Modify how we do SetArgument when we inline varargs calls
1 2019-04-15  Saam barati  <sbarati@apple.com>
2
3         Modify how we do SetArgument when we inline varargs calls
4         https://bugs.webkit.org/show_bug.cgi?id=196712
5         <rdar://problem/49605012>
6
7         Reviewed by Michael Saboff.
8
9         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
10         (foo):
11
12 2019-04-15  Saam barati  <sbarati@apple.com>
13
14         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
15         https://bugs.webkit.org/show_bug.cgi?id=196945
16         <rdar://problem/49802750>
17
18         Reviewed by Filip Pizlo.
19
20         * stress/get-by-offset-should-use-correct-child.js: Added.
21         (foo.bar):
22         (foo):
23
24 2019-04-15  Robin Morisset  <rmorisset@apple.com>
25
26         DFG should be able to constant fold Object.create() with a constant prototype operand
27         https://bugs.webkit.org/show_bug.cgi?id=196886
28
29         Reviewed by Yusuke Suzuki.
30
31         Note that this new benchmark does not currently see a speedup with inlining removed.
32         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
33
34         * microbenchmarks/object-create-constant-prototype.js: Added.
35         (test):
36
37 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
38
39         Incremental bytecode cache should not append function updates when loaded from memory
40         https://bugs.webkit.org/show_bug.cgi?id=196865
41
42         Reviewed by Filip Pizlo.
43
44         * stress/bytecode-cache-shared-code-block.js: Added.
45         (b):
46         (program):
47
48 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
49
50         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
51         https://bugs.webkit.org/show_bug.cgi?id=196880
52
53         Reviewed by Yusuke Suzuki.
54
55         * stress/bytecode-cache-syntax-error.js: Added.
56         (catch):
57
58 2019-04-12  Saam barati  <sbarati@apple.com>
59
60         r244079 logically broke shouldSpeculateInt52
61         https://bugs.webkit.org/show_bug.cgi?id=196884
62
63         Reviewed by Yusuke Suzuki.
64
65         * microbenchmarks/int52-rand-function.js: Added.
66         (Math.random):
67
68 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
69
70         [JSC] op_has_indexed_property should not assume subscript part is Uint32
71         https://bugs.webkit.org/show_bug.cgi?id=196850
72
73         Reviewed by Saam Barati.
74
75         * stress/has-indexed-property-should-accept-non-int32.js: Added.
76         (foo):
77
78 2019-04-11  Saam barati  <sbarati@apple.com>
79
80         Remove invalid assertion in operationInstanceOfCustom
81         https://bugs.webkit.org/show_bug.cgi?id=196842
82         <rdar://problem/49725493>
83
84         Reviewed by Michael Saboff.
85
86         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
87
88 2019-04-10  Saam Barati  <sbarati@apple.com>
89
90         AbstractValue::validateOSREntryValue is wrong for Int52 constants
91         https://bugs.webkit.org/show_bug.cgi?id=196801
92         <rdar://problem/49771122>
93
94         Reviewed by Yusuke Suzuki.
95
96         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
97
98 2019-04-10  Robin Morisset  <rmorisset@apple.com>
99
100         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
101         https://bugs.webkit.org/show_bug.cgi?id=196746
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/cyclic-define-properties.js: Added.
106         (foo):
107
108 2019-04-09  Saam barati  <sbarati@apple.com>
109
110         Clean up Int52 code and some bugs in it
111         https://bugs.webkit.org/show_bug.cgi?id=196639
112         <rdar://problem/49515757>
113
114         Reviewed by Yusuke Suzuki.
115
116         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
117
118 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
119
120         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
121         https://bugs.webkit.org/show_bug.cgi?id=196708
122         <rdar://problem/49556803>
123
124         Reviewed by Yusuke Suzuki.
125
126         * stress/proxy-getter-stack-overflow.js: Added.
127         (const.handler.get target):
128         (const.handler.has):
129         (try.with):
130         (catch):
131
132 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
133
134         [JSC] DFG should respect node's strict flag
135         https://bugs.webkit.org/show_bug.cgi?id=196617
136
137         Reviewed by Saam Barati.
138
139         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
140         (shouldEqual):
141         (makeUnwriteableUnconfigurableObject):
142         (runTest):
143         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
144         (shouldBe):
145         (shouldThrow):
146         (with.result):
147         (with.putValueStrict):
148         (with.putValueSloppy):
149
150 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
151
152         [JSC] isRope jump in StringSlice should not jump over register allocations
153         https://bugs.webkit.org/show_bug.cgi?id=196716
154
155         Reviewed by Saam Barati.
156
157         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
158         (foo.bar):
159         (foo):
160
161 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
162
163         [JSC] to_index_string should not assume incoming value is Uint32
164         https://bugs.webkit.org/show_bug.cgi?id=196713
165
166         Reviewed by Saam Barati.
167
168         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
169         (foo):
170
171 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
172
173         [JSC] Add more tests for r243966
174         https://bugs.webkit.org/show_bug.cgi?id=196711
175
176         Reviewed by Saam Barati.
177
178         Adding one more test for r243966 fix. The added test will not crash after r243966.
179
180         * stress/stress-cleared-calllinkinfo.js: Added.
181         (runNearStackLimit.t):
182         (runNearStackLimit):
183         (repeat):
184         (cls):
185         (let.item.of.array.runNearStackLimit):
186
187 2019-04-08  Saam Barati  <sbarati@apple.com>
188
189         WebAssembly.RuntimeError missing exception check
190         https://bugs.webkit.org/show_bug.cgi?id=196700
191         <rdar://problem/49693932>
192
193         Reviewed by Yusuke Suzuki.
194
195         * wasm/js-api/runtime-error-should-exception-check.js: Added.
196
197 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
198
199         Unreviewed, rolling in r243948 with test fix
200         https://bugs.webkit.org/show_bug.cgi?id=196486
201
202         * stress/arrow-function-and-use-strict-directive.js: Added.
203         * stress/arrow-function-syntax.js: Added.
204         (checkSyntax):
205         (checkSyntaxError):
206
207 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
208
209         Unreviewed, rolling out r243948.
210
211         Caused inspector/runtime/parse.html to fail
212
213         Reverted changeset:
214
215         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
216         https://bugs.webkit.org/show_bug.cgi?id=196486
217         https://trac.webkit.org/changeset/243948
218
219 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
220
221         Unreviewed, rolling out r243943.
222
223         Caused test262 failures.
224
225         Reverted changeset:
226
227         "[JSC] Filter DontEnum properties in
228         ProxyObject::getOwnPropertyNames()"
229         https://bugs.webkit.org/show_bug.cgi?id=176810
230         https://trac.webkit.org/changeset/243943
231
232 2019-04-07  Michael Saboff  <msaboff@apple.com>
233
234         REGRESSION (r243642): Crash in reddit.com page
235         https://bugs.webkit.org/show_bug.cgi?id=196684
236
237         Reviewed by Geoffrey Garen.
238
239         New regression test.
240
241         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
242
243 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
244
245         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
246         https://bugs.webkit.org/show_bug.cgi?id=196683
247
248         Reviewed by Saam Barati.
249
250         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
251         (foo):
252
253 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
254
255         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
256         https://bugs.webkit.org/show_bug.cgi?id=196582
257
258         Reviewed by Saam Barati.
259
260         * stress/add-overflow-check-with-three-same-registers.js: Added.
261         (foo):
262         (Number.prototype.valueOf):
263         (runWithNumber):
264
265 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
266
267         Unreviewed, rolling out r243665.
268
269         Caused iOS JSC tests to exit with an exception.
270
271         Reverted changeset:
272
273         "Assertion failed in JSC::createError"
274         https://bugs.webkit.org/show_bug.cgi?id=196305
275         https://trac.webkit.org/changeset/243665
276
277 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
278
279         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
280         https://bugs.webkit.org/show_bug.cgi?id=196486
281
282         Reviewed by Saam Barati.
283
284         * stress/arrow-function-and-use-strict-directive.js: Added.
285         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
286         (checkSyntax):
287         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
288
289 2019-04-05  Caitlin Potter  <caitp@igalia.com>
290
291         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
292         https://bugs.webkit.org/show_bug.cgi?id=176810
293
294         Reviewed by Saam Barati.
295
296         Add tests for the DontEnum filtering, and variations of other tests
297         take the DontEnum-filtering path.
298
299         * stress/proxy-own-keys.js:
300         (i.catch):
301         (set assert):
302         (set add):
303         (let.set new):
304         (get let):
305
306 2019-04-05  Caitlin Potter  <caitp@igalia.com>
307
308         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
309         https://bugs.webkit.org/show_bug.cgi?id=185211
310
311         Reviewed by Saam Barati.
312
313         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
314
315         This changes several assertions to expect a TypeError to be thrown (in some cases,
316         changing the expected message).
317
318         * es6/Proxy_ownKeys_duplicates.js:
319         (handler):
320         (shouldThrow):
321         (test):
322         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
323         (shouldThrow):
324         * stress/proxy-own-keys.js:
325         (i.catch):
326         (assert):
327
328 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
329
330         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
331         https://bugs.webkit.org/show_bug.cgi?id=196631
332
333         Reviewed by Saam Barati.
334
335         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
336         (assert):
337         (test):
338         (foo):
339
340 2019-04-04  Saam Barati  <sbarati@apple.com>
341
342         Unreviewed. Make the test from r243906 catch the thrown exceptions.
343
344         * stress/inferred-types-regex-matches-array.js:
345
346 2019-04-04  Saam Barati  <sbarati@apple.com>
347
348         createRegExpMatchesArray does not respect inferred types
349         https://bugs.webkit.org/show_bug.cgi?id=193287
350
351         Reviewed by Yusuke Suzuki.
352
353         This checks in the test case for 193287. This issue was discovered by
354         Samuel Groß of Google Project Zero.
355
356         * stress/inferred-types-regex-matches-array.js: Added.
357
358 2019-04-04  Saam barati  <sbarati@apple.com>
359
360         Teach Call ICs how to call Wasm
361         https://bugs.webkit.org/show_bug.cgi?id=196387
362
363         Reviewed by Filip Pizlo.
364
365         * wasm/function-tests/stack-trace.js:
366
367 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
368
369         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
370         https://bugs.webkit.org/show_bug.cgi?id=194944
371
372         Reviewed by Keith Miller.
373
374         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
375
376 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
377
378         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
379         https://bugs.webkit.org/show_bug.cgi?id=196409
380
381         Reviewed by Saam Barati.
382
383         * stress/bytecode-cache-cached-string-impl.js: Added.
384         (f):
385         (g):
386         * stress/bytecode-cache-run-string.js: Added.
387
388 2019-04-03  Robin Morisset  <rmorisset@apple.com>
389
390         B3 should use associativity to optimize expression trees
391         https://bugs.webkit.org/show_bug.cgi?id=194081
392
393         Reviewed by Filip Pizlo.
394
395         Added three microbenchmarks:
396         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
397         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
398           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
399         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
400
401         * microbenchmarks/add-tree.js: Added.
402         * microbenchmarks/bit-or-tree.js: Added.
403         * microbenchmarks/bit-xor-tree.js: Added.
404
405 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
406
407         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
408         https://bugs.webkit.org/show_bug.cgi?id=196574
409
410         Reviewed by Saam Barati.
411
412         * stress/string-index-of-exception-check.js: Added.
413         (blurType):
414         (1.forEach):
415
416 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
417
418         Assertion failed in JSC::createError
419         https://bugs.webkit.org/show_bug.cgi?id=196305
420         <rdar://problem/49387382>
421
422         Reviewed by Saam Barati.
423
424         * stress/create-error-out-of-memory-rope-string-2.js: Added.
425         (assert):
426         (catch):
427
428 2019-03-28  Saam Barati  <sbarati@apple.com>
429
430         BackwardsGraph needs to consider back edges as the backward's root successor
431         https://bugs.webkit.org/show_bug.cgi?id=195991
432
433         Reviewed by Filip Pizlo.
434
435         * stress/map-b3-licm-infinite-loop.js: Added.
436
437 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
438
439         CodeBlock::jettison() should disallow repatching its own calls
440         https://bugs.webkit.org/show_bug.cgi?id=196359
441         <rdar://problem/48973663>
442
443         Reviewed by Saam Barati.
444
445         * stress/call-link-info-osrexit-repatch.js: Added.
446         (foo):
447
448 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
449
450         [JSC] imports-oom.js intermittently fails
451         https://bugs.webkit.org/show_bug.cgi?id=196373
452
453         Reviewed by Saam Barati.
454
455         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
456         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
457         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
458         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
459         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
460
461         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
462         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
463
464         * wasm/lowExecutableMemory/imports-oom.js:
465
466 2019-03-27  Saam Barati  <sbarati@apple.com>
467
468         validateOSREntryValue with Int52 should box the value being checked into double format
469         https://bugs.webkit.org/show_bug.cgi?id=196313
470         <rdar://problem/49306703>
471
472         Reviewed by Yusuke Suzuki.
473
474         * stress/validate-int-52-ai-state.js: Added.
475
476 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
477
478         [JSC] Owner of watchpoints should validate at GC finalizing phase
479         https://bugs.webkit.org/show_bug.cgi?id=195827
480
481         Reviewed by Filip Pizlo.
482
483         * stress/gc-should-reap-dead-watchpoints.js: Added.
484         (foo):
485         (A.prototype.y):
486         (A):
487
488 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
489
490         Skip WebAssembly test on 32-bit systems
491         https://bugs.webkit.org/show_bug.cgi?id=196206
492
493         Reviewed by Saam Barati.
494
495         Invoking runDefault executes test immediately even though
496         that test should be skipped due to missing WASM support.
497         Therefore remove runDefault.
498
499         * wasm/regress/web-assembly-link-error-exception-check.js:
500
501 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
502
503         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
504         https://bugs.webkit.org/show_bug.cgi?id=196217
505
506         Reviewed by Saam Barati.
507
508         Re-enable all NaN tests for f32.min, f64.min and f64.max.
509
510         * wasm/spec-tests/f32.wast.js:
511         * wasm/spec-tests/f64.wast.js:
512         * wasm/wasm.json:
513
514 2019-03-25  Keith Miller  <keith_miller@apple.com>
515
516         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
517         https://bugs.webkit.org/show_bug.cgi?id=196176
518
519         Reviewed by Saam Barati.
520
521         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
522         (main.v10):
523         (main):
524
525 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
526
527         WebAssembly: f32.max with NaN generates incorrect result
528         https://bugs.webkit.org/show_bug.cgi?id=175691
529         <rdar://problem/33952228>
530
531         Reviewed by Saam Barati.
532
533         Enable all f32.max NaN tests
534
535         * wasm/spec-tests/f32.wast.js:
536         * wasm/wasm.json:
537
538 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
539
540         [JSC] Move test into directory for WASM tests
541         https://bugs.webkit.org/show_bug.cgi?id=196187
542
543         Reviewed by Mark Lam.
544
545         Move Test into wasm-directory. Otherwise this test
546         is also executed on systems without WASM support.
547
548         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
549
550 2019-03-23  Mark Lam  <mark.lam@apple.com>
551
552         Rolling out r243032 and r243071 because the fix is incorrect.
553         https://bugs.webkit.org/show_bug.cgi?id=195892
554         <rdar://problem/48981239>
555
556         Not reviewed.
557
558         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
559
560 2019-03-22  Mark Lam  <mark.lam@apple.com>
561
562         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
563         https://bugs.webkit.org/show_bug.cgi?id=196154
564         <rdar://problem/49145307>
565
566         Reviewed by Filip Pizlo.
567
568         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
569         There's no need to run this test on more than 1 test configuration.
570
571         * stress/typed-array-lastIndexOf-exception-check.js: Added.
572         * stress/web-assembly-link-error-exception-check.js:
573
574 2019-03-22  Mark Lam  <mark.lam@apple.com>
575
576         Placate exception check validation in constructJSWebAssemblyLinkError().
577         https://bugs.webkit.org/show_bug.cgi?id=196152
578         <rdar://problem/49145257>
579
580         Reviewed by Michael Saboff.
581
582         * stress/web-assembly-link-error-exception-check.js: Added.
583
584 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
585
586         Skip tests running out of memory on ARM/MIPS
587         https://bugs.webkit.org/show_bug.cgi?id=196131
588
589         Unreviewed. Skip test if memory is limited.
590
591         * microbenchmarks/put-by-val-direct-large-index.js:
592
593 2019-03-21  Mark Lam  <mark.lam@apple.com>
594
595         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
596         https://bugs.webkit.org/show_bug.cgi?id=196116
597         <rdar://problem/48976951>
598
599         Reviewed by Filip Pizlo.
600
601         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
602
603 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
604
605         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
606         https://bugs.webkit.org/show_bug.cgi?id=196078
607         <rdar://problem/35925380>
608
609         Reviewed by Mark Lam.
610
611         Add a new benchmark that allocates several objects and invokes put_by_val_direct
612         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
613
614         * microbenchmarks/put-by-val-direct-large-index.js: Added.
615
616 2019-03-21  Mark Lam  <mark.lam@apple.com>
617
618         Placate exception check validation in operationArrayIndexOfString().
619         https://bugs.webkit.org/show_bug.cgi?id=196067
620         <rdar://problem/49056572>
621
622         Reviewed by Michael Saboff.
623
624         * stress/string-equal-exception-check.js: Added.
625
626 2019-03-21  Mark Lam  <mark.lam@apple.com>
627
628         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
629         https://bugs.webkit.org/show_bug.cgi?id=196055
630         <rdar://problem/49067448>
631
632         Reviewed by Yusuke Suzuki.
633
634         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
635
636 2019-03-20  Saam Barati  <sbarati@apple.com>
637
638         typeOfDoubleSum is wrong for when NaN can be produced
639         https://bugs.webkit.org/show_bug.cgi?id=196030
640
641         Reviewed by Filip Pizlo.
642
643         * stress/double-add-sub-mul-can-produce-nan.js: Added.
644         (assert):
645         (noInline.sub):
646         (noInline):
647         (assert.mul):
648         (assert.add):
649
650 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
651
652         Update the test to ensure OutOfMemoryError is thrown as intended
653         https://bugs.webkit.org/show_bug.cgi?id=196032
654         <rdar://problem/46842740>
655
656         Rubber stamped by Saam Barati.
657
658         * stress/create-error-out-of-memory-rope-string.js:
659         (assert):
660         (catch):
661
662 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
663
664         JSC::createError needs to check for OOM in errorDescriptionForValue
665         https://bugs.webkit.org/show_bug.cgi?id=196032
666         <rdar://problem/46842740>
667
668         Reviewed by Mark Lam.
669
670         * stress/create-error-out-of-memory-rope-string.js: Added.
671
672 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
673
674         Unreviewed, reduce # of iterations to avoid timing out after r242991
675         https://bugs.webkit.org/show_bug.cgi?id=195791
676
677         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
678
679         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
680
681 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
682
683         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
684         https://bugs.webkit.org/show_bug.cgi?id=195950
685
686         Unreviewed, reducing the amount of memory used on this test to avoid
687         OOM on devices with memory restrictions.
688
689         * microbenchmarks/generate-multiple-llint-entrypoints.js:
690
691 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
692
693         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
694         https://bugs.webkit.org/show_bug.cgi?id=194648
695
696         Reviewed by Keith Miller.
697
698         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
699
700 2019-03-18  Mark Lam  <mark.lam@apple.com>
701
702         Missing a ThrowScope release in JSObject::toString().
703         https://bugs.webkit.org/show_bug.cgi?id=195893
704         <rdar://problem/48970986>
705
706         Reviewed by Michael Saboff.
707
708         * stress/to-string-exception-check-release.js: Added.
709
710 2019-03-18  Mark Lam  <mark.lam@apple.com>
711
712         Structure::flattenDictionary() should clear unused property slots.
713         https://bugs.webkit.org/show_bug.cgi?id=195871
714         <rdar://problem/48959497>
715
716         Reviewed by Michael Saboff.
717
718         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
719
720 2019-03-15  Mark Lam  <mark.lam@apple.com>
721
722         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
723         https://bugs.webkit.org/show_bug.cgi?id=195827
724         <rdar://problem/48845513>
725
726         Reviewed by Filip Pizlo.
727
728         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
729
730 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
731
732         [ARM,MIPS] Skip slow tests
733         https://bugs.webkit.org/show_bug.cgi?id=195799
734
735         Unreviewed, test does not finish on ARM and MIPS within the
736         timeout limit.
737
738         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
739
740 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
741
742         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
743         https://bugs.webkit.org/show_bug.cgi?id=195791
744         <rdar://problem/48806130>
745
746         Reviewed by Mark Lam.
747
748         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
749         (foo):
750
751 2019-03-14  Saam barati  <sbarati@apple.com>
752
753         We can't remove code after ForceOSRExit until after FixupPhase
754         https://bugs.webkit.org/show_bug.cgi?id=186916
755         <rdar://problem/41396612>
756
757         Reviewed by Yusuke Suzuki.
758
759         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
760         (foo):
761         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
762         (foo):
763
764 2019-03-13  Michael Saboff  <msaboff@apple.com>
765
766         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
767         https://bugs.webkit.org/show_bug.cgi?id=195735
768
769         Reviewed by Mark Lam.
770
771         New regression test.
772
773         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
774         (foo):
775         (bar):
776
777 2019-03-14  Saam barati  <sbarati@apple.com>
778
779         Fixup uses KnownInt32 incorrectly in some nodes
780         https://bugs.webkit.org/show_bug.cgi?id=195279
781         <rdar://problem/47915654>
782
783         Reviewed by Yusuke Suzuki.
784
785         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
786         (foo):
787
788 2019-03-14  Keith Miller  <keith_miller@apple.com>
789
790         DFG liveness can't skip tail caller inline frames
791         https://bugs.webkit.org/show_bug.cgi?id=195715
792
793         Reviewed by Saam Barati.
794
795         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
796         (i.foo):
797
798 2019-03-13  Mark Lam  <mark.lam@apple.com>
799
800         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
801         https://bugs.webkit.org/show_bug.cgi?id=195415
802
803         Not reviewed.
804
805         Changed these tests to only run the default configuration.
806         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
807         There's no strong need to run this test on that variant.
808
809         * stress/dfg-to-string-on-int-does-gc.js:
810         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
811
812 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
813
814         String overflow when using StringBuilder in JSC::createError
815         https://bugs.webkit.org/show_bug.cgi?id=194957
816
817         Reviewed by Mark Lam.
818
819         Add test string-overflow-createError-builder.js that overflows
820         StringBuilder in notAFunctionSourceAppender. The second new test
821         string-overflow-createError-fit.js has an error message that doesn't
822         overflow, it still failed since the String's capacity can't be doubled.
823         Run test string-overflow-createError.js only in the default
824         configuration to reduce memory consumption when running the test
825         in all configurations on multiple CPUs in parallel.
826
827         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
828         (catch):
829         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
830         (catch):
831         * stress/string-overflow-createError.js:
832
833 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
834
835         [JSC] OSR entry should respect abstract values in addition to flush formats
836         https://bugs.webkit.org/show_bug.cgi?id=195653
837
838         Reviewed by Mark Lam.
839
840         * stress/osr-entry-locals-none.js: Added.
841
842 2019-03-12  Michael Saboff  <msaboff@apple.com>
843
844         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
845         https://bugs.webkit.org/show_bug.cgi?id=195613
846
847         Reviewed by Mark Lam.
848
849         New regression test.
850
851         * stress/regexp-backref-inbounds.js: Added.
852         (testRegExp):
853
854 2019-03-12  Mark Lam  <mark.lam@apple.com>
855
856         The HasIndexedProperty node does GC.
857         https://bugs.webkit.org/show_bug.cgi?id=195559
858         <rdar://problem/48767923>
859
860         Reviewed by Yusuke Suzuki.
861
862         * stress/HasIndexedProperty-does-gc.js: Added.
863
864 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
865
866         [ESNext][BigInt] Implement "~" unary operation
867         https://bugs.webkit.org/show_bug.cgi?id=182216
868
869         Reviewed by Keith Miller.
870
871         * stress/big-int-bit-not-general.js: Added.
872         * stress/big-int-bitwise-not-jit.js: Added.
873         * stress/big-int-bitwise-not-wrapped-value.js: Added.
874         * stress/bit-op-with-object-returning-int32.js:
875         * stress/bitwise-not-fixup-rules.js: Added.
876         * stress/value-bit-not-ai-rule.js: Added.
877
878 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
879
880         Invalid flags in a RegExp literal should be an early SyntaxError
881         https://bugs.webkit.org/show_bug.cgi?id=195514
882
883         Reviewed by Darin Adler.
884
885         * test262/expectations.yaml:
886         Mark 4 test cases as passing.
887
888         * stress/regexp-syntax-error-invalid-flags.js:
889         * stress/regress-161995.js: Removed.
890         Update existing test, merging in an older test for the same behavior.
891
892 2019-03-08  Mark Lam  <mark.lam@apple.com>
893
894         Stack overflow crash in JSC::JSObject::hasInstance.
895         https://bugs.webkit.org/show_bug.cgi?id=195458
896         <rdar://problem/48710195>
897
898         Reviewed by Yusuke Suzuki.
899
900         * stress/stack-overflow-in-custom-hasInstance.js: Added.
901
902 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
903
904         op_check_tdz does not def its argument
905         https://bugs.webkit.org/show_bug.cgi?id=192880
906         <rdar://problem/46221598>
907
908         Reviewed by Saam Barati.
909
910         * microbenchmarks/let-for-in.js: Added.
911         (foo):
912
913 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
916         https://bugs.webkit.org/show_bug.cgi?id=195429
917
918         Reviewed by Saam Barati.
919
920         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
921         (foo):
922         * stress/string-from-char-code-255.js: Added.
923
924 2019-03-06  Mark Lam  <mark.lam@apple.com>
925
926         Fix incorrect handling of try-finally completion values.
927         https://bugs.webkit.org/show_bug.cgi?id=195131
928         <rdar://problem/46222079>
929
930         Reviewed by Saam Barati and Yusuke Suzuki.
931
932         Added many permutations of new test case to test-finally.js.  test-finally.js has
933         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
934         tests pass there as well.
935
936         * stress/test-finally.js:
937
938 2019-03-06  Saam Barati  <sbarati@apple.com>
939
940         Air::reportUsedRegisters must padInterference
941         https://bugs.webkit.org/show_bug.cgi?id=195303
942         <rdar://problem/48270343>
943
944         Reviewed by Keith Miller.
945
946         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
947
948 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
949
950         [JSC] AI should not propagate AbstractValue relying on constant folding phase
951         https://bugs.webkit.org/show_bug.cgi?id=195375
952
953         Reviewed by Saam Barati.
954
955         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
956         (let.array):
957
958 2019-03-05  Saam barati  <sbarati@apple.com>
959
960         op_switch_char broken for rope strings after JSRopeString layout rewrite
961         https://bugs.webkit.org/show_bug.cgi?id=195339
962         <rdar://problem/48592545>
963
964         Reviewed by Yusuke Suzuki.
965
966         * stress/switch-on-char-llint-rope.js: Added.
967
968 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
969
970         [JSC] Store bits for JSRopeString in 3 stores
971         https://bugs.webkit.org/show_bug.cgi?id=195234
972
973         Reviewed by Saam Barati.
974
975         * stress/null-rope-and-collectors.js: Added.
976
977 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
978
979         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
980         https://bugs.webkit.org/show_bug.cgi?id=195207
981
982         Unreviewed. After test runtime was reduced in r242213, test can be
983         run again on ARM/MIPS.
984
985         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
986
987 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
988
989         [JSC] sizeof(JSString) should be 16
990         https://bugs.webkit.org/show_bug.cgi?id=194375
991
992         Reviewed by Saam Barati.
993
994         * microbenchmarks/make-rope.js: Added.
995         (makeRope):
996         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
997         (returnRope.helper): Deleted.
998         (returnRope): Deleted.
999
1000 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1001
1002         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1003         https://bugs.webkit.org/show_bug.cgi?id=195144
1004
1005         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1006         Change the number from 1e8 to 1e5.
1007
1008         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1009         (foo):
1010
1011 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1012
1013         Test times out on ARM/MIPS
1014         https://bugs.webkit.org/show_bug.cgi?id=195168
1015
1016         Unreviewed. Skip test on ARM/MIPS.
1017
1018         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1019
1020 2019-02-27  Mark Lam  <mark.lam@apple.com>
1021
1022         The parser is failing to record the token location of new in new.target.
1023         https://bugs.webkit.org/show_bug.cgi?id=195127
1024         <rdar://problem/39645578>
1025
1026         Reviewed by Yusuke Suzuki.
1027
1028         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1029
1030 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1031
1032         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1033         https://bugs.webkit.org/show_bug.cgi?id=195144
1034         <rdar://problem/47595961>
1035
1036         Reviewed by Mark Lam.
1037
1038         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1039         (bar):
1040         (foo):
1041         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1042         (bar):
1043         (foo):
1044
1045 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1046
1047         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1048         https://bugs.webkit.org/show_bug.cgi?id=194945
1049         <rdar://problem/48311657>
1050
1051         Reviewed by Mark Lam.
1052
1053         * stress/licm-dead-code.js: Added.
1054
1055 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1056
1057         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1058         https://bugs.webkit.org/show_bug.cgi?id=194677
1059         <rdar://problem/48112492>
1060
1061         Reviewed by Mark Lam.
1062
1063         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1064         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1065         it immediately fails due to the large size.
1066
1067         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1068         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1069         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1070         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1071
1072         This patch changes the test to produce 16bit string from String.fromCharCode.
1073
1074         * stress/regress-178386.js:
1075
1076 2019-02-26  Mark Lam  <mark.lam@apple.com>
1077
1078         wasmToJS() should purify incoming NaNs.
1079         https://bugs.webkit.org/show_bug.cgi?id=194807
1080         <rdar://problem/48189132>
1081
1082         Reviewed by Saam Barati.
1083
1084         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1085
1086 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1087
1088         [JSC] Repeat string created from Array.prototype.join() take too much memory
1089         https://bugs.webkit.org/show_bug.cgi?id=193912
1090
1091         Reviewed by Saam Barati.
1092
1093         Added a test and a microbenchmark for corner cases of
1094         Array.prototype.join() with an uninitialized array.
1095
1096         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1097         * stress/array-prototype-join-uninitialized.js: Added.
1098         (testArray):
1099         (testABC):
1100         (B):
1101         (C):
1102
1103 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1104
1105         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1106         https://bugs.webkit.org/show_bug.cgi?id=194953
1107         <rdar://problem/47595253>
1108
1109         Reviewed by Saam Barati.
1110
1111         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1112
1113         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1114
1115 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1116
1117         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1118         https://bugs.webkit.org/show_bug.cgi?id=172848
1119         <rdar://problem/25709212>
1120
1121         Reviewed by Mark Lam.
1122
1123         * typeProfiler/inheritance.js:
1124         Rewrite the test slightly for clarity. The hoisting was confusing.
1125
1126         * heapProfiler/class-names.js: Added.
1127         (MyES5Class):
1128         (MyES6Class):
1129         (MyES6Subclass):
1130         Test object types and improved class names.
1131
1132         * heapProfiler/driver/driver.js:
1133         (CheapHeapSnapshotNode):
1134         (CheapHeapSnapshot):
1135         (createCheapHeapSnapshot):
1136         (HeapSnapshot):
1137         (createHeapSnapshot):
1138         Update snapshot parsing from version 1 to version 2.
1139
1140 2019-02-19  Truitt Savell  <tsavell@apple.com>
1141
1142         Unreviewed, rolling out r241784.
1143
1144         Broke all OpenSource builds.
1145
1146         Reverted changeset:
1147
1148         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1149         instances view"
1150         https://bugs.webkit.org/show_bug.cgi?id=172848
1151         https://trac.webkit.org/changeset/241784
1152
1153 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1154
1155         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1156         https://bugs.webkit.org/show_bug.cgi?id=172848
1157         <rdar://problem/25709212>
1158
1159         Reviewed by Mark Lam.
1160
1161         * typeProfiler/inheritance.js:
1162         Rewrite the test slightly for clarity. The hoisting was confusing.
1163
1164         * heapProfiler/class-names.js: Added.
1165         (MyES5Class):
1166         (MyES6Class):
1167         (MyES6Subclass):
1168         Test object types and improved class names.
1169
1170         * heapProfiler/driver/driver.js:
1171         (CheapHeapSnapshotNode):
1172         (CheapHeapSnapshot):
1173         (createCheapHeapSnapshot):
1174         (HeapSnapshot):
1175         (createHeapSnapshot):
1176         Update snapshot parsing from version 1 to version 2.
1177
1178 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1179
1180         [ARM] Fix crash with sampling profiler
1181         https://bugs.webkit.org/show_bug.cgi?id=194772
1182
1183         Reviewed by Mark Lam.
1184
1185         Do not skip test since crash with sampling profiler is now fixed.
1186
1187         * stress/sampling-profiler-richards.js:
1188
1189 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1190
1191         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1192         https://bugs.webkit.org/show_bug.cgi?id=194784
1193         <rdar://problem/48154820>
1194
1195         Reviewed by Mark Lam.
1196
1197         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1198         (getProperties):
1199         (getRandomProperty):
1200         (i.catch):
1201
1202 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1203
1204         [ARM] Test gardening: Test running out of executable memory
1205         https://bugs.webkit.org/show_bug.cgi?id=194771
1206
1207         Unreviewed. Do not run test without LLInt, test is running out of executable
1208         memory on ARM otherwise.
1209
1210         * stress/tagged-template-object-collect.js:
1211
1212 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1213
1214         Unreviewed, skip the test on platforms without sampling profiler
1215
1216         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1217         (platformSupportsSamplingProfiler.foo):
1218         (platformSupportsSamplingProfiler.test):
1219         (platformSupportsSamplingProfiler):
1220         (foo): Deleted.
1221         (test): Deleted.
1222
1223 2019-02-17  Saam Barati  <sbarati@apple.com>
1224
1225         Deadlock when adding a Structure property transition and then doing incremental marking
1226         https://bugs.webkit.org/show_bug.cgi?id=194767
1227
1228         Reviewed by Mark Lam.
1229
1230         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1231
1232 2019-02-15  Michael Saboff  <msaboff@apple.com>
1233
1234         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1235         https://bugs.webkit.org/show_bug.cgi?id=194558
1236
1237         Reviewed by Saam Barati.
1238
1239         New regression test.
1240
1241         * stress/regexp-unicode-within-string.js: Added.
1242
1243 2019-02-15  Mark Lam  <mark.lam@apple.com>
1244
1245         SamplingProfiler::stackTracesAsJSON() should escape strings.
1246         https://bugs.webkit.org/show_bug.cgi?id=194649
1247         <rdar://problem/48072386>
1248
1249         Reviewed by Saam Barati.
1250
1251         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1252         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1253         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1254         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1255
1256 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1257         CodeBlock::jettison should clear related watchpoints
1258         https://bugs.webkit.org/show_bug.cgi?id=194544
1259
1260         Reviewed by Mark Lam.
1261
1262         * stress/regexp-replace-double-watchpoint.js: Added.
1263         (foo):
1264
1265 2019-02-15  Saam barati  <sbarati@apple.com>
1266
1267         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1268         https://bugs.webkit.org/show_bug.cgi?id=194036
1269
1270         Reviewed by Yusuke Suzuki.
1271
1272         * stress/tail-call-many-arguments.js: Added.
1273         (foo):
1274         (bar):
1275
1276 2019-02-14  Saam Barati  <sbarati@apple.com>
1277
1278         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1279         https://bugs.webkit.org/show_bug.cgi?id=194583
1280         <rdar://problem/48028140>
1281
1282         Reviewed by Yusuke Suzuki.
1283
1284         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1285
1286 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1287
1288         [JSC] String.fromCharCode's slow path always generates 16bit string
1289         https://bugs.webkit.org/show_bug.cgi?id=194466
1290
1291         Reviewed by Keith Miller.
1292
1293         * stress/string-from-char-code-slow-path.js: Added.
1294         (shouldBe):
1295         (testWithLength):
1296
1297 2019-02-08  Saam barati  <sbarati@apple.com>
1298
1299         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1300         https://bugs.webkit.org/show_bug.cgi?id=194334
1301         <rdar://problem/47844327>
1302
1303         Reviewed by Mark Lam.
1304
1305         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1306         (func):
1307
1308 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1309
1310         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1311         https://bugs.webkit.org/show_bug.cgi?id=194369
1312         <rdar://problem/47813087>
1313
1314         Reviewed by Saam Barati.
1315
1316         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1317         (A):
1318
1319 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1320
1321         [JSC] PrivateName to PublicName hash table is wasteful
1322         https://bugs.webkit.org/show_bug.cgi?id=194277
1323
1324         Reviewed by Michael Saboff.
1325
1326         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1327
1328         * ChakraCore.yaml:
1329
1330 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1331
1332         [ARM] Test running out of executable memory
1333         https://bugs.webkit.org/show_bug.cgi?id=194285
1334
1335         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1336         executable memory otherwise.
1337
1338         * stress/class-subclassing-function.js:
1339
1340 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1341
1342         when lowering AssertNotEmpty, create the value before creating the patchpoint
1343         https://bugs.webkit.org/show_bug.cgi?id=194231
1344
1345         Reviewed by Saam Barati.
1346
1347         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1348         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1349         So even tiny changes to this test can change the path code taken.
1350
1351         * stress/assert-not-empty.js: Added.
1352         (foo):
1353
1354 2019-02-01  Mark Lam  <mark.lam@apple.com>
1355
1356         Remove invalid assertion in DFG's compileDoubleRep().
1357         https://bugs.webkit.org/show_bug.cgi?id=194130
1358         <rdar://problem/47699474>
1359
1360         Reviewed by Saam Barati.
1361
1362         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1363
1364 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1365
1366         Import latest Test262 updates.
1367
1368         Rubber-stamped by Keith Miller.
1369
1370         * test262.yaml: Deleted.
1371         * test262/config.yaml:
1372         * test262/expectations.yaml:
1373         * test262/latest-changes-summary.txt:
1374         * test262/test/:
1375         * test262/test262-Revision.txt:
1376
1377 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1378
1379         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1380         https://bugs.webkit.org/show_bug.cgi?id=194050
1381         <rdar://problem/47595592>
1382
1383         Reviewed by Yusuke Suzuki.
1384
1385         * stress/object-keys-osr-exit.js: Added.
1386         (foo):
1387         (catch):
1388
1389 2019-01-29  Mark Lam  <mark.lam@apple.com>
1390
1391         ValueRecovery::recover() should purify NaN values it recovers.
1392         https://bugs.webkit.org/show_bug.cgi?id=193978
1393         <rdar://problem/47625488>
1394
1395         Reviewed by Saam Barati.
1396
1397         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1398
1399 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1400
1401         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1402         https://bugs.webkit.org/show_bug.cgi?id=193713
1403
1404         * stress/try-get-by-id-should-spill-registers-dfg.js:
1405         (let.f.createBuiltin):
1406
1407 2019-01-28  Mark Lam  <mark.lam@apple.com>
1408
1409         ToString node actually does GC.
1410         https://bugs.webkit.org/show_bug.cgi?id=193920
1411         <rdar://problem/46695900>
1412
1413         Reviewed by Yusuke Suzuki.
1414
1415         * stress/dfg-to-string-on-int-does-gc.js: Added.
1416         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1417         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1418
1419 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1420
1421         [JSC] NativeErrorConstructor should not have own IsoSubspace
1422         https://bugs.webkit.org/show_bug.cgi?id=193713
1423
1424         Reviewed by Saam Barati.
1425
1426         Remove @Error use.
1427
1428         * stress/try-get-by-id-should-spill-registers-dfg.js:
1429         (let.f.createBuiltin):
1430
1431 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1432
1433         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1434         https://bugs.webkit.org/show_bug.cgi?id=190693
1435
1436         Reviewed by Michael Saboff.
1437
1438         * stress/regress-190693.js: Added.
1439         (truth):
1440         (assert):
1441         (shouldThrowInvalidConstAssignment):
1442         (taz):
1443
1444 2019-01-24  Saam Barati  <sbarati@apple.com>
1445
1446         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1447         https://bugs.webkit.org/show_bug.cgi?id=193751
1448         <rdar://problem/47280215>
1449
1450         Reviewed by Michael Saboff.
1451
1452         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1453         (let.thing):
1454         (foo.let.hello):
1455         (foo):
1456
1457 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1458
1459         [JSC] Reenable baseline JIT on mips
1460         https://bugs.webkit.org/show_bug.cgi?id=192983
1461
1462         Reviewed by Mark Lam.
1463
1464         Added a new test for a case that was triggering a RELEASE_ASSERT when
1465         testing.
1466         Disable some slow tests that were already disabled for arm and x86.
1467
1468         * stress/json-parse-big-object.js: Added.
1469         * stress/new-largeish-contiguous-array-with-size.js:
1470         * stress/op_add.js:
1471         * stress/op_bitand.js:
1472         * stress/op_bitor.js:
1473         * stress/op_bitxor.js:
1474         * stress/op_lshift-ConstVar.js:
1475         * stress/op_lshift-VarConst.js:
1476         * stress/op_lshift-VarVar.js:
1477         * stress/op_mod-ConstVar.js:
1478         * stress/op_mod-VarConst.js:
1479         * stress/op_mod-VarVar.js:
1480         * stress/op_mul-ConstVar.js:
1481         * stress/op_mul-VarConst.js:
1482         * stress/op_mul-VarVar.js:
1483         * stress/op_rshift-ConstVar.js:
1484         * stress/op_rshift-VarConst.js:
1485         * stress/op_rshift-VarVar.js:
1486         * stress/op_sub-ConstVar.js:
1487         * stress/op_sub-VarConst.js:
1488         * stress/op_sub-VarVar.js:
1489         * stress/op_urshift-ConstVar.js:
1490         * stress/op_urshift-VarConst.js:
1491         * stress/op_urshift-VarVar.js:
1492         * stress/sampling-profiler-richards.js:
1493         * stress/spread-forward-call-varargs-stack-overflow.js:
1494
1495 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1496
1497         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1498         https://bugs.webkit.org/show_bug.cgi?id=193711
1499         <rdar://problem/47250262>
1500
1501         Reviewed by Saam Barati.
1502
1503         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1504         (shouldBe):
1505         (foo):
1506         (bar):
1507         (baz):
1508
1509 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1510
1511         Unreviewed, fix initial global lexical binding epoch
1512         https://bugs.webkit.org/show_bug.cgi?id=193603
1513         <rdar://problem/47380869>
1514
1515         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1516         (f1.f2.f3.f4):
1517         (f1.f2.f3):
1518         (f1.f2):
1519         (f1):
1520
1521 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1522
1523         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1524         https://bugs.webkit.org/show_bug.cgi?id=193709
1525         <rdar://problem/47363838>
1526
1527         Unreviewed, rollout to watch the tests.
1528
1529         * stress/object-tostring-changed-proto.js: Removed.
1530         * stress/object-tostring-changed.js: Removed.
1531         * stress/object-tostring-misc.js: Removed.
1532         * stress/object-tostring-other.js: Removed.
1533         * stress/object-tostring-untyped.js: Removed.
1534
1535 2019-01-22  Saam Barati  <sbarati@apple.com>
1536
1537         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1538
1539         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1540         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1541         (testUncheckedLessThanZero):
1542         (testUncheckedLessThanOrEqualZero):
1543         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1544         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1545
1546 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1547
1548         [JSC] Invalidate old scope operations using global lexical binding epoch
1549         https://bugs.webkit.org/show_bug.cgi?id=193603
1550         <rdar://problem/47380869>
1551
1552         Reviewed by Saam Barati.
1553
1554         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1555         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1556         (shouldThrow):
1557         (bar):
1558         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1559         (shouldBe):
1560         (get1):
1561         (get2):
1562         (get1If):
1563         (get2If):
1564         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1565         (shouldThrow):
1566         (foo):
1567
1568 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1569
1570         Unreviewed, roll out r240220 due to date-format-xparb regression
1571         https://bugs.webkit.org/show_bug.cgi?id=193603
1572
1573         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1574         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1575         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1576         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1577
1578 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1579
1580         DoesGC rule is wrong for nodes with BigIntUse
1581         https://bugs.webkit.org/show_bug.cgi?id=193652
1582
1583         Reviewed by Saam Barati.
1584
1585         * stress/big-int-value-op-update-gc-rules.js: Added.
1586         (assert):
1587         (doesGCAdd):
1588         (doesGCSub):
1589         (doesGCDiv):
1590         (doesGCMul):
1591         (doesGCBitAnd):
1592         (doesGCBitOr):
1593         (doesGCBitXor):
1594
1595 2019-01-20  Saam Barati  <sbarati@apple.com>
1596
1597         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1598         https://bugs.webkit.org/show_bug.cgi?id=193644
1599         <rdar://problem/46209745>
1600
1601         Reviewed by Yusuke Suzuki.
1602
1603         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1604         (foo):
1605         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1606         (foo):
1607         (bar):
1608
1609 2019-01-20  Saam Barati  <sbarati@apple.com>
1610
1611         MovHint must merge NodeBytecodeUsesAsValue for its child
1612         https://bugs.webkit.org/show_bug.cgi?id=186916
1613         <rdar://problem/41396612>
1614
1615         Reviewed by Yusuke Suzuki.
1616
1617         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1618         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1619
1620 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1621
1622         [JSC] Invalidate old scope operations using global lexical binding epoch
1623         https://bugs.webkit.org/show_bug.cgi?id=193603
1624         <rdar://problem/47380869>
1625
1626         Reviewed by Saam Barati.
1627
1628         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1629         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1630         (shouldThrow):
1631         (bar):
1632         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1633         (shouldBe):
1634         (get1):
1635         (get2):
1636         (get1If):
1637         (get2If):
1638         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1639         (shouldThrow):
1640         (foo):
1641
1642 2019-01-17  Saam barati  <sbarati@apple.com>
1643
1644         StringObjectUse should not be a structure check for the original string object structure
1645         https://bugs.webkit.org/show_bug.cgi?id=193483
1646         <rdar://problem/47280522>
1647
1648         Reviewed by Yusuke Suzuki.
1649
1650         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1651         (foo):
1652         (a.valueOf.0):
1653
1654 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1655
1656         [JSC] ToThis omission in DFGByteCodeParser is wrong
1657         https://bugs.webkit.org/show_bug.cgi?id=193513
1658         <rdar://problem/45842236>
1659
1660         Reviewed by Saam Barati.
1661
1662         * stress/to-this-omission-with-different-strict-modes.js: Added.
1663         (thisA):
1664         (thisAStrictWrapper):
1665
1666 2019-01-15  Mark Lam  <mark.lam@apple.com>
1667
1668         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1669         https://bugs.webkit.org/show_bug.cgi?id=193423
1670         <rdar://problem/46209355>
1671
1672         Reviewed by Saam Barati.
1673
1674         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1675         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1676         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1677         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1678
1679 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1680
1681         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1682         https://bugs.webkit.org/show_bug.cgi?id=193438
1683         <rdar://problem/45581249>
1684
1685         Reviewed by Saam Barati and Keith Miller.
1686
1687         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1688         Then, GetByVal(String) crashed.
1689
1690         * stress/string-get-by-val-lowering.js: Added.
1691         (shouldBe):
1692         (test):
1693         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1694         (Hello):
1695         (foo):
1696
1697 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1698
1699         Unreviewed, skip JIT tests if it's not enabled
1700
1701         * stress/bit-op-with-object-returning-int32.js:
1702
1703 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1704
1705         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1706         https://bugs.webkit.org/show_bug.cgi?id=192966
1707
1708         Reviewed by Yusuke Suzuki.
1709
1710         * stress/bit-op-with-object-returning-int32.js: Added.
1711
1712 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1713
1714         Skip a slow test and a flakey test on arm
1715
1716         Unreviewed gardening.
1717
1718         * typeProfiler/getter-richards.js:
1719         this test always times out, it used to be always skipped on arm and
1720         mips, but got accidentally enabled by r237919 now that we have DFG on
1721         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1722
1723 2019-01-14  Keith Miller  <keith_miller@apple.com>
1724
1725         Skip type-check-hoisting-phase-hoist... with no jit
1726         https://bugs.webkit.org/show_bug.cgi?id=193421
1727
1728         Reviewed by Mark Lam.
1729
1730         It's timing out the 32-bit bots and takes 330 seconds
1731         on my machine when run by itself.
1732
1733         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1734
1735 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1736
1737         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1738         https://bugs.webkit.org/show_bug.cgi?id=193413
1739         <rdar://problem/46092389>
1740
1741         Reviewed by Keith Miller.
1742
1743         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1744         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1745         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1746         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1747
1748         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1749         (compareArray):
1750
1751 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1752
1753         [BigInt] Literal parsing is crashing when used inside a Object Literal
1754         https://bugs.webkit.org/show_bug.cgi?id=193404
1755
1756         Reviewed by Yusuke Suzuki.
1757
1758         * stress/big-int-literal-inside-literal-object.js: Added.
1759
1760 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1761
1762         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1763         https://bugs.webkit.org/show_bug.cgi?id=193372
1764
1765         Reviewed by Saam Barati.
1766
1767         * stress/typed-array-array-modes-profile.js: Added.
1768         (foo):
1769
1770 2019-01-14  Mark Lam  <mark.lam@apple.com>
1771
1772         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1773         https://bugs.webkit.org/show_bug.cgi?id=193402
1774         <rdar://problem/46012309>
1775
1776         Reviewed by Keith Miller.
1777
1778         * stress/regexp-compile-oom.js:
1779         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1780           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1781
1782 2019-01-11  Saam barati  <sbarati@apple.com>
1783
1784         DFG combined liveness can be wrong for terminal basic blocks
1785         https://bugs.webkit.org/show_bug.cgi?id=193304
1786         <rdar://problem/45268632>
1787
1788         Reviewed by Yusuke Suzuki.
1789
1790         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1791
1792 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1793
1794         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1795         https://bugs.webkit.org/show_bug.cgi?id=193308
1796         <rdar://problem/45546542>
1797
1798         Reviewed by Saam Barati.
1799
1800         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1801         (shouldThrow):
1802         (shouldBe):
1803         (foo):
1804         (get shouldThrow):
1805         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1806         (shouldThrow):
1807         (shouldBe):
1808         (foo):
1809         (get shouldBe):
1810         (get shouldThrow):
1811         (get return):
1812         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1813         (shouldThrow):
1814         (shouldBe):
1815         (foo):
1816         (get shouldBe):
1817         (get shouldThrow):
1818         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1819         (shouldThrow):
1820         (shouldBe):
1821         (foo):
1822         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1823         (shouldThrow):
1824         (shouldBe):
1825         (foo):
1826         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1827         (shouldThrow):
1828         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1829         (shouldThrow):
1830         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1831         (shouldThrow):
1832         (shouldBe):
1833         (foo):
1834         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1835         (shouldThrow):
1836         (shouldBe):
1837         (foo):
1838         (get shouldBe):
1839         (get shouldThrow):
1840         (get return):
1841         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1842         (shouldThrow):
1843         (shouldBe):
1844         (foo):
1845         (get shouldBe):
1846         (get shouldThrow):
1847         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1848         (shouldThrow):
1849         (shouldBe):
1850         (foo):
1851         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1852         (shouldThrow):
1853         (shouldBe):
1854         (foo):
1855
1856 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1857
1858         Enable DFG on ARM/Linux again
1859         https://bugs.webkit.org/show_bug.cgi?id=192496
1860
1861         Reviewed by Yusuke Suzuki.
1862
1863         Test wasn't really skipped before moving the line with skip
1864         to the top.
1865
1866         * stress/regress-192717.js:
1867
1868 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1869
1870         Unreviewed, rolling out r239825.
1871         https://bugs.webkit.org/show_bug.cgi?id=193330
1872
1873         Broke tests on armv7/linux bots (Requested by guijemont on
1874         #webkit).
1875
1876         Reverted changeset:
1877
1878         "Enable DFG on ARM/Linux again"
1879         https://bugs.webkit.org/show_bug.cgi?id=192496
1880         https://trac.webkit.org/changeset/239825
1881
1882 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1883
1884         Enable DFG on ARM/Linux again
1885         https://bugs.webkit.org/show_bug.cgi?id=192496
1886
1887         Reviewed by Yusuke Suzuki.
1888
1889         Test wasn't really skipped before moving the line with skip
1890         to the top.
1891
1892         * stress/regress-192717.js:
1893
1894 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1895
1896         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1897         https://bugs.webkit.org/show_bug.cgi?id=193127
1898
1899         Reviewed by Saam Barati.
1900
1901         * stress/array-species-create-should-handle-masquerader.js: Added.
1902         (shouldThrow):
1903         * stress/is-undefined-or-null-builtin.js: Added.
1904         (shouldBe):
1905         (isUndefinedOrNull.vm.createBuiltin):
1906
1907 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1908
1909         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1910         https://bugs.webkit.org/show_bug.cgi?id=193221
1911
1912         Reviewed by Mark Lam.
1913
1914         * stress/put-by-id-flags.js: Added.
1915         (f):
1916         (g):
1917         (numberOfDFGCompiles):
1918
1919 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1920
1921         Baseline version of get_by_id may corrupt metadata
1922         https://bugs.webkit.org/show_bug.cgi?id=193085
1923         <rdar://problem/23453006>
1924
1925         Reviewed by Saam Barati.
1926
1927         * stress/get-by-id-change-mode.js: Added.
1928         (forEach):
1929
1930 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1931
1932         [JSC] Optimize Object.prototype.toString
1933         https://bugs.webkit.org/show_bug.cgi?id=193031
1934
1935         Reviewed by Saam Barati.
1936
1937         * stress/object-tostring-changed-proto.js: Added.
1938         (shouldBe):
1939         (test):
1940         * stress/object-tostring-changed.js: Added.
1941         (shouldBe):
1942         (test):
1943         * stress/object-tostring-misc.js: Added.
1944         (shouldBe):
1945         (test):
1946         (i.switch):
1947         * stress/object-tostring-other.js: Added.
1948         (shouldBe):
1949         (test):
1950         * stress/object-tostring-untyped.js: Added.
1951         (shouldBe):
1952         (test):
1953         (i.switch):
1954
1955 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1956
1957         test262-runner misbehaves when test file YAML has a trailing space
1958         https://bugs.webkit.org/show_bug.cgi?id=193053
1959
1960         Reviewed by Yusuke Suzuki.
1961
1962         * test262/expectations.yaml:
1963         Mark two dozen tests as passing (and correct the output of another).
1964
1965 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1966
1967         Unreviewed, JSTests gardening with memoryLimited
1968
1969         * stress/string-overflow-createError.js:
1970
1971 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1972
1973         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1974         https://bugs.webkit.org/show_bug.cgi?id=193050
1975
1976         Reviewed by Yusuke Suzuki.
1977
1978         * test262.yaml:
1979         * test262/expectations.yaml:
1980         Mark 16 tests as passing.
1981
1982 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1983
1984         [BigInt] Support BigInt in JSON.stringify
1985         https://bugs.webkit.org/show_bug.cgi?id=192624
1986
1987         Reviewed by Saam Barati.
1988
1989         * stress/big-int-json-stringify-to-json.js: Added.
1990         (shouldBe):
1991         (shouldThrow):
1992         (BigInt.prototype.toJSON):
1993         (shouldBe.JSON.stringify):
1994         * stress/big-int-json-stringify.js: Added.
1995         (shouldBe):
1996         (shouldThrow):
1997
1998 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1999
2000         [JSC] Implement "well-formed JSON.stringify" proposal
2001         https://bugs.webkit.org/show_bug.cgi?id=191677
2002
2003         Reviewed by Darin Adler.
2004
2005         * stress/json-surrogate-pair.js: Added.
2006         (shouldBe):
2007         * test262/expectations.yaml:
2008
2009 2018-12-20  Keith Miller  <keith_miller@apple.com>
2010
2011         Add support for globalThis
2012         https://bugs.webkit.org/show_bug.cgi?id=165171
2013
2014         Reviewed by Mark Lam.
2015
2016         * test262/config.yaml:
2017
2018 2018-12-19  Keith Miller  <keith_miller@apple.com>
2019
2020         Update test262 configuration to not run tests dependent on ICU version.
2021         https://bugs.webkit.org/show_bug.cgi?id=192920
2022
2023         Reviewed by Saam Barati.
2024
2025         * test262/expectations.yaml:
2026
2027 2018-12-20  Mark Lam  <mark.lam@apple.com>
2028
2029         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2030         https://bugs.webkit.org/show_bug.cgi?id=192939
2031         <rdar://problem/46869516>
2032
2033         Reviewed by Keith Miller.
2034
2035         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2036
2037 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2038
2039         WTF::String and StringImpl overflow MaxLength
2040         https://bugs.webkit.org/show_bug.cgi?id=192853
2041         <rdar://problem/45726906>
2042
2043         Reviewed by Mark Lam.
2044
2045         * stress/string-16bit-repeat-overflow.js: Added.
2046         (catch):
2047
2048 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2049
2050         Unreviewed follow-up to r192914.
2051
2052         * test262/expectations.yaml:
2053         Add the last 20 missing expectations.
2054
2055 2018-12-19  Keith Miller  <keith_miller@apple.com>
2056
2057         Fix test262 expectations
2058         https://bugs.webkit.org/show_bug.cgi?id=192914
2059
2060         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2061
2062         * test262/expectations.yaml:
2063
2064 2018-12-19  Keith Miller  <keith_miller@apple.com>
2065
2066         Update test262 tests.
2067         https://bugs.webkit.org/show_bug.cgi?id=192907
2068
2069         Rubber stamped by Mark Lam.
2070
2071         * test262/*: Omitted because prepare-changelog crashes.
2072
2073 2018-12-19  Mark Lam  <mark.lam@apple.com>
2074
2075         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2076         https://bugs.webkit.org/show_bug.cgi?id=192464
2077         <rdar://problem/46519455>
2078
2079         Reviewed by Saam Barati.
2080
2081         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2082         microbenchmark.
2083
2084         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2085         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2086
2087 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2088
2089         String overflow in JSC::createError results in ASSERT in WTF::makeString
2090         https://bugs.webkit.org/show_bug.cgi?id=192833
2091         <rdar://problem/45706868>
2092
2093         Reviewed by Mark Lam.
2094
2095         * stress/string-overflow-createError.js: Added.
2096
2097 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2098
2099         Error message for `-x ** y` contains a typo.
2100         https://bugs.webkit.org/show_bug.cgi?id=192832
2101
2102         Reviewed by Saam Barati.
2103
2104         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2105         (assert.assert.return.throws):
2106         * stress/pow-expects-update-expression-on-lhs.js:
2107         (throw.new.Error):
2108         Update test expectations which match against the exact error message.
2109
2110 2018-12-18  Mark Lam  <mark.lam@apple.com>
2111
2112         Gardening: test options fix.
2113         https://bugs.webkit.org/show_bug.cgi?id=192822
2114
2115         Unreviewed.
2116
2117         * stress/json-stringify-string-builder-overflow.js:
2118
2119 2018-12-18  Mark Lam  <mark.lam@apple.com>
2120
2121         JSON.stringify() should throw OOM on StringBuilder overflows.
2122         https://bugs.webkit.org/show_bug.cgi?id=192822
2123         <rdar://problem/46670577>
2124
2125         Reviewed by Saam Barati.
2126
2127         * stress/json-stringify-string-builder-overflow.js: Added.
2128
2129 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2130
2131         Redeclaration of var over let/const/class should be a syntax error.
2132         https://bugs.webkit.org/show_bug.cgi?id=192298
2133
2134         Reviewed by Keith Miller.
2135
2136         * test262.yaml:
2137         * test262/expectations.yaml:
2138         Mark 46 tests as passing.
2139
2140         * stress/block-scope-redeclarations.js:
2141         Add some new tests.
2142
2143         * stress/for-in-invalidate-context-weird-assignments.js:
2144         * stress/for-in-tests.js:
2145         Replace tests for outdated behavior with tests for SyntaxError.
2146
2147         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2148         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2149         Update expectations.
2150
2151 2018-12-18  Mark Lam  <mark.lam@apple.com>
2152
2153         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2154         https://bugs.webkit.org/show_bug.cgi?id=191374
2155         <rdar://problem/46525447>
2156
2157         Reviewed by Yusuke Suzuki.
2158
2159         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2160
2161         * stress/elidable-new-object-roflcopter-then-exit.js:
2162
2163 2018-12-17  Mark Lam  <mark.lam@apple.com>
2164
2165         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2166         https://bugs.webkit.org/show_bug.cgi?id=192019
2167         <rdar://problem/46525456>
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         The test runs too slow on 32-bit.
2172
2173         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2174
2175 2018-12-17  Mark Lam  <mark.lam@apple.com>
2176
2177         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2178         https://bugs.webkit.org/show_bug.cgi?id=191373
2179         <rdar://problem/46525458>
2180
2181         Reviewed by Yusuke Suzuki.
2182
2183         The test is already slow running with a JIT on 64-bit.  It will always time out
2184         on 32-bit without a JIT.
2185
2186         * stress/materialize-regexp-cyclic-regexp.js:
2187
2188 2018-12-17  Mark Lam  <mark.lam@apple.com>
2189
2190         Array unshift/shift should not race against the AI in the compiler thread.
2191         https://bugs.webkit.org/show_bug.cgi?id=192795
2192         <rdar://problem/46724263>
2193
2194         Reviewed by Saam Barati.
2195
2196         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2197
2198 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2199
2200         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2201         https://bugs.webkit.org/show_bug.cgi?id=190047
2202
2203         Reviewed by Saam Barati.
2204
2205         * stress/object-keys-cached-zero.js: Added.
2206         (shouldBe):
2207         (test):
2208         * stress/object-keys-changed-attribute.js: Added.
2209         (shouldBe):
2210         (test):
2211         * stress/object-keys-changed-index.js: Added.
2212         (shouldBe):
2213         (test):
2214         * stress/object-keys-changed.js: Added.
2215         (shouldBe):
2216         (test):
2217         * stress/object-keys-indexed-non-cache.js: Added.
2218         (shouldBe):
2219         (test):
2220         * stress/object-keys-overrides-get-property-names.js: Added.
2221         (shouldBe):
2222         (test):
2223         (noInline):
2224
2225 2018-12-17  Mark Lam  <mark.lam@apple.com>
2226
2227         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2228         https://bugs.webkit.org/show_bug.cgi?id=192779
2229         <rdar://problem/46775869>
2230
2231         Reviewed by Saam Barati.
2232
2233         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2234
2235 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2236
2237         Unreviewed test gardening, address a syntax error in a new test.
2238
2239         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2240
2241 2018-12-17  Mark Lam  <mark.lam@apple.com>
2242
2243         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2244         https://bugs.webkit.org/show_bug.cgi?id=192776
2245         <rdar://problem/46772368>
2246
2247         Reviewed by Keith Miller.
2248
2249         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2250
2251 2018-12-17  Mark Lam  <mark.lam@apple.com>
2252
2253         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2254         https://bugs.webkit.org/show_bug.cgi?id=192770
2255         <rdar://problem/46449037>
2256
2257         Reviewed by Keith Miller.
2258
2259         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2260
2261 2018-12-14  Mark Lam  <mark.lam@apple.com>
2262
2263         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2264         https://bugs.webkit.org/show_bug.cgi?id=192717
2265         <rdar://problem/46660677>
2266
2267         Reviewed by Saam Barati.
2268
2269         * stress/regress-192717.js: Added.
2270
2271 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2272
2273         Unreviewed, rolling out r239153, r239154, and r239155.
2274         https://bugs.webkit.org/show_bug.cgi?id=192715
2275
2276         Caused flaky GC-related crashes seen with layout tests
2277         (Requested by ryanhaddad on #webkit).
2278
2279         Reverted changesets:
2280
2281         "[JSC] Optimize Object.keys by caching own keys results in
2282         StructureRareData"
2283         https://bugs.webkit.org/show_bug.cgi?id=190047
2284         https://trac.webkit.org/changeset/239153
2285
2286         "Unreviewed, build fix after r239153"
2287         https://bugs.webkit.org/show_bug.cgi?id=190047
2288         https://trac.webkit.org/changeset/239154
2289
2290         "Unreviewed, build fix after r239153, part 2"
2291         https://bugs.webkit.org/show_bug.cgi?id=190047
2292         https://trac.webkit.org/changeset/239155
2293
2294 2018-12-14  Keith Miller  <keith_miller@apple.com>
2295
2296         Callers of JSString::getIndex should check for OOM exceptions
2297         https://bugs.webkit.org/show_bug.cgi?id=192709
2298
2299         Reviewed by Mark Lam.
2300
2301         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2302
2303 2018-12-13  Mark Lam  <mark.lam@apple.com>
2304
2305         Add a missing exception check.
2306         https://bugs.webkit.org/show_bug.cgi?id=192626
2307         <rdar://problem/46662163>
2308
2309         Reviewed by Keith Miller.
2310
2311         * stress/regress-192626.js: Added.
2312
2313 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2314
2315         [BigInt] Add ValueDiv into DFG
2316         https://bugs.webkit.org/show_bug.cgi?id=186178
2317
2318         Reviewed by Yusuke Suzuki.
2319
2320         * stress/big-int-div-jit-osr.js: Added.
2321         * stress/big-int-div-jit-untyped.js: Added.
2322         * stress/value-div-fixup-int32-big-int.js: Added.
2323
2324 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2325
2326         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2327         https://bugs.webkit.org/show_bug.cgi?id=190047
2328
2329         Reviewed by Keith Miller.
2330
2331         * stress/object-keys-cached-zero.js: Added.
2332         (shouldBe):
2333         (test):
2334         * stress/object-keys-changed-attribute.js: Added.
2335         (shouldBe):
2336         (test):
2337         * stress/object-keys-changed-index.js: Added.
2338         (shouldBe):
2339         (test):
2340         * stress/object-keys-changed.js: Added.
2341         (shouldBe):
2342         (test):
2343         * stress/object-keys-indexed-non-cache.js: Added.
2344         (shouldBe):
2345         (test):
2346         * stress/object-keys-overrides-get-property-names.js: Added.
2347         (shouldBe):
2348         (test):
2349         (noInline):
2350
2351 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2352
2353         [DFG][FTL] Add NewSymbol
2354         https://bugs.webkit.org/show_bug.cgi?id=192620
2355
2356         Reviewed by Saam Barati.
2357
2358         * microbenchmarks/symbol-creation.js: Added.
2359         (test):
2360         * stress/symbol-description-identity.js: Added.
2361         (shouldBe):
2362         (test):
2363         * stress/symbol-identity.js: Added.
2364         (shouldBe):
2365         (test):
2366         * stress/symbol-with-description-throw-error.js: Added.
2367         (shouldBe):
2368         (shouldThrow):
2369         (test):
2370         (object.toString):
2371
2372 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2373
2374         [BigInt] Implement DFG/FTL typeof for BigInt
2375         https://bugs.webkit.org/show_bug.cgi?id=192619
2376
2377         Reviewed by Keith Miller.
2378
2379         * stress/big-int-boolean-proven-type.js: Added.
2380         (assert):
2381         (bool):
2382         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2383         (assert):
2384         (typeOf):
2385         (i.switch):
2386         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2387         (assert):
2388         (typeOf):
2389         * stress/big-int-type-of.js:
2390         (typeOf):
2391         (func):
2392
2393 2018-12-10  Mark Lam  <mark.lam@apple.com>
2394
2395         PropertyAttribute needs a CustomValue bit.
2396         https://bugs.webkit.org/show_bug.cgi?id=191993
2397         <rdar://problem/46264467>
2398
2399         Reviewed by Saam Barati.
2400
2401         * stress/regress-191993.js: Added.
2402
2403 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2404
2405         [BigInt] Add ValueMul into DFG
2406         https://bugs.webkit.org/show_bug.cgi?id=186175
2407
2408         Reviewed by Yusuke Suzuki.
2409
2410         * stress/big-int-mul-jit-osr.js: Added.
2411         * stress/big-int-mul-jit-untyped.js: Added.
2412         * stress/value-mul-fixup-int32-big-int.js: Added.
2413
2414 2018-12-06  Keith Miller  <keith_miller@apple.com>
2415
2416         stress/big-wasm-memory tests failing on 32-bit JSC bot
2417         https://bugs.webkit.org/show_bug.cgi?id=192020
2418
2419         Reviewed by Saam Barati.
2420
2421         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2422         the wasm stress tests if the WebAssembly object does not exist.
2423
2424         * stress/big-wasm-memory-grow-no-max.js:
2425         (test.foo):
2426         (test):
2427         (foo): Deleted.
2428         (catch): Deleted.
2429         * stress/big-wasm-memory-grow.js:
2430         (test.foo):
2431         (test):
2432         (foo): Deleted.
2433         (catch): Deleted.
2434         * stress/big-wasm-memory.js:
2435         (test.foo):
2436         (test):
2437         (foo): Deleted.
2438         (catch): Deleted.
2439
2440 2018-12-05  Mark Lam  <mark.lam@apple.com>
2441
2442         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2443         https://bugs.webkit.org/show_bug.cgi?id=192441
2444         <rdar://problem/46480355>
2445
2446         Reviewed by Saam Barati.
2447
2448         * stress/regress-192441.js: Added.
2449
2450 2018-12-04  Mark Lam  <mark.lam@apple.com>
2451
2452         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2453         https://bugs.webkit.org/show_bug.cgi?id=192386
2454         <rdar://problem/46445516>
2455
2456         Reviewed by Saam Barati.
2457
2458         * stress/regress-192386.js: Added.
2459
2460 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2461
2462         [ESNext][BigInt] Support logic operations
2463         https://bugs.webkit.org/show_bug.cgi?id=179903
2464
2465         Reviewed by Yusuke Suzuki.
2466
2467         * stress/big-int-branch-usage.js: Added.
2468         * stress/big-int-logical-and.js: Added.
2469         * stress/big-int-logical-not.js: Added.
2470         * stress/big-int-logical-or.js: Added.
2471
2472 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2473
2474         Unreviewed, rolling out r238833.
2475
2476         Breaks macOS and iOS debug builds.
2477
2478         Reverted changeset:
2479
2480         "[ESNext][BigInt] Support logic operations"
2481         https://bugs.webkit.org/show_bug.cgi?id=179903
2482         https://trac.webkit.org/changeset/238833
2483
2484 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2485
2486         [ESNext][BigInt] Support logic operations
2487         https://bugs.webkit.org/show_bug.cgi?id=179903
2488
2489         Reviewed by Yusuke Suzuki.
2490
2491         * stress/big-int-branch-usage.js: Added.
2492         * stress/big-int-logical-and.js: Added.
2493         * stress/big-int-logical-not.js: Added.
2494         * stress/big-int-logical-or.js: Added.
2495
2496 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2497
2498         [ESNext][BigInt] Implement support for "<<" and ">>"
2499         https://bugs.webkit.org/show_bug.cgi?id=186233
2500
2501         Reviewed by Yusuke Suzuki.
2502
2503         * stress/big-int-left-shift-general.js: Added.
2504         * stress/big-int-left-shift-range-error.js: Added.
2505         * stress/big-int-left-shift-type-error.js: Added.
2506         * stress/big-int-left-shift-wrapped-value.js: Added.
2507         * stress/big-int-right-shift-general.js: Added.
2508         * stress/big-int-right-shift-type-error.js: Added.
2509         * stress/big-int-right-shift-wrapped-value.js: Added.
2510         * stress/left-shift-to-primitive-precedence.js: Added.
2511         * stress/right-shift-to-primitive-precedence.js: Added.
2512
2513 2018-11-30  Dean Jackson  <dino@apple.com>
2514
2515         Add first-class support for .mjs files in jsc binary
2516         https://bugs.webkit.org/show_bug.cgi?id=192190
2517         <rdar://problem/46375715>
2518
2519         Reviewed by Keith Miller.
2520
2521         * stress/simple-module.mjs: Added.
2522         * stress/simple-script.js: Added.
2523
2524 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2525
2526         [BigInt] Implement ValueBitXor into DFG
2527         https://bugs.webkit.org/show_bug.cgi?id=190264
2528
2529         Reviewed by Yusuke Suzuki.
2530
2531         * stress/big-int-bitwise-xor-jit.js: Added.
2532         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2533         * stress/big-int-bitwise-xor-untyped.js: Added.
2534
2535 2018-11-27  Saam barati  <sbarati@apple.com>
2536
2537         r238510 broke scopes of size zero
2538         https://bugs.webkit.org/show_bug.cgi?id=192033
2539         <rdar://problem/46281734>
2540
2541         Reviewed by Keith Miller.
2542
2543         * stress/r238510-bad-loop.js: Added.
2544         (foo):
2545
2546 2018-11-27  Mark Lam  <mark.lam@apple.com>
2547
2548         [Re-landing] NaNs read from Wasm code needs to be purified.
2549         https://bugs.webkit.org/show_bug.cgi?id=191056
2550         <rdar://problem/45660341>
2551
2552         Reviewed by Filip Pizlo.
2553
2554         * wasm/regress/regress-191056.js: Added.
2555
2556 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2557
2558         Unreviewed, rolling out r238509.
2559
2560         Causes JSC tests to fail on iOS.
2561
2562         Reverted changeset:
2563
2564         "NaNs read from Wasm code needs to be purified."
2565         https://bugs.webkit.org/show_bug.cgi?id=191056
2566         https://trac.webkit.org/changeset/238509
2567
2568 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2569
2570         Re-introduce op_bitnot
2571         https://bugs.webkit.org/show_bug.cgi?id=190923
2572
2573         Reviewed by Yusuke Suzuki.
2574
2575         * stress/bit-not-must-generate.js: Added.
2576         * stress/bitwise-not-no-int32.js: Added.
2577
2578 2018-11-26  Saam barati  <sbarati@apple.com>
2579
2580         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2581         https://bugs.webkit.org/show_bug.cgi?id=191956
2582         <rdar://problem/45665806>
2583
2584         Reviewed by Yusuke Suzuki.
2585
2586         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2587         (bar):
2588         (foo):
2589
2590 2018-11-26  Saam barati  <sbarati@apple.com>
2591
2592         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2593         https://bugs.webkit.org/show_bug.cgi?id=191958
2594         <rdar://problem/46221877>
2595
2596         Reviewed by Yusuke Suzuki.
2597
2598         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2599         (x):
2600         (foo):
2601
2602 2018-11-26  Mark Lam  <mark.lam@apple.com>
2603
2604         NaNs read from Wasm code needs to be purified.
2605         https://bugs.webkit.org/show_bug.cgi?id=191056
2606         <rdar://problem/45660341>
2607
2608         Reviewed by Filip Pizlo.
2609
2610         * wasm/regress/regress-191056.js: Added.
2611
2612 2018-11-26  Michael Saboff  <msaboff@apple.com>
2613
2614         32-bit JSC test failure: stress/regexp-compile-oom.js
2615         https://bugs.webkit.org/show_bug.cgi?id=191375
2616
2617         Reviewed by Mark Lam.
2618
2619         Disabled the test for 32 bit platforms.
2620
2621         * stress/regexp-compile-oom.js:
2622
2623 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2624
2625         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2626         https://bugs.webkit.org/show_bug.cgi?id=191716
2627         <rdar://problem/45723878>
2628
2629         Reviewed by Saam Barati.
2630
2631         * stress/regress-187373.js: Added.
2632         (async.fn):
2633
2634 2018-11-21  Saam barati  <sbarati@apple.com>
2635
2636         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2637         https://bugs.webkit.org/show_bug.cgi?id=191897
2638         <rdar://problem/45871998>
2639
2640         Reviewed by Mark Lam.
2641
2642         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2643         (bar):
2644         (foo):
2645
2646 2018-11-21  Saam barati  <sbarati@apple.com>
2647
2648         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2649         https://bugs.webkit.org/show_bug.cgi?id=191895
2650         <rdar://problem/46167406>
2651
2652         Reviewed by Mark Lam.
2653
2654         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2655         (foo):
2656         (bar):
2657
2658 2018-11-21  Mark Lam  <mark.lam@apple.com>
2659
2660         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2661         https://bugs.webkit.org/show_bug.cgi?id=191776
2662         <rdar://problem/46152851>
2663
2664         Reviewed by Saam Barati.
2665
2666         * stress/big-wasm-memory-grow-no-max.js:
2667         * stress/big-wasm-memory-grow.js:
2668         * stress/big-wasm-memory.js:
2669         - updated these to expect an OutOfMemoryError.
2670
2671         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2672         (Binary.prototype.emit_u8):
2673         (Binary.prototype.emit_u32v):
2674         (Binary.prototype.emit_header):
2675         (Binary.prototype.emit_section):
2676         (Binary):
2677         (WasmModuleBuilder):
2678         (WasmModuleBuilder.prototype.addMemory):
2679         (WasmModuleBuilder.prototype.toArray):
2680         (WasmModuleBuilder.prototype.toBuffer):
2681         (WasmModuleBuilder.prototype.instantiate):
2682         (catch):
2683         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2684         (catch):
2685
2686 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2687
2688         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2689         https://bugs.webkit.org/show_bug.cgi?id=190836
2690
2691         Reviewed by Saam Barati and Yusuke Suzuki.
2692
2693         * stress/big-int-out-of-memory-tests.js: Added.
2694
2695 2018-11-20  Mark Lam  <mark.lam@apple.com>
2696
2697         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2698         https://bugs.webkit.org/show_bug.cgi?id=191856
2699         <rdar://problem/46089992>
2700
2701         Reviewed by Yusuke Suzuki.
2702
2703         * stress/regress-191856.js: Added.
2704         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2705
2706 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2707
2708         Enable JIT on ARM/Linux
2709         https://bugs.webkit.org/show_bug.cgi?id=191548
2710
2711         Reviewed by Yusuke Suzuki.
2712
2713         Disable test on system with limited memory. Program was killed by
2714         the OS before the exception was thrown.
2715
2716         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2717
2718 2018-11-20  Saam barati  <sbarati@apple.com>
2719
2720         Merging an IC variant may lead to the IC status containing overlapping structure sets
2721         https://bugs.webkit.org/show_bug.cgi?id=191869
2722         <rdar://problem/45403453>
2723
2724         Reviewed by Mark Lam.
2725
2726         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2727
2728 2018-11-19  Mark Lam  <mark.lam@apple.com>
2729
2730         globalFuncImportModule() should return a promise when it clears exceptions.
2731         https://bugs.webkit.org/show_bug.cgi?id=191792
2732         <rdar://problem/46090763>
2733
2734         Reviewed by Michael Saboff.
2735
2736         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2737
2738 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2739
2740         Skip new memory-hungry tests on memory limited devices
2741
2742         Unreviewed gardening.
2743
2744         * stress/big-wasm-memory-grow-no-max.js:
2745         * stress/big-wasm-memory-grow.js:
2746         * stress/big-wasm-memory.js:
2747
2748 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2749
2750         Unreviewed, rolling in the rest of r237254
2751         https://bugs.webkit.org/show_bug.cgi?id=190340
2752
2753         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2754         * stress/function-cache-with-parameters-end-position.js: Added.
2755         (shouldBe):
2756         (shouldThrow):
2757         (i.anonymous):
2758         * stress/function-constructor-name.js: Added.
2759         (shouldBe):
2760         (GeneratorFunction):
2761         (AsyncFunction.async):
2762         (AsyncGeneratorFunction.async):
2763         (anonymous):
2764         (async.anonymous):
2765         * test262/expectations.yaml:
2766
2767 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2768
2769         All users of ArrayBuffer should agree on the same max size
2770         https://bugs.webkit.org/show_bug.cgi?id=191771
2771
2772         Reviewed by Mark Lam.
2773
2774         * stress/big-wasm-memory-grow-no-max.js: Added.
2775         (foo):
2776         (catch):
2777         * stress/big-wasm-memory-grow.js: Added.
2778         (foo):
2779         (catch):
2780         * stress/big-wasm-memory.js: Added.
2781         (foo):
2782         (catch):
2783
2784 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2785
2786         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2787         run for each JSC config since they're regression tests for runtime bugs.
2788
2789         * stress/json-stringified-overflow-2.js:
2790         * stress/json-stringified-overflow.js:
2791
2792 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2793
2794         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2795         config since they're regression tests for runtime bugs.
2796
2797         * stress/large-unshift-splice.js:
2798         * stress/regress-185888.js:
2799
2800 2018-11-16  Saam Barati  <sbarati@apple.com>
2801
2802         KnownCellUse should also have SpecCellCheck as its type filter
2803         https://bugs.webkit.org/show_bug.cgi?id=191729
2804         <rdar://problem/45872852>
2805
2806         Reviewed by Filip Pizlo.
2807
2808         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2809         (C):
2810
2811 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2812
2813         Fix assertion failure on BytecodeGenerator::recordOpcode
2814         https://bugs.webkit.org/show_bug.cgi?id=191724
2815         <rdar://problem/45724395>
2816
2817         Reviewed by Saam Barati.
2818
2819         * stress/regress-187373-2.js: Added.
2820         (foo):
2821
2822 2018-11-15  Mark Lam  <mark.lam@apple.com>
2823
2824         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2825         https://bugs.webkit.org/show_bug.cgi?id=191730
2826         <rdar://problem/46048517>
2827
2828         Reviewed by Saam Barati.
2829
2830         * stress/regress-187006.js: Removed.
2831           - this test is invalid because its sole purpose is to test for the non-spec
2832             compliant behavior that we just fixed.
2833
2834         * stress/regress-191730.js: Added.
2835
2836 2018-11-15  Mark Lam  <mark.lam@apple.com>
2837
2838         RegExp operations should not take fast path if lastIndex is not numeric.
2839         https://bugs.webkit.org/show_bug.cgi?id=191731
2840         <rdar://problem/46017305>
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/regress-191731.js: Added.
2845
2846 2018-11-13  Saam Barati  <sbarati@apple.com>
2847
2848         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2849         https://bugs.webkit.org/show_bug.cgi?id=191600
2850
2851         Reviewed by Mark Lam.
2852
2853         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2854         (foo):
2855         (test):
2856         (bar):
2857
2858 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2859
2860         Unreviewed, rolling out r238132.
2861
2862         The test added with this change is timing out on Debug JSC
2863         bots.
2864
2865         Reverted changeset:
2866
2867         "[BigInt] JSBigInt::createWithLength should throw when length
2868         is greater than JSBigInt::maxLength"
2869         https://bugs.webkit.org/show_bug.cgi?id=190836
2870         https://trac.webkit.org/changeset/238132
2871
2872 2018-11-13  Mark Lam  <mark.lam@apple.com>
2873
2874         Add OOM detection to StringPrototype's substituteBackreferences().
2875         https://bugs.webkit.org/show_bug.cgi?id=191563
2876         <rdar://problem/45720428>
2877
2878         Reviewed by Saam Barati.
2879
2880         * stress/regress-191563.js: Added.
2881
2882 2018-11-13  Mark Lam  <mark.lam@apple.com>
2883
2884         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2885         https://bugs.webkit.org/show_bug.cgi?id=191579
2886         <rdar://problem/45942472>
2887
2888         Reviewed by Saam Barati.
2889
2890         * stress/regress-191579.js: Added.
2891
2892 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2893
2894         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2895         https://bugs.webkit.org/show_bug.cgi?id=190836
2896
2897         Reviewed by Saam Barati.
2898
2899         * stress/big-int-out-of-memory-tests.js: Added.
2900
2901 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2902
2903         U+180E is no longer a whitespace character
2904         https://bugs.webkit.org/show_bug.cgi?id=191415
2905
2906         Reviewed by Saam Barati.
2907
2908         * ChakraCore/test/es5/regexSpace.baseline:
2909         * ChakraCore/test/es6/unicode_whitespace.js:
2910         Update tests to latest version.
2911         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2912
2913         * test262.yaml:
2914         * test262/config.yaml:
2915         * test262/expectations.yaml:
2916         Update expectations.
2917
2918 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2919
2920         [BigInt] Add support to BigInt into ValueAdd
2921         https://bugs.webkit.org/show_bug.cgi?id=186177
2922
2923         Reviewed by Keith Miller.
2924
2925         * stress/big-int-negate-jit.js:
2926         * stress/value-add-big-int-and-string.js: Added.
2927         * stress/value-add-big-int-prediction-propagation.js: Added.
2928         * stress/value-add-big-int-untyped.js: Added.
2929
2930 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2931
2932         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2933         https://bugs.webkit.org/show_bug.cgi?id=191184
2934
2935         Reviewed by Saam Barati.
2936
2937         Most tests were failing due to timeouts, since they are too slow to
2938         run on CLoop. The exceptions are:
2939
2940         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2941         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2942         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2943         to change the stack size since CLoop requires it to be page aligned.
2944
2945         * microbenchmarks/array-push-1.js:
2946         * microbenchmarks/array-push-2.js:
2947         * microbenchmarks/elidable-new-object-dag.js:
2948         * microbenchmarks/elidable-new-object-roflcopter.js:
2949         * microbenchmarks/elidable-new-object-tree.js:
2950         * microbenchmarks/getter-richards.js:
2951         * microbenchmarks/sinkable-new-object-dag.js:
2952         * microbenchmarks/string-concat-long-convert.js:
2953         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2954         * slowMicrobenchmarks/array-push-3.js:
2955         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2956         * slowMicrobenchmarks/spread-small-array.js:
2957         * slowMicrobenchmarks/undefined-property-access.js:
2958         * stress/activation-sink-default-value-tdz-error.js:
2959         * stress/activation-sink-default-value.js:
2960         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2961         * stress/activation-sink-osrexit-default-value.js:
2962         * stress/activation-sink-osrexit.js:
2963         * stress/activation-sink.js:
2964         * stress/allow-math-ic-b3-code-duplication.js:
2965         * stress/array-push-multiple-int32.js:
2966         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2967         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2968         * stress/arrowfunction-lexical-this-activation-sink.js:
2969         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2970         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2971         * stress/elide-new-object-dag-then-exit.js:
2972         * stress/materialize-regexp-cyclic.js:
2973         * stress/new-regex-inline.js:
2974         * stress/op_add.js:
2975         * stress/op_bitand.js:
2976         * stress/op_bitor.js:
2977         * stress/op_bitxor.js:
2978         * stress/op_div-ConstVar.js:
2979         * stress/op_div-VarConst.js:
2980         * stress/op_div-VarVar.js:
2981         * stress/op_lshift-ConstVar.js:
2982         * stress/op_lshift-VarConst.js:
2983         * stress/op_lshift-VarVar.js:
2984         * stress/op_mod-ConstVar.js:
2985         * stress/op_mod-VarConst.js:
2986         * stress/op_mod-VarVar.js:
2987         * stress/op_mul-ConstVar.js:
2988         * stress/op_mul-VarConst.js:
2989         * stress/op_mul-VarVar.js:
2990         * stress/op_rshift-ConstVar.js:
2991         * stress/op_rshift-VarConst.js:
2992         * stress/op_rshift-VarVar.js:
2993         * stress/op_sub-ConstVar.js:
2994         * stress/op_sub-VarConst.js:
2995         * stress/op_sub-VarVar.js:
2996         * stress/op_urshift-ConstVar.js:
2997         * stress/op_urshift-VarConst.js:
2998         * stress/op_urshift-VarVar.js:
2999         * stress/proxy-get-set-correct-receiver.js:
3000         * stress/regress-179562.js:
3001         * stress/rest-parameter-many-arguments.js:
3002         * stress/sampling-profiler-richards.js:
3003         * stress/splay-flash-access-1ms.js:
3004         * stress/tailCallForwardArguments.js:
3005         * stress/typed-array-get-by-val-profiling.js:
3006         * typeProfiler/getter-richards.js:
3007
3008 2018-11-06  Michael Saboff  <msaboff@apple.com>
3009
3010         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3011         https://bugs.webkit.org/show_bug.cgi?id=191271
3012
3013         Reviewed by Saam Barati.
3014
3015         Added more test cases and made all test cases run with the same deeply recursive stack
3016         instead of finding that same point for each test case.
3017
3018         * stress/regexp-compile-oom.js:
3019         (prototype.runTest):
3020         (recurseAndTest):
3021         (testList.push.new.TestAndExpectedException):
3022
3023 2018-11-05  Michael Saboff  <msaboff@apple.com>
3024
3025         Unreviewed build fix for linux.
3026
3027         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3028
3029 2018-11-02  Michael Saboff  <msaboff@apple.com>
3030
3031         Rolling in r237753 with unreviewed build fix.
3032
3033         Fixed issues with DECLARE_THROW_SCOPE placement.
3034
3035 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3036
3037         Unreviewed, rolling out r237753.
3038
3039         Introduced JSC test failures
3040
3041         Reverted changeset:
3042
3043         "Running out of stack space not properly handled in
3044         RegExp::compile() and its callers"
3045         https://bugs.webkit.org/show_bug.cgi?id=191206
3046         https://trac.webkit.org/changeset/237753
3047
3048 2018-11-02  Michael Saboff  <msaboff@apple.com>
3049
3050         Running out of stack space not properly handled in RegExp::compile() and its callers
3051         https://bugs.webkit.org/show_bug.cgi?id=191206
3052
3053         Reviewed by Filip Pizlo.
3054
3055         New regression test.
3056
3057         * stress/regexp-compile-oom.js: Added.
3058         (recurseAndTest):
3059
3060 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3061
3062         Skip tests on arm/mips that time out now we're running on CLoop
3063
3064         Unreviewed gardening.
3065
3066         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3067         time out on the bots and need to be disabled. There's more tests
3068         disabled on arm because the timeout is longer on the mips bot (as the
3069         device is slower to start with), so many of the tests don't time out
3070         there.
3071
3072         * microbenchmarks/getter-richards.js: disable on arm and mips.
3073         * stress/op_add.js: disable on arm.
3074         * stress/op_bitand.js: disable on arm.
3075         * stress/op_bitor.js: disable on arm.
3076         * stress/op_bitxor.js: disable on arm.
3077         * stress/op_lshift-ConstVar.js: disable on arm.
3078         * stress/op_lshift-VarConst.js: disable on arm.
3079         * stress/op_lshift-VarVar.js: disable on arm.
3080         * stress/op_mod-ConstVar.js: disable on arm.
3081         * stress/op_mod-VarConst.js: disable on arm.
3082         * stress/op_mod-VarVar.js: disable on arm.
3083         * stress/op_mul-ConstVar.js: disable on arm.
3084         * stress/op_mul-VarConst.js: disable on arm.
3085         * stress/op_mul-VarVar.js: disable on arm.
3086         * stress/op_rshift-ConstVar.js: disable on arm.
3087         * stress/op_rshift-VarConst.js: disable on arm.
3088         * stress/op_rshift-VarVar.js: disable on arm.
3089         * stress/op_sub-ConstVar.js: disable on arm.
3090         * stress/op_sub-VarConst.js: disable on arm.
3091         * stress/op_sub-VarVar.js: disable on arm.
3092         * stress/op_urshift-ConstVar.js: disable on arm.
3093         * stress/op_urshift-VarConst.js: disable on arm.
3094         * stress/op_urshift-VarVar.js: disable on arm.
3095         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3096         * stress/value-to-boolean.js: disable on arm and mips.
3097
3098 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3099
3100         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3101         https://bugs.webkit.org/show_bug.cgi?id=191108
3102         <rdar://problem/45690700>
3103
3104         Reviewed by Saam Barati.
3105
3106         * stress/wide-op_catch.js: Added.
3107         (catch):
3108
3109 2018-10-29  Mark Lam  <mark.lam@apple.com>
3110
3111         Correctly detect string overflow when using the 'Function' constructor.
3112         https://bugs.webkit.org/show_bug.cgi?id=184883
3113         <rdar://problem/36320331>
3114
3115         Reviewed by Saam Barati.
3116
3117         I've verified that this passes on 32-bit as well.
3118
3119         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3120
3121 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3122
3123         Add support for GetStack FlushedDouble
3124         https://bugs.webkit.org/show_bug.cgi?id=191012
3125         <rdar://problem/45265141>
3126
3127         Reviewed by Saam Barati.
3128
3129         * stress/get-stack-double.js: Added.
3130         (bar):
3131         (noInline):
3132
3133 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3134
3135         New bytecode format for JSC
3136         https://bugs.webkit.org/show_bug.cgi?id=187373
3137         <rdar://problem/44186758>
3138
3139         Reviewed by Filip Pizlo.
3140
3141         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3142
3143         * stress/maximum-inline-capacity.js: Added.
3144         (test1):
3145         (test3.Foo):
3146         (test3):
3147
3148 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3149
3150         Unreviewed, rolling out r237479 and r237484.
3151         https://bugs.webkit.org/show_bug.cgi?id=190978
3152
3153         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3154
3155         Reverted changesets:
3156
3157         "New bytecode format for JSC"
3158         https://bugs.webkit.org/show_bug.cgi?id=187373
3159         https://trac.webkit.org/changeset/237479
3160
3161         "Gardening: Build fix after r237479."
3162         https://bugs.webkit.org/show_bug.cgi?id=187373
3163         https://trac.webkit.org/changeset/237484
3164
3165 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3166
3167         New bytecode format for JSC
3168         https://bugs.webkit.org/show_bug.cgi?id=187373
3169         <rdar://problem/44186758>
3170
3171         Reviewed by Filip Pizlo.
3172
3173         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3174
3175         * stress/maximum-inline-capacity.js: Added.
3176         (test1):
3177         (test3.Foo):
3178         (test3):
3179
3180 2018-10-26  Mark Lam  <mark.lam@apple.com>
3181
3182         Fix missing edge cases with JSGlobalObjects having a bad time.
3183         https://bugs.webkit.org/show_bug.cgi?id=189028
3184         <rdar://problem/45204939>
3185
3186         Reviewed by Saam Barati.
3187
3188         * stress/regress-189028.js: Added.
3189
3190 2018-10-22  Mark Lam  <mark.lam@apple.com>
3191
3192         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3193         https://bugs.webkit.org/show_bug.cgi?id=190515
3194         <rdar://problem/45222379>
3195
3196         Rubber-stamped by Saam Barati.
3197
3198         Adding another test.
3199
3200         * stress/regress-190515-2.js: Added.
3201
3202 2018-10-22  Mark Lam  <mark.lam@apple.com>
3203
3204         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3205         https://bugs.webkit.org/show_bug.cgi?id=190515
3206         <rdar://problem/45222379>
3207
3208         Reviewed by Saam Barati.
3209
3210         * stress/regress-190515.js: Added.
3211
3212 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3213
3214         Unreviewed, rolling out r237254.
3215         https://bugs.webkit.org/show_bug.cgi?id=190760
3216
3217         "It regresses JetStream 2 by 5% on some iOS devices"
3218         (Requested by saamyjoon on #webkit).
3219
3220         Reverted changeset:
3221
3222         "[JSC] JSC should have "parseFunction" to optimize Function
3223         constructor"
3224         https://bugs.webkit.org/show_bug.cgi?id=190340
3225         https://trac.webkit.org/changeset/237254
3226
3227 2018-10-19  Saam Barati  <sbarati@apple.com>
3228
3229         vmCall should check if we exit before emitting an OSR exit due to exceptions
3230         https://bugs.webkit.org/show_bug.cgi?id=190740
3231         <rdar://problem/45220139>
3232
3233         Reviewed by Mark Lam.
3234
3235         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3236         (foo):
3237
3238 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3239
3240         [ESNext][BigInt] Implement support for "^"
3241         https://bugs.webkit.org/show_bug.cgi?id=186235
3242
3243         Reviewed by Yusuke Suzuki.
3244
3245         * stress/big-int-bitwise-xor-general.js: Added.
3246         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3247         * stress/big-int-bitwise-xor-type-error.js: Added.
3248         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3249
3250 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3251
3252         [BigInt] Add ValueSub into DFG
3253         https://bugs.webkit.org/show_bug.cgi?id=186176
3254
3255         Reviewed by Yusuke Suzuki.
3256
3257         * stress/big-int-subtraction-jit.js:
3258         * stress/value-sub-big-int-prediction-propagation.js: Added.
3259         * stress/value-sub-big-int-untyped.js: Added.
3260         * stress/value-sub-spec-none-case.js: Added.
3261
3262 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3263
3264         [JSC] JSC should have "parseFunction" to optimize Function constructor
3265         https://bugs.webkit.org/show_bug.cgi?id=190340
3266
3267         Reviewed by Mark Lam.
3268
3269         This patch fixes the line number of syntax errors raised by the Function constructor,
3270         since we now parse the final code only once. And we no longer use block statement
3271         for Function constructor's parsing.
3272
3273         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3274         * stress/function-cache-with-parameters-end-position.js: Added.
3275         (shouldBe):
3276         (shouldThrow):
3277         (i.anonymous):
3278         * stress/function-constructor-name.js: Added.
3279         (shouldBe):
3280         (GeneratorFunction):
3281         (AsyncFunction.async):
3282         (AsyncGeneratorFunction.async):
3283         (anonymous):
3284         (async.anonymous):
3285         * test262/expectations.yaml:
3286
3287 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3288
3289         Unreviewed, rolling out r237242.
3290         https://bugs.webkit.org/show_bug.cgi?id=190701
3291
3292         it breaks "stress/sampling-profiler-basic.js" (Requested by
3293         caiolima on #webkit).
3294
3295         Reverted changeset:
3296
3297         "[BigInt] Add ValueSub into DFG"
3298         https://bugs.webkit.org/show_bug.cgi?id=186176
3299         https://trac.webkit.org/changeset/237242
3300
3301 2018-10-17  Keith Miller  <keith_miller@apple.com>
3302
3303         AI does not clear Phantom allocation nodes.
3304         https://bugs.webkit.org/show_bug.cgi?id=190694
3305
3306         Reviewed by Saam Barati.
3307
3308         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3309         (Day):
3310         (DaysInYear):
3311         (TimeInYear):
3312         (TimeFromYear):
3313         (DayFromYear):
3314         (InLeapYear):
3315         (YearFromTime):
3316         (WeekDay):
3317         (DaylightSavingTA):
3318         (GetSecondSundayInMarch):
3319         (TimeInMonth):
3320
3321 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3322
3323         [BigInt] Add ValueSub into DFG
3324         https://bugs.webkit.org/show_bug.cgi?id=186176
3325
3326         Reviewed by Yusuke Suzuki.
3327
3328         * stress/big-int-subtraction-jit.js:
3329         * stress/value-sub-big-int-prediction-propagation.js: Added.
3330         * stress/value-sub-big-int-untyped.js: Added.
3331
3332 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3333
3334         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3335         https://bugs.webkit.org/show_bug.cgi?id=190611
3336
3337         Reviewed by Saam Barati.
3338
3339         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3340         to improve test runtime. On ARM/MIPS this test even timed out when running all
3341         tests.
3342
3343         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3344         (test):
3345
3346 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3347
3348         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3349
3350         Unreviewed gardening.
3351
3352         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3353
3354 2018-10-15  Saam barati  <sbarati@apple.com>
3355
3356         Emit fjcvtzs on ARM64E on Darwin
3357         https://bugs.webkit.org/show_bug.cgi?id=184023
3358
3359         Reviewed by Yusuke Suzuki and Filip Pizlo.
3360
3361         * stress/double-to-int32-NaN.js: Added.
3362         (assert):
3363         (foo):
3364
3365 2018-10-15  Saam Barati  <sbarati@apple.com>
3366
3367         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3368         https://bugs.webkit.org/show_bug.cgi?id=190262
3369         <rdar://problem/44986241>
3370
3371         Reviewed by Mark Lam.
3372
3373         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3374         (test):
3375         * stress/slice-array-storage-with-holes.js: Added.
3376         (main):
3377
3378 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3379
3380         Unreviewed, rolling out r237054.
3381         https://bugs.webkit.org/show_bug.cgi?id=190593
3382
3383         "this regressed JetStream 2 by 6% on iOS" (Requested by
3384         saamyjoon on #webkit).
3385
3386         Reverted changeset:
3387
3388         "[JSC] JSC should have "parseFunction" to optimize Function
3389         constructor"
3390         https://bugs.webkit.org/show_bug.cgi?id=190340
3391         https://trac.webkit.org/changeset/237054
3392
3393 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3394
3395         [JSC] JSON.stringify can accept call-with-no-arguments
3396         https://bugs.webkit.org/show_bug.cgi?id=190343
3397
3398         Reviewed by Mark Lam.
3399
3400         * stress/json-stringify-no-arguments.js: Added.
3401         (shouldBe):
3402
3403 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3404
3405         [JSC] JSC should have "parseFunction" to optimize Function constructor
3406         https://bugs.webkit.org/show_bug.cgi?id=190340
3407
3408         Reviewed by Mark Lam.
3409
3410         This patch fixes the line number of syntax errors raised by the Function constructor,
3411         since we now parse the final code only once. And we no longer use block statement
3412         for Function constructor's parsing.
3413
3414         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3415         * stress/function-cache-with-parameters-end-position.js: Added.
3416         (shouldBe):
3417         (shouldThrow):
3418         (i.anonymous):
3419         * stress/function-constructor-name.js: Added.
3420         (shouldBe):
3421         (GeneratorFunction):
3422         (AsyncFunction.async):
3423         (AsyncGeneratorFunction.async):
3424         (anonymous):
3425         (async.anonymous):
3426         * test262/expectations.yaml:
3427
3428 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3429
3430         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3431         https://bugs.webkit.org/show_bug.cgi?id=190426
3432
3433         Unreviewed gardening.
3434
3435         * stress/sampling-profiler-richards.js:
3436
3437 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3438
3439         [ESNext][BigInt] Implement support for "|"
3440         https://bugs.webkit.org/show_bug.cgi?id=186229
3441
3442         Reviewed by Yusuke Suzuki.
3443
3444         * stress/big-int-bitwise-and-jit.js:
3445         * stress/big-int-bitwise-or-general.js: Added.
3446         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3447         * stress/big-int-bitwise-or-jit.js: Added.
3448         * stress/big-int-bitwise-or-memory-stress.js: Added.
3449         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3450         * stress/big-int-bitwise-or-type-error.js: Added.
3451         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3452
3453 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3454
3455         Skip test on systems with limited memory
3456         https://bugs.webkit.org/show_bug.cgi?id=190310
3457
3458         Invoking runDefault adds test to runlist; skipping the test in the next
3459         line does not prevent the test from executing. Change order of lines such
3460         that runDefault is only executed if test is not executed.
3461
3462         Reviewed by Mark Lam.
3463
3464         * stress/regress-190187.js:
3465
3466 2018-10-03  Saam barati  <sbarati@apple.com>
3467
3468         lowXYZ in FTLLower should always filter the type of the incoming edge
3469         https://bugs.webkit.org/show_bug.cgi?id=189939
3470         <rdar://problem/44407030>
3471
3472         Reviewed by Michael Saboff.
3473
3474         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3475         (foo):
3476         (test):
3477
3478 2018-10-03  Mark Lam  <mark.lam@apple.com>
3479
3480         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3481         https://bugs.webkit.org/show_bug.cgi?id=190187
3482         <rdar://problem/42512909>
3483
3484         Reviewed by Michael Saboff.
3485
3486         * stress/regress-190187.js: Added.
3487
3488 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3489
3490         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3491         https://bugs.webkit.org/show_bug.cgi?id=190033
3492
3493         Reviewed by Yusuke Suzuki.
3494
3495         * stress/big-int-to-string.js:
3496
3497 2018-10-01  Mark Lam  <mark.lam@apple.com>
3498
3499         Function.toString() should also copy the source code Functions that are class definitions.
3500         https://bugs.webkit.org/show_bug.cgi?id=190186
3501         <rdar://problem/44733360>
3502
3503         Reviewed by Saam Barati.
3504
3505         * stress/regress-190186.js: Added.
3506
3507 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3508
3509         Split NaN-check into separate test
3510         https://bugs.webkit.org/show_bug.cgi?id=190010
3511
3512         Reviewed by Saam Barati.
3513
3514         DataView exposes NaN-representation, which is not necessarily the same on each
3515         architecture. Therefore move the check of the NaN-representation into its own
3516         file such that we can disable this test on MIPS where NaN-representation can be
3517         different on older CPUs.
3518
3519         * stress/dataview-jit-set-nan.js: Added.
3520         (assert):
3521         (test.storeLittleEndian):
3522         (test.storeBigEndian):
3523         (test.store):
3524         (test):
3525         * stress/dataview-jit-set.js:
3526         (test5):
3527
3528 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3529
3530         Unreviewed, rolling out r236647.
3531         https://bugs.webkit.org/show_bug.cgi?id=190124
3532
3533         Breaking test stress/big-int-to-string.js (Requested by
3534         caiolima_ on #webkit).
3535
3536         Reverted changeset:
3537
3538         "[BigInt] BigInt.prototype.toString is broken when radix is
3539         power of 2"
3540         https://bugs.webkit.org/show_bug.cgi?id=190033
3541         https://trac.webkit.org/changeset/236647
3542
3543 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3544
3545         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3546         https://bugs.webkit.org/show_bug.cgi?id=190033
3547
3548         Reviewed by Yusuke Suzuki.
3549
3550         * stress/big-int-to-string.js:
3551
3552 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3553
3554         [ESNext][BigInt] Implement support for "&"
3555         https://bugs.webkit.org/show_bug.cgi?id=186228
3556
3557         Reviewed by Yusuke Suzuki.
3558
3559         * stress/big-int-bitwise-and-general.js: Added.
3560         (assert):
3561         (assert.sameValue):
3562         * stress/big-int-bitwise-and-jit.js: Added.
3563         (let.assert.sameValue):
3564         (bigIntBitAnd):
3565         * stress/big-int-bitwise-and-memory-stress.js: Added.
3566         (assert):
3567         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3568         (assert.sameValue):
3569         (let.o.Symbol.toPrimitive):
3570         (catch):
3571         * stress/big-int-bitwise-and-type-error.js: Added.
3572         (assert):
3573         (assertThrowTypeError):
3574         (let.o.valueOf):
3575         (o.valueOf):
3576         (o.toString):
3577         (o.Symbol.toPrimitive):
3578         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3579         (assert.sameValue):
3580         (testBitAnd):
3581         (let.o.Symbol.toPrimitive):
3582         (o.valueOf):
3583         (o.toString):
3584
3585 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3586
3587         JSC test stress/jsc-read.js doesn't support CRLF
3588         https://bugs.webkit.org/show_bug.cgi?id=190063
3589
3590         Reviewed by Yusuke Suzuki.
3591
3592         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3593
3594         * stress/jsc-read.js:
3595         (test):
3596
3597 2018-09-27  Saam barati  <sbarati@apple.com>
3598
3599         Verify the contents of AssemblerBuffer on arm64e
3600         https://bugs.webkit.org/show_bug.cgi?id=190057
3601         <rdar://problem/38916630>
3602
3603         Reviewed by Mark Lam.
3604
3605         * stress/regress-189132.js:
3606
3607 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3608
3609         Disable test without LLInt on ARMv7
3610         https://bugs.webkit.org/show_bug.cgi?id=190037
3611
3612         Reviewed by Mark Lam.
3613
3614         Test runs out of executable memory on ARMv7; do not run
3615         this test without LLInt enabled.
3616
3617         * stress/regress-169445.js:
3618
3619 2018-09-26  Keith Miller  <keith_miller@apple.com>
3620
3621         We should zero unused property storage when rebalancing array storage.
3622         https://bugs.webkit.org/show_bug.cgi?id=188151
3623
3624         Reviewed by Michael Saboff.
3625
3626         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3627
3628 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3629
3630         [JSC] Optimize Array#lastIndexOf
3631         https://bugs.webkit.org/show_bug.cgi?id=189780
3632
3633         Reviewed by Saam Barati.
3634
3635         * stress/array-lastindexof-array-prototype-trap.js: Added.
3636         (shouldBe):
3637         (AncestorArray.prototype.get 2):
3638         (AncestorArray):
3639         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3640         (shouldBe):
3641         * stress/array-lastindexof-hole-nan.js: Added.
3642         (shouldBe):
3643         (throw.new.Error):
3644         * stress/array-lastindexof-infinity.js: Added.
3645         (shouldBe):
3646         (throw.new.Error):
3647         * stress/array-lastindexof-negative-zero.js: Added.
3648         (shouldBe):
3649         (throw.new.Error):
3650         * stress/array-lastindexof-own-getter.js: Added.
3651         (shouldBe):
3652         (throw.new.Error.get array):
3653         (get array):
3654         * stress/array-lastindexof-prototype-trap.js: Added.
3655         (shouldBe):
3656         (DerivedArray.prototype.get 2):
3657         (DerivedArray):
3658
3659 2018-09-25  Saam Barati  <sbarati@apple.com>
3660
3661         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3662         https://bugs.webkit.org/show_bug.cgi?id=189940
3663         <rdar://problem/43640987>
3664
3665         Reviewed by Mark Lam.
3666
3667         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3668
3669 2018-09-24  Saam Barati  <sbarati@apple.com>
3670
3671         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3672         https://bugs.webkit.org/show_bug.cgi?id=189922
3673         <rdar://problem/44651275>
3674
3675         Reviewed by Mark Lam.
3676
3677         * stress/array-indexof-fast-path-effects.js: Added.
3678         * stress/array-indexof-cached-length.js: Added.
3679
3680 2018-09-24  Saam barati  <sbarati@apple.com>
3681
3682         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3683         https://bugs.webkit.org/show_bug.cgi?id=189682
3684         <rdar://problem/43557315>
3685
3686         Reviewed by Mark Lam.
3687
3688         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3689         (foo):
3690
3691 2018-09-22  Saam barati  <sbarati@apple.com>
3692
3693         The sampling should not use Strong<CodeBlock> in its machineLocation field
3694         https://bugs.webkit.org/show_bug.cgi?id=189319
3695
3696         Reviewed by Filip Pizlo.
3697
3698         * stress/sampling-profiler-richards.js: Added.
3699
3700 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3701
3702         [JSC] Optimize Array#indexOf in C++ runtime
3703         https://bugs.webkit.org/show_bug.cgi?id=189507
3704
3705         Reviewed by Saam Barati.
3706
3707         * stress/array-indexof-array-prototype-trap.js: Added.
3708         (shouldBe):
3709         (AncestorArray.prototype.get 2):
3710         (AncestorArray):
3711         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3712         (shouldBe):
3713         * stress/array-indexof-hole-nan.js: Added.
3714         (shouldBe):
3715         (throw.new.Error):
3716         * stress/array-indexof-infinity.js: Added.
3717         (shouldBe):
3718         (throw.new.Error):
3719         * stress/array-indexof-negative-zero.js: Added.
3720         (shouldBe):
3721         (throw.new.Error):
3722         * stress/array-indexof-own-getter.js: Added.
3723         (shouldBe):
3724         (throw.new.Error.get array):
3725         (get array):
3726         * stress/array-indexof-prototype-trap.js: Added.
3727         (shouldBe):
3728         (DerivedArray.prototype.get 2):
3729         (DerivedArray):
3730
3731 2018-09-19  Saam barati  <sbarati@apple.com>
3732
3733         AI rule for MultiPutByOffset executes its effects in the wrong order
3734         https://bugs.webkit.org/show_bug.cgi?id=189757
3735         <rdar://problem/43535257>
3736
3737         Reviewed by Michael Saboff.
3738
3739         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3740         (foo):
3741         (Foo):
3742         (g):
3743
3744 2018-09-17  Mark Lam  <mark.lam@apple.com>
3745
3746         Ensure that ForInContexts are invalidated if their loop local is over-written.
3747         https://bugs.webkit.org/show_bug.cgi?id=189571
3748         <rdar://problem/44402277>
3749
3750         Reviewed by Saam Barati.
3751
3752         * stress/regress-189571.js: Added.
3753
3754 2018-09-17  Saam barati  <sbarati@apple.com>
3755
3756         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3757         https://bugs.webkit.org/show_bug.cgi?id=189676
3758         <rdar://problem/39682897>
3759
3760         Reviewed by Michael Saboff.
3761
3762         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3763         (A):
3764         (K):
3765         (i.catch):
3766
3767 2018-09-14  Saam barati  <sbarati@apple.com>
3768
3769         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3770         https://bugs.webkit.org/show_bug.cgi?id=189628
3771         <rdar://problem/39481690>
3772
3773         Reviewed by Mark Lam.
3774
3775         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3776         (foo):
3777
3778 2018-09-11  Mark Lam  <mark.lam@apple.com>
3779
3780         Test for array initialization in arrayProtoFuncSplice.
3781         https://bugs.webkit.org/show_bug.cgi?id=170253
3782         <rdar://problem/31328773>
3783
3784         Rubber-stamped by Saam Barati.
3785
3786         * stress/regress-170253.js: Added.
3787
3788 2018-09-11  Mark Lam  <mark.lam@apple.com>
3789
3790         Test for IntlObject initialization.
3791         https://bugs.webkit.org/show_bug.cgi?id=170251
3792         <rdar://problem/31328419>
3793
3794         Rubber-stamped by Saam Barati.
3795
3796         * stress/regress-170251.js: Added.
3797
3798 2018-09-11  Mark Lam  <mark.lam@apple.com>
3799
3800         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3801         https://bugs.webkit.org/show_bug.cgi?id=169889
3802         <rdar://problem/31155607>
3803
3804         Reviewed by Saam Barati.
3805
3806         * stress/regress-169889-array-concat.js: Added.
3807         * stress/regress-169889-array-concat1.js: Added.
3808         * stress/regress-169889-array-slice.js: Added.
3809
3810 2018-09-11  Mark Lam  <mark.lam@apple.com>
3811
3812         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3813         https://bugs.webkit.org/show_bug.cgi?id=169445
3814         <rdar://problem/30957435>
3815
3816         Reviewed by Saam Barati.
3817
3818         * stress/regress-169445.js: Added.
3819         (let.gun.eval.A):
3820         (let.gun.eval.B.C):
3821         (let.gun.eval.B.C.prototype.trigger):
3822         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3823         (let.gun.eval.B):
3824         (let.gun.eval):
3825
3826 == Rolled over to ChangeLog-2018-09-11 ==