[JSC] Grown region of WasmTable should be initialized with null
[WebKit-https.git] / JSTests / ChangeLog
1 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Grown region of WasmTable should be initialized with null
4         https://bugs.webkit.org/show_bug.cgi?id=198903
5
6         Reviewed by Saam Barati.
7
8         * wasm/stress/wasm-table-grow-initialize.js: Added.
9         (shouldBe):
10
11 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         Yarr bytecode compilation failure should be gracefully handled
14         https://bugs.webkit.org/show_bug.cgi?id=198700
15
16         Reviewed by Michael Saboff.
17
18         * stress/regexp-bytecode-compilation-fail.js: Added.
19         (shouldThrow):
20
21 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
22
23         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
24         https://bugs.webkit.org/show_bug.cgi?id=198770
25
26         Reviewed by Saam Barati.
27
28         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
29         (test):
30
31 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
32
33         JSC should throw if proxy set returns falsish in strict mode context
34         https://bugs.webkit.org/show_bug.cgi?id=177398
35
36         Reviewed by Yusuke Suzuki.
37
38         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
39         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
40
41         * stress/proxy-set.js: Add 2 test cases.
42         * stress/regexp-match-proxy.js: Fix test.
43         * stress/regexp-replace-proxy.js: Fix test.
44
45 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
46
47         Error message for non-callable Proxy `construct` trap is misleading
48         https://bugs.webkit.org/show_bug.cgi?id=198637
49
50         Reviewed by Saam Barati.
51
52         * stress/proxy-construct.js:
53
54 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
55
56         AI BitURShift's result should not be unsigned
57         https://bugs.webkit.org/show_bug.cgi?id=198689
58         <rdar://problem/51550063>
59
60         Reviewed by Saam Barati.
61
62         * stress/urshift-int32-overflow.js: Added.
63         (foo.):
64         (foo):
65
66 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
67
68         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
69
70         Unreviewed gardening.
71
72         * stress/ftl-gettypedarrayoffset-wasteful.js:
73         Skipped on arm/linux as it always times out on the bot since a change
74         between r246270 and r246278 inclusive.
75
76 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
77
78         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
79         https://bugs.webkit.org/show_bug.cgi?id=198023
80
81         Reviewed by Saam Barati.
82
83         * stress/reparsing-unlinked-codeblock.js: Added.
84         (shouldBe):
85         (hello):
86
87 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
88
89         [JSC] Use mergePrediction in ValuePow prediction propagation
90         https://bugs.webkit.org/show_bug.cgi?id=198648
91
92         Reviewed by Saam Barati.
93
94         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
95
96 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
97
98         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
99         https://bugs.webkit.org/show_bug.cgi?id=198581
100         <rdar://problem/51099753>
101
102         Reviewed by Saam Barati.
103
104         * stress/global-object-proto-getter.js: Added.
105         (f):
106         (test):
107
108 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
109
110         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
111         https://bugs.webkit.org/show_bug.cgi?id=198398
112
113         Reviewed by Saam Barati.
114
115         * wasm/references/anyref_table.js: Added.
116         (string_appeared_here.doGCSet):
117         (doGCTest):
118         (doGCSet.doGCTest.let.count.0.doBarrierSet):
119         * wasm/references/anyref_table_import.js: Added.
120         (makeImport):
121         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
122         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
123         * wasm/references/is_null_error.js: Removed.
124         * wasm/references/validation.js: Added.
125         (assert.throws.new.WebAssembly.Module.bin):
126         (assert.throws):
127         * wasm/wasm.json:
128
129 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
130
131         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
132         https://bugs.webkit.org/show_bug.cgi?id=198106
133
134         Reviewed by Saam Barati.
135
136         * wasm/regress/selectf64.js: Added.
137         * wasm/regress/selectf64.wasm: Added.
138         * wasm/regress/selectf64.wat: Added.
139
140 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
141
142         Argument elimination should check transitive dependents for interference
143         https://bugs.webkit.org/show_bug.cgi?id=198520
144         <rdar://problem/50863343>
145
146         Reviewed by Filip Pizlo.
147
148         * stress/argument-elimination-inline-rest-past-kill.js: Added.
149         (f2):
150         (f3):
151
152 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
153
154         Argument elimination should check for negative indices in GetByVal
155         https://bugs.webkit.org/show_bug.cgi?id=198302
156         <rdar://problem/51188095>
157
158         Reviewed by Filip Pizlo.
159
160         * stress/eliminate-arguments-negative-rest-access.js: Added.
161         (inlinee):
162         (opt):
163
164 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
165
166         [ESNext][BigInt] Implement support for "**"
167         https://bugs.webkit.org/show_bug.cgi?id=190799
168
169         Reviewed by Saam Barati.
170
171         * stress/big-int-exp-basic.js: Added.
172         * stress/big-int-exp-jit-osr.js: Added.
173         * stress/big-int-exp-jit-untyped.js: Added.
174         * stress/big-int-exp-jit.js: Added.
175         * stress/big-int-exp-negative-exponent.js: Added.
176         * stress/big-int-exp-to-primitive.js: Added.
177         * stress/big-int-exp-type-error.js: Added.
178         * stress/big-int-exp-wrapped-value.js: Added.
179         * stress/value-pow-ai-rule.js: Added.
180
181 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
182
183         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
184         https://bugs.webkit.org/show_bug.cgi?id=197979
185
186         Reviewed by Filip Pizlo.
187
188         * stress/16bit-code.js: Added.
189         (shouldBe):
190         * stress/32bit-code.js: Added.
191         (shouldBe):
192
193 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
194
195         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
196         https://bugs.webkit.org/show_bug.cgi?id=198355
197
198         Reviewed by Saam Barati.
199
200         * wasm/references/is_null.js:
201
202 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
203
204         [PlayStation] Skip additional tests on PlayStation
205         https://bugs.webkit.org/show_bug.cgi?id=198352
206
207         Reviewed by Don Olmstead.
208
209         Skip pow test on PlayStation due to behavior difference in standard library.
210         Skip incremental marking test due to OOM on PlayStation systems.
211
212         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
213         * stress/math-pow-with-constants.js:
214         * stress/pow-with-constants.js:
215
216 2019-05-28  Dean Jackson  <dino@apple.com>
217
218         Implement Promise.allSettled
219         https://bugs.webkit.org/show_bug.cgi?id=197600
220         <rdar://problem/50483885>
221
222         Reviewed by Keith Miller.
223
224         Start testing Promise.allSettled. We pass most of the tests.
225         The ones that fail are similar to the Promise.all tests we already fail.
226
227         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
228         * test262/expectations.yaml: Add new expectations for allSettled tests.
229
230 2019-05-28  Michael Saboff  <msaboff@apple.com>
231
232         [YARR] Properly handle RegExp's that require large ParenContext space
233         https://bugs.webkit.org/show_bug.cgi?id=198065
234
235         Reviewed by Keith Miller.
236
237         New test.
238
239         * stress/regexp-large-paren-context.js: Added.
240         (testLargeRegExp):
241
242 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
243
244         JITOperations putByVal should mark negative array indices as out-of-bounds
245         https://bugs.webkit.org/show_bug.cgi?id=198271
246
247         Reviewed by Saam Barati.
248
249         * microbenchmarks/get-by-val-negative-array-index.js:
250         (foo):
251         Update the getByVal microbenchmark added in r245769. This now shows that r245769
252         is 4.2x faster than the previous commit.
253
254         * microbenchmarks/put-by-val-negative-array-index.js: Added.
255         (foo):
256
257 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
258
259         JITOperations getByVal should mark negative array indices as out-of-bounds
260         https://bugs.webkit.org/show_bug.cgi?id=198229
261
262         Reviewed by Saam Barati.
263
264         * microbenchmarks/get-by-val-negative-array-index.js: Added.
265         (foo):
266
267 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
268
269         [WASM-References] Support Anyref in globals
270         https://bugs.webkit.org/show_bug.cgi?id=198102
271
272         Reviewed by Saam Barati.
273
274         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
275
276         * wasm/Builder.js:
277         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
278         * wasm/Builder_WebAssemblyBinary.js:
279         (const.putInitExpr):
280         * wasm/references/anyref_globals.js: Added.
281         (GetGlobal.0.End.End.WebAssembly):
282         (5.doGCSet):
283         (doGCTest):
284         (doGCSet.doGCTest.let.count.0.doBarrierSet):
285
286 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
287
288         DFG::OSREntry should not perform arity check
289         https://bugs.webkit.org/show_bug.cgi?id=198189
290
291         Reviewed by Saam Barati.
292
293         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
294         (foo):
295
296 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
297
298         [PlayStation] Skip additional tests on PlayStation
299         https://bugs.webkit.org/show_bug.cgi?id=198145
300
301         Reviewed by Ross Kirsling.
302
303         * exceptionFuzz.yaml:
304         Add skip on hostOS playstation
305         * executableAllocationFuzz.yaml:
306         Add skip on hostOS playstation
307
308 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
309
310         createListFromArrayLike should throw if value is not an object
311         https://bugs.webkit.org/show_bug.cgi?id=198138
312
313         Reviewed by Yusuke Suzuki.
314
315         * stress/create-list-from-array-like-not-object.js: Added.
316         (testValid):
317         (testInvalid):
318         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
319         (opt):
320         * stress/proxy-proto-enumerator.js: Added.
321         (main):
322         * stress/proxy-proto-own-keys.js: Added.
323         (assert):
324         (ownKeys):
325
326 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
327
328         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
329         https://bugs.webkit.org/show_bug.cgi?id=197809
330
331         Reviewed by Michael Saboff.
332
333         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
334         (foo):
335
336 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
337
338         [ESNext] Implement support for Numeric Separators
339         https://bugs.webkit.org/show_bug.cgi?id=196351
340
341         Reviewed by Keith Miller.
342
343         * stress/numeric-literal-separators.js: Added.
344         Add tests for feature.
345
346         * test262/expectations.yaml:
347         Mark 60 test cases as passing.
348
349 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
350
351         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
352         https://bugs.webkit.org/show_bug.cgi?id=198120
353         <rdar://problem/49668795>
354
355         Reviewed by Michael Saboff.
356
357         * stress/get-array-length-concurrently-change-mode.js: Added.
358         (main):
359
360 2019-05-22  Commit Queue  <commit-queue@webkit.org>
361
362         Unreviewed, rolling out r245634.
363         https://bugs.webkit.org/show_bug.cgi?id=198140
364
365         'This patch makes JSC crash on launch in debug builds'
366         (Requested by tadeuzagallo on #webkit).
367
368         Reverted changeset:
369
370         "[ESNext] Implement support for Numeric Separators"
371         https://bugs.webkit.org/show_bug.cgi?id=196351
372         https://trac.webkit.org/changeset/245634
373
374 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
375
376         Stack-buffer-overflow in decodeURIComponent
377         https://bugs.webkit.org/show_bug.cgi?id=198109
378         <rdar://problem/50397550>
379
380         Reviewed by Michael Saboff.
381
382         * stress/decode-uri-icu-count-trail-bytes.js: Added.
383         (i.j.try.i.toString):
384         (i.j.catch):
385
386 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
387
388         Don't clear PropertyNameArray in Proxy code
389         https://bugs.webkit.org/show_bug.cgi?id=197691
390
391         Reviewed by Saam Barati.
392
393         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
394         (shouldBe):
395         (opt):
396
397 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
398
399         [ESNext] Implement support for Numeric Separators
400         https://bugs.webkit.org/show_bug.cgi?id=196351
401
402         Reviewed by Keith Miller.
403
404         * stress/numeric-literal-separators.js: Added.
405         Add tests for feature.
406
407         * test262/expectations.yaml:
408         Mark 60 test cases as passing.
409
410 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
411
412         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
413         https://bugs.webkit.org/show_bug.cgi?id=198101
414
415         Reviewed by Michael Saboff.
416
417         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
418         (shouldBe):
419
420 2019-05-20  Keith Miller  <keith_miller@apple.com>
421
422         Cleanup Yarr regexp code around paren contexts.
423         https://bugs.webkit.org/show_bug.cgi?id=198063
424
425         Reviewed by Yusuke Suzuki.
426
427         * stress/regexp-many-named-sequential-capture-groups.js: Added.
428         (i.s):
429         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
430
431 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
432
433         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
434         https://bugs.webkit.org/show_bug.cgi?id=197969
435
436         Reviewed by Keith Miller.
437
438         Support the anyref type in Builder.js, plus add some extra error logging.
439         Add new folder for wasm references tests.
440
441         * wasm.yaml:
442         * wasm/Builder.js:
443         (const._isValidValue):
444         * wasm/references/anyref_modules.js: Added.
445         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
446         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
447         (Call.3.RefIsNull.End.End.WebAssembly):
448         (undefined):
449         * wasm/references/is_null.js: Added.
450         * wasm/references/is_null_error.js: Added.
451         * wasm/spec-harness/index.js:
452         * wasm/wasm.json:
453
454 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
455
456         [JSC] Invalid AssignmentTargetType should be an early error.
457         https://bugs.webkit.org/show_bug.cgi?id=197603
458
459         Reviewed by Keith Miller.
460
461         * test262/expectations.yaml:
462         Update expectations to reflect new SyntaxErrors.
463         (Ideally, these should all be viewed as passing in the near future.)
464
465         * stress/async-await-basic.js:
466         * stress/big-int-literals.js:
467         Update tests to reflect new SyntaxErrors.
468
469         * ChakraCore.yaml:
470         * ChakraCore/test/EH/try6.baseline-jsc:
471         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
472         Update baselines to reflect new SyntaxErrors.
473
474 2019-05-15  Saam Barati  <sbarati@apple.com>
475
476         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
477         https://bugs.webkit.org/show_bug.cgi?id=197855
478         <rdar://problem/50236506>
479
480         Reviewed by Michael Saboff.
481
482         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
483         (f0):
484         (bar):
485         (foo):
486         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
487         (f1):
488         (f2):
489         (foo):
490
491 2019-05-14  Keith Miller  <keith_miller@apple.com>
492
493         Fix issue with byteOffset on ARM64E
494         https://bugs.webkit.org/show_bug.cgi?id=197884
495
496         Reviewed by Saam Barati.
497
498         We didn't have any tests that run with non-byte/non-zero offset
499         typed arrays.
500
501         * stress/ftl-gettypedarrayoffset-wasteful.js:
502
503 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
504
505         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
506         https://bugs.webkit.org/show_bug.cgi?id=197833
507
508         Reviewed by Darin Adler.
509
510         * stress/generator-name.js: Added.
511         (shouldBe):
512         (gen):
513         (catch):
514
515 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
516
517         JSObject::getOwnPropertyDescriptor is missing an exception check
518         https://bugs.webkit.org/show_bug.cgi?id=197693
519         <rdar://problem/50441784>
520
521         Reviewed by Saam Barati.
522
523         * stress/proxy-spread.js: Added.
524         (foo):
525
526 2019-05-10  Saam barati  <sbarati@apple.com>
527
528         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
529         https://bugs.webkit.org/show_bug.cgi?id=197807
530         <rdar://problem/50530400>
531
532         Reviewed by Yusuke Suzuki.
533
534         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
535         (test.getInstance):
536         (test):
537
538 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
539
540         [Test262] Unreviewed expectations update following r245188.
541
542         * test262/config.yaml:
543         * test262/expectations.yaml:
544
545         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
546         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
547         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
548         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
549         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
550         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
551         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
552         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
553         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
554         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
555         These files have invalid YAML comments. Will also submit corrections back to Test262.
556
557 2019-05-10  Keith Miller  <keith_miller@apple.com>
558
559         Update test262 tests.
560
561         Rubber-stamped by Yusuke Suzuki.
562
563         * test262/*: mega-patch too many things to list individually.
564
565 2019-05-09  Keith Miller  <keith_miller@apple.com>
566
567         Unreviewed, fix test to have a try-catch.
568
569         * stress/many-nested-functions-parser-stack-overflow.js:
570         (catch):
571
572 2019-05-09  Keith Miller  <keith_miller@apple.com>
573
574         parseStatementListItem needs a stack overflow check
575         https://bugs.webkit.org/show_bug.cgi?id=197749
576
577         Reviewed by Saam Barati.
578
579         * stress/many-nested-functions-parser-stack-overflow.js: Added.
580
581 2019-05-08  Saam barati  <sbarati@apple.com>
582
583         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
584         https://bugs.webkit.org/show_bug.cgi?id=197715
585         <rdar://problem/50399252>
586
587         Reviewed by Filip Pizlo.
588
589         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
590         (foo):
591         (bar):
592
593 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
594
595         Unreviewed, rolling out r245068.
596
597         Caused debug layout tests to exit early due to an assertion
598         failure.
599
600         Reverted changeset:
601
602         "All prototypes should call didBecomePrototype()"
603         https://bugs.webkit.org/show_bug.cgi?id=196315
604         https://trac.webkit.org/changeset/245068
605
606 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
607
608         Invalid DFG JIT generation in high CPU usage state
609         https://bugs.webkit.org/show_bug.cgi?id=197453
610
611         Reviewed by Saam Barati.
612
613         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
614         (trigger):
615         (main):
616
617 2019-05-08  Robin Morisset  <rmorisset@apple.com>
618
619         All prototypes should call didBecomePrototype()
620         https://bugs.webkit.org/show_bug.cgi?id=196315
621
622         Reviewed by Saam Barati.
623
624         This changelog already landed, but the commit was missing the actual changes.
625
626         * stress/function-prototype-indexed-accessor.js: Added.
627
628 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
629
630         [BigInt] Add ValueMod into DFG
631         https://bugs.webkit.org/show_bug.cgi?id=186174
632
633         Reviewed by Saam Barati.
634
635         * microbenchmarks/mod-untyped.js: Added.
636         * stress/big-int-mod-osr.js: Added.
637         * stress/value-div-ai-rule.js: Added.
638         * stress/value-mod-ai-rule.js: Added.
639
640 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
641
642         [JSC] DFG_ASSERT failed in lowInt52
643         https://bugs.webkit.org/show_bug.cgi?id=197569
644
645         Reviewed by Saam Barati.
646
647         * stress/getstack-int52.js: Added.
648         (opt):
649         (main):
650
651 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
652
653         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
654         https://bugs.webkit.org/show_bug.cgi?id=197479
655
656         Reviewed by Saam Barati.
657
658         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
659         (shouldBe):
660
661 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
662
663         TemplateObject passed to template literal tags are not always identical for the same source location.
664         https://bugs.webkit.org/show_bug.cgi?id=190756
665
666         Reviewed by Saam Barati.
667
668         * complex.yaml:
669         * complex/tagged-template-regeneration-after.js: Added.
670         (shouldBe):
671         * complex/tagged-template-regeneration.js: Added.
672         (call):
673         (test):
674         * modules/tagged-template-inside-module.js: Added.
675         (from.string_appeared_here.call):
676         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
677         (call):
678         (export.otherTaggedTemplates):
679         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
680         (shouldBe):
681         (call):
682         (poly):
683         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
684         (shouldBe):
685         (call):
686         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
687         (shouldBe):
688         (call):
689         (test):
690         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
691         (shouldBe):
692         (call):
693         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
694         (shouldBe):
695         (call):
696         * stress/tagged-templates-in-multiple-functions.js: Added.
697         (shouldBe):
698         (call):
699         (a):
700         (b):
701         (c):
702         * stress/tagged-templates-with-same-start-offset.js: Added.
703         (shouldBe):
704
705 2019-05-07  Robin Morisset  <rmorisset@apple.com>
706
707         All prototypes should call didBecomePrototype()
708         https://bugs.webkit.org/show_bug.cgi?id=196315
709
710         Reviewed by Saam Barati.
711
712         * stress/function-prototype-indexed-accessor.js: Added.
713
714 2019-05-07  Commit Queue  <commit-queue@webkit.org>
715
716         Unreviewed, rolling out r244978.
717         https://bugs.webkit.org/show_bug.cgi?id=197671
718
719         TemplateObject map should use start/end offsets (Requested by
720         yusukesuzuki on #webkit).
721
722         Reverted changeset:
723
724         "TemplateObject passed to template literal tags are not always
725         identical for the same source location."
726         https://bugs.webkit.org/show_bug.cgi?id=190756
727         https://trac.webkit.org/changeset/244978
728
729 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
730
731         tryCachePutByID should not crash if target offset changes
732         https://bugs.webkit.org/show_bug.cgi?id=197311
733         <rdar://problem/48033612>
734
735         Reviewed by Filip Pizlo.
736
737         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
738         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`.
739
740         * stress/cache-put-by-id-delete-prototype.js: Added.
741         (A.prototype.set y):
742         (A):
743         (B.prototype.set y):
744         (B):
745         (C):
746         * stress/cache-put-by-id-different-__proto__.js: Added.
747         (A.prototype.set y):
748         (A):
749         (B1):
750         (B2.prototype.set y):
751         (B2):
752         (C):
753         (D):
754         * stress/cache-put-by-id-different-attributes.js: Added.
755         (Foo):
756         (set x):
757         * stress/cache-put-by-id-different-offset.js: Added.
758         (Foo):
759         (set x):
760         * stress/cache-put-by-id-insert-prototype.js: Added.
761         (A.prototype.set y):
762         (A):
763         (C):
764         * stress/cache-put-by-id-poly-proto.js: Added.
765         (Foo):
766         (set _):
767         (createBar.Bar):
768         (createBar):
769
770 2019-05-07  Saam Barati  <sbarati@apple.com>
771
772         Don't OSR enter into an FTL CodeBlock that has been jettisoned
773         https://bugs.webkit.org/show_bug.cgi?id=197531
774         <rdar://problem/50162379>
775
776         Reviewed by Yusuke Suzuki.
777
778         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
779
780 2019-05-06  Dean Jackson  <dino@apple.com>
781
782         Update test262 expectations for Proxy passes
783         https://bugs.webkit.org/show_bug.cgi?id=197628
784
785         Reviewed by Yusuke Suzuki.
786
787         There are two consistent passes in Proxy.ownKeys.
788
789         * test262/expectations.yaml:
790
791 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
792
793         [JSC] We should check OOM for description string of Symbol
794         https://bugs.webkit.org/show_bug.cgi?id=197634
795
796         Reviewed by Keith Miller.
797
798         * stress/check-symbol-description-oom.js: Added.
799         (shouldThrow):
800
801 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
802
803         Unreviewed, land one more test
804         https://bugs.webkit.org/show_bug.cgi?id=197587
805
806         * stress/setter-frame-flush.js: Added.
807         (setter):
808         (foo):
809         (bar):
810
811 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
812
813         TemplateObject passed to template literal tags are not always identical for the same source location.
814         https://bugs.webkit.org/show_bug.cgi?id=190756
815
816         Reviewed by Saam Barati.
817
818         * complex.yaml:
819         * complex/tagged-template-regeneration-after.js: Added.
820         (shouldBe):
821         * complex/tagged-template-regeneration.js: Added.
822         (call):
823         (test):
824         * modules/tagged-template-inside-module.js: Added.
825         (from.string_appeared_here.call):
826         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
827         (call):
828         (export.otherTaggedTemplates):
829         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
830         (shouldBe):
831         (call):
832         (poly):
833         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
834         (shouldBe):
835         (call):
836         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
837         (shouldBe):
838         (call):
839         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
840         (shouldBe):
841         (call):
842         * stress/tagged-templates-in-multiple-functions.js: Added.
843         (shouldBe):
844         (call):
845         (a):
846         (b):
847         (c):
848
849 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
850
851         [PlayStation] JSC Stress tests failing due to timezone printing
852         https://bugs.webkit.org/show_bug.cgi?id=197615
853
854         PlayStation's strftime does not give timezone strings, which
855         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
856         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
857         which causes diff failures with the expectations. Add expectations
858         without the timezone string and use those on playstation.
859
860         Reviewed by Ross Kirsling.
861
862         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
863         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
864         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
865         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
866
867 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
868
869         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
870         https://bugs.webkit.org/show_bug.cgi?id=197587
871
872         Reviewed by Sam Weinig.
873
874         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
875
876         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
877
878 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
879
880         TypedArrays should not store properties that are canonical numeric indices
881         https://bugs.webkit.org/show_bug.cgi?id=197228
882         <rdar://problem/49557381>
883
884         Reviewed by Saam Barati.
885
886         * stress/array-species-config-array-constructor.js:
887         (test):
888         * stress/put-direct-index-broken-2.js:
889         * stress/typed-array-canonical-numeric-index-string.js: Added.
890         (makeTest.assert):
891         (makeTest):
892         (const.testInvalidIndices.makeTest.set assert):
893         (const.testInvalidIndices.makeTest):
894         (const.makeTestValidIndex.configurable.set assert):
895         (const.makeTestValidIndex.configurable):
896         * stress/typedarray-access-monomorphic-neutered.js:
897         (checkNoException):
898         (testNoException):
899         (testFTLNoException):
900         * stress/typedarray-access-neutered.js:
901         (testNoException):
902         * stress/typedarray-getownproperty-not-configurable.js:
903         (foo):
904         * test262/expectations.yaml:
905
906 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
907
908         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
909         https://bugs.webkit.org/show_bug.cgi?id=197584
910
911         Reviewed by Saam Barati.
912
913         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
914         (X):
915         (foo):
916
917 2019-05-03  Michael Saboff  <msaboff@apple.com>
918
919         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
920         https://bugs.webkit.org/show_bug.cgi?id=197586
921
922         Reviewed by Keith Miller.
923
924         We should only run one config of this test and only when we think we'll have the memory.
925
926         * stress/json-stringify-string-builder-overflow.js:
927
928 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
929
930         [JSC] Generator CodeBlock generation should be idempotent
931         https://bugs.webkit.org/show_bug.cgi?id=197552
932
933         Reviewed by Keith Miller.
934
935         Add complex.yaml, which controls how to run JSC shell more.
936         We split test files into two to run macro task between them which allows debugger to be attached to VM.
937
938         * complex.yaml: Added.
939         * complex/generator-regeneration-after.js: Added.
940         * complex/generator-regeneration.js: Added.
941         (gen):
942
943 2019-05-02  Michael Saboff  <msaboff@apple.com>
944
945         Unreviewed rollout of r244862.
946
947         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
948
949 2019-05-01  Saam barati  <sbarati@apple.com>
950
951         Baseline JIT should do argument value profiling after checking for stack overflow
952         https://bugs.webkit.org/show_bug.cgi?id=197052
953         <rdar://problem/50009602>
954
955         Reviewed by Yusuke Suzuki.
956
957         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
958
959 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
960
961         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
962         https://bugs.webkit.org/show_bug.cgi?id=197405
963
964         Reviewed by Saam Barati.
965
966         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
967         (foo):
968         (test):
969         (i.o.get f):
970         (i.o.set f):
971
972 2019-05-01  Michael Saboff  <msaboff@apple.com>
973
974         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
975         https://bugs.webkit.org/show_bug.cgi?id=197485
976
977         Reviewed by Saam Barati.
978
979         New test.
980
981         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
982         (foo):
983
984 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
985
986         Unreviewed correction to Test262 expectations following r244828.
987
988         * test262/expectations.yaml:
989
990 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
991
992         Add memory-limited skipping to some tests generating very large strings
993         https://bugs.webkit.org/show_bug.cgi?id=197437
994
995         Reviewed by Ross Kirsling.
996
997         * stress/StringObject-define-length-getter-rope-string-oom.js:
998         * stress/create-error-out-of-memory-rope-string.js:
999         * stress/string-16bit-repeat-overflow.js:
1000
1001 2019-04-30  Commit Queue  <commit-queue@webkit.org>
1002
1003         Unreviewed, rolling out r244806.
1004         https://bugs.webkit.org/show_bug.cgi?id=197446
1005
1006         Causing Test262 and JSC test failures on multiple builds
1007         (Requested by ShawnRoberts on #webkit).
1008
1009         Reverted changeset:
1010
1011         "TypeArrays should not store properties that are canonical
1012         numeric indices"
1013         https://bugs.webkit.org/show_bug.cgi?id=197228
1014         https://trac.webkit.org/changeset/244806
1015
1016 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
1017
1018         TypeArrays should not store properties that are canonical numeric indices
1019         https://bugs.webkit.org/show_bug.cgi?id=197228
1020         <rdar://problem/49557381>
1021
1022         Reviewed by Darin Adler.
1023
1024         * stress/typed-array-canonical-numeric-index-string.js: Added.
1025         (makeTest.assert):
1026         (makeTest):
1027         (const.testInvalidIndices.makeTest.set assert):
1028         (const.testInvalidIndices.makeTest):
1029         (const.testValidIndices.makeTest.set assert):
1030         (const.testValidIndices.makeTest):
1031
1032 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
1033
1034         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
1035         https://bugs.webkit.org/show_bug.cgi?id=197362
1036
1037         Reviewed by Saam Barati.
1038
1039         * stress/map-with-nan.js: Added.
1040         (shouldBe):
1041         (div):
1042         (NaN1):
1043         (NaN2):
1044         (NaN3):
1045         (NaN4):
1046         (NaN1NoInline):
1047         (NaN2NoInline):
1048         (NaN3NoInline):
1049         (NaN4NoInline):
1050         (test1):
1051         (test2):
1052         (test3):
1053         (test4):
1054         * stress/set-with-nan.js: Added.
1055         (shouldBe):
1056         (div):
1057         (NaN1):
1058         (NaN2):
1059         (NaN3):
1060         (NaN4):
1061         (NaN1NoInline):
1062         (NaN2NoInline):
1063         (NaN3NoInline):
1064         (NaN4NoInline):
1065         (test2):
1066         (test4):
1067
1068 2019-04-26  Commit Queue  <commit-queue@webkit.org>
1069
1070         Unreviewed, rolling out r244708.
1071         https://bugs.webkit.org/show_bug.cgi?id=197334
1072
1073         "Broke the debug build" (Requested by rmorisset on #webkit).
1074
1075         Reverted changeset:
1076
1077         "All prototypes should call didBecomePrototype()"
1078         https://bugs.webkit.org/show_bug.cgi?id=196315
1079         https://trac.webkit.org/changeset/244708
1080
1081 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1082
1083         [JSC] linkPolymorphicCall now does GC
1084         https://bugs.webkit.org/show_bug.cgi?id=197306
1085
1086         Reviewed by Saam Barati.
1087
1088         * stress/link-polymorphic-call-can-gc.js: Added.
1089         (module):
1090         (instance):
1091
1092 2019-04-26  Robin Morisset  <rmorisset@apple.com>
1093
1094         All prototypes should call didBecomePrototype()
1095         https://bugs.webkit.org/show_bug.cgi?id=196315
1096
1097         Reviewed by Saam Barati.
1098
1099         * stress/function-prototype-indexed-accessor.js: Added.
1100
1101 2019-04-23  Saam Barati  <sbarati@apple.com>
1102
1103         LICM incorrectly assumes it'll never insert a node which provably OSR exits
1104         https://bugs.webkit.org/show_bug.cgi?id=196721
1105         <rdar://problem/49556479> 
1106
1107         Reviewed by Filip Pizlo.
1108
1109         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
1110         (foo):
1111
1112 2019-04-19  Saam Barati  <sbarati@apple.com>
1113
1114         AbstractValue can represent more than int52
1115         https://bugs.webkit.org/show_bug.cgi?id=197118
1116         <rdar://problem/49969960>
1117
1118         Reviewed by Michael Saboff.
1119
1120         * stress/abstract-value-can-include-int52.js: Added.
1121         (foo):
1122         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
1123
1124 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
1125
1126         [WTF] StringBuilder should set correct m_is8Bit flag when merging
1127         https://bugs.webkit.org/show_bug.cgi?id=197053
1128
1129         Reviewed by Saam Barati.
1130
1131         * stress/merge-string-builder-in-dfg.js: Added.
1132         (foo):
1133
1134 2019-04-16  Caitlin Potter  <caitp@igalia.com>
1135
1136         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1137         https://bugs.webkit.org/show_bug.cgi?id=176810
1138
1139         Reviewed by Saam Barati.
1140
1141         Add tests for the DontEnum filtering, and variations of other tests
1142         take the DontEnum-filtering path.
1143
1144         * stress/proxy-own-keys.js:
1145         (i.catch):
1146         (set assert):
1147         (set add):
1148         (let.set new):
1149         (get let):
1150
1151 2019-04-15  Saam barati  <sbarati@apple.com>
1152
1153         Modify how we do SetArgument when we inline varargs calls
1154         https://bugs.webkit.org/show_bug.cgi?id=196712
1155         <rdar://problem/49605012>
1156
1157         Reviewed by Michael Saboff.
1158
1159         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
1160         (foo):
1161
1162 2019-04-15  Saam barati  <sbarati@apple.com>
1163
1164         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
1165         https://bugs.webkit.org/show_bug.cgi?id=196945
1166         <rdar://problem/49802750>
1167
1168         Reviewed by Filip Pizlo.
1169
1170         * stress/get-by-offset-should-use-correct-child.js: Added.
1171         (foo.bar):
1172         (foo):
1173
1174 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1175
1176         DFG should be able to constant fold Object.create() with a constant prototype operand
1177         https://bugs.webkit.org/show_bug.cgi?id=196886
1178
1179         Reviewed by Yusuke Suzuki.
1180
1181         Note that this new benchmark does not currently see a speedup with inlining removed.
1182         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
1183
1184         * microbenchmarks/object-create-constant-prototype.js: Added.
1185         (test):
1186
1187 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1188
1189         Incremental bytecode cache should not append function updates when loaded from memory
1190         https://bugs.webkit.org/show_bug.cgi?id=196865
1191
1192         Reviewed by Filip Pizlo.
1193
1194         * stress/bytecode-cache-shared-code-block.js: Added.
1195         (b):
1196         (program):
1197
1198 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
1199
1200         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
1201         https://bugs.webkit.org/show_bug.cgi?id=196880
1202
1203         Reviewed by Yusuke Suzuki.
1204
1205         * stress/bytecode-cache-syntax-error.js: Added.
1206         (catch):
1207
1208 2019-04-12  Saam barati  <sbarati@apple.com>
1209
1210         r244079 logically broke shouldSpeculateInt52
1211         https://bugs.webkit.org/show_bug.cgi?id=196884
1212
1213         Reviewed by Yusuke Suzuki.
1214
1215         * microbenchmarks/int52-rand-function.js: Added.
1216         (Math.random):
1217
1218 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
1219
1220         [JSC] op_has_indexed_property should not assume subscript part is Uint32
1221         https://bugs.webkit.org/show_bug.cgi?id=196850
1222
1223         Reviewed by Saam Barati.
1224
1225         * stress/has-indexed-property-should-accept-non-int32.js: Added.
1226         (foo):
1227
1228 2019-04-11  Saam barati  <sbarati@apple.com>
1229
1230         Remove invalid assertion in operationInstanceOfCustom
1231         https://bugs.webkit.org/show_bug.cgi?id=196842
1232         <rdar://problem/49725493>
1233
1234         Reviewed by Michael Saboff.
1235
1236         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
1237
1238 2019-04-10  Saam Barati  <sbarati@apple.com>
1239
1240         AbstractValue::validateOSREntryValue is wrong for Int52 constants
1241         https://bugs.webkit.org/show_bug.cgi?id=196801
1242         <rdar://problem/49771122>
1243
1244         Reviewed by Yusuke Suzuki.
1245
1246         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
1247
1248 2019-04-10  Robin Morisset  <rmorisset@apple.com>
1249
1250         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
1251         https://bugs.webkit.org/show_bug.cgi?id=196746
1252
1253         Reviewed by Yusuke Suzuki.
1254
1255         * stress/cyclic-define-properties.js: Added.
1256         (foo):
1257
1258 2019-04-09  Saam barati  <sbarati@apple.com>
1259
1260         Clean up Int52 code and some bugs in it
1261         https://bugs.webkit.org/show_bug.cgi?id=196639
1262         <rdar://problem/49515757>
1263
1264         Reviewed by Yusuke Suzuki.
1265
1266         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
1267
1268 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
1269
1270         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
1271         https://bugs.webkit.org/show_bug.cgi?id=196708
1272         <rdar://problem/49556803>
1273
1274         Reviewed by Yusuke Suzuki.
1275
1276         * stress/proxy-getter-stack-overflow.js: Added.
1277         (const.handler.get target):
1278         (const.handler.has):
1279         (try.with):
1280         (catch):
1281
1282 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1283
1284         [JSC] DFG should respect node's strict flag
1285         https://bugs.webkit.org/show_bug.cgi?id=196617
1286
1287         Reviewed by Saam Barati.
1288
1289         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
1290         (shouldEqual):
1291         (makeUnwriteableUnconfigurableObject):
1292         (runTest):
1293         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
1294         (shouldBe):
1295         (shouldThrow):
1296         (with.result):
1297         (with.putValueStrict):
1298         (with.putValueSloppy):
1299
1300 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1301
1302         [JSC] isRope jump in StringSlice should not jump over register allocations
1303         https://bugs.webkit.org/show_bug.cgi?id=196716
1304
1305         Reviewed by Saam Barati.
1306
1307         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
1308         (foo.bar):
1309         (foo):
1310
1311 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1312
1313         [JSC] to_index_string should not assume incoming value is Uint32
1314         https://bugs.webkit.org/show_bug.cgi?id=196713
1315
1316         Reviewed by Saam Barati.
1317
1318         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
1319         (foo):
1320
1321 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1322
1323         [JSC] Add more tests for r243966
1324         https://bugs.webkit.org/show_bug.cgi?id=196711
1325
1326         Reviewed by Saam Barati.
1327
1328         Adding one more test for r243966 fix. The added test will not crash after r243966.
1329
1330         * stress/stress-cleared-calllinkinfo.js: Added.
1331         (runNearStackLimit.t):
1332         (runNearStackLimit):
1333         (repeat):
1334         (cls):
1335         (let.item.of.array.runNearStackLimit):
1336
1337 2019-04-08  Saam Barati  <sbarati@apple.com>
1338
1339         WebAssembly.RuntimeError missing exception check
1340         https://bugs.webkit.org/show_bug.cgi?id=196700
1341         <rdar://problem/49693932>
1342
1343         Reviewed by Yusuke Suzuki.
1344
1345         * wasm/js-api/runtime-error-should-exception-check.js: Added.
1346
1347 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1348
1349         Unreviewed, rolling in r243948 with test fix
1350         https://bugs.webkit.org/show_bug.cgi?id=196486
1351
1352         * stress/arrow-function-and-use-strict-directive.js: Added.
1353         * stress/arrow-function-syntax.js: Added.
1354         (checkSyntax):
1355         (checkSyntaxError):
1356
1357 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1358
1359         Unreviewed, rolling out r243948.
1360
1361         Caused inspector/runtime/parse.html to fail
1362
1363         Reverted changeset:
1364
1365         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
1366         https://bugs.webkit.org/show_bug.cgi?id=196486
1367         https://trac.webkit.org/changeset/243948
1368
1369 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1370
1371         Unreviewed, rolling out r243943.
1372
1373         Caused test262 failures.
1374
1375         Reverted changeset:
1376
1377         "[JSC] Filter DontEnum properties in
1378         ProxyObject::getOwnPropertyNames()"
1379         https://bugs.webkit.org/show_bug.cgi?id=176810
1380         https://trac.webkit.org/changeset/243943
1381
1382 2019-04-07  Michael Saboff  <msaboff@apple.com>
1383
1384         REGRESSION (r243642): Crash in reddit.com page
1385         https://bugs.webkit.org/show_bug.cgi?id=196684
1386
1387         Reviewed by Geoffrey Garen.
1388
1389         New regression test.
1390
1391         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
1392
1393 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
1394
1395         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
1396         https://bugs.webkit.org/show_bug.cgi?id=196683
1397
1398         Reviewed by Saam Barati.
1399
1400         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
1401         (foo):
1402
1403 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1404
1405         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
1406         https://bugs.webkit.org/show_bug.cgi?id=196582
1407
1408         Reviewed by Saam Barati.
1409
1410         * stress/add-overflow-check-with-three-same-registers.js: Added.
1411         (foo):
1412         (Number.prototype.valueOf):
1413         (runWithNumber):
1414
1415 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
1416
1417         Unreviewed, rolling out r243665.
1418
1419         Caused iOS JSC tests to exit with an exception.
1420
1421         Reverted changeset:
1422
1423         "Assertion failed in JSC::createError"
1424         https://bugs.webkit.org/show_bug.cgi?id=196305
1425         https://trac.webkit.org/changeset/243665
1426
1427 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1428
1429         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
1430         https://bugs.webkit.org/show_bug.cgi?id=196486
1431
1432         Reviewed by Saam Barati.
1433
1434         * stress/arrow-function-and-use-strict-directive.js: Added.
1435         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
1436         (checkSyntax):
1437         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
1438
1439 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1440
1441         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1442         https://bugs.webkit.org/show_bug.cgi?id=176810
1443
1444         Reviewed by Saam Barati.
1445
1446         Add tests for the DontEnum filtering, and variations of other tests
1447         take the DontEnum-filtering path.
1448
1449         * stress/proxy-own-keys.js:
1450         (i.catch):
1451         (set assert):
1452         (set add):
1453         (let.set new):
1454         (get let):
1455
1456 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1457
1458         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
1459         https://bugs.webkit.org/show_bug.cgi?id=185211
1460
1461         Reviewed by Saam Barati.
1462
1463         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
1464
1465         This changes several assertions to expect a TypeError to be thrown (in some cases,
1466         changing the expected message).
1467
1468         * es6/Proxy_ownKeys_duplicates.js:
1469         (handler):
1470         (shouldThrow):
1471         (test):
1472         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
1473         (shouldThrow):
1474         * stress/proxy-own-keys.js:
1475         (i.catch):
1476         (assert):
1477
1478 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1479
1480         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1481         https://bugs.webkit.org/show_bug.cgi?id=196631
1482
1483         Reviewed by Saam Barati.
1484
1485         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
1486         (assert):
1487         (test):
1488         (foo):
1489
1490 2019-04-04  Saam Barati  <sbarati@apple.com>
1491
1492         Unreviewed. Make the test from r243906 catch the thrown exceptions.
1493
1494         * stress/inferred-types-regex-matches-array.js:
1495
1496 2019-04-04  Saam Barati  <sbarati@apple.com>
1497
1498         createRegExpMatchesArray does not respect inferred types
1499         https://bugs.webkit.org/show_bug.cgi?id=193287
1500
1501         Reviewed by Yusuke Suzuki.
1502
1503         This checks in the test case for 193287. This issue was discovered by
1504         Samuel Groß of Google Project Zero.
1505
1506         * stress/inferred-types-regex-matches-array.js: Added.
1507
1508 2019-04-04  Saam barati  <sbarati@apple.com>
1509
1510         Teach Call ICs how to call Wasm
1511         https://bugs.webkit.org/show_bug.cgi?id=196387
1512
1513         Reviewed by Filip Pizlo.
1514
1515         * wasm/function-tests/stack-trace.js:
1516
1517 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1518
1519         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1520         https://bugs.webkit.org/show_bug.cgi?id=194944
1521
1522         Reviewed by Keith Miller.
1523
1524         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
1525
1526 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1527
1528         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1529         https://bugs.webkit.org/show_bug.cgi?id=196409
1530
1531         Reviewed by Saam Barati.
1532
1533         * stress/bytecode-cache-cached-string-impl.js: Added.
1534         (f):
1535         (g):
1536         * stress/bytecode-cache-run-string.js: Added.
1537
1538 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1539
1540         B3 should use associativity to optimize expression trees
1541         https://bugs.webkit.org/show_bug.cgi?id=194081
1542
1543         Reviewed by Filip Pizlo.
1544
1545         Added three microbenchmarks:
1546         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
1547         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
1548           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
1549         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
1550
1551         * microbenchmarks/add-tree.js: Added.
1552         * microbenchmarks/bit-or-tree.js: Added.
1553         * microbenchmarks/bit-xor-tree.js: Added.
1554
1555 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1556
1557         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1558         https://bugs.webkit.org/show_bug.cgi?id=196574
1559
1560         Reviewed by Saam Barati.
1561
1562         * stress/string-index-of-exception-check.js: Added.
1563         (blurType):
1564         (1.forEach):
1565
1566 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1567
1568         Assertion failed in JSC::createError
1569         https://bugs.webkit.org/show_bug.cgi?id=196305
1570         <rdar://problem/49387382>
1571
1572         Reviewed by Saam Barati.
1573
1574         * stress/create-error-out-of-memory-rope-string-2.js: Added.
1575         (assert):
1576         (catch):
1577
1578 2019-03-28  Saam Barati  <sbarati@apple.com>
1579
1580         BackwardsGraph needs to consider back edges as the backward's root successor
1581         https://bugs.webkit.org/show_bug.cgi?id=195991
1582
1583         Reviewed by Filip Pizlo.
1584
1585         * stress/map-b3-licm-infinite-loop.js: Added.
1586
1587 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1588
1589         CodeBlock::jettison() should disallow repatching its own calls
1590         https://bugs.webkit.org/show_bug.cgi?id=196359
1591         <rdar://problem/48973663>
1592
1593         Reviewed by Saam Barati.
1594
1595         * stress/call-link-info-osrexit-repatch.js: Added.
1596         (foo):
1597
1598 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
1599
1600         [JSC] imports-oom.js intermittently fails
1601         https://bugs.webkit.org/show_bug.cgi?id=196373
1602
1603         Reviewed by Saam Barati.
1604
1605         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
1606         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
1607         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
1608         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
1609         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
1610
1611         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
1612         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
1613
1614         * wasm/lowExecutableMemory/imports-oom.js:
1615
1616 2019-03-27  Saam Barati  <sbarati@apple.com>
1617
1618         validateOSREntryValue with Int52 should box the value being checked into double format
1619         https://bugs.webkit.org/show_bug.cgi?id=196313
1620         <rdar://problem/49306703>
1621
1622         Reviewed by Yusuke Suzuki.
1623
1624         * stress/validate-int-52-ai-state.js: Added.
1625
1626 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
1627
1628         [JSC] Owner of watchpoints should validate at GC finalizing phase
1629         https://bugs.webkit.org/show_bug.cgi?id=195827
1630
1631         Reviewed by Filip Pizlo.
1632
1633         * stress/gc-should-reap-dead-watchpoints.js: Added.
1634         (foo):
1635         (A.prototype.y):
1636         (A):
1637
1638 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
1639
1640         Skip WebAssembly test on 32-bit systems
1641         https://bugs.webkit.org/show_bug.cgi?id=196206
1642
1643         Reviewed by Saam Barati.
1644
1645         Invoking runDefault executes test immediately even though
1646         that test should be skipped due to missing WASM support.
1647         Therefore remove runDefault.
1648
1649         * wasm/regress/web-assembly-link-error-exception-check.js:
1650
1651 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
1652
1653         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
1654         https://bugs.webkit.org/show_bug.cgi?id=196217
1655
1656         Reviewed by Saam Barati.
1657
1658         Re-enable all NaN tests for f32.min, f64.min and f64.max.
1659
1660         * wasm/spec-tests/f32.wast.js:
1661         * wasm/spec-tests/f64.wast.js:
1662         * wasm/wasm.json:
1663
1664 2019-03-25  Keith Miller  <keith_miller@apple.com>
1665
1666         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
1667         https://bugs.webkit.org/show_bug.cgi?id=196176
1668
1669         Reviewed by Saam Barati.
1670
1671         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
1672         (main.v10):
1673         (main):
1674
1675 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
1676
1677         WebAssembly: f32.max with NaN generates incorrect result
1678         https://bugs.webkit.org/show_bug.cgi?id=175691
1679         <rdar://problem/33952228>
1680
1681         Reviewed by Saam Barati.
1682
1683         Enable all f32.max NaN tests
1684
1685         * wasm/spec-tests/f32.wast.js:
1686         * wasm/wasm.json:
1687
1688 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
1689
1690         [JSC] Move test into directory for WASM tests
1691         https://bugs.webkit.org/show_bug.cgi?id=196187
1692
1693         Reviewed by Mark Lam.
1694
1695         Move Test into wasm-directory. Otherwise this test
1696         is also executed on systems without WASM support.
1697
1698         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
1699
1700 2019-03-23  Mark Lam  <mark.lam@apple.com>
1701
1702         Rolling out r243032 and r243071 because the fix is incorrect.
1703         https://bugs.webkit.org/show_bug.cgi?id=195892
1704         <rdar://problem/48981239>
1705
1706         Not reviewed.
1707
1708         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
1709
1710 2019-03-22  Mark Lam  <mark.lam@apple.com>
1711
1712         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
1713         https://bugs.webkit.org/show_bug.cgi?id=196154
1714         <rdar://problem/49145307>
1715
1716         Reviewed by Filip Pizlo.
1717
1718         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
1719         There's no need to run this test on more than 1 test configuration.
1720
1721         * stress/typed-array-lastIndexOf-exception-check.js: Added.
1722         * stress/web-assembly-link-error-exception-check.js:
1723
1724 2019-03-22  Mark Lam  <mark.lam@apple.com>
1725
1726         Placate exception check validation in constructJSWebAssemblyLinkError().
1727         https://bugs.webkit.org/show_bug.cgi?id=196152
1728         <rdar://problem/49145257>
1729
1730         Reviewed by Michael Saboff.
1731
1732         * stress/web-assembly-link-error-exception-check.js: Added.
1733
1734 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
1735
1736         Skip tests running out of memory on ARM/MIPS
1737         https://bugs.webkit.org/show_bug.cgi?id=196131
1738
1739         Unreviewed. Skip test if memory is limited.
1740
1741         * microbenchmarks/put-by-val-direct-large-index.js:
1742
1743 2019-03-21  Mark Lam  <mark.lam@apple.com>
1744
1745         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
1746         https://bugs.webkit.org/show_bug.cgi?id=196116
1747         <rdar://problem/48976951>
1748
1749         Reviewed by Filip Pizlo.
1750
1751         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
1752
1753 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
1754
1755         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
1756         https://bugs.webkit.org/show_bug.cgi?id=196078
1757         <rdar://problem/35925380>
1758
1759         Reviewed by Mark Lam.
1760
1761         Add a new benchmark that allocates several objects and invokes put_by_val_direct
1762         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
1763
1764         * microbenchmarks/put-by-val-direct-large-index.js: Added.
1765
1766 2019-03-21  Mark Lam  <mark.lam@apple.com>
1767
1768         Placate exception check validation in operationArrayIndexOfString().
1769         https://bugs.webkit.org/show_bug.cgi?id=196067
1770         <rdar://problem/49056572>
1771
1772         Reviewed by Michael Saboff.
1773
1774         * stress/string-equal-exception-check.js: Added.
1775
1776 2019-03-21  Mark Lam  <mark.lam@apple.com>
1777
1778         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
1779         https://bugs.webkit.org/show_bug.cgi?id=196055
1780         <rdar://problem/49067448>
1781
1782         Reviewed by Yusuke Suzuki.
1783
1784         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
1785
1786 2019-03-20  Saam Barati  <sbarati@apple.com>
1787
1788         typeOfDoubleSum is wrong for when NaN can be produced
1789         https://bugs.webkit.org/show_bug.cgi?id=196030
1790
1791         Reviewed by Filip Pizlo.
1792
1793         * stress/double-add-sub-mul-can-produce-nan.js: Added.
1794         (assert):
1795         (noInline.sub):
1796         (noInline):
1797         (assert.mul):
1798         (assert.add):
1799
1800 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
1801
1802         Update the test to ensure OutOfMemoryError is thrown as intended
1803         https://bugs.webkit.org/show_bug.cgi?id=196032
1804         <rdar://problem/46842740>
1805
1806         Rubber stamped by Saam Barati.
1807
1808         * stress/create-error-out-of-memory-rope-string.js:
1809         (assert):
1810         (catch):
1811
1812 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
1813
1814         JSC::createError needs to check for OOM in errorDescriptionForValue
1815         https://bugs.webkit.org/show_bug.cgi?id=196032
1816         <rdar://problem/46842740>
1817
1818         Reviewed by Mark Lam.
1819
1820         * stress/create-error-out-of-memory-rope-string.js: Added.
1821
1822 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
1823
1824         Unreviewed, reduce # of iterations to avoid timing out after r242991
1825         https://bugs.webkit.org/show_bug.cgi?id=195791
1826
1827         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
1828
1829         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1830
1831 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1832
1833         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
1834         https://bugs.webkit.org/show_bug.cgi?id=195950
1835
1836         Unreviewed, reducing the amount of memory used on this test to avoid
1837         OOM on devices with memory restrictions.
1838
1839         * microbenchmarks/generate-multiple-llint-entrypoints.js:
1840
1841 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
1842
1843         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
1844         https://bugs.webkit.org/show_bug.cgi?id=194648
1845
1846         Reviewed by Keith Miller.
1847
1848         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
1849
1850 2019-03-18  Mark Lam  <mark.lam@apple.com>
1851
1852         Missing a ThrowScope release in JSObject::toString().
1853         https://bugs.webkit.org/show_bug.cgi?id=195893
1854         <rdar://problem/48970986>
1855
1856         Reviewed by Michael Saboff.
1857
1858         * stress/to-string-exception-check-release.js: Added.
1859
1860 2019-03-18  Mark Lam  <mark.lam@apple.com>
1861
1862         Structure::flattenDictionary() should clear unused property slots.
1863         https://bugs.webkit.org/show_bug.cgi?id=195871
1864         <rdar://problem/48959497>
1865
1866         Reviewed by Michael Saboff.
1867
1868         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
1869
1870 2019-03-15  Mark Lam  <mark.lam@apple.com>
1871
1872         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
1873         https://bugs.webkit.org/show_bug.cgi?id=195827
1874         <rdar://problem/48845513>
1875
1876         Reviewed by Filip Pizlo.
1877
1878         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
1879
1880 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
1881
1882         [ARM,MIPS] Skip slow tests
1883         https://bugs.webkit.org/show_bug.cgi?id=195799
1884
1885         Unreviewed, test does not finish on ARM and MIPS within the
1886         timeout limit.
1887
1888         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
1889
1890 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
1891
1892         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
1893         https://bugs.webkit.org/show_bug.cgi?id=195791
1894         <rdar://problem/48806130>
1895
1896         Reviewed by Mark Lam.
1897
1898         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
1899         (foo):
1900
1901 2019-03-14  Saam barati  <sbarati@apple.com>
1902
1903         We can't remove code after ForceOSRExit until after FixupPhase
1904         https://bugs.webkit.org/show_bug.cgi?id=186916
1905         <rdar://problem/41396612>
1906
1907         Reviewed by Yusuke Suzuki.
1908
1909         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
1910         (foo):
1911         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1912         (foo):
1913
1914 2019-03-13  Michael Saboff  <msaboff@apple.com>
1915
1916         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
1917         https://bugs.webkit.org/show_bug.cgi?id=195735
1918
1919         Reviewed by Mark Lam.
1920
1921         New regression test.
1922
1923         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
1924         (foo):
1925         (bar):
1926
1927 2019-03-14  Saam barati  <sbarati@apple.com>
1928
1929         Fixup uses KnownInt32 incorrectly in some nodes
1930         https://bugs.webkit.org/show_bug.cgi?id=195279
1931         <rdar://problem/47915654>
1932
1933         Reviewed by Yusuke Suzuki.
1934
1935         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
1936         (foo):
1937
1938 2019-03-14  Keith Miller  <keith_miller@apple.com>
1939
1940         DFG liveness can't skip tail caller inline frames
1941         https://bugs.webkit.org/show_bug.cgi?id=195715
1942
1943         Reviewed by Saam Barati.
1944
1945         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
1946         (i.foo):
1947
1948 2019-03-13  Mark Lam  <mark.lam@apple.com>
1949
1950         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
1951         https://bugs.webkit.org/show_bug.cgi?id=195415
1952
1953         Not reviewed.
1954
1955         Changed these tests to only run the default configuration.
1956         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
1957         There's no strong need to run this test on that variant.
1958
1959         * stress/dfg-to-string-on-int-does-gc.js:
1960         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
1961
1962 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
1963
1964         String overflow when using StringBuilder in JSC::createError
1965         https://bugs.webkit.org/show_bug.cgi?id=194957
1966
1967         Reviewed by Mark Lam.
1968
1969         Add test string-overflow-createError-builder.js that overflows
1970         StringBuilder in notAFunctionSourceAppender. The second new test
1971         string-overflow-createError-fit.js has an error message that doesn't
1972         overflow, it still failed since the String's capacity can't be doubled.
1973         Run test string-overflow-createError.js only in the default
1974         configuration to reduce memory consumption when running the test
1975         in all configurations on multiple CPUs in parallel.
1976
1977         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
1978         (catch):
1979         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
1980         (catch):
1981         * stress/string-overflow-createError.js:
1982
1983 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
1984
1985         [JSC] OSR entry should respect abstract values in addition to flush formats
1986         https://bugs.webkit.org/show_bug.cgi?id=195653
1987
1988         Reviewed by Mark Lam.
1989
1990         * stress/osr-entry-locals-none.js: Added.
1991
1992 2019-03-12  Michael Saboff  <msaboff@apple.com>
1993
1994         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
1995         https://bugs.webkit.org/show_bug.cgi?id=195613
1996
1997         Reviewed by Mark Lam.
1998
1999         New regression test.
2000
2001         * stress/regexp-backref-inbounds.js: Added.
2002         (testRegExp):
2003
2004 2019-03-12  Mark Lam  <mark.lam@apple.com>
2005
2006         The HasIndexedProperty node does GC.
2007         https://bugs.webkit.org/show_bug.cgi?id=195559
2008         <rdar://problem/48767923>
2009
2010         Reviewed by Yusuke Suzuki.
2011
2012         * stress/HasIndexedProperty-does-gc.js: Added.
2013
2014 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
2015
2016         [ESNext][BigInt] Implement "~" unary operation
2017         https://bugs.webkit.org/show_bug.cgi?id=182216
2018
2019         Reviewed by Keith Miller.
2020
2021         * stress/big-int-bit-not-general.js: Added.
2022         * stress/big-int-bitwise-not-jit.js: Added.
2023         * stress/big-int-bitwise-not-wrapped-value.js: Added.
2024         * stress/bit-op-with-object-returning-int32.js:
2025         * stress/bitwise-not-fixup-rules.js: Added.
2026         * stress/value-bit-not-ai-rule.js: Added.
2027
2028 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
2029
2030         Invalid flags in a RegExp literal should be an early SyntaxError
2031         https://bugs.webkit.org/show_bug.cgi?id=195514
2032
2033         Reviewed by Darin Adler.
2034
2035         * test262/expectations.yaml:
2036         Mark 4 test cases as passing.
2037
2038         * stress/regexp-syntax-error-invalid-flags.js:
2039         * stress/regress-161995.js: Removed.
2040         Update existing test, merging in an older test for the same behavior.
2041
2042 2019-03-08  Mark Lam  <mark.lam@apple.com>
2043
2044         Stack overflow crash in JSC::JSObject::hasInstance.
2045         https://bugs.webkit.org/show_bug.cgi?id=195458
2046         <rdar://problem/48710195>
2047
2048         Reviewed by Yusuke Suzuki.
2049
2050         * stress/stack-overflow-in-custom-hasInstance.js: Added.
2051
2052 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
2053
2054         op_check_tdz does not def its argument
2055         https://bugs.webkit.org/show_bug.cgi?id=192880
2056         <rdar://problem/46221598>
2057
2058         Reviewed by Saam Barati.
2059
2060         * microbenchmarks/let-for-in.js: Added.
2061         (foo):
2062
2063 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
2064
2065         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
2066         https://bugs.webkit.org/show_bug.cgi?id=195429
2067
2068         Reviewed by Saam Barati.
2069
2070         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
2071         (foo):
2072         * stress/string-from-char-code-255.js: Added.
2073
2074 2019-03-06  Mark Lam  <mark.lam@apple.com>
2075
2076         Fix incorrect handling of try-finally completion values.
2077         https://bugs.webkit.org/show_bug.cgi?id=195131
2078         <rdar://problem/46222079>
2079
2080         Reviewed by Saam Barati and Yusuke Suzuki.
2081
2082         Added many permutations of new test case to test-finally.js.  test-finally.js has
2083         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
2084         tests pass there as well.
2085
2086         * stress/test-finally.js:
2087
2088 2019-03-06  Saam Barati  <sbarati@apple.com>
2089
2090         Air::reportUsedRegisters must padInterference
2091         https://bugs.webkit.org/show_bug.cgi?id=195303
2092         <rdar://problem/48270343>
2093
2094         Reviewed by Keith Miller.
2095
2096         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
2097
2098 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
2099
2100         [JSC] AI should not propagate AbstractValue relying on constant folding phase
2101         https://bugs.webkit.org/show_bug.cgi?id=195375
2102
2103         Reviewed by Saam Barati.
2104
2105         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
2106         (let.array):
2107
2108 2019-03-05  Saam barati  <sbarati@apple.com>
2109
2110         op_switch_char broken for rope strings after JSRopeString layout rewrite
2111         https://bugs.webkit.org/show_bug.cgi?id=195339
2112         <rdar://problem/48592545>
2113
2114         Reviewed by Yusuke Suzuki.
2115
2116         * stress/switch-on-char-llint-rope.js: Added.
2117
2118 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
2119
2120         [JSC] Store bits for JSRopeString in 3 stores
2121         https://bugs.webkit.org/show_bug.cgi?id=195234
2122
2123         Reviewed by Saam Barati.
2124
2125         * stress/null-rope-and-collectors.js: Added.
2126
2127 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
2128
2129         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
2130         https://bugs.webkit.org/show_bug.cgi?id=195207
2131
2132         Unreviewed. After test runtime was reduced in r242213, test can be
2133         run again on ARM/MIPS.
2134
2135         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2136
2137 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2138
2139         [JSC] sizeof(JSString) should be 16
2140         https://bugs.webkit.org/show_bug.cgi?id=194375
2141
2142         Reviewed by Saam Barati.
2143
2144         * microbenchmarks/make-rope.js: Added.
2145         (makeRope):
2146         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
2147         (returnRope.helper): Deleted.
2148         (returnRope): Deleted.
2149
2150 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2151
2152         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
2153         https://bugs.webkit.org/show_bug.cgi?id=195144
2154
2155         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
2156         Change the number from 1e8 to 1e5.
2157
2158         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2159         (foo):
2160
2161 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
2162
2163         Test times out on ARM/MIPS
2164         https://bugs.webkit.org/show_bug.cgi?id=195168
2165
2166         Unreviewed. Skip test on ARM/MIPS.
2167
2168         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2169
2170 2019-02-27  Mark Lam  <mark.lam@apple.com>
2171
2172         The parser is failing to record the token location of new in new.target.
2173         https://bugs.webkit.org/show_bug.cgi?id=195127
2174         <rdar://problem/39645578>
2175
2176         Reviewed by Yusuke Suzuki.
2177
2178         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
2179
2180 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
2181
2182         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
2183         https://bugs.webkit.org/show_bug.cgi?id=195144
2184         <rdar://problem/47595961>
2185
2186         Reviewed by Mark Lam.
2187
2188         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
2189         (bar):
2190         (foo):
2191         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
2192         (bar):
2193         (foo):
2194
2195 2019-02-27  Robin Morisset  <rmorisset@apple.com>
2196
2197         DFG: Loop-invariant code motion (LICM) should not hoist dead code
2198         https://bugs.webkit.org/show_bug.cgi?id=194945
2199         <rdar://problem/48311657>
2200
2201         Reviewed by Mark Lam.
2202
2203         * stress/licm-dead-code.js: Added.
2204
2205 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
2206
2207         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
2208         https://bugs.webkit.org/show_bug.cgi?id=194677
2209         <rdar://problem/48112492>
2210
2211         Reviewed by Mark Lam.
2212
2213         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
2214         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
2215         it immediately fails due to the large size.
2216
2217         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
2218         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
2219         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
2220         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
2221
2222         This patch changes the test to produce 16bit string from String.fromCharCode.
2223
2224         * stress/regress-178386.js:
2225
2226 2019-02-26  Mark Lam  <mark.lam@apple.com>
2227
2228         wasmToJS() should purify incoming NaNs.
2229         https://bugs.webkit.org/show_bug.cgi?id=194807
2230         <rdar://problem/48189132>
2231
2232         Reviewed by Saam Barati.
2233
2234         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
2235
2236 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
2237
2238         [JSC] Repeat string created from Array.prototype.join() take too much memory
2239         https://bugs.webkit.org/show_bug.cgi?id=193912
2240
2241         Reviewed by Saam Barati.
2242
2243         Added a test and a microbenchmark for corner cases of
2244         Array.prototype.join() with an uninitialized array.
2245
2246         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
2247         * stress/array-prototype-join-uninitialized.js: Added.
2248         (testArray):
2249         (testABC):
2250         (B):
2251         (C):
2252
2253 2019-02-22  Robin Morisset  <rmorisset@apple.com>
2254
2255         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
2256         https://bugs.webkit.org/show_bug.cgi?id=194953
2257         <rdar://problem/47595253>
2258
2259         Reviewed by Saam Barati.
2260
2261         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
2262
2263         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
2264
2265 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2266
2267         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2268         https://bugs.webkit.org/show_bug.cgi?id=172848
2269         <rdar://problem/25709212>
2270
2271         Reviewed by Mark Lam.
2272
2273         * typeProfiler/inheritance.js:
2274         Rewrite the test slightly for clarity. The hoisting was confusing.
2275
2276         * heapProfiler/class-names.js: Added.
2277         (MyES5Class):
2278         (MyES6Class):
2279         (MyES6Subclass):
2280         Test object types and improved class names.
2281
2282         * heapProfiler/driver/driver.js:
2283         (CheapHeapSnapshotNode):
2284         (CheapHeapSnapshot):
2285         (createCheapHeapSnapshot):
2286         (HeapSnapshot):
2287         (createHeapSnapshot):
2288         Update snapshot parsing from version 1 to version 2.
2289
2290 2019-02-19  Truitt Savell  <tsavell@apple.com>
2291
2292         Unreviewed, rolling out r241784.
2293
2294         Broke all OpenSource builds.
2295
2296         Reverted changeset:
2297
2298         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
2299         instances view"
2300         https://bugs.webkit.org/show_bug.cgi?id=172848
2301         https://trac.webkit.org/changeset/241784
2302
2303 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2304
2305         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2306         https://bugs.webkit.org/show_bug.cgi?id=172848
2307         <rdar://problem/25709212>
2308
2309         Reviewed by Mark Lam.
2310
2311         * typeProfiler/inheritance.js:
2312         Rewrite the test slightly for clarity. The hoisting was confusing.
2313
2314         * heapProfiler/class-names.js: Added.
2315         (MyES5Class):
2316         (MyES6Class):
2317         (MyES6Subclass):
2318         Test object types and improved class names.
2319
2320         * heapProfiler/driver/driver.js:
2321         (CheapHeapSnapshotNode):
2322         (CheapHeapSnapshot):
2323         (createCheapHeapSnapshot):
2324         (HeapSnapshot):
2325         (createHeapSnapshot):
2326         Update snapshot parsing from version 1 to version 2.
2327
2328 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
2329
2330         [ARM] Fix crash with sampling profiler
2331         https://bugs.webkit.org/show_bug.cgi?id=194772
2332
2333         Reviewed by Mark Lam.
2334
2335         Do not skip test since crash with sampling profiler is now fixed.
2336
2337         * stress/sampling-profiler-richards.js:
2338
2339 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
2340
2341         [JSC] Add LazyClassStructure::getInitializedOnMainThread
2342         https://bugs.webkit.org/show_bug.cgi?id=194784
2343         <rdar://problem/48154820>
2344
2345         Reviewed by Mark Lam.
2346
2347         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
2348         (getProperties):
2349         (getRandomProperty):
2350         (i.catch):
2351
2352 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
2353
2354         [ARM] Test gardening: Test running out of executable memory
2355         https://bugs.webkit.org/show_bug.cgi?id=194771
2356
2357         Unreviewed. Do not run test without LLInt, test is running out of executable
2358         memory on ARM otherwise.
2359
2360         * stress/tagged-template-object-collect.js:
2361
2362 2019-02-18  Tomas Popela  <tpopela@redhat.com>
2363
2364         Unreviewed, skip the test on platforms without sampling profiler
2365
2366         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
2367         (platformSupportsSamplingProfiler.foo):
2368         (platformSupportsSamplingProfiler.test):
2369         (platformSupportsSamplingProfiler):
2370         (foo): Deleted.
2371         (test): Deleted.
2372
2373 2019-02-17  Saam Barati  <sbarati@apple.com>
2374
2375         Deadlock when adding a Structure property transition and then doing incremental marking
2376         https://bugs.webkit.org/show_bug.cgi?id=194767
2377
2378         Reviewed by Mark Lam.
2379
2380         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
2381
2382 2019-02-15  Michael Saboff  <msaboff@apple.com>
2383
2384         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
2385         https://bugs.webkit.org/show_bug.cgi?id=194558
2386
2387         Reviewed by Saam Barati.
2388
2389         New regression test.
2390
2391         * stress/regexp-unicode-within-string.js: Added.
2392
2393 2019-02-15  Mark Lam  <mark.lam@apple.com>
2394
2395         SamplingProfiler::stackTracesAsJSON() should escape strings.
2396         https://bugs.webkit.org/show_bug.cgi?id=194649
2397         <rdar://problem/48072386>
2398
2399         Reviewed by Saam Barati.
2400
2401         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
2402         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
2403         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
2404         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
2405
2406 2019-02-15  Robin Morisset  <rmorisset@apple.com>
2407         CodeBlock::jettison should clear related watchpoints
2408         https://bugs.webkit.org/show_bug.cgi?id=194544
2409
2410         Reviewed by Mark Lam.
2411
2412         * stress/regexp-replace-double-watchpoint.js: Added.
2413         (foo):
2414
2415 2019-02-15  Saam barati  <sbarati@apple.com>
2416
2417         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
2418         https://bugs.webkit.org/show_bug.cgi?id=194036
2419
2420         Reviewed by Yusuke Suzuki.
2421
2422         * stress/tail-call-many-arguments.js: Added.
2423         (foo):
2424         (bar):
2425
2426 2019-02-14  Saam Barati  <sbarati@apple.com>
2427
2428         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
2429         https://bugs.webkit.org/show_bug.cgi?id=194583
2430         <rdar://problem/48028140>
2431
2432         Reviewed by Yusuke Suzuki.
2433
2434         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
2435
2436 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
2437
2438         [JSC] String.fromCharCode's slow path always generates 16bit string
2439         https://bugs.webkit.org/show_bug.cgi?id=194466
2440
2441         Reviewed by Keith Miller.
2442
2443         * stress/string-from-char-code-slow-path.js: Added.
2444         (shouldBe):
2445         (testWithLength):
2446
2447 2019-02-08  Saam barati  <sbarati@apple.com>
2448
2449         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
2450         https://bugs.webkit.org/show_bug.cgi?id=194334
2451         <rdar://problem/47844327>
2452
2453         Reviewed by Mark Lam.
2454
2455         * stress/check-in-bounds-should-be-a-child-use.js: Added.
2456         (func):
2457
2458 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
2459
2460         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
2461         https://bugs.webkit.org/show_bug.cgi?id=194369
2462         <rdar://problem/47813087>
2463
2464         Reviewed by Saam Barati.
2465
2466         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
2467         (A):
2468
2469 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
2470
2471         [JSC] PrivateName to PublicName hash table is wasteful
2472         https://bugs.webkit.org/show_bug.cgi?id=194277
2473
2474         Reviewed by Michael Saboff.
2475
2476         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
2477
2478         * ChakraCore.yaml:
2479
2480 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
2481
2482         [ARM] Test running out of executable memory
2483         https://bugs.webkit.org/show_bug.cgi?id=194285
2484
2485         Unreviewed. Do not execute test with LLInt disabled, test runs out of
2486         executable memory otherwise.
2487
2488         * stress/class-subclassing-function.js:
2489
2490 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2491
2492         when lowering AssertNotEmpty, create the value before creating the patchpoint
2493         https://bugs.webkit.org/show_bug.cgi?id=194231
2494
2495         Reviewed by Saam Barati.
2496
2497         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
2498         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
2499         So even tiny changes to this test can change the path code taken.
2500
2501         * stress/assert-not-empty.js: Added.
2502         (foo):
2503
2504 2019-02-01  Mark Lam  <mark.lam@apple.com>
2505
2506         Remove invalid assertion in DFG's compileDoubleRep().
2507         https://bugs.webkit.org/show_bug.cgi?id=194130
2508         <rdar://problem/47699474>
2509
2510         Reviewed by Saam Barati.
2511
2512         * stress/constant-fold-double-rep-into-double-constant.js: Added.
2513
2514 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
2515
2516         Import latest Test262 updates.
2517
2518         Rubber-stamped by Keith Miller.
2519
2520         * test262.yaml: Deleted.
2521         * test262/config.yaml:
2522         * test262/expectations.yaml:
2523         * test262/latest-changes-summary.txt:
2524         * test262/test/:
2525         * test262/test262-Revision.txt:
2526
2527 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2528
2529         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2530         https://bugs.webkit.org/show_bug.cgi?id=194050
2531         <rdar://problem/47595592>
2532
2533         Reviewed by Yusuke Suzuki.
2534
2535         * stress/object-keys-osr-exit.js: Added.
2536         (foo):
2537         (catch):
2538
2539 2019-01-29  Mark Lam  <mark.lam@apple.com>
2540
2541         ValueRecovery::recover() should purify NaN values it recovers.
2542         https://bugs.webkit.org/show_bug.cgi?id=193978
2543         <rdar://problem/47625488>
2544
2545         Reviewed by Saam Barati.
2546
2547         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
2548
2549 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2550
2551         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
2552         https://bugs.webkit.org/show_bug.cgi?id=193713
2553
2554         * stress/try-get-by-id-should-spill-registers-dfg.js:
2555         (let.f.createBuiltin):
2556
2557 2019-01-28  Mark Lam  <mark.lam@apple.com>
2558
2559         ToString node actually does GC.
2560         https://bugs.webkit.org/show_bug.cgi?id=193920
2561         <rdar://problem/46695900>
2562
2563         Reviewed by Yusuke Suzuki.
2564
2565         * stress/dfg-to-string-on-int-does-gc.js: Added.
2566         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
2567         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
2568
2569 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
2570
2571         [JSC] NativeErrorConstructor should not have own IsoSubspace
2572         https://bugs.webkit.org/show_bug.cgi?id=193713
2573
2574         Reviewed by Saam Barati.
2575
2576         Remove @Error use.
2577
2578         * stress/try-get-by-id-should-spill-registers-dfg.js:
2579         (let.f.createBuiltin):
2580
2581 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
2582
2583         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
2584         https://bugs.webkit.org/show_bug.cgi?id=190693
2585
2586         Reviewed by Michael Saboff.
2587
2588         * stress/regress-190693.js: Added.
2589         (truth):
2590         (assert):
2591         (shouldThrowInvalidConstAssignment):
2592         (taz):
2593
2594 2019-01-24  Saam Barati  <sbarati@apple.com>
2595
2596         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
2597         https://bugs.webkit.org/show_bug.cgi?id=193751
2598         <rdar://problem/47280215>
2599
2600         Reviewed by Michael Saboff.
2601
2602         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
2603         (let.thing):
2604         (foo.let.hello):
2605         (foo):
2606
2607 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
2608
2609         [JSC] Reenable baseline JIT on mips
2610         https://bugs.webkit.org/show_bug.cgi?id=192983
2611
2612         Reviewed by Mark Lam.
2613
2614         Added a new test for a case that was triggering a RELEASE_ASSERT when
2615         testing.
2616         Disable some slow tests that were already disabled for arm and x86.
2617
2618         * stress/json-parse-big-object.js: Added.
2619         * stress/new-largeish-contiguous-array-with-size.js:
2620         * stress/op_add.js:
2621         * stress/op_bitand.js:
2622         * stress/op_bitor.js:
2623         * stress/op_bitxor.js:
2624         * stress/op_lshift-ConstVar.js:
2625         * stress/op_lshift-VarConst.js:
2626         * stress/op_lshift-VarVar.js:
2627         * stress/op_mod-ConstVar.js:
2628         * stress/op_mod-VarConst.js:
2629         * stress/op_mod-VarVar.js:
2630         * stress/op_mul-ConstVar.js:
2631         * stress/op_mul-VarConst.js:
2632         * stress/op_mul-VarVar.js:
2633         * stress/op_rshift-ConstVar.js:
2634         * stress/op_rshift-VarConst.js:
2635         * stress/op_rshift-VarVar.js:
2636         * stress/op_sub-ConstVar.js:
2637         * stress/op_sub-VarConst.js:
2638         * stress/op_sub-VarVar.js:
2639         * stress/op_urshift-ConstVar.js:
2640         * stress/op_urshift-VarConst.js:
2641         * stress/op_urshift-VarVar.js:
2642         * stress/sampling-profiler-richards.js:
2643         * stress/spread-forward-call-varargs-stack-overflow.js:
2644
2645 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
2646
2647         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
2648         https://bugs.webkit.org/show_bug.cgi?id=193711
2649         <rdar://problem/47250262>
2650
2651         Reviewed by Saam Barati.
2652
2653         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
2654         (shouldBe):
2655         (foo):
2656         (bar):
2657         (baz):
2658
2659 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2660
2661         Unreviewed, fix initial global lexical binding epoch
2662         https://bugs.webkit.org/show_bug.cgi?id=193603
2663         <rdar://problem/47380869>
2664
2665         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
2666         (f1.f2.f3.f4):
2667         (f1.f2.f3):
2668         (f1.f2):
2669         (f1):
2670
2671 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2672
2673         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
2674         https://bugs.webkit.org/show_bug.cgi?id=193709
2675         <rdar://problem/47363838>
2676
2677         Unreviewed, rollout to watch the tests.
2678
2679         * stress/object-tostring-changed-proto.js: Removed.
2680         * stress/object-tostring-changed.js: Removed.
2681         * stress/object-tostring-misc.js: Removed.
2682         * stress/object-tostring-other.js: Removed.
2683         * stress/object-tostring-untyped.js: Removed.
2684
2685 2019-01-22  Saam Barati  <sbarati@apple.com>
2686
2687         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
2688
2689         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
2690         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
2691         (testUncheckedLessThanZero):
2692         (testUncheckedLessThanOrEqualZero):
2693         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
2694         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
2695
2696 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2697
2698         [JSC] Invalidate old scope operations using global lexical binding epoch
2699         https://bugs.webkit.org/show_bug.cgi?id=193603
2700         <rdar://problem/47380869>
2701
2702         Reviewed by Saam Barati.
2703
2704         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2705         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
2706         (shouldThrow):
2707         (bar):
2708         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
2709         (shouldBe):
2710         (get1):
2711         (get2):
2712         (get1If):
2713         (get2If):
2714         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
2715         (shouldThrow):
2716         (foo):
2717
2718 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
2719
2720         Unreviewed, roll out r240220 due to date-format-xparb regression
2721         https://bugs.webkit.org/show_bug.cgi?id=193603
2722
2723         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2724         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
2725         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
2726         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
2727
2728 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
2729
2730         DoesGC rule is wrong for nodes with BigIntUse
2731         https://bugs.webkit.org/show_bug.cgi?id=193652
2732
2733         Reviewed by Saam Barati.
2734
2735         * stress/big-int-value-op-update-gc-rules.js: Added.
2736         (assert):
2737         (doesGCAdd):
2738         (doesGCSub):
2739         (doesGCDiv):
2740         (doesGCMul):
2741         (doesGCBitAnd):
2742         (doesGCBitOr):
2743         (doesGCBitXor):
2744
2745 2019-01-20  Saam Barati  <sbarati@apple.com>
2746
2747         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
2748         https://bugs.webkit.org/show_bug.cgi?id=193644
2749         <rdar://problem/46209745>
2750
2751         Reviewed by Yusuke Suzuki.
2752
2753         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
2754         (foo):
2755         * stress/data-view-set-intrinsic-undefined-result.js: Added.
2756         (foo):
2757         (bar):
2758
2759 2019-01-20  Saam Barati  <sbarati@apple.com>
2760
2761         MovHint must merge NodeBytecodeUsesAsValue for its child
2762         https://bugs.webkit.org/show_bug.cgi?id=186916
2763         <rdar://problem/41396612>
2764
2765         Reviewed by Yusuke Suzuki.
2766
2767         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
2768         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
2769
2770 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
2771
2772         [JSC] Invalidate old scope operations using global lexical binding epoch
2773         https://bugs.webkit.org/show_bug.cgi?id=193603
2774         <rdar://problem/47380869>
2775
2776         Reviewed by Saam Barati.
2777
2778         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
2779         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
2780         (shouldThrow):
2781         (bar):
2782         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
2783         (shouldBe):
2784         (get1):
2785         (get2):
2786         (get1If):
2787         (get2If):
2788         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
2789         (shouldThrow):
2790         (foo):
2791
2792 2019-01-17  Saam barati  <sbarati@apple.com>
2793
2794         StringObjectUse should not be a structure check for the original string object structure
2795         https://bugs.webkit.org/show_bug.cgi?id=193483
2796         <rdar://problem/47280522>
2797
2798         Reviewed by Yusuke Suzuki.
2799
2800         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
2801         (foo):
2802         (a.valueOf.0):
2803
2804 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2805
2806         [JSC] ToThis omission in DFGByteCodeParser is wrong
2807         https://bugs.webkit.org/show_bug.cgi?id=193513
2808         <rdar://problem/45842236>
2809
2810         Reviewed by Saam Barati.
2811
2812         * stress/to-this-omission-with-different-strict-modes.js: Added.
2813         (thisA):
2814         (thisAStrictWrapper):
2815
2816 2019-01-15  Mark Lam  <mark.lam@apple.com>
2817
2818         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2819         https://bugs.webkit.org/show_bug.cgi?id=193423
2820         <rdar://problem/46209355>
2821
2822         Reviewed by Saam Barati.
2823
2824         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
2825         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
2826         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
2827         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
2828
2829 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2830
2831         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
2832         https://bugs.webkit.org/show_bug.cgi?id=193438
2833         <rdar://problem/45581249>
2834
2835         Reviewed by Saam Barati and Keith Miller.
2836
2837         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
2838         Then, GetByVal(String) crashed.
2839
2840         * stress/string-get-by-val-lowering.js: Added.
2841         (shouldBe):
2842         (test):
2843         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
2844         (Hello):
2845         (foo):
2846
2847 2019-01-15  Tomas Popela  <tpopela@redhat.com>
2848
2849         Unreviewed, skip JIT tests if it's not enabled
2850
2851         * stress/bit-op-with-object-returning-int32.js:
2852
2853 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
2854
2855         DFGByteCodeParser rules for bitwise operations should consider type of their operands
2856         https://bugs.webkit.org/show_bug.cgi?id=192966
2857
2858         Reviewed by Yusuke Suzuki.
2859
2860         * stress/bit-op-with-object-returning-int32.js: Added.
2861
2862 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
2863
2864         Skip a slow test and a flakey test on arm
2865
2866         Unreviewed gardening.
2867
2868         * typeProfiler/getter-richards.js:
2869         This test always times out; it used to be always skipped on arm and
2870         mips, but got accidentally enabled by r237919 now that we have DFG on
2871         arm. Also skipping on mips as we plan to soon enable DFG for it too.
2872
2873 2019-01-14  Keith Miller  <keith_miller@apple.com>
2874
2875         Skip type-check-hoisting-phase-hoist... with no jit
2876         https://bugs.webkit.org/show_bug.cgi?id=193421
2877
2878         Reviewed by Mark Lam.
2879
2880         It's timing out the 32-bit bots and takes 330 seconds
2881         on my machine when run by itself.
2882
2883         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
2884
2885 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2886
2887         [JSC] AI should check the given constant's array type when folding GetByVal into constant
2888         https://bugs.webkit.org/show_bug.cgi?id=193413
2889         <rdar://problem/46092389>
2890
2891         Reviewed by Keith Miller.
2892
2893         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
2894         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
2895         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
2896         but GetByVal does not have appropriate ArrayModes, JSC crashes.
2897
2898         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
2899         (compareArray):
2900
2901 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
2902
2903         [BigInt] Literal parsing is crashing when used inside a Object Literal
2904         https://bugs.webkit.org/show_bug.cgi?id=193404
2905
2906         Reviewed by Yusuke Suzuki.
2907
2908         * stress/big-int-literal-inside-literal-object.js: Added.
2909
2910 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2911
2912         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
2913         https://bugs.webkit.org/show_bug.cgi?id=193372
2914
2915         Reviewed by Saam Barati.
2916
2917         * stress/typed-array-array-modes-profile.js: Added.
2918         (foo):
2919
2920 2019-01-14  Mark Lam  <mark.lam@apple.com>
2921
2922         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
2923         https://bugs.webkit.org/show_bug.cgi?id=193402
2924         <rdar://problem/46012309>
2925
2926         Reviewed by Keith Miller.
2927
2928         * stress/regexp-compile-oom.js:
2929         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
2930           is enabled.  As a result, it will fail on cloop builds though there is no bug.
2931
2932 2019-01-11  Saam barati  <sbarati@apple.com>
2933
2934         DFG combined liveness can be wrong for terminal basic blocks
2935         https://bugs.webkit.org/show_bug.cgi?id=193304
2936         <rdar://problem/45268632>
2937
2938         Reviewed by Yusuke Suzuki.
2939
2940         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
2941
2942 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2943
2944         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
2945         https://bugs.webkit.org/show_bug.cgi?id=193308
2946         <rdar://problem/45546542>
2947
2948         Reviewed by Saam Barati.
2949
2950         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2951         (shouldThrow):
2952         (shouldBe):
2953         (foo):
2954         (get shouldThrow):
2955         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2956         (shouldThrow):
2957         (shouldBe):
2958         (foo):
2959         (get shouldBe):
2960         (get shouldThrow):
2961         (get return):
2962         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2963         (shouldThrow):
2964         (shouldBe):
2965         (foo):
2966         (get shouldBe):
2967         (get shouldThrow):
2968         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
2969         (shouldThrow):
2970         (shouldBe):
2971         (foo):
2972         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2973         (shouldThrow):
2974         (shouldBe):
2975         (foo):
2976         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
2977         (shouldThrow):
2978         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
2979         (shouldThrow):
2980         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2981         (shouldThrow):
2982         (shouldBe):
2983         (foo):
2984         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2985         (shouldThrow):
2986         (shouldBe):
2987         (foo):
2988         (get shouldBe):
2989         (get shouldThrow):
2990         (get return):
2991         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2992         (shouldThrow):
2993         (shouldBe):
2994         (foo):
2995         (get shouldBe):
2996         (get shouldThrow):
2997         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
2998         (shouldThrow):
2999         (shouldBe):
3000         (foo):
3001         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
3002         (shouldThrow):
3003         (shouldBe):
3004         (foo):
3005
3006 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
3007
3008         Enable DFG on ARM/Linux again
3009         https://bugs.webkit.org/show_bug.cgi?id=192496
3010
3011         Reviewed by Yusuke Suzuki.
3012
3013         Test wasn't really skipped before moving the line with skip
3014         to the top.
3015
3016         * stress/regress-192717.js:
3017
3018 2019-01-10  Commit Queue  <commit-queue@webkit.org>
3019
3020         Unreviewed, rolling out r239825.
3021         https://bugs.webkit.org/show_bug.cgi?id=193330
3022
3023         Broke tests on armv7/linux bots (Requested by guijemont on
3024         #webkit).
3025
3026         Reverted changeset:
3027
3028         "Enable DFG on ARM/Linux again"
3029         https://bugs.webkit.org/show_bug.cgi?id=192496
3030         https://trac.webkit.org/changeset/239825
3031
3032 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
3033
3034         Enable DFG on ARM/Linux again
3035         https://bugs.webkit.org/show_bug.cgi?id=192496
3036
3037         Reviewed by Yusuke Suzuki.
3038
3039         Test wasn't really skipped before moving the line with skip
3040         to the top.
3041
3042         * stress/regress-192717.js:
3043
3044 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3045
3046         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
3047         https://bugs.webkit.org/show_bug.cgi?id=193127
3048
3049         Reviewed by Saam Barati.
3050
3051         * stress/array-species-create-should-handle-masquerader.js: Added.
3052         (shouldThrow):
3053         * stress/is-undefined-or-null-builtin.js: Added.
3054         (shouldBe):
3055         (isUndefinedOrNull.vm.createBuiltin):
3056
3057 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
3058
3059         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
3060         https://bugs.webkit.org/show_bug.cgi?id=193221
3061
3062         Reviewed by Mark Lam.
3063
3064         * stress/put-by-id-flags.js: Added.
3065         (f):
3066         (g):
3067         (numberOfDFGCompiles):
3068
3069 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
3070
3071         Baseline version of get_by_id may corrupt metadata
3072         https://bugs.webkit.org/show_bug.cgi?id=193085
3073         <rdar://problem/23453006>
3074
3075         Reviewed by Saam Barati.
3076
3077         * stress/get-by-id-change-mode.js: Added.
3078         (forEach):
3079
3080 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3081
3082         [JSC] Optimize Object.prototype.toString
3083         https://bugs.webkit.org/show_bug.cgi?id=193031
3084
3085         Reviewed by Saam Barati.
3086
3087         * stress/object-tostring-changed-proto.js: Added.
3088         (shouldBe):
3089         (test):
3090         * stress/object-tostring-changed.js: Added.
3091         (shouldBe):
3092         (test):
3093         * stress/object-tostring-misc.js: Added.
3094         (shouldBe):
3095         (test):
3096         (i.switch):
3097         * stress/object-tostring-other.js: Added.
3098         (shouldBe):
3099         (test):
3100         * stress/object-tostring-untyped.js: Added.
3101         (shouldBe):
3102         (test):
3103         (i.switch):
3104
3105 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
3106
3107         test262-runner misbehaves when test file YAML has a trailing space
3108         https://bugs.webkit.org/show_bug.cgi?id=193053
3109
3110         Reviewed by Yusuke Suzuki.
3111
3112         * test262/expectations.yaml:
3113         Mark two dozen tests as passing (and correct the output of another).
3114
3115 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3116
3117         Unreviewed, JSTests gardening with memoryLimited
3118
3119         * stress/string-overflow-createError.js:
3120
3121 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
3122
3123         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
3124         https://bugs.webkit.org/show_bug.cgi?id=193050
3125
3126         Reviewed by Yusuke Suzuki.
3127
3128         * test262.yaml:
3129         * test262/expectations.yaml:
3130         Mark 16 tests as passing.
3131
3132 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3133
3134         [BigInt] Support BigInt in JSON.stringify
3135         https://bugs.webkit.org/show_bug.cgi?id=192624
3136
3137         Reviewed by Saam Barati.
3138
3139         * stress/big-int-json-stringify-to-json.js: Added.
3140         (shouldBe):
3141         (shouldThrow):
3142         (BigInt.prototype.toJSON):
3143         (shouldBe.JSON.stringify):
3144         * stress/big-int-json-stringify.js: Added.
3145         (shouldBe):
3146         (shouldThrow):
3147
3148 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3149
3150         [JSC] Implement "well-formed JSON.stringify" proposal
3151         https://bugs.webkit.org/show_bug.cgi?id=191677
3152
3153         Reviewed by Darin Adler.
3154
3155         * stress/json-surrogate-pair.js: Added.
3156         (shouldBe):
3157         * test262/expectations.yaml:
3158
3159 2018-12-20  Keith Miller  <keith_miller@apple.com>
3160
3161         Add support for globalThis
3162         https://bugs.webkit.org/show_bug.cgi?id=165171
3163
3164         Reviewed by Mark Lam.
3165
3166         * test262/config.yaml:
3167
3168 2018-12-19  Keith Miller  <keith_miller@apple.com>
3169
3170         Update test262 configuration to not run tests dependent on ICU version.
3171         https://bugs.webkit.org/show_bug.cgi?id=192920
3172
3173         Reviewed by Saam Barati.
3174
3175         * test262/expectations.yaml:
3176
3177 2018-12-20  Mark Lam  <mark.lam@apple.com>
3178
3179         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
3180         https://bugs.webkit.org/show_bug.cgi?id=192939
3181         <rdar://problem/46869516>
3182
3183         Reviewed by Keith Miller.
3184
3185         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
3186
3187 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
3188
3189         WTF::String and StringImpl overflow MaxLength
3190         https://bugs.webkit.org/show_bug.cgi?id=192853
3191         <rdar://problem/45726906>
3192
3193         Reviewed by Mark Lam.
3194
3195         * stress/string-16bit-repeat-overflow.js: Added.
3196         (catch):
3197
3198 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
3199
3200         Unreviewed follow-up to r192914.
3201
3202         * test262/expectations.yaml:
3203         Add the last 20 missing expectations.
3204
3205 2018-12-19  Keith Miller  <keith_miller@apple.com>
3206
3207         Fix test262 expectations
3208         https://bugs.webkit.org/show_bug.cgi?id=192914
3209
3210         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
3211
3212         * test262/expectations.yaml:
3213
3214 2018-12-19  Keith Miller  <keith_miller@apple.com>
3215
3216         Update test262 tests.
3217         https://bugs.webkit.org/show_bug.cgi?id=192907
3218
3219         Rubber stamped by Mark Lam.
3220
3221         * test262/*: Omitted because prepare-changelog crashes.
3222
3223 2018-12-19  Mark Lam  <mark.lam@apple.com>
3224
3225         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
3226         https://bugs.webkit.org/show_bug.cgi?id=192464
3227         <rdar://problem/46519455>
3228
3229         Reviewed by Saam Barati.
3230
3231         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
3232         microbenchmark.
3233
3234         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
3235         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
3236
3237 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
3238
3239         String overflow in JSC::createError results in ASSERT in WTF::makeString
3240         https://bugs.webkit.org/show_bug.cgi?id=192833
3241         <rdar://problem/45706868>
3242
3243         Reviewed by Mark Lam.
3244
3245         * stress/string-overflow-createError.js: Added.
3246
3247 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
3248
3249         Error message for `-x ** y` contains a typo.
3250         https://bugs.webkit.org/show_bug.cgi?id=192832
3251
3252         Reviewed by Saam Barati.
3253
3254         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
3255         (assert.assert.return.throws):
3256         * stress/pow-expects-update-expression-on-lhs.js:
3257         (throw.new.Error):
3258         Update test expectations which match against the exact error message.
3259
3260 2018-12-18  Mark Lam  <mark.lam@apple.com>
3261
3262         Gardening: test options fix.
3263         https://bugs.webkit.org/show_bug.cgi?id=192822
3264
3265         Unreviewed.
3266
3267         * stress/json-stringify-string-builder-overflow.js:
3268
3269 2018-12-18  Mark Lam  <mark.lam@apple.com>
3270
3271         JSON.stringify() should throw OOM on StringBuilder overflows.
3272         https://bugs.webkit.org/show_bug.cgi?id=192822
3273         <rdar://problem/46670577>
3274
3275         Reviewed by Saam Barati.
3276
3277         * stress/json-stringify-string-builder-overflow.js: Added.
3278
3279 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
3280
3281         Redeclaration of var over let/const/class should be a syntax error.
3282         https://bugs.webkit.org/show_bug.cgi?id=192298
3283
3284         Reviewed by Keith Miller.
3285
3286         * test262.yaml:
3287         * test262/expectations.yaml:
3288         Mark 46 tests as passing.
3289
3290         * stress/block-scope-redeclarations.js:
3291         Add some new tests.
3292
3293         * stress/for-in-invalidate-context-weird-assignments.js:
3294         * stress/for-in-tests.js:
3295         Replace tests for outdated behavior with tests for SyntaxError.
3296
3297         * ChakraCore/test/LetConst/defer3.baseline-jsc:
3298         * ChakraCore/test/LetConst/letvar.baseline-jsc:
3299         Update expectations.
3300
3301 2018-12-18  Mark Lam  <mark.lam@apple.com>
3302
3303         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
3304         https://bugs.webkit.org/show_bug.cgi?id=191374
3305         <rdar://problem/46525447>
3306
3307         Reviewed by Yusuke Suzuki.
3308
3309         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
3310
3311         * stress/elidable-new-object-roflcopter-then-exit.js:
3312
3313 2018-12-17  Mark Lam  <mark.lam@apple.com>
3314
3315         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
3316         https://bugs.webkit.org/show_bug.cgi?id=192019
3317         <rdar://problem/46525456>
3318
3319         Reviewed by Yusuke Suzuki.
3320
3321         The test runs too slow on 32-bit.
3322
3323         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
3324
3325 2018-12-17  Mark Lam  <mark.lam@apple.com>
3326
3327         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
3328         https://bugs.webkit.org/show_bug.cgi?id=191373
3329         <rdar://problem/46525458>
3330
3331         Reviewed by Yusuke Suzuki.
3332
3333         The test is already slow running with a JIT on 64-bit.  It will always time out
3334         on 32-bit without a JIT.
3335
3336         * stress/materialize-regexp-cyclic-regexp.js:
3337
3338 2018-12-17  Mark Lam  <mark.lam@apple.com>
3339
3340         Array unshift/shift should not race against the AI in the compiler thread.
3341         https://bugs.webkit.org/show_bug.cgi?id=192795
3342         <rdar://problem/46724263>
3343
3344         Reviewed by Saam Barati.
3345
3346         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
3347
3348 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3349
3350         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
3351         https://bugs.webkit.org/show_bug.cgi?id=190047
3352
3353         Reviewed by Saam Barati.
3354
3355         * stress/object-keys-cached-zero.js: Added.
3356         (shouldBe):
3357         (test):
3358         * stress/object-keys-changed-attribute.js: Added.
3359         (shouldBe):
3360         (test):
3361         * stress/object-keys-changed-index.js: Added.
3362         (shouldBe):
3363         (test):
3364         * stress/object-keys-changed.js: Added.
3365         (shouldBe):
3366         (test):
3367         * stress/object-keys-indexed-non-cache.js: Added.
3368         (shouldBe):
3369         (test):
3370         * stress/object-keys-overrides-get-property-names.js: Added.
3371         (shouldBe):
3372         (test):
3373         (noInline):
3374
3375 2018-12-17  Mark Lam  <mark.lam@apple.com>
3376
3377         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
3378         https://bugs.webkit.org/show_bug.cgi?id=192779
3379         <rdar://problem/46775869>
3380
3381         Reviewed by Saam Barati.
3382
3383         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
3384
3385 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
3386
3387         Unreviewed test gardening, address a syntax error in a new test.
3388
3389         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
3390
3391 2018-12-17  Mark Lam  <mark.lam@apple.com>
3392
3393         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
3394         https://bugs.webkit.org/show_bug.cgi?id=192776
3395         <rdar://problem/46772368>
3396
3397         Reviewed by Keith Miller.
3398
3399         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
3400
3401 2018-12-17  Mark Lam  <mark.lam@apple.com>
3402
3403         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
3404         https://bugs.webkit.org/show_bug.cgi?id=192770
3405         <rdar://problem/46449037>
3406
3407         Reviewed by Keith Miller.
3408
3409         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
3410
3411 2018-12-14  Mark Lam  <mark.lam@apple.com>
3412
3413         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
3414         https://bugs.webkit.org/show_bug.cgi?id=192717
3415         <rdar://problem/46660677>
3416
3417         Reviewed by Saam Barati.
3418
3419         * stress/regress-192717.js: Added.
3420
3421 2018-12-14  Commit Queue  <commit-queue@webkit.org>
3422
3423         Unreviewed, rolling out r239153, r239154, and r239155.
3424         https://bugs.webkit.org/show_bug.cgi?id=192715
3425
3426         Caused flaky GC-related crashes seen with layout tests
3427         (Requested by ryanhaddad on #webkit).
3428
3429         Reverted changesets:
3430
3431         "[JSC] Optimize Object.keys by caching own keys results in
3432         StructureRareData"
3433         https://bugs.webkit.org/show_bug.cgi?id=190047
3434         https://trac.webkit.org/changeset/239153
3435
3436         "Unreviewed, build fix after r239153"
3437         https://bugs.webkit.org/show_bug.cgi?id=190047
3438         https://trac.webkit.org/changeset/239154
3439
3440         "Unreviewed, build fix after r239153, part 2"
3441         https://bugs.webkit.org/show_bug.cgi?id=190047
3442         https://trac.webkit.org/changeset/239155
3443
3444 2018-12-14  Keith Miller  <keith_miller@apple.com>
3445
3446         Callers of JSString::getIndex should check for OOM exceptions
3447         https://bugs.webkit.org/show_bug.cgi?id=192709
3448
3449         Reviewed by Mark Lam.
3450
3451         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
3452
3453 2018-12-13  Mark Lam  <mark.lam@apple.com>
3454
3455         Add a missing exception check.
3456         https://bugs.webkit.org/show_bug.cgi?id=192626
3457         <rdar://problem/46662163>
3458
3459         Reviewed by Keith Miller.
3460
3461         * stress/regress-192626.js: Added.
3462
3463 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
3464
3465         [BigInt] Add ValueDiv into DFG
3466         https://bugs.webkit.org/show_bug.cgi?id=186178
3467
3468         Reviewed by Yusuke Suzuki.
3469
3470         * stress/big-int-div-jit-osr.js: Added.
3471         * stress/big-int-div-jit-untyped.js: Added.
3472         * stress/value-div-fixup-int32-big-int.js: Added.
3473
3474 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3475
3476         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
3477         https://bugs.webkit.org/show_bug.cgi?id=190047
3478
3479         Reviewed by Keith Miller.
3480
3481         * stress/object-keys-cached-zero.js: Added.
3482         (shouldBe):
3483         (test):
3484         * stress/object-keys-changed-attribute.js: Added.
3485         (shouldBe):
3486         (test):
3487         * stress/object-keys-changed-index.js: Added.
3488         (shouldBe):
3489         (test):
3490         * stress/object-keys-changed.js: Added.
3491         (shouldBe):
3492         (test):
3493         * stress/object-keys-indexed-non-cache.js: Added.
3494         (shouldBe):
3495         (test):
3496         * stress/object-keys-overrides-get-property-names.js: Added.
3497         (shouldBe):
3498         (test):
3499         (noInline):
3500
3501 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3502
3503         [DFG][FTL] Add NewSymbol
3504         https://bugs.webkit.org/show_bug.cgi?id=192620
3505
3506         Reviewed by Saam Barati.
3507
3508         * microbenchmarks/symbol-creation.js: Added.
3509         (test):
3510         * stress/symbol-description-identity.js: Added.
3511         (shouldBe):
3512         (test):
3513         * stress/symbol-identity.js: Added.
3514         (shouldBe):
3515         (test):
3516         * stress/symbol-with-description-throw-error.js: Added.
3517         (shouldBe):
3518         (shouldThrow):
3519         (test):
3520         (object.toString):
3521
3522 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3523
3524         [BigInt] Implement DFG/FTL typeof for BigInt
3525         https://bugs.webkit.org/show_bug.cgi?id=192619
3526
3527         Reviewed by Keith Miller.
3528
3529         * stress/big-int-boolean-proven-type.js: Added.
3530         (assert):
3531         (bool):
3532         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
3533         (assert):
3534         (typeOf):
3535         (i.switch):
3536         * stress/big-int-type-of-proven-type-non-constant.js: Added.
3537         (assert):
3538         (typeOf):
3539         * stress/big-int-type-of.js:
3540         (typeOf):
3541         (func):
3542
3543 2018-12-10  Mark Lam  <mark.lam@apple.com>
3544
3545         PropertyAttribute needs a CustomValue bit.
3546         https://bugs.webkit.org/show_bug.cgi?id=191993
3547         <rdar://problem/46264467>
3548
3549         Reviewed by Saam Barati.
3550
3551         * stress/regress-191993.js: Added.
3552
3553 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
3554
3555         [BigInt] Add ValueMul into DFG
3556         https://bugs.webkit.org/show_bug.cgi?id=186175
3557
3558         Reviewed by Yusuke Suzuki.
3559
3560         * stress/big-int-mul-jit-osr.js: Added.
3561         * stress/big-int-mul-jit-untyped.js: Added.
3562         * stress/value-mul-fixup-int32-big-int.js: Added.
3563
3564 2018-12-06  Keith Miller  <keith_miller@apple.com>
3565
3566         stress/big-wasm-memory tests failing on 32-bit JSC bot
3567         https://bugs.webkit.org/show_bug.cgi?id=192020
3568
3569         Reviewed by Saam Barati.
3570
3571         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
3572         the wasm stress tests if the WebAssembly object does not exist.
3573
3574         * stress/big-wasm-memory-grow-no-max.js:
3575         (test.foo):
3576         (test):
3577         (foo): Deleted.
3578         (catch): Deleted.
3579         * stress/big-wasm-memory-grow.js:
3580         (test.foo):
3581         (test):
3582         (foo): Deleted.
3583         (catch): Deleted.
3584         * stress/big-wasm-memory.js:
3585         (test.foo):
3586         (test):
3587         (foo): Deleted.
3588         (catch): Deleted.
3589
3590 2018-12-05  Mark Lam  <mark.lam@apple.com>
3591
3592         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
3593         https://bugs.webkit.org/show_bug.cgi?id=192441
3594         <rdar://problem/46480355>
3595
3596         Reviewed by Saam Barati.
3597
3598         * stress/regress-192441.js: Added.
3599
3600 2018-12-04  Mark Lam  <mark.lam@apple.com>
3601
3602         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
3603         https://bugs.webkit.org/show_bug.cgi?id=192386
3604         <rdar://problem/46445516>
3605
3606         Reviewed by Saam Barati.
3607
3608         * stress/regress-192386.js: Added.
3609
3610 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
3611
3612         [ESNext][BigInt] Support logic operations
3613         https://bugs.webkit.org/show_bug.cgi?id=179903
3614
3615         Reviewed by Yusuke Suzuki.
3616
3617         * stress/big-int-branch-usage.js: Added.
3618         * stress/big-int-logical-and.js: Added.
3619         * stress/big-int-logical-not.js: Added.
3620         * stress/big-int-logical-or.js: Added.
3621
3622 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
3623
3624         Unreviewed, rolling out r238833.
3625
3626         Breaks macOS and iOS debug builds.
3627
3628         Reverted changeset:
3629
3630         "[ESNext][BigInt] Support logic operations"
3631         https://bugs.webkit.org/show_bug.cgi?id=179903
3632         https://trac.webkit.org/changeset/238833
3633
3634 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
3635
3636         [ESNext][BigInt] Support logic operations
3637         https://bugs.webkit.org/show_bug.cgi?id=179903
3638
3639         Reviewed by Yusuke Suzuki.
3640
3641         * stress/big-int-branch-usage.js: Added.
3642         * stress/big-int-logical-and.js: Added.
3643         * stress/big-int-logical-not.js: Added.
3644         * stress/big-int-logical-or.js: Added.
3645
3646 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
3647
3648         [ESNext][BigInt] Implement support for "<<" and ">>"
3649         https://bugs.webkit.org/show_bug.cgi?id=186233
3650
3651         Reviewed by Yusuke Suzuki.
3652
3653         * stress/big-int-left-shift-general.js: Added.
3654         * stress/big-int-left-shift-range-error.js: Added.
3655         * stress/big-int-left-shift-type-error.js: Added.
3656         * stress/big-int-left-shift-wrapped-value.js: Added.
3657         * stress/big-int-right-shift-general.js: Added.
3658         * stress/big-int-right-shift-type-error.js: Added.
3659         * stress/big-int-right-shift-wrapped-value.js: Added.
3660         * stress/left-shift-to-primitive-precedence.js: Added.
3661         * stress/right-shift-to-primitive-precedence.js: Added.
3662
3663 2018-11-30  Dean Jackson  <dino@apple.com>
3664
3665         Add first-class support for .mjs files in jsc binary
3666         https://bugs.webkit.org/show_bug.cgi?id=192190
3667         <rdar://problem/46375715>
3668
3669         Reviewed by Keith Miller.
3670
3671         * stress/simple-module.mjs: Added.
3672         * stress/simple-script.js: Added.
3673
3674 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
3675
3676         [BigInt] Implement ValueBitXor into DFG
3677         https://bugs.webkit.org/show_bug.cgi?id=190264
3678
3679         Reviewed by Yusuke Suzuki.
3680
3681         * stress/big-int-bitwise-xor-jit.js: Added.
3682         * stress/big-int-bitwise-xor-memory-stress.js: Added.
3683         * stress/big-int-bitwise-xor-untyped.js: Added.
3684
3685 2018-11-27  Saam barati  <sbarati@apple.com>
3686
3687         r238510 broke scopes of size zero
3688         https://bugs.webkit.org/show_bug.cgi?id=192033
3689         <rdar://problem/46281734>
3690
3691         Reviewed by Keith Miller.
3692
3693         * stress/r238510-bad-loop.js: Added.
3694         (foo):
3695
3696 2018-11-27  Mark Lam  <mark.lam@apple.com>
3697
3698         [Re-landing] NaNs read from Wasm code need to be purified.
3699         https://bugs.webkit.org/show_bug.cgi?id=191056
3700         <rdar://problem/45660341>
3701
3702         Reviewed by Filip Pizlo.
3703
3704         * wasm/regress/regress-191056.js: Added.
3705
3706 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
3707
3708         Unreviewed, rolling out r238509.
3709
3710         Causes JSC tests to fail on iOS.
3711
3712         Reverted changeset:
3713
3714         "NaNs read from Wasm code need to be purified."
3715         https://bugs.webkit.org/show_bug.cgi?id=191056
3716         https://trac.webkit.org/changeset/238509
3717
3718 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
3719
3720         Re-introduce op_bitnot
3721         https://bugs.webkit.org/show_bug.cgi?id=190923
3722
3723         Reviewed by Yusuke Suzuki.
3724
3725         * stress/bit-not-must-generate.js: Added.
3726         * stress/bitwise-not-no-int32.js: Added.
3727
3728 2018-11-26  Saam barati  <sbarati@apple.com>
3729
3730         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
3731         https://bugs.webkit.org/show_bug.cgi?id=191956
3732         <rdar://problem/45665806>
3733
3734         Reviewed by Yusuke Suzuki.
3735
3736         * stress/end-basic-block-set-local-should-filter-type.js: Added.
3737         (bar):
3738         (foo):
3739
3740 2018-11-26  Saam barati  <sbarati@apple.com>
3741
3742         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
3743         https://bugs.webkit.org/show_bug.cgi?id=191958
3744         <rdar://problem/46221877>
3745
3746         Reviewed by Yusuke Suzuki.
3747
3748         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
3749         (x):
3750         (foo):
3751
3752 2018-11-26  Mark Lam  <mark.lam@apple.com>
3753
3754         NaNs read from Wasm code need to be purified.
3755         https://bugs.webkit.org/show_bug.cgi?id=191056
3756         <rdar://problem/45660341>
3757
3758         Reviewed by Filip Pizlo.
3759
3760         * wasm/regress/regress-191056.js: Added.
3761
3762 2018-11-26  Michael Saboff  <msaboff@apple.com>
3763
3764         32-bit JSC test failure: stress/regexp-compile-oom.js
3765         https://bugs.webkit.org/show_bug.cgi?id=191375
3766
3767         Reviewed by Mark Lam.
3768
3769         Disabled the test for 32 bit platforms.
3770
3771         * stress/regexp-compile-oom.js:
3772
3773 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
3774
3775         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
3776         https://bugs.webkit.org/show_bug.cgi?id=191716
3777         <rdar://problem/45723878>
3778
3779         Reviewed by Saam Barati.
3780
3781         * stress/regress-187373.js: Added.
3782         (async.fn):
3783
3784 2018-11-21  Saam barati  <sbarati@apple.com>
3785
3786         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
3787         https://bugs.webkit.org/show_bug.cgi?id=191897
3788         <rdar://problem/45871998>
3789
3790         Reviewed by Mark Lam.
3791
3792         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
3793         (bar):