suzuki.
1658
1659         * stress/big-int-div-jit-osr.js: Added.
1660         * stress/big-int-div-jit-untyped.js: Added.
1661         * stress/value-div-fixup-int32-big-int.js: Added.
1662
1663 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1664
1665         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1666         https://bugs.webkit.org/show_bug.cgi?id=190047
1667
1668         Reviewed by Keith Miller.
1669
1670         * stress/object-keys-cached-zero.js: Added.
1671         (shouldBe):
1672         (test):
1673         * stress/object-keys-changed-attribute.js: Added.
1674         (shouldBe):
1675         (test):
1676         * stress/object-keys-changed-index.js: Added.
1677         (shouldBe):
1678         (test):
1679         * stress/object-keys-changed.js: Added.
1680         (shouldBe):
1681         (test):
1682         * stress/object-keys-indexed-non-cache.js: Added.
1683         (shouldBe):
1684         (test):
1685         * stress/object-keys-overrides-get-property-names.js: Added.
1686         (shouldBe):
1687         (test):
1688         (noInline):
1689
1690 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1691
1692         [DFG][FTL] Add NewSymbol
1693         https://bugs.webkit.org/show_bug.cgi?id=192620
1694
1695         Reviewed by Saam Barati.
1696
1697         * microbenchmarks/symbol-creation.js: Added.
1698         (test):
1699         * stress/symbol-description-identity.js: Added.
1700         (shouldBe):
1701         (test):
1702         * stress/symbol-identity.js: Added.
1703         (shouldBe):
1704         (test):
1705         * stress/symbol-with-description-throw-error.js: Added.
1706         (shouldBe):
1707         (shouldThrow):
1708         (test):
1709         (object.toString):
1710
1711 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1712
1713         [BigInt] Implement DFG/FTL typeof for BigInt
1714         https://bugs.webkit.org/show_bug.cgi?id=192619
1715
1716         Reviewed by Keith Miller.
1717
1718         * stress/big-int-boolean-proven-type.js: Added.
1719         (assert):
1720         (bool):
1721         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1722         (assert):
1723         (typeOf):
1724         (i.switch):
1725         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1726         (assert):
1727         (typeOf):
1728         * stress/big-int-type-of.js:
1729         (typeOf):
1730         (func):
1731
1732 2018-12-10  Mark Lam  <mark.lam@apple.com>
1733
1734         PropertyAttribute needs a CustomValue bit.
1735         https://bugs.webkit.org/show_bug.cgi?id=191993
1736         <rdar://problem/46264467>
1737
1738         Reviewed by Saam Barati.
1739
1740         * stress/regress-191993.js: Added.
1741
1742 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1743
1744         [BigInt] Add ValueMul into DFG
1745         https://bugs.webkit.org/show_bug.cgi?id=186175
1746
1747         Reviewed by Yusuke Suzuki.
1748
1749         * stress/big-int-mul-jit-osr.js: Added.
1750         * stress/big-int-mul-jit-untyped.js: Added.
1751         * stress/value-mul-fixup-int32-big-int.js: Added.
1752
1753 2018-12-06  Keith Miller  <keith_miller@apple.com>
1754
1755         stress/big-wasm-memory tests failing on 32-bit JSC bot
1756         https://bugs.webkit.org/show_bug.cgi?id=192020
1757
1758         Reviewed by Saam Barati.
1759
1760         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1761         the wasm stress tests if the WebAssembly object does not exist.
1762
1763         * stress/big-wasm-memory-grow-no-max.js:
1764         (test.foo):
1765         (test):
1766         (foo): Deleted.
1767         (catch): Deleted.
1768         * stress/big-wasm-memory-grow.js:
1769         (test.foo):
1770         (test):
1771         (foo): Deleted.
1772         (catch): Deleted.
1773         * stress/big-wasm-memory.js:
1774         (test.foo):
1775         (test):
1776         (foo): Deleted.
1777         (catch): Deleted.
1778
1779 2018-12-05  Mark Lam  <mark.lam@apple.com>
1780
1781         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1782         https://bugs.webkit.org/show_bug.cgi?id=192441
1783         <rdar://problem/46480355>
1784
1785         Reviewed by Saam Barati.
1786
1787         * stress/regress-192441.js: Added.
1788
1789 2018-12-04  Mark Lam  <mark.lam@apple.com>
1790
1791         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1792         https://bugs.webkit.org/show_bug.cgi?id=192386
1793         <rdar://problem/46445516>
1794
1795         Reviewed by Saam Barati.
1796
1797         * stress/regress-192386.js: Added.
1798
1799 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1800
1801         [ESNext][BigInt] Support logic operations
1802         https://bugs.webkit.org/show_bug.cgi?id=179903
1803
1804         Reviewed by Yusuke Suzuki.
1805
1806         * stress/big-int-branch-usage.js: Added.
1807         * stress/big-int-logical-and.js: Added.
1808         * stress/big-int-logical-not.js: Added.
1809         * stress/big-int-logical-or.js: Added.
1810
1811 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1812
1813         Unreviewed, rolling out r238833.
1814
1815         Breaks macOS and iOS debug builds.
1816
1817         Reverted changeset:
1818
1819         "[ESNext][BigInt] Support logic operations"
1820         https://bugs.webkit.org/show_bug.cgi?id=179903
1821         https://trac.webkit.org/changeset/238833
1822
1823 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1824
1825         [ESNext][BigInt] Support logic operations
1826         https://bugs.webkit.org/show_bug.cgi?id=179903
1827
1828         Reviewed by Yusuke Suzuki.
1829
1830         * stress/big-int-branch-usage.js: Added.
1831         * stress/big-int-logical-and.js: Added.
1832         * stress/big-int-logical-not.js: Added.
1833         * stress/big-int-logical-or.js: Added.
1834
1835 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1836
1837         [ESNext][BigInt] Implement support for "<<" and ">>"
1838         https://bugs.webkit.org/show_bug.cgi?id=186233
1839
1840         Reviewed by Yusuke Suzuki.
1841
1842         * stress/big-int-left-shift-general.js: Added.
1843         * stress/big-int-left-shift-range-error.js: Added.
1844         * stress/big-int-left-shift-type-error.js: Added.
1845         * stress/big-int-left-shift-wrapped-value.js: Added.
1846         * stress/big-int-right-shift-general.js: Added.
1847         * stress/big-int-right-shift-type-error.js: Added.
1848         * stress/big-int-right-shift-wrapped-value.js: Added.
1849         * stress/left-shift-to-primitive-precedence.js: Added.
1850         * stress/right-shift-to-primitive-precedence.js: Added.
1851
1852 2018-11-30  Dean Jackson  <dino@apple.com>
1853
1854         Add first-class support for .mjs files in jsc binary
1855         https://bugs.webkit.org/show_bug.cgi?id=192190
1856         <rdar://problem/46375715>
1857
1858         Reviewed by Keith Miller.
1859
1860         * stress/simple-module.mjs: Added.
1861         * stress/simple-script.js: Added.
1862
1863 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1864
1865         [BigInt] Implement ValueBitXor into DFG
1866         https://bugs.webkit.org/show_bug.cgi?id=190264
1867
1868         Reviewed by Yusuke Suzuki.
1869
1870         * stress/big-int-bitwise-xor-jit.js: Added.
1871         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1872         * stress/big-int-bitwise-xor-untyped.js: Added.
1873
1874 2018-11-27  Saam barati  <sbarati@apple.com>
1875
1876         r238510 broke scopes of size zero
1877         https://bugs.webkit.org/show_bug.cgi?id=192033
1878         <rdar://problem/46281734>
1879
1880         Reviewed by Keith Miller.
1881
1882         * stress/r238510-bad-loop.js: Added.
1883         (foo):
1884
1885 2018-11-27  Mark Lam  <mark.lam@apple.com>
1886
1887         [Re-landing] NaNs read from Wasm code needs to be purified.
1888         https://bugs.webkit.org/show_bug.cgi?id=191056
1889         <rdar://problem/45660341>
1890
1891         Reviewed by Filip Pizlo.
1892
1893         * wasm/regress/regress-191056.js: Added.
1894
1895 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1896
1897         Unreviewed, rolling out r238509.
1898
1899         Causes JSC tests to fail on iOS.
1900
1901         Reverted changeset:
1902
1903         "NaNs read from Wasm code needs to be purified."
1904         https://bugs.webkit.org/show_bug.cgi?id=191056
1905         https://trac.webkit.org/changeset/238509
1906
1907 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1908
1909         Re-introduce op_bitnot
1910         https://bugs.webkit.org/show_bug.cgi?id=190923
1911
1912         Reviewed by Yusuke Suzuki.
1913
1914         * stress/bit-not-must-generate.js: Added.
1915         * stress/bitwise-not-no-int32.js: Added.
1916
1917 2018-11-26  Saam barati  <sbarati@apple.com>
1918
1919         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1920         https://bugs.webkit.org/show_bug.cgi?id=191956
1921         <rdar://problem/45665806>
1922
1923         Reviewed by Yusuke Suzuki.
1924
1925         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1926         (bar):
1927         (foo):
1928
1929 2018-11-26  Saam barati  <sbarati@apple.com>
1930
1931         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1932         https://bugs.webkit.org/show_bug.cgi?id=191958
1933         <rdar://problem/46221877>
1934
1935         Reviewed by Yusuke Suzuki.
1936
1937         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1938         (x):
1939         (foo):
1940
1941 2018-11-26  Mark Lam  <mark.lam@apple.com>
1942
1943         NaNs read from Wasm code needs to be purified.
1944         https://bugs.webkit.org/show_bug.cgi?id=191056
1945         <rdar://problem/45660341>
1946
1947         Reviewed by Filip Pizlo.
1948
1949         * wasm/regress/regress-191056.js: Added.
1950
1951 2018-11-26  Michael Saboff  <msaboff@apple.com>
1952
1953         32-bit JSC test failure: stress/regexp-compile-oom.js
1954         https://bugs.webkit.org/show_bug.cgi?id=191375
1955
1956         Reviewed by Mark Lam.
1957
1958         Disabled the test for 32 bit platforms.
1959
1960         * stress/regexp-compile-oom.js:
1961
1962 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1963
1964         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1965         https://bugs.webkit.org/show_bug.cgi?id=191716
1966         <rdar://problem/45723878>
1967
1968         Reviewed by Saam Barati.
1969
1970         * stress/regress-187373.js: Added.
1971         (async.fn):
1972
1973 2018-11-21  Saam barati  <sbarati@apple.com>
1974
1975         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1976         https://bugs.webkit.org/show_bug.cgi?id=191897
1977         <rdar://problem/45871998>
1978
1979         Reviewed by Mark Lam.
1980
1981         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1982         (bar):
1983         (foo):
1984
1985 2018-11-21  Saam barati  <sbarati@apple.com>
1986
1987         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1988         https://bugs.webkit.org/show_bug.cgi?id=191895
1989         <rdar://problem/46167406>
1990
1991         Reviewed by Mark Lam.
1992
1993         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1994         (foo):
1995         (bar):
1996
1997 2018-11-21  Mark Lam  <mark.lam@apple.com>
1998
1999         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2000         https://bugs.webkit.org/show_bug.cgi?id=191776
2001         <rdar://problem/46152851>
2002
2003         Reviewed by Saam Barati.
2004
2005         * stress/big-wasm-memory-grow-no-max.js:
2006         * stress/big-wasm-memory-grow.js:
2007         * stress/big-wasm-memory.js:
2008         - updated these to expect an OutOfMemoryError.
2009
2010         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2011         (Binary.prototype.emit_u8):
2012         (Binary.prototype.emit_u32v):
2013         (Binary.prototype.emit_header):
2014         (Binary.prototype.emit_section):
2015         (Binary):
2016         (WasmModuleBuilder):
2017         (WasmModuleBuilder.prototype.addMemory):
2018         (WasmModuleBuilder.prototype.toArray):
2019         (WasmModuleBuilder.prototype.toBuffer):
2020         (WasmModuleBuilder.prototype.instantiate):
2021         (catch):
2022         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2023         (catch):
2024
2025 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2026
2027         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2028         https://bugs.webkit.org/show_bug.cgi?id=190836
2029
2030         Reviewed by Saam Barati and Yusuke Suzuki.
2031
2032         * stress/big-int-out-of-memory-tests.js: Added.
2033
2034 2018-11-20  Mark Lam  <mark.lam@apple.com>
2035
2036         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2037         https://bugs.webkit.org/show_bug.cgi?id=191856
2038         <rdar://problem/46089992>
2039
2040         Reviewed by Yusuke Suzuki.
2041
2042         * stress/regress-191856.js: Added.
2043         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2044
2045 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2046
2047         Enable JIT on ARM/Linux
2048         https://bugs.webkit.org/show_bug.cgi?id=191548
2049
2050         Reviewed by Yusuke Suzuki.
2051
2052         Disable test on system with limited memory. Program was killed by
2053         the OS before the exception was thrown.
2054
2055         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2056
2057 2018-11-20  Saam barati  <sbarati@apple.com>
2058
2059         Merging an IC variant may lead to the IC status containing overlapping structure sets
2060         https://bugs.webkit.org/show_bug.cgi?id=191869
2061         <rdar://problem/45403453>
2062
2063         Reviewed by Mark Lam.
2064
2065         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2066
2067 2018-11-19  Mark Lam  <mark.lam@apple.com>
2068
2069         globalFuncImportModule() should return a promise when it clears exceptions.
2070         https://bugs.webkit.org/show_bug.cgi?id=191792
2071         <rdar://problem/46090763>
2072
2073         Reviewed by Michael Saboff.
2074
2075         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2076
2077 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2078
2079         Skip new memory-hungry tests on memory limited devices
2080
2081         Unreviewed gardening.
2082
2083         * stress/big-wasm-memory-grow-no-max.js:
2084         * stress/big-wasm-memory-grow.js:
2085         * stress/big-wasm-memory.js:
2086
2087 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2088
2089         Unreviewed, rolling in the rest of r237254
2090         https://bugs.webkit.org/show_bug.cgi?id=190340
2091
2092         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2093         * stress/function-cache-with-parameters-end-position.js: Added.
2094         (shouldBe):
2095         (shouldThrow):
2096         (i.anonymous):
2097         * stress/function-constructor-name.js: Added.
2098         (shouldBe):
2099         (GeneratorFunction):
2100         (AsyncFunction.async):
2101         (AsyncGeneratorFunction.async):
2102         (anonymous):
2103         (async.anonymous):
2104         * test262/expectations.yaml:
2105
2106 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2107
2108         All users of ArrayBuffer should agree on the same max size
2109         https://bugs.webkit.org/show_bug.cgi?id=191771
2110
2111         Reviewed by Mark Lam.
2112
2113         * stress/big-wasm-memory-grow-no-max.js: Added.
2114         (foo):
2115         (catch):
2116         * stress/big-wasm-memory-grow.js: Added.
2117         (foo):
2118         (catch):
2119         * stress/big-wasm-memory.js: Added.
2120         (foo):
2121         (catch):
2122
2123 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2124
2125         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2126         run for each JSC config since they're regression tests for runtime bugs.
2127
2128         * stress/json-stringified-overflow-2.js:
2129         * stress/json-stringified-overflow.js:
2130
2131 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2132
2133         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2134         config since they're regression tests for runtime bugs.
2135
2136         * stress/large-unshift-splice.js:
2137         * stress/regress-185888.js:
2138
2139 2018-11-16  Saam Barati  <sbarati@apple.com>
2140
2141         KnownCellUse should also have SpecCellCheck as its type filter
2142         https://bugs.webkit.org/show_bug.cgi?id=191729
2143         <rdar://problem/45872852>
2144
2145         Reviewed by Filip Pizlo.
2146
2147         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2148         (C):
2149
2150 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2151
2152         Fix assertion failure on BytecodeGenerator::recordOpcode
2153         https://bugs.webkit.org/show_bug.cgi?id=191724
2154         <rdar://problem/45724395>
2155
2156         Reviewed by Saam Barati.
2157
2158         * stress/regress-187373-2.js: Added.
2159         (foo):
2160
2161 2018-11-15  Mark Lam  <mark.lam@apple.com>
2162
2163         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2164         https://bugs.webkit.org/show_bug.cgi?id=191730
2165         <rdar://problem/46048517>
2166
2167         Reviewed by Saam Barati.
2168
2169         * stress/regress-187006.js: Removed.
2170           - this test is invalid because its sole purpose is to test for the non-spec
2171             compliant behavior that we just fixed.
2172
2173         * stress/regress-191730.js: Added.
2174
2175 2018-11-15  Mark Lam  <mark.lam@apple.com>
2176
2177         RegExp operations should not take fast path if lastIndex is not numeric.
2178         https://bugs.webkit.org/show_bug.cgi?id=191731
2179         <rdar://problem/46017305>
2180
2181         Reviewed by Saam Barati.
2182
2183         * stress/regress-191731.js: Added.
2184
2185 2018-11-13  Saam Barati  <sbarati@apple.com>
2186
2187         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2188         https://bugs.webkit.org/show_bug.cgi?id=191600
2189
2190         Reviewed by Mark Lam.
2191
2192         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2193         (foo):
2194         (test):
2195         (bar):
2196
2197 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2198
2199         Unreviewed, rolling out r238132.
2200
2201         The test added with this change is timing out on Debug JSC
2202         bots.
2203
2204         Reverted changeset:
2205
2206         "[BigInt] JSBigInt::createWithLength should throw when length
2207         is greater than JSBigInt::maxLength"
2208         https://bugs.webkit.org/show_bug.cgi?id=190836
2209         https://trac.webkit.org/changeset/238132
2210
2211 2018-11-13  Mark Lam  <mark.lam@apple.com>
2212
2213         Add OOM detection to StringPrototype's substituteBackreferences().
2214         https://bugs.webkit.org/show_bug.cgi?id=191563
2215         <rdar://problem/45720428>
2216
2217         Reviewed by Saam Barati.
2218
2219         * stress/regress-191563.js: Added.
2220
2221 2018-11-13  Mark Lam  <mark.lam@apple.com>
2222
2223         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2224         https://bugs.webkit.org/show_bug.cgi?id=191579
2225         <rdar://problem/45942472>
2226
2227         Reviewed by Saam Barati.
2228
2229         * stress/regress-191579.js: Added.
2230
2231 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2232
2233         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2234         https://bugs.webkit.org/show_bug.cgi?id=190836
2235
2236         Reviewed by Saam Barati.
2237
2238         * stress/big-int-out-of-memory-tests.js: Added.
2239
2240 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2241
2242         U+180E is no longer a whitespace character
2243         https://bugs.webkit.org/show_bug.cgi?id=191415
2244
2245         Reviewed by Saam Barati.
2246
2247         * ChakraCore/test/es5/regexSpace.baseline:
2248         * ChakraCore/test/es6/unicode_whitespace.js:
2249         Update tests to latest version.
2250         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2251
2252         * test262.yaml:
2253         * test262/config.yaml:
2254         * test262/expectations.yaml:
2255         Update expectations.
2256
2257 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2258
2259         [BigInt] Add support to BigInt into ValueAdd
2260         https://bugs.webkit.org/show_bug.cgi?id=186177
2261
2262         Reviewed by Keith Miller.
2263
2264         * stress/big-int-negate-jit.js:
2265         * stress/value-add-big-int-and-string.js: Added.
2266         * stress/value-add-big-int-prediction-propagation.js: Added.
2267         * stress/value-add-big-int-untyped.js: Added.
2268
2269 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2270
2271         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2272         https://bugs.webkit.org/show_bug.cgi?id=191184
2273
2274         Reviewed by Saam Barati.
2275
2276         Most tests were failing due to timeouts, since they are too slow to
2277         run on CLoop. The exceptions are:
2278
2279         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2280         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2281         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2282         to change the stack size since CLoop requires it to be page aligned.
2283
2284         * microbenchmarks/array-push-1.js:
2285         * microbenchmarks/array-push-2.js:
2286         * microbenchmarks/elidable-new-object-dag.js:
2287         * microbenchmarks/elidable-new-object-roflcopter.js:
2288         * microbenchmarks/elidable-new-object-tree.js:
2289         * microbenchmarks/getter-richards.js:
2290         * microbenchmarks/sinkable-new-object-dag.js:
2291         * microbenchmarks/string-concat-long-convert.js:
2292         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2293         * slowMicrobenchmarks/array-push-3.js:
2294         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2295         * slowMicrobenchmarks/spread-small-array.js:
2296         * slowMicrobenchmarks/undefined-property-access.js:
2297         * stress/activation-sink-default-value-tdz-error.js:
2298         * stress/activation-sink-default-value.js:
2299         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2300         * stress/activation-sink-osrexit-default-value.js:
2301         * stress/activation-sink-osrexit.js:
2302         * stress/activation-sink.js:
2303         * stress/allow-math-ic-b3-code-duplication.js:
2304         * stress/array-push-multiple-int32.js:
2305         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2306         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2307         * stress/arrowfunction-lexical-this-activation-sink.js:
2308         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2309         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2310         * stress/elide-new-object-dag-then-exit.js:
2311         * stress/materialize-regexp-cyclic.js:
2312         * stress/new-regex-inline.js:
2313         * stress/op_add.js:
2314         * stress/op_bitand.js:
2315         * stress/op_bitor.js:
2316         * stress/op_bitxor.js:
2317         * stress/op_div-ConstVar.js:
2318         * stress/op_div-VarConst.js:
2319         * stress/op_div-VarVar.js:
2320         * stress/op_lshift-ConstVar.js:
2321         * stress/op_lshift-VarConst.js:
2322         * stress/op_lshift-VarVar.js:
2323         * stress/op_mod-ConstVar.js:
2324         * stress/op_mod-VarConst.js:
2325         * stress/op_mod-VarVar.js:
2326         * stress/op_mul-ConstVar.js:
2327         * stress/op_mul-VarConst.js:
2328         * stress/op_mul-VarVar.js:
2329         * stress/op_rshift-ConstVar.js:
2330         * stress/op_rshift-VarConst.js:
2331         * stress/op_rshift-VarVar.js:
2332         * stress/op_sub-ConstVar.js:
2333         * stress/op_sub-VarConst.js:
2334         * stress/op_sub-VarVar.js:
2335         * stress/op_urshift-ConstVar.js:
2336         * stress/op_urshift-VarConst.js:
2337         * stress/op_urshift-VarVar.js:
2338         * stress/proxy-get-set-correct-receiver.js:
2339         * stress/regress-179562.js:
2340         * stress/rest-parameter-many-arguments.js:
2341         * stress/sampling-profiler-richards.js:
2342         * stress/splay-flash-access-1ms.js:
2343         * stress/tailCallForwardArguments.js:
2344         * stress/typed-array-get-by-val-profiling.js:
2345         * typeProfiler/getter-richards.js:
2346
2347 2018-11-06  Michael Saboff  <msaboff@apple.com>
2348
2349         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2350         https://bugs.webkit.org/show_bug.cgi?id=191271
2351
2352         Reviewed by Saam Barati.
2353
2354         Added more test cases and made all test cases run with the same deeply recursive stack
2355         instead of finding that same point for each test case.
2356
2357         * stress/regexp-compile-oom.js:
2358         (prototype.runTest):
2359         (recurseAndTest):
2360         (testList.push.new.TestAndExpectedException):
2361
2362 2018-11-05  Michael Saboff  <msaboff@apple.com>
2363
2364         Unreviewed build fix for linux.
2365
2366         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2367
2368 2018-11-02  Michael Saboff  <msaboff@apple.com>
2369
2370         Rolling in r237753 with unreviewed build fix.
2371
2372         Fixed issues with DECLARE_THROW_SCOPE placement.
2373
2374 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2375
2376         Unreviewed, rolling out r237753.
2377
2378         Introduced JSC test failures
2379
2380         Reverted changeset:
2381
2382         "Running out of stack space not properly handled in
2383         RegExp::compile() and its callers"
2384         https://bugs.webkit.org/show_bug.cgi?id=191206
2385         https://trac.webkit.org/changeset/237753
2386
2387 2018-11-02  Michael Saboff  <msaboff@apple.com>
2388
2389         Running out of stack space not properly handled in RegExp::compile() and its callers
2390         https://bugs.webkit.org/show_bug.cgi?id=191206
2391
2392         Reviewed by Filip Pizlo.
2393
2394         New regression test.
2395
2396         * stress/regexp-compile-oom.js: Added.
2397         (recurseAndTest):
2398
2399 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2400
2401         Skip tests on arm/mips that time out now we're running on CLoop
2402
2403         Unreviewed gardening.
2404
2405         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2406         time out on the bots and need to be disabled. There's more tests
2407         disabled on arm because the timeout is longer on the mips bot (as the
2408         device is slower to start with), so many of the tests don't time out
2409         there.
2410
2411         * microbenchmarks/getter-richards.js: disable on arm and mips.
2412         * stress/op_add.js: disable on arm.
2413         * stress/op_bitand.js: disable on arm.
2414         * stress/op_bitor.js: disable on arm.
2415         * stress/op_bitxor.js: disable on arm.
2416         * stress/op_lshift-ConstVar.js: disable on arm.
2417         * stress/op_lshift-VarConst.js: disable on arm.
2418         * stress/op_lshift-VarVar.js: disable on arm.
2419         * stress/op_mod-ConstVar.js: disable on arm.
2420         * stress/op_mod-VarConst.js: disable on arm.
2421         * stress/op_mod-VarVar.js: disable on arm.
2422         * stress/op_mul-ConstVar.js: disable on arm.
2423         * stress/op_mul-VarConst.js: disable on arm.
2424         * stress/op_mul-VarVar.js: disable on arm.
2425         * stress/op_rshift-ConstVar.js: disable on arm.
2426         * stress/op_rshift-VarConst.js: disable on arm.
2427         * stress/op_rshift-VarVar.js: disable on arm.
2428         * stress/op_sub-ConstVar.js: disable on arm.
2429         * stress/op_sub-VarConst.js: disable on arm.
2430         * stress/op_sub-VarVar.js: disable on arm.
2431         * stress/op_urshift-ConstVar.js: disable on arm.
2432         * stress/op_urshift-VarConst.js: disable on arm.
2433         * stress/op_urshift-VarVar.js: disable on arm.
2434         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2435         * stress/value-to-boolean.js: disable on arm and mips.
2436
2437 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2438
2439         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2440         https://bugs.webkit.org/show_bug.cgi?id=191108
2441         <rdar://problem/45690700>
2442
2443         Reviewed by Saam Barati.
2444
2445         * stress/wide-op_catch.js: Added.
2446         (catch):
2447
2448 2018-10-29  Mark Lam  <mark.lam@apple.com>
2449
2450         Correctly detect string overflow when using the 'Function' constructor.
2451         https://bugs.webkit.org/show_bug.cgi?id=184883
2452         <rdar://problem/36320331>
2453
2454         Reviewed by Saam Barati.
2455
2456         I've verified that this passes on 32-bit as well.
2457
2458         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2459
2460 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2461
2462         Add support for GetStack FlushedDouble
2463         https://bugs.webkit.org/show_bug.cgi?id=191012
2464         <rdar://problem/45265141>
2465
2466         Reviewed by Saam Barati.
2467
2468         * stress/get-stack-double.js: Added.
2469         (bar):
2470         (noInline):
2471
2472 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2473
2474         New bytecode format for JSC
2475         https://bugs.webkit.org/show_bug.cgi?id=187373
2476         <rdar://problem/44186758>
2477
2478         Reviewed by Filip Pizlo.
2479
2480         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2481
2482         * stress/maximum-inline-capacity.js: Added.
2483         (test1):
2484         (test3.Foo):
2485         (test3):
2486
2487 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2488
2489         Unreviewed, rolling out r237479 and r237484.
2490         https://bugs.webkit.org/show_bug.cgi?id=190978
2491
2492         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2493
2494         Reverted changesets:
2495
2496         "New bytecode format for JSC"
2497         https://bugs.webkit.org/show_bug.cgi?id=187373
2498         https://trac.webkit.org/changeset/237479
2499
2500         "Gardening: Build fix after r237479."
2501         https://bugs.webkit.org/show_bug.cgi?id=187373
2502         https://trac.webkit.org/changeset/237484
2503
2504 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2505
2506         New bytecode format for JSC
2507         https://bugs.webkit.org/show_bug.cgi?id=187373
2508         <rdar://problem/44186758>
2509
2510         Reviewed by Filip Pizlo.
2511
2512         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2513
2514         * stress/maximum-inline-capacity.js: Added.
2515         (test1):
2516         (test3.Foo):
2517         (test3):
2518
2519 2018-10-26  Mark Lam  <mark.lam@apple.com>
2520
2521         Fix missing edge cases with JSGlobalObjects having a bad time.
2522         https://bugs.webkit.org/show_bug.cgi?id=189028
2523         <rdar://problem/45204939>
2524
2525         Reviewed by Saam Barati.
2526
2527         * stress/regress-189028.js: Added.
2528
2529 2018-10-22  Mark Lam  <mark.lam@apple.com>
2530
2531         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2532         https://bugs.webkit.org/show_bug.cgi?id=190515
2533         <rdar://problem/45222379>
2534
2535         Rubber-stamped by Saam Barati.
2536
2537         Adding another test.
2538
2539         * stress/regress-190515-2.js: Added.
2540
2541 2018-10-22  Mark Lam  <mark.lam@apple.com>
2542
2543         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2544         https://bugs.webkit.org/show_bug.cgi?id=190515
2545         <rdar://problem/45222379>
2546
2547         Reviewed by Saam Barati.
2548
2549         * stress/regress-190515.js: Added.
2550
2551 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2552
2553         Unreviewed, rolling out r237254.
2554         https://bugs.webkit.org/show_bug.cgi?id=190760
2555
2556         "It regresses JetStream 2 by 5% on some iOS devices"
2557         (Requested by saamyjoon on #webkit).
2558
2559         Reverted changeset:
2560
2561         "[JSC] JSC should have "parseFunction" to optimize Function
2562         constructor"
2563         https://bugs.webkit.org/show_bug.cgi?id=190340
2564         https://trac.webkit.org/changeset/237254
2565
2566 2018-10-19  Saam Barati  <sbarati@apple.com>
2567
2568         vmCall should check if we exit before emitting an OSR exit due to exceptions
2569         https://bugs.webkit.org/show_bug.cgi?id=190740
2570         <rdar://problem/45220139>
2571
2572         Reviewed by Mark Lam.
2573
2574         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2575         (foo):
2576
2577 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2578
2579         [ESNext][BigInt] Implement support for "^"
2580         https://bugs.webkit.org/show_bug.cgi?id=186235
2581
2582         Reviewed by Yusuke Suzuki.
2583
2584         * stress/big-int-bitwise-xor-general.js: Added.
2585         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2586         * stress/big-int-bitwise-xor-type-error.js: Added.
2587         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2588
2589 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2590
2591         [BigInt] Add ValueSub into DFG
2592         https://bugs.webkit.org/show_bug.cgi?id=186176
2593
2594         Reviewed by Yusuke Suzuki.
2595
2596         * stress/big-int-subtraction-jit.js:
2597         * stress/value-sub-big-int-prediction-propagation.js: Added.
2598         * stress/value-sub-big-int-untyped.js: Added.
2599         * stress/value-sub-spec-none-case.js: Added.
2600
2601 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2602
2603         [JSC] JSC should have "parseFunction" to optimize Function constructor
2604         https://bugs.webkit.org/show_bug.cgi?id=190340
2605
2606         Reviewed by Mark Lam.
2607
2608         This patch fixes the line number of syntax errors raised by the Function constructor,
2609         since we now parse the final code only once. And we no longer use block statement
2610         for Function constructor's parsing.
2611
2612         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2613         * stress/function-cache-with-parameters-end-position.js: Added.
2614         (shouldBe):
2615         (shouldThrow):
2616         (i.anonymous):
2617         * stress/function-constructor-name.js: Added.
2618         (shouldBe):
2619         (GeneratorFunction):
2620         (AsyncFunction.async):
2621         (AsyncGeneratorFunction.async):
2622         (anonymous):
2623         (async.anonymous):
2624         * test262/expectations.yaml:
2625
2626 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2627
2628         Unreviewed, rolling out r237242.
2629         https://bugs.webkit.org/show_bug.cgi?id=190701
2630
2631         it breaks "stress/sampling-profiler-basic.js" (Requested by
2632         caiolima on #webkit).
2633
2634         Reverted changeset:
2635
2636         "[BigInt] Add ValueSub into DFG"
2637         https://bugs.webkit.org/show_bug.cgi?id=186176
2638         https://trac.webkit.org/changeset/237242
2639
2640 2018-10-17  Keith Miller  <keith_miller@apple.com>
2641
2642         AI does not clear Phantom allocation nodes.
2643         https://bugs.webkit.org/show_bug.cgi?id=190694
2644
2645         Reviewed by Saam Barati.
2646
2647         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2648         (Day):
2649         (DaysInYear):
2650         (TimeInYear):
2651         (TimeFromYear):
2652         (DayFromYear):
2653         (InLeapYear):
2654         (YearFromTime):
2655         (WeekDay):
2656         (DaylightSavingTA):
2657         (GetSecondSundayInMarch):
2658         (TimeInMonth):
2659
2660 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2661
2662         [BigInt] Add ValueSub into DFG
2663         https://bugs.webkit.org/show_bug.cgi?id=186176
2664
2665         Reviewed by Yusuke Suzuki.
2666
2667         * stress/big-int-subtraction-jit.js:
2668         * stress/value-sub-big-int-prediction-propagation.js: Added.
2669         * stress/value-sub-big-int-untyped.js: Added.
2670
2671 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2672
2673         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2674         https://bugs.webkit.org/show_bug.cgi?id=190611
2675
2676         Reviewed by Saam Barati.
2677
2678         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2679         to improve test runtime. On ARM/MIPS this test even timed out when running all
2680         tests.
2681
2682         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2683         (test):
2684
2685 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2686
2687         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2688
2689         Unreviewed gardening.
2690
2691         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2692
2693 2018-10-15  Saam barati  <sbarati@apple.com>
2694
2695         Emit fjcvtzs on ARM64E on Darwin
2696         https://bugs.webkit.org/show_bug.cgi?id=184023
2697
2698         Reviewed by Yusuke Suzuki and Filip Pizlo.
2699
2700         * stress/double-to-int32-NaN.js: Added.
2701         (assert):
2702         (foo):
2703
2704 2018-10-15  Saam Barati  <sbarati@apple.com>
2705
2706         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2707         https://bugs.webkit.org/show_bug.cgi?id=190262
2708         <rdar://problem/44986241>
2709
2710         Reviewed by Mark Lam.
2711
2712         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2713         (test):
2714         * stress/slice-array-storage-with-holes.js: Added.
2715         (main):
2716
2717 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2718
2719         Unreviewed, rolling out r237054.
2720         https://bugs.webkit.org/show_bug.cgi?id=190593
2721
2722         "this regressed JetStream 2 by 6% on iOS" (Requested by
2723         saamyjoon on #webkit).
2724
2725         Reverted changeset:
2726
2727         "[JSC] JSC should have "parseFunction" to optimize Function
2728         constructor"
2729         https://bugs.webkit.org/show_bug.cgi?id=190340
2730         https://trac.webkit.org/changeset/237054
2731
2732 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2733
2734         [JSC] JSON.stringify can accept call-with-no-arguments
2735         https://bugs.webkit.org/show_bug.cgi?id=190343
2736
2737         Reviewed by Mark Lam.
2738
2739         * stress/json-stringify-no-arguments.js: Added.
2740         (shouldBe):
2741
2742 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2743
2744         [JSC] JSC should have "parseFunction" to optimize Function constructor
2745         https://bugs.webkit.org/show_bug.cgi?id=190340
2746
2747         Reviewed by Mark Lam.
2748
2749         This patch fixes the line number of syntax errors raised by the Function constructor,
2750         since we now parse the final code only once. And we no longer use block statement
2751         for Function constructor's parsing.
2752
2753         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2754         * stress/function-cache-with-parameters-end-position.js: Added.
2755         (shouldBe):
2756         (shouldThrow):
2757         (i.anonymous):
2758         * stress/function-constructor-name.js: Added.
2759         (shouldBe):
2760         (GeneratorFunction):
2761         (AsyncFunction.async):
2762         (AsyncGeneratorFunction.async):
2763         (anonymous):
2764         (async.anonymous):
2765         * test262/expectations.yaml:
2766
2767 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2768
2769         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2770         https://bugs.webkit.org/show_bug.cgi?id=190426
2771
2772         Unreviewed gardening.
2773
2774         * stress/sampling-profiler-richards.js:
2775
2776 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2777
2778         [ESNext][BigInt] Implement support for "|"
2779         https://bugs.webkit.org/show_bug.cgi?id=186229
2780
2781         Reviewed by Yusuke Suzuki.
2782
2783         * stress/big-int-bitwise-and-jit.js:
2784         * stress/big-int-bitwise-or-general.js: Added.
2785         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2786         * stress/big-int-bitwise-or-jit.js: Added.
2787         * stress/big-int-bitwise-or-memory-stress.js: Added.
2788         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2789         * stress/big-int-bitwise-or-type-error.js: Added.
2790         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2791
2792 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2793
2794         Skip test on systems with limited memory
2795         https://bugs.webkit.org/show_bug.cgi?id=190310
2796
2797         Invoking runDefault adds test to runlist; skipping the test in the next
2798         line does not prevent the test from executing. Change order of lines such
2799         that runDefault is only executed if test is not executed.
2800
2801         Reviewed by Mark Lam.
2802
2803         * stress/regress-190187.js:
2804
2805 2018-10-03  Saam barati  <sbarati@apple.com>
2806
2807         lowXYZ in FTLLower should always filter the type of the incoming edge
2808         https://bugs.webkit.org/show_bug.cgi?id=189939
2809         <rdar://problem/44407030>
2810
2811         Reviewed by Michael Saboff.
2812
2813         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2814         (foo):
2815         (test):
2816
2817 2018-10-03  Mark Lam  <mark.lam@apple.com>
2818
2819         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2820         https://bugs.webkit.org/show_bug.cgi?id=190187
2821         <rdar://problem/42512909>
2822
2823         Reviewed by Michael Saboff.
2824
2825         * stress/regress-190187.js: Added.
2826
2827 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2828
2829         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2830         https://bugs.webkit.org/show_bug.cgi?id=190033
2831
2832         Reviewed by Yusuke Suzuki.
2833
2834         * stress/big-int-to-string.js:
2835
2836 2018-10-01  Mark Lam  <mark.lam@apple.com>
2837
2838         Function.toString() should also copy the source code of Functions that are class definitions.
2839         https://bugs.webkit.org/show_bug.cgi?id=190186
2840         <rdar://problem/44733360>
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/regress-190186.js: Added.
2845
2846 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2847
2848         Split NaN-check into separate test
2849         https://bugs.webkit.org/show_bug.cgi?id=190010
2850
2851         Reviewed by Saam Barati.
2852
2853         DataView exposes NaN-representation, which is not necessarily the same on each
2854         architecture. Therefore move the check of the NaN-representation into its own
2855         file such that we can disable this test on MIPS where NaN-representation can be
2856         different on older CPUs.
2857
2858         * stress/dataview-jit-set-nan.js: Added.
2859         (assert):
2860         (test.storeLittleEndian):
2861         (test.storeBigEndian):
2862         (test.store):
2863         (test):
2864         * stress/dataview-jit-set.js:
2865         (test5):
2866
2867 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2868
2869         Unreviewed, rolling out r236647.
2870         https://bugs.webkit.org/show_bug.cgi?id=190124
2871
2872         Breaking test stress/big-int-to-string.js (Requested by
2873         caiolima_ on #webkit).
2874
2875         Reverted changeset:
2876
2877         "[BigInt] BigInt.prototype.toString is broken when radix is
2878         power of 2"
2879         https://bugs.webkit.org/show_bug.cgi?id=190033
2880         https://trac.webkit.org/changeset/236647
2881
2882 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2883
2884         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2885         https://bugs.webkit.org/show_bug.cgi?id=190033
2886
2887         Reviewed by Yusuke Suzuki.
2888
2889         * stress/big-int-to-string.js:
2890
2891 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2892
2893         [ESNext][BigInt] Implement support for "&"
2894         https://bugs.webkit.org/show_bug.cgi?id=186228
2895
2896         Reviewed by Yusuke Suzuki.
2897
2898         * stress/big-int-bitwise-and-general.js: Added.
2899         (assert):
2900         (assert.sameValue):
2901         * stress/big-int-bitwise-and-jit.js: Added.
2902         (let.assert.sameValue):
2903         (bigIntBitAnd):
2904         * stress/big-int-bitwise-and-memory-stress.js: Added.
2905         (assert):
2906         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2907         (assert.sameValue):
2908         (let.o.Symbol.toPrimitive):
2909         (catch):
2910         * stress/big-int-bitwise-and-type-error.js: Added.
2911         (assert):
2912         (assertThrowTypeError):
2913         (let.o.valueOf):
2914         (o.valueOf):
2915         (o.toString):
2916         (o.Symbol.toPrimitive):
2917         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2918         (assert.sameValue):
2919         (testBitAnd):
2920         (let.o.Symbol.toPrimitive):
2921         (o.valueOf):
2922         (o.toString):
2923
2924 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2925
2926         JSC test stress/jsc-read.js doesn't support CRLF
2927         https://bugs.webkit.org/show_bug.cgi?id=190063
2928
2929         Reviewed by Yusuke Suzuki.
2930
2931         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2932
2933         * stress/jsc-read.js:
2934         (test):
2935
2936 2018-09-27  Saam barati  <sbarati@apple.com>
2937
2938         Verify the contents of AssemblerBuffer on arm64e
2939         https://bugs.webkit.org/show_bug.cgi?id=190057
2940         <rdar://problem/38916630>
2941
2942         Reviewed by Mark Lam.
2943
2944         * stress/regress-189132.js:
2945
2946 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2947
2948         Disable test without LLInt on ARMv7
2949         https://bugs.webkit.org/show_bug.cgi?id=190037
2950
2951         Reviewed by Mark Lam.
2952
2953         Test runs out of executable memory on ARMv7; do not run
2954         this test without LLInt enabled.
2955
2956         * stress/regress-169445.js:
2957
2958 2018-09-26  Keith Miller  <keith_miller@apple.com>
2959
2960         We should zero unused property storage when rebalancing array storage.
2961         https://bugs.webkit.org/show_bug.cgi?id=188151
2962
2963         Reviewed by Michael Saboff.
2964
2965         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2966
2967 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2968
2969         [JSC] Optimize Array#lastIndexOf
2970         https://bugs.webkit.org/show_bug.cgi?id=189780
2971
2972         Reviewed by Saam Barati.
2973
2974         * stress/array-lastindexof-array-prototype-trap.js: Added.
2975         (shouldBe):
2976         (AncestorArray.prototype.get 2):
2977         (AncestorArray):
2978         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2979         (shouldBe):
2980         * stress/array-lastindexof-hole-nan.js: Added.
2981         (shouldBe):
2982         (throw.new.Error):
2983         * stress/array-lastindexof-infinity.js: Added.
2984         (shouldBe):
2985         (throw.new.Error):
2986         * stress/array-lastindexof-negative-zero.js: Added.
2987         (shouldBe):
2988         (throw.new.Error):
2989         * stress/array-lastindexof-own-getter.js: Added.
2990         (shouldBe):
2991         (throw.new.Error.get array):
2992         (get array):
2993         * stress/array-lastindexof-prototype-trap.js: Added.
2994         (shouldBe):
2995         (DerivedArray.prototype.get 2):
2996         (DerivedArray):
2997
2998 2018-09-25  Saam Barati  <sbarati@apple.com>
2999
3000         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3001         https://bugs.webkit.org/show_bug.cgi?id=189940
3002         <rdar://problem/43640987>
3003
3004         Reviewed by Mark Lam.
3005
3006         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3007
3008 2018-09-24  Saam Barati  <sbarati@apple.com>
3009
3010         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3011         https://bugs.webkit.org/show_bug.cgi?id=189922
3012         <rdar://problem/44651275>
3013
3014         Reviewed by Mark Lam.
3015
3016         * stress/array-indexof-fast-path-effects.js: Added.
3017         * stress/array-indexof-cached-length.js: Added.
3018
3019 2018-09-24  Saam barati  <sbarati@apple.com>
3020
3021         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3022         https://bugs.webkit.org/show_bug.cgi?id=189682
3023         <rdar://problem/43557315>
3024
3025         Reviewed by Mark Lam.
3026
3027         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3028         (foo):
3029
3030 2018-09-22  Saam barati  <sbarati@apple.com>
3031
3032         The sampling should not use Strong<CodeBlock> in its machineLocation field
3033         https://bugs.webkit.org/show_bug.cgi?id=189319
3034
3035         Reviewed by Filip Pizlo.
3036
3037         * stress/sampling-profiler-richards.js: Added.
3038
3039 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3040
3041         [JSC] Optimize Array#indexOf in C++ runtime
3042         https://bugs.webkit.org/show_bug.cgi?id=189507
3043
3044         Reviewed by Saam Barati.
3045
3046         * stress/array-indexof-array-prototype-trap.js: Added.
3047         (shouldBe):
3048         (AncestorArray.prototype.get 2):
3049         (AncestorArray):
3050         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3051         (shouldBe):
3052         * stress/array-indexof-hole-nan.js: Added.
3053         (shouldBe):
3054         (throw.new.Error):
3055         * stress/array-indexof-infinity.js: Added.
3056         (shouldBe):
3057         (throw.new.Error):
3058         * stress/array-indexof-negative-zero.js: Added.
3059         (shouldBe):
3060         (throw.new.Error):
3061         * stress/array-indexof-own-getter.js: Added.
3062         (shouldBe):
3063         (throw.new.Error.get array):
3064         (get array):
3065         * stress/array-indexof-prototype-trap.js: Added.
3066         (shouldBe):
3067         (DerivedArray.prototype.get 2):
3068         (DerivedArray):
3069
3070 2018-09-19  Saam barati  <sbarati@apple.com>
3071
3072         AI rule for MultiPutByOffset executes its effects in the wrong order
3073         https://bugs.webkit.org/show_bug.cgi?id=189757
3074         <rdar://problem/43535257>
3075
3076         Reviewed by Michael Saboff.
3077
3078         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3079         (foo):
3080         (Foo):
3081         (g):
3082
3083 2018-09-17  Mark Lam  <mark.lam@apple.com>
3084
3085         Ensure that ForInContexts are invalidated if their loop local is over-written.
3086         https://bugs.webkit.org/show_bug.cgi?id=189571
3087         <rdar://problem/44402277>
3088
3089         Reviewed by Saam Barati.
3090
3091         * stress/regress-189571.js: Added.
3092
3093 2018-09-17  Saam barati  <sbarati@apple.com>
3094
3095         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3096         https://bugs.webkit.org/show_bug.cgi?id=189676
3097         <rdar://problem/39682897>
3098
3099         Reviewed by Michael Saboff.
3100
3101         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3102         (A):
3103         (K):
3104         (i.catch):
3105
3106 2018-09-14  Saam barati  <sbarati@apple.com>
3107
3108         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3109         https://bugs.webkit.org/show_bug.cgi?id=189628
3110         <rdar://problem/39481690>
3111
3112         Reviewed by Mark Lam.
3113
3114         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3115         (foo):
3116
3117 2018-09-11  Mark Lam  <mark.lam@apple.com>
3118
3119         Test for array initialization in arrayProtoFuncSplice.
3120         https://bugs.webkit.org/show_bug.cgi?id=170253
3121         <rdar://problem/31328773>
3122
3123         Rubber-stamped by Saam Barati.
3124
3125         * stress/regress-170253.js: Added.
3126
3127 2018-09-11  Mark Lam  <mark.lam@apple.com>
3128
3129         Test for IntlObject initialization.
3130         https://bugs.webkit.org/show_bug.cgi?id=170251
3131         <rdar://problem/31328419>
3132
3133         Rubber-stamped by Saam Barati.
3134
3135         * stress/regress-170251.js: Added.
3136
3137 2018-09-11  Mark Lam  <mark.lam@apple.com>
3138
3139         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3140         https://bugs.webkit.org/show_bug.cgi?id=169889
3141         <rdar://problem/31155607>
3142
3143         Reviewed by Saam Barati.
3144
3145         * stress/regress-169889-array-concat.js: Added.
3146         * stress/regress-169889-array-concat1.js: Added.
3147         * stress/regress-169889-array-slice.js: Added.
3148
3149 2018-09-11  Mark Lam  <mark.lam@apple.com>
3150
3151         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3152         https://bugs.webkit.org/show_bug.cgi?id=169445
3153         <rdar://problem/30957435>
3154
3155         Reviewed by Saam Barati.
3156
3157         * stress/regress-169445.js: Added.
3158         (let.gun.eval.A):
3159         (let.gun.eval.B.C):
3160         (let.gun.eval.B.C.prototype.trigger):
3161         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3162         (let.gun.eval.B):
3163         (let.gun.eval):
3164
3165 == Rolled over to ChangeLog-2018-09-11 ==