CodeBlock::jettison() should disallow repatching its own calls
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2
3         CodeBlock::jettison() should disallow repatching its own calls
4         https://bugs.webkit.org/show_bug.cgi?id=196359
5         <rdar://problem/48973663>
6
7         Reviewed by Saam Barati.
8
9         * stress/call-link-info-osrexit-repatch.js: Added.
10         (foo):
11
12 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
13
14         [JSC] imports-oom.js intermittently fails
15         https://bugs.webkit.org/show_bug.cgi?id=196373
16
17         Reviewed by Saam Barati.
18
19         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
20         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
21         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
22         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
23         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
24
25         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
26         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
27
28         * wasm/lowExecutableMemory/imports-oom.js:
29
30 2019-03-27  Saam Barati  <sbarati@apple.com>
31
32         validateOSREntryValue with Int52 should box the value being checked into double format
33         https://bugs.webkit.org/show_bug.cgi?id=196313
34         <rdar://problem/49306703>
35
36         Reviewed by Yusuke Suzuki.
37
38         * stress/validate-int-52-ai-state.js: Added.
39
40 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
41
42         [JSC] Owner of watchpoints should validate at GC finalizing phase
43         https://bugs.webkit.org/show_bug.cgi?id=195827
44
45         Reviewed by Filip Pizlo.
46
47         * stress/gc-should-reap-dead-watchpoints.js: Added.
48         (foo):
49         (A.prototype.y):
50         (A):
51
52 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
53
54         Skip WebAssembly test on 32-bit systems
55         https://bugs.webkit.org/show_bug.cgi?id=196206
56
57         Reviewed by Saam Barati.
58
59         Invoking runDefault executes test immediately even though
60         that test should be skipped due to missing WASM support.
61         Therefore remove runDefault.
62
63         * wasm/regress/web-assembly-link-error-exception-check.js:
64
65 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
66
67         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
68         https://bugs.webkit.org/show_bug.cgi?id=196217
69
70         Reviewed by Saam Barati.
71
72         Re-enable all NaN tests for f32.min, f64.min and f64.max.
73
74         * wasm/spec-tests/f32.wast.js:
75         * wasm/spec-tests/f64.wast.js:
76         * wasm/wasm.json:
77
78 2019-03-25  Keith Miller  <keith_miller@apple.com>
79
80         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
81         https://bugs.webkit.org/show_bug.cgi?id=196176
82
83         Reviewed by Saam Barati.
84
85         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
86         (main.v10):
87         (main):
88
89 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
90
91         WebAssembly: f32.max with NaN generates incorrect result
92         https://bugs.webkit.org/show_bug.cgi?id=175691
93         <rdar://problem/33952228>
94
95         Reviewed by Saam Barati.
96
97         Enable all f32.max NaN tests
98
99         * wasm/spec-tests/f32.wast.js:
100         * wasm/wasm.json:
101
102 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
103
104         [JSC] Move test into directory for WASM tests
105         https://bugs.webkit.org/show_bug.cgi?id=196187
106
107         Reviewed by Mark Lam.
108
109         Move Test into wasm-directory. Otherwise this test
110         is also executed on systems without WASM support.
111
112         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
113
114 2019-03-23  Mark Lam  <mark.lam@apple.com>
115
116         Rolling out r243032 and r243071 because the fix is incorrect.
117         https://bugs.webkit.org/show_bug.cgi?id=195892
118         <rdar://problem/48981239>
119
120         Not reviewed.
121
122         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
123
124 2019-03-22  Mark Lam  <mark.lam@apple.com>
125
126         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
127         https://bugs.webkit.org/show_bug.cgi?id=196154
128         <rdar://problem/49145307>
129
130         Reviewed by Filip Pizlo.
131
132         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
133         There's no need to run this test on more than 1 test configuration.
134
135         * stress/typed-array-lastIndexOf-exception-check.js: Added.
136         * stress/web-assembly-link-error-exception-check.js:
137
138 2019-03-22  Mark Lam  <mark.lam@apple.com>
139
140         Placate exception check validation in constructJSWebAssemblyLinkError().
141         https://bugs.webkit.org/show_bug.cgi?id=196152
142         <rdar://problem/49145257>
143
144         Reviewed by Michael Saboff.
145
146         * stress/web-assembly-link-error-exception-check.js: Added.
147
148 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
149
150         Skip tests running out of memory on ARM/MIPS
151         https://bugs.webkit.org/show_bug.cgi?id=196131
152
153         Unreviewed. Skip test if memory is limited.
154
155         * microbenchmarks/put-by-val-direct-large-index.js:
156
157 2019-03-21  Mark Lam  <mark.lam@apple.com>
158
159         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
160         https://bugs.webkit.org/show_bug.cgi?id=196116
161         <rdar://problem/48976951>
162
163         Reviewed by Filip Pizlo.
164
165         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
166
167 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
168
169         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
170         https://bugs.webkit.org/show_bug.cgi?id=196078
171         <rdar://problem/35925380>
172
173         Reviewed by Mark Lam.
174
175         Add a new benchmark that allocates several objects and invokes put_by_val_direct
176         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
177
178         * microbenchmarks/put-by-val-direct-large-index.js: Added.
179
180 2019-03-21  Mark Lam  <mark.lam@apple.com>
181
182         Placate exception check validation in operationArrayIndexOfString().
183         https://bugs.webkit.org/show_bug.cgi?id=196067
184         <rdar://problem/49056572>
185
186         Reviewed by Michael Saboff.
187
188         * stress/string-equal-exception-check.js: Added.
189
190 2019-03-21  Mark Lam  <mark.lam@apple.com>
191
192         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
193         https://bugs.webkit.org/show_bug.cgi?id=196055
194         <rdar://problem/49067448>
195
196         Reviewed by Yusuke Suzuki.
197
198         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
199
200 2019-03-20  Saam Barati  <sbarati@apple.com>
201
202         typeOfDoubleSum is wrong for when NaN can be produced
203         https://bugs.webkit.org/show_bug.cgi?id=196030
204
205         Reviewed by Filip Pizlo.
206
207         * stress/double-add-sub-mul-can-produce-nan.js: Added.
208         (assert):
209         (noInline.sub):
210         (noInline):
211         (assert.mul):
212         (assert.add):
213
214 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
215
216         Update the test to ensure OutOfMemoryError is thrown as intended
217         https://bugs.webkit.org/show_bug.cgi?id=196032
218         <rdar://problem/46842740>
219
220         Rubber stamped by Saam Barati.
221
222         * stress/create-error-out-of-memory-rope-string.js:
223         (assert):
224         (catch):
225
226 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
227
228         JSC::createError needs to check for OOM in errorDescriptionForValue
229         https://bugs.webkit.org/show_bug.cgi?id=196032
230         <rdar://problem/46842740>
231
232         Reviewed by Mark Lam.
233
234         * stress/create-error-out-of-memory-rope-string.js: Added.
235
236 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
237
238         Unreviewed, reduce # of iterations to avoid timing out after r242991
239         https://bugs.webkit.org/show_bug.cgi?id=195791
240
241         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
242
243         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
244
245 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
246
247         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
248         https://bugs.webkit.org/show_bug.cgi?id=195950
249
250         Unreviewed, reducing the amount of memory used on this test to avoid
251         OOM on devices with memory restrictions.
252
253         * microbenchmarks/generate-multiple-llint-entrypoints.js:
254
255 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
256
257         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
258         https://bugs.webkit.org/show_bug.cgi?id=194648
259
260         Reviewed by Keith Miller.
261
262         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
263
264 2019-03-18  Mark Lam  <mark.lam@apple.com>
265
266         Missing a ThrowScope release in JSObject::toString().
267         https://bugs.webkit.org/show_bug.cgi?id=195893
268         <rdar://problem/48970986>
269
270         Reviewed by Michael Saboff.
271
272         * stress/to-string-exception-check-release.js: Added.
273
274 2019-03-18  Mark Lam  <mark.lam@apple.com>
275
276         Structure::flattenDictionary() should clear unused property slots.
277         https://bugs.webkit.org/show_bug.cgi?id=195871
278         <rdar://problem/48959497>
279
280         Reviewed by Michael Saboff.
281
282         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
283
284 2019-03-15  Mark Lam  <mark.lam@apple.com>
285
286         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
287         https://bugs.webkit.org/show_bug.cgi?id=195827
288         <rdar://problem/48845513>
289
290         Reviewed by Filip Pizlo.
291
292         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
293
294 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
295
296         [ARM,MIPS] Skip slow tests
297         https://bugs.webkit.org/show_bug.cgi?id=195799
298
299         Unreviewed, test does not finish on ARM and MIPS within the
300         timeout limit.
301
302         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
303
304 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
305
306         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
307         https://bugs.webkit.org/show_bug.cgi?id=195791
308         <rdar://problem/48806130>
309
310         Reviewed by Mark Lam.
311
312         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
313         (foo):
314
315 2019-03-14  Saam Barati  <sbarati@apple.com>
316
317         We can't remove code after ForceOSRExit until after FixupPhase
318         https://bugs.webkit.org/show_bug.cgi?id=186916
319         <rdar://problem/41396612>
320
321         Reviewed by Yusuke Suzuki.
322
323         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
324         (foo):
325         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
326         (foo):
327
328 2019-03-13  Michael Saboff  <msaboff@apple.com>
329
330         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
331         https://bugs.webkit.org/show_bug.cgi?id=195735
332
333         Reviewed by Mark Lam.
334
335         New regression test.
336
337         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
338         (foo):
339         (bar):
340
341 2019-03-14  Saam Barati  <sbarati@apple.com>
342
343         Fixup uses KnownInt32 incorrectly in some nodes
344         https://bugs.webkit.org/show_bug.cgi?id=195279
345         <rdar://problem/47915654>
346
347         Reviewed by Yusuke Suzuki.
348
349         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
350         (foo):
351
352 2019-03-14  Keith Miller  <keith_miller@apple.com>
353
354         DFG liveness can't skip tail caller inline frames
355         https://bugs.webkit.org/show_bug.cgi?id=195715
356
357         Reviewed by Saam Barati.
358
359         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
360         (i.foo):
361
362 2019-03-13  Mark Lam  <mark.lam@apple.com>
363
364         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
365         https://bugs.webkit.org/show_bug.cgi?id=195415
366
367         Not reviewed.
368
369         Changed these tests to only run the default configuration.
370         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
371         There's no strong need to run this test on that variant.
372
373         * stress/dfg-to-string-on-int-does-gc.js:
374         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
375
376 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
377
378         String overflow when using StringBuilder in JSC::createError
379         https://bugs.webkit.org/show_bug.cgi?id=194957
380
381         Reviewed by Mark Lam.
382
383         Add test string-overflow-createError-builder.js that overflows
384         StringBuilder in notAFunctionSourceAppender. The second new test
385         string-overflow-createError-fit.js has an error message that doesn't
386         overflow, it still failed since the String's capacity can't be doubled.
387         Run test string-overflow-createError.js only in the default
388         configuration to reduce memory consumption when running the test
389         in all configurations on multiple CPUs in parallel.
390
391         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
392         (catch):
393         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
394         (catch):
395         * stress/string-overflow-createError.js:
396
397 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
398
399         [JSC] OSR entry should respect abstract values in addition to flush formats
400         https://bugs.webkit.org/show_bug.cgi?id=195653
401
402         Reviewed by Mark Lam.
403
404         * stress/osr-entry-locals-none.js: Added.
405
406 2019-03-12  Michael Saboff  <msaboff@apple.com>
407
408         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
409         https://bugs.webkit.org/show_bug.cgi?id=195613
410
411         Reviewed by Mark Lam.
412
413         New regression test.
414
415         * stress/regexp-backref-inbounds.js: Added.
416         (testRegExp):
417
418 2019-03-12  Mark Lam  <mark.lam@apple.com>
419
420         The HasIndexedProperty node does GC.
421         https://bugs.webkit.org/show_bug.cgi?id=195559
422         <rdar://problem/48767923>
423
424         Reviewed by Yusuke Suzuki.
425
426         * stress/HasIndexedProperty-does-gc.js: Added.
427
428 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
429
430         [ESNext][BigInt] Implement "~" unary operation
431         https://bugs.webkit.org/show_bug.cgi?id=182216
432
433         Reviewed by Keith Miller.
434
435         * stress/big-int-bit-not-general.js: Added.
436         * stress/big-int-bitwise-not-jit.js: Added.
437         * stress/big-int-bitwise-not-wrapped-value.js: Added.
438         * stress/bit-op-with-object-returning-int32.js:
439         * stress/bitwise-not-fixup-rules.js: Added.
440         * stress/value-bit-not-ai-rule.js: Added.
441
442 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
443
444         Invalid flags in a RegExp literal should be an early SyntaxError
445         https://bugs.webkit.org/show_bug.cgi?id=195514
446
447         Reviewed by Darin Adler.
448
449         * test262/expectations.yaml:
450         Mark 4 test cases as passing.
451
452         * stress/regexp-syntax-error-invalid-flags.js:
453         * stress/regress-161995.js: Removed.
454         Update existing test, merging in an older test for the same behavior.
455
456 2019-03-08  Mark Lam  <mark.lam@apple.com>
457
458         Stack overflow crash in JSC::JSObject::hasInstance.
459         https://bugs.webkit.org/show_bug.cgi?id=195458
460         <rdar://problem/48710195>
461
462         Reviewed by Yusuke Suzuki.
463
464         * stress/stack-overflow-in-custom-hasInstance.js: Added.
465
466 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
467
468         op_check_tdz does not def its argument
469         https://bugs.webkit.org/show_bug.cgi?id=192880
470         <rdar://problem/46221598>
471
472         Reviewed by Saam Barati.
473
474         * microbenchmarks/let-for-in.js: Added.
475         (foo):
476
477 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
478
479         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
480         https://bugs.webkit.org/show_bug.cgi?id=195429
481
482         Reviewed by Saam Barati.
483
484         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
485         (foo):
486         * stress/string-from-char-code-255.js: Added.
487
488 2019-03-06  Mark Lam  <mark.lam@apple.com>
489
490         Fix incorrect handling of try-finally completion values.
491         https://bugs.webkit.org/show_bug.cgi?id=195131
492         <rdar://problem/46222079>
493
494         Reviewed by Saam Barati and Yusuke Suzuki.
495
496         Added many permutations of new test case to test-finally.js.  test-finally.js has
497         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
498         tests pass there as well.
499
500         * stress/test-finally.js:
501
502 2019-03-06  Saam Barati  <sbarati@apple.com>
503
504         Air::reportUsedRegisters must padInterference
505         https://bugs.webkit.org/show_bug.cgi?id=195303
506         <rdar://problem/48270343>
507
508         Reviewed by Keith Miller.
509
510         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
511
512 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
513
514         [JSC] AI should not propagate AbstractValue relying on constant folding phase
515         https://bugs.webkit.org/show_bug.cgi?id=195375
516
517         Reviewed by Saam Barati.
518
519         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
520         (let.array):
521
522 2019-03-05  Saam Barati  <sbarati@apple.com>
523
524         op_switch_char broken for rope strings after JSRopeString layout rewrite
525         https://bugs.webkit.org/show_bug.cgi?id=195339
526         <rdar://problem/48592545>
527
528         Reviewed by Yusuke Suzuki.
529
530         * stress/switch-on-char-llint-rope.js: Added.
531
532 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
533
534         [JSC] Store bits for JSRopeString in 3 stores
535         https://bugs.webkit.org/show_bug.cgi?id=195234
536
537         Reviewed by Saam Barati.
538
539         * stress/null-rope-and-collectors.js: Added.
540
541 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
542
543         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
544         https://bugs.webkit.org/show_bug.cgi?id=195207
545
546         Unreviewed. After test runtime was reduced in r242213, test can be
547         run again on ARM/MIPS.
548
549         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
550
551 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
552
553         [JSC] sizeof(JSString) should be 16
554         https://bugs.webkit.org/show_bug.cgi?id=194375
555
556         Reviewed by Saam Barati.
557
558         * microbenchmarks/make-rope.js: Added.
559         (makeRope):
560         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
561         (returnRope.helper): Deleted.
562         (returnRope): Deleted.
563
564 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
565
566         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
567         https://bugs.webkit.org/show_bug.cgi?id=195144
568
569         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
570         Change the number from 1e8 to 1e5.
571
572         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
573         (foo):
574
575 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
576
577         Test times out on ARM/MIPS
578         https://bugs.webkit.org/show_bug.cgi?id=195168
579
580         Unreviewed. Skip test on ARM/MIPS.
581
582         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
583
584 2019-02-27  Mark Lam  <mark.lam@apple.com>
585
586         The parser is failing to record the token location of new in new.target.
587         https://bugs.webkit.org/show_bug.cgi?id=195127
588         <rdar://problem/39645578>
589
590         Reviewed by Yusuke Suzuki.
591
592         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
593
594 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
595
596         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
597         https://bugs.webkit.org/show_bug.cgi?id=195144
598         <rdar://problem/47595961>
599
600         Reviewed by Mark Lam.
601
602         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
603         (bar):
604         (foo):
605         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
606         (bar):
607         (foo):
608
609 2019-02-27  Robin Morisset  <rmorisset@apple.com>
610
611         DFG: Loop-invariant code motion (LICM) should not hoist dead code
612         https://bugs.webkit.org/show_bug.cgi?id=194945
613         <rdar://problem/48311657>
614
615         Reviewed by Mark Lam.
616
617         * stress/licm-dead-code.js: Added.
618
619 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
620
621         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
622         https://bugs.webkit.org/show_bug.cgi?id=194677
623         <rdar://problem/48112492>
624
625         Reviewed by Mark Lam.
626
627         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
628         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
629         it immediately fails due to the large size.
630
631         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
632         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
633         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
634         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
635
636         This patch changes the test to produce 16bit string from String.fromCharCode.
637
638         * stress/regress-178386.js:
639
640 2019-02-26  Mark Lam  <mark.lam@apple.com>
641
642         wasmToJS() should purify incoming NaNs.
643         https://bugs.webkit.org/show_bug.cgi?id=194807
644         <rdar://problem/48189132>
645
646         Reviewed by Saam Barati.
647
648         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
649
650 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
651
652         [JSC] Repeat string created from Array.prototype.join() take too much memory
653         https://bugs.webkit.org/show_bug.cgi?id=193912
654
655         Reviewed by Saam Barati.
656
657         Added a test and a microbenchmark for corner cases of
658         Array.prototype.join() with an uninitialized array.
659
660         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
661         * stress/array-prototype-join-uninitialized.js: Added.
662         (testArray):
663         (testABC):
664         (B):
665         (C):
666
667 2019-02-22  Robin Morisset  <rmorisset@apple.com>
668
669         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
670         https://bugs.webkit.org/show_bug.cgi?id=194953
671         <rdar://problem/47595253>
672
673         Reviewed by Saam Barati.
674
675         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
676
677         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
678
679 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
680
681         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
682         https://bugs.webkit.org/show_bug.cgi?id=172848
683         <rdar://problem/25709212>
684
685         Reviewed by Mark Lam.
686
687         * typeProfiler/inheritance.js:
688         Rewrite the test slightly for clarity. The hoisting was confusing.
689
690         * heapProfiler/class-names.js: Added.
691         (MyES5Class):
692         (MyES6Class):
693         (MyES6Subclass):
694         Test object types and improved class names.
695
696         * heapProfiler/driver/driver.js:
697         (CheapHeapSnapshotNode):
698         (CheapHeapSnapshot):
699         (createCheapHeapSnapshot):
700         (HeapSnapshot):
701         (createHeapSnapshot):
702         Update snapshot parsing from version 1 to version 2.
703
704 2019-02-19  Truitt Savell  <tsavell@apple.com>
705
706         Unreviewed, rolling out r241784.
707
708         Broke all OpenSource builds.
709
710         Reverted changeset:
711
712         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
713         instances view"
714         https://bugs.webkit.org/show_bug.cgi?id=172848
715         https://trac.webkit.org/changeset/241784
716
717 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
718
719         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
720         https://bugs.webkit.org/show_bug.cgi?id=172848
721         <rdar://problem/25709212>
722
723         Reviewed by Mark Lam.
724
725         * typeProfiler/inheritance.js:
726         Rewrite the test slightly for clarity. The hoisting was confusing.
727
728         * heapProfiler/class-names.js: Added.
729         (MyES5Class):
730         (MyES6Class):
731         (MyES6Subclass):
732         Test object types and improved class names.
733
734         * heapProfiler/driver/driver.js:
735         (CheapHeapSnapshotNode):
736         (CheapHeapSnapshot):
737         (createCheapHeapSnapshot):
738         (HeapSnapshot):
739         (createHeapSnapshot):
740         Update snapshot parsing from version 1 to version 2.
741
742 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
743
744         [ARM] Fix crash with sampling profiler
745         https://bugs.webkit.org/show_bug.cgi?id=194772
746
747         Reviewed by Mark Lam.
748
749         Do not skip test since crash with sampling profiler is now fixed.
750
751         * stress/sampling-profiler-richards.js:
752
753 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
754
755         [JSC] Add LazyClassStructure::getInitializedOnMainThread
756         https://bugs.webkit.org/show_bug.cgi?id=194784
757         <rdar://problem/48154820>
758
759         Reviewed by Mark Lam.
760
761         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
762         (getProperties):
763         (getRandomProperty):
764         (i.catch):
765
766 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
767
768         [ARM] Test gardening: Test running out of executable memory
769         https://bugs.webkit.org/show_bug.cgi?id=194771
770
771         Unreviewed. Do not run test without LLInt, test is running out of executable
772         memory on ARM otherwise.
773
774         * stress/tagged-template-object-collect.js:
775
776 2019-02-18  Tomas Popela  <tpopela@redhat.com>
777
778         Unreviewed, skip the test on platforms without sampling profiler
779
780         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
781         (platformSupportsSamplingProfiler.foo):
782         (platformSupportsSamplingProfiler.test):
783         (platformSupportsSamplingProfiler):
784         (foo): Deleted.
785         (test): Deleted.
786
787 2019-02-17  Saam Barati  <sbarati@apple.com>
788
789         Deadlock when adding a Structure property transition and then doing incremental marking
790         https://bugs.webkit.org/show_bug.cgi?id=194767
791
792         Reviewed by Mark Lam.
793
794         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
795
796 2019-02-15  Michael Saboff  <msaboff@apple.com>
797
798         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
799         https://bugs.webkit.org/show_bug.cgi?id=194558
800
801         Reviewed by Saam Barati.
802
803         New regression test.
804
805         * stress/regexp-unicode-within-string.js: Added.
806
807 2019-02-15  Mark Lam  <mark.lam@apple.com>
808
809         SamplingProfiler::stackTracesAsJSON() should escape strings.
810         https://bugs.webkit.org/show_bug.cgi?id=194649
811         <rdar://problem/48072386>
812
813         Reviewed by Saam Barati.
814
815         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
816         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
817         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
818         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
819
820 2019-02-15  Robin Morisset  <rmorisset@apple.com>
821         CodeBlock::jettison should clear related watchpoints
822         https://bugs.webkit.org/show_bug.cgi?id=194544
823
824         Reviewed by Mark Lam.
825
826         * stress/regexp-replace-double-watchpoint.js: Added.
827         (foo):
828
829 2019-02-15  Saam Barati  <sbarati@apple.com>
830
831         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
832         https://bugs.webkit.org/show_bug.cgi?id=194036
833
834         Reviewed by Yusuke Suzuki.
835
836         * stress/tail-call-many-arguments.js: Added.
837         (foo):
838         (bar):
839
840 2019-02-14  Saam Barati  <sbarati@apple.com>
841
842         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
843         https://bugs.webkit.org/show_bug.cgi?id=194583
844         <rdar://problem/48028140>
845
846         Reviewed by Yusuke Suzuki.
847
848         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
849
850 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
851
852         [JSC] String.fromCharCode's slow path always generates 16bit string
853         https://bugs.webkit.org/show_bug.cgi?id=194466
854
855         Reviewed by Keith Miller.
856
857         * stress/string-from-char-code-slow-path.js: Added.
858         (shouldBe):
859         (testWithLength):
860
861 2019-02-08  Saam barati  <sbarati@apple.com>
862
863         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
864         https://bugs.webkit.org/show_bug.cgi?id=194334
865         <rdar://problem/47844327>
866
867         Reviewed by Mark Lam.
868
869         * stress/check-in-bounds-should-be-a-child-use.js: Added.
870         (func):
871
872 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
873
874         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
875         https://bugs.webkit.org/show_bug.cgi?id=194369
876         <rdar://problem/47813087>
877
878         Reviewed by Saam Barati.
879
880         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
881         (A):
882
883 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
884
885         [JSC] PrivateName to PublicName hash table is wasteful
886         https://bugs.webkit.org/show_bug.cgi?id=194277
887
888         Reviewed by Michael Saboff.
889
890         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
891
892         * ChakraCore.yaml:
893
894 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
895
896         [ARM] Test running out of executable memory
897         https://bugs.webkit.org/show_bug.cgi?id=194285
898
899         Unreviewed. Do not execute test with LLInt disabled, test runs out of
900         executable memory otherwise.
901
902         * stress/class-subclassing-function.js:
903
904 2019-02-04  Robin Morisset  <rmorisset@apple.com>
905
906         when lowering AssertNotEmpty, create the value before creating the patchpoint
907         https://bugs.webkit.org/show_bug.cgi?id=194231
908
909         Reviewed by Saam Barati.
910
911         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
912         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
913         So even tiny changes to this test can change the code path taken.
914
915         * stress/assert-not-empty.js: Added.
916         (foo):
917
918 2019-02-01  Mark Lam  <mark.lam@apple.com>
919
920         Remove invalid assertion in DFG's compileDoubleRep().
921         https://bugs.webkit.org/show_bug.cgi?id=194130
922         <rdar://problem/47699474>
923
924         Reviewed by Saam Barati.
925
926         * stress/constant-fold-double-rep-into-double-constant.js: Added.
927
928 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
929
930         Import latest Test262 updates.
931
932         Rubber-stamped by Keith Miller.
933
934         * test262.yaml: Deleted.
935         * test262/config.yaml:
936         * test262/expectations.yaml:
937         * test262/latest-changes-summary.txt:
938         * test262/test/:
939         * test262/test262-Revision.txt:
940
941 2019-01-30  Robin Morisset  <rmorisset@apple.com>
942
943         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
944         https://bugs.webkit.org/show_bug.cgi?id=194050
945         <rdar://problem/47595592>
946
947         Reviewed by Yusuke Suzuki.
948
949         * stress/object-keys-osr-exit.js: Added.
950         (foo):
951         (catch):
952
953 2019-01-29  Mark Lam  <mark.lam@apple.com>
954
955         ValueRecovery::recover() should purify NaN values it recovers.
956         https://bugs.webkit.org/show_bug.cgi?id=193978
957         <rdar://problem/47625488>
958
959         Reviewed by Saam Barati.
960
961         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
962
963 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
964
965         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
966         https://bugs.webkit.org/show_bug.cgi?id=193713
967
968         * stress/try-get-by-id-should-spill-registers-dfg.js:
969         (let.f.createBuiltin):
970
971 2019-01-28  Mark Lam  <mark.lam@apple.com>
972
973         ToString node actually does GC.
974         https://bugs.webkit.org/show_bug.cgi?id=193920
975         <rdar://problem/46695900>
976
977         Reviewed by Yusuke Suzuki.
978
979         * stress/dfg-to-string-on-int-does-gc.js: Added.
980         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
981         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
982
983 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
984
985         [JSC] NativeErrorConstructor should not have own IsoSubspace
986         https://bugs.webkit.org/show_bug.cgi?id=193713
987
988         Reviewed by Saam Barati.
989
990         Remove @Error use.
991
992         * stress/try-get-by-id-should-spill-registers-dfg.js:
993         (let.f.createBuiltin):
994
995 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
998         https://bugs.webkit.org/show_bug.cgi?id=190693
999
1000         Reviewed by Michael Saboff.
1001
1002         * stress/regress-190693.js: Added.
1003         (truth):
1004         (assert):
1005         (shouldThrowInvalidConstAssignment):
1006         (taz):
1007
1008 2019-01-24  Saam Barati  <sbarati@apple.com>
1009
1010         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1011         https://bugs.webkit.org/show_bug.cgi?id=193751
1012         <rdar://problem/47280215>
1013
1014         Reviewed by Michael Saboff.
1015
1016         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1017         (let.thing):
1018         (foo.let.hello):
1019         (foo):
1020
1021 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1022
1023         [JSC] Reenable baseline JIT on mips
1024         https://bugs.webkit.org/show_bug.cgi?id=192983
1025
1026         Reviewed by Mark Lam.
1027
1028         Added a new test for a case that was triggering a RELEASE_ASSERT when
1029         testing.
1030         Disable some slow tests that were already disabled for arm and x86.
1031
1032         * stress/json-parse-big-object.js: Added.
1033         * stress/new-largeish-contiguous-array-with-size.js:
1034         * stress/op_add.js:
1035         * stress/op_bitand.js:
1036         * stress/op_bitor.js:
1037         * stress/op_bitxor.js:
1038         * stress/op_lshift-ConstVar.js:
1039         * stress/op_lshift-VarConst.js:
1040         * stress/op_lshift-VarVar.js:
1041         * stress/op_mod-ConstVar.js:
1042         * stress/op_mod-VarConst.js:
1043         * stress/op_mod-VarVar.js:
1044         * stress/op_mul-ConstVar.js:
1045         * stress/op_mul-VarConst.js:
1046         * stress/op_mul-VarVar.js:
1047         * stress/op_rshift-ConstVar.js:
1048         * stress/op_rshift-VarConst.js:
1049         * stress/op_rshift-VarVar.js:
1050         * stress/op_sub-ConstVar.js:
1051         * stress/op_sub-VarConst.js:
1052         * stress/op_sub-VarVar.js:
1053         * stress/op_urshift-ConstVar.js:
1054         * stress/op_urshift-VarConst.js:
1055         * stress/op_urshift-VarVar.js:
1056         * stress/sampling-profiler-richards.js:
1057         * stress/spread-forward-call-varargs-stack-overflow.js:
1058
1059 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1060
1061         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1062         https://bugs.webkit.org/show_bug.cgi?id=193711
1063         <rdar://problem/47250262>
1064
1065         Reviewed by Saam Barati.
1066
1067         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1068         (shouldBe):
1069         (foo):
1070         (bar):
1071         (baz):
1072
1073 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1074
1075         Unreviewed, fix initial global lexical binding epoch
1076         https://bugs.webkit.org/show_bug.cgi?id=193603
1077         <rdar://problem/47380869>
1078
1079         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1080         (f1.f2.f3.f4):
1081         (f1.f2.f3):
1082         (f1.f2):
1083         (f1):
1084
1085 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1086
1087         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1088         https://bugs.webkit.org/show_bug.cgi?id=193709
1089         <rdar://problem/47363838>
1090
1091         Unreviewed, rollout to watch the tests.
1092
1093         * stress/object-tostring-changed-proto.js: Removed.
1094         * stress/object-tostring-changed.js: Removed.
1095         * stress/object-tostring-misc.js: Removed.
1096         * stress/object-tostring-other.js: Removed.
1097         * stress/object-tostring-untyped.js: Removed.
1098
1099 2019-01-22  Saam Barati  <sbarati@apple.com>
1100
1101         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1102
1103         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1104         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1105         (testUncheckedLessThanZero):
1106         (testUncheckedLessThanOrEqualZero):
1107         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1108         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1109
1110 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1111
1112         [JSC] Invalidate old scope operations using global lexical binding epoch
1113         https://bugs.webkit.org/show_bug.cgi?id=193603
1114         <rdar://problem/47380869>
1115
1116         Reviewed by Saam Barati.
1117
1118         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1119         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1120         (shouldThrow):
1121         (bar):
1122         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1123         (shouldBe):
1124         (get1):
1125         (get2):
1126         (get1If):
1127         (get2If):
1128         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1129         (shouldThrow):
1130         (foo):
1131
1132 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1133
1134         Unreviewed, roll out r240220 due to date-format-xparb regression
1135         https://bugs.webkit.org/show_bug.cgi?id=193603
1136
1137         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1138         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1139         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1140         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1141
1142 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1143
1144         DoesGC rule is wrong for nodes with BigIntUse
1145         https://bugs.webkit.org/show_bug.cgi?id=193652
1146
1147         Reviewed by Saam Barati.
1148
1149         * stress/big-int-value-op-update-gc-rules.js: Added.
1150         (assert):
1151         (doesGCAdd):
1152         (doesGCSub):
1153         (doesGCDiv):
1154         (doesGCMul):
1155         (doesGCBitAnd):
1156         (doesGCBitOr):
1157         (doesGCBitXor):
1158
1159 2019-01-20  Saam Barati  <sbarati@apple.com>
1160
1161         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1162         https://bugs.webkit.org/show_bug.cgi?id=193644
1163         <rdar://problem/46209745>
1164
1165         Reviewed by Yusuke Suzuki.
1166
1167         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1168         (foo):
1169         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1170         (foo):
1171         (bar):
1172
1173 2019-01-20  Saam Barati  <sbarati@apple.com>
1174
1175         MovHint must merge NodeBytecodeUsesAsValue for its child
1176         https://bugs.webkit.org/show_bug.cgi?id=186916
1177         <rdar://problem/41396612>
1178
1179         Reviewed by Yusuke Suzuki.
1180
1181         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1182         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1183
1184 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1185
1186         [JSC] Invalidate old scope operations using global lexical binding epoch
1187         https://bugs.webkit.org/show_bug.cgi?id=193603
1188         <rdar://problem/47380869>
1189
1190         Reviewed by Saam Barati.
1191
1192         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1193         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1194         (shouldThrow):
1195         (bar):
1196         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1197         (shouldBe):
1198         (get1):
1199         (get2):
1200         (get1If):
1201         (get2If):
1202         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1203         (shouldThrow):
1204         (foo):
1205
1206 2019-01-17  Saam barati  <sbarati@apple.com>
1207
1208         StringObjectUse should not be a structure check for the original string object structure
1209         https://bugs.webkit.org/show_bug.cgi?id=193483
1210         <rdar://problem/47280522>
1211
1212         Reviewed by Yusuke Suzuki.
1213
1214         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1215         (foo):
1216         (a.valueOf.0):
1217
1218 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1219
1220         [JSC] ToThis omission in DFGByteCodeParser is wrong
1221         https://bugs.webkit.org/show_bug.cgi?id=193513
1222         <rdar://problem/45842236>
1223
1224         Reviewed by Saam Barati.
1225
1226         * stress/to-this-omission-with-different-strict-modes.js: Added.
1227         (thisA):
1228         (thisAStrictWrapper):
1229
1230 2019-01-15  Mark Lam  <mark.lam@apple.com>
1231
1232         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1233         https://bugs.webkit.org/show_bug.cgi?id=193423
1234         <rdar://problem/46209355>
1235
1236         Reviewed by Saam Barati.
1237
1238         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1239         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1240         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1241         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1242
1243 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1244
1245         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1246         https://bugs.webkit.org/show_bug.cgi?id=193438
1247         <rdar://problem/45581249>
1248
1249         Reviewed by Saam Barati and Keith Miller.
1250
1251         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1252         Then, GetByVal(String) crashed.
1253
1254         * stress/string-get-by-val-lowering.js: Added.
1255         (shouldBe):
1256         (test):
1257         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1258         (Hello):
1259         (foo):
1260
1261 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1262
1263         Unreviewed, skip JIT tests if it's not enabled
1264
1265         * stress/bit-op-with-object-returning-int32.js:
1266
1267 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1268
1269         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1270         https://bugs.webkit.org/show_bug.cgi?id=192966
1271
1272         Reviewed by Yusuke Suzuki.
1273
1274         * stress/bit-op-with-object-returning-int32.js: Added.
1275
1276 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1277
1278         Skip a slow test and a flakey test on arm
1279
1280         Unreviewed gardening.
1281
1282         * typeProfiler/getter-richards.js:
1283         this test always times out, it used to be always skipped on arm and
1284         mips, but got accidentally enabled by r237919 now that we have DFG on
1285         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1286
1287 2019-01-14  Keith Miller  <keith_miller@apple.com>
1288
1289         Skip type-check-hoisting-phase-hoist... with no jit
1290         https://bugs.webkit.org/show_bug.cgi?id=193421
1291
1292         Reviewed by Mark Lam.
1293
1294         It's timing out the 32-bit bots and takes 330 seconds
1295         on my machine when run by itself.
1296
1297         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1298
1299 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1300
1301         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1302         https://bugs.webkit.org/show_bug.cgi?id=193413
1303         <rdar://problem/46092389>
1304
1305         Reviewed by Keith Miller.
1306
1307         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1308         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1309         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1310         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1311
1312         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1313         (compareArray):
1314
1315 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1316
1317         [BigInt] Literal parsing is crashing when used inside a Object Literal
1318         https://bugs.webkit.org/show_bug.cgi?id=193404
1319
1320         Reviewed by Yusuke Suzuki.
1321
1322         * stress/big-int-literal-inside-literal-object.js: Added.
1323
1324 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1325
1326         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1327         https://bugs.webkit.org/show_bug.cgi?id=193372
1328
1329         Reviewed by Saam Barati.
1330
1331         * stress/typed-array-array-modes-profile.js: Added.
1332         (foo):
1333
1334 2019-01-14  Mark Lam  <mark.lam@apple.com>
1335
1336         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1337         https://bugs.webkit.org/show_bug.cgi?id=193402
1338         <rdar://problem/46012309>
1339
1340         Reviewed by Keith Miller.
1341
1342         * stress/regexp-compile-oom.js:
1343         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1344           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1345
1346 2019-01-11  Saam barati  <sbarati@apple.com>
1347
1348         DFG combined liveness can be wrong for terminal basic blocks
1349         https://bugs.webkit.org/show_bug.cgi?id=193304
1350         <rdar://problem/45268632>
1351
1352         Reviewed by Yusuke Suzuki.
1353
1354         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1355
1356 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1357
1358         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1359         https://bugs.webkit.org/show_bug.cgi?id=193308
1360         <rdar://problem/45546542>
1361
1362         Reviewed by Saam Barati.
1363
1364         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1365         (shouldThrow):
1366         (shouldBe):
1367         (foo):
1368         (get shouldThrow):
1369         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1370         (shouldThrow):
1371         (shouldBe):
1372         (foo):
1373         (get shouldBe):
1374         (get shouldThrow):
1375         (get return):
1376         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1377         (shouldThrow):
1378         (shouldBe):
1379         (foo):
1380         (get shouldBe):
1381         (get shouldThrow):
1382         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1383         (shouldThrow):
1384         (shouldBe):
1385         (foo):
1386         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1387         (shouldThrow):
1388         (shouldBe):
1389         (foo):
1390         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1391         (shouldThrow):
1392         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1393         (shouldThrow):
1394         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1395         (shouldThrow):
1396         (shouldBe):
1397         (foo):
1398         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1399         (shouldThrow):
1400         (shouldBe):
1401         (foo):
1402         (get shouldBe):
1403         (get shouldThrow):
1404         (get return):
1405         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1406         (shouldThrow):
1407         (shouldBe):
1408         (foo):
1409         (get shouldBe):
1410         (get shouldThrow):
1411         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1412         (shouldThrow):
1413         (shouldBe):
1414         (foo):
1415         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1416         (shouldThrow):
1417         (shouldBe):
1418         (foo):
1419
1420 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1421
1422         Enable DFG on ARM/Linux again
1423         https://bugs.webkit.org/show_bug.cgi?id=192496
1424
1425         Reviewed by Yusuke Suzuki.
1426
1427         Test wasn't really skipped before moving the line with skip
1428         to the top.
1429
1430         * stress/regress-192717.js:
1431
1432 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1433
1434         Unreviewed, rolling out r239825.
1435         https://bugs.webkit.org/show_bug.cgi?id=193330
1436
1437         Broke tests on armv7/linux bots (Requested by guijemont on
1438         #webkit).
1439
1440         Reverted changeset:
1441
1442         "Enable DFG on ARM/Linux again"
1443         https://bugs.webkit.org/show_bug.cgi?id=192496
1444         https://trac.webkit.org/changeset/239825
1445
1446 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1447
1448         Enable DFG on ARM/Linux again
1449         https://bugs.webkit.org/show_bug.cgi?id=192496
1450
1451         Reviewed by Yusuke Suzuki.
1452
1453         Test wasn't really skipped before moving the line with skip
1454         to the top.
1455
1456         * stress/regress-192717.js:
1457
1458 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1459
1460         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1461         https://bugs.webkit.org/show_bug.cgi?id=193127
1462
1463         Reviewed by Saam Barati.
1464
1465         * stress/array-species-create-should-handle-masquerader.js: Added.
1466         (shouldThrow):
1467         * stress/is-undefined-or-null-builtin.js: Added.
1468         (shouldBe):
1469         (isUndefinedOrNull.vm.createBuiltin):
1470
1471 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1472
1473         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1474         https://bugs.webkit.org/show_bug.cgi?id=193221
1475
1476         Reviewed by Mark Lam.
1477
1478         * stress/put-by-id-flags.js: Added.
1479         (f):
1480         (g):
1481         (numberOfDFGCompiles):
1482
1483 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1484
1485         Baseline version of get_by_id may corrupt metadata
1486         https://bugs.webkit.org/show_bug.cgi?id=193085
1487         <rdar://problem/23453006>
1488
1489         Reviewed by Saam Barati.
1490
1491         * stress/get-by-id-change-mode.js: Added.
1492         (forEach):
1493
1494 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1495
1496         [JSC] Optimize Object.prototype.toString
1497         https://bugs.webkit.org/show_bug.cgi?id=193031
1498
1499         Reviewed by Saam Barati.
1500
1501         * stress/object-tostring-changed-proto.js: Added.
1502         (shouldBe):
1503         (test):
1504         * stress/object-tostring-changed.js: Added.
1505         (shouldBe):
1506         (test):
1507         * stress/object-tostring-misc.js: Added.
1508         (shouldBe):
1509         (test):
1510         (i.switch):
1511         * stress/object-tostring-other.js: Added.
1512         (shouldBe):
1513         (test):
1514         * stress/object-tostring-untyped.js: Added.
1515         (shouldBe):
1516         (test):
1517         (i.switch):
1518
1519 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1520
1521         test262-runner misbehaves when test file YAML has a trailing space
1522         https://bugs.webkit.org/show_bug.cgi?id=193053
1523
1524         Reviewed by Yusuke Suzuki.
1525
1526         * test262/expectations.yaml:
1527         Mark two dozen tests as passing (and correct the output of another).
1528
1529 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1530
1531         Unreviewed, JSTests gardening with memoryLimited
1532
1533         * stress/string-overflow-createError.js:
1534
1535 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1536
1537         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1538         https://bugs.webkit.org/show_bug.cgi?id=193050
1539
1540         Reviewed by Yusuke Suzuki.
1541
1542         * test262.yaml:
1543         * test262/expectations.yaml:
1544         Mark 16 tests as passing.
1545
1546 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1547
1548         [BigInt] Support BigInt in JSON.stringify
1549         https://bugs.webkit.org/show_bug.cgi?id=192624
1550
1551         Reviewed by Saam Barati.
1552
1553         * stress/big-int-json-stringify-to-json.js: Added.
1554         (shouldBe):
1555         (shouldThrow):
1556         (BigInt.prototype.toJSON):
1557         (shouldBe.JSON.stringify):
1558         * stress/big-int-json-stringify.js: Added.
1559         (shouldBe):
1560         (shouldThrow):
1561
1562 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1563
1564         [JSC] Implement "well-formed JSON.stringify" proposal
1565         https://bugs.webkit.org/show_bug.cgi?id=191677
1566
1567         Reviewed by Darin Adler.
1568
1569         * stress/json-surrogate-pair.js: Added.
1570         (shouldBe):
1571         * test262/expectations.yaml:
1572
1573 2018-12-20  Keith Miller  <keith_miller@apple.com>
1574
1575         Add support for globalThis
1576         https://bugs.webkit.org/show_bug.cgi?id=165171
1577
1578         Reviewed by Mark Lam.
1579
1580         * test262/config.yaml:
1581
1582 2018-12-19  Keith Miller  <keith_miller@apple.com>
1583
1584         Update test262 configuration to not run tests dependent on ICU version.
1585         https://bugs.webkit.org/show_bug.cgi?id=192920
1586
1587         Reviewed by Saam Barati.
1588
1589         * test262/expectations.yaml:
1590
1591 2018-12-20  Mark Lam  <mark.lam@apple.com>
1592
1593         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1594         https://bugs.webkit.org/show_bug.cgi?id=192939
1595         <rdar://problem/46869516>
1596
1597         Reviewed by Keith Miller.
1598
1599         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1600
1601 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1602
1603         WTF::String and StringImpl overflow MaxLength
1604         https://bugs.webkit.org/show_bug.cgi?id=192853
1605         <rdar://problem/45726906>
1606
1607         Reviewed by Mark Lam.
1608
1609         * stress/string-16bit-repeat-overflow.js: Added.
1610         (catch):
1611
1612 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1613
1614         Unreviewed follow-up to r192914.
1615
1616         * test262/expectations.yaml:
1617         Add the last 20 missing expectations.
1618
1619 2018-12-19  Keith Miller  <keith_miller@apple.com>
1620
1621         Fix test262 expectations
1622         https://bugs.webkit.org/show_bug.cgi?id=192914
1623
1624         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1625
1626         * test262/expectations.yaml:
1627
1628 2018-12-19  Keith Miller  <keith_miller@apple.com>
1629
1630         Update test262 tests.
1631         https://bugs.webkit.org/show_bug.cgi?id=192907
1632
1633         Rubber stamped by Mark Lam.
1634
1635         * test262/*: Omitted because prepare-changelog crashes.
1636
1637 2018-12-19  Mark Lam  <mark.lam@apple.com>
1638
1639         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1640         https://bugs.webkit.org/show_bug.cgi?id=192464
1641         <rdar://problem/46519455>
1642
1643         Reviewed by Saam Barati.
1644
1645         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1646         microbenchmark.
1647
1648         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1649         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1650
1651 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1652
1653         String overflow in JSC::createError results in ASSERT in WTF::makeString
1654         https://bugs.webkit.org/show_bug.cgi?id=192833
1655         <rdar://problem/45706868>
1656
1657         Reviewed by Mark Lam.
1658
1659         * stress/string-overflow-createError.js: Added.
1660
1661 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1662
1663         Error message for `-x ** y` contains a typo.
1664         https://bugs.webkit.org/show_bug.cgi?id=192832
1665
1666         Reviewed by Saam Barati.
1667
1668         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1669         (assert.assert.return.throws):
1670         * stress/pow-expects-update-expression-on-lhs.js:
1671         (throw.new.Error):
1672         Update test expectations which match against the exact error message.
1673
1674 2018-12-18  Mark Lam  <mark.lam@apple.com>
1675
1676         Gardening: test options fix.
1677         https://bugs.webkit.org/show_bug.cgi?id=192822
1678
1679         Unreviewed.
1680
1681         * stress/json-stringify-string-builder-overflow.js:
1682
1683 2018-12-18  Mark Lam  <mark.lam@apple.com>
1684
1685         JSON.stringify() should throw OOM on StringBuilder overflows.
1686         https://bugs.webkit.org/show_bug.cgi?id=192822
1687         <rdar://problem/46670577>
1688
1689         Reviewed by Saam Barati.
1690
1691         * stress/json-stringify-string-builder-overflow.js: Added.
1692
1693 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1694
1695         Redeclaration of var over let/const/class should be a syntax error.
1696         https://bugs.webkit.org/show_bug.cgi?id=192298
1697
1698         Reviewed by Keith Miller.
1699
1700         * test262.yaml:
1701         * test262/expectations.yaml:
1702         Mark 46 tests as passing.
1703
1704         * stress/block-scope-redeclarations.js:
1705         Add some new tests.
1706
1707         * stress/for-in-invalidate-context-weird-assignments.js:
1708         * stress/for-in-tests.js:
1709         Replace tests for outdated behavior with tests for SyntaxError.
1710
1711         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1712         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1713         Update expectations.
1714
1715 2018-12-18  Mark Lam  <mark.lam@apple.com>
1716
1717         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1718         https://bugs.webkit.org/show_bug.cgi?id=191374
1719         <rdar://problem/46525447>
1720
1721         Reviewed by Yusuke Suzuki.
1722
1723         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1724
1725         * stress/elidable-new-object-roflcopter-then-exit.js:
1726
1727 2018-12-17  Mark Lam  <mark.lam@apple.com>
1728
1729         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1730         https://bugs.webkit.org/show_bug.cgi?id=192019
1731         <rdar://problem/46525456>
1732
1733         Reviewed by Yusuke Suzuki.
1734
1735         The test runs too slow on 32-bit.
1736
1737         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1738
1739 2018-12-17  Mark Lam  <mark.lam@apple.com>
1740
1741         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1742         https://bugs.webkit.org/show_bug.cgi?id=191373
1743         <rdar://problem/46525458>
1744
1745         Reviewed by Yusuke Suzuki.
1746
1747         The test is already slow running with a JIT on 64-bit.  It will always timeout
1748         on 32-bit without a JIT.
1749
1750         * stress/materialize-regexp-cyclic-regexp.js:
1751
1752 2018-12-17  Mark Lam  <mark.lam@apple.com>
1753
1754         Array unshift/shift should not race against the AI in the compiler thread.
1755         https://bugs.webkit.org/show_bug.cgi?id=192795
1756         <rdar://problem/46724263>
1757
1758         Reviewed by Saam Barati.
1759
1760         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1761
1762 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1763
1764         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1765         https://bugs.webkit.org/show_bug.cgi?id=190047
1766
1767         Reviewed by Saam Barati.
1768
1769         * stress/object-keys-cached-zero.js: Added.
1770         (shouldBe):
1771         (test):
1772         * stress/object-keys-changed-attribute.js: Added.
1773         (shouldBe):
1774         (test):
1775         * stress/object-keys-changed-index.js: Added.
1776         (shouldBe):
1777         (test):
1778         * stress/object-keys-changed.js: Added.
1779         (shouldBe):
1780         (test):
1781         * stress/object-keys-indexed-non-cache.js: Added.
1782         (shouldBe):
1783         (test):
1784         * stress/object-keys-overrides-get-property-names.js: Added.
1785         (shouldBe):
1786         (test):
1787         (noInline):
1788
1789 2018-12-17  Mark Lam  <mark.lam@apple.com>
1790
1791         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1792         https://bugs.webkit.org/show_bug.cgi?id=192779
1793         <rdar://problem/46775869>
1794
1795         Reviewed by Saam Barati.
1796
1797         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1798
1799 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1800
1801         Unreviewed test gardening, address a syntax error in a new test.
1802
1803         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1804
1805 2018-12-17  Mark Lam  <mark.lam@apple.com>
1806
1807         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1808         https://bugs.webkit.org/show_bug.cgi?id=192776
1809         <rdar://problem/46772368>
1810
1811         Reviewed by Keith Miller.
1812
1813         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1814
1815 2018-12-17  Mark Lam  <mark.lam@apple.com>
1816
1817         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1818         https://bugs.webkit.org/show_bug.cgi?id=192770
1819         <rdar://problem/46449037>
1820
1821         Reviewed by Keith Miller.
1822
1823         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1824
1825 2018-12-14  Mark Lam  <mark.lam@apple.com>
1826
1827         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1828         https://bugs.webkit.org/show_bug.cgi?id=192717
1829         <rdar://problem/46660677>
1830
1831         Reviewed by Saam Barati.
1832
1833         * stress/regress-192717.js: Added.
1834
1835 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1836
1837         Unreviewed, rolling out r239153, r239154, and r239155.
1838         https://bugs.webkit.org/show_bug.cgi?id=192715
1839
1840         Caused flaky GC-related crashes seen with layout tests
1841         (Requested by ryanhaddad on #webkit).
1842
1843         Reverted changesets:
1844
1845         "[JSC] Optimize Object.keys by caching own keys results in
1846         StructureRareData"
1847         https://bugs.webkit.org/show_bug.cgi?id=190047
1848         https://trac.webkit.org/changeset/239153
1849
1850         "Unreviewed, build fix after r239153"
1851         https://bugs.webkit.org/show_bug.cgi?id=190047
1852         https://trac.webkit.org/changeset/239154
1853
1854         "Unreviewed, build fix after r239153, part 2"
1855         https://bugs.webkit.org/show_bug.cgi?id=190047
1856         https://trac.webkit.org/changeset/239155
1857
1858 2018-12-14  Keith Miller  <keith_miller@apple.com>
1859
1860         Callers of JSString::getIndex should check for OOM exceptions
1861         https://bugs.webkit.org/show_bug.cgi?id=192709
1862
1863         Reviewed by Mark Lam.
1864
1865         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1866
1867 2018-12-13  Mark Lam  <mark.lam@apple.com>
1868
1869         Add a missing exception check.
1870         https://bugs.webkit.org/show_bug.cgi?id=192626
1871         <rdar://problem/46662163>
1872
1873         Reviewed by Keith Miller.
1874
1875         * stress/regress-192626.js: Added.
1876
1877 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1878
1879         [BigInt] Add ValueDiv into DFG
1880         https://bugs.webkit.org/show_bug.cgi?id=186178
1881
1882         Reviewed by Yusuke Suzuki.
1883
1884         * stress/big-int-div-jit-osr.js: Added.
1885         * stress/big-int-div-jit-untyped.js: Added.
1886         * stress/value-div-fixup-int32-big-int.js: Added.
1887
1888 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1889
1890         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1891         https://bugs.webkit.org/show_bug.cgi?id=190047
1892
1893         Reviewed by Keith Miller.
1894
1895         * stress/object-keys-cached-zero.js: Added.
1896         (shouldBe):
1897         (test):
1898         * stress/object-keys-changed-attribute.js: Added.
1899         (shouldBe):
1900         (test):
1901         * stress/object-keys-changed-index.js: Added.
1902         (shouldBe):
1903         (test):
1904         * stress/object-keys-changed.js: Added.
1905         (shouldBe):
1906         (test):
1907         * stress/object-keys-indexed-non-cache.js: Added.
1908         (shouldBe):
1909         (test):
1910         * stress/object-keys-overrides-get-property-names.js: Added.
1911         (shouldBe):
1912         (test):
1913         (noInline):
1914
1915 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1916
1917         [DFG][FTL] Add NewSymbol
1918         https://bugs.webkit.org/show_bug.cgi?id=192620
1919
1920         Reviewed by Saam Barati.
1921
1922         * microbenchmarks/symbol-creation.js: Added.
1923         (test):
1924         * stress/symbol-description-identity.js: Added.
1925         (shouldBe):
1926         (test):
1927         * stress/symbol-identity.js: Added.
1928         (shouldBe):
1929         (test):
1930         * stress/symbol-with-description-throw-error.js: Added.
1931         (shouldBe):
1932         (shouldThrow):
1933         (test):
1934         (object.toString):
1935
1936 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1937
1938         [BigInt] Implement DFG/FTL typeof for BigInt
1939         https://bugs.webkit.org/show_bug.cgi?id=192619
1940
1941         Reviewed by Keith Miller.
1942
1943         * stress/big-int-boolean-proven-type.js: Added.
1944         (assert):
1945         (bool):
1946         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1947         (assert):
1948         (typeOf):
1949         (i.switch):
1950         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1951         (assert):
1952         (typeOf):
1953         * stress/big-int-type-of.js:
1954         (typeOf):
1955         (func):
1956
1957 2018-12-10  Mark Lam  <mark.lam@apple.com>
1958
1959         PropertyAttribute needs a CustomValue bit.
1960         https://bugs.webkit.org/show_bug.cgi?id=191993
1961         <rdar://problem/46264467>
1962
1963         Reviewed by Saam Barati.
1964
1965         * stress/regress-191993.js: Added.
1966
1967 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1968
1969         [BigInt] Add ValueMul into DFG
1970         https://bugs.webkit.org/show_bug.cgi?id=186175
1971
1972         Reviewed by Yusuke Suzuki.
1973
1974         * stress/big-int-mul-jit-osr.js: Added.
1975         * stress/big-int-mul-jit-untyped.js: Added.
1976         * stress/value-mul-fixup-int32-big-int.js: Added.
1977
1978 2018-12-06  Keith Miller  <keith_miller@apple.com>
1979
1980         stress/big-wasm-memory tests failing on 32-bit JSC bot
1981         https://bugs.webkit.org/show_bug.cgi?id=192020
1982
1983         Reviewed by Saam Barati.
1984
1985         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1986         the wasm stress tests if the WebAssembly object does not exist.
1987
1988         * stress/big-wasm-memory-grow-no-max.js:
1989         (test.foo):
1990         (test):
1991         (foo): Deleted.
1992         (catch): Deleted.
1993         * stress/big-wasm-memory-grow.js:
1994         (test.foo):
1995         (test):
1996         (foo): Deleted.
1997         (catch): Deleted.
1998         * stress/big-wasm-memory.js:
1999         (test.foo):
2000         (test):
2001         (foo): Deleted.
2002         (catch): Deleted.
2003
2004 2018-12-05  Mark Lam  <mark.lam@apple.com>
2005
2006         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2007         https://bugs.webkit.org/show_bug.cgi?id=192441
2008         <rdar://problem/46480355>
2009
2010         Reviewed by Saam Barati.
2011
2012         * stress/regress-192441.js: Added.
2013
2014 2018-12-04  Mark Lam  <mark.lam@apple.com>
2015
2016         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2017         https://bugs.webkit.org/show_bug.cgi?id=192386
2018         <rdar://problem/46445516>
2019
2020         Reviewed by Saam Barati.
2021
2022         * stress/regress-192386.js: Added.
2023
2024 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2025
2026         [ESNext][BigInt] Support logic operations
2027         https://bugs.webkit.org/show_bug.cgi?id=179903
2028
2029         Reviewed by Yusuke Suzuki.
2030
2031         * stress/big-int-branch-usage.js: Added.
2032         * stress/big-int-logical-and.js: Added.
2033         * stress/big-int-logical-not.js: Added.
2034         * stress/big-int-logical-or.js: Added.
2035
2036 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2037
2038         Unreviewed, rolling out r238833.
2039
2040         Breaks macOS and iOS debug builds.
2041
2042         Reverted changeset:
2043
2044         "[ESNext][BigInt] Support logic operations"
2045         https://bugs.webkit.org/show_bug.cgi?id=179903
2046         https://trac.webkit.org/changeset/238833
2047
2048 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2049
2050         [ESNext][BigInt] Support logic operations
2051         https://bugs.webkit.org/show_bug.cgi?id=179903
2052
2053         Reviewed by Yusuke Suzuki.
2054
2055         * stress/big-int-branch-usage.js: Added.
2056         * stress/big-int-logical-and.js: Added.
2057         * stress/big-int-logical-not.js: Added.
2058         * stress/big-int-logical-or.js: Added.
2059
2060 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2061
2062         [ESNext][BigInt] Implement support for "<<" and ">>"
2063         https://bugs.webkit.org/show_bug.cgi?id=186233
2064
2065         Reviewed by Yusuke Suzuki.
2066
2067         * stress/big-int-left-shift-general.js: Added.
2068         * stress/big-int-left-shift-range-error.js: Added.
2069         * stress/big-int-left-shift-type-error.js: Added.
2070         * stress/big-int-left-shift-wrapped-value.js: Added.
2071         * stress/big-int-right-shift-general.js: Added.
2072         * stress/big-int-right-shift-type-error.js: Added.
2073         * stress/big-int-right-shift-wrapped-value.js: Added.
2074         * stress/left-shift-to-primitive-precedence.js: Added.
2075         * stress/right-shift-to-primitive-precedence.js: Added.
2076
2077 2018-11-30  Dean Jackson  <dino@apple.com>
2078
2079         Add first-class support for .mjs files in jsc binary
2080         https://bugs.webkit.org/show_bug.cgi?id=192190
2081         <rdar://problem/46375715>
2082
2083         Reviewed by Keith Miller.
2084
2085         * stress/simple-module.mjs: Added.
2086         * stress/simple-script.js: Added.
2087
2088 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2089
2090         [BigInt] Implement ValueBitXor into DFG
2091         https://bugs.webkit.org/show_bug.cgi?id=190264
2092
2093         Reviewed by Yusuke Suzuki.
2094
2095         * stress/big-int-bitwise-xor-jit.js: Added.
2096         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2097         * stress/big-int-bitwise-xor-untyped.js: Added.
2098
2099 2018-11-27  Saam barati  <sbarati@apple.com>
2100
2101         r238510 broke scopes of size zero
2102         https://bugs.webkit.org/show_bug.cgi?id=192033
2103         <rdar://problem/46281734>
2104
2105         Reviewed by Keith Miller.
2106
2107         * stress/r238510-bad-loop.js: Added.
2108         (foo):
2109
2110 2018-11-27  Mark Lam  <mark.lam@apple.com>
2111
2112         [Re-landing] NaNs read from Wasm code need to be purified.
2113         https://bugs.webkit.org/show_bug.cgi?id=191056
2114         <rdar://problem/45660341>
2115
2116         Reviewed by Filip Pizlo.
2117
2118         * wasm/regress/regress-191056.js: Added.
2119
2120 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2121
2122         Unreviewed, rolling out r238509.
2123
2124         Causes JSC tests to fail on iOS.
2125
2126         Reverted changeset:
2127
2128         "NaNs read from Wasm code need to be purified."
2129         https://bugs.webkit.org/show_bug.cgi?id=191056
2130         https://trac.webkit.org/changeset/238509
2131
2132 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2133
2134         Re-introduce op_bitnot
2135         https://bugs.webkit.org/show_bug.cgi?id=190923
2136
2137         Reviewed by Yusuke Suzuki.
2138
2139         * stress/bit-not-must-generate.js: Added.
2140         * stress/bitwise-not-no-int32.js: Added.
2141
2142 2018-11-26  Saam barati  <sbarati@apple.com>
2143
2144         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2145         https://bugs.webkit.org/show_bug.cgi?id=191956
2146         <rdar://problem/45665806>
2147
2148         Reviewed by Yusuke Suzuki.
2149
2150         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2151         (bar):
2152         (foo):
2153
2154 2018-11-26  Saam barati  <sbarati@apple.com>
2155
2156         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2157         https://bugs.webkit.org/show_bug.cgi?id=191958
2158         <rdar://problem/46221877>
2159
2160         Reviewed by Yusuke Suzuki.
2161
2162         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2163         (x):
2164         (foo):
2165
2166 2018-11-26  Mark Lam  <mark.lam@apple.com>
2167
2168         NaNs read from Wasm code need to be purified.
2169         https://bugs.webkit.org/show_bug.cgi?id=191056
2170         <rdar://problem/45660341>
2171
2172         Reviewed by Filip Pizlo.
2173
2174         * wasm/regress/regress-191056.js: Added.
2175
2176 2018-11-26  Michael Saboff  <msaboff@apple.com>
2177
2178         32-bit JSC test failure: stress/regexp-compile-oom.js
2179         https://bugs.webkit.org/show_bug.cgi?id=191375
2180
2181         Reviewed by Mark Lam.
2182
2183         Disabled the test for 32 bit platforms.
2184
2185         * stress/regexp-compile-oom.js:
2186
2187 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2188
2189         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2190         https://bugs.webkit.org/show_bug.cgi?id=191716
2191         <rdar://problem/45723878>
2192
2193         Reviewed by Saam Barati.
2194
2195         * stress/regress-187373.js: Added.
2196         (async.fn):
2197
2198 2018-11-21  Saam barati  <sbarati@apple.com>
2199
2200         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2201         https://bugs.webkit.org/show_bug.cgi?id=191897
2202         <rdar://problem/45871998>
2203
2204         Reviewed by Mark Lam.
2205
2206         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2207         (bar):
2208         (foo):
2209
2210 2018-11-21  Saam barati  <sbarati@apple.com>
2211
2212         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2213         https://bugs.webkit.org/show_bug.cgi?id=191895
2214         <rdar://problem/46167406>
2215
2216         Reviewed by Mark Lam.
2217
2218         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2219         (foo):
2220         (bar):
2221
2222 2018-11-21  Mark Lam  <mark.lam@apple.com>
2223
2224         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2225         https://bugs.webkit.org/show_bug.cgi?id=191776
2226         <rdar://problem/46152851>
2227
2228         Reviewed by Saam Barati.
2229
2230         * stress/big-wasm-memory-grow-no-max.js:
2231         * stress/big-wasm-memory-grow.js:
2232         * stress/big-wasm-memory.js:
2233         - updated these to expect an OutOfMemoryError.
2234
2235         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2236         (Binary.prototype.emit_u8):
2237         (Binary.prototype.emit_u32v):
2238         (Binary.prototype.emit_header):
2239         (Binary.prototype.emit_section):
2240         (Binary):
2241         (WasmModuleBuilder):
2242         (WasmModuleBuilder.prototype.addMemory):
2243         (WasmModuleBuilder.prototype.toArray):
2244         (WasmModuleBuilder.prototype.toBuffer):
2245         (WasmModuleBuilder.prototype.instantiate):
2246         (catch):
2247         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2248         (catch):
2249
2250 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2251
2252         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2253         https://bugs.webkit.org/show_bug.cgi?id=190836
2254
2255         Reviewed by Saam Barati and Yusuke Suzuki.
2256
2257         * stress/big-int-out-of-memory-tests.js: Added.
2258
2259 2018-11-20  Mark Lam  <mark.lam@apple.com>
2260
2261         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2262         https://bugs.webkit.org/show_bug.cgi?id=191856
2263         <rdar://problem/46089992>
2264
2265         Reviewed by Yusuke Suzuki.
2266
2267         * stress/regress-191856.js: Added.
2268         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2269
2270 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2271
2272         Enable JIT on ARM/Linux
2273         https://bugs.webkit.org/show_bug.cgi?id=191548
2274
2275         Reviewed by Yusuke Suzuki.
2276
2277         Disable test on system with limited memory. Program was killed by
2278         the OS before the exception was thrown.
2279
2280         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2281
2282 2018-11-20  Saam barati  <sbarati@apple.com>
2283
2284         Merging an IC variant may lead to the IC status containing overlapping structure sets
2285         https://bugs.webkit.org/show_bug.cgi?id=191869
2286         <rdar://problem/45403453>
2287
2288         Reviewed by Mark Lam.
2289
2290         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2291
2292 2018-11-19  Mark Lam  <mark.lam@apple.com>
2293
2294         globalFuncImportModule() should return a promise when it clears exceptions.
2295         https://bugs.webkit.org/show_bug.cgi?id=191792
2296         <rdar://problem/46090763>
2297
2298         Reviewed by Michael Saboff.
2299
2300         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2301
2302 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2303
2304         Skip new memory-hungry tests on memory limited devices
2305
2306         Unreviewed gardening.
2307
2308         * stress/big-wasm-memory-grow-no-max.js:
2309         * stress/big-wasm-memory-grow.js:
2310         * stress/big-wasm-memory.js:
2311
2312 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2313
2314         Unreviewed, rolling in the rest of r237254
2315         https://bugs.webkit.org/show_bug.cgi?id=190340
2316
2317         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2318         * stress/function-cache-with-parameters-end-position.js: Added.
2319         (shouldBe):
2320         (shouldThrow):
2321         (i.anonymous):
2322         * stress/function-constructor-name.js: Added.
2323         (shouldBe):
2324         (GeneratorFunction):
2325         (AsyncFunction.async):
2326         (AsyncGeneratorFunction.async):
2327         (anonymous):
2328         (async.anonymous):
2329         * test262/expectations.yaml:
2330
2331 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2332
2333         All users of ArrayBuffer should agree on the same max size
2334         https://bugs.webkit.org/show_bug.cgi?id=191771
2335
2336         Reviewed by Mark Lam.
2337
2338         * stress/big-wasm-memory-grow-no-max.js: Added.
2339         (foo):
2340         (catch):
2341         * stress/big-wasm-memory-grow.js: Added.
2342         (foo):
2343         (catch):
2344         * stress/big-wasm-memory.js: Added.
2345         (foo):
2346         (catch):
2347
2348 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2349
2350         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2351         run for each JSC config since they're regression tests for runtime bugs.
2352
2353         * stress/json-stringified-overflow-2.js:
2354         * stress/json-stringified-overflow.js:
2355
2356 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2357
2358         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2359         config since they're regression tests for runtime bugs.
2360
2361         * stress/large-unshift-splice.js:
2362         * stress/regress-185888.js:
2363
2364 2018-11-16  Saam Barati  <sbarati@apple.com>
2365
2366         KnownCellUse should also have SpecCellCheck as its type filter
2367         https://bugs.webkit.org/show_bug.cgi?id=191729
2368         <rdar://problem/45872852>
2369
2370         Reviewed by Filip Pizlo.
2371
2372         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2373         (C):
2374
2375 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2376
2377         Fix assertion failure on BytecodeGenerator::recordOpcode
2378         https://bugs.webkit.org/show_bug.cgi?id=191724
2379         <rdar://problem/45724395>
2380
2381         Reviewed by Saam Barati.
2382
2383         * stress/regress-187373-2.js: Added.
2384         (foo):
2385
2386 2018-11-15  Mark Lam  <mark.lam@apple.com>
2387
2388         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2389         https://bugs.webkit.org/show_bug.cgi?id=191730
2390         <rdar://problem/46048517>
2391
2392         Reviewed by Saam Barati.
2393
2394         * stress/regress-187006.js: Removed.
2395           - this test is invalid because its sole purpose is to test for the non-spec
2396             compliant behavior that we just fixed.
2397
2398         * stress/regress-191730.js: Added.
2399
2400 2018-11-15  Mark Lam  <mark.lam@apple.com>
2401
2402         RegExp operations should not take fast path if lastIndex is not numeric.
2403         https://bugs.webkit.org/show_bug.cgi?id=191731
2404         <rdar://problem/46017305>
2405
2406         Reviewed by Saam Barati.
2407
2408         * stress/regress-191731.js: Added.
2409
2410 2018-11-13  Saam Barati  <sbarati@apple.com>
2411
2412         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2413         https://bugs.webkit.org/show_bug.cgi?id=191600
2414
2415         Reviewed by Mark Lam.
2416
2417         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2418         (foo):
2419         (test):
2420         (bar):
2421
2422 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2423
2424         Unreviewed, rolling out r238132.
2425
2426         The test added with this change is timing out on Debug JSC
2427         bots.
2428
2429         Reverted changeset:
2430
2431         "[BigInt] JSBigInt::createWithLength should throw when length
2432         is greater than JSBigInt::maxLength"
2433         https://bugs.webkit.org/show_bug.cgi?id=190836
2434         https://trac.webkit.org/changeset/238132
2435
2436 2018-11-13  Mark Lam  <mark.lam@apple.com>
2437
2438         Add OOM detection to StringPrototype's substituteBackreferences().
2439         https://bugs.webkit.org/show_bug.cgi?id=191563
2440         <rdar://problem/45720428>
2441
2442         Reviewed by Saam Barati.
2443
2444         * stress/regress-191563.js: Added.
2445
2446 2018-11-13  Mark Lam  <mark.lam@apple.com>
2447
2448         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2449         https://bugs.webkit.org/show_bug.cgi?id=191579
2450         <rdar://problem/45942472>
2451
2452         Reviewed by Saam Barati.
2453
2454         * stress/regress-191579.js: Added.
2455
2456 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2457
2458         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2459         https://bugs.webkit.org/show_bug.cgi?id=190836
2460
2461         Reviewed by Saam Barati.
2462
2463         * stress/big-int-out-of-memory-tests.js: Added.
2464
2465 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2466
2467         U+180E is no longer a whitespace character
2468         https://bugs.webkit.org/show_bug.cgi?id=191415
2469
2470         Reviewed by Saam Barati.
2471
2472         * ChakraCore/test/es5/regexSpace.baseline:
2473         * ChakraCore/test/es6/unicode_whitespace.js:
2474         Update tests to latest version.
2475         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2476
2477         * test262.yaml:
2478         * test262/config.yaml:
2479         * test262/expectations.yaml:
2480         Update expectations.
2481
2482 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2483
2484         [BigInt] Add support to BigInt into ValueAdd
2485         https://bugs.webkit.org/show_bug.cgi?id=186177
2486
2487         Reviewed by Keith Miller.
2488
2489         * stress/big-int-negate-jit.js:
2490         * stress/value-add-big-int-and-string.js: Added.
2491         * stress/value-add-big-int-prediction-propagation.js: Added.
2492         * stress/value-add-big-int-untyped.js: Added.
2493
2494 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2495
2496         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2497         https://bugs.webkit.org/show_bug.cgi?id=191184
2498
2499         Reviewed by Saam Barati.
2500
2501         Most tests were failing due to timeouts, since they are too slow to
2502         run on CLoop. The exceptions are:
2503
2504         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2505         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2506         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2507         to change the stack size since CLoop requires it to be page aligned.
2508
2509         * microbenchmarks/array-push-1.js:
2510         * microbenchmarks/array-push-2.js:
2511         * microbenchmarks/elidable-new-object-dag.js:
2512         * microbenchmarks/elidable-new-object-roflcopter.js:
2513         * microbenchmarks/elidable-new-object-tree.js:
2514         * microbenchmarks/getter-richards.js:
2515         * microbenchmarks/sinkable-new-object-dag.js:
2516         * microbenchmarks/string-concat-long-convert.js:
2517         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2518         * slowMicrobenchmarks/array-push-3.js:
2519         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2520         * slowMicrobenchmarks/spread-small-array.js:
2521         * slowMicrobenchmarks/undefined-property-access.js:
2522         * stress/activation-sink-default-value-tdz-error.js:
2523         * stress/activation-sink-default-value.js:
2524         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2525         * stress/activation-sink-osrexit-default-value.js:
2526         * stress/activation-sink-osrexit.js:
2527         * stress/activation-sink.js:
2528         * stress/allow-math-ic-b3-code-duplication.js:
2529         * stress/array-push-multiple-int32.js:
2530         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2531         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2532         * stress/arrowfunction-lexical-this-activation-sink.js:
2533         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2534         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2535         * stress/elide-new-object-dag-then-exit.js:
2536         * stress/materialize-regexp-cyclic.js:
2537         * stress/new-regex-inline.js:
2538         * stress/op_add.js:
2539         * stress/op_bitand.js:
2540         * stress/op_bitor.js:
2541         * stress/op_bitxor.js:
2542         * stress/op_div-ConstVar.js:
2543         * stress/op_div-VarConst.js:
2544         * stress/op_div-VarVar.js:
2545         * stress/op_lshift-ConstVar.js:
2546         * stress/op_lshift-VarConst.js:
2547         * stress/op_lshift-VarVar.js:
2548         * stress/op_mod-ConstVar.js:
2549         * stress/op_mod-VarConst.js:
2550         * stress/op_mod-VarVar.js:
2551         * stress/op_mul-ConstVar.js:
2552         * stress/op_mul-VarConst.js:
2553         * stress/op_mul-VarVar.js:
2554         * stress/op_rshift-ConstVar.js:
2555         * stress/op_rshift-VarConst.js:
2556         * stress/op_rshift-VarVar.js:
2557         * stress/op_sub-ConstVar.js:
2558         * stress/op_sub-VarConst.js:
2559         * stress/op_sub-VarVar.js:
2560         * stress/op_urshift-ConstVar.js:
2561         * stress/op_urshift-VarConst.js:
2562         * stress/op_urshift-VarVar.js:
2563         * stress/proxy-get-set-correct-receiver.js:
2564         * stress/regress-179562.js:
2565         * stress/rest-parameter-many-arguments.js:
2566         * stress/sampling-profiler-richards.js:
2567         * stress/splay-flash-access-1ms.js:
2568         * stress/tailCallForwardArguments.js:
2569         * stress/typed-array-get-by-val-profiling.js:
2570         * typeProfiler/getter-richards.js:
2571
2572 2018-11-06  Michael Saboff  <msaboff@apple.com>
2573
2574         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2575         https://bugs.webkit.org/show_bug.cgi?id=191271
2576
2577         Reviewed by Saam Barati.
2578
2579         Added more test cases and made all test cases run with the same deeply recursive stack
2580         instead of finding that same point for each test case.
2581
2582         * stress/regexp-compile-oom.js:
2583         (prototype.runTest):
2584         (recurseAndTest):
2585         (testList.push.new.TestAndExpectedException):
2586
2587 2018-11-05  Michael Saboff  <msaboff@apple.com>
2588
2589         Unreviewed build fix for linux.
2590
2591         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2592
2593 2018-11-02  Michael Saboff  <msaboff@apple.com>
2594
2595         Rolling in r237753 with unreviewed build fix.
2596
2597         Fixed issues with DECLARE_THROW_SCOPE placement.
2598
2599 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2600
2601         Unreviewed, rolling out r237753.
2602
2603         Introduced JSC test failures
2604
2605         Reverted changeset:
2606
2607         "Running out of stack space not properly handled in
2608         RegExp::compile() and its callers"
2609         https://bugs.webkit.org/show_bug.cgi?id=191206
2610         https://trac.webkit.org/changeset/237753
2611
2612 2018-11-02  Michael Saboff  <msaboff@apple.com>
2613
2614         Running out of stack space not properly handled in RegExp::compile() and its callers
2615         https://bugs.webkit.org/show_bug.cgi?id=191206
2616
2617         Reviewed by Filip Pizlo.
2618
2619         New regression test.
2620
2621         * stress/regexp-compile-oom.js: Added.
2622         (recurseAndTest):
2623
2624 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2625
2626         Skip tests on arm/mips that time out now we're running on CLoop
2627
2628         Unreviewed gardening.
2629
2630         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2631         time out on the bots and need to be disabled. There are more tests
2632         disabled on arm because the timeout is longer on the mips bot (as the
2633         device is slower to start with), so many of the tests don't time out
2634         there.
2635
2636         * microbenchmarks/getter-richards.js: disable on arm and mips.
2637         * stress/op_add.js: disable on arm.
2638         * stress/op_bitand.js: disable on arm.
2639         * stress/op_bitor.js: disable on arm.
2640         * stress/op_bitxor.js: disable on arm.
2641         * stress/op_lshift-ConstVar.js: disable on arm.
2642         * stress/op_lshift-VarConst.js: disable on arm.
2643         * stress/op_lshift-VarVar.js: disable on arm.
2644         * stress/op_mod-ConstVar.js: disable on arm.
2645         * stress/op_mod-VarConst.js: disable on arm.
2646         * stress/op_mod-VarVar.js: disable on arm.
2647         * stress/op_mul-ConstVar.js: disable on arm.
2648         * stress/op_mul-VarConst.js: disable on arm.
2649         * stress/op_mul-VarVar.js: disable on arm.
2650         * stress/op_rshift-ConstVar.js: disable on arm.
2651         * stress/op_rshift-VarConst.js: disable on arm.
2652         * stress/op_rshift-VarVar.js: disable on arm.
2653         * stress/op_sub-ConstVar.js: disable on arm.
2654         * stress/op_sub-VarConst.js: disable on arm.
2655         * stress/op_sub-VarVar.js: disable on arm.
2656         * stress/op_urshift-ConstVar.js: disable on arm.
2657         * stress/op_urshift-VarConst.js: disable on arm.
2658         * stress/op_urshift-VarVar.js: disable on arm.
2659         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2660         * stress/value-to-boolean.js: disable on arm and mips.
2661
2662 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2663
2664         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2665         https://bugs.webkit.org/show_bug.cgi?id=191108
2666         <rdar://problem/45690700>
2667
2668         Reviewed by Saam Barati.
2669
2670         * stress/wide-op_catch.js: Added.
2671         (catch):
2672
2673 2018-10-29  Mark Lam  <mark.lam@apple.com>
2674
2675         Correctly detect string overflow when using the 'Function' constructor.
2676         https://bugs.webkit.org/show_bug.cgi?id=184883
2677         <rdar://problem/36320331>
2678
2679         Reviewed by Saam Barati.
2680
2681         I've verified that this passes on 32-bit as well.
2682
2683         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2684
2685 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2686
2687         Add support for GetStack FlushedDouble
2688         https://bugs.webkit.org/show_bug.cgi?id=191012
2689         <rdar://problem/45265141>
2690
2691         Reviewed by Saam Barati.
2692
2693         * stress/get-stack-double.js: Added.
2694         (bar):
2695         (noInline):
2696
2697 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2698
2699         New bytecode format for JSC
2700         https://bugs.webkit.org/show_bug.cgi?id=187373
2701         <rdar://problem/44186758>
2702
2703         Reviewed by Filip Pizlo.
2704
2705         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2706
2707         * stress/maximum-inline-capacity.js: Added.
2708         (test1):
2709         (test3.Foo):
2710         (test3):
2711
2712 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2713
2714         Unreviewed, rolling out r237479 and r237484.
2715         https://bugs.webkit.org/show_bug.cgi?id=190978
2716
2717         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2718
2719         Reverted changesets:
2720
2721         "New bytecode format for JSC"
2722         https://bugs.webkit.org/show_bug.cgi?id=187373
2723         https://trac.webkit.org/changeset/237479
2724
2725         "Gardening: Build fix after r237479."
2726         https://bugs.webkit.org/show_bug.cgi?id=187373
2727         https://trac.webkit.org/changeset/237484
2728
2729 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2730
2731         New bytecode format for JSC
2732         https://bugs.webkit.org/show_bug.cgi?id=187373
2733         <rdar://problem/44186758>
2734
2735         Reviewed by Filip Pizlo.
2736
2737         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2738
2739         * stress/maximum-inline-capacity.js: Added.
2740         (test1):
2741         (test3.Foo):
2742         (test3):
2743
2744 2018-10-26  Mark Lam  <mark.lam@apple.com>
2745
2746         Fix missing edge cases with JSGlobalObjects having a bad time.
2747         https://bugs.webkit.org/show_bug.cgi?id=189028
2748         <rdar://problem/45204939>
2749
2750         Reviewed by Saam Barati.
2751
2752         * stress/regress-189028.js: Added.
2753
2754 2018-10-22  Mark Lam  <mark.lam@apple.com>
2755
2756         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2757         https://bugs.webkit.org/show_bug.cgi?id=190515
2758         <rdar://problem/45222379>
2759
2760         Rubber-stamped by Saam Barati.
2761
2762         Adding another test.
2763
2764         * stress/regress-190515-2.js: Added.
2765
2766 2018-10-22  Mark Lam  <mark.lam@apple.com>
2767
2768         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2769         https://bugs.webkit.org/show_bug.cgi?id=190515
2770         <rdar://problem/45222379>
2771
2772         Reviewed by Saam Barati.
2773
2774         * stress/regress-190515.js: Added.
2775
2776 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2777
2778         Unreviewed, rolling out r237254.
2779         https://bugs.webkit.org/show_bug.cgi?id=190760
2780
2781         "It regresses JetStream 2 by 5% on some iOS devices"
2782         (Requested by saamyjoon on #webkit).
2783
2784         Reverted changeset:
2785
2786         "[JSC] JSC should have "parseFunction" to optimize Function
2787         constructor"
2788         https://bugs.webkit.org/show_bug.cgi?id=190340
2789         https://trac.webkit.org/changeset/237254
2790
2791 2018-10-19  Saam Barati  <sbarati@apple.com>
2792
2793         vmCall should check if we exit before emitting an OSR exit due to exceptions
2794         https://bugs.webkit.org/show_bug.cgi?id=190740
2795         <rdar://problem/45220139>
2796
2797         Reviewed by Mark Lam.
2798
2799         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2800         (foo):
2801
2802 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2803
2804         [ESNext][BigInt] Implement support for "^"
2805         https://bugs.webkit.org/show_bug.cgi?id=186235
2806
2807         Reviewed by Yusuke Suzuki.
2808
2809         * stress/big-int-bitwise-xor-general.js: Added.
2810         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2811         * stress/big-int-bitwise-xor-type-error.js: Added.
2812         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2813
2814 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2815
2816         [BigInt] Add ValueSub into DFG
2817         https://bugs.webkit.org/show_bug.cgi?id=186176
2818
2819         Reviewed by Yusuke Suzuki.
2820
2821         * stress/big-int-subtraction-jit.js:
2822         * stress/value-sub-big-int-prediction-propagation.js: Added.
2823         * stress/value-sub-big-int-untyped.js: Added.
2824         * stress/value-sub-spec-none-case.js: Added.
2825
2826 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2827
2828         [JSC] JSC should have "parseFunction" to optimize Function constructor
2829         https://bugs.webkit.org/show_bug.cgi?id=190340
2830
2831         Reviewed by Mark Lam.
2832
2833         This patch fixes the line number of syntax errors raised by the Function constructor,
2834         since we now parse the final code only once. And we no longer use block statement
2835         for Function constructor's parsing.
2836
2837         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2838         * stress/function-cache-with-parameters-end-position.js: Added.
2839         (shouldBe):
2840         (shouldThrow):
2841         (i.anonymous):
2842         * stress/function-constructor-name.js: Added.
2843         (shouldBe):
2844         (GeneratorFunction):
2845         (AsyncFunction.async):
2846         (AsyncGeneratorFunction.async):
2847         (anonymous):
2848         (async.anonymous):
2849         * test262/expectations.yaml:
2850
2851 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2852
2853         Unreviewed, rolling out r237242.
2854         https://bugs.webkit.org/show_bug.cgi?id=190701
2855
2856         it breaks "stress/sampling-profiler-basic.js" (Requested by
2857         caiolima on #webkit).
2858
2859         Reverted changeset:
2860
2861         "[BigInt] Add ValueSub into DFG"
2862         https://bugs.webkit.org/show_bug.cgi?id=186176
2863         https://trac.webkit.org/changeset/237242
2864
2865 2018-10-17  Keith Miller  <keith_miller@apple.com>
2866
2867         AI does not clear Phantom allocation nodes.
2868         https://bugs.webkit.org/show_bug.cgi?id=190694
2869
2870         Reviewed by Saam Barati.
2871
2872         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2873         (Day):
2874         (DaysInYear):
2875         (TimeInYear):
2876         (TimeFromYear):
2877         (DayFromYear):
2878         (InLeapYear):
2879         (YearFromTime):
2880         (WeekDay):
2881         (DaylightSavingTA):
2882         (GetSecondSundayInMarch):
2883         (TimeInMonth):
2884
2885 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2886
2887         [BigInt] Add ValueSub into DFG
2888         https://bugs.webkit.org/show_bug.cgi?id=186176
2889
2890         Reviewed by Yusuke Suzuki.
2891
2892         * stress/big-int-subtraction-jit.js:
2893         * stress/value-sub-big-int-prediction-propagation.js: Added.
2894         * stress/value-sub-big-int-untyped.js: Added.
2895
2896 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2897
2898         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2899         https://bugs.webkit.org/show_bug.cgi?id=190611
2900
2901         Reviewed by Saam Barati.
2902
2903         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2904         to improve test runtime. On ARM/MIPS this test even timed out when running all
2905         tests.
2906
2907         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2908         (test):
2909
2910 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2911
2912         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2913
2914         Unreviewed gardening.
2915
2916         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2917
2918 2018-10-15  Saam barati  <sbarati@apple.com>
2919
2920         Emit fjcvtzs on ARM64E on Darwin
2921         https://bugs.webkit.org/show_bug.cgi?id=184023
2922
2923         Reviewed by Yusuke Suzuki and Filip Pizlo.
2924
2925         * stress/double-to-int32-NaN.js: Added.
2926         (assert):
2927         (foo):
2928
2929 2018-10-15  Saam Barati  <sbarati@apple.com>
2930
2931         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2932         https://bugs.webkit.org/show_bug.cgi?id=190262
2933         <rdar://problem/44986241>
2934
2935         Reviewed by Mark Lam.
2936
2937         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2938         (test):
2939         * stress/slice-array-storage-with-holes.js: Added.
2940         (main):
2941
2942 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2943
2944         Unreviewed, rolling out r237054.
2945         https://bugs.webkit.org/show_bug.cgi?id=190593
2946
2947         "this regressed JetStream 2 by 6% on iOS" (Requested by
2948         saamyjoon on #webkit).
2949
2950         Reverted changeset:
2951
2952         "[JSC] JSC should have "parseFunction" to optimize Function
2953         constructor"
2954         https://bugs.webkit.org/show_bug.cgi?id=190340
2955         https://trac.webkit.org/changeset/237054
2956
2957 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2958
2959         [JSC] JSON.stringify can accept call-with-no-arguments
2960         https://bugs.webkit.org/show_bug.cgi?id=190343
2961
2962         Reviewed by Mark Lam.
2963
2964         * stress/json-stringify-no-arguments.js: Added.
2965         (shouldBe):
2966
2967 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2968
2969         [JSC] JSC should have "parseFunction" to optimize Function constructor
2970         https://bugs.webkit.org/show_bug.cgi?id=190340
2971
2972         Reviewed by Mark Lam.
2973
2974         This patch fixes the line number of syntax errors raised by the Function constructor,
2975         since we now parse the final code only once. And we no longer use block statement
2976         for Function constructor's parsing.
2977
2978         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2979         * stress/function-cache-with-parameters-end-position.js: Added.
2980         (shouldBe):
2981         (shouldThrow):
2982         (i.anonymous):
2983         * stress/function-constructor-name.js: Added.
2984         (shouldBe):
2985         (GeneratorFunction):
2986         (AsyncFunction.async):
2987         (AsyncGeneratorFunction.async):
2988         (anonymous):
2989         (async.anonymous):
2990         * test262/expectations.yaml:
2991
2992 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2993
2994         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2995         https://bugs.webkit.org/show_bug.cgi?id=190426
2996
2997         Unreviewed gardening.
2998
2999         * stress/sampling-profiler-richards.js:
3000
3001 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3002
3003         [ESNext][BigInt] Implement support for "|"
3004         https://bugs.webkit.org/show_bug.cgi?id=186229
3005
3006         Reviewed by Yusuke Suzuki.
3007
3008         * stress/big-int-bitwise-and-jit.js:
3009         * stress/big-int-bitwise-or-general.js: Added.
3010         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3011         * stress/big-int-bitwise-or-jit.js: Added.
3012         * stress/big-int-bitwise-or-memory-stress.js: Added.
3013         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3014         * stress/big-int-bitwise-or-type-error.js: Added.
3015         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3016
3017 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3018
3019         Skip test on systems with limited memory
3020         https://bugs.webkit.org/show_bug.cgi?id=190310
3021
3022         Invoking runDefault adds test to runlist; skipping the test in the next
3023         line does not prevent the test from executing. Change order of lines such
3024         that runDefault is only executed if test is not executed.
3025
3026         Reviewed by Mark Lam.
3027
3028         * stress/regress-190187.js:
3029
3030 2018-10-03  Saam barati  <sbarati@apple.com>
3031
3032         lowXYZ in FTLLower should always filter the type of the incoming edge
3033         https://bugs.webkit.org/show_bug.cgi?id=189939
3034         <rdar://problem/44407030>
3035
3036         Reviewed by Michael Saboff.
3037
3038         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3039         (foo):
3040         (test):
3041
3042 2018-10-03  Mark Lam  <mark.lam@apple.com>
3043
3044         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3045         https://bugs.webkit.org/show_bug.cgi?id=190187
3046         <rdar://problem/42512909>
3047
3048         Reviewed by Michael Saboff.
3049
3050         * stress/regress-190187.js: Added.
3051
3052 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3053
3054         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3055         https://bugs.webkit.org/show_bug.cgi?id=190033
3056
3057         Reviewed by Yusuke Suzuki.
3058
3059         * stress/big-int-to-string.js:
3060
3061 2018-10-01  Mark Lam  <mark.lam@apple.com>
3062
3063         Function.toString() should also copy the source code of Functions that are class definitions.
3064         https://bugs.webkit.org/show_bug.cgi?id=190186
3065         <rdar://problem/44733360>
3066
3067         Reviewed by Saam Barati.
3068
3069         * stress/regress-190186.js: Added.
3070
3071 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3072
3073         Split NaN-check into separate test
3074         https://bugs.webkit.org/show_bug.cgi?id=190010
3075
3076         Reviewed by Saam Barati.
3077
3078         DataView exposes NaN-representation, which is not necessarily the same on each
3079         architecture. Therefore move the check of the NaN-representation into its own
3080         file such that we can disable this test on MIPS where NaN-representation can be
3081         different on older CPUs.
3082
3083         * stress/dataview-jit-set-nan.js: Added.
3084         (assert):
3085         (test.storeLittleEndian):
3086         (test.storeBigEndian):
3087         (test.store):
3088         (test):
3089         * stress/dataview-jit-set.js:
3090         (test5):
3091
3092 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3093
3094         Unreviewed, rolling out r236647.
3095         https://bugs.webkit.org/show_bug.cgi?id=190124
3096
3097         Breaking test stress/big-int-to-string.js (Requested by
3098         caiolima_ on #webkit).
3099
3100         Reverted changeset:
3101
3102         "[BigInt] BigInt.prototype.toString is broken when radix is
3103         power of 2"
3104         https://bugs.webkit.org/show_bug.cgi?id=190033
3105         https://trac.webkit.org/changeset/236647
3106
3107 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3108
3109         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3110         https://bugs.webkit.org/show_bug.cgi?id=190033
3111
3112         Reviewed by Yusuke Suzuki.
3113
3114         * stress/big-int-to-string.js:
3115
3116 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3117
3118         [ESNext][BigInt] Implement support for "&"
3119         https://bugs.webkit.org/show_bug.cgi?id=186228
3120
3121         Reviewed by Yusuke Suzuki.
3122
3123         * stress/big-int-bitwise-and-general.js: Added.
3124         (assert):
3125         (assert.sameValue):
3126         * stress/big-int-bitwise-and-jit.js: Added.
3127         (let.assert.sameValue):
3128         (bigIntBitAnd):
3129         * stress/big-int-bitwise-and-memory-stress.js: Added.
3130         (assert):
3131         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3132         (assert.sameValue):
3133         (let.o.Symbol.toPrimitive):
3134         (catch):
3135         * stress/big-int-bitwise-and-type-error.js: Added.
3136         (assert):
3137         (assertThrowTypeError):
3138         (let.o.valueOf):
3139         (o.valueOf):
3140         (o.toString):
3141         (o.Symbol.toPrimitive):
3142         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3143         (assert.sameValue):
3144         (testBitAnd):
3145         (let.o.Symbol.toPrimitive):
3146         (o.valueOf):
3147         (o.toString):
3148
3149 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3150
3151         JSC test stress/jsc-read.js doesn't support CRLF
3152         https://bugs.webkit.org/show_bug.cgi?id=190063
3153
3154         Reviewed by Yusuke Suzuki.
3155
3156         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3157
3158         * stress/jsc-read.js:
3159         (test):
3160
3161 2018-09-27  Saam barati  <sbarati@apple.com>
3162
3163         Verify the contents of AssemblerBuffer on arm64e
3164         https://bugs.webkit.org/show_bug.cgi?id=190057
3165         <rdar://problem/38916630>
3166
3167         Reviewed by Mark Lam.
3168
3169         * stress/regress-189132.js:
3170
3171 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3172
3173         Disable test without LLInt on ARMv7
3174         https://bugs.webkit.org/show_bug.cgi?id=190037
3175
3176         Reviewed by Mark Lam.
3177
3178         Test runs out of executable memory on ARMv7; do not run
3179         this test without LLInt enabled.
3180
3181         * stress/regress-169445.js:
3182
3183 2018-09-26  Keith Miller  <keith_miller@apple.com>
3184
3185         We should zero unused property storage when rebalancing array storage.
3186         https://bugs.webkit.org/show_bug.cgi?id=188151
3187
3188         Reviewed by Michael Saboff.
3189
3190         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3191
3192 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3193
3194         [JSC] Optimize Array#lastIndexOf
3195         https://bugs.webkit.org/show_bug.cgi?id=189780
3196
3197         Reviewed by Saam Barati.
3198
3199         * stress/array-lastindexof-array-prototype-trap.js: Added.
3200         (shouldBe):
3201         (AncestorArray.prototype.get 2):
3202         (AncestorArray):
3203         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3204         (shouldBe):
3205         * stress/array-lastindexof-hole-nan.js: Added.
3206         (shouldBe):
3207         (throw.new.Error):
3208         * stress/array-lastindexof-infinity.js: Added.
3209         (shouldBe):
3210         (throw.new.Error):
3211         * stress/array-lastindexof-negative-zero.js: Added.
3212         (shouldBe):
3213         (throw.new.Error):
3214         * stress/array-lastindexof-own-getter.js: Added.
3215         (shouldBe):
3216         (throw.new.Error.get array):
3217         (get array):
3218         * stress/array-lastindexof-prototype-trap.js: Added.
3219         (shouldBe):
3220         (DerivedArray.prototype.get 2):
3221         (DerivedArray):
3222
3223 2018-09-25  Saam Barati  <sbarati@apple.com>
3224
3225         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3226         https://bugs.webkit.org/show_bug.cgi?id=189940
3227         <rdar://problem/43640987>
3228
3229         Reviewed by Mark Lam.
3230
3231         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3232
3233 2018-09-24  Saam Barati  <sbarati@apple.com>
3234
3235         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3236         https://bugs.webkit.org/show_bug.cgi?id=189922
3237         <rdar://problem/44651275>
3238
3239         Reviewed by Mark Lam.
3240
3241         * stress/array-indexof-fast-path-effects.js: Added.
3242         * stress/array-indexof-cached-length.js: Added.
3243
3244 2018-09-24  Saam barati  <sbarati@apple.com>
3245
3246         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3247         https://bugs.webkit.org/show_bug.cgi?id=189682
3248         <rdar://problem/43557315>
3249
3250         Reviewed by Mark Lam.
3251
3252         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3253         (foo):
3254
3255 2018-09-22  Saam barati  <sbarati@apple.com>
3256
3257         The sampling should not use Strong<CodeBlock> in its machineLocation field
3258         https://bugs.webkit.org/show_bug.cgi?id=189319
3259
3260         Reviewed by Filip Pizlo.
3261
3262         * stress/sampling-profiler-richards.js: Added.
3263
3264 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3265
3266         [JSC] Optimize Array#indexOf in C++ runtime
3267         https://bugs.webkit.org/show_bug.cgi?id=189507
3268
3269         Reviewed by Saam Barati.
3270
3271         * stress/array-indexof-array-prototype-trap.js: Added.
3272         (shouldBe):
3273         (AncestorArray.prototype.get 2):
3274         (AncestorArray):
3275         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3276         (shouldBe):
3277         * stress/array-indexof-hole-nan.js: Added.
3278         (shouldBe):
3279         (throw.new.Error):
3280         * stress/array-indexof-infinity.js: Added.
3281         (shouldBe):
3282         (throw.new.Error):
3283         * stress/array-indexof-negative-zero.js: Added.
3284         (shouldBe):
3285         (throw.new.Error):
3286         * stress/array-indexof-own-getter.js: Added.
3287         (shouldBe):
3288         (throw.new.Error.get array):
3289         (get array):
3290         * stress/array-indexof-prototype-trap.js: Added.
3291         (shouldBe):
3292         (DerivedArray.prototype.get 2):
3293         (DerivedArray):
3294
3295 2018-09-19  Saam barati  <sbarati@apple.com>
3296
3297         AI rule for MultiPutByOffset executes its effects in the wrong order
3298         https://bugs.webkit.org/show_bug.cgi?id=189757
3299         <rdar://problem/43535257>
3300
3301         Reviewed by Michael Saboff.
3302
3303         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3304         (foo):
3305         (Foo):
3306         (g):
3307
3308 2018-09-17  Mark Lam  <mark.lam@apple.com>
3309
3310         Ensure that ForInContexts are invalidated if their loop local is over-written.
3311         https://bugs.webkit.org/show_bug.cgi?id=189571
3312         <rdar://problem/44402277>
3313
3314         Reviewed by Saam Barati.
3315
3316         * stress/regress-189571.js: Added.
3317
3318 2018-09-17  Saam barati  <sbarati@apple.com>
3319
3320         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3321         https://bugs.webkit.org/show_bug.cgi?id=189676
3322         <rdar://problem/39682897>
3323
3324         Reviewed by Michael Saboff.
3325
3326         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3327         (A):
3328         (K):
3329         (i.catch):
3330
3331 2018-09-14  Saam barati  <sbarati@apple.com>
3332
3333         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3334         https://bugs.webkit.org/show_bug.cgi?id=189628
3335         <rdar://problem/39481690>
3336
3337         Reviewed by Mark Lam.
3338
3339         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3340         (foo):
3341
3342 2018-09-11  Mark Lam  <mark.lam@apple.com>
3343
3344         Test for array initialization in arrayProtoFuncSplice.
3345         https://bugs.webkit.org/show_bug.cgi?id=170253
3346         <rdar://problem/31328773>
3347
3348         Rubber-stamped by Saam Barati.
3349
3350         * stress/regress-170253.js: Added.
3351
3352 2018-09-11  Mark Lam  <mark.lam@apple.com>
3353
3354         Test for IntlObject initialization.
3355         https://bugs.webkit.org/show_bug.cgi?id=170251
3356         <rdar://problem/31328419>
3357
3358         Rubber-stamped by Saam Barati.
3359
3360         * stress/regress-170251.js: Added.
3361
3362 2018-09-11  Mark Lam  <mark.lam@apple.com>
3363
3364         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3365         https://bugs.webkit.org/show_bug.cgi?id=169889
3366         <rdar://problem/31155607>
3367
3368         Reviewed by Saam Barati.
3369
3370         * stress/regress-169889-array-concat.js: Added.
3371         * stress/regress-169889-array-concat1.js: Added.
3372         * stress/regress-169889-array-slice.js: Added.
3373
3374 2018-09-11  Mark Lam  <mark.lam@apple.com>
3375
3376         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3377         https://bugs.webkit.org/show_bug.cgi?id=169445
3378         <rdar://problem/30957435>
3379
3380         Reviewed by Saam Barati.
3381
3382         * stress/regress-169445.js: Added.
3383         (let.gun.eval.A):
3384         (let.gun.eval.B.C):
3385         (let.gun.eval.B.C.prototype.trigger):
3386         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3387         (let.gun.eval.B):
3388         (let.gun.eval):
3389
3390 == Rolled over to ChangeLog-2018-09-11 ==