Invalid flags in a RegExp literal should be an early SyntaxError
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
2
3         Invalid flags in a RegExp literal should be an early SyntaxError
4         https://bugs.webkit.org/show_bug.cgi?id=195514
5
6         Reviewed by Darin Adler.
7
8         * test262/expectations.yaml:
9         Mark 4 test cases as passing.
10
11         * stress/regexp-syntax-error-invalid-flags.js:
12         * stress/regress-161995.js: Removed.
13         Update existing test, merging in an older test for the same behavior.
14
15 2019-03-08  Mark Lam  <mark.lam@apple.com>
16
17         Stack overflow crash in JSC::JSObject::hasInstance.
18         https://bugs.webkit.org/show_bug.cgi?id=195458
19         <rdar://problem/48710195>
20
21         Reviewed by Yusuke Suzuki.
22
23         * stress/stack-overflow-in-custom-hasInstance.js: Added.
24
25 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
26
27         op_check_tdz does not def its argument
28         https://bugs.webkit.org/show_bug.cgi?id=192880
29         <rdar://problem/46221598>
30
31         Reviewed by Saam Barati.
32
33         * microbenchmarks/let-for-in.js: Added.
34         (foo):
35
36 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
37
38         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
39         https://bugs.webkit.org/show_bug.cgi?id=195429
40
41         Reviewed by Saam Barati.
42
43         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
44         (foo):
45         * stress/string-from-char-code-255.js: Added.
46
47 2019-03-06  Mark Lam  <mark.lam@apple.com>
48
49         Fix incorrect handling of try-finally completion values.
50         https://bugs.webkit.org/show_bug.cgi?id=195131
51         <rdar://problem/46222079>
52
53         Reviewed by Saam Barati and Yusuke Suzuki.
54
55         Added many permutations of new test case to test-finally.js.  test-finally.js has
56         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
57         tests passes there as well.
58
59         * stress/test-finally.js:
60
61 2019-03-06  Saam Barati  <sbarati@apple.com>
62
63         Air::reportUsedRegisters must padInterference
64         https://bugs.webkit.org/show_bug.cgi?id=195303
65         <rdar://problem/48270343>
66
67         Reviewed by Keith Miller.
68
69         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
70
71 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
72
73         [JSC] AI should not propagate AbstractValue relying on constant folding phase
74         https://bugs.webkit.org/show_bug.cgi?id=195375
75
76         Reviewed by Saam Barati.
77
78         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
79         (let.array):
80
81 2019-03-05  Saam barati  <sbarati@apple.com>
82
83         op_switch_char broken for rope strings after JSRopeString layout rewrite
84         https://bugs.webkit.org/show_bug.cgi?id=195339
85         <rdar://problem/48592545>
86
87         Reviewed by Yusuke Suzuki.
88
89         * stress/switch-on-char-llint-rope.js: Added.
90
91 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
92
93         [JSC] Store bits for JSRopeString in 3 stores
94         https://bugs.webkit.org/show_bug.cgi?id=195234
95
96         Reviewed by Saam Barati.
97
98         * stress/null-rope-and-collectors.js: Added.
99
100 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
101
102         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
103         https://bugs.webkit.org/show_bug.cgi?id=195207
104
105         Unreviewed. After test runtime was reduced in r242213, test can be
106         run again on ARM/MIPS.
107
108         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
109
110 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
111
112         [JSC] sizeof(JSString) should be 16
113         https://bugs.webkit.org/show_bug.cgi?id=194375
114
115         Reviewed by Saam Barati.
116
117         * microbenchmarks/make-rope.js: Added.
118         (makeRope):
119         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
120         (returnRope.helper): Deleted.
121         (returnRope): Deleted.
122
123 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
124
125         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
126         https://bugs.webkit.org/show_bug.cgi?id=195144
127
128         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
129         Change the number from 1e8 to 1e5.
130
131         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
132         (foo):
133
134 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
135
136         Test times out on ARM/MIPS
137         https://bugs.webkit.org/show_bug.cgi?id=195168
138
139         Unreviewed. Skip test on ARM/MIPS.
140
141         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
142
143 2019-02-27  Mark Lam  <mark.lam@apple.com>
144
145         The parser is failing to record the token location of new in new.target.
146         https://bugs.webkit.org/show_bug.cgi?id=195127
147         <rdar://problem/39645578>
148
149         Reviewed by Yusuke Suzuki.
150
151         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
152
153 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
154
155         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
156         https://bugs.webkit.org/show_bug.cgi?id=195144
157         <rdar://problem/47595961>
158
159         Reviewed by Mark Lam.
160
161         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
162         (bar):
163         (foo):
164         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
165         (bar):
166         (foo):
167
168 2019-02-27  Robin Morisset  <rmorisset@apple.com>
169
170         DFG: Loop-invariant code motion (LICM) should not hoist dead code
171         https://bugs.webkit.org/show_bug.cgi?id=194945
172         <rdar://problem/48311657>
173
174         Reviewed by Mark Lam.
175
176         * stress/licm-dead-code.js: Added.
177
178 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
179
180         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
181         https://bugs.webkit.org/show_bug.cgi?id=194677
182         <rdar://problem/48112492>
183
184         Reviewed by Mark Lam.
185
186         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
187         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
188         it immediately fails due the large size.
189
190         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
191         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
192         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
193         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
194
195         This patch changes the test to produce 16bit string from String.fromCharCode.
196
197         * stress/regress-178386.js:
198
199 2019-02-26  Mark Lam  <mark.lam@apple.com>
200
201         wasmToJS() should purify incoming NaNs.
202         https://bugs.webkit.org/show_bug.cgi?id=194807
203         <rdar://problem/48189132>
204
205         Reviewed by Saam Barati.
206
207         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
208
209 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
210
211         [JSC] Repeat string created from Array.prototype.join() take too much memory
212         https://bugs.webkit.org/show_bug.cgi?id=193912
213
214         Reviewed by Saam Barati.
215
216         Added a test and a microbenchmark for corner cases of
217         Array.prototype.join() with an uninitialized array.
218
219         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
220         * stress/array-prototype-join-uninitialized.js: Added.
221         (testArray):
222         (testABC):
223         (B):
224         (C):
225
226 2019-02-22  Robin Morisset  <rmorisset@apple.com>
227
228         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
229         https://bugs.webkit.org/show_bug.cgi?id=194953
230         <rdar://problem/47595253>
231
232         Reviewed by Saam Barati.
233
234         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
235
236         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
237
238 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
239
240         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
241         https://bugs.webkit.org/show_bug.cgi?id=172848
242         <rdar://problem/25709212>
243
244         Reviewed by Mark Lam.
245
246         * typeProfiler/inheritance.js:
247         Rewrite the test slightly for clarity. The hoisting was confusing.
248
249         * heapProfiler/class-names.js: Added.
250         (MyES5Class):
251         (MyES6Class):
252         (MyES6Subclass):
253         Test object types and improved class names.
254
255         * heapProfiler/driver/driver.js:
256         (CheapHeapSnapshotNode):
257         (CheapHeapSnapshot):
258         (createCheapHeapSnapshot):
259         (HeapSnapshot):
260         (createHeapSnapshot):
261         Update snapshot parsing from version 1 to version 2.
262
263 2019-02-19  Truitt Savell  <tsavell@apple.com>
264
265         Unreviewed, rolling out r241784.
266
267         Broke all OpenSource builds.
268
269         Reverted changeset:
270
271         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
272         instances view"
273         https://bugs.webkit.org/show_bug.cgi?id=172848
274         https://trac.webkit.org/changeset/241784
275
276 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
277
278         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
279         https://bugs.webkit.org/show_bug.cgi?id=172848
280         <rdar://problem/25709212>
281
282         Reviewed by Mark Lam.
283
284         * typeProfiler/inheritance.js:
285         Rewrite the test slightly for clarity. The hoisting was confusing.
286
287         * heapProfiler/class-names.js: Added.
288         (MyES5Class):
289         (MyES6Class):
290         (MyES6Subclass):
291         Test object types and improved class names.
292
293         * heapProfiler/driver/driver.js:
294         (CheapHeapSnapshotNode):
295         (CheapHeapSnapshot):
296         (createCheapHeapSnapshot):
297         (HeapSnapshot):
298         (createHeapSnapshot):
299         Update snapshot parsing from version 1 to version 2.
300
301 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
302
303         [ARM] Fix crash with sampling profiler
304         https://bugs.webkit.org/show_bug.cgi?id=194772
305
306         Reviewed by Mark Lam.
307
308         Do not skip test since crash with sampling profiler is now fixed.
309
310         * stress/sampling-profiler-richards.js:
311
312 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
313
314         [JSC] Add LazyClassStructure::getInitializedOnMainThread
315         https://bugs.webkit.org/show_bug.cgi?id=194784
316         <rdar://problem/48154820>
317
318         Reviewed by Mark Lam.
319
320         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
321         (getProperties):
322         (getRandomProperty):
323         (i.catch):
324
325 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
326
327         [ARM] Test gardening: Test running out of executable memory
328         https://bugs.webkit.org/show_bug.cgi?id=194771
329
330         Unreviewed. Do not run test without LLInt, test is running out of executable
331         memory on ARM otherwise.
332
333         * stress/tagged-template-object-collect.js:
334
335 2019-02-18  Tomas Popela  <tpopela@redhat.com>
336
337         Unreviewed, skip the test on platforms without sampling profiler
338
339         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
340         (platformSupportsSamplingProfiler.foo):
341         (platformSupportsSamplingProfiler.test):
342         (platformSupportsSamplingProfiler):
343         (foo): Deleted.
344         (test): Deleted.
345
346 2019-02-17  Saam Barati  <sbarati@apple.com>
347
348         Deadlock when adding a Structure property transition and then doing incremental marking
349         https://bugs.webkit.org/show_bug.cgi?id=194767
350
351         Reviewed by Mark Lam.
352
353         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
354
355 2019-02-15  Michael Saboff  <msaboff@apple.com>
356
357         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
358         https://bugs.webkit.org/show_bug.cgi?id=194558
359
360         Reviewed by Saam Barati.
361
362         New regression test.
363
364         * stress/regexp-unicode-within-string.js: Added.
365
366 2019-02-15  Mark Lam  <mark.lam@apple.com>
367
368         SamplingProfiler::stackTracesAsJSON() should escape strings.
369         https://bugs.webkit.org/show_bug.cgi?id=194649
370         <rdar://problem/48072386>
371
372         Reviewed by Saam Barati.
373
374         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
375         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
376         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
377         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
378
379 2019-02-15  Robin Morisset  <rmorisset@apple.com>
380         CodeBlock::jettison should clear related watchpoints
381         https://bugs.webkit.org/show_bug.cgi?id=194544
382
383         Reviewed by Mark Lam.
384
385         * stress/regexp-replace-double-watchpoint.js: Added.
386         (foo):
387
388 2019-02-15  Saam barati  <sbarati@apple.com>
389
390         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
391         https://bugs.webkit.org/show_bug.cgi?id=194036
392
393         Reviewed by Yusuke Suzuki.
394
395         * stress/tail-call-many-arguments.js: Added.
396         (foo):
397         (bar):
398
399 2019-02-14  Saam Barati  <sbarati@apple.com>
400
401         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
402         https://bugs.webkit.org/show_bug.cgi?id=194583
403         <rdar://problem/48028140>
404
405         Reviewed by Yusuke Suzuki.
406
407         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
408
409 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
410
411         [JSC] String.fromCharCode's slow path always generates 16bit string
412         https://bugs.webkit.org/show_bug.cgi?id=194466
413
414         Reviewed by Keith Miller.
415
416         * stress/string-from-char-code-slow-path.js: Added.
417         (shouldBe):
418         (testWithLength):
419
420 2019-02-08  Saam barati  <sbarati@apple.com>
421
422         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
423         https://bugs.webkit.org/show_bug.cgi?id=194334
424         <rdar://problem/47844327>
425
426         Reviewed by Mark Lam.
427
428         * stress/check-in-bounds-should-be-a-child-use.js: Added.
429         (func):
430
431 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
432
433         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
434         https://bugs.webkit.org/show_bug.cgi?id=194369
435         <rdar://problem/47813087>
436
437         Reviewed by Saam Barati.
438
439         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
440         (A):
441
442 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
443
444         [JSC] PrivateName to PublicName hash table is wasteful
445         https://bugs.webkit.org/show_bug.cgi?id=194277
446
447         Reviewed by Michael Saboff.
448
449         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
450
451         * ChakraCore.yaml:
452
453 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
454
455         [ARM] Test running out of executable memory
456         https://bugs.webkit.org/show_bug.cgi?id=194285
457
458         Unreviewed. Do no execute test with LLInt disabled, test runs out of
459         executable memory otherwise.
460
461         * stress/class-subclassing-function.js:
462
463 2019-02-04  Robin Morisset  <rmorisset@apple.com>
464
465         when lowering AssertNotEmpty, create the value before creating the patchpoint
466         https://bugs.webkit.org/show_bug.cgi?id=194231
467
468         Reviewed by Saam Barati.
469
470         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
471         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
472         So even tiny changes to this test can change the path code taken.
473
474         * stress/assert-not-empty.js: Added.
475         (foo):
476
477 2019-02-01  Mark Lam  <mark.lam@apple.com>
478
479         Remove invalid assertion in DFG's compileDoubleRep().
480         https://bugs.webkit.org/show_bug.cgi?id=194130
481         <rdar://problem/47699474>
482
483         Reviewed by Saam Barati.
484
485         * stress/constant-fold-double-rep-into-double-constant.js: Added.
486
487 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
488
489         Import latest Test262 updates.
490
491         Rubber-stamped by Keith Miller.
492
493         * test262.yaml: Deleted.
494         * test262/config.yaml:
495         * test262/expectations.yaml:
496         * test262/latest-changes-summary.txt:
497         * test262/test/:
498         * test262/test262-Revision.txt:
499
500 2019-01-30  Robin Morisset  <rmorisset@apple.com>
501
502         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
503         https://bugs.webkit.org/show_bug.cgi?id=194050
504         <rdar://problem/47595592>
505
506         Reviewed by Yusuke Suzuki.
507
508         * stress/object-keys-osr-exit.js: Added.
509         (foo):
510         (catch):
511
512 2019-01-29  Mark Lam  <mark.lam@apple.com>
513
514         ValueRecovery::recover() should purify NaN values it recovers.
515         https://bugs.webkit.org/show_bug.cgi?id=193978
516         <rdar://problem/47625488>
517
518         Reviewed by Saam Barati.
519
520         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
521
522 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
523
524         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
525         https://bugs.webkit.org/show_bug.cgi?id=193713
526
527         * stress/try-get-by-id-should-spill-registers-dfg.js:
528         (let.f.createBuiltin):
529
530 2019-01-28  Mark Lam  <mark.lam@apple.com>
531
532         ToString node actually does GC.
533         https://bugs.webkit.org/show_bug.cgi?id=193920
534         <rdar://problem/46695900>
535
536         Reviewed by Yusuke Suzuki.
537
538         * stress/dfg-to-string-on-int-does-gc.js: Added.
539         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
540         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
541
542 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
543
544         [JSC] NativeErrorConstructor should not have own IsoSubspace
545         https://bugs.webkit.org/show_bug.cgi?id=193713
546
547         Reviewed by Saam Barati.
548
549         Remove @Error use.
550
551         * stress/try-get-by-id-should-spill-registers-dfg.js:
552         (let.f.createBuiltin):
553
554 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
555
556         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
557         https://bugs.webkit.org/show_bug.cgi?id=190693
558
559         Reviewed by Michael Saboff.
560
561         * stress/regress-190693.js: Added.
562         (truth):
563         (assert):
564         (shouldThrowInvalidConstAssignment):
565         (taz):
566
567 2019-01-24  Saam Barati  <sbarati@apple.com>
568
569         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
570         https://bugs.webkit.org/show_bug.cgi?id=193751
571         <rdar://problem/47280215>
572
573         Reviewed by Michael Saboff.
574
575         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
576         (let.thing):
577         (foo.let.hello):
578         (foo):
579
580 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
581
582         [JSC] Reenable baseline JIT on mips
583         https://bugs.webkit.org/show_bug.cgi?id=192983
584
585         Reviewed by Mark Lam.
586
587         Added a new test for a case that was triggering a RELEASE_ASSERT when
588         testing.
589         Disable some slow tests that were already disabled for arm and x86.
590
591         * stress/json-parse-big-object.js: Added.
592         * stress/new-largeish-contiguous-array-with-size.js:
593         * stress/op_add.js:
594         * stress/op_bitand.js:
595         * stress/op_bitor.js:
596         * stress/op_bitxor.js:
597         * stress/op_lshift-ConstVar.js:
598         * stress/op_lshift-VarConst.js:
599         * stress/op_lshift-VarVar.js:
600         * stress/op_mod-ConstVar.js:
601         * stress/op_mod-VarConst.js:
602         * stress/op_mod-VarVar.js:
603         * stress/op_mul-ConstVar.js:
604         * stress/op_mul-VarConst.js:
605         * stress/op_mul-VarVar.js:
606         * stress/op_rshift-ConstVar.js:
607         * stress/op_rshift-VarConst.js:
608         * stress/op_rshift-VarVar.js:
609         * stress/op_sub-ConstVar.js:
610         * stress/op_sub-VarConst.js:
611         * stress/op_sub-VarVar.js:
612         * stress/op_urshift-ConstVar.js:
613         * stress/op_urshift-VarConst.js:
614         * stress/op_urshift-VarVar.js:
615         * stress/sampling-profiler-richards.js:
616         * stress/spread-forward-call-varargs-stack-overflow.js:
617
618 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
619
620         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
621         https://bugs.webkit.org/show_bug.cgi?id=193711
622         <rdar://problem/47250262>
623
624         Reviewed by Saam Barati.
625
626         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
627         (shouldBe):
628         (foo):
629         (bar):
630         (baz):
631
632 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
633
634         Unreviewed, fix initial global lexical binding epoch
635         https://bugs.webkit.org/show_bug.cgi?id=193603
636         <rdar://problem/47380869>
637
638         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
639         (f1.f2.f3.f4):
640         (f1.f2.f3):
641         (f1.f2):
642         (f1):
643
644 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
645
646         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
647         https://bugs.webkit.org/show_bug.cgi?id=193709
648         <rdar://problem/47363838>
649
650         Unreviewed, rollout to watch the tests.
651
652         * stress/object-tostring-changed-proto.js: Removed.
653         * stress/object-tostring-changed.js: Removed.
654         * stress/object-tostring-misc.js: Removed.
655         * stress/object-tostring-other.js: Removed.
656         * stress/object-tostring-untyped.js: Removed.
657
658 2019-01-22  Saam Barati  <sbarati@apple.com>
659
660         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
661
662         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
663         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
664         (testUncheckedLessThanZero):
665         (testUncheckedLessThanOrEqualZero):
666         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
667         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
668
669 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
670
671         [JSC] Invalidate old scope operations using global lexical binding epoch
672         https://bugs.webkit.org/show_bug.cgi?id=193603
673         <rdar://problem/47380869>
674
675         Reviewed by Saam Barati.
676
677         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
678         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
679         (shouldThrow):
680         (bar):
681         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
682         (shouldBe):
683         (get1):
684         (get2):
685         (get1If):
686         (get2If):
687         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
688         (shouldThrow):
689         (foo):
690
691 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
692
693         Unreviewed, roll out r240220 due to date-format-xparb regression
694         https://bugs.webkit.org/show_bug.cgi?id=193603
695
696         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
697         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
698         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
699         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
700
701 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
702
703         DoesGC rule is wrong for nodes with BigIntUse
704         https://bugs.webkit.org/show_bug.cgi?id=193652
705
706         Reviewed by Saam Barati.
707
708         * stress/big-int-value-op-update-gc-rules.js: Added.
709         (assert):
710         (doesGCAdd):
711         (doesGCSub):
712         (doesGCDiv):
713         (doesGCMul):
714         (doesGCBitAnd):
715         (doesGCBitOr):
716         (doesGCBitXor):
717
718 2019-01-20  Saam Barati  <sbarati@apple.com>
719
720         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
721         https://bugs.webkit.org/show_bug.cgi?id=193644
722         <rdar://problem/46209745>
723
724         Reviewed by Yusuke Suzuki.
725
726         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
727         (foo):
728         * stress/data-view-set-intrinsic-undefined-result.js: Added.
729         (foo):
730         (bar):
731
732 2019-01-20  Saam Barati  <sbarati@apple.com>
733
734         MovHint must merge NodeBytecodeUsesAsValue for its child
735         https://bugs.webkit.org/show_bug.cgi?id=186916
736         <rdar://problem/41396612>
737
738         Reviewed by Yusuke Suzuki.
739
740         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
741         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
742
743 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
744
745         [JSC] Invalidate old scope operations using global lexical binding epoch
746         https://bugs.webkit.org/show_bug.cgi?id=193603
747         <rdar://problem/47380869>
748
749         Reviewed by Saam Barati.
750
751         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
752         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
753         (shouldThrow):
754         (bar):
755         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
756         (shouldBe):
757         (get1):
758         (get2):
759         (get1If):
760         (get2If):
761         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
762         (shouldThrow):
763         (foo):
764
765 2019-01-17  Saam barati  <sbarati@apple.com>
766
767         StringObjectUse should not be a structure check for the original string object structure
768         https://bugs.webkit.org/show_bug.cgi?id=193483
769         <rdar://problem/47280522>
770
771         Reviewed by Yusuke Suzuki.
772
773         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
774         (foo):
775         (a.valueOf.0):
776
777 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
778
779         [JSC] ToThis omission in DFGByteCodeParser is wrong
780         https://bugs.webkit.org/show_bug.cgi?id=193513
781         <rdar://problem/45842236>
782
783         Reviewed by Saam Barati.
784
785         * stress/to-this-omission-with-different-strict-modes.js: Added.
786         (thisA):
787         (thisAStrictWrapper):
788
789 2019-01-15  Mark Lam  <mark.lam@apple.com>
790
791         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
792         https://bugs.webkit.org/show_bug.cgi?id=193423
793         <rdar://problem/46209355>
794
795         Reviewed by Saam Barati.
796
797         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
798         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
799         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
800         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
801
802 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
803
804         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
805         https://bugs.webkit.org/show_bug.cgi?id=193438
806         <rdar://problem/45581249>
807
808         Reviewed by Saam Barati and Keith Miller.
809
810         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
811         Then, GetByVal(String) crashed.
812
813         * stress/string-get-by-val-lowering.js: Added.
814         (shouldBe):
815         (test):
816         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
817         (Hello):
818         (foo):
819
820 2019-01-15  Tomas Popela  <tpopela@redhat.com>
821
822         Unreviewed, skip JIT tests if it's not enabled
823
824         * stress/bit-op-with-object-returning-int32.js:
825
826 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
827
828         DFGByteCodeParser rules for bitwise operations should consider type of their operands
829         https://bugs.webkit.org/show_bug.cgi?id=192966
830
831         Reviewed by Yusuke Suzuki.
832
833         * stress/bit-op-with-object-returning-int32.js: Added.
834
835 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
836
837         Skip a slow test and a flakey test on arm
838
839         Unreviewed gardening.
840
841         * typeProfiler/getter-richards.js:
842         this test always times out, it used to be always skipped on arm and
843         mips, but got accidentally enabled by r237919 now that we have DFG on
844         arm. Also skipping on mips as we plan to soon enable DFG for it too.
845
846 2019-01-14  Keith Miller  <keith_miller@apple.com>
847
848         Skip type-check-hoisting-phase-hoist... with no jit
849         https://bugs.webkit.org/show_bug.cgi?id=193421
850
851         Reviewed by Mark Lam.
852
853         It's timing out the 32-bit bots and takes 330 seconds
854         on my machine when run by itself.
855
856         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
857
858 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
859
860         [JSC] AI should check the given constant's array type when folding GetByVal into constant
861         https://bugs.webkit.org/show_bug.cgi?id=193413
862         <rdar://problem/46092389>
863
864         Reviewed by Keith Miller.
865
866         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
867         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
868         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
869         but GetByVal does not have appropriate ArrayModes, JSC crashes.
870
871         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
872         (compareArray):
873
874 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
875
876         [BigInt] Literal parsing is crashing when used inside a Object Literal
877         https://bugs.webkit.org/show_bug.cgi?id=193404
878
879         Reviewed by Yusuke Suzuki.
880
881         * stress/big-int-literal-inside-literal-object.js: Added.
882
883 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
884
885         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
886         https://bugs.webkit.org/show_bug.cgi?id=193372
887
888         Reviewed by Saam Barati.
889
890         * stress/typed-array-array-modes-profile.js: Added.
891         (foo):
892
893 2019-01-14  Mark Lam  <mark.lam@apple.com>
894
895         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
896         https://bugs.webkit.org/show_bug.cgi?id=193402
897         <rdar://problem/46012309>
898
899         Reviewed by Keith Miller.
900
901         * stress/regexp-compile-oom.js:
902         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
903           is enabled.  As a result, it will fail on cloop builds though there is no bug.
904
905 2019-01-11  Saam barati  <sbarati@apple.com>
906
907         DFG combined liveness can be wrong for terminal basic blocks
908         https://bugs.webkit.org/show_bug.cgi?id=193304
909         <rdar://problem/45268632>
910
911         Reviewed by Yusuke Suzuki.
912
913         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
914
915 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
916
917         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
918         https://bugs.webkit.org/show_bug.cgi?id=193308
919         <rdar://problem/45546542>
920
921         Reviewed by Saam Barati.
922
923         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
924         (shouldThrow):
925         (shouldBe):
926         (foo):
927         (get shouldThrow):
928         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
929         (shouldThrow):
930         (shouldBe):
931         (foo):
932         (get shouldBe):
933         (get shouldThrow):
934         (get return):
935         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
936         (shouldThrow):
937         (shouldBe):
938         (foo):
939         (get shouldBe):
940         (get shouldThrow):
941         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
942         (shouldThrow):
943         (shouldBe):
944         (foo):
945         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
946         (shouldThrow):
947         (shouldBe):
948         (foo):
949         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
950         (shouldThrow):
951         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
952         (shouldThrow):
953         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
954         (shouldThrow):
955         (shouldBe):
956         (foo):
957         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
958         (shouldThrow):
959         (shouldBe):
960         (foo):
961         (get shouldBe):
962         (get shouldThrow):
963         (get return):
964         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
965         (shouldThrow):
966         (shouldBe):
967         (foo):
968         (get shouldBe):
969         (get shouldThrow):
970         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
971         (shouldThrow):
972         (shouldBe):
973         (foo):
974         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
975         (shouldThrow):
976         (shouldBe):
977         (foo):
978
979 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
980
981         Enable DFG on ARM/Linux again
982         https://bugs.webkit.org/show_bug.cgi?id=192496
983
984         Reviewed by Yusuke Suzuki.
985
986         Test wasn't really skipped before moving the line with skip
987         to the top.
988
989         * stress/regress-192717.js:
990
991 2019-01-10  Commit Queue  <commit-queue@webkit.org>
992
993         Unreviewed, rolling out r239825.
994         https://bugs.webkit.org/show_bug.cgi?id=193330
995
996         Broke tests on armv7/linux bots (Requested by guijemont on
997         #webkit).
998
999         Reverted changeset:
1000
1001         "Enable DFG on ARM/Linux again"
1002         https://bugs.webkit.org/show_bug.cgi?id=192496
1003         https://trac.webkit.org/changeset/239825
1004
1005 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1006
1007         Enable DFG on ARM/Linux again
1008         https://bugs.webkit.org/show_bug.cgi?id=192496
1009
1010         Reviewed by Yusuke Suzuki.
1011
1012         Test wasn't really skipped before moving the line with skip
1013         to the top.
1014
1015         * stress/regress-192717.js:
1016
1017 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1018
1019         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1020         https://bugs.webkit.org/show_bug.cgi?id=193127
1021
1022         Reviewed by Saam Barati.
1023
1024         * stress/array-species-create-should-handle-masquerader.js: Added.
1025         (shouldThrow):
1026         * stress/is-undefined-or-null-builtin.js: Added.
1027         (shouldBe):
1028         (isUndefinedOrNull.vm.createBuiltin):
1029
1030 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1031
1032         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1033         https://bugs.webkit.org/show_bug.cgi?id=193221
1034
1035         Reviewed by Mark Lam.
1036
1037         * stress/put-by-id-flags.js: Added.
1038         (f):
1039         (g):
1040         (numberOfDFGCompiles):
1041
1042 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1043
1044         Baseline version of get_by_id may corrupt metadata
1045         https://bugs.webkit.org/show_bug.cgi?id=193085
1046         <rdar://problem/23453006>
1047
1048         Reviewed by Saam Barati.
1049
1050         * stress/get-by-id-change-mode.js: Added.
1051         (forEach):
1052
1053 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1054
1055         [JSC] Optimize Object.prototype.toString
1056         https://bugs.webkit.org/show_bug.cgi?id=193031
1057
1058         Reviewed by Saam Barati.
1059
1060         * stress/object-tostring-changed-proto.js: Added.
1061         (shouldBe):
1062         (test):
1063         * stress/object-tostring-changed.js: Added.
1064         (shouldBe):
1065         (test):
1066         * stress/object-tostring-misc.js: Added.
1067         (shouldBe):
1068         (test):
1069         (i.switch):
1070         * stress/object-tostring-other.js: Added.
1071         (shouldBe):
1072         (test):
1073         * stress/object-tostring-untyped.js: Added.
1074         (shouldBe):
1075         (test):
1076         (i.switch):
1077
1078 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1079
1080         test262-runner misbehaves when test file YAML has a trailing space
1081         https://bugs.webkit.org/show_bug.cgi?id=193053
1082
1083         Reviewed by Yusuke Suzuki.
1084
1085         * test262/expectations.yaml:
1086         Mark two dozen tests as passing (and correct the output of another).
1087
1088 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1089
1090         Unreviewed, JSTests gardening with memoryLimited
1091
1092         * stress/string-overflow-createError.js:
1093
1094 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1095
1096         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1097         https://bugs.webkit.org/show_bug.cgi?id=193050
1098
1099         Reviewed by Yusuke Suzuki.
1100
1101         * test262.yaml:
1102         * test262/expectations.yaml:
1103         Mark 16 tests as passing.
1104
1105 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1106
1107         [BigInt] Support BigInt in JSON.stringify
1108         https://bugs.webkit.org/show_bug.cgi?id=192624
1109
1110         Reviewed by Saam Barati.
1111
1112         * stress/big-int-json-stringify-to-json.js: Added.
1113         (shouldBe):
1114         (shouldThrow):
1115         (BigInt.prototype.toJSON):
1116         (shouldBe.JSON.stringify):
1117         * stress/big-int-json-stringify.js: Added.
1118         (shouldBe):
1119         (shouldThrow):
1120
1121 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1122
1123         [JSC] Implement "well-formed JSON.stringify" proposal
1124         https://bugs.webkit.org/show_bug.cgi?id=191677
1125
1126         Reviewed by Darin Adler.
1127
1128         * stress/json-surrogate-pair.js: Added.
1129         (shouldBe):
1130         * test262/expectations.yaml:
1131
1132 2018-12-20  Keith Miller  <keith_miller@apple.com>
1133
1134         Add support for globalThis
1135         https://bugs.webkit.org/show_bug.cgi?id=165171
1136
1137         Reviewed by Mark Lam.
1138
1139         * test262/config.yaml:
1140
1141 2018-12-19  Keith Miller  <keith_miller@apple.com>
1142
1143         Update test262 configuration to not run tests dependent on ICU version.
1144         https://bugs.webkit.org/show_bug.cgi?id=192920
1145
1146         Reviewed by Saam Barati.
1147
1148         * test262/expectations.yaml:
1149
1150 2018-12-20  Mark Lam  <mark.lam@apple.com>
1151
1152         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1153         https://bugs.webkit.org/show_bug.cgi?id=192939
1154         <rdar://problem/46869516>
1155
1156         Reviewed by Keith Miller.
1157
1158         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1159
1160 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1161
1162         WTF::String and StringImpl overflow MaxLength
1163         https://bugs.webkit.org/show_bug.cgi?id=192853
1164         <rdar://problem/45726906>
1165
1166         Reviewed by Mark Lam.
1167
1168         * stress/string-16bit-repeat-overflow.js: Added.
1169         (catch):
1170
1171 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1172
1173         Unreviewed follow-up to r192914.
1174
1175         * test262/expectations.yaml:
1176         Add the last 20 missing expectations.
1177
1178 2018-12-19  Keith Miller  <keith_miller@apple.com>
1179
1180         Fix test262 expectations
1181         https://bugs.webkit.org/show_bug.cgi?id=192914
1182
1183         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1184
1185         * test262/expectations.yaml:
1186
1187 2018-12-19  Keith Miller  <keith_miller@apple.com>
1188
1189         Update test262 tests.
1190         https://bugs.webkit.org/show_bug.cgi?id=192907
1191
1192         Rubber stamped by Mark Lam.
1193
1194         * test262/*: Omitted because prepare-changelog crashes.
1195
1196 2018-12-19  Mark Lam  <mark.lam@apple.com>
1197
1198         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1199         https://bugs.webkit.org/show_bug.cgi?id=192464
1200         <rdar://problem/46519455>
1201
1202         Reviewed by Saam Barati.
1203
1204         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1205         microbenchmark.
1206
1207         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1208         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1209
1210 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1211
1212         String overflow in JSC::createError results in ASSERT in WTF::makeString
1213         https://bugs.webkit.org/show_bug.cgi?id=192833
1214         <rdar://problem/45706868>
1215
1216         Reviewed by Mark Lam.
1217
1218         * stress/string-overflow-createError.js: Added.
1219
1220 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1221
1222         Error message for `-x ** y` contains a typo.
1223         https://bugs.webkit.org/show_bug.cgi?id=192832
1224
1225         Reviewed by Saam Barati.
1226
1227         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1228         (assert.assert.return.throws):
1229         * stress/pow-expects-update-expression-on-lhs.js:
1230         (throw.new.Error):
1231         Update test expectations which match against the exact error message.
1232
1233 2018-12-18  Mark Lam  <mark.lam@apple.com>
1234
1235         Gardening: test options fix.
1236         https://bugs.webkit.org/show_bug.cgi?id=192822
1237
1238         Unreviewed.
1239
1240         * stress/json-stringify-string-builder-overflow.js:
1241
1242 2018-12-18  Mark Lam  <mark.lam@apple.com>
1243
1244         JSON.stringify() should throw OOM on StringBuilder overflows.
1245         https://bugs.webkit.org/show_bug.cgi?id=192822
1246         <rdar://problem/46670577>
1247
1248         Reviewed by Saam Barati.
1249
1250         * stress/json-stringify-string-builder-overflow.js: Added.
1251
1252 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1253
1254         Redeclaration of var over let/const/class should be a syntax error.
1255         https://bugs.webkit.org/show_bug.cgi?id=192298
1256
1257         Reviewed by Keith Miller.
1258
1259         * test262.yaml:
1260         * test262/expectations.yaml:
1261         Mark 46 tests as passing.
1262
1263         * stress/block-scope-redeclarations.js:
1264         Add some new tests.
1265
1266         * stress/for-in-invalidate-context-weird-assignments.js:
1267         * stress/for-in-tests.js:
1268         Replace tests for outdated behavior with tests for SyntaxError.
1269
1270         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1271         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1272         Update expectations.
1273
1274 2018-12-18  Mark Lam  <mark.lam@apple.com>
1275
1276         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1277         https://bugs.webkit.org/show_bug.cgi?id=191374
1278         <rdar://problem/46525447>
1279
1280         Reviewed by Yusuke Suzuki.
1281
1282         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1283
1284         * stress/elidable-new-object-roflcopter-then-exit.js:
1285
1286 2018-12-17  Mark Lam  <mark.lam@apple.com>
1287
1288         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1289         https://bugs.webkit.org/show_bug.cgi?id=192019
1290         <rdar://problem/46525456>
1291
1292         Reviewed by Yusuke Suzuki.
1293
1294         The test runs too slow on 32-bit.
1295
1296         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1297
1298 2018-12-17  Mark Lam  <mark.lam@apple.com>
1299
1300         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1301         https://bugs.webkit.org/show_bug.cgi?id=191373
1302         <rdar://problem/46525458>
1303
1304         Reviewed by Yusuke Suzuki.
1305
1306         The test is already slow running with a JIT on 64-bit.  It will always timeout
1307         on 32-bit without a JIT.
1308
1309         * stress/materialize-regexp-cyclic-regexp.js:
1310
1311 2018-12-17  Mark Lam  <mark.lam@apple.com>
1312
1313         Array unshift/shift should not race against the AI in the compiler thread.
1314         https://bugs.webkit.org/show_bug.cgi?id=192795
1315         <rdar://problem/46724263>
1316
1317         Reviewed by Saam Barati.
1318
1319         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1320
1321 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1322
1323         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1324         https://bugs.webkit.org/show_bug.cgi?id=190047
1325
1326         Reviewed by Saam Barati.
1327
1328         * stress/object-keys-cached-zero.js: Added.
1329         (shouldBe):
1330         (test):
1331         * stress/object-keys-changed-attribute.js: Added.
1332         (shouldBe):
1333         (test):
1334         * stress/object-keys-changed-index.js: Added.
1335         (shouldBe):
1336         (test):
1337         * stress/object-keys-changed.js: Added.
1338         (shouldBe):
1339         (test):
1340         * stress/object-keys-indexed-non-cache.js: Added.
1341         (shouldBe):
1342         (test):
1343         * stress/object-keys-overrides-get-property-names.js: Added.
1344         (shouldBe):
1345         (test):
1346         (noInline):
1347
1348 2018-12-17  Mark Lam  <mark.lam@apple.com>
1349
1350         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1351         https://bugs.webkit.org/show_bug.cgi?id=192779
1352         <rdar://problem/46775869>
1353
1354         Reviewed by Saam Barati.
1355
1356         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1357
1358 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1359
1360         Unreviewed test gardening, address a syntax error in a new test.
1361
1362         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1363
1364 2018-12-17  Mark Lam  <mark.lam@apple.com>
1365
1366         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1367         https://bugs.webkit.org/show_bug.cgi?id=192776
1368         <rdar://problem/46772368>
1369
1370         Reviewed by Keith Miller.
1371
1372         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1373
1374 2018-12-17  Mark Lam  <mark.lam@apple.com>
1375
1376         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1377         https://bugs.webkit.org/show_bug.cgi?id=192770
1378         <rdar://problem/46449037>
1379
1380         Reviewed by Keith Miller.
1381
1382         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1383
1384 2018-12-14  Mark Lam  <mark.lam@apple.com>
1385
1386         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1387         https://bugs.webkit.org/show_bug.cgi?id=192717
1388         <rdar://problem/46660677>
1389
1390         Reviewed by Saam Barati.
1391
1392         * stress/regress-192717.js: Added.
1393
1394 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1395
1396         Unreviewed, rolling out r239153, r239154, and r239155.
1397         https://bugs.webkit.org/show_bug.cgi?id=192715
1398
1399         Caused flaky GC-related crashes seen with layout tests
1400         (Requested by ryanhaddad on #webkit).
1401
1402         Reverted changesets:
1403
1404         "[JSC] Optimize Object.keys by caching own keys results in
1405         StructureRareData"
1406         https://bugs.webkit.org/show_bug.cgi?id=190047
1407         https://trac.webkit.org/changeset/239153
1408
1409         "Unreviewed, build fix after r239153"
1410         https://bugs.webkit.org/show_bug.cgi?id=190047
1411         https://trac.webkit.org/changeset/239154
1412
1413         "Unreviewed, build fix after r239153, part 2"
1414         https://bugs.webkit.org/show_bug.cgi?id=190047
1415         https://trac.webkit.org/changeset/239155
1416
1417 2018-12-14  Keith Miller  <keith_miller@apple.com>
1418
1419         Callers of JSString::getIndex should check for OOM exceptions
1420         https://bugs.webkit.org/show_bug.cgi?id=192709
1421
1422         Reviewed by Mark Lam.
1423
1424         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1425
1426 2018-12-13  Mark Lam  <mark.lam@apple.com>
1427
1428         Add a missing exception check.
1429         https://bugs.webkit.org/show_bug.cgi?id=192626
1430         <rdar://problem/46662163>
1431
1432         Reviewed by Keith Miller.
1433
1434         * stress/regress-192626.js: Added.
1435
1436 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1437
1438         [BigInt] Add ValueDiv into DFG
1439         https://bugs.webkit.org/show_bug.cgi?id=186178
1440
1441         Reviewed by Yusuke Suzuki.
1442
1443         * stress/big-int-div-jit-osr.js: Added.
1444         * stress/big-int-div-jit-untyped.js: Added.
1445         * stress/value-div-fixup-int32-big-int.js: Added.
1446
1447 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1448
1449         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1450         https://bugs.webkit.org/show_bug.cgi?id=190047
1451
1452         Reviewed by Keith Miller.
1453
1454         * stress/object-keys-cached-zero.js: Added.
1455         (shouldBe):
1456         (test):
1457         * stress/object-keys-changed-attribute.js: Added.
1458         (shouldBe):
1459         (test):
1460         * stress/object-keys-changed-index.js: Added.
1461         (shouldBe):
1462         (test):
1463         * stress/object-keys-changed.js: Added.
1464         (shouldBe):
1465         (test):
1466         * stress/object-keys-indexed-non-cache.js: Added.
1467         (shouldBe):
1468         (test):
1469         * stress/object-keys-overrides-get-property-names.js: Added.
1470         (shouldBe):
1471         (test):
1472         (noInline):
1473
1474 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1475
1476         [DFG][FTL] Add NewSymbol
1477         https://bugs.webkit.org/show_bug.cgi?id=192620
1478
1479         Reviewed by Saam Barati.
1480
1481         * microbenchmarks/symbol-creation.js: Added.
1482         (test):
1483         * stress/symbol-description-identity.js: Added.
1484         (shouldBe):
1485         (test):
1486         * stress/symbol-identity.js: Added.
1487         (shouldBe):
1488         (test):
1489         * stress/symbol-with-description-throw-error.js: Added.
1490         (shouldBe):
1491         (shouldThrow):
1492         (test):
1493         (object.toString):
1494
1495 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1496
1497         [BigInt] Implement DFG/FTL typeof for BigInt
1498         https://bugs.webkit.org/show_bug.cgi?id=192619
1499
1500         Reviewed by Keith Miller.
1501
1502         * stress/big-int-boolean-proven-type.js: Added.
1503         (assert):
1504         (bool):
1505         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1506         (assert):
1507         (typeOf):
1508         (i.switch):
1509         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1510         (assert):
1511         (typeOf):
1512         * stress/big-int-type-of.js:
1513         (typeOf):
1514         (func):
1515
1516 2018-12-10  Mark Lam  <mark.lam@apple.com>
1517
1518         PropertyAttribute needs a CustomValue bit.
1519         https://bugs.webkit.org/show_bug.cgi?id=191993
1520         <rdar://problem/46264467>
1521
1522         Reviewed by Saam Barati.
1523
1524         * stress/regress-191993.js: Added.
1525
1526 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1527
1528         [BigInt] Add ValueMul into DFG
1529         https://bugs.webkit.org/show_bug.cgi?id=186175
1530
1531         Reviewed by Yusuke Suzuki.
1532
1533         * stress/big-int-mul-jit-osr.js: Added.
1534         * stress/big-int-mul-jit-untyped.js: Added.
1535         * stress/value-mul-fixup-int32-big-int.js: Added.
1536
1537 2018-12-06  Keith Miller  <keith_miller@apple.com>
1538
1539         stress/big-wasm-memory tests failing on 32-bit JSC bot
1540         https://bugs.webkit.org/show_bug.cgi?id=192020
1541
1542         Reviewed by Saam Barati.
1543
1544         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1545         the wasm stress tests if the WebAssembly object does not exist.
1546
1547         * stress/big-wasm-memory-grow-no-max.js:
1548         (test.foo):
1549         (test):
1550         (foo): Deleted.
1551         (catch): Deleted.
1552         * stress/big-wasm-memory-grow.js:
1553         (test.foo):
1554         (test):
1555         (foo): Deleted.
1556         (catch): Deleted.
1557         * stress/big-wasm-memory.js:
1558         (test.foo):
1559         (test):
1560         (foo): Deleted.
1561         (catch): Deleted.
1562
1563 2018-12-05  Mark Lam  <mark.lam@apple.com>
1564
1565         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1566         https://bugs.webkit.org/show_bug.cgi?id=192441
1567         <rdar://problem/46480355>
1568
1569         Reviewed by Saam Barati.
1570
1571         * stress/regress-192441.js: Added.
1572
1573 2018-12-04  Mark Lam  <mark.lam@apple.com>
1574
1575         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1576         https://bugs.webkit.org/show_bug.cgi?id=192386
1577         <rdar://problem/46445516>
1578
1579         Reviewed by Saam Barati.
1580
1581         * stress/regress-192386.js: Added.
1582
1583 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1584
1585         [ESNext][BigInt] Support logic operations
1586         https://bugs.webkit.org/show_bug.cgi?id=179903
1587
1588         Reviewed by Yusuke Suzuki.
1589
1590         * stress/big-int-branch-usage.js: Added.
1591         * stress/big-int-logical-and.js: Added.
1592         * stress/big-int-logical-not.js: Added.
1593         * stress/big-int-logical-or.js: Added.
1594
1595 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1596
1597         Unreviewed, rolling out r238833.
1598
1599         Breaks macOS and iOS debug builds.
1600
1601         Reverted changeset:
1602
1603         "[ESNext][BigInt] Support logic operations"
1604         https://bugs.webkit.org/show_bug.cgi?id=179903
1605         https://trac.webkit.org/changeset/238833
1606
1607 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1608
1609         [ESNext][BigInt] Support logic operations
1610         https://bugs.webkit.org/show_bug.cgi?id=179903
1611
1612         Reviewed by Yusuke Suzuki.
1613
1614         * stress/big-int-branch-usage.js: Added.
1615         * stress/big-int-logical-and.js: Added.
1616         * stress/big-int-logical-not.js: Added.
1617         * stress/big-int-logical-or.js: Added.
1618
1619 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1620
1621         [ESNext][BigInt] Implement support for "<<" and ">>"
1622         https://bugs.webkit.org/show_bug.cgi?id=186233
1623
1624         Reviewed by Yusuke Suzuki.
1625
1626         * stress/big-int-left-shift-general.js: Added.
1627         * stress/big-int-left-shift-range-error.js: Added.
1628         * stress/big-int-left-shift-type-error.js: Added.
1629         * stress/big-int-left-shift-wrapped-value.js: Added.
1630         * stress/big-int-right-shift-general.js: Added.
1631         * stress/big-int-right-shift-type-error.js: Added.
1632         * stress/big-int-right-shift-wrapped-value.js: Added.
1633         * stress/left-shift-to-primitive-precedence.js: Added.
1634         * stress/right-shift-to-primitive-precedence.js: Added.
1635
1636 2018-11-30  Dean Jackson  <dino@apple.com>
1637
1638         Add first-class support for .mjs files in jsc binary
1639         https://bugs.webkit.org/show_bug.cgi?id=192190
1640         <rdar://problem/46375715>
1641
1642         Reviewed by Keith Miller.
1643
1644         * stress/simple-module.mjs: Added.
1645         * stress/simple-script.js: Added.
1646
1647 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1648
1649         [BigInt] Implement ValueBitXor into DFG
1650         https://bugs.webkit.org/show_bug.cgi?id=190264
1651
1652         Reviewed by Yusuke Suzuki.
1653
1654         * stress/big-int-bitwise-xor-jit.js: Added.
1655         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1656         * stress/big-int-bitwise-xor-untyped.js: Added.
1657
1658 2018-11-27  Saam barati  <sbarati@apple.com>
1659
1660         r238510 broke scopes of size zero
1661         https://bugs.webkit.org/show_bug.cgi?id=192033
1662         <rdar://problem/46281734>
1663
1664         Reviewed by Keith Miller.
1665
1666         * stress/r238510-bad-loop.js: Added.
1667         (foo):
1668
1669 2018-11-27  Mark Lam  <mark.lam@apple.com>
1670
1671         [Re-landing] NaNs read from Wasm code needs to be be purified.
1672         https://bugs.webkit.org/show_bug.cgi?id=191056
1673         <rdar://problem/45660341>
1674
1675         Reviewed by Filip Pizlo.
1676
1677         * wasm/regress/regress-191056.js: Added.
1678
1679 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1680
1681         Unreviewed, rolling out r238509.
1682
1683         Causes JSC tests to fail on iOS.
1684
1685         Reverted changeset:
1686
1687         "NaNs read from Wasm code needs to be be purified."
1688         https://bugs.webkit.org/show_bug.cgi?id=191056
1689         https://trac.webkit.org/changeset/238509
1690
1691 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1692
1693         Re-introduce op_bitnot
1694         https://bugs.webkit.org/show_bug.cgi?id=190923
1695
1696         Reviewed by Yusuke Suzuki.
1697
1698         * stress/bit-not-must-generate.js: Added.
1699         * stress/bitwise-not-no-int32.js: Added.
1700
1701 2018-11-26  Saam barati  <sbarati@apple.com>
1702
1703         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1704         https://bugs.webkit.org/show_bug.cgi?id=191956
1705         <rdar://problem/45665806>
1706
1707         Reviewed by Yusuke Suzuki.
1708
1709         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1710         (bar):
1711         (foo):
1712
1713 2018-11-26  Saam barati  <sbarati@apple.com>
1714
1715         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1716         https://bugs.webkit.org/show_bug.cgi?id=191958
1717         <rdar://problem/46221877>
1718
1719         Reviewed by Yusuke Suzuki.
1720
1721         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1722         (x):
1723         (foo):
1724
1725 2018-11-26  Mark Lam  <mark.lam@apple.com>
1726
1727         NaNs read from Wasm code needs to be be purified.
1728         https://bugs.webkit.org/show_bug.cgi?id=191056
1729         <rdar://problem/45660341>
1730
1731         Reviewed by Filip Pizlo.
1732
1733         * wasm/regress/regress-191056.js: Added.
1734
1735 2018-11-26  Michael Saboff  <msaboff@apple.com>
1736
1737         32-bit JSC test failure: stress/regexp-compile-oom.js
1738         https://bugs.webkit.org/show_bug.cgi?id=191375
1739
1740         Reviewed by Mark Lam.
1741
1742         Disabled the test for 32 bit platforms.
1743
1744         * stress/regexp-compile-oom.js:
1745
1746 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1747
1748         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1749         https://bugs.webkit.org/show_bug.cgi?id=191716
1750         <rdar://problem/45723878>
1751
1752         Reviewed by Saam Barati.
1753
1754         * stress/regress-187373.js: Added.
1755         (async.fn):
1756
1757 2018-11-21  Saam barati  <sbarati@apple.com>
1758
1759         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1760         https://bugs.webkit.org/show_bug.cgi?id=191897
1761         <rdar://problem/45871998>
1762
1763         Reviewed by Mark Lam.
1764
1765         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1766         (bar):
1767         (foo):
1768
1769 2018-11-21  Saam barati  <sbarati@apple.com>
1770
1771         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1772         https://bugs.webkit.org/show_bug.cgi?id=191895
1773         <rdar://problem/46167406>
1774
1775         Reviewed by Mark Lam.
1776
1777         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1778         (foo):
1779         (bar):
1780
1781 2018-11-21  Mark Lam  <mark.lam@apple.com>
1782
1783         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1784         https://bugs.webkit.org/show_bug.cgi?id=191776
1785         <rdar://problem/46152851>
1786
1787         Reviewed by Saam Barati.
1788
1789         * stress/big-wasm-memory-grow-no-max.js:
1790         * stress/big-wasm-memory-grow.js:
1791         * stress/big-wasm-memory.js:
1792         - updated these to expect an OutOfMemoryError.
1793
1794         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1795         (Binary.prototype.emit_u8):
1796         (Binary.prototype.emit_u32v):
1797         (Binary.prototype.emit_header):
1798         (Binary.prototype.emit_section):
1799         (Binary):
1800         (WasmModuleBuilder):
1801         (WasmModuleBuilder.prototype.addMemory):
1802         (WasmModuleBuilder.prototype.toArray):
1803         (WasmModuleBuilder.prototype.toBuffer):
1804         (WasmModuleBuilder.prototype.instantiate):
1805         (catch):
1806         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1807         (catch):
1808
1809 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1810
1811         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1812         https://bugs.webkit.org/show_bug.cgi?id=190836
1813
1814         Reviewed by Saam Barati and Yusuke Suzuki.
1815
1816         * stress/big-int-out-of-memory-tests.js: Added.
1817
1818 2018-11-20  Mark Lam  <mark.lam@apple.com>
1819
1820         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1821         https://bugs.webkit.org/show_bug.cgi?id=191856
1822         <rdar://problem/46089992>
1823
1824         Reviewed by Yusuke Suzuki.
1825
1826         * stress/regress-191856.js: Added.
1827         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1828
1829 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1830
1831         Enable JIT on ARM/Linux
1832         https://bugs.webkit.org/show_bug.cgi?id=191548
1833
1834         Reviewed by Yusuke Suzuki.
1835
1836         Disable test on system with limited memory. Program was killed by
1837         the OS before the exception was thrown.
1838
1839         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1840
1841 2018-11-20  Saam barati  <sbarati@apple.com>
1842
1843         Merging an IC variant may lead to the IC status containing overlapping structure sets
1844         https://bugs.webkit.org/show_bug.cgi?id=191869
1845         <rdar://problem/45403453>
1846
1847         Reviewed by Mark Lam.
1848
1849         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1850
1851 2018-11-19  Mark Lam  <mark.lam@apple.com>
1852
1853         globalFuncImportModule() should return a promise when it clears exceptions.
1854         https://bugs.webkit.org/show_bug.cgi?id=191792
1855         <rdar://problem/46090763>
1856
1857         Reviewed by Michael Saboff.
1858
1859         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1860
1861 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1862
1863         Skip new memory-hungry tests on memory limited devices
1864
1865         Unreviewed gardening.
1866
1867         * stress/big-wasm-memory-grow-no-max.js:
1868         * stress/big-wasm-memory-grow.js:
1869         * stress/big-wasm-memory.js:
1870
1871 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1872
1873         Unreviewed, rolling in the rest of r237254
1874         https://bugs.webkit.org/show_bug.cgi?id=190340
1875
1876         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1877         * stress/function-cache-with-parameters-end-position.js: Added.
1878         (shouldBe):
1879         (shouldThrow):
1880         (i.anonymous):
1881         * stress/function-constructor-name.js: Added.
1882         (shouldBe):
1883         (GeneratorFunction):
1884         (AsyncFunction.async):
1885         (AsyncGeneratorFunction.async):
1886         (anonymous):
1887         (async.anonymous):
1888         * test262/expectations.yaml:
1889
1890 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1891
1892         All users of ArrayBuffer should agree on the same max size
1893         https://bugs.webkit.org/show_bug.cgi?id=191771
1894
1895         Reviewed by Mark Lam.
1896
1897         * stress/big-wasm-memory-grow-no-max.js: Added.
1898         (foo):
1899         (catch):
1900         * stress/big-wasm-memory-grow.js: Added.
1901         (foo):
1902         (catch):
1903         * stress/big-wasm-memory.js: Added.
1904         (foo):
1905         (catch):
1906
1907 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1908
1909         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1910         run for each JSC config since they're regression tests for runtime bugs.
1911
1912         * stress/json-stringified-overflow-2.js:
1913         * stress/json-stringified-overflow.js:
1914
1915 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1916
1917         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1918         config since they're regression tests for runtime bugs.
1919
1920         * stress/large-unshift-splice.js:
1921         * stress/regress-185888.js:
1922
1923 2018-11-16  Saam Barati  <sbarati@apple.com>
1924
1925         KnownCellUse should also have SpecCellCheck as its type filter
1926         https://bugs.webkit.org/show_bug.cgi?id=191729
1927         <rdar://problem/45872852>
1928
1929         Reviewed by Filip Pizlo.
1930
1931         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1932         (C):
1933
1934 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1935
1936         Fix assertion failure on BytecodeGenerator::recordOpcode
1937         https://bugs.webkit.org/show_bug.cgi?id=191724
1938         <rdar://problem/45724395>
1939
1940         Reviewed by Saam Barati.
1941
1942         * stress/regress-187373-2.js: Added.
1943         (foo):
1944
1945 2018-11-15  Mark Lam  <mark.lam@apple.com>
1946
1947         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1948         https://bugs.webkit.org/show_bug.cgi?id=191730
1949         <rdar://problem/46048517>
1950
1951         Reviewed by Saam Barati.
1952
1953         * stress/regress-187006.js: Removed.
1954           - this test is invalid because its sole purpose is to test for the non-spec
1955             compliant behavior that we just fixed.
1956
1957         * stress/regress-191730.js: Added.
1958
1959 2018-11-15  Mark Lam  <mark.lam@apple.com>
1960
1961         RegExp operations should not take fast patch if lastIndex is not numeric.
1962         https://bugs.webkit.org/show_bug.cgi?id=191731
1963         <rdar://problem/46017305>
1964
1965         Reviewed by Saam Barati.
1966
1967         * stress/regress-191731.js: Added.
1968
1969 2018-11-13  Saam Barati  <sbarati@apple.com>
1970
1971         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1972         https://bugs.webkit.org/show_bug.cgi?id=191600
1973
1974         Reviewed by Mark Lam.
1975
1976         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1977         (foo):
1978         (test):
1979         (bar):
1980
1981 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1982
1983         Unreviewed, rolling out r238132.
1984
1985         The test added with this change is timing out on Debug JSC
1986         bots.
1987
1988         Reverted changeset:
1989
1990         "[BigInt] JSBigInt::createWithLength should throw when length
1991         is greater than JSBigInt::maxLength"
1992         https://bugs.webkit.org/show_bug.cgi?id=190836
1993         https://trac.webkit.org/changeset/238132
1994
1995 2018-11-13  Mark Lam  <mark.lam@apple.com>
1996
1997         Add OOM detection to StringPrototype's substituteBackreferences().
1998         https://bugs.webkit.org/show_bug.cgi?id=191563
1999         <rdar://problem/45720428>
2000
2001         Reviewed by Saam Barati.
2002
2003         * stress/regress-191563.js: Added.
2004
2005 2018-11-13  Mark Lam  <mark.lam@apple.com>
2006
2007         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2008         https://bugs.webkit.org/show_bug.cgi?id=191579
2009         <rdar://problem/45942472>
2010
2011         Reviewed by Saam Barati.
2012
2013         * stress/regress-191579.js: Added.
2014
2015 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2016
2017         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2018         https://bugs.webkit.org/show_bug.cgi?id=190836
2019
2020         Reviewed by Saam Barati.
2021
2022         * stress/big-int-out-of-memory-tests.js: Added.
2023
2024 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2025
2026         U+180E is no longer a whitespace character
2027         https://bugs.webkit.org/show_bug.cgi?id=191415
2028
2029         Reviewed by Saam Barati.
2030
2031         * ChakraCore/test/es5/regexSpace.baseline:
2032         * ChakraCore/test/es6/unicode_whitespace.js:
2033         Update tests to latest version.
2034         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2035
2036         * test262.yaml:
2037         * test262/config.yaml:
2038         * test262/expectations.yaml:
2039         Update expectations.
2040
2041 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2042
2043         [BigInt] Add support to BigInt into ValueAdd
2044         https://bugs.webkit.org/show_bug.cgi?id=186177
2045
2046         Reviewed by Keith Miller.
2047
2048         * stress/big-int-negate-jit.js:
2049         * stress/value-add-big-int-and-string.js: Added.
2050         * stress/value-add-big-int-prediction-propagation.js: Added.
2051         * stress/value-add-big-int-untyped.js: Added.
2052
2053 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2054
2055         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2056         https://bugs.webkit.org/show_bug.cgi?id=191184
2057
2058         Reviewed by Saam Barati.
2059
2060         Most tests were failing due to timeouts, since they are too slow to
2061         run on CLoop. The exceptions are:
2062
2063         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2064         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2065         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2066         to change the stack size since CLoop requires it to be page aligned.
2067
2068         * microbenchmarks/array-push-1.js:
2069         * microbenchmarks/array-push-2.js:
2070         * microbenchmarks/elidable-new-object-dag.js:
2071         * microbenchmarks/elidable-new-object-roflcopter.js:
2072         * microbenchmarks/elidable-new-object-tree.js:
2073         * microbenchmarks/getter-richards.js:
2074         * microbenchmarks/sinkable-new-object-dag.js:
2075         * microbenchmarks/string-concat-long-convert.js:
2076         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2077         * slowMicrobenchmarks/array-push-3.js:
2078         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2079         * slowMicrobenchmarks/spread-small-array.js:
2080         * slowMicrobenchmarks/undefined-property-access.js:
2081         * stress/activation-sink-default-value-tdz-error.js:
2082         * stress/activation-sink-default-value.js:
2083         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2084         * stress/activation-sink-osrexit-default-value.js:
2085         * stress/activation-sink-osrexit.js:
2086         * stress/activation-sink.js:
2087         * stress/allow-math-ic-b3-code-duplication.js:
2088         * stress/array-push-multiple-int32.js:
2089         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2090         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2091         * stress/arrowfunction-lexical-this-activation-sink.js:
2092         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2093         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2094         * stress/elide-new-object-dag-then-exit.js:
2095         * stress/materialize-regexp-cyclic.js:
2096         * stress/new-regex-inline.js:
2097         * stress/op_add.js:
2098         * stress/op_bitand.js:
2099         * stress/op_bitor.js:
2100         * stress/op_bitxor.js:
2101         * stress/op_div-ConstVar.js:
2102         * stress/op_div-VarConst.js:
2103         * stress/op_div-VarVar.js:
2104         * stress/op_lshift-ConstVar.js:
2105         * stress/op_lshift-VarConst.js:
2106         * stress/op_lshift-VarVar.js:
2107         * stress/op_mod-ConstVar.js:
2108         * stress/op_mod-VarConst.js:
2109         * stress/op_mod-VarVar.js:
2110         * stress/op_mul-ConstVar.js:
2111         * stress/op_mul-VarConst.js:
2112         * stress/op_mul-VarVar.js:
2113         * stress/op_rshift-ConstVar.js:
2114         * stress/op_rshift-VarConst.js:
2115         * stress/op_rshift-VarVar.js:
2116         * stress/op_sub-ConstVar.js:
2117         * stress/op_sub-VarConst.js:
2118         * stress/op_sub-VarVar.js:
2119         * stress/op_urshift-ConstVar.js:
2120         * stress/op_urshift-VarConst.js:
2121         * stress/op_urshift-VarVar.js:
2122         * stress/proxy-get-set-correct-receiver.js:
2123         * stress/regress-179562.js:
2124         * stress/rest-parameter-many-arguments.js:
2125         * stress/sampling-profiler-richards.js:
2126         * stress/splay-flash-access-1ms.js:
2127         * stress/tailCallForwardArguments.js:
2128         * stress/typed-array-get-by-val-profiling.js:
2129         * typeProfiler/getter-richards.js:
2130
2131 2018-11-06  Michael Saboff  <msaboff@apple.com>
2132
2133         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2134         https://bugs.webkit.org/show_bug.cgi?id=191271
2135
2136         Reviewed by Saam Barati.
2137
2138         Added more test cases and made all test cases run with the same deeply recursive stack
2139         instead of finding that same point for each test case.
2140
2141         * stress/regexp-compile-oom.js:
2142         (prototype.runTest):
2143         (recurseAndTest):
2144         (testList.push.new.TestAndExpectedException):
2145
2146 2018-11-05  Michael Saboff  <msaboff@apple.com>
2147
2148         Unreviewed build fix for linux.
2149
2150         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2151
2152 2018-11-02  Michael Saboff  <msaboff@apple.com>
2153
2154         Rolling in r237753 with unreviewed build fix.
2155
2156         Fixed issues with DECLARE_THROW_SCOPE placement.
2157
2158 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2159
2160         Unreviewed, rolling out r237753.
2161
2162         Introduced JSC test failures
2163
2164         Reverted changeset:
2165
2166         "Running out of stack space not properly handled in
2167         RegExp::compile() and its callers"
2168         https://bugs.webkit.org/show_bug.cgi?id=191206
2169         https://trac.webkit.org/changeset/237753
2170
2171 2018-11-02  Michael Saboff  <msaboff@apple.com>
2172
2173         Running out of stack space not properly handled in RegExp::compile() and its callers
2174         https://bugs.webkit.org/show_bug.cgi?id=191206
2175
2176         Reviewed by Filip Pizlo.
2177
2178         New regression test.
2179
2180         * stress/regexp-compile-oom.js: Added.
2181         (recurseAndTest):
2182
2183 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2184
2185         Skip tests on arm/mips that time out now we're running on CLoop
2186
2187         Unreviewed gardening.
2188
2189         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2190         time out on the bots and need to be disabled. There's more tests
2191         disabled on arm because the timeout is longer on the mips bot (as the
2192         device is slower to start with), so many of the tests don't time out
2193         there.
2194
2195         * microbenchmarks/getter-richards.js: disable on arm and mips.
2196         * stress/op_add.js: disable on arm.
2197         * stress/op_bitand.js: disable on arm.
2198         * stress/op_bitor.js: disable on arm.
2199         * stress/op_bitxor.js: disable on arm.
2200         * stress/op_lshift-ConstVar.js: disable on arm.
2201         * stress/op_lshift-VarConst.js: disable on arm.
2202         * stress/op_lshift-VarVar.js: disable on arm.
2203         * stress/op_mod-ConstVar.js: disable on arm.
2204         * stress/op_mod-VarConst.js: disable on arm.
2205         * stress/op_mod-VarVar.js: disable on arm.
2206         * stress/op_mul-ConstVar.js: disable on arm.
2207         * stress/op_mul-VarConst.js: disable on arm.
2208         * stress/op_mul-VarVar.js: disable on arm.
2209         * stress/op_rshift-ConstVar.js: disable on arm.
2210         * stress/op_rshift-VarConst.js: disable on arm.
2211         * stress/op_rshift-VarVar.js: disable on arm.
2212         * stress/op_sub-ConstVar.js: disable on arm.
2213         * stress/op_sub-VarConst.js: disable on arm.
2214         * stress/op_sub-VarVar.js: disable on arm.
2215         * stress/op_urshift-ConstVar.js: disable on arm.
2216         * stress/op_urshift-VarConst.js: disable on arm.
2217         * stress/op_urshift-VarVar.js: disable on arm.
2218         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2219         * stress/value-to-boolean.js: disable on arm and mips.
2220
2221 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2222
2223         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2224         https://bugs.webkit.org/show_bug.cgi?id=191108
2225         <rdar://problem/45690700>
2226
2227         Reviewed by Saam Barati.
2228
2229         * stress/wide-op_catch.js: Added.
2230         (catch):
2231
2232 2018-10-29  Mark Lam  <mark.lam@apple.com>
2233
2234         Correctly detect string overflow when using the 'Function' constructor.
2235         https://bugs.webkit.org/show_bug.cgi?id=184883
2236         <rdar://problem/36320331>
2237
2238         Reviewed by Saam Barati.
2239
2240         I've verified that this passes on 32-bit as well.
2241
2242         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2243
2244 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2245
2246         Add support for GetStack FlushedDouble
2247         https://bugs.webkit.org/show_bug.cgi?id=191012
2248         <rdar://problem/45265141>
2249
2250         Reviewed by Saam Barati.
2251
2252         * stress/get-stack-double.js: Added.
2253         (bar):
2254         (noInline):
2255
2256 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2257
2258         New bytecode format for JSC
2259         https://bugs.webkit.org/show_bug.cgi?id=187373
2260         <rdar://problem/44186758>
2261
2262         Reviewed by Filip Pizlo.
2263
2264         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2265
2266         * stress/maximum-inline-capacity.js: Added.
2267         (test1):
2268         (test3.Foo):
2269         (test3):
2270
2271 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2272
2273         Unreviewed, rolling out r237479 and r237484.
2274         https://bugs.webkit.org/show_bug.cgi?id=190978
2275
2276         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2277
2278         Reverted changesets:
2279
2280         "New bytecode format for JSC"
2281         https://bugs.webkit.org/show_bug.cgi?id=187373
2282         https://trac.webkit.org/changeset/237479
2283
2284         "Gardening: Build fix after r237479."
2285         https://bugs.webkit.org/show_bug.cgi?id=187373
2286         https://trac.webkit.org/changeset/237484
2287
2288 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2289
2290         New bytecode format for JSC
2291         https://bugs.webkit.org/show_bug.cgi?id=187373
2292         <rdar://problem/44186758>
2293
2294         Reviewed by Filip Pizlo.
2295
2296         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2297
2298         * stress/maximum-inline-capacity.js: Added.
2299         (test1):
2300         (test3.Foo):
2301         (test3):
2302
2303 2018-10-26  Mark Lam  <mark.lam@apple.com>
2304
2305         Fix missing edge cases with JSGlobalObjects having a bad time.
2306         https://bugs.webkit.org/show_bug.cgi?id=189028
2307         <rdar://problem/45204939>
2308
2309         Reviewed by Saam Barati.
2310
2311         * stress/regress-189028.js: Added.
2312
2313 2018-10-22  Mark Lam  <mark.lam@apple.com>
2314
2315         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2316         https://bugs.webkit.org/show_bug.cgi?id=190515
2317         <rdar://problem/45222379>
2318
2319         Rubber-stamped by Saam Barati.
2320
2321         Adding another test.
2322
2323         * stress/regress-190515-2.js: Added.
2324
2325 2018-10-22  Mark Lam  <mark.lam@apple.com>
2326
2327         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2328         https://bugs.webkit.org/show_bug.cgi?id=190515
2329         <rdar://problem/45222379>
2330
2331         Reviewed by Saam Barati.
2332
2333         * stress/regress-190515.js: Added.
2334
2335 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2336
2337         Unreviewed, rolling out r237254.
2338         https://bugs.webkit.org/show_bug.cgi?id=190760
2339
2340         "It regresses JetStream 2 by 5% on some iOS devices"
2341         (Requested by saamyjoon on #webkit).
2342
2343         Reverted changeset:
2344
2345         "[JSC] JSC should have "parseFunction" to optimize Function
2346         constructor"
2347         https://bugs.webkit.org/show_bug.cgi?id=190340
2348         https://trac.webkit.org/changeset/237254
2349
2350 2018-10-19  Saam Barati  <sbarati@apple.com>
2351
2352         vmCall should check if we exit before emitting an OSR exit due to exceptions
2353         https://bugs.webkit.org/show_bug.cgi?id=190740
2354         <rdar://problem/45220139>
2355
2356         Reviewed by Mark Lam.
2357
2358         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2359         (foo):
2360
2361 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2362
2363         [ESNext][BigInt] Implement support for "^"
2364         https://bugs.webkit.org/show_bug.cgi?id=186235
2365
2366         Reviewed by Yusuke Suzuki.
2367
2368         * stress/big-int-bitwise-xor-general.js: Added.
2369         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2370         * stress/big-int-bitwise-xor-type-error.js: Added.
2371         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2372
2373 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2374
2375         [BigInt] Add ValueSub into DFG
2376         https://bugs.webkit.org/show_bug.cgi?id=186176
2377
2378         Reviewed by Yusuke Suzuki.
2379
2380         * stress/big-int-subtraction-jit.js:
2381         * stress/value-sub-big-int-prediction-propagation.js: Added.
2382         * stress/value-sub-big-int-untyped.js: Added.
2383         * stress/value-sub-spec-none-case.js: Added.
2384
2385 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2386
2387         [JSC] JSC should have "parseFunction" to optimize Function constructor
2388         https://bugs.webkit.org/show_bug.cgi?id=190340
2389
2390         Reviewed by Mark Lam.
2391
2392         This patch fixes the line number of syntax errors raised by the Function constructor,
2393         since we now parse the final code only once. And we no longer use block statement
2394         for Function constructor's parsing.
2395
2396         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2397         * stress/function-cache-with-parameters-end-position.js: Added.
2398         (shouldBe):
2399         (shouldThrow):
2400         (i.anonymous):
2401         * stress/function-constructor-name.js: Added.
2402         (shouldBe):
2403         (GeneratorFunction):
2404         (AsyncFunction.async):
2405         (AsyncGeneratorFunction.async):
2406         (anonymous):
2407         (async.anonymous):
2408         * test262/expectations.yaml:
2409
2410 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2411
2412         Unreviewed, rolling out r237242.
2413         https://bugs.webkit.org/show_bug.cgi?id=190701
2414
2415         it breaks "stress/sampling-profiler-basic.js" (Requested by
2416         caiolima on #webkit).
2417
2418         Reverted changeset:
2419
2420         "[BigInt] Add ValueSub into DFG"
2421         https://bugs.webkit.org/show_bug.cgi?id=186176
2422         https://trac.webkit.org/changeset/237242
2423
2424 2018-10-17  Keith Miller  <keith_miller@apple.com>
2425
2426         AI does not clear Phantom allocation nodes.
2427         https://bugs.webkit.org/show_bug.cgi?id=190694
2428
2429         Reviewed by Saam Barati.
2430
2431         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2432         (Day):
2433         (DaysInYear):
2434         (TimeInYear):
2435         (TimeFromYear):
2436         (DayFromYear):
2437         (InLeapYear):
2438         (YearFromTime):
2439         (WeekDay):
2440         (DaylightSavingTA):
2441         (GetSecondSundayInMarch):
2442         (TimeInMonth):
2443
2444 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2445
2446         [BigInt] Add ValueSub into DFG
2447         https://bugs.webkit.org/show_bug.cgi?id=186176
2448
2449         Reviewed by Yusuke Suzuki.
2450
2451         * stress/big-int-subtraction-jit.js:
2452         * stress/value-sub-big-int-prediction-propagation.js: Added.
2453         * stress/value-sub-big-int-untyped.js: Added.
2454
2455 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2456
2457         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2458         https://bugs.webkit.org/show_bug.cgi?id=190611
2459
2460         Reviewed by Saam Barati.
2461
2462         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2463         to improve test runtime. On ARM/MIPS this test even timed out when running all
2464         tests.
2465
2466         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2467         (test):
2468
2469 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2470
2471         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2472
2473         Unreviewed gardening.
2474
2475         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2476
2477 2018-10-15  Saam barati  <sbarati@apple.com>
2478
2479         Emit fjcvtzs on ARM64E on Darwin
2480         https://bugs.webkit.org/show_bug.cgi?id=184023
2481
2482         Reviewed by Yusuke Suzuki and Filip Pizlo.
2483
2484         * stress/double-to-int32-NaN.js: Added.
2485         (assert):
2486         (foo):
2487
2488 2018-10-15  Saam Barati  <sbarati@apple.com>
2489
2490         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2491         https://bugs.webkit.org/show_bug.cgi?id=190262
2492         <rdar://problem/44986241>
2493
2494         Reviewed by Mark Lam.
2495
2496         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2497         (test):
2498         * stress/slice-array-storage-with-holes.js: Added.
2499         (main):
2500
2501 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2502
2503         Unreviewed, rolling out r237054.
2504         https://bugs.webkit.org/show_bug.cgi?id=190593
2505
2506         "this regressed JetStream 2 by 6% on iOS" (Requested by
2507         saamyjoon on #webkit).
2508
2509         Reverted changeset:
2510
2511         "[JSC] JSC should have "parseFunction" to optimize Function
2512         constructor"
2513         https://bugs.webkit.org/show_bug.cgi?id=190340
2514         https://trac.webkit.org/changeset/237054
2515
2516 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2517
2518         [JSC] JSON.stringify can accept call-with-no-arguments
2519         https://bugs.webkit.org/show_bug.cgi?id=190343
2520
2521         Reviewed by Mark Lam.
2522
2523         * stress/json-stringify-no-arguments.js: Added.
2524         (shouldBe):
2525
2526 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2527
2528         [JSC] JSC should have "parseFunction" to optimize Function constructor
2529         https://bugs.webkit.org/show_bug.cgi?id=190340
2530
2531         Reviewed by Mark Lam.
2532
2533         This patch fixes the line number of syntax errors raised by the Function constructor,
2534         since we now parse the final code only once. And we no longer use block statement
2535         for Function constructor's parsing.
2536
2537         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2538         * stress/function-cache-with-parameters-end-position.js: Added.
2539         (shouldBe):
2540         (shouldThrow):
2541         (i.anonymous):
2542         * stress/function-constructor-name.js: Added.
2543         (shouldBe):
2544         (GeneratorFunction):
2545         (AsyncFunction.async):
2546         (AsyncGeneratorFunction.async):
2547         (anonymous):
2548         (async.anonymous):
2549         * test262/expectations.yaml:
2550
2551 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2552
2553         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2554         https://bugs.webkit.org/show_bug.cgi?id=190426
2555
2556         Unreviewed gardening.
2557
2558         * stress/sampling-profiler-richards.js:
2559
2560 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2561
2562         [ESNext][BigInt] Implement support for "|"
2563         https://bugs.webkit.org/show_bug.cgi?id=186229
2564
2565         Reviewed by Yusuke Suzuki.
2566
2567         * stress/big-int-bitwise-and-jit.js:
2568         * stress/big-int-bitwise-or-general.js: Added.
2569         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2570         * stress/big-int-bitwise-or-jit.js: Added.
2571         * stress/big-int-bitwise-or-memory-stress.js: Added.
2572         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2573         * stress/big-int-bitwise-or-type-error.js: Added.
2574         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2575
2576 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2577
2578         Skip test on systems with limited memory
2579         https://bugs.webkit.org/show_bug.cgi?id=190310
2580
2581         Invoking runDefault adds test to runlist, skipping the test in the next
2582         line does not prevent the test from executing. Change order of lines such
2583         that runDefault is only executed if test is not executed.
2584
2585         Reviewed by Mark Lam.
2586
2587         * stress/regress-190187.js:
2588
2589 2018-10-03  Saam barati  <sbarati@apple.com>
2590
2591         lowXYZ in FTLLower should always filter the type of the incoming edge
2592         https://bugs.webkit.org/show_bug.cgi?id=189939
2593         <rdar://problem/44407030>
2594
2595         Reviewed by Michael Saboff.
2596
2597         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2598         (foo):
2599         (test):
2600
2601 2018-10-03  Mark Lam  <mark.lam@apple.com>
2602
2603         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2604         https://bugs.webkit.org/show_bug.cgi?id=190187
2605         <rdar://problem/42512909>
2606
2607         Reviewed by Michael Saboff.
2608
2609         * stress/regress-190187.js: Added.
2610
2611 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2612
2613         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2614         https://bugs.webkit.org/show_bug.cgi?id=190033
2615
2616         Reviewed by Yusuke Suzuki.
2617
2618         * stress/big-int-to-string.js:
2619
2620 2018-10-01  Mark Lam  <mark.lam@apple.com>
2621
2622         Function.toString() should also copy the source code Functions that are class definitions.
2623         https://bugs.webkit.org/show_bug.cgi?id=190186
2624         <rdar://problem/44733360>
2625
2626         Reviewed by Saam Barati.
2627
2628         * stress/regress-190186.js: Added.
2629
2630 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2631
2632         Split NaN-check into separate test
2633         https://bugs.webkit.org/show_bug.cgi?id=190010
2634
2635         Reviewed by Saam Barati.
2636
2637         DataView exposes NaN-representation, which is not necessarily the same on each
2638         architecture. Therefore move the check of the NaN-representation into its own
2639         file such that we can disable this test on MIPS where NaN-representation can be
2640         different on older CPUs.
2641
2642         * stress/dataview-jit-set-nan.js: Added.
2643         (assert):
2644         (test.storeLittleEndian):
2645         (test.storeBigEndian):
2646         (test.store):
2647         (test):
2648         * stress/dataview-jit-set.js:
2649         (test5):
2650
2651 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2652
2653         Unreviewed, rolling out r236647.
2654         https://bugs.webkit.org/show_bug.cgi?id=190124
2655
2656         Breaking test stress/big-int-to-string.js (Requested by
2657         caiolima_ on #webkit).
2658
2659         Reverted changeset:
2660
2661         "[BigInt] BigInt.proptotype.toString is broken when radix is
2662         power of 2"
2663         https://bugs.webkit.org/show_bug.cgi?id=190033
2664         https://trac.webkit.org/changeset/236647
2665
2666 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2667
2668         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2669         https://bugs.webkit.org/show_bug.cgi?id=190033
2670
2671         Reviewed by Yusuke Suzuki.
2672
2673         * stress/big-int-to-string.js:
2674
2675 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2676
2677         [ESNext][BigInt] Implement support for "&"
2678         https://bugs.webkit.org/show_bug.cgi?id=186228
2679
2680         Reviewed by Yusuke Suzuki.
2681
2682         * stress/big-int-bitwise-and-general.js: Added.
2683         (assert):
2684         (assert.sameValue):
2685         * stress/big-int-bitwise-and-jit.js: Added.
2686         (let.assert.sameValue):
2687         (bigIntBitAnd):
2688         * stress/big-int-bitwise-and-memory-stress.js: Added.
2689         (assert):
2690         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2691         (assert.sameValue):
2692         (let.o.Symbol.toPrimitive):
2693         (catch):
2694         * stress/big-int-bitwise-and-type-error.js: Added.
2695         (assert):
2696         (assertThrowTypeError):
2697         (let.o.valueOf):
2698         (o.valueOf):
2699         (o.toString):
2700         (o.Symbol.toPrimitive):
2701         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2702         (assert.sameValue):
2703         (testBitAnd):
2704         (let.o.Symbol.toPrimitive):
2705         (o.valueOf):
2706         (o.toString):
2707
2708 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2709
2710         JSC test stress/jsc-read.js doesn't support CRLF
2711         https://bugs.webkit.org/show_bug.cgi?id=190063
2712
2713         Reviewed by Yusuke Suzuki.
2714
2715         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2716
2717         * stress/jsc-read.js:
2718         (test):
2719
2720 2018-09-27  Saam barati  <sbarati@apple.com>
2721
2722         Verify the contents of AssemblerBuffer on arm64e
2723         https://bugs.webkit.org/show_bug.cgi?id=190057
2724         <rdar://problem/38916630>
2725
2726         Reviewed by Mark Lam.
2727
2728         * stress/regress-189132.js:
2729
2730 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2731
2732         Disable test without LLInt on ARMv7
2733         https://bugs.webkit.org/show_bug.cgi?id=190037
2734
2735         Reviewed by Mark Lam.
2736
2737         Test runs out of executable memory on ARMv7, do not run
2738         this test without LLInt enabled.
2739
2740         * stress/regress-169445.js:
2741
2742 2018-09-26  Keith Miller  <keith_miller@apple.com>
2743
2744         We should zero unused property storage when rebalancing array storage.
2745         https://bugs.webkit.org/show_bug.cgi?id=188151
2746
2747         Reviewed by Michael Saboff.
2748
2749         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2750
2751 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2752
2753         [JSC] Optimize Array#lastIndexOf
2754         https://bugs.webkit.org/show_bug.cgi?id=189780
2755
2756         Reviewed by Saam Barati.
2757
2758         * stress/array-lastindexof-array-prototype-trap.js: Added.
2759         (shouldBe):
2760         (AncestorArray.prototype.get 2):
2761         (AncestorArray):
2762         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2763         (shouldBe):
2764         * stress/array-lastindexof-hole-nan.js: Added.
2765         (shouldBe):
2766         (throw.new.Error):
2767         * stress/array-lastindexof-infinity.js: Added.
2768         (shouldBe):
2769         (throw.new.Error):
2770         * stress/array-lastindexof-negative-zero.js: Added.
2771         (shouldBe):
2772         (throw.new.Error):
2773         * stress/array-lastindexof-own-getter.js: Added.
2774         (shouldBe):
2775         (throw.new.Error.get array):
2776         (get array):
2777         * stress/array-lastindexof-prototype-trap.js: Added.
2778         (shouldBe):
2779         (DerivedArray.prototype.get 2):
2780         (DerivedArray):
2781
2782 2018-09-25  Saam Barati  <sbarati@apple.com>
2783
2784         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2785         https://bugs.webkit.org/show_bug.cgi?id=189940
2786         <rdar://problem/43640987>
2787
2788         Reviewed by Mark Lam.
2789
2790         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2791
2792 2018-09-24  Saam Barati  <sbarati@apple.com>
2793
2794         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2795         https://bugs.webkit.org/show_bug.cgi?id=189922
2796         <rdar://problem/44651275>
2797
2798         Reviewed by Mark Lam.
2799
2800         * stress/array-indexof-fast-path-effects.js: Added.
2801         * stress/array-indexof-cached-length.js: Added.
2802
2803 2018-09-24  Saam barati  <sbarati@apple.com>
2804
2805         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2806         https://bugs.webkit.org/show_bug.cgi?id=189682
2807         <rdar://problem/43557315>
2808
2809         Reviewed by Mark Lam.
2810
2811         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2812         (foo):
2813
2814 2018-09-22  Saam barati  <sbarati@apple.com>
2815
2816         The sampling should not use Strong<CodeBlock> in its machineLocation field
2817         https://bugs.webkit.org/show_bug.cgi?id=189319
2818
2819         Reviewed by Filip Pizlo.
2820
2821         * stress/sampling-profiler-richards.js: Added.
2822
2823 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2824
2825         [JSC] Optimize Array#indexOf in C++ runtime
2826         https://bugs.webkit.org/show_bug.cgi?id=189507
2827
2828         Reviewed by Saam Barati.
2829
2830         * stress/array-indexof-array-prototype-trap.js: Added.
2831         (shouldBe):
2832         (AncestorArray.prototype.get 2):
2833         (AncestorArray):
2834         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2835         (shouldBe):
2836         * stress/array-indexof-hole-nan.js: Added.
2837         (shouldBe):
2838         (throw.new.Error):
2839         * stress/array-indexof-infinity.js: Added.
2840         (shouldBe):
2841         (throw.new.Error):
2842         * stress/array-indexof-negative-zero.js: Added.
2843         (shouldBe):
2844         (throw.new.Error):
2845         * stress/array-indexof-own-getter.js: Added.
2846         (shouldBe):
2847         (throw.new.Error.get array):
2848         (get array):
2849         * stress/array-indexof-prototype-trap.js: Added.
2850         (shouldBe):
2851         (DerivedArray.prototype.get 2):
2852         (DerivedArray):
2853
2854 2018-09-19  Saam barati  <sbarati@apple.com>
2855
2856         AI rule for MultiPutByOffset executes its effects in the wrong order
2857         https://bugs.webkit.org/show_bug.cgi?id=189757
2858         <rdar://problem/43535257>
2859
2860         Reviewed by Michael Saboff.
2861
2862         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2863         (foo):
2864         (Foo):
2865         (g):
2866
2867 2018-09-17  Mark Lam  <mark.lam@apple.com>
2868
2869         Ensure that ForInContexts are invalidated if their loop local is over-written.
2870         https://bugs.webkit.org/show_bug.cgi?id=189571
2871         <rdar://problem/44402277>
2872
2873         Reviewed by Saam Barati.
2874
2875         * stress/regress-189571.js: Added.
2876
2877 2018-09-17  Saam barati  <sbarati@apple.com>
2878
2879         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2880         https://bugs.webkit.org/show_bug.cgi?id=189676
2881         <rdar://problem/39682897>
2882
2883         Reviewed by Michael Saboff.
2884
2885         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2886         (A):
2887         (K):
2888         (i.catch):
2889
2890 2018-09-14  Saam barati  <sbarati@apple.com>
2891
2892         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2893         https://bugs.webkit.org/show_bug.cgi?id=189628
2894         <rdar://problem/39481690>
2895
2896         Reviewed by Mark Lam.
2897
2898         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2899         (foo):
2900
2901 2018-09-11  Mark Lam  <mark.lam@apple.com>
2902
2903         Test for array initialization in arrayProtoFuncSplice.
2904         https://bugs.webkit.org/show_bug.cgi?id=170253
2905         <rdar://problem/31328773>
2906
2907         Rubber-stamped by Saam Barati.
2908
2909         * stress/regress-170253.js: Added.
2910
2911 2018-09-11  Mark Lam  <mark.lam@apple.com>
2912
2913         Test for IntlObject initialization.
2914         https://bugs.webkit.org/show_bug.cgi?id=170251
2915         <rdar://problem/31328419>
2916
2917         Rubber-stamped by Saam Barati.
2918
2919         * stress/regress-170251.js: Added.
2920
2921 2018-09-11  Mark Lam  <mark.lam@apple.com>
2922
2923         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2924         https://bugs.webkit.org/show_bug.cgi?id=169889
2925         <rdar://problem/31155607>
2926
2927         Reviewed by Saam Barati.
2928
2929         * stress/regress-169889-array-concat.js: Added.
2930         * stress/regress-169889-array-concat1.js: Added.
2931         * stress/regress-169889-array-slice.js: Added.
2932
2933 2018-09-11  Mark Lam  <mark.lam@apple.com>
2934
2935         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2936         https://bugs.webkit.org/show_bug.cgi?id=169445
2937         <rdar://problem/30957435>
2938
2939         Reviewed by Saam Barati.
2940
2941         * stress/regress-169445.js: Added.
2942         (let.gun.eval.A):
2943         (let.gun.eval.B.C):
2944         (let.gun.eval.B.C.prototype.trigger):
2945         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2946         (let.gun.eval.B):
2947         (let.gun.eval):
2948
2949 == Rolled over to ChangeLog-2018-09-11 ==