[WebKit-https.git] / JSTests / ChangeLog
1 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
4         https://bugs.webkit.org/show_bug.cgi?id=197833
5
6         Reviewed by Darin Adler.
7
8         * stress/generator-name.js: Added.
9         (shouldBe):
10         (gen):
11         (catch):
12
13 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
14
15         JSObject::getOwnPropertyDescriptor is missing an exception check
16         https://bugs.webkit.org/show_bug.cgi?id=197693
17         <rdar://problem/50441784>
18
19         Reviewed by Saam Barati.
20
21         * stress/proxy-spread.js: Added.
22         (foo):
23
24 2019-05-10  Saam barati  <sbarati@apple.com>
25
26         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
27         https://bugs.webkit.org/show_bug.cgi?id=197807
28         <rdar://problem/50530400>
29
30         Reviewed by Yusuke Suzuki.
31
32         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
33         (test.getInstance):
34         (test):
35
36 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
37
38         [Test262] Unreviewed expectations update following r245188.
39
40         * test262/config.yaml:
41         * test262/expectations.yaml:
42
43         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
44         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
45         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
46         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
47         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
48         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
49         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
50         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
51         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
52         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
53         These files have invalid YAML comments. Will also submit corrections back to Test262.
54
55 2019-05-10  Keith Miller  <keith_miller@apple.com>
56
57         Update test262 tests.
58
59         Rubber-stamped by Yusuke Suzuki.
60
61         * test262/*: mega-patch too many things to list individually.
62
63 2019-05-09  Keith Miller  <keith_miller@apple.com>
64
65         Unreviewed, fix test to have a try-catch.
66
67         * stress/many-nested-functions-parser-stack-overflow.js:
68         (catch):
69
70 2019-05-09  Keith Miller  <keith_miller@apple.com>
71
72         parseStatementListItem needs a stack overflow check
73         https://bugs.webkit.org/show_bug.cgi?id=197749
74
75         Reviewed by Saam Barati.
76
77         * stress/many-nested-functions-parser-stack-overflow.js: Added.
78
79 2019-05-08  Saam barati  <sbarati@apple.com>
80
81         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
82         https://bugs.webkit.org/show_bug.cgi?id=197715
83         <rdar://problem/50399252>
84
85         Reviewed by Filip Pizlo.
86
87         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
88         (foo):
89         (bar):
90
91 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
92
93         Unreviewed, rolling out r245068.
94
95         Caused debug layout tests to exit early due to an assertion
96         failure.
97
98         Reverted changeset:
99
100         "All prototypes should call didBecomePrototype()"
101         https://bugs.webkit.org/show_bug.cgi?id=196315
102         https://trac.webkit.org/changeset/245068
103
104 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
105
106         Invalid DFG JIT generation in high CPU usage state
107         https://bugs.webkit.org/show_bug.cgi?id=197453
108
109         Reviewed by Saam Barati.
110
111         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
112         (trigger):
113         (main):
114
115 2019-05-08  Robin Morisset  <rmorisset@apple.com>
116
117         All prototypes should call didBecomePrototype()
118         https://bugs.webkit.org/show_bug.cgi?id=196315
119
120         Reviewed by Saam Barati.
121
122         This changelog already landed, but the commit was missing the actual changes.
123
124         * stress/function-prototype-indexed-accessor.js: Added.
125
126 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
127
128         [BigInt] Add ValueMod into DFG
129         https://bugs.webkit.org/show_bug.cgi?id=186174
130
131         Reviewed by Saam Barati.
132
133         * microbenchmarks/mod-untyped.js: Added.
134         * stress/big-int-mod-osr.js: Added.
135         * stress/value-div-ai-rule.js: Added.
136         * stress/value-mod-ai-rule.js: Added.
137
138 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
139
140         [JSC] DFG_ASSERT failed in lowInt52
141         https://bugs.webkit.org/show_bug.cgi?id=197569
142
143         Reviewed by Saam Barati.
144
145         * stress/getstack-int52.js: Added.
146         (opt):
147         (main):
148
149 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
150
151         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
152         https://bugs.webkit.org/show_bug.cgi?id=197479
153
154         Reviewed by Saam Barati.
155
156         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
157         (shouldBe):
158
159 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
160
161         TemplateObject passed to template literal tags are not always identical for the same source location.
162         https://bugs.webkit.org/show_bug.cgi?id=190756
163
164         Reviewed by Saam Barati.
165
166         * complex.yaml:
167         * complex/tagged-template-regeneration-after.js: Added.
168         (shouldBe):
169         * complex/tagged-template-regeneration.js: Added.
170         (call):
171         (test):
172         * modules/tagged-template-inside-module.js: Added.
173         (from.string_appeared_here.call):
174         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
175         (call):
176         (export.otherTaggedTemplates):
177         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
178         (shouldBe):
179         (call):
180         (poly):
181         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
182         (shouldBe):
183         (call):
184         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
185         (shouldBe):
186         (call):
187         (test):
188         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
189         (shouldBe):
190         (call):
191         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
192         (shouldBe):
193         (call):
194         * stress/tagged-templates-in-multiple-functions.js: Added.
195         (shouldBe):
196         (call):
197         (a):
198         (b):
199         (c):
200         * stress/tagged-templates-with-same-start-offset.js: Added.
201         (shouldBe):
202
203 2019-05-07  Robin Morisset  <rmorisset@apple.com>
204
205         All prototypes should call didBecomePrototype()
206         https://bugs.webkit.org/show_bug.cgi?id=196315
207
208         Reviewed by Saam Barati.
209
210         * stress/function-prototype-indexed-accessor.js: Added.
211
212 2019-05-07  Commit Queue  <commit-queue@webkit.org>
213
214         Unreviewed, rolling out r244978.
215         https://bugs.webkit.org/show_bug.cgi?id=197671
216
217         TemplateObject map should use start/end offsets (Requested by
218         yusukesuzuki on #webkit).
219
220         Reverted changeset:
221
222         "TemplateObject passed to template literal tags are not always
223         identical for the same source location."
224         https://bugs.webkit.org/show_bug.cgi?id=190756
225         https://trac.webkit.org/changeset/244978
226
227 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
228
229         tryCachePutByID should not crash if target offset changes
230         https://bugs.webkit.org/show_bug.cgi?id=197311
231         <rdar://problem/48033612>
232
233         Reviewed by Filip Pizlo.
234
235         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
236         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
237
238         * stress/cache-put-by-id-delete-prototype.js: Added.
239         (A.prototype.set y):
240         (A):
241         (B.prototype.set y):
242         (B):
243         (C):
244         * stress/cache-put-by-id-different-__proto__.js: Added.
245         (A.prototype.set y):
246         (A):
247         (B1):
248         (B2.prototype.set y):
249         (B2):
250         (C):
251         (D):
252         * stress/cache-put-by-id-different-attributes.js: Added.
253         (Foo):
254         (set x):
255         * stress/cache-put-by-id-different-offset.js: Added.
256         (Foo):
257         (set x):
258         * stress/cache-put-by-id-insert-prototype.js: Added.
259         (A.prototype.set y):
260         (A):
261         (C):
262         * stress/cache-put-by-id-poly-proto.js: Added.
263         (Foo):
264         (set _):
265         (createBar.Bar):
266         (createBar):
267
268 2019-05-07  Saam Barati  <sbarati@apple.com>
269
270         Don't OSR enter into an FTL CodeBlock that has been jettisoned
271         https://bugs.webkit.org/show_bug.cgi?id=197531
272         <rdar://problem/50162379>
273
274         Reviewed by Yusuke Suzuki.
275
276         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
277
278 2019-05-06  Dean Jackson  <dino@apple.com>
279
280         Update test262 expectations for Proxy passes
281         https://bugs.webkit.org/show_bug.cgi?id=197628
282
283         Reviewed by Yusuke Suzuki.
284
285         There are two consistent passes in Proxy.ownKeys.
286
287         * test262/expectations.yaml:
288
289 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
290
291         [JSC] We should check OOM for description string of Symbol
292         https://bugs.webkit.org/show_bug.cgi?id=197634
293
294         Reviewed by Keith Miller.
295
296         * stress/check-symbol-description-oom.js: Added.
297         (shouldThrow):
298
299 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
300
301         Unreviewed, land one more test
302         https://bugs.webkit.org/show_bug.cgi?id=197587
303
304         * stress/setter-frame-flush.js: Added.
305         (setter):
306         (foo):
307         (bar):
308
309 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
310
311         TemplateObject passed to template literal tags are not always identical for the same source location.
312         https://bugs.webkit.org/show_bug.cgi?id=190756
313
314         Reviewed by Saam Barati.
315
316         * complex.yaml:
317         * complex/tagged-template-regeneration-after.js: Added.
318         (shouldBe):
319         * complex/tagged-template-regeneration.js: Added.
320         (call):
321         (test):
322         * modules/tagged-template-inside-module.js: Added.
323         (from.string_appeared_here.call):
324         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
325         (call):
326         (export.otherTaggedTemplates):
327         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
328         (shouldBe):
329         (call):
330         (poly):
331         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
332         (shouldBe):
333         (call):
334         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
335         (shouldBe):
336         (call):
337         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
338         (shouldBe):
339         (call):
340         * stress/tagged-templates-in-multiple-functions.js: Added.
341         (shouldBe):
342         (call):
343         (a):
344         (b):
345         (c):
346
347 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
348
349         [PlayStation] JSC Stress tests failing due to timezone printing
350         https://bugs.webkit.org/show_bug.cgi?id=197615
351
352         PlayStation's strftime does not give timezone strings, which
353         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
354         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
355         which causes diff failures with the expectations. Add expectations
356         without the timezone string and use those on playstation.
357
358         Reviewed by Ross Kirsling.
359
360         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
361         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
362         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
363         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
364
365 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
366
367         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
368         https://bugs.webkit.org/show_bug.cgi?id=197587
369
370         Reviewed by Sam Weinig.
371
372         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
373
374         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
375
376 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
377
378         TypedArrays should not store properties that are canonical numeric indices
379         https://bugs.webkit.org/show_bug.cgi?id=197228
380         <rdar://problem/49557381>
381
382         Reviewed by Saam Barati.
383
384         * stress/array-species-config-array-constructor.js:
385         (test):
386         * stress/put-direct-index-broken-2.js:
387         * stress/typed-array-canonical-numeric-index-string.js: Added.
388         (makeTest.assert):
389         (makeTest):
390         (const.testInvalidIndices.makeTest.set assert):
391         (const.testInvalidIndices.makeTest):
392         (const.makeTestValidIndex.configurable.set assert):
393         (const.makeTestValidIndex.configurable):
394         * stress/typedarray-access-monomorphic-neutered.js:
395         (checkNoException):
396         (testNoException):
397         (testFTLNoException):
398         * stress/typedarray-access-neutered.js:
399         (testNoException):
400         * stress/typedarray-getownproperty-not-configurable.js:
401         (foo):
402         * test262/expectations.yaml:
403
404 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
405
406         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
407         https://bugs.webkit.org/show_bug.cgi?id=197584
408
409         Reviewed by Saam Barati.
410
411         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
412         (X):
413         (foo):
414
415 2019-05-03  Michael Saboff  <msaboff@apple.com>
416
417         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
418         https://bugs.webkit.org/show_bug.cgi?id=197586
419
420         Reviewed by Keith Miller.
421
422         We should only run one config of this test and only when we think we'll have the memory.
423
424         * stress/json-stringify-string-builder-overflow.js:
425
426 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
427
428         [JSC] Generator CodeBlock generation should be idempotent
429         https://bugs.webkit.org/show_bug.cgi?id=197552
430
431         Reviewed by Keith Miller.
432
433         Add complex.yaml, which controls how to run JSC shell more.
434         We split test files into two to run macro task between them which allows debugger to be attached to VM.
435
436         * complex.yaml: Added.
437         * complex/generator-regeneration-after.js: Added.
438         * complex/generator-regeneration.js: Added.
439         (gen):
440
441 2019-05-02  Michael Saboff  <msaboff@apple.com>
442
443         Unreviewed rollout of r244862.
444
445         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
446
447 2019-05-01  Saam barati  <sbarati@apple.com>
448
449         Baseline JIT should do argument value profiling after checking for stack overflow
450         https://bugs.webkit.org/show_bug.cgi?id=197052
451         <rdar://problem/50009602>
452
453         Reviewed by Yusuke Suzuki.
454
455         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
456
457 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
458
459         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
460         https://bugs.webkit.org/show_bug.cgi?id=197405
461
462         Reviewed by Saam Barati.
463
464         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
465         (foo):
466         (test):
467         (i.o.get f):
468         (i.o.set f):
469
470 2019-05-01  Michael Saboff  <msaboff@apple.com>
471
472         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
473         https://bugs.webkit.org/show_bug.cgi?id=197485
474
475         Reviewed by Saam Barati.
476
477         New test.
478
479         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
480         (foo):
481
482 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
483
484         Unreviewed correction to Test262 expectations following r244828.
485
486         * test262/expectations.yaml:
487
488 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
489
490         Add memory-limited skipping to some tests generating very large strings
491         https://bugs.webkit.org/show_bug.cgi?id=197437
492
493         Reviewed by Ross Kirsling.
494
495         * stress/StringObject-define-length-getter-rope-string-oom.js:
496         * stress/create-error-out-of-memory-rope-string.js:
497         * stress/string-16bit-repeat-overflow.js:
498
499 2019-04-30  Commit Queue  <commit-queue@webkit.org>
500
501         Unreviewed, rolling out r244806.
502         https://bugs.webkit.org/show_bug.cgi?id=197446
503
504         Causing Test262 and JSC test failures on multiple builds
505         (Requested by ShawnRoberts on #webkit).
506
507         Reverted changeset:
508
509         "TypeArrays should not store properties that are canonical
510         numeric indices"
511         https://bugs.webkit.org/show_bug.cgi?id=197228
512         https://trac.webkit.org/changeset/244806
513
514 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
515
516         TypeArrays should not store properties that are canonical numeric indices
517         https://bugs.webkit.org/show_bug.cgi?id=197228
518         <rdar://problem/49557381>
519
520         Reviewed by Darin Adler.
521
522         * stress/typed-array-canonical-numeric-index-string.js: Added.
523         (makeTest.assert):
524         (makeTest):
525         (const.testInvalidIndices.makeTest.set assert):
526         (const.testInvalidIndices.makeTest):
527         (const.testValidIndices.makeTest.set assert):
528         (const.testValidIndices.makeTest):
529
530 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
531
532         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
533         https://bugs.webkit.org/show_bug.cgi?id=197362
534
535         Reviewed by Saam Barati.
536
537         * stress/map-with-nan.js: Added.
538         (shouldBe):
539         (div):
540         (NaN1):
541         (NaN2):
542         (NaN3):
543         (NaN4):
544         (NaN1NoInline):
545         (NaN2NoInline):
546         (NaN3NoInline):
547         (NaN4NoInline):
548         (test1):
549         (test2):
550         (test3):
551         (test4):
552         * stress/set-with-nan.js: Added.
553         (shouldBe):
554         (div):
555         (NaN1):
556         (NaN2):
557         (NaN3):
558         (NaN4):
559         (NaN1NoInline):
560         (NaN2NoInline):
561         (NaN3NoInline):
562         (NaN4NoInline):
563         (test2):
564         (test4):
565
566 2019-04-26  Commit Queue  <commit-queue@webkit.org>
567
568         Unreviewed, rolling out r244708.
569         https://bugs.webkit.org/show_bug.cgi?id=197334
570
571         "Broke the debug build" (Requested by rmorisset on #webkit).
572
573         Reverted changeset:
574
575         "All prototypes should call didBecomePrototype()"
576         https://bugs.webkit.org/show_bug.cgi?id=196315
577         https://trac.webkit.org/changeset/244708
578
579 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
580
581         [JSC] linkPolymorphicCall now does GC
582         https://bugs.webkit.org/show_bug.cgi?id=197306
583
584         Reviewed by Saam Barati.
585
586         * stress/link-polymorphic-call-can-gc.js: Added.
587         (module):
588         (instance):
589
590 2019-04-26  Robin Morisset  <rmorisset@apple.com>
591
592         All prototypes should call didBecomePrototype()
593         https://bugs.webkit.org/show_bug.cgi?id=196315
594
595         Reviewed by Saam Barati.
596
597         * stress/function-prototype-indexed-accessor.js: Added.
598
599 2019-04-23  Saam Barati  <sbarati@apple.com>
600
601         LICM incorrectly assumes it'll never insert a node which provably OSR exits
602         https://bugs.webkit.org/show_bug.cgi?id=196721
603         <rdar://problem/49556479> 
604
605         Reviewed by Filip Pizlo.
606
607         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
608         (foo):
609
610 2019-04-19  Saam Barati  <sbarati@apple.com>
611
612         AbstractValue can represent more than int52
613         https://bugs.webkit.org/show_bug.cgi?id=197118
614         <rdar://problem/49969960>
615
616         Reviewed by Michael Saboff.
617
618         * stress/abstract-value-can-include-int52.js: Added.
619         (foo):
620         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
621
622 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
623
624         [WTF] StringBuilder should set correct m_is8Bit flag when merging
625         https://bugs.webkit.org/show_bug.cgi?id=197053
626
627         Reviewed by Saam Barati.
628
629         * stress/merge-string-builder-in-dfg.js: Added.
630         (foo):
631
632 2019-04-16  Caitlin Potter  <caitp@igalia.com>
633
634         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
635         https://bugs.webkit.org/show_bug.cgi?id=176810
636
637         Reviewed by Saam Barati.
638
639         Add tests for the DontEnum filtering, and variations of other tests
640         take the DontEnum-filtering path.
641
642         * stress/proxy-own-keys.js:
643         (i.catch):
644         (set assert):
645         (set add):
646         (let.set new):
647         (get let):
648
649 2019-04-15  Saam barati  <sbarati@apple.com>
650
651         Modify how we do SetArgument when we inline varargs calls
652         https://bugs.webkit.org/show_bug.cgi?id=196712
653         <rdar://problem/49605012>
654
655         Reviewed by Michael Saboff.
656
657         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
658         (foo):
659
660 2019-04-15  Saam barati  <sbarati@apple.com>
661
662         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
663         https://bugs.webkit.org/show_bug.cgi?id=196945
664         <rdar://problem/49802750>
665
666         Reviewed by Filip Pizlo.
667
668         * stress/get-by-offset-should-use-correct-child.js: Added.
669         (foo.bar):
670         (foo):
671
672 2019-04-15  Robin Morisset  <rmorisset@apple.com>
673
674         DFG should be able to constant fold Object.create() with a constant prototype operand
675         https://bugs.webkit.org/show_bug.cgi?id=196886
676
677         Reviewed by Yusuke Suzuki.
678
679         Note that this new benchmark does not currently see a speedup with inlining removed.
680         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
681
682         * microbenchmarks/object-create-constant-prototype.js: Added.
683         (test):
684
685 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
686
687         Incremental bytecode cache should not append function updates when loaded from memory
688         https://bugs.webkit.org/show_bug.cgi?id=196865
689
690         Reviewed by Filip Pizlo.
691
692         * stress/bytecode-cache-shared-code-block.js: Added.
693         (b):
694         (program):
695
696 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
697
698         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
699         https://bugs.webkit.org/show_bug.cgi?id=196880
700
701         Reviewed by Yusuke Suzuki.
702
703         * stress/bytecode-cache-syntax-error.js: Added.
704         (catch):
705
706 2019-04-12  Saam barati  <sbarati@apple.com>
707
708         r244079 logically broke shouldSpeculateInt52
709         https://bugs.webkit.org/show_bug.cgi?id=196884
710
711         Reviewed by Yusuke Suzuki.
712
713         * microbenchmarks/int52-rand-function.js: Added.
714         (Math.random):
715
716 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
717
718         [JSC] op_has_indexed_property should not assume subscript part is Uint32
719         https://bugs.webkit.org/show_bug.cgi?id=196850
720
721         Reviewed by Saam Barati.
722
723         * stress/has-indexed-property-should-accept-non-int32.js: Added.
724         (foo):
725
726 2019-04-11  Saam barati  <sbarati@apple.com>
727
728         Remove invalid assertion in operationInstanceOfCustom
729         https://bugs.webkit.org/show_bug.cgi?id=196842
730         <rdar://problem/49725493>
731
732         Reviewed by Michael Saboff.
733
734         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
735
736 2019-04-10  Saam Barati  <sbarati@apple.com>
737
738         AbstractValue::validateOSREntryValue is wrong for Int52 constants
739         https://bugs.webkit.org/show_bug.cgi?id=196801
740         <rdar://problem/49771122>
741
742         Reviewed by Yusuke Suzuki.
743
744         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
745
746 2019-04-10  Robin Morisset  <rmorisset@apple.com>
747
748         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
749         https://bugs.webkit.org/show_bug.cgi?id=196746
750
751         Reviewed by Yusuke Suzuki.
752
753         * stress/cyclic-define-properties.js: Added.
754         (foo):
755
756 2019-04-09  Saam barati  <sbarati@apple.com>
757
758         Clean up Int52 code and some bugs in it
759         https://bugs.webkit.org/show_bug.cgi?id=196639
760         <rdar://problem/49515757>
761
762         Reviewed by Yusuke Suzuki.
763
764         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
765
766 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
767
768         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
769         https://bugs.webkit.org/show_bug.cgi?id=196708
770         <rdar://problem/49556803>
771
772         Reviewed by Yusuke Suzuki.
773
774         * stress/proxy-getter-stack-overflow.js: Added.
775         (const.handler.get target):
776         (const.handler.has):
777         (try.with):
778         (catch):
779
780 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
781
782         [JSC] DFG should respect node's strict flag
783         https://bugs.webkit.org/show_bug.cgi?id=196617
784
785         Reviewed by Saam Barati.
786
787         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
788         (shouldEqual):
789         (makeUnwriteableUnconfigurableObject):
790         (runTest):
791         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
792         (shouldBe):
793         (shouldThrow):
794         (with.result):
795         (with.putValueStrict):
796         (with.putValueSloppy):
797
798 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
799
800         [JSC] isRope jump in StringSlice should not jump over register allocations
801         https://bugs.webkit.org/show_bug.cgi?id=196716
802
803         Reviewed by Saam Barati.
804
805         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
806         (foo.bar):
807         (foo):
808
809 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
810
811         [JSC] to_index_string should not assume incoming value is Uint32
812         https://bugs.webkit.org/show_bug.cgi?id=196713
813
814         Reviewed by Saam Barati.
815
816         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
817         (foo):
818
819 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
820
821         [JSC] Add more tests for r243966
822         https://bugs.webkit.org/show_bug.cgi?id=196711
823
824         Reviewed by Saam Barati.
825
826         Adding one more test for r243966 fix. The added test will not crash after r243966.
827
828         * stress/stress-cleared-calllinkinfo.js: Added.
829         (runNearStackLimit.t):
830         (runNearStackLimit):
831         (repeat):
832         (cls):
833         (let.item.of.array.runNearStackLimit):
834
835 2019-04-08  Saam Barati  <sbarati@apple.com>
836
837         WebAssembly.RuntimeError missing exception check
838         https://bugs.webkit.org/show_bug.cgi?id=196700
839         <rdar://problem/49693932>
840
841         Reviewed by Yusuke Suzuki.
842
843         * wasm/js-api/runtime-error-should-exception-check.js: Added.
844
845 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
846
847         Unreviewed, rolling in r243948 with test fix
848         https://bugs.webkit.org/show_bug.cgi?id=196486
849
850         * stress/arrow-function-and-use-strict-directive.js: Added.
851         * stress/arrow-function-syntax.js: Added.
852         (checkSyntax):
853         (checkSyntaxError):
854
855 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
856
857         Unreviewed, rolling out r243948.
858
859         Caused inspector/runtime/parse.html to fail
860
861         Reverted changeset:
862
863         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
864         https://bugs.webkit.org/show_bug.cgi?id=196486
865         https://trac.webkit.org/changeset/243948
866
867 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
868
869         Unreviewed, rolling out r243943.
870
871         Caused test262 failures.
872
873         Reverted changeset:
874
875         "[JSC] Filter DontEnum properties in
876         ProxyObject::getOwnPropertyNames()"
877         https://bugs.webkit.org/show_bug.cgi?id=176810
878         https://trac.webkit.org/changeset/243943
879
880 2019-04-07  Michael Saboff  <msaboff@apple.com>
881
882         REGRESSION (r243642): Crash in reddit.com page
883         https://bugs.webkit.org/show_bug.cgi?id=196684
884
885         Reviewed by Geoffrey Garen.
886
887         New regression test.
888
889         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
890
891 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
892
893         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
894         https://bugs.webkit.org/show_bug.cgi?id=196683
895
896         Reviewed by Saam Barati.
897
898         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
899         (foo):
900
901 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
902
903         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
904         https://bugs.webkit.org/show_bug.cgi?id=196582
905
906         Reviewed by Saam Barati.
907
908         * stress/add-overflow-check-with-three-same-registers.js: Added.
909         (foo):
910         (Number.prototype.valueOf):
911         (runWithNumber):
912
913 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
914
915         Unreviewed, rolling out r243665.
916
917         Caused iOS JSC tests to exit with an exception.
918
919         Reverted changeset:
920
921         "Assertion failed in JSC::createError"
922         https://bugs.webkit.org/show_bug.cgi?id=196305
923         https://trac.webkit.org/changeset/243665
924
925 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
926
927         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
928         https://bugs.webkit.org/show_bug.cgi?id=196486
929
930         Reviewed by Saam Barati.
931
932         * stress/arrow-function-and-use-strict-directive.js: Added.
933         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
934         (checkSyntax):
935         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
936
937 2019-04-05  Caitlin Potter  <caitp@igalia.com>
938
939         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
940         https://bugs.webkit.org/show_bug.cgi?id=176810
941
942         Reviewed by Saam Barati.
943
944         Add tests for the DontEnum filtering, and variations of other tests
945         take the DontEnum-filtering path.
946
947         * stress/proxy-own-keys.js:
948         (i.catch):
949         (set assert):
950         (set add):
951         (let.set new):
952         (get let):
953
954 2019-04-05  Caitlin Potter  <caitp@igalia.com>
955
956         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
957         https://bugs.webkit.org/show_bug.cgi?id=185211
958
959         Reviewed by Saam Barati.
960
961         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
962
963         This changes several assertions to expect a TypeError to be thrown (in some cases,
964         changing the expected message).
965
966         * es6/Proxy_ownKeys_duplicates.js:
967         (handler):
968         (shouldThrow):
969         (test):
970         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
971         (shouldThrow):
972         * stress/proxy-own-keys.js:
973         (i.catch):
974         (assert):
975
976 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
977
978         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
979         https://bugs.webkit.org/show_bug.cgi?id=196631
980
981         Reviewed by Saam Barati.
982
983         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
984         (assert):
985         (test):
986         (foo):
987
988 2019-04-04  Saam Barati  <sbarati@apple.com>
989
990         Unreviewed. Make the test from r243906 catch the thrown exceptions.
991
992         * stress/inferred-types-regex-matches-array.js:
993
994 2019-04-04  Saam Barati  <sbarati@apple.com>
995
996         createRegExpMatchesArray does not respect inferred types
997         https://bugs.webkit.org/show_bug.cgi?id=193287
998
999         Reviewed by Yusuke Suzuki.
1000
1001         This checks in the test case for 193287. This issue was discovered by
1002         Samuel Groß of Google Project Zero.
1003
1004         * stress/inferred-types-regex-matches-array.js: Added.
1005
1006 2019-04-04  Saam barati  <sbarati@apple.com>
1007
1008         Teach Call ICs how to call Wasm
1009         https://bugs.webkit.org/show_bug.cgi?id=196387
1010
1011         Reviewed by Filip Pizlo.
1012
1013         * wasm/function-tests/stack-trace.js:
1014
1015 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1016
1017         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1018         https://bugs.webkit.org/show_bug.cgi?id=194944
1019
1020         Reviewed by Keith Miller.
1021
1022         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
1023
1024 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1025
1026         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1027         https://bugs.webkit.org/show_bug.cgi?id=196409
1028
1029         Reviewed by Saam Barati.
1030
1031         * stress/bytecode-cache-cached-string-impl.js: Added.
1032         (f):
1033         (g):
1034         * stress/bytecode-cache-run-string.js: Added.
1035
1036 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1037
1038         B3 should use associativity to optimize expression trees
1039         https://bugs.webkit.org/show_bug.cgi?id=194081
1040
1041         Reviewed by Filip Pizlo.
1042
1043         Added three microbenchmarks:
1044         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
1045         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
1046           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
1047         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
1048
1049         * microbenchmarks/add-tree.js: Added.
1050         * microbenchmarks/bit-or-tree.js: Added.
1051         * microbenchmarks/bit-xor-tree.js: Added.
1052
1053 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1054
1055         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1056         https://bugs.webkit.org/show_bug.cgi?id=196574
1057
1058         Reviewed by Saam Barati.
1059
1060         * stress/string-index-of-exception-check.js: Added.
1061         (blurType):
1062         (1.forEach):
1063
1064 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1065
1066         Assertion failed in JSC::createError
1067         https://bugs.webkit.org/show_bug.cgi?id=196305
1068         <rdar://problem/49387382>
1069
1070         Reviewed by Saam Barati.
1071
1072         * stress/create-error-out-of-memory-rope-string-2.js: Added.
1073         (assert):
1074         (catch):
1075
1076 2019-03-28  Saam Barati  <sbarati@apple.com>
1077
1078         BackwardsGraph needs to consider back edges as the backward's root successor
1079         https://bugs.webkit.org/show_bug.cgi?id=195991
1080
1081         Reviewed by Filip Pizlo.
1082
1083         * stress/map-b3-licm-infinite-loop.js: Added.
1084
1085 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1086
1087         CodeBlock::jettison() should disallow repatching its own calls
1088         https://bugs.webkit.org/show_bug.cgi?id=196359
1089         <rdar://problem/48973663>
1090
1091         Reviewed by Saam Barati.
1092
1093         * stress/call-link-info-osrexit-repatch.js: Added.
1094         (foo):
1095
1096 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
1097
1098         [JSC] imports-oom.js intermittently fails
1099         https://bugs.webkit.org/show_bug.cgi?id=196373
1100
1101         Reviewed by Saam Barati.
1102
1103         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
1104         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
1105         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
1106         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
1107         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
1108
1109         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
1110         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
1111
1112         * wasm/lowExecutableMemory/imports-oom.js:
1113
1114 2019-03-27  Saam Barati  <sbarati@apple.com>
1115
1116         validateOSREntryValue with Int52 should box the value being checked into double format
1117         https://bugs.webkit.org/show_bug.cgi?id=196313
1118         <rdar://problem/49306703>
1119
1120         Reviewed by Yusuke Suzuki.
1121
1122         * stress/validate-int-52-ai-state.js: Added.
1123
1124 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
1125
1126         [JSC] Owner of watchpoints should validate at GC finalizing phase
1127         https://bugs.webkit.org/show_bug.cgi?id=195827
1128
1129         Reviewed by Filip Pizlo.
1130
1131         * stress/gc-should-reap-dead-watchpoints.js: Added.
1132         (foo):
1133         (A.prototype.y):
1134         (A):
1135
1136 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
1137
1138         Skip WebAssembly test on 32-bit systems
1139         https://bugs.webkit.org/show_bug.cgi?id=196206
1140
1141         Reviewed by Saam Barati.
1142
1143         Invoking runDefault executes test immediately even though
1144         that test should be skipped due to missing WASM support.
1145         Therefore remove runDefault.
1146
1147         * wasm/regress/web-assembly-link-error-exception-check.js:
1148
1149 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
1150
1151         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
1152         https://bugs.webkit.org/show_bug.cgi?id=196217
1153
1154         Reviewed by Saam Barati.
1155
1156         Re-enable all NaN tests for f32.min, f64.min and f64.max.
1157
1158         * wasm/spec-tests/f32.wast.js:
1159         * wasm/spec-tests/f64.wast.js:
1160         * wasm/wasm.json:
1161
1162 2019-03-25  Keith Miller  <keith_miller@apple.com>
1163
1164         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
1165         https://bugs.webkit.org/show_bug.cgi?id=196176
1166
1167         Reviewed by Saam Barati.
1168
1169         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
1170         (main.v10):
1171         (main):
1172
1173 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
1174
1175         WebAssembly: f32.max with NaN generates incorrect result
1176         https://bugs.webkit.org/show_bug.cgi?id=175691
1177         <rdar://problem/33952228>
1178
1179         Reviewed by Saam Barati.
1180
1181         Enable all f32.max NaN tests
1182
1183         * wasm/spec-tests/f32.wast.js:
1184         * wasm/wasm.json:
1185
1186 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
1187
1188         [JSC] Move test into directory for WASM tests
1189         https://bugs.webkit.org/show_bug.cgi?id=196187
1190
1191         Reviewed by Mark Lam.
1192
1193         Move Test into wasm-directory. Otherwise this test
1194         is also executed on systems without WASM support.
1195
1196         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
1197
1198 2019-03-23  Mark Lam  <mark.lam@apple.com>
1199
1200         Rolling out r243032 and r243071 because the fix is incorrect.
1201         https://bugs.webkit.org/show_bug.cgi?id=195892
1202         <rdar://problem/48981239>
1203
1204         Not reviewed.
1205
1206         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
1207
1208 2019-03-22  Mark Lam  <mark.lam@apple.com>
1209
1210         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
1211         https://bugs.webkit.org/show_bug.cgi?id=196154
1212         <rdar://problem/49145307>
1213
1214         Reviewed by Filip Pizlo.
1215
1216         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
1217         There's no need to run this test on more than 1 test configuration.
1218
1219         * stress/typed-array-lastIndexOf-exception-check.js: Added.
1220         * stress/web-assembly-link-error-exception-check.js:
1221
1222 2019-03-22  Mark Lam  <mark.lam@apple.com>
1223
1224         Placate exception check validation in constructJSWebAssemblyLinkError().
1225         https://bugs.webkit.org/show_bug.cgi?id=196152
1226         <rdar://problem/49145257>
1227
1228         Reviewed by Michael Saboff.
1229
1230         * stress/web-assembly-link-error-exception-check.js: Added.
1231
1232 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
1233
1234         Skip tests running out of memory on ARM/MIPS
1235         https://bugs.webkit.org/show_bug.cgi?id=196131
1236
1237         Unreviewed. Skip test if memory is limited.
1238
1239         * microbenchmarks/put-by-val-direct-large-index.js:
1240
1241 2019-03-21  Mark Lam  <mark.lam@apple.com>
1242
1243         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
1244         https://bugs.webkit.org/show_bug.cgi?id=196116
1245         <rdar://problem/48976951>
1246
1247         Reviewed by Filip Pizlo.
1248
1249         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
1250
1251 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
1252
1253         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
1254         https://bugs.webkit.org/show_bug.cgi?id=196078
1255         <rdar://problem/35925380>
1256
1257         Reviewed by Mark Lam.
1258
1259         Add a new benchmark that allocates several objects and invokes put_by_val_direct
1260         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
1261
1262         * microbenchmarks/put-by-val-direct-large-index.js: Added.
1263
1264 2019-03-21  Mark Lam  <mark.lam@apple.com>
1265
1266         Placate exception check validation in operationArrayIndexOfString().
1267         https://bugs.webkit.org/show_bug.cgi?id=196067
1268         <rdar://problem/49056572>
1269
1270         Reviewed by Michael Saboff.
1271
1272         * stress/string-equal-exception-check.js: Added.
1273
1274 2019-03-21  Mark Lam  <mark.lam@apple.com>
1275
1276         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
1277         https://bugs.webkit.org/show_bug.cgi?id=196055
1278         <rdar://problem/49067448>
1279
1280         Reviewed by Yusuke Suzuki.
1281
1282         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
1283
1284 2019-03-20  Saam Barati  <sbarati@apple.com>
1285
1286         typeOfDoubleSum is wrong for when NaN can be produced
1287         https://bugs.webkit.org/show_bug.cgi?id=196030
1288
1289         Reviewed by Filip Pizlo.
1290
1291         * stress/double-add-sub-mul-can-produce-nan.js: Added.
1292         (assert):
1293         (noInline.sub):
1294         (noInline):
1295         (assert.mul):
1296         (assert.add):
1297
1298 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
1299
1300         Update the test to ensure OutOfMemoryError is thrown as intended
1301         https://bugs.webkit.org/show_bug.cgi?id=196032
1302         <rdar://problem/46842740>
1303
1304         Rubber stamped by Saam Barati.
1305
1306         * stress/create-error-out-of-memory-rope-string.js:
1307         (assert):
1308         (catch):
1309
1310 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
1311
1312         JSC::createError needs to check for OOM in errorDescriptionForValue
1313         https://bugs.webkit.org/show_bug.cgi?id=196032
1314         <rdar://problem/46842740>
1315
1316         Reviewed by Mark Lam.
1317
1318         * stress/create-error-out-of-memory-rope-string.js: Added.
1319
1320 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
1321
1322         Unreviewed, reduce # of iterations to avoid timing out after r242991
1323         https://bugs.webkit.org/show_bug.cgi?id=195791
1324
1325         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
1326
1327         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1328
1329 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1330
1331         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
1332         https://bugs.webkit.org/show_bug.cgi?id=195950
1333
1334         Unreviewed, reducing the amount of memory used on this test to avoid
1335         OOM on devices with memory restrictions.
1336
1337         * microbenchmarks/generate-multiple-llint-entrypoints.js:
1338
1339 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1340
1341         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
1342         https://bugs.webkit.org/show_bug.cgi?id=194648
1343
1344         Reviewed by Keith Miller.
1345
1346         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
1347
1348 2019-03-18  Mark Lam  <mark.lam@apple.com>
1349
1350         Missing a ThrowScope release in JSObject::toString().
1351         https://bugs.webkit.org/show_bug.cgi?id=195893
1352         <rdar://problem/48970986>
1353
1354         Reviewed by Michael Saboff.
1355
1356         * stress/to-string-exception-check-release.js: Added.
1357
1358 2019-03-18  Mark Lam  <mark.lam@apple.com>
1359
1360         Structure::flattenDictionary() should clear unused property slots.
1361         https://bugs.webkit.org/show_bug.cgi?id=195871
1362         <rdar://problem/48959497>
1363
1364         Reviewed by Michael Saboff.
1365
1366         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
1367
1368 2019-03-15  Mark Lam  <mark.lam@apple.com>
1369
1370         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
1371         https://bugs.webkit.org/show_bug.cgi?id=195827
1372         <rdar://problem/48845513>
1373
1374         Reviewed by Filip Pizlo.
1375
1376         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
1377
1378 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
1379
1380         [ARM,MIPS] Skip slow tests
1381         https://bugs.webkit.org/show_bug.cgi?id=195799
1382
1383         Unreviewed, test does not finish on ARM and MIPS within the
1384         timeout limit.
1385
1386         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1387
1388 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
1389
1390         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
1391         https://bugs.webkit.org/show_bug.cgi?id=195791
1392         <rdar://problem/48806130>
1393
1394         Reviewed by Mark Lam.
1395
1396         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
1397         (foo):
1398
1399 2019-03-14  Saam barati  <sbarati@apple.com>
1400
1401         We can't remove code after ForceOSRExit until after FixupPhase
1402         https://bugs.webkit.org/show_bug.cgi?id=186916
1403         <rdar://problem/41396612>
1404
1405         Reviewed by Yusuke Suzuki.
1406
1407         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
1408         (foo):
1409         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1410         (foo):
1411
1412 2019-03-13  Michael Saboff  <msaboff@apple.com>
1413
1414         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
1415         https://bugs.webkit.org/show_bug.cgi?id=195735
1416
1417         Reviewed by Mark Lam.
1418
1419         New regression test.
1420
1421         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
1422         (foo):
1423         (bar):
1424
1425 2019-03-14  Saam barati  <sbarati@apple.com>
1426
1427         Fixup uses KnownInt32 incorrectly in some nodes
1428         https://bugs.webkit.org/show_bug.cgi?id=195279
1429         <rdar://problem/47915654>
1430
1431         Reviewed by Yusuke Suzuki.
1432
1433         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
1434         (foo):
1435
1436 2019-03-14  Keith Miller  <keith_miller@apple.com>
1437
1438         DFG liveness can't skip tail caller inline frames
1439         https://bugs.webkit.org/show_bug.cgi?id=195715
1440
1441         Reviewed by Saam Barati.
1442
1443         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
1444         (i.foo):
1445
1446 2019-03-13  Mark Lam  <mark.lam@apple.com>
1447
1448         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
1449         https://bugs.webkit.org/show_bug.cgi?id=195415
1450
1451         Not reviewed.
1452
1453         Changed these tests to only run the default configuration.
1454         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
1455         There's no strong need to run this test on that variant.
1456
1457         * stress/dfg-to-string-on-int-does-gc.js:
1458         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
1459
1460 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
1461
1462         String overflow when using StringBuilder in JSC::createError
1463         https://bugs.webkit.org/show_bug.cgi?id=194957
1464
1465         Reviewed by Mark Lam.
1466
1467         Add test string-overflow-createError-builder.js that overflows
1468         StringBuilder in notAFunctionSourceAppender. The second new test
1469         string-overflow-createError-fit.js has an error message that doesn't
1470         overflow, it still failed since the String's capacity can't be doubled.
1471         Run test string-overflow-createError.js only in the default
1472         configuration to reduce memory consumption when running the test
1473         in all configurations on multiple CPUs in parallel.
1474
1475         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
1476         (catch):
1477         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
1478         (catch):
1479         * stress/string-overflow-createError.js:
1480
1481 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
1482
1483         [JSC] OSR entry should respect abstract values in addition to flush formats
1484         https://bugs.webkit.org/show_bug.cgi?id=195653
1485
1486         Reviewed by Mark Lam.
1487
1488         * stress/osr-entry-locals-none.js: Added.
1489
1490 2019-03-12  Michael Saboff  <msaboff@apple.com>
1491
1492         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
1493         https://bugs.webkit.org/show_bug.cgi?id=195613
1494
1495         Reviewed by Mark Lam.
1496
1497         New regression test.
1498
1499         * stress/regexp-backref-inbounds.js: Added.
1500         (testRegExp):
1501
1502 2019-03-12  Mark Lam  <mark.lam@apple.com>
1503
1504         The HasIndexedProperty node does GC.
1505         https://bugs.webkit.org/show_bug.cgi?id=195559
1506         <rdar://problem/48767923>
1507
1508         Reviewed by Yusuke Suzuki.
1509
1510         * stress/HasIndexedProperty-does-gc.js: Added.
1511
1512 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
1513
1514         [ESNext][BigInt] Implement "~" unary operation
1515         https://bugs.webkit.org/show_bug.cgi?id=182216
1516
1517         Reviewed by Keith Miller.
1518
1519         * stress/big-int-bit-not-general.js: Added.
1520         * stress/big-int-bitwise-not-jit.js: Added.
1521         * stress/big-int-bitwise-not-wrapped-value.js: Added.
1522         * stress/bit-op-with-object-returning-int32.js:
1523         * stress/bitwise-not-fixup-rules.js: Added.
1524         * stress/value-bit-not-ai-rule.js: Added.
1525
1526 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
1527
1528         Invalid flags in a RegExp literal should be an early SyntaxError
1529         https://bugs.webkit.org/show_bug.cgi?id=195514
1530
1531         Reviewed by Darin Adler.
1532
1533         * test262/expectations.yaml:
1534         Mark 4 test cases as passing.
1535
1536         * stress/regexp-syntax-error-invalid-flags.js:
1537         * stress/regress-161995.js: Removed.
1538         Update existing test, merging in an older test for the same behavior.
1539
1540 2019-03-08  Mark Lam  <mark.lam@apple.com>
1541
1542         Stack overflow crash in JSC::JSObject::hasInstance.
1543         https://bugs.webkit.org/show_bug.cgi?id=195458
1544         <rdar://problem/48710195>
1545
1546         Reviewed by Yusuke Suzuki.
1547
1548         * stress/stack-overflow-in-custom-hasInstance.js: Added.
1549
1550 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
1551
1552         op_check_tdz does not def its argument
1553         https://bugs.webkit.org/show_bug.cgi?id=192880
1554         <rdar://problem/46221598>
1555
1556         Reviewed by Saam Barati.
1557
1558         * microbenchmarks/let-for-in.js: Added.
1559         (foo):
1560
1561 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
1562
1563         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
1564         https://bugs.webkit.org/show_bug.cgi?id=195429
1565
1566         Reviewed by Saam Barati.
1567
1568         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
1569         (foo):
1570         * stress/string-from-char-code-255.js: Added.
1571
1572 2019-03-06  Mark Lam  <mark.lam@apple.com>
1573
1574         Fix incorrect handling of try-finally completion values.
1575         https://bugs.webkit.org/show_bug.cgi?id=195131
1576         <rdar://problem/46222079>
1577
1578         Reviewed by Saam Barati and Yusuke Suzuki.
1579
1580         Added many permutations of new test case to test-finally.js.  test-finally.js has
1581         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
1582         tests pass there as well.
1583
1584         * stress/test-finally.js:
1585
1586 2019-03-06  Saam Barati  <sbarati@apple.com>
1587
1588         Air::reportUsedRegisters must padInterference
1589         https://bugs.webkit.org/show_bug.cgi?id=195303
1590         <rdar://problem/48270343>
1591
1592         Reviewed by Keith Miller.
1593
1594         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
1595
1596 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
1597
1598         [JSC] AI should not propagate AbstractValue relying on constant folding phase
1599         https://bugs.webkit.org/show_bug.cgi?id=195375
1600
1601         Reviewed by Saam Barati.
1602
1603         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
1604         (let.array):
1605
1606 2019-03-05  Saam barati  <sbarati@apple.com>
1607
1608         op_switch_char broken for rope strings after JSRopeString layout rewrite
1609         https://bugs.webkit.org/show_bug.cgi?id=195339
1610         <rdar://problem/48592545>
1611
1612         Reviewed by Yusuke Suzuki.
1613
1614         * stress/switch-on-char-llint-rope.js: Added.
1615
1616 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
1617
1618         [JSC] Store bits for JSRopeString in 3 stores
1619         https://bugs.webkit.org/show_bug.cgi?id=195234
1620
1621         Reviewed by Saam Barati.
1622
1623         * stress/null-rope-and-collectors.js: Added.
1624
1625 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1626
1627         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1628         https://bugs.webkit.org/show_bug.cgi?id=195207
1629
1630         Unreviewed. After test runtime was reduced in r242213, test can be
1631         run again on ARM/MIPS.
1632
1633         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1634
1635 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1636
1637         [JSC] sizeof(JSString) should be 16
1638         https://bugs.webkit.org/show_bug.cgi?id=194375
1639
1640         Reviewed by Saam Barati.
1641
1642         * microbenchmarks/make-rope.js: Added.
1643         (makeRope):
1644         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1645         (returnRope.helper): Deleted.
1646         (returnRope): Deleted.
1647
1648 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1649
1650         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1651         https://bugs.webkit.org/show_bug.cgi?id=195144
1652
1653         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1654         Change the number from 1e8 to 1e5.
1655
1656         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1657         (foo):
1658
1659 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1660
1661         Test times out on ARM/MIPS
1662         https://bugs.webkit.org/show_bug.cgi?id=195168
1663
1664         Unreviewed. Skip test on ARM/MIPS.
1665
1666         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1667
1668 2019-02-27  Mark Lam  <mark.lam@apple.com>
1669
1670         The parser is failing to record the token location of new in new.target.
1671         https://bugs.webkit.org/show_bug.cgi?id=195127
1672         <rdar://problem/39645578>
1673
1674         Reviewed by Yusuke Suzuki.
1675
1676         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1677
1678 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1679
1680         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1681         https://bugs.webkit.org/show_bug.cgi?id=195144
1682         <rdar://problem/47595961>
1683
1684         Reviewed by Mark Lam.
1685
1686         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1687         (bar):
1688         (foo):
1689         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1690         (bar):
1691         (foo):
1692
1693 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1694
1695         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1696         https://bugs.webkit.org/show_bug.cgi?id=194945
1697         <rdar://problem/48311657>
1698
1699         Reviewed by Mark Lam.
1700
1701         * stress/licm-dead-code.js: Added.
1702
1703 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1704
1705         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1706         https://bugs.webkit.org/show_bug.cgi?id=194677
1707         <rdar://problem/48112492>
1708
1709         Reviewed by Mark Lam.
1710
1711         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1712         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1713         it immediately fails due to the large size.
1714
1715         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1716         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1717         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1718         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1719
1720         This patch changes the test to produce 16bit string from String.fromCharCode.
1721
1722         * stress/regress-178386.js:
1723
1724 2019-02-26  Mark Lam  <mark.lam@apple.com>
1725
1726         wasmToJS() should purify incoming NaNs.
1727         https://bugs.webkit.org/show_bug.cgi?id=194807
1728         <rdar://problem/48189132>
1729
1730         Reviewed by Saam Barati.
1731
1732         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1733
1734 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1735
1736         [JSC] Repeat string created from Array.prototype.join() take too much memory
1737         https://bugs.webkit.org/show_bug.cgi?id=193912
1738
1739         Reviewed by Saam Barati.
1740
1741         Added a test and a microbenchmark for corner cases of
1742         Array.prototype.join() with an uninitialized array.
1743
1744         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1745         * stress/array-prototype-join-uninitialized.js: Added.
1746         (testArray):
1747         (testABC):
1748         (B):
1749         (C):
1750
1751 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1752
1753         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1754         https://bugs.webkit.org/show_bug.cgi?id=194953
1755         <rdar://problem/47595253>
1756
1757         Reviewed by Saam Barati.
1758
1759         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1760
1761         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1762
1763 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1764
1765         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1766         https://bugs.webkit.org/show_bug.cgi?id=172848
1767         <rdar://problem/25709212>
1768
1769         Reviewed by Mark Lam.
1770
1771         * typeProfiler/inheritance.js:
1772         Rewrite the test slightly for clarity. The hoisting was confusing.
1773
1774         * heapProfiler/class-names.js: Added.
1775         (MyES5Class):
1776         (MyES6Class):
1777         (MyES6Subclass):
1778         Test object types and improved class names.
1779
1780         * heapProfiler/driver/driver.js:
1781         (CheapHeapSnapshotNode):
1782         (CheapHeapSnapshot):
1783         (createCheapHeapSnapshot):
1784         (HeapSnapshot):
1785         (createHeapSnapshot):
1786         Update snapshot parsing from version 1 to version 2.
1787
1788 2019-02-19  Truitt Savell  <tsavell@apple.com>
1789
1790         Unreviewed, rolling out r241784.
1791
1792         Broke all OpenSource builds.
1793
1794         Reverted changeset:
1795
1796         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1797         instances view"
1798         https://bugs.webkit.org/show_bug.cgi?id=172848
1799         https://trac.webkit.org/changeset/241784
1800
1801 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1802
1803         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1804         https://bugs.webkit.org/show_bug.cgi?id=172848
1805         <rdar://problem/25709212>
1806
1807         Reviewed by Mark Lam.
1808
1809         * typeProfiler/inheritance.js:
1810         Rewrite the test slightly for clarity. The hoisting was confusing.
1811
1812         * heapProfiler/class-names.js: Added.
1813         (MyES5Class):
1814         (MyES6Class):
1815         (MyES6Subclass):
1816         Test object types and improved class names.
1817
1818         * heapProfiler/driver/driver.js:
1819         (CheapHeapSnapshotNode):
1820         (CheapHeapSnapshot):
1821         (createCheapHeapSnapshot):
1822         (HeapSnapshot):
1823         (createHeapSnapshot):
1824         Update snapshot parsing from version 1 to version 2.
1825
1826 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1827
1828         [ARM] Fix crash with sampling profiler
1829         https://bugs.webkit.org/show_bug.cgi?id=194772
1830
1831         Reviewed by Mark Lam.
1832
1833         Do not skip test since crash with sampling profiler is now fixed.
1834
1835         * stress/sampling-profiler-richards.js:
1836
1837 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1838
1839         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1840         https://bugs.webkit.org/show_bug.cgi?id=194784
1841         <rdar://problem/48154820>
1842
1843         Reviewed by Mark Lam.
1844
1845         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1846         (getProperties):
1847         (getRandomProperty):
1848         (i.catch):
1849
1850 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1851
1852         [ARM] Test gardening: Test running out of executable memory
1853         https://bugs.webkit.org/show_bug.cgi?id=194771
1854
1855         Unreviewed. Do not run test without LLInt, test is running out of executable
1856         memory on ARM otherwise.
1857
1858         * stress/tagged-template-object-collect.js:
1859
1860 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1861
1862         Unreviewed, skip the test on platforms without sampling profiler
1863
1864         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1865         (platformSupportsSamplingProfiler.foo):
1866         (platformSupportsSamplingProfiler.test):
1867         (platformSupportsSamplingProfiler):
1868         (foo): Deleted.
1869         (test): Deleted.
1870
1871 2019-02-17  Saam Barati  <sbarati@apple.com>
1872
1873         Deadlock when adding a Structure property transition and then doing incremental marking
1874         https://bugs.webkit.org/show_bug.cgi?id=194767
1875
1876         Reviewed by Mark Lam.
1877
1878         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1879
1880 2019-02-15  Michael Saboff  <msaboff@apple.com>
1881
1882         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1883         https://bugs.webkit.org/show_bug.cgi?id=194558
1884
1885         Reviewed by Saam Barati.
1886
1887         New regression test.
1888
1889         * stress/regexp-unicode-within-string.js: Added.
1890
1891 2019-02-15  Mark Lam  <mark.lam@apple.com>
1892
1893         SamplingProfiler::stackTracesAsJSON() should escape strings.
1894         https://bugs.webkit.org/show_bug.cgi?id=194649
1895         <rdar://problem/48072386>
1896
1897         Reviewed by Saam Barati.
1898
1899         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1900         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1901         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1902         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1903
1904 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1905         CodeBlock::jettison should clear related watchpoints
1906         https://bugs.webkit.org/show_bug.cgi?id=194544
1907
1908         Reviewed by Mark Lam.
1909
1910         * stress/regexp-replace-double-watchpoint.js: Added.
1911         (foo):
1912
1913 2019-02-15  Saam barati  <sbarati@apple.com>
1914
1915         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1916         https://bugs.webkit.org/show_bug.cgi?id=194036
1917
1918         Reviewed by Yusuke Suzuki.
1919
1920         * stress/tail-call-many-arguments.js: Added.
1921         (foo):
1922         (bar):
1923
1924 2019-02-14  Saam Barati  <sbarati@apple.com>
1925
1926         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1927         https://bugs.webkit.org/show_bug.cgi?id=194583
1928         <rdar://problem/48028140>
1929
1930         Reviewed by Yusuke Suzuki.
1931
1932         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1933
1934 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1935
1936         [JSC] String.fromCharCode's slow path always generates 16bit string
1937         https://bugs.webkit.org/show_bug.cgi?id=194466
1938
1939         Reviewed by Keith Miller.
1940
1941         * stress/string-from-char-code-slow-path.js: Added.
1942         (shouldBe):
1943         (testWithLength):
1944
1945 2019-02-08  Saam barati  <sbarati@apple.com>
1946
1947         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1948         https://bugs.webkit.org/show_bug.cgi?id=194334
1949         <rdar://problem/47844327>
1950
1951         Reviewed by Mark Lam.
1952
1953         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1954         (func):
1955
1956 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1957
1958         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1959         https://bugs.webkit.org/show_bug.cgi?id=194369
1960         <rdar://problem/47813087>
1961
1962         Reviewed by Saam Barati.
1963
1964         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1965         (A):
1966
1967 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1968
1969         [JSC] PrivateName to PublicName hash table is wasteful
1970         https://bugs.webkit.org/show_bug.cgi?id=194277
1971
1972         Reviewed by Michael Saboff.
1973
1974         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1975
1976         * ChakraCore.yaml:
1977
1978 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1979
1980         [ARM] Test running out of executable memory
1981         https://bugs.webkit.org/show_bug.cgi?id=194285
1982
1983         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1984         executable memory otherwise.
1985
1986         * stress/class-subclassing-function.js:
1987
1988 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1989
1990         when lowering AssertNotEmpty, create the value before creating the patchpoint
1991         https://bugs.webkit.org/show_bug.cgi?id=194231
1992
1993         Reviewed by Saam Barati.
1994
1995         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1996         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
1997         So even tiny changes to this test can change the code path taken.
1998
1999         * stress/assert-not-empty.js: Added.
2000         (foo):
2001
2002 2019-02-01  Mark Lam  <mark.lam@apple.com>
2003
2004         Remove invalid assertion in DFG's compileDoubleRep().
2005         https://bugs.webkit.org/show_bug.cgi?id=194130
2006         <rdar://problem/47699474>
2007
2008         Reviewed by Saam Barati.
2009
2010         * stress/constant-fold-double-rep-into-double-constant.js: Added.
2011
2012 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
2013
2014         Import latest Test262 updates.
2015
2016         Rubber-stamped by Keith Miller.
2017
2018         * test262.yaml: Deleted.
2019         * test262/config.yaml:
2020         * test262/expectations.yaml:
2021         * test262/latest-changes-summary.txt:
2022         * test262/test/:
2023         * test262/test262-Revision.txt:
2024
2025 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2026
2027         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2028         https://bugs.webkit.org/show_bug.cgi?id=194050
2029         <rdar://problem/47595592>
2030
2031         Reviewed by Yusuke Suzuki.
2032
2033         * stress/object-keys-osr-exit.js: Added.
2034         (foo):
2035         (catch):
2036
2037 2019-01-29  Mark Lam  <mark.lam@apple.com>
2038
2039         ValueRecovery::recover() should purify NaN values it recovers.
2040         https://bugs.webkit.org/show_bug.cgi?id=193978
2041         <rdar://problem/47625488>
2042
2043         Reviewed by Saam Barati.
2044
2045         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
2046
2047 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2048
2049         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
2050         https://bugs.webkit.org/show_bug.cgi?id=193713
2051
2052         * stress/try-get-by-id-should-spill-registers-dfg.js:
2053         (let.f.createBuiltin):
2054
2055 2019-01-28  Mark Lam  <mark.lam@apple.com>
2056
2057         ToString node actually does GC.
2058         https://bugs.webkit.org/show_bug.cgi?id=193920
2059         <rdar://problem/46695900>
2060
2061         Reviewed by Yusuke Suzuki.
2062
2063         * stress/dfg-to-string-on-int-does-gc.js: Added.
2064         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
2065         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
2066
2067 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
2068
2069         [JSC] NativeErrorConstructor should not have own IsoSubspace
2070         https://bugs.webkit.org/show_bug.cgi?id=193713
2071
2072         Reviewed by Saam Barati.
2073
2074         Remove @Error use.
2075
2076         * stress/try-get-by-id-should-spill-registers-dfg.js:
2077         (let.f.createBuiltin):
2078
2079 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
2080
2081         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
2082         https://bugs.webkit.org/show_bug.cgi?id=190693
2083
2084         Reviewed by Michael Saboff.
2085
2086         * stress/regress-190693.js: Added.
2087         (truth):
2088         (assert):
2089         (shouldThrowInvalidConstAssignment):
2090         (taz):
2091
2092 2019-01-24  Saam Barati  <sbarati@apple.com>
2093
2094         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
2095         https://bugs.webkit.org/show_bug.cgi?id=193751
2096         <rdar://problem/47280215>
2097
2098         Reviewed by Michael Saboff.
2099
2100         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
2101         (let.thing):
2102         (foo.let.hello):
2103         (foo):
2104
2105 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
2106
2107         [JSC] Reenable baseline JIT on mips
2108         https://bugs.webkit.org/show_bug.cgi?id=192983
2109
2110         Reviewed by Mark Lam.
2111
2112         Added a new test for a case that was triggering a RELEASE_ASSERT when
2113         testing.
2114         Disable some slow tests that were already disabled for arm and x86.
2115
2116         * stress/json-parse-big-object.js: Added.
2117         * stress/new-largeish-contiguous-array-with-size.js:
2118         * stress/op_add.js:
2119         * stress/op_bitand.js:
2120         * stress/op_bitor.js:
2121         * stress/op_bitxor.js:
2122         * stress/op_lshift-ConstVar.js:
2123         * stress/op_lshift-VarConst.js:
2124         * stress/op_lshift-VarVar.js:
2125         * stress/op_mod-ConstVar.js:
2126         * stress/op_mod-VarConst.js:
2127         * stress/op_mod-VarVar.js:
2128         * stress/op_mul-ConstVar.js:
2129         * stress/op_mul-VarConst.js:
2130         * stress/op_mul-VarVar.js:
2131         * stress/op_rshift-ConstVar.js:
2132         * stress/op_rshift-VarConst.js:
2133         * stress/op_rshift-VarVar.js:
2134         * stress/op_sub-ConstVar.js:
2135         * stress/op_sub-VarConst.js:
2136         * stress/op_sub-VarVar.js:
2137         * stress/op_urshift-ConstVar.js:
2138         * stress/op_urshift-VarConst.js:
2139         * stress/op_urshift-VarVar.js:
2140         * stress/sampling-profiler-richards.js:
2141         * stress/spread-forward-call-varargs-stack-overflow.js:
2142
2143 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
2144
2145         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
2146         https://bugs.webkit.org/show_bug.cgi?id=193711
2147         <rdar://problem/47250262>
2148
2149         Reviewed by Saam Barati.
2150
2151         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
2152         (shouldBe):
2153         (foo):
2154         (bar):
2155         (baz):
2156
2157 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2158
2159         Unreviewed, fix initial global lexical binding epoch
2160         https://bugs.webkit.org/show_bug.cgi?id=193603
2161         <rdar://problem/47380869>
2162
2163         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
2164         (f1.f2.f3.f4):
2165         (f1.f2.f3):
2166         (f1.f2):
2167         (f1):
2168
2169 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2170
2171         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
2172         https://bugs.webkit.org/show_bug.cgi?id=193709
2173         <rdar://problem/47363838>
2174
2175         Unreviewed, rollout to watch the tests.
2176
2177         * stress/object-tostring-changed-proto.js: Removed.
2178         * stress/object-tostring-changed.js: Removed.
2179         * stress/object-tostring-misc.js: Removed.
2180         * stress/object-tostring-other.js: Removed.
2181         * stress/object-tostring-untyped.js: Removed.
2182
2183 2019-01-22  Saam Barati  <sbarati@apple.com>
2184
2185         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
2186
2187         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
2188         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
2189         (testUncheckedLessThanZero):
2190         (testUncheckedLessThanOrEqualZero):
2191         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
2192         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
2193
2194 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2195
2196         [JSC] Invalidate old scope operations using global lexical binding epoch
2197         https://bugs.webkit.org/show_bug.cgi?id=193603
2198         <rdar://problem/47380869>
2199
2200         Reviewed by Saam Barati.
2201
2202         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2203         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
2204         (shouldThrow):
2205         (bar):
2206         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
2207         (shouldBe):
2208         (get1):
2209         (get2):
2210         (get1If):
2211         (get2If):
2212         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
2213         (shouldThrow):
2214         (foo):
2215
2216 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
2217
2218         Unreviewed, roll out r240220 due to date-format-xparb regression
2219         https://bugs.webkit.org/show_bug.cgi?id=193603
2220
2221         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2222         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
2223         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
2224         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
2225
2226 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
2227
2228         DoesGC rule is wrong for nodes with BigIntUse
2229         https://bugs.webkit.org/show_bug.cgi?id=193652
2230
2231         Reviewed by Saam Barati.
2232
2233         * stress/big-int-value-op-update-gc-rules.js: Added.
2234         (assert):
2235         (doesGCAdd):
2236         (doesGCSub):
2237         (doesGCDiv):
2238         (doesGCMul):
2239         (doesGCBitAnd):
2240         (doesGCBitOr):
2241         (doesGCBitXor):
2242
2243 2019-01-20  Saam Barati  <sbarati@apple.com>
2244
2245         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
2246         https://bugs.webkit.org/show_bug.cgi?id=193644
2247         <rdar://problem/46209745>
2248
2249         Reviewed by Yusuke Suzuki.
2250
2251         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
2252         (foo):
2253         * stress/data-view-set-intrinsic-undefined-result.js: Added.
2254         (foo):
2255         (bar):
2256
2257 2019-01-20  Saam Barati  <sbarati@apple.com>
2258
2259         MovHint must merge NodeBytecodeUsesAsValue for its child
2260         https://bugs.webkit.org/show_bug.cgi?id=186916
2261         <rdar://problem/41396612>
2262
2263         Reviewed by Yusuke Suzuki.
2264
2265         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
2266         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
2267
2268 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
2269
2270         [JSC] Invalidate old scope operations using global lexical binding epoch
2271         https://bugs.webkit.org/show_bug.cgi?id=193603
2272         <rdar://problem/47380869>
2273
2274         Reviewed by Saam Barati.
2275
2276         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2277         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
2278         (shouldThrow):
2279         (bar):
2280         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
2281         (shouldBe):
2282         (get1):
2283         (get2):
2284         (get1If):
2285         (get2If):
2286         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
2287         (shouldThrow):
2288         (foo):
2289
2290 2019-01-17  Saam barati  <sbarati@apple.com>
2291
2292         StringObjectUse should not be a structure check for the original string object structure
2293         https://bugs.webkit.org/show_bug.cgi?id=193483
2294         <rdar://problem/47280522>
2295
2296         Reviewed by Yusuke Suzuki.
2297
2298         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
2299         (foo):
2300         (a.valueOf.0):
2301
2302 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2303
2304         [JSC] ToThis omission in DFGByteCodeParser is wrong
2305         https://bugs.webkit.org/show_bug.cgi?id=193513
2306         <rdar://problem/45842236>
2307
2308         Reviewed by Saam Barati.
2309
2310         * stress/to-this-omission-with-different-strict-modes.js: Added.
2311         (thisA):
2312         (thisAStrictWrapper):
2313
2314 2019-01-15  Mark Lam  <mark.lam@apple.com>
2315
2316         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2317         https://bugs.webkit.org/show_bug.cgi?id=193423
2318         <rdar://problem/46209355>
2319
2320         Reviewed by Saam Barati.
2321
2322         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
2323         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
2324         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
2325         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
2326
2327 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2328
2329         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
2330         https://bugs.webkit.org/show_bug.cgi?id=193438
2331         <rdar://problem/45581249>
2332
2333         Reviewed by Saam Barati and Keith Miller.
2334
2335         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
2336         Then, GetByVal(String) crashed.
2337
2338         * stress/string-get-by-val-lowering.js: Added.
2339         (shouldBe):
2340         (test):
2341         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
2342         (Hello):
2343         (foo):
2344
2345 2019-01-15  Tomas Popela  <tpopela@redhat.com>
2346
2347         Unreviewed, skip JIT tests if it's not enabled
2348
2349         * stress/bit-op-with-object-returning-int32.js:
2350
2351 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
2352
2353         DFGByteCodeParser rules for bitwise operations should consider type of their operands
2354         https://bugs.webkit.org/show_bug.cgi?id=192966
2355
2356         Reviewed by Yusuke Suzuki.
2357
2358         * stress/bit-op-with-object-returning-int32.js: Added.
2359
2360 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
2361
2362         Skip a slow test and a flakey test on arm
2363
2364         Unreviewed gardening.
2365
2366         * typeProfiler/getter-richards.js:
2367         this test always times out, it used to be always skipped on arm and
2368         mips, but got accidentally enabled by r237919 now that we have DFG on
2369         arm. Also skipping on mips as we plan to soon enable DFG for it too.
2370
2371 2019-01-14  Keith Miller  <keith_miller@apple.com>
2372
2373         Skip type-check-hoisting-phase-hoist... with no jit
2374         https://bugs.webkit.org/show_bug.cgi?id=193421
2375
2376         Reviewed by Mark Lam.
2377
2378         It's timing out the 32-bit bots and takes 330 seconds
2379         on my machine when run by itself.
2380
2381         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
2382
2383 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2384
2385         [JSC] AI should check the given constant's array type when folding GetByVal into constant
2386         https://bugs.webkit.org/show_bug.cgi?id=193413
2387         <rdar://problem/46092389>
2388
2389         Reviewed by Keith Miller.
2390
2391         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
2392         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
2393         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
2394         but GetByVal does not have appropriate ArrayModes, JSC crashes.
2395
2396         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
2397         (compareArray):
2398
2399 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
2400
2401         [BigInt] Literal parsing is crashing when used inside a Object Literal
2402         https://bugs.webkit.org/show_bug.cgi?id=193404
2403
2404         Reviewed by Yusuke Suzuki.
2405
2406         * stress/big-int-literal-inside-literal-object.js: Added.
2407
2408 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2409
2410         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
2411         https://bugs.webkit.org/show_bug.cgi?id=193372
2412
2413         Reviewed by Saam Barati.
2414
2415         * stress/typed-array-array-modes-profile.js: Added.
2416         (foo):
2417
2418 2019-01-14  Mark Lam  <mark.lam@apple.com>
2419
2420         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
2421         https://bugs.webkit.org/show_bug.cgi?id=193402
2422         <rdar://problem/46012309>
2423
2424         Reviewed by Keith Miller.
2425
2426         * stress/regexp-compile-oom.js:
2427         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
2428           is enabled.  As a result, it will fail on cloop builds though there is no bug.
2429
2430 2019-01-11  Saam barati  <sbarati@apple.com>
2431
2432         DFG combined liveness can be wrong for terminal basic blocks
2433         https://bugs.webkit.org/show_bug.cgi?id=193304
2434         <rdar://problem/45268632>
2435
2436         Reviewed by Yusuke Suzuki.
2437
2438         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
2439
2440 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2441
2442         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
2443         https://bugs.webkit.org/show_bug.cgi?id=193308
2444         <rdar://problem/45546542>
2445
2446         Reviewed by Saam Barati.
2447
2448         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2449         (shouldThrow):
2450         (shouldBe):
2451         (foo):
2452         (get shouldThrow):
2453         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2454         (shouldThrow):
2455         (shouldBe):
2456         (foo):
2457         (get shouldBe):
2458         (get shouldThrow):
2459         (get return):
2460         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2461         (shouldThrow):
2462         (shouldBe):
2463         (foo):
2464         (get shouldBe):
2465         (get shouldThrow):
2466         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
2467         (shouldThrow):
2468         (shouldBe):
2469         (foo):
2470         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2471         (shouldThrow):
2472         (shouldBe):
2473         (foo):
2474         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
2475         (shouldThrow):
2476         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
2477         (shouldThrow):
2478         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2479         (shouldThrow):
2480         (shouldBe):
2481         (foo):
2482         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2483         (shouldThrow):
2484         (shouldBe):
2485         (foo):
2486         (get shouldBe):
2487         (get shouldThrow):
2488         (get return):
2489         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2490         (shouldThrow):
2491         (shouldBe):
2492         (foo):
2493         (get shouldBe):
2494         (get shouldThrow):
2495         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
2496         (shouldThrow):
2497         (shouldBe):
2498         (foo):
2499         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2500         (shouldThrow):
2501         (shouldBe):
2502         (foo):
2503
2504 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
2505
2506         Enable DFG on ARM/Linux again
2507         https://bugs.webkit.org/show_bug.cgi?id=192496
2508
2509         Reviewed by Yusuke Suzuki.
2510
2511         Test wasn't really skipped before moving the line with skip
2512         to the top.
2513
2514         * stress/regress-192717.js:
2515
2516 2019-01-10  Commit Queue  <commit-queue@webkit.org>
2517
2518         Unreviewed, rolling out r239825.
2519         https://bugs.webkit.org/show_bug.cgi?id=193330
2520
2521         Broke tests on armv7/linux bots (Requested by guijemont on
2522         #webkit).
2523
2524         Reverted changeset:
2525
2526         "Enable DFG on ARM/Linux again"
2527         https://bugs.webkit.org/show_bug.cgi?id=192496
2528         https://trac.webkit.org/changeset/239825
2529
2530 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
2531
2532         Enable DFG on ARM/Linux again
2533         https://bugs.webkit.org/show_bug.cgi?id=192496
2534
2535         Reviewed by Yusuke Suzuki.
2536
2537         Test wasn't really skipped before moving the line with skip
2538         to the top.
2539
2540         * stress/regress-192717.js:
2541
2542 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2543
2544         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
2545         https://bugs.webkit.org/show_bug.cgi?id=193127
2546
2547         Reviewed by Saam Barati.
2548
2549         * stress/array-species-create-should-handle-masquerader.js: Added.
2550         (shouldThrow):
2551         * stress/is-undefined-or-null-builtin.js: Added.
2552         (shouldBe):
2553         (isUndefinedOrNull.vm.createBuiltin):
2554
2555 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
2556
2557         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
2558         https://bugs.webkit.org/show_bug.cgi?id=193221
2559
2560         Reviewed by Mark Lam.
2561
2562         * stress/put-by-id-flags.js: Added.
2563         (f):
2564         (g):
2565         (numberOfDFGCompiles):
2566
2567 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
2568
2569         Baseline version of get_by_id may corrupt metadata
2570         https://bugs.webkit.org/show_bug.cgi?id=193085
2571         <rdar://problem/23453006>
2572
2573         Reviewed by Saam Barati.
2574
2575         * stress/get-by-id-change-mode.js: Added.
2576         (forEach):
2577
2578 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2579
2580         [JSC] Optimize Object.prototype.toString
2581         https://bugs.webkit.org/show_bug.cgi?id=193031
2582
2583         Reviewed by Saam Barati.
2584
2585         * stress/object-tostring-changed-proto.js: Added.
2586         (shouldBe):
2587         (test):
2588         * stress/object-tostring-changed.js: Added.
2589         (shouldBe):
2590         (test):
2591         * stress/object-tostring-misc.js: Added.
2592         (shouldBe):
2593         (test):
2594         (i.switch):
2595         * stress/object-tostring-other.js: Added.
2596         (shouldBe):
2597         (test):
2598         * stress/object-tostring-untyped.js: Added.
2599         (shouldBe):
2600         (test):
2601         (i.switch):
2602
2603 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
2604
2605         test262-runner misbehaves when test file YAML has a trailing space
2606         https://bugs.webkit.org/show_bug.cgi?id=193053
2607
2608         Reviewed by Yusuke Suzuki.
2609
2610         * test262/expectations.yaml:
2611         Mark two dozen tests as passing (and correct the output of another).
2612
2613 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2614
2615         Unreviewed, JSTests gardening with memoryLimited
2616
2617         * stress/string-overflow-createError.js:
2618
2619 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
2620
2621         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2622         https://bugs.webkit.org/show_bug.cgi?id=193050
2623
2624         Reviewed by Yusuke Suzuki.
2625
2626         * test262.yaml:
2627         * test262/expectations.yaml:
2628         Mark 16 tests as passing.
2629
2630 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2631
2632         [BigInt] Support BigInt in JSON.stringify
2633         https://bugs.webkit.org/show_bug.cgi?id=192624
2634
2635         Reviewed by Saam Barati.
2636
2637         * stress/big-int-json-stringify-to-json.js: Added.
2638         (shouldBe):
2639         (shouldThrow):
2640         (BigInt.prototype.toJSON):
2641         (shouldBe.JSON.stringify):
2642         * stress/big-int-json-stringify.js: Added.
2643         (shouldBe):
2644         (shouldThrow):
2645
2646 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2647
2648         [JSC] Implement "well-formed JSON.stringify" proposal
2649         https://bugs.webkit.org/show_bug.cgi?id=191677
2650
2651         Reviewed by Darin Adler.
2652
2653         * stress/json-surrogate-pair.js: Added.
2654         (shouldBe):
2655         * test262/expectations.yaml:
2656
2657 2018-12-20  Keith Miller  <keith_miller@apple.com>
2658
2659         Add support for globalThis
2660         https://bugs.webkit.org/show_bug.cgi?id=165171
2661
2662         Reviewed by Mark Lam.
2663
2664         * test262/config.yaml:
2665
2666 2018-12-19  Keith Miller  <keith_miller@apple.com>
2667
2668         Update test262 configuration to not run tests dependent on ICU version.
2669         https://bugs.webkit.org/show_bug.cgi?id=192920
2670
2671         Reviewed by Saam Barati.
2672
2673         * test262/expectations.yaml:
2674
2675 2018-12-20  Mark Lam  <mark.lam@apple.com>
2676
2677         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2678         https://bugs.webkit.org/show_bug.cgi?id=192939
2679         <rdar://problem/46869516>
2680
2681         Reviewed by Keith Miller.
2682
2683         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2684
2685 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2686
2687         WTF::String and StringImpl overflow MaxLength
2688         https://bugs.webkit.org/show_bug.cgi?id=192853
2689         <rdar://problem/45726906>
2690
2691         Reviewed by Mark Lam.
2692
2693         * stress/string-16bit-repeat-overflow.js: Added.
2694         (catch):
2695
2696 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2697
2698         Unreviewed follow-up to r192914.
2699
2700         * test262/expectations.yaml:
2701         Add the last 20 missing expectations.
2702
2703 2018-12-19  Keith Miller  <keith_miller@apple.com>
2704
2705         Fix test262 expectations
2706         https://bugs.webkit.org/show_bug.cgi?id=192914
2707
2708         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2709
2710         * test262/expectations.yaml:
2711
2712 2018-12-19  Keith Miller  <keith_miller@apple.com>
2713
2714         Update test262 tests.
2715         https://bugs.webkit.org/show_bug.cgi?id=192907
2716
2717         Rubber stamped by Mark Lam.
2718
2719         * test262/*: Omitted because prepare-changelog crashes.
2720
2721 2018-12-19  Mark Lam  <mark.lam@apple.com>
2722
2723         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2724         https://bugs.webkit.org/show_bug.cgi?id=192464
2725         <rdar://problem/46519455>
2726
2727         Reviewed by Saam Barati.
2728
2729         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2730         microbenchmark.
2731
2732         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2733         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2734
2735 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2736
2737         String overflow in JSC::createError results in ASSERT in WTF::makeString
2738         https://bugs.webkit.org/show_bug.cgi?id=192833
2739         <rdar://problem/45706868>
2740
2741         Reviewed by Mark Lam.
2742
2743         * stress/string-overflow-createError.js: Added.
2744
2745 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2746
2747         Error message for `-x ** y` contains a typo.
2748         https://bugs.webkit.org/show_bug.cgi?id=192832
2749
2750         Reviewed by Saam Barati.
2751
2752         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2753         (assert.assert.return.throws):
2754         * stress/pow-expects-update-expression-on-lhs.js:
2755         (throw.new.Error):
2756         Update test expectations which match against the exact error message.
2757
2758 2018-12-18  Mark Lam  <mark.lam@apple.com>
2759
2760         Gardening: test options fix.
2761         https://bugs.webkit.org/show_bug.cgi?id=192822
2762
2763         Unreviewed.
2764
2765         * stress/json-stringify-string-builder-overflow.js:
2766
2767 2018-12-18  Mark Lam  <mark.lam@apple.com>
2768
2769         JSON.stringify() should throw OOM on StringBuilder overflows.
2770         https://bugs.webkit.org/show_bug.cgi?id=192822
2771         <rdar://problem/46670577>
2772
2773         Reviewed by Saam Barati.
2774
2775         * stress/json-stringify-string-builder-overflow.js: Added.
2776
2777 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2778
2779         Redeclaration of var over let/const/class should be a syntax error.
2780         https://bugs.webkit.org/show_bug.cgi?id=192298
2781
2782         Reviewed by Keith Miller.
2783
2784         * test262.yaml:
2785         * test262/expectations.yaml:
2786         Mark 46 tests as passing.
2787
2788         * stress/block-scope-redeclarations.js:
2789         Add some new tests.
2790
2791         * stress/for-in-invalidate-context-weird-assignments.js:
2792         * stress/for-in-tests.js:
2793         Replace tests for outdated behavior with tests for SyntaxError.
2794
2795         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2796         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2797         Update expectations.
2798
2799 2018-12-18  Mark Lam  <mark.lam@apple.com>
2800
2801         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2802         https://bugs.webkit.org/show_bug.cgi?id=191374
2803         <rdar://problem/46525447>
2804
2805         Reviewed by Yusuke Suzuki.
2806
2807         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2808
2809         * stress/elidable-new-object-roflcopter-then-exit.js:
2810
2811 2018-12-17  Mark Lam  <mark.lam@apple.com>
2812
2813         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2814         https://bugs.webkit.org/show_bug.cgi?id=192019
2815         <rdar://problem/46525456>
2816
2817         Reviewed by Yusuke Suzuki.
2818
2819         The test runs too slow on 32-bit.
2820
2821         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2822
2823 2018-12-17  Mark Lam  <mark.lam@apple.com>
2824
2825         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2826         https://bugs.webkit.org/show_bug.cgi?id=191373
2827         <rdar://problem/46525458>
2828
2829         Reviewed by Yusuke Suzuki.
2830
2831         The test is already slow running with a JIT on 64-bit.  It will always time out
2832         on 32-bit without a JIT.
2833
2834         * stress/materialize-regexp-cyclic-regexp.js:
2835
2836 2018-12-17  Mark Lam  <mark.lam@apple.com>
2837
2838         Array unshift/shift should not race against the AI in the compiler thread.
2839         https://bugs.webkit.org/show_bug.cgi?id=192795
2840         <rdar://problem/46724263>
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2845
2846 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2847
2848         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2849         https://bugs.webkit.org/show_bug.cgi?id=190047
2850
2851         Reviewed by Saam Barati.
2852
2853         * stress/object-keys-cached-zero.js: Added.
2854         (shouldBe):
2855         (test):
2856         * stress/object-keys-changed-attribute.js: Added.
2857         (shouldBe):
2858         (test):
2859         * stress/object-keys-changed-index.js: Added.
2860         (shouldBe):
2861         (test):
2862         * stress/object-keys-changed.js: Added.
2863         (shouldBe):
2864         (test):
2865         * stress/object-keys-indexed-non-cache.js: Added.
2866         (shouldBe):
2867         (test):
2868         * stress/object-keys-overrides-get-property-names.js: Added.
2869         (shouldBe):
2870         (test):
2871         (noInline):
2872
2873 2018-12-17  Mark Lam  <mark.lam@apple.com>
2874
2875         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2876         https://bugs.webkit.org/show_bug.cgi?id=192779
2877         <rdar://problem/46775869>
2878
2879         Reviewed by Saam Barati.
2880
2881         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2882
2883 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2884
2885         Unreviewed test gardening, address a syntax error in a new test.
2886
2887         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2888
2889 2018-12-17  Mark Lam  <mark.lam@apple.com>
2890
2891         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2892         https://bugs.webkit.org/show_bug.cgi?id=192776
2893         <rdar://problem/46772368>
2894
2895         Reviewed by Keith Miller.
2896
2897         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2898
2899 2018-12-17  Mark Lam  <mark.lam@apple.com>
2900
2901         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2902         https://bugs.webkit.org/show_bug.cgi?id=192770
2903         <rdar://problem/46449037>
2904
2905         Reviewed by Keith Miller.
2906
2907         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2908
2909 2018-12-14  Mark Lam  <mark.lam@apple.com>
2910
2911         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2912         https://bugs.webkit.org/show_bug.cgi?id=192717
2913         <rdar://problem/46660677>
2914
2915         Reviewed by Saam Barati.
2916
2917         * stress/regress-192717.js: Added.
2918
2919 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2920
2921         Unreviewed, rolling out r239153, r239154, and r239155.
2922         https://bugs.webkit.org/show_bug.cgi?id=192715
2923
2924         Caused flaky GC-related crashes seen with layout tests
2925         (Requested by ryanhaddad on #webkit).
2926
2927         Reverted changesets:
2928
2929         "[JSC] Optimize Object.keys by caching own keys results in
2930         StructureRareData"
2931         https://bugs.webkit.org/show_bug.cgi?id=190047
2932         https://trac.webkit.org/changeset/239153
2933
2934         "Unreviewed, build fix after r239153"
2935         https://bugs.webkit.org/show_bug.cgi?id=190047
2936         https://trac.webkit.org/changeset/239154
2937
2938         "Unreviewed, build fix after r239153, part 2"
2939         https://bugs.webkit.org/show_bug.cgi?id=190047
2940         https://trac.webkit.org/changeset/239155
2941
2942 2018-12-14  Keith Miller  <keith_miller@apple.com>
2943
2944         Callers of JSString::getIndex should check for OOM exceptions
2945         https://bugs.webkit.org/show_bug.cgi?id=192709
2946
2947         Reviewed by Mark Lam.
2948
2949         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2950
2951 2018-12-13  Mark Lam  <mark.lam@apple.com>
2952
2953         Add a missing exception check.
2954         https://bugs.webkit.org/show_bug.cgi?id=192626
2955         <rdar://problem/46662163>
2956
2957         Reviewed by Keith Miller.
2958
2959         * stress/regress-192626.js: Added.
2960
2961 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2962
2963         [BigInt] Add ValueDiv into DFG
2964         https://bugs.webkit.org/show_bug.cgi?id=186178
2965
2966         Reviewed by Yusuke Suzuki.
2967
2968         * stress/big-int-div-jit-osr.js: Added.
2969         * stress/big-int-div-jit-untyped.js: Added.
2970         * stress/value-div-fixup-int32-big-int.js: Added.
2971
2972 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2973
2974         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2975         https://bugs.webkit.org/show_bug.cgi?id=190047
2976
2977         Reviewed by Keith Miller.
2978
2979         * stress/object-keys-cached-zero.js: Added.
2980         (shouldBe):
2981         (test):
2982         * stress/object-keys-changed-attribute.js: Added.
2983         (shouldBe):
2984         (test):
2985         * stress/object-keys-changed-index.js: Added.
2986         (shouldBe):
2987         (test):
2988         * stress/object-keys-changed.js: Added.
2989         (shouldBe):
2990         (test):
2991         * stress/object-keys-indexed-non-cache.js: Added.
2992         (shouldBe):
2993         (test):
2994         * stress/object-keys-overrides-get-property-names.js: Added.
2995         (shouldBe):
2996         (test):
2997         (noInline):
2998
2999 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3000
3001         [DFG][FTL] Add NewSymbol
3002         https://bugs.webkit.org/show_bug.cgi?id=192620
3003
3004         Reviewed by Saam Barati.
3005
3006         * microbenchmarks/symbol-creation.js: Added.
3007         (test):
3008         * stress/symbol-description-identity.js: Added.
3009         (shouldBe):
3010         (test):
3011         * stress/symbol-identity.js: Added.
3012         (shouldBe):
3013         (test):
3014         * stress/symbol-with-description-throw-error.js: Added.
3015         (shouldBe):
3016         (shouldThrow):
3017         (test):
3018         (object.toString):
3019
3020 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3021
3022         [BigInt] Implement DFG/FTL typeof for BigInt
3023         https://bugs.webkit.org/show_bug.cgi?id=192619
3024
3025         Reviewed by Keith Miller.
3026
3027         * stress/big-int-boolean-proven-type.js: Added.
3028         (assert):
3029         (bool):
3030         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
3031         (assert):
3032         (typeOf):
3033         (i.switch):
3034         * stress/big-int-type-of-proven-type-non-constant.js: Added.
3035         (assert):
3036         (typeOf):
3037         * stress/big-int-type-of.js:
3038         (typeOf):
3039         (func):
3040
3041 2018-12-10  Mark Lam  <mark.lam@apple.com>
3042
3043         PropertyAttribute needs a CustomValue bit.
3044         https://bugs.webkit.org/show_bug.cgi?id=191993
3045         <rdar://problem/46264467>
3046
3047         Reviewed by Saam Barati.
3048
3049         * stress/regress-191993.js: Added.
3050
3051 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
3052
3053         [BigInt] Add ValueMul into DFG
3054         https://bugs.webkit.org/show_bug.cgi?id=186175
3055
3056         Reviewed by Yusuke Suzuki.
3057
3058         * stress/big-int-mul-jit-osr.js: Added.
3059         * stress/big-int-mul-jit-untyped.js: Added.
3060         * stress/value-mul-fixup-int32-big-int.js: Added.
3061
3062 2018-12-06  Keith Miller  <keith_miller@apple.com>
3063
3064         stress/big-wasm-memory tests failing on 32-bit JSC bot
3065         https://bugs.webkit.org/show_bug.cgi?id=192020
3066
3067         Reviewed by Saam Barati.
3068
3069         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
3070         the wasm stress tests if the WebAssembly object does not exist.
3071
3072         * stress/big-wasm-memory-grow-no-max.js:
3073         (test.foo):
3074         (test):
3075         (foo): Deleted.
3076         (catch): Deleted.
3077         * stress/big-wasm-memory-grow.js:
3078         (test.foo):
3079         (test):
3080         (foo): Deleted.
3081         (catch): Deleted.
3082         * stress/big-wasm-memory.js:
3083         (test.foo):
3084         (test):
3085         (foo): Deleted.
3086         (catch): Deleted.
3087
3088 2018-12-05  Mark Lam  <mark.lam@apple.com>
3089
3090         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
3091         https://bugs.webkit.org/show_bug.cgi?id=192441
3092         <rdar://problem/46480355>
3093
3094         Reviewed by Saam Barati.
3095
3096         * stress/regress-192441.js: Added.
3097
3098 2018-12-04  Mark Lam  <mark.lam@apple.com>
3099
3100         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
3101         https://bugs.webkit.org/show_bug.cgi?id=192386
3102         <rdar://problem/46445516>
3103
3104         Reviewed by Saam Barati.
3105
3106         * stress/regress-192386.js: Added.
3107
3108 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
3109
3110         [ESNext][BigInt] Support logic operations
3111         https://bugs.webkit.org/show_bug.cgi?id=179903
3112
3113         Reviewed by Yusuke Suzuki.
3114
3115         * stress/big-int-branch-usage.js: Added.
3116         * stress/big-int-logical-and.js: Added.
3117         * stress/big-int-logical-not.js: Added.
3118         * stress/big-int-logical-or.js: Added.
3119
3120 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
3121
3122         Unreviewed, rolling out r238833.
3123
3124         Breaks macOS and iOS debug builds.
3125
3126         Reverted changeset:
3127
3128         "[ESNext][BigInt] Support logic operations"
3129         https://bugs.webkit.org/show_bug.cgi?id=179903
3130         https://trac.webkit.org/changeset/238833
3131
3132 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
3133
3134         [ESNext][BigInt] Support logic operations
3135         https://bugs.webkit.org/show_bug.cgi?id=179903
3136
3137         Reviewed by Yusuke Suzuki.
3138
3139         * stress/big-int-branch-usage.js: Added.
3140         * stress/big-int-logical-and.js: Added.
3141         * stress/big-int-logical-not.js: Added.
3142         * stress/big-int-logical-or.js: Added.
3143
3144 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
3145
3146         [ESNext][BigInt] Implement support for "<<" and ">>"
3147         https://bugs.webkit.org/show_bug.cgi?id=186233
3148
3149         Reviewed by Yusuke Suzuki.
3150
3151         * stress/big-int-left-shift-general.js: Added.
3152         * stress/big-int-left-shift-range-error.js: Added.
3153         * stress/big-int-left-shift-type-error.js: Added.
3154         * stress/big-int-left-shift-wrapped-value.js: Added.
3155         * stress/big-int-right-shift-general.js: Added.
3156         * stress/big-int-right-shift-type-error.js: Added.
3157         * stress/big-int-right-shift-wrapped-value.js: Added.
3158         * stress/left-shift-to-primitive-precedence.js: Added.
3159         * stress/right-shift-to-primitive-precedence.js: Added.
3160
3161 2018-11-30  Dean Jackson  <dino@apple.com>
3162
3163         Add first-class support for .mjs files in jsc binary
3164         https://bugs.webkit.org/show_bug.cgi?id=192190
3165         <rdar://problem/46375715>
3166
3167         Reviewed by Keith Miller.
3168
3169         * stress/simple-module.mjs: Added.
3170         * stress/simple-script.js: Added.
3171
3172 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
3173
3174         [BigInt] Implement ValueBitXor into DFG
3175         https://bugs.webkit.org/show_bug.cgi?id=190264
3176
3177         Reviewed by Yusuke Suzuki.
3178
3179         * stress/big-int-bitwise-xor-jit.js: Added.
3180         * stress/big-int-bitwise-xor-memory-stress.js: Added.
3181         * stress/big-int-bitwise-xor-untyped.js: Added.
3182
3183 2018-11-27  Saam barati  <sbarati@apple.com>
3184
3185         r238510 broke scopes of size zero
3186         https://bugs.webkit.org/show_bug.cgi?id=192033
3187         <rdar://problem/46281734>
3188
3189         Reviewed by Keith Miller.
3190
3191         * stress/r238510-bad-loop.js: Added.
3192         (foo):
3193
3194 2018-11-27  Mark Lam  <mark.lam@apple.com>
3195
3196         [Re-landing] NaNs read from Wasm code need to be purified.
3197         https://bugs.webkit.org/show_bug.cgi?id=191056
3198         <rdar://problem/45660341>
3199
3200         Reviewed by Filip Pizlo.
3201
3202         * wasm/regress/regress-191056.js: Added.
3203
3204 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
3205
3206         Unreviewed, rolling out r238509.
3207
3208         Causes JSC tests to fail on iOS.
3209
3210         Reverted changeset:
3211
3212         "NaNs read from Wasm code need to be purified."
3213         https://bugs.webkit.org/show_bug.cgi?id=191056
3214         https://trac.webkit.org/changeset/238509
3215
3216 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
3217
3218         Re-introduce op_bitnot
3219         https://bugs.webkit.org/show_bug.cgi?id=190923
3220
3221         Reviewed by Yusuke Suzuki.
3222
3223         * stress/bit-not-must-generate.js: Added.
3224         * stress/bitwise-not-no-int32.js: Added.
3225
3226 2018-11-26  Saam barati  <sbarati@apple.com>
3227
3228         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
3229         https://bugs.webkit.org/show_bug.cgi?id=191956
3230         <rdar://problem/45665806>
3231
3232         Reviewed by Yusuke Suzuki.
3233
3234         * stress/end-basic-block-set-local-should-filter-type.js: Added.
3235         (bar):
3236         (foo):
3237
3238 2018-11-26  Saam barati  <sbarati@apple.com>
3239
3240         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
3241         https://bugs.webkit.org/show_bug.cgi?id=191958
3242         <rdar://problem/46221877>
3243
3244         Reviewed by Yusuke Suzuki.
3245
3246         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
3247         (x):
3248         (foo):
3249
3250 2018-11-26  Mark Lam  <mark.lam@apple.com>
3251
3252         NaNs read from Wasm code need to be purified.
3253         https://bugs.webkit.org/show_bug.cgi?id=191056
3254         <rdar://problem/45660341>
3255
3256         Reviewed by Filip Pizlo.
3257
3258         * wasm/regress/regress-191056.js: Added.
3259
3260 2018-11-26  Michael Saboff  <msaboff@apple.com>
3261
3262         32-bit JSC test failure: stress/regexp-compile-oom.js
3263         https://bugs.webkit.org/show_bug.cgi?id=191375
3264
3265         Reviewed by Mark Lam.
3266
3267         Disabled the test for 32 bit platforms.
3268
3269         * stress/regexp-compile-oom.js:
3270
3271 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
3272
3273         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
3274         https://bugs.webkit.org/show_bug.cgi?id=191716
3275         <rdar://problem/45723878>
3276
3277         Reviewed by Saam Barati.
3278
3279         * stress/regress-187373.js: Added.
3280         (async.fn):
3281
3282 2018-11-21  Saam barati  <sbarati@apple.com>
3283
3284         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
3285         https://bugs.webkit.org/show_bug.cgi?id=191897
3286         <rdar://problem/45871998>
3287
3288         Reviewed by Mark Lam.
3289
3290         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
3291         (bar):
3292         (foo):
3293
3294 2018-11-21  Saam barati  <sbarati@apple.com>
3295
3296         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
3297         https://bugs.webkit.org/show_bug.cgi?id=191895
3298         <rdar://problem/46167406>
3299
3300         Reviewed by Mark Lam.
3301
3302         * stress/known-cell-use-needs-type-check-assertion.js: Added.
3303         (foo):
3304         (bar):
3305
3306 2018-11-21  Mark Lam  <mark.lam@apple.com>
3307
3308         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
3309         https://bugs.webkit.org/show_bug.cgi?id=191776
3310         <rdar://problem/46152851>
3311
3312         Reviewed by Saam Barati.
3313
3314         * stress/big-wasm-memory-grow-no-max.js:
3315         * stress/big-wasm-memory-grow.js:
3316         * stress/big-wasm-memory.js:
3317         - updated these to expect an OutOfMemoryError.
3318
3319         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
3320         (Binary.prototype.emit_u8):
3321         (Binary.prototype.emit_u32v):
3322         (Binary.prototype.emit_header):
3323         (Binary.prototype.emit_section):
3324         (Binary):
3325         (WasmModuleBuilder):
3326         (WasmModuleBuilder.prototype.addMemory):
3327         (WasmModuleBuilder.prototype.toArray):
3328         (WasmModuleBuilder.prototype.toBuffer):
3329         (WasmModuleBuilder.prototype.instantiate):
3330         (catch):
3331         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
3332         (catch):
3333
3334 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
3335
3336         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3337         https://bugs.webkit.org/show_bug.cgi?id=190836
3338
3339         Reviewed by Saam Barati and Yusuke Suzuki.
3340
3341         * stress/big-int-out-of-memory-tests.js: Added.
3342
3343 2018-11-20  Mark Lam  <mark.lam@apple.com>
3344
3345         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
3346         https://bugs.webkit.org/show_bug.cgi?id=191856
3347         <rdar://problem/46089992>
3348
3349         Reviewed by Yusuke Suzuki.
3350
3351         * stress/regress-191856.js: Added.
3352         - this test is skipped for now until we have a fix for webkit.org/b/191855.
3353
3354 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
3355
3356         Enable JIT on ARM/Linux
3357         https://bugs.webkit.org/show_bug.cgi?id=191548
3358
3359         Reviewed by Yusuke Suzuki.
3360
3361         Disable test on system with limited memory. Program was killed by
3362         the OS before the exception was thrown.
3363
3364         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
3365
3366 2018-11-20  Saam barati  <sbarati@apple.com>
3367
3368         Merging an IC variant may lead to the IC status containing overlapping structure sets
3369         https://bugs.webkit.org/show_bug.cgi?id=191869
3370         <rdar://problem/45403453>
3371
3372         Reviewed by Mark Lam.
3373
3374         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
3375
3376 2018-11-19  Mark Lam  <mark.lam@apple.com>
3377
3378         globalFuncImportModule() should return a promise when it clears exceptions.
3379         https://bugs.webkit.org/show_bug.cgi?id=191792
3380         <rdar://problem/46090763>
3381
3382         Reviewed by Michael Saboff.
3383
3384         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
3385
3386 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
3387
3388         Skip new memory-hungry tests on memory limited devices
3389
3390         Unreviewed gardening.
3391
3392         * stress/big-wasm-memory-grow-no-max.js:
3393         * stress/big-wasm-memory-grow.js:
3394         * stress/big-wasm-memory.js:
3395
3396 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3397
3398         Unreviewed, rolling in the rest of r237254
3399         https://bugs.webkit.org/show_bug.cgi?id=190340
3400
3401         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3402         * stress/function-cache-with-parameters-end-position.js: Added.
3403         (shouldBe):
3404         (shouldThrow):
3405         (i.anonymous):
3406         * stress/function-constructor-name.js: Added.
3407         (shouldBe):
3408         (GeneratorFunction):
3409         (AsyncFunction.async):
3410         (AsyncGeneratorFunction.async):
3411         (anonymous):
3412         (async.anonymous):
3413         * test262/expectations.yaml:
3414
3415 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3416
3417         All users of ArrayBuffer should agree on the same max size
3418         https://bugs.webkit.org/show_bug.cgi?id=191771
3419
3420         Reviewed by Mark Lam.
3421
3422         * stress/big-wasm-memory-grow-no-max.js: Added.
3423         (foo):
3424         (catch):
3425         * stress/big-wasm-memory-grow.js: Added.
3426         (foo):
3427         (catch):
3428         * stress/big-wasm-memory.js: Added.
3429         (foo):
3430         (catch):
3431
3432 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3433
3434         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
3435         run for each JSC config since they're regression tests for runtime bugs.
3436
3437         * stress/json-stringified-overflow-2.js:
3438         * stress/json-stringified-overflow.js:
3439
3440 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
3441
3442         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
3443         config since they're regression tests for runtime bugs.
3444
3445         * stress/large-unshift-splice.js:
3446         * stress/regress-185888.js:
3447
3448 2018-11-16  Saam Barati  <sbarati@apple.com>
3449
3450         KnownCellUse should also have SpecCellCheck as its type filter
3451         https://bugs.webkit.org/show_bug.cgi?id=191729
3452         <rdar://problem/45872852>
3453
3454         Reviewed by Filip Pizlo.
3455
3456         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
3457         (C):
3458
3459 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
3460
3461         Fix assertion failure on BytecodeGenerator::recordOpcode
3462         https://bugs.webkit.org/show_bug.cgi?id=191724
3463         <rdar://problem/45724395>
3464
3465         Reviewed by Saam Barati.
3466
3467         * stress/regress-187373-2.js: Added.
3468         (foo):
3469
3470 2018-11-15  Mark Lam  <mark.lam@apple.com>
3471
3472         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
3473         https://bugs.webkit.org/show_bug.cgi?id=191730
3474         <rdar://problem/46048517>
3475
3476         Reviewed by Saam Barati.
3477
3478         * stress/regress-187006.js: Removed.
3479           - this test is invalid because its sole purpose is to test for the non-spec
3480             compliant behavior that we just fixed.
3481
3482         * stress/regress-191730.js: Added.
3483
3484 2018-11-15  Mark Lam  <mark.lam@apple.com>
3485
3486         RegExp operations should not take fast path if lastIndex is not numeric.
3487         https://bugs.webkit.org/show_bug.cgi?id=191731
3488         <rdar://problem/46017305>
3489
3490         Reviewed by Saam Barati.
3491
3492         * stress/regress-191731.js: Added.
3493
3494 2018-11-13  Saam Barati  <sbarati@apple.com>
3495
3496         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
3497         https://bugs.webkit.org/show_bug.cgi?id=191600
3498
3499         Reviewed by Mark Lam.
3500
3501         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
3502         (foo):
3503         (test):
3504         (bar):
3505
3506 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
3507
3508         Unreviewed, rolling out r238132.
3509
3510         The test added with this change is timing out on Debug JSC
3511         bots.
3512
3513         Reverted changeset:
3514
3515         "[BigInt] JSBigInt::createWithLength should throw when length
3516         is greater than JSBigInt::maxLength"
3517         https://bugs.webkit.org/show_bug.cgi?id=190836
3518         https://trac.webkit.org/changeset/238132
3519
3520 2018-11-13  Mark Lam  <mark.lam@apple.com>
3521
3522         Add OOM detection to StringPrototype's substituteBackreferences().
3523         https://bugs.webkit.org/show_bug.cgi?id=191563
3524         <rdar://problem/45720428>
3525
3526         Reviewed by Saam Barati.
3527
3528         * stress/regress-191563.js: Added.
3529
3530 2018-11-13  Mark Lam  <mark.lam@apple.com>
3531
3532         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
3533         https://bugs.webkit.org/show_bug.cgi?id=191579
3534         <rdar://problem/45942472>
3535
3536         Reviewed by Saam Barati.
3537
3538         * stress/regress-191579.js: Added.
3539
3540 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
3541
3542         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3543         https://bugs.webkit.org/show_bug.cgi?id=190836
3544
3545         Reviewed by Saam Barati.
3546
3547         * stress/big-int-out-of-memory-tests.js: Added.
3548
3549 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
3550
3551         U+180E is no longer a whitespace character
3552         https://bugs.webkit.org/show_bug.cgi?id=191415
3553
3554         Reviewed by Saam Barati.
3555
3556         * ChakraCore/test/es5/regexSpace.baseline:
3557         * ChakraCore/test/es6/unicode_whitespace.js:
3558         Update tests to latest version.
3559         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
3560
3561         * test262.yaml:
3562         * test262/config.yaml:
3563         * test262/expectations.yaml:
3564         Update expectations.
3565
3566 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
3567
3568         [BigInt] Add support to BigInt into ValueAdd
3569         https://bugs.webkit.org/show_bug.cgi?id=186177
3570
3571         Reviewed by Keith Miller.
3572
3573         * stress/big-int-negate-jit.js:
3574         * stress/value-add-big-int-and-string.js: Added.
3575         * stress/value-add-big-int-prediction-propagation.js: Added.
3576         * stress/value-add-big-int-untyped.js: Added.
3577
3578 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
3579
3580         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
3581         https://bugs.webkit.org/show_bug.cgi?id=191184
3582
3583         Reviewed by Saam Barati.
3584
3585         Most tests were failing due to timeouts, since they are too slow to
3586         run on CLoop. The exceptions are:
3587
3588         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
3589         dont-crash-on-stack-overflow-when-parsing-builtin.js and
3590         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
3591         to change the stack size since CLoop requires it to be page aligned.
3592
3593         * microbenchmarks/array-push-1.js:
3594         * microbenchmarks/array-push-2.js:
3595         * microbenchmarks/elidable-new-object-dag.js:
3596         * microbenchmarks/elidable-new-object-roflcopter.js:
3597         * microbenchmarks/elidable-new-object-tree.js:
3598         * microbenchmarks/getter-richards.js:
3599         * microbenchmarks/sinkable-new-object-dag.js:
3600         * microbenchmarks/string-concat-long-convert.js:
3601         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
3602         * slowMicrobenchmarks/array-push-3.js:
3603         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
3604         * slowMicrobenchmarks/spread-small-array.js:
3605         * slowMicrobenchmarks/undefined-property-access.js:
3606         * stress/activation-sink-default-value-tdz-error.js:
3607         * stress/activation-sink-default-value.js:
3608         * stress/activation-sink-osrexit-default-value-tdz-error.js:
3609         * stress/activation-sink-osrexit-default-value.js:
3610         * stress/activation-sink-osrexit.js:
3611         * stress/activation-sink.js:
3612         * stress/allow-math-ic-b3-code-duplication.js:
3613         * stress/array-push-multiple-int32.js:
3614         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
3615         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
3616         * stress/arrowfunction-lexical-this-activation-sink.js:
3617         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
3618         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
3619         * stress/elide-new-object-dag-then-exit.js:
3620         * stress/materialize-regexp-cyclic.js:
3621         * stress/new-regex-inline.js:
3622         * stress/op_add.js:
3623         * stress/op_bitand.js:
3624         * stress/op_bitor.js:
3625         * stress/op_bitxor.js:
3626         * stress/op_div-ConstVar.js:
3627         * stress/op_div-VarConst.js:
3628         * stress/op_div-VarVar.js:
3629         * stress/op_lshift-ConstVar.js:
3630         * stress/op_lshift-VarConst.js:
3631         * stress/op_lshift-VarVar.js:
3632         * stress/op_mod-ConstVar.js:
3633         * stress/op_mod-VarConst.js:
3634         * stress/op_mod-VarVar.js:
3635         * stress/op_mul-ConstVar.js:
3636         * stress/op_mul-VarConst.js:
3637         * stress/op_mul-VarVar.js:
3638         * stress/op_rshift-ConstVar.js:
3639         * stress/op_rshift-VarConst.js:
3640         * stress/op_rshift-VarVar.js:
3641         * stress/op_sub-ConstVar.js:
3642         * stress/op_sub-VarConst.js:
3643         * stress/op_sub-VarVar.js:
3644         * stress/op_urshift-ConstVar.js:
3645         * stress/op_urshift-VarConst.js:
3646         * stress/op_urshift-VarVar.js:
3647         * stress/proxy-get-set-correct-receiver.js:
3648         * stress/regress-179562.js:
3649         * stress/rest-parameter-many-arguments.js:
3650         * stress/sampling-profiler-richards.js:
3651         * stress/splay-flash-access-1ms.js:
3652         * stress/tailCallForwardArguments.js:
3653         * stress/typed-array-get-by-val-profiling.js:
3654         * typeProfiler/getter-richards.js:
3655
3656 2018-11-06  Michael Saboff  <msaboff@apple.com>
3657
3658         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3659         https://bugs.webkit.org/show_bug.cgi?id=191271
3660
3661         Reviewed by Saam Barati.
3662
3663         Added more test cases and made all test cases run with the same deeply recursive stack
3664         instead of finding that same point for each test case.
3665
3666         * stress/regexp-compile-oom.js:
3667         (prototype.runTest):
3668         (recurseAndTest):
3669         (testList.push.new.TestAndExpectedException):
3670
3671 2018-11-05  Michael Saboff  <msaboff@apple.com>
3672
3673         Unreviewed build fix for linux.
3674
3675         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3676
3677 2018-11-02  Michael Saboff  <msaboff@apple.com>
3678
3679         Rolling in r237753 with unreviewed build fix.
3680
3681         Fixed issues with DECLARE_THROW_SCOPE placement.
3682
3683 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3684
3685         Unreviewed, rolling out r237753.
3686
3687         Introduced JSC test failures
3688
3689         Reverted changeset:
3690
3691         "Running out of stack space not properly handled in
3692         RegExp::compile() and its callers"
3693         https://bugs.webkit.org/show_bug.cgi?id=191206
3694         https://trac.webkit.org/changeset/237753
3695
3696 2018-11-02  Michael Saboff  <msaboff@apple.com>
3697
3698         Running out of stack space not properly handled in RegExp::compile() and its callers
3699         https://bugs.webkit.org/show_bug.cgi?id=191206
3700
3701         Reviewed by Filip Pizlo.
3702
3703         New regression test.
3704
3705         * stress/regexp-compile-oom.js: Added.
3706         (recurseAndTest):
3707
3708 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3709
3710         Skip tests on arm/mips that time out now we're running on CLoop
3711
3712         Unreviewed gardening.
3713
3714         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3715         time out on the bots and need to be disabled. There's more tests
3716         disabled on arm because the timeout is longer on the mips bot (as the
3717         device is slower to start with), so many of the tests don't time out
3718         there.
3719
3720         * microbenchmarks/getter-richards.js: disable on arm and mips.
3721         * stress/op_add.js: disable on arm.
3722         * stress/op_bitand.js: disable on arm.
3723         * stress/op_bitor.js: disable on arm.
3724         * stress/op_bitxor.js: disable on arm.
3725         * stress/op_lshift-ConstVar.js: disable on arm.
3726         * stress/op_lshift-VarConst.js: disable on arm.
3727         * stress/op_lshift-VarVar.js: disable on arm.
3728         * stress/op_mod-ConstVar.js: disable on arm.
3729         * stress/op_mod-VarConst.js: disable on arm.
3730         * stress/op_mod-VarVar.js: disable on arm.
3731         * stress/op_mul-ConstVar.js: disable on arm.
3732         * stress/op_mul-VarConst.js: disable on arm.
3733         * stress/op_mul-VarVar.js: disable on arm.
3734         * stress/op_rshift-ConstVar.js: disable on arm.
3735         * stress/op_rshift-VarConst.js: disable on arm.
3736         * stress/op_rshift-VarVar.js: disable on arm.
3737         * stress/op_sub-ConstVar.js: disable on arm.
3738         * stress/op_sub-VarConst.js: disable on arm.
3739         * stress/op_sub-VarVar.js: disable on arm.
3740         * stress/op_urshift-ConstVar.js: disable on arm.
3741         * stress/op_urshift-VarConst.js: disable on arm.
3742         * stress/op_urshift-VarVar.js: disable on arm.
3743         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3744         * stress/value-to-boolean.js: disable on arm and mips.
3745
3746 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3747
3748         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3749         https://bugs.webkit.org/show_bug.cgi?id=191108
3750         <rdar://problem/45690700>
3751
3752         Reviewed by Saam Barati.
3753
3754         * stress/wide-op_catch.js: Added.
3755         (catch):
3756
3757 2018-10-29  Mark Lam  <mark.lam@apple.com>
3758
3759         Correctly detect string overflow when using the 'Function' constructor.
3760         https://bugs.webkit.org/show_bug.cgi?id=184883
3761         <rdar://problem/36320331>
3762
3763         Reviewed by Saam Barati.
3764
3765         I've verified that this passes on 32-bit as well.
3766
3767         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3768
3769 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3770
3771         Add support for GetStack FlushedDouble
3772         https://bugs.webkit.org/show_bug.cgi?id=191012
3773         <rdar://problem/45265141>
3774
3775         Reviewed by Saam Barati.
3776
3777         * stress/get-stack-double.js: Added.
3778         (bar):
3779         (noInline):
3780
3781 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3782
3783         New bytecode format for JSC
3784         https://bugs.webkit.org/show_bug.cgi?id=187373
3785         <rdar://problem/44186758>
3786
3787         Reviewed by Filip Pizlo.
3788
3789         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3790
3791         * stress/maximum-inline-capacity.js: Added.
3792         (test1):
3793         (test3.Foo):
3794         (test3):
3795
3796 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3797
3798         Unreviewed, rolling out r237479 and r237484.
3799         https://bugs.webkit.org/show_bug.cgi?id=190978
3800
3801         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3802
3803         Reverted changesets:
3804
3805         "New bytecode format for JSC"
3806         https://bugs.webkit.org/show_bug.cgi?id=187373
3807         https://trac.webkit.org/changeset/237479
3808
3809         "Gardening: Build fix after r237479."
3810         https://bugs.webkit.org/show_bug.cgi?id=187373
3811         https://trac.webkit.org/changeset/237484
3812
3813 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3814
3815         New bytecode format for JSC
3816         https://bugs.webkit.org/show_bug.cgi?id=187373
3817         <rdar://problem/44186758>
3818
3819         Reviewed by Filip Pizlo.
3820
3821         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3822
3823         * stress/maximum-inline-capacity.js: Added.
3824         (test1):
3825         (test3.Foo):
3826         (test3):
3827
3828 2018-10-26  Mark Lam  <mark.lam@apple.com>
3829
3830         Fix missing edge cases with JSGlobalObjects having a bad time.
3831         https://bugs.webkit.org/show_bug.cgi?id=189028
3832         <rdar://problem/45204939>
3833
3834         Reviewed by Saam Barati.
3835
3836         * stress/regress-189028.js: Added.
3837
3838 2018-10-22  Mark Lam  <mark.lam@apple.com>
3839
3840         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3841         https://bugs.webkit.org/show_bug.cgi?id=190515
3842         <rdar://problem/45222379>
3843
3844         Rubber-stamped by Saam Barati.
3845
3846         Adding another test.
3847
3848         * stress/regress-190515-2.js: Added.
3849
3850 2018-10-22  Mark Lam  <mark.lam@apple.com>
3851
3852         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3853         https://bugs.webkit.org/show_bug.cgi?id=190515
3854         <rdar://problem/45222379>
3855
3856         Reviewed by Saam Barati.
3857
3858         * stress/regress-190515.js: Added.
3859
3860 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3861
3862         Unreviewed, rolling out r237254.
3863         https://bugs.webkit.org/show_bug.cgi?id=190760
3864
3865         "It regresses JetStream 2 by 5% on some iOS devices"
3866         (Requested by saamyjoon on #webkit).
3867
3868         Reverted changeset:
3869
3870         "[JSC] JSC should have "parseFunction" to optimize Function
3871         constructor"
3872         https://bugs.webkit.org/show_bug.cgi?id=190340
3873         https://trac.webkit.org/changeset/237254
3874
3875 2018-10-19  Saam Barati  <sbarati@apple.com>
3876
3877         vmCall should check if we exit before emitting an OSR exit due to exceptions
3878         https://bugs.webkit.org/show_bug.cgi?id=190740
3879         <rdar://problem/45220139>
3880
3881         Reviewed by Mark Lam.
3882
3883         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3884         (foo):
3885
3886 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3887
3888         [ESNext][BigInt] Implement support for "^"
3889         https://bugs.webkit.org/show_bug.cgi?id=186235
3890
3891         Reviewed by Yusuke Suzuki.
3892
3893         * stress/big-int-bitwise-xor-general.js: Added.
3894         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3895         * stress/big-int-bitwise-xor-type-error.js: Added.
3896         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3897
3898 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3899
3900         [BigInt] Add ValueSub into DFG
3901         https://bugs.webkit.org/show_bug.cgi?id=186176
3902
3903         Reviewed by Yusuke Suzuki.
3904
3905         * stress/big-int-subtraction-jit.js:
3906         * stress/value-sub-big-int-prediction-propagation.js: Added.
3907         * stress/value-sub-big-int-untyped.js: Added.
3908         * stress/value-sub-spec-none-case.js: Added.
3909
3910 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3911
3912         [JSC] JSC should have "parseFunction" to optimize Function constructor
3913         https://bugs.webkit.org/show_bug.cgi?id=190340
3914
3915         Reviewed by Mark Lam.
3916
3917         This patch fixes the line number of syntax errors raised by the Function constructor,
3918         since we now parse the final code only once. And we no longer use block statement
3919         for Function constructor's parsing.
3920
3921         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3922         * stress/function-cache-with-parameters-end-position.js: Added.
3923         (shouldBe):
3924         (shouldThrow):
3925         (i.anonymous):
3926         * stress/function-constructor-name.js: Added.
3927         (shouldBe):
3928         (GeneratorFunction):
3929         (AsyncFunction.async):
3930         (AsyncGeneratorFunction.async):
3931         (anonymous):
3932         (async.anonymous):
3933         * test262/expectations.yaml:
3934
3935 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3936
3937         Unreviewed, rolling out r237242.
3938         https://bugs.webkit.org/show_bug.cgi?id=190701
3939
3940         it breaks "stress/sampling-profiler-basic.js" (Requested by
3941         caiolima on #webkit).
3942
3943         Reverted changeset:
3944
3945         "[BigInt] Add ValueSub into DFG"
3946         https://bugs.webkit.org/show_bug.cgi?id=186176
3947         https://trac.webkit.org/changeset/237242
3948
3949 2018-10-17  Keith Miller  <keith_miller@apple.com>
3950
3951         AI does not clear Phantom allocation nodes.
3952         https://bugs.webkit.org/show_bug.cgi?id=190694
3953
3954         Reviewed by Saam Barati.
3955
3956         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3957         (Day):
3958         (DaysInYear):
3959         (TimeInYear):
3960         (TimeFromYear):
3961         (DayFromYear):
3962         (InLeapYear):
3963         (YearFromTime):
3964         (WeekDay):
3965         (DaylightSavingTA):
3966         (GetSecondSundayInMarch):
3967         (TimeInMonth):
3968
3969 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3970
3971         [BigInt] Add ValueSub into DFG
3972         https://bugs.webkit.org/show_bug.cgi?id=186176
3973
3974         Reviewed by Yusuke Suzuki.
3975
3976         * stress/big-int-subtraction-jit.js:
3977         * stress/value-sub-big-int-prediction-propagation.js: Added.
3978         * stress/value-sub-big-int-untyped.js: Added.
3979
3980 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3981
3982         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3983         https://bugs.webkit.org/show_bug.cgi?id=190611
3984
3985         Reviewed by Saam Barati.
3986
3987         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3988         to improve test runtime. On ARM/MIPS this test even timed out when running all
3989         tests.
3990
3991         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3992         (test):
3993
3994 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3995
3996         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3997
3998         Unreviewed gardening.
3999
4000         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
4001
4002 2018-10-15  Saam barati  <sbarati@apple.com>
4003
4004         Emit fjcvtzs on ARM64E on Darwin
4005         https://bugs.webkit.org/show_bug.cgi?id=184023
4006
4007         Reviewed by Yusuke Suzuki and Filip Pizlo.
4008
4009         * stress/double-to-int32-NaN.js: Added.
4010         (assert):
4011         (foo):
4012
4013 2018-10-15  Saam Barati  <sbarati@apple.com>
4014
4015         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
4016         https://bugs.webkit.org/show_bug.cgi?id=190262
4017         <rdar://problem/44986241>
4018
4019         Reviewed by Mark Lam.
4020
4021         * stress/array-prototype-concat-of-long-spliced-arrays.js:
4022         (test):
4023         * stress/slice-array-storage-with-holes.js: Added.
4024         (main):
4025
4026 2018-10-15  Commit Queue  <commit-queue@webkit.org>
4027
4028         Unreviewed, rolling out r237054.
4029         https://bugs.webkit.org/show_bug.cgi?id=190593
4030
4031         "this regressed JetStream 2 by 6% on iOS" (Requested by
4032         saamyjoon on #webkit).
4033
4034         Reverted changeset:
4035
4036         "[JSC] JSC should have "parseFunction" to optimize Function
4037         constructor"
4038         https://bugs.webkit.org/show_bug.cgi?id=190340
4039         https://trac.webkit.org/changeset/237054
4040
4041 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4042
4043         [JSC] JSON.stringify can accept call-with-no-arguments
4044         https://bugs.webkit.org/show_bug.cgi?id=190343
4045
4046         Reviewed by Mark Lam.
4047
4048         * stress/json-stringify-no-arguments.js: Added.
4049         (shouldBe):
4050
4051 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4052
4053         [JSC] JSC should have "parseFunction" to optimize Function constructor
4054         https://bugs.webkit.org/show_bug.cgi?id=190340
4055
4056         Reviewed by Mark Lam.
4057
4058         This patch fixes the line number of syntax errors raised by the Function constructor,
4059         since we now parse the final code only once. And we no longer use block statement
4060         for Function constructor's parsing.
4061
4062         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
4063         * stress/function-cache-with-parameters-end-position.js: Added.
4064         (shouldBe):
4065         (shouldThrow):
4066         (i.anonymous):
4067         * stress/function-constructor-name.js: Added.
4068         (shouldBe):
4069         (GeneratorFunction):
4070         (AsyncFunction.async):
4071         (AsyncGeneratorFunction.async):
4072         (anonymous):
4073         (async.anonymous):
4074         * test262/expectations.yaml:
4075
4076 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
4077
4078         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
4079         https://bugs.webkit.org/show_bug.cgi?id=190426
4080
4081         Unreviewed gardening.
4082
4083         * stress/sampling-profiler-richards.js:
4084
4085 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
4086
4087         [ESNext][BigInt] Implement support for "|"
4088         https://bugs.webkit.org/show_bug.cgi?id=186229
4089
4090         Reviewed by Yusuke Suzuki.
4091
4092         * stress/big-int-bitwise-and-jit.js:
4093         * stress/big-int-bitwise-or-general.js: Added.
4094         * stress/big-int-bitwise-or-jit-untyped.js: Added.
4095         * stress/big-int-bitwise-or-jit.js: Added.
4096         * stress/big-int-bitwise-or-memory-stress.js: Added.
4097         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
4098         * stress/big-int-bitwise-or-type-error.js: Added.
4099         * stress/big-int-bitwise-or-wrapped-value.js: Added.
4100
4101 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
4102
4103         Skip test on systems with limited memory
4104         https://bugs.webkit.org/show_bug.cgi?id=190310
4105
4106         Invoking runDefault adds test to runlist, skipping the test in the next
4107         line does not prevent the test from executing. Change order of lines such
4108         that runDefault is only executed if test is not executed.
4109
4110         Reviewed by Mark Lam.
4111
4112         * stress/regress-190187.js:
4113
4114 2018-10-03  Saam barati  <sbarati@apple.com>
4115
4116         lowXYZ in FTLLower should always filter the type of the incoming edge
4117         https://bugs.webkit.org/show_bug.cgi?id=189939
4118         <rdar://problem/44407030>
4119
4120         Reviewed by Michael Saboff.
4121
4122         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
4123         (foo):
4124         (test):
4125
4126 2018-10-03  Mark Lam  <mark.lam@apple.com>
4127
4128         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
4129         https://bugs.webkit.org/show_bug.cgi?id=190187
4130         <rdar://problem/42512909>
4131
4132         Reviewed by Michael Saboff.
4133
4134         * stress/regress-190187.js: Added.
4135
4136 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
4137
4138         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
4139         https://bugs.webkit.org/show_bug.cgi?id=190033
4140
4141         Reviewed by Yusuke Suzuki.
4142
4143         * stress/big-int-to-string.js:
4144
4145 2018-10-01  Mark Lam  <mark.lam@apple.com>
4146
4147         Function.toString() should also copy the source code Functions that are class definitions.
4148         https://bugs.webkit.org/show_bug.cgi?id=190186
4149         <rdar://problem/44733360>
4150
4151         Reviewed by Saam Barati.
4152
4153         * stress/regress-190186.js: Added.
4154
4155 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
4156
4157         Split NaN-check into separate test
4158         https://bugs.webkit.org/show_bug.cgi?id=190010
4159
4160         Reviewed by Saam Barati.
4161
4162         DataView exposes NaN-representation, which is not necessarily the same on each
4163         architecture. Therefore move the check of the NaN-representation into its own
4164         file such that we can disable this test on MIPS where NaN-representation can be
4165         different on older CPUs.
4166
4167         * stress/dataview-jit-set-nan.js: Added.
4168         (assert):
4169         (test.storeLittleEndian):
4170         (test.storeBigEndian):
4171         (test.store):
4172         (test):
4173         * stress/dataview-jit-set.js:
4174         (test5):
4175
4176 2018-10-01  Commit Queue  <commit-queue@webkit.org>
4177
4178         Unreviewed, rolling out r236647.
4179         https://bugs.webkit.org/show_bug.cgi?id=190124
4180
4181         Breaking test stress/big-int-to-string.js (Requested by
4182         caiolima_ on #webkit).
4183
4184         Reverted changeset:
4185
4186         "[BigInt] BigInt.prototype.toString is broken when radix is
4187         power of 2"
4188         https://bugs.webkit.org/show_bug.cgi?id=190033
4189         https://trac.webkit.org/changeset/236647
4190
4191 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
4192
4193         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
4194         https://bugs.webkit.org/show_bug.cgi?id=190033
4195
4196         Reviewed by Yusuke Suzuki.
4197
4198         * stress/big-int-to-string.js:
4199
4200 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
4201
4202         [ESNext][BigInt] Implement support for "&"
4203         https://bugs.webkit.org/show_bug.cgi?id=186228
4204
4205         Reviewed by Yusuke Suzuki.
4206
4207         * stress/big-int-bitwise-and-general.js: Added.
4208         (assert):
4209         (assert.sameValue):
4210         * stress/big-int-bitwise-and-jit.js: Added.
4211         (let.assert.sameValue):
4212         (bigIntBitAnd):
4213         * stress/big-int-bitwise-and-memory-stress.js: Added.
4214         (assert):
4215         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
4216         (assert.sameValue):
4217         (let.o.Symbol.toPrimitive):
4218         (catch):
4219         * stress/big-int-bitwise-and-type-error.js: Added.
4220         (assert):
4221         (assertThrowTypeError):
4222         (let.o.valueOf):
4223         (o.valueOf):
4224         (o.toString):
4225         (o.Symbol.toPrimitive):
4226         * stress/big-int-bitwise-and-wrapped-value.js: Added.
4227         (assert.sameValue):
4228         (testBitAnd):
4229         (let.o.Symbol.toPrimitive):
4230         (o.valueOf):
4231         (o.toString):
4232
4233 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
4234
4235         JSC test stress/jsc-read.js doesn't support CRLF
4236         https://bugs.webkit.org/show_bug.cgi?id=190063
4237
4238         Reviewed by Yusuke Suzuki.
4239
4240         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
4241
4242         * stress/jsc-read.js:
4243         (test):
4244
4245 2018-09-27  Saam barati  <sbarati@apple.com>
4246
4247         Verify the contents of AssemblerBuffer on arm64e
4248         https://bugs.webkit.org/show_bug.cgi?id=190057
4249         <rdar://problem/38916630>
4250
4251         Reviewed by Mark Lam.
4252
4253         * stress/regress-189132.js:
4254
4255 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
4256
4257         Disable test without LLInt on ARMv7
4258         https://bugs.webkit.org/show_bug.cgi?id=190037
4259
4260         Reviewed by Mark Lam.
4261
4262         Test runs out of executable memory on ARMv7, do not run
4263         this test without LLInt enabled.
4264
4265         * stress/regress-169445.js:
4266
4267 2018-09-26  Keith Miller  <keith_miller@apple.com>
4268
4269         We should zero unused property storage when rebalancing array storage.
4270         https://bugs.webkit.org/show_bug.cgi?id=188151
4271
4272         Reviewed by Michael Saboff.
4273
4274         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
4275
4276 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4277
4278         [JSC] Optimize Array#lastIndexOf
4279         https://bugs.webkit.org/show_bug.cgi?id=189780
4280
4281         Reviewed by Saam Barati.
4282
4283         * stress/array-lastindexof-array-prototype-trap.js: Added.
4284         (shouldBe):
4285         (AncestorArray.prototype.get 2):
4286         (AncestorArray):
4287         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
4288         (shouldBe):
4289         * stress/array-lastindexof-hole-nan.js: Added.
4290         (shouldBe):
4291         (throw.new.Error):
4292         * stress/array-lastindexof-infinity.js: Added.
4293         (shouldBe):
4294         (throw.new.Error):
4295         * stress/array-lastindexof-negative-zero.js: Added.
4296         (shouldBe):
4297         (throw.new.Error):
4298         * stress/array-lastindexof-own-getter.js: Added.
4299         (shouldBe):
4300         (throw.new.Error.get array):
4301         (get array):
4302         * stress/array-lastindexof-prototype-trap.js: Added.
4303         (shouldBe):
4304         (DerivedArray.prototype.get 2):
4305         (DerivedArray):
4306
4307 2018-09-25  Saam Barati  <sbarati@apple.com>
4308
4309         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
4310         https://bugs.webkit.org/show_bug.cgi?id=189940
4311         <rdar://problem/43640987>
4312
4313         Reviewed by Mark Lam.
4314
4315         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
4316
4317 2018-09-24  Saam Barati  <sbarati@apple.com>
4318
4319         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
4320         https://bugs.webkit.org/show_bug.cgi?id=189922
4321         <rdar://problem/44651275>
4322
4323         Reviewed by Mark Lam.
4324
4325         * stress/array-indexof-fast-path-effects.js: Added.
4326         * stress/array-indexof-cached-length.js: Added.
4327
4328 2018-09-24  Saam barati  <sbarati@apple.com>
4329
4330         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
4331         https://bugs.webkit.org/show_bug.cgi?id=189682
4332         <rdar://problem/43557315>
4333
4334         Reviewed by Mark Lam.
4335
4336         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
4337         (foo):
4338
4339 2018-09-22  Saam barati  <sbarati@apple.com>
4340
4341         The sampling should not use Strong<CodeBlock> in its machineLocation field
4342         https://bugs.webkit.org/show_bug.cgi?id=189319
4343
4344         Reviewed by Filip Pizlo.
4345
4346         * stress/sampling-profiler-richards.js: Added.
4347
4348 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4349
4350         [JSC] Optimize Array#indexOf in C++ runtime
4351         https://bugs.webkit.org/show_bug.cgi?id=189507
4352
4353         Reviewed by Saam Barati.
4354
4355         * stress/array-indexof-array-prototype-trap.js: Added.
4356         (shouldBe):
4357         (AncestorArray.prototype.get 2):
4358         (AncestorArray):
4359         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
4360         (shouldBe):
4361         * stress/array-indexof-hole-nan.js: Added.
4362         (shouldBe):
4363         (throw.new.Error):
4364         * stress/array-indexof-infinity.js: Added.
4365         (shouldBe):
4366         (throw.new.Error):
4367         * stress/array-indexof-negative-zero.js: Added.
4368         (shouldBe):
4369         (throw.new.Error):
4370         * stress/array-indexof-own-getter.js: Added.
4371         (shouldBe):
4372         (throw.new.Error.get array):
4373         (get array):
4374         * stress/array-indexof-prototype-trap.js: Added.
4375         (shouldBe):
4376         (DerivedArray.prototype.get 2):
4377         (DerivedArray):
4378
4379 2018-09-19  Saam barati  <sbarati@apple.com>
4380
4381         AI rule for MultiPutByOffset executes its effects in the wrong order
4382         https://bugs.webkit.org/show_bug.cgi?id=189757
4383         <rdar://problem/43535257>
4384
4385         Reviewed by Michael Saboff.
4386
4387         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
4388         (foo):
4389         (Foo):
4390         (g):
4391
4392 2018-09-17  Mark Lam  <mark.lam@apple.com>
4393
4394         Ensure that ForInContexts are invalidated if their loop local is over-written.
4395         https://bugs.webkit.org/show_bug.cgi?id=189571
4396         <rdar://problem/44402277>
4397
4398         Reviewed by Saam Barati.
4399
4400         * stress/regress-189571.js: Added.
4401
4402 2018-09-17  Saam barati  <sbarati@apple.com>
4403
4404         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
4405         https://bugs.webkit.org/show_bug.cgi?id=189676
4406         <rdar://problem/39682897>
4407
4408         Reviewed by Michael Saboff.
4409
4410         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
4411         (A):
4412         (K):
4413         (i.catch):
4414
4415 2018-09-14  Saam barati  <sbarati@apple.com>
4416
4417         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
4418         https://bugs.webkit.org/show_bug.cgi?id=189628
4419         <rdar://problem/39481690>
4420
4421         Reviewed by Mark Lam.
4422
4423         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
4424         (foo):
4425
4426 2018-09-11  Mark Lam  <mark.lam@apple.com>
4427
4428         Test for array initialization in arrayProtoFuncSplice.
4429         https://bugs.webkit.org/show_bug.cgi?id=170253
4430         <rdar://problem/31328773>
4431
4432         Rubber-stamped by Saam Barati.
4433
4434         * stress/regress-170253.js: Added.
4435
4436 2018-09-11  Mark Lam  <mark.lam@apple.com>
4437
4438         Test for IntlObject initialization.
4439         https://bugs.webkit.org/show_bug.cgi?id=170251
4440         <rdar://problem/31328419>
4441
4442         Rubber-stamped by Saam Barati.
4443
4444         * stress/regress-170251.js: Added.
4445
4446 2018-09-11  Mark Lam  <mark.lam@apple.com>
4447
4448         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
4449         https://bugs.webkit.org/show_bug.cgi?id=169889
4450         <rdar://problem/31155607>
4451
4452         Reviewed by Saam Barati.
4453
4454         * stress/regress-169889-array-concat.js: Added.
4455         * stress/regress-169889-array-concat1.js: Added.
4456         * stress/regress-169889-array-slice.js: Added.
4457
4458 2018-09-11  Mark Lam  <mark.lam@apple.com>
4459
4460         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
4461         https://bugs.webkit.org/show_bug.cgi?id=169445
4462         <rdar://problem/30957435>
4463
4464         Reviewed by Saam Barati.
4465
4466         * stress/regress-169445.js: Added.
4467         (let.gun.eval.A):
4468         (let.gun.eval.B.C):
4469         (let.gun.eval.B.C.prototype.trigger):
4470         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
4471         (let.gun.eval.B):
4472         (let.gun.eval):
4473
4474 == Rolled over to ChangeLog-2018-09-11 ==