[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
4         https://bugs.webkit.org/show_bug.cgi?id=195791
5         <rdar://problem/48806130>
6
7         Reviewed by Mark Lam.
8
9         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
10         (foo):
11
12 2019-03-14  Saam barati  <sbarati@apple.com>
13
14         We can't remove code after ForceOSRExit until after FixupPhase
15         https://bugs.webkit.org/show_bug.cgi?id=186916
16         <rdar://problem/41396612>
17
18         Reviewed by Yusuke Suzuki.
19
20         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
21         (foo):
22         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
23         (foo):
24
25 2019-03-13  Michael Saboff  <msaboff@apple.com>
26
27         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
28         https://bugs.webkit.org/show_bug.cgi?id=195735
29
30         Reviewed by Mark Lam.
31
32         New regression test.
33
34         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
35         (foo):
36         (bar):
37
38 2019-03-14  Saam barati  <sbarati@apple.com>
39
40         Fixup uses KnownInt32 incorrectly in some nodes
41         https://bugs.webkit.org/show_bug.cgi?id=195279
42         <rdar://problem/47915654>
43
44         Reviewed by Yusuke Suzuki.
45
46         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
47         (foo):
48
49 2019-03-14  Keith Miller  <keith_miller@apple.com>
50
51         DFG liveness can't skip tail caller inline frames
52         https://bugs.webkit.org/show_bug.cgi?id=195715
53
54         Reviewed by Saam Barati.
55
56         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
57         (i.foo):
58
59 2019-03-13  Mark Lam  <mark.lam@apple.com>
60
61         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
62         https://bugs.webkit.org/show_bug.cgi?id=195415
63
64         Not reviewed.
65
66         Changed these tests to only run the default configuration.
67         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
68         There's no strong need to run this test on that variant.
69
70         * stress/dfg-to-string-on-int-does-gc.js:
71         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
72
73 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
74
75         String overflow when using StringBuilder in JSC::createError
76         https://bugs.webkit.org/show_bug.cgi?id=194957
77
78         Reviewed by Mark Lam.
79
80         Add test string-overflow-createError-builder.js that overflows
81         StringBuilder in notAFunctionSourceAppender. The second new test
82         string-overflow-createError-fit.js has an error message that doesn't
83         overflow, it still failed since the String's capacity can't be doubled.
84         Run test string-overflow-createError.js only in the default
85         configuration to reduce memory consumption when running the test
86         in all configurations on multiple CPUs in parallel.
87
88         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
89         (catch):
90         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
91         (catch):
92         * stress/string-overflow-createError.js:
93
94 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
95
96         [JSC] OSR entry should respect abstract values in addition to flush formats
97         https://bugs.webkit.org/show_bug.cgi?id=195653
98
99         Reviewed by Mark Lam.
100
101         * stress/osr-entry-locals-none.js: Added.
102
103 2019-03-12  Michael Saboff  <msaboff@apple.com>
104
105         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
106         https://bugs.webkit.org/show_bug.cgi?id=195613
107
108         Reviewed by Mark Lam.
109
110         New regression test.
111
112         * stress/regexp-backref-inbounds.js: Added.
113         (testRegExp):
114
115 2019-03-12  Mark Lam  <mark.lam@apple.com>
116
117         The HasIndexedProperty node does GC.
118         https://bugs.webkit.org/show_bug.cgi?id=195559
119         <rdar://problem/48767923>
120
121         Reviewed by Yusuke Suzuki.
122
123         * stress/HasIndexedProperty-does-gc.js: Added.
124
125 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
126
127         [ESNext][BigInt] Implement "~" unary operation
128         https://bugs.webkit.org/show_bug.cgi?id=182216
129
130         Reviewed by Keith Miller.
131
132         * stress/big-int-bit-not-general.js: Added.
133         * stress/big-int-bitwise-not-jit.js: Added.
134         * stress/big-int-bitwise-not-wrapped-value.js: Added.
135         * stress/bit-op-with-object-returning-int32.js:
136         * stress/bitwise-not-fixup-rules.js: Added.
137         * stress/value-bit-not-ai-rule.js: Added.
138
139 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
140
141         Invalid flags in a RegExp literal should be an early SyntaxError
142         https://bugs.webkit.org/show_bug.cgi?id=195514
143
144         Reviewed by Darin Adler.
145
146         * test262/expectations.yaml:
147         Mark 4 test cases as passing.
148
149         * stress/regexp-syntax-error-invalid-flags.js:
150         * stress/regress-161995.js: Removed.
151         Update existing test, merging in an older test for the same behavior.
152
153 2019-03-08  Mark Lam  <mark.lam@apple.com>
154
155         Stack overflow crash in JSC::JSObject::hasInstance.
156         https://bugs.webkit.org/show_bug.cgi?id=195458
157         <rdar://problem/48710195>
158
159         Reviewed by Yusuke Suzuki.
160
161         * stress/stack-overflow-in-custom-hasInstance.js: Added.
162
163 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
164
165         op_check_tdz does not def its argument
166         https://bugs.webkit.org/show_bug.cgi?id=192880
167         <rdar://problem/46221598>
168
169         Reviewed by Saam Barati.
170
171         * microbenchmarks/let-for-in.js: Added.
172         (foo):
173
174 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
175
176         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
177         https://bugs.webkit.org/show_bug.cgi?id=195429
178
179         Reviewed by Saam Barati.
180
181         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
182         (foo):
183         * stress/string-from-char-code-255.js: Added.
184
185 2019-03-06  Mark Lam  <mark.lam@apple.com>
186
187         Fix incorrect handling of try-finally completion values.
188         https://bugs.webkit.org/show_bug.cgi?id=195131
189         <rdar://problem/46222079>
190
191         Reviewed by Saam Barati and Yusuke Suzuki.
192
193         Added many permutations of new test case to test-finally.js.  test-finally.js has
194         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
195         tests pass there as well.
196
197         * stress/test-finally.js:
198
199 2019-03-06  Saam Barati  <sbarati@apple.com>
200
201         Air::reportUsedRegisters must padInterference
202         https://bugs.webkit.org/show_bug.cgi?id=195303
203         <rdar://problem/48270343>
204
205         Reviewed by Keith Miller.
206
207         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
208
209 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
210
211         [JSC] AI should not propagate AbstractValue relying on constant folding phase
212         https://bugs.webkit.org/show_bug.cgi?id=195375
213
214         Reviewed by Saam Barati.
215
216         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
217         (let.array):
218
219 2019-03-05  Saam barati  <sbarati@apple.com>
220
221         op_switch_char broken for rope strings after JSRopeString layout rewrite
222         https://bugs.webkit.org/show_bug.cgi?id=195339
223         <rdar://problem/48592545>
224
225         Reviewed by Yusuke Suzuki.
226
227         * stress/switch-on-char-llint-rope.js: Added.
228
229 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
230
231         [JSC] Store bits for JSRopeString in 3 stores
232         https://bugs.webkit.org/show_bug.cgi?id=195234
233
234         Reviewed by Saam Barati.
235
236         * stress/null-rope-and-collectors.js: Added.
237
238 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
239
240         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
241         https://bugs.webkit.org/show_bug.cgi?id=195207
242
243         Unreviewed. After test runtime was reduced in r242213, test can be
244         run again on ARM/MIPS.
245
246         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
247
248 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
249
250         [JSC] sizeof(JSString) should be 16
251         https://bugs.webkit.org/show_bug.cgi?id=194375
252
253         Reviewed by Saam Barati.
254
255         * microbenchmarks/make-rope.js: Added.
256         (makeRope):
257         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
258         (returnRope.helper): Deleted.
259         (returnRope): Deleted.
260
261 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
262
263         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
264         https://bugs.webkit.org/show_bug.cgi?id=195144
265
266         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
267         Change the number from 1e8 to 1e5.
268
269         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
270         (foo):
271
272 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
273
274         Test times out on ARM/MIPS
275         https://bugs.webkit.org/show_bug.cgi?id=195168
276
277         Unreviewed. Skip test on ARM/MIPS.
278
279         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
280
281 2019-02-27  Mark Lam  <mark.lam@apple.com>
282
283         The parser is failing to record the token location of new in new.target.
284         https://bugs.webkit.org/show_bug.cgi?id=195127
285         <rdar://problem/39645578>
286
287         Reviewed by Yusuke Suzuki.
288
289         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
290
291 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
292
293         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
294         https://bugs.webkit.org/show_bug.cgi?id=195144
295         <rdar://problem/47595961>
296
297         Reviewed by Mark Lam.
298
299         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
300         (bar):
301         (foo):
302         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
303         (bar):
304         (foo):
305
306 2019-02-27  Robin Morisset  <rmorisset@apple.com>
307
308         DFG: Loop-invariant code motion (LICM) should not hoist dead code
309         https://bugs.webkit.org/show_bug.cgi?id=194945
310         <rdar://problem/48311657>
311
312         Reviewed by Mark Lam.
313
314         * stress/licm-dead-code.js: Added.
315
316 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
317
318         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
319         https://bugs.webkit.org/show_bug.cgi?id=194677
320         <rdar://problem/48112492>
321
322         Reviewed by Mark Lam.
323
324         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
325         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
326         it immediately fails due to the large size.
327
328         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
329         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
330         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
331         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
332
333         This patch changes the test to produce 16bit string from String.fromCharCode.
334
335         * stress/regress-178386.js:
336
337 2019-02-26  Mark Lam  <mark.lam@apple.com>
338
339         wasmToJS() should purify incoming NaNs.
340         https://bugs.webkit.org/show_bug.cgi?id=194807
341         <rdar://problem/48189132>
342
343         Reviewed by Saam Barati.
344
345         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
346
347 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
348
349         [JSC] Repeat string created from Array.prototype.join() take too much memory
350         https://bugs.webkit.org/show_bug.cgi?id=193912
351
352         Reviewed by Saam Barati.
353
354         Added a test and a microbenchmark for corner cases of
355         Array.prototype.join() with an uninitialized array.
356
357         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
358         * stress/array-prototype-join-uninitialized.js: Added.
359         (testArray):
360         (testABC):
361         (B):
362         (C):
363
364 2019-02-22  Robin Morisset  <rmorisset@apple.com>
365
366         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
367         https://bugs.webkit.org/show_bug.cgi?id=194953
368         <rdar://problem/47595253>
369
370         Reviewed by Saam Barati.
371
372         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
373
374         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
375
376 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
377
378         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
379         https://bugs.webkit.org/show_bug.cgi?id=172848
380         <rdar://problem/25709212>
381
382         Reviewed by Mark Lam.
383
384         * typeProfiler/inheritance.js:
385         Rewrite the test slightly for clarity. The hoisting was confusing.
386
387         * heapProfiler/class-names.js: Added.
388         (MyES5Class):
389         (MyES6Class):
390         (MyES6Subclass):
391         Test object types and improved class names.
392
393         * heapProfiler/driver/driver.js:
394         (CheapHeapSnapshotNode):
395         (CheapHeapSnapshot):
396         (createCheapHeapSnapshot):
397         (HeapSnapshot):
398         (createHeapSnapshot):
399         Update snapshot parsing from version 1 to version 2.
400
401 2019-02-19  Truitt Savell  <tsavell@apple.com>
402
403         Unreviewed, rolling out r241784.
404
405         Broke all OpenSource builds.
406
407         Reverted changeset:
408
409         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
410         instances view"
411         https://bugs.webkit.org/show_bug.cgi?id=172848
412         https://trac.webkit.org/changeset/241784
413
414 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
415
416         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
417         https://bugs.webkit.org/show_bug.cgi?id=172848
418         <rdar://problem/25709212>
419
420         Reviewed by Mark Lam.
421
422         * typeProfiler/inheritance.js:
423         Rewrite the test slightly for clarity. The hoisting was confusing.
424
425         * heapProfiler/class-names.js: Added.
426         (MyES5Class):
427         (MyES6Class):
428         (MyES6Subclass):
429         Test object types and improved class names.
430
431         * heapProfiler/driver/driver.js:
432         (CheapHeapSnapshotNode):
433         (CheapHeapSnapshot):
434         (createCheapHeapSnapshot):
435         (HeapSnapshot):
436         (createHeapSnapshot):
437         Update snapshot parsing from version 1 to version 2.
438
439 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
440
441         [ARM] Fix crash with sampling profiler
442         https://bugs.webkit.org/show_bug.cgi?id=194772
443
444         Reviewed by Mark Lam.
445
446         Do not skip test since crash with sampling profiler is now fixed.
447
448         * stress/sampling-profiler-richards.js:
449
450 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
451
452         [JSC] Add LazyClassStructure::getInitializedOnMainThread
453         https://bugs.webkit.org/show_bug.cgi?id=194784
454         <rdar://problem/48154820>
455
456         Reviewed by Mark Lam.
457
458         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
459         (getProperties):
460         (getRandomProperty):
461         (i.catch):
462
463 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
464
465         [ARM] Test gardening: Test running out of executable memory
466         https://bugs.webkit.org/show_bug.cgi?id=194771
467
468         Unreviewed. Do not run test without LLInt, test is running out of executable
469         memory on ARM otherwise.
470
471         * stress/tagged-template-object-collect.js:
472
473 2019-02-18  Tomas Popela  <tpopela@redhat.com>
474
475         Unreviewed, skip the test on platforms without sampling profiler
476
477         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
478         (platformSupportsSamplingProfiler.foo):
479         (platformSupportsSamplingProfiler.test):
480         (platformSupportsSamplingProfiler):
481         (foo): Deleted.
482         (test): Deleted.
483
484 2019-02-17  Saam Barati  <sbarati@apple.com>
485
486         Deadlock when adding a Structure property transition and then doing incremental marking
487         https://bugs.webkit.org/show_bug.cgi?id=194767
488
489         Reviewed by Mark Lam.
490
491         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
492
493 2019-02-15  Michael Saboff  <msaboff@apple.com>
494
495         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
496         https://bugs.webkit.org/show_bug.cgi?id=194558
497
498         Reviewed by Saam Barati.
499
500         New regression test.
501
502         * stress/regexp-unicode-within-string.js: Added.
503
504 2019-02-15  Mark Lam  <mark.lam@apple.com>
505
506         SamplingProfiler::stackTracesAsJSON() should escape strings.
507         https://bugs.webkit.org/show_bug.cgi?id=194649
508         <rdar://problem/48072386>
509
510         Reviewed by Saam Barati.
511
512         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
513         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
514         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
515         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
516
517 2019-02-15  Robin Morisset  <rmorisset@apple.com>
518         CodeBlock::jettison should clear related watchpoints
519         https://bugs.webkit.org/show_bug.cgi?id=194544
520
521         Reviewed by Mark Lam.
522
523         * stress/regexp-replace-double-watchpoint.js: Added.
524         (foo):
525
526 2019-02-15  Saam barati  <sbarati@apple.com>
527
528         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
529         https://bugs.webkit.org/show_bug.cgi?id=194036
530
531         Reviewed by Yusuke Suzuki.
532
533         * stress/tail-call-many-arguments.js: Added.
534         (foo):
535         (bar):
536
537 2019-02-14  Saam Barati  <sbarati@apple.com>
538
539         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
540         https://bugs.webkit.org/show_bug.cgi?id=194583
541         <rdar://problem/48028140>
542
543         Reviewed by Yusuke Suzuki.
544
545         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
546
547 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
548
549         [JSC] String.fromCharCode's slow path always generates 16bit string
550         https://bugs.webkit.org/show_bug.cgi?id=194466
551
552         Reviewed by Keith Miller.
553
554         * stress/string-from-char-code-slow-path.js: Added.
555         (shouldBe):
556         (testWithLength):
557
558 2019-02-08  Saam barati  <sbarati@apple.com>
559
560         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
561         https://bugs.webkit.org/show_bug.cgi?id=194334
562         <rdar://problem/47844327>
563
564         Reviewed by Mark Lam.
565
566         * stress/check-in-bounds-should-be-a-child-use.js: Added.
567         (func):
568
569 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
570
571         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
572         https://bugs.webkit.org/show_bug.cgi?id=194369
573         <rdar://problem/47813087>
574
575         Reviewed by Saam Barati.
576
577         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
578         (A):
579
580 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
581
582         [JSC] PrivateName to PublicName hash table is wasteful
583         https://bugs.webkit.org/show_bug.cgi?id=194277
584
585         Reviewed by Michael Saboff.
586
587         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
588
589         * ChakraCore.yaml:
590
591 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
592
593         [ARM] Test running out of executable memory
594         https://bugs.webkit.org/show_bug.cgi?id=194285
595
596         Unreviewed. Do not execute test with LLInt disabled, test runs out of
597         executable memory otherwise.
598
599         * stress/class-subclassing-function.js:
600
601 2019-02-04  Robin Morisset  <rmorisset@apple.com>
602
603         when lowering AssertNotEmpty, create the value before creating the patchpoint
604         https://bugs.webkit.org/show_bug.cgi?id=194231
605
606         Reviewed by Saam Barati.
607
608         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
609         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
610         So even tiny changes to this test can change the code path taken.
611
612         * stress/assert-not-empty.js: Added.
613         (foo):
614
615 2019-02-01  Mark Lam  <mark.lam@apple.com>
616
617         Remove invalid assertion in DFG's compileDoubleRep().
618         https://bugs.webkit.org/show_bug.cgi?id=194130
619         <rdar://problem/47699474>
620
621         Reviewed by Saam Barati.
622
623         * stress/constant-fold-double-rep-into-double-constant.js: Added.
624
625 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
626
627         Import latest Test262 updates.
628
629         Rubber-stamped by Keith Miller.
630
631         * test262.yaml: Deleted.
632         * test262/config.yaml:
633         * test262/expectations.yaml:
634         * test262/latest-changes-summary.txt:
635         * test262/test/:
636         * test262/test262-Revision.txt:
637
638 2019-01-30  Robin Morisset  <rmorisset@apple.com>
639
640         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
641         https://bugs.webkit.org/show_bug.cgi?id=194050
642         <rdar://problem/47595592>
643
644         Reviewed by Yusuke Suzuki.
645
646         * stress/object-keys-osr-exit.js: Added.
647         (foo):
648         (catch):
649
650 2019-01-29  Mark Lam  <mark.lam@apple.com>
651
652         ValueRecovery::recover() should purify NaN values it recovers.
653         https://bugs.webkit.org/show_bug.cgi?id=193978
654         <rdar://problem/47625488>
655
656         Reviewed by Saam Barati.
657
658         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
659
660 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
661
662         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
663         https://bugs.webkit.org/show_bug.cgi?id=193713
664
665         * stress/try-get-by-id-should-spill-registers-dfg.js:
666         (let.f.createBuiltin):
667
668 2019-01-28  Mark Lam  <mark.lam@apple.com>
669
670         ToString node actually does GC.
671         https://bugs.webkit.org/show_bug.cgi?id=193920
672         <rdar://problem/46695900>
673
674         Reviewed by Yusuke Suzuki.
675
676         * stress/dfg-to-string-on-int-does-gc.js: Added.
677         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
678         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
679
680 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
681
682         [JSC] NativeErrorConstructor should not have own IsoSubspace
683         https://bugs.webkit.org/show_bug.cgi?id=193713
684
685         Reviewed by Saam Barati.
686
687         Remove @Error use.
688
689         * stress/try-get-by-id-should-spill-registers-dfg.js:
690         (let.f.createBuiltin):
691
692 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
693
694         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
695         https://bugs.webkit.org/show_bug.cgi?id=190693
696
697         Reviewed by Michael Saboff.
698
699         * stress/regress-190693.js: Added.
700         (truth):
701         (assert):
702         (shouldThrowInvalidConstAssignment):
703         (taz):
704
705 2019-01-24  Saam Barati  <sbarati@apple.com>
706
707         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
708         https://bugs.webkit.org/show_bug.cgi?id=193751
709         <rdar://problem/47280215>
710
711         Reviewed by Michael Saboff.
712
713         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
714         (let.thing):
715         (foo.let.hello):
716         (foo):
717
718 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
719
720         [JSC] Reenable baseline JIT on mips
721         https://bugs.webkit.org/show_bug.cgi?id=192983
722
723         Reviewed by Mark Lam.
724
725         Added a new test for a case that was triggering a RELEASE_ASSERT when
726         testing.
727         Disable some slow tests that were already disabled for arm and x86.
728
729         * stress/json-parse-big-object.js: Added.
730         * stress/new-largeish-contiguous-array-with-size.js:
731         * stress/op_add.js:
732         * stress/op_bitand.js:
733         * stress/op_bitor.js:
734         * stress/op_bitxor.js:
735         * stress/op_lshift-ConstVar.js:
736         * stress/op_lshift-VarConst.js:
737         * stress/op_lshift-VarVar.js:
738         * stress/op_mod-ConstVar.js:
739         * stress/op_mod-VarConst.js:
740         * stress/op_mod-VarVar.js:
741         * stress/op_mul-ConstVar.js:
742         * stress/op_mul-VarConst.js:
743         * stress/op_mul-VarVar.js:
744         * stress/op_rshift-ConstVar.js:
745         * stress/op_rshift-VarConst.js:
746         * stress/op_rshift-VarVar.js:
747         * stress/op_sub-ConstVar.js:
748         * stress/op_sub-VarConst.js:
749         * stress/op_sub-VarVar.js:
750         * stress/op_urshift-ConstVar.js:
751         * stress/op_urshift-VarConst.js:
752         * stress/op_urshift-VarVar.js:
753         * stress/sampling-profiler-richards.js:
754         * stress/spread-forward-call-varargs-stack-overflow.js:
755
756 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
757
758         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
759         https://bugs.webkit.org/show_bug.cgi?id=193711
760         <rdar://problem/47250262>
761
762         Reviewed by Saam Barati.
763
764         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
765         (shouldBe):
766         (foo):
767         (bar):
768         (baz):
769
770 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
771
772         Unreviewed, fix initial global lexical binding epoch
773         https://bugs.webkit.org/show_bug.cgi?id=193603
774         <rdar://problem/47380869>
775
776         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
777         (f1.f2.f3.f4):
778         (f1.f2.f3):
779         (f1.f2):
780         (f1):
781
782 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
783
784         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
785         https://bugs.webkit.org/show_bug.cgi?id=193709
786         <rdar://problem/47363838>
787
788         Unreviewed, rollout to watch the tests.
789
790         * stress/object-tostring-changed-proto.js: Removed.
791         * stress/object-tostring-changed.js: Removed.
792         * stress/object-tostring-misc.js: Removed.
793         * stress/object-tostring-other.js: Removed.
794         * stress/object-tostring-untyped.js: Removed.
795
796 2019-01-22  Saam Barati  <sbarati@apple.com>
797
798         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
799
800         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
801         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
802         (testUncheckedLessThanZero):
803         (testUncheckedLessThanOrEqualZero):
804         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
805         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
806
807 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
808
809         [JSC] Invalidate old scope operations using global lexical binding epoch
810         https://bugs.webkit.org/show_bug.cgi?id=193603
811         <rdar://problem/47380869>
812
813         Reviewed by Saam Barati.
814
815         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
816         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
817         (shouldThrow):
818         (bar):
819         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
820         (shouldBe):
821         (get1):
822         (get2):
823         (get1If):
824         (get2If):
825         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
826         (shouldThrow):
827         (foo):
828
829 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
830
831         Unreviewed, roll out r240220 due to date-format-xparb regression
832         https://bugs.webkit.org/show_bug.cgi?id=193603
833
834         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
835         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
836         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
837         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
838
839 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
840
841         DoesGC rule is wrong for nodes with BigIntUse
842         https://bugs.webkit.org/show_bug.cgi?id=193652
843
844         Reviewed by Saam Barati.
845
846         * stress/big-int-value-op-update-gc-rules.js: Added.
847         (assert):
848         (doesGCAdd):
849         (doesGCSub):
850         (doesGCDiv):
851         (doesGCMul):
852         (doesGCBitAnd):
853         (doesGCBitOr):
854         (doesGCBitXor):
855
856 2019-01-20  Saam Barati  <sbarati@apple.com>
857
858         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
859         https://bugs.webkit.org/show_bug.cgi?id=193644
860         <rdar://problem/46209745>
861
862         Reviewed by Yusuke Suzuki.
863
864         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
865         (foo):
866         * stress/data-view-set-intrinsic-undefined-result.js: Added.
867         (foo):
868         (bar):
869
870 2019-01-20  Saam Barati  <sbarati@apple.com>
871
872         MovHint must merge NodeBytecodeUsesAsValue for its child
873         https://bugs.webkit.org/show_bug.cgi?id=186916
874         <rdar://problem/41396612>
875
876         Reviewed by Yusuke Suzuki.
877
878         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
879         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
880
881 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
882
883         [JSC] Invalidate old scope operations using global lexical binding epoch
884         https://bugs.webkit.org/show_bug.cgi?id=193603
885         <rdar://problem/47380869>
886
887         Reviewed by Saam Barati.
888
889         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
890         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
891         (shouldThrow):
892         (bar):
893         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
894         (shouldBe):
895         (get1):
896         (get2):
897         (get1If):
898         (get2If):
899         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
900         (shouldThrow):
901         (foo):
902
903 2019-01-17  Saam barati  <sbarati@apple.com>
904
905         StringObjectUse should not be a structure check for the original string object structure
906         https://bugs.webkit.org/show_bug.cgi?id=193483
907         <rdar://problem/47280522>
908
909         Reviewed by Yusuke Suzuki.
910
911         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
912         (foo):
913         (a.valueOf.0):
914
915 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
916
917         [JSC] ToThis omission in DFGByteCodeParser is wrong
918         https://bugs.webkit.org/show_bug.cgi?id=193513
919         <rdar://problem/45842236>
920
921         Reviewed by Saam Barati.
922
923         * stress/to-this-omission-with-different-strict-modes.js: Added.
924         (thisA):
925         (thisAStrictWrapper):
926
927 2019-01-15  Mark Lam  <mark.lam@apple.com>
928
929         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
930         https://bugs.webkit.org/show_bug.cgi?id=193423
931         <rdar://problem/46209355>
932
933         Reviewed by Saam Barati.
934
935         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
936         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
937         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
938         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
939
940 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
941
942         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
943         https://bugs.webkit.org/show_bug.cgi?id=193438
944         <rdar://problem/45581249>
945
946         Reviewed by Saam Barati and Keith Miller.
947
948         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
949         Then, GetByVal(String) crashed.
950
951         * stress/string-get-by-val-lowering.js: Added.
952         (shouldBe):
953         (test):
954         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
955         (Hello):
956         (foo):
957
958 2019-01-15  Tomas Popela  <tpopela@redhat.com>
959
960         Unreviewed, skip JIT tests if it's not enabled
961
962         * stress/bit-op-with-object-returning-int32.js:
963
964 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
965
966         DFGByteCodeParser rules for bitwise operations should consider type of their operands
967         https://bugs.webkit.org/show_bug.cgi?id=192966
968
969         Reviewed by Yusuke Suzuki.
970
971         * stress/bit-op-with-object-returning-int32.js: Added.
972
973 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
974
975         Skip a slow test and a flakey test on arm
976
977         Unreviewed gardening.
978
979         * typeProfiler/getter-richards.js:
980         this test always times out, it used to be always skipped on arm and
981         mips, but got accidentally enabled by r237919 now that we have DFG on
982         arm. Also skipping on mips as we plan to soon enable DFG for it too.
983
984 2019-01-14  Keith Miller  <keith_miller@apple.com>
985
986         Skip type-check-hoisting-phase-hoist... with no jit
987         https://bugs.webkit.org/show_bug.cgi?id=193421
988
989         Reviewed by Mark Lam.
990
991         It's timing out the 32-bit bots and takes 330 seconds
992         on my machine when run by itself.
993
994         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
995
996 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
997
998         [JSC] AI should check the given constant's array type when folding GetByVal into constant
999         https://bugs.webkit.org/show_bug.cgi?id=193413
1000         <rdar://problem/46092389>
1001
1002         Reviewed by Keith Miller.
1003
1004         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1005         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1006         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1007         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1008
1009         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1010         (compareArray):
1011
1012 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1013
1014         [BigInt] Literal parsing is crashing when used inside a Object Literal
1015         https://bugs.webkit.org/show_bug.cgi?id=193404
1016
1017         Reviewed by Yusuke Suzuki.
1018
1019         * stress/big-int-literal-inside-literal-object.js: Added.
1020
1021 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1022
1023         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1024         https://bugs.webkit.org/show_bug.cgi?id=193372
1025
1026         Reviewed by Saam Barati.
1027
1028         * stress/typed-array-array-modes-profile.js: Added.
1029         (foo):
1030
1031 2019-01-14  Mark Lam  <mark.lam@apple.com>
1032
1033         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1034         https://bugs.webkit.org/show_bug.cgi?id=193402
1035         <rdar://problem/46012309>
1036
1037         Reviewed by Keith Miller.
1038
1039         * stress/regexp-compile-oom.js:
1040         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1041           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1042
1043 2019-01-11  Saam barati  <sbarati@apple.com>
1044
1045         DFG combined liveness can be wrong for terminal basic blocks
1046         https://bugs.webkit.org/show_bug.cgi?id=193304
1047         <rdar://problem/45268632>
1048
1049         Reviewed by Yusuke Suzuki.
1050
1051         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1052
1053 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1054
1055         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1056         https://bugs.webkit.org/show_bug.cgi?id=193308
1057         <rdar://problem/45546542>
1058
1059         Reviewed by Saam Barati.
1060
1061         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1062         (shouldThrow):
1063         (shouldBe):
1064         (foo):
1065         (get shouldThrow):
1066         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1067         (shouldThrow):
1068         (shouldBe):
1069         (foo):
1070         (get shouldBe):
1071         (get shouldThrow):
1072         (get return):
1073         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1074         (shouldThrow):
1075         (shouldBe):
1076         (foo):
1077         (get shouldBe):
1078         (get shouldThrow):
1079         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1080         (shouldThrow):
1081         (shouldBe):
1082         (foo):
1083         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1084         (shouldThrow):
1085         (shouldBe):
1086         (foo):
1087         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1088         (shouldThrow):
1089         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1090         (shouldThrow):
1091         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1092         (shouldThrow):
1093         (shouldBe):
1094         (foo):
1095         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1096         (shouldThrow):
1097         (shouldBe):
1098         (foo):
1099         (get shouldBe):
1100         (get shouldThrow):
1101         (get return):
1102         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1103         (shouldThrow):
1104         (shouldBe):
1105         (foo):
1106         (get shouldBe):
1107         (get shouldThrow):
1108         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1109         (shouldThrow):
1110         (shouldBe):
1111         (foo):
1112         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1113         (shouldThrow):
1114         (shouldBe):
1115         (foo):
1116
1117 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1118
1119         Enable DFG on ARM/Linux again
1120         https://bugs.webkit.org/show_bug.cgi?id=192496
1121
1122         Reviewed by Yusuke Suzuki.
1123
1124         Test wasn't really skipped before moving the line with skip
1125         to the top.
1126
1127         * stress/regress-192717.js:
1128
1129 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1130
1131         Unreviewed, rolling out r239825.
1132         https://bugs.webkit.org/show_bug.cgi?id=193330
1133
1134         Broke tests on armv7/linux bots (Requested by guijemont on
1135         #webkit).
1136
1137         Reverted changeset:
1138
1139         "Enable DFG on ARM/Linux again"
1140         https://bugs.webkit.org/show_bug.cgi?id=192496
1141         https://trac.webkit.org/changeset/239825
1142
1143 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1144
1145         Enable DFG on ARM/Linux again
1146         https://bugs.webkit.org/show_bug.cgi?id=192496
1147
1148         Reviewed by Yusuke Suzuki.
1149
1150         Test wasn't really skipped before moving the line with skip
1151         to the top.
1152
1153         * stress/regress-192717.js:
1154
1155 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1156
1157         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1158         https://bugs.webkit.org/show_bug.cgi?id=193127
1159
1160         Reviewed by Saam Barati.
1161
1162         * stress/array-species-create-should-handle-masquerader.js: Added.
1163         (shouldThrow):
1164         * stress/is-undefined-or-null-builtin.js: Added.
1165         (shouldBe):
1166         (isUndefinedOrNull.vm.createBuiltin):
1167
1168 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1169
1170         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1171         https://bugs.webkit.org/show_bug.cgi?id=193221
1172
1173         Reviewed by Mark Lam.
1174
1175         * stress/put-by-id-flags.js: Added.
1176         (f):
1177         (g):
1178         (numberOfDFGCompiles):
1179
1180 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1181
1182         Baseline version of get_by_id may corrupt metadata
1183         https://bugs.webkit.org/show_bug.cgi?id=193085
1184         <rdar://problem/23453006>
1185
1186         Reviewed by Saam Barati.
1187
1188         * stress/get-by-id-change-mode.js: Added.
1189         (forEach):
1190
1191 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1192
1193         [JSC] Optimize Object.prototype.toString
1194         https://bugs.webkit.org/show_bug.cgi?id=193031
1195
1196         Reviewed by Saam Barati.
1197
1198         * stress/object-tostring-changed-proto.js: Added.
1199         (shouldBe):
1200         (test):
1201         * stress/object-tostring-changed.js: Added.
1202         (shouldBe):
1203         (test):
1204         * stress/object-tostring-misc.js: Added.
1205         (shouldBe):
1206         (test):
1207         (i.switch):
1208         * stress/object-tostring-other.js: Added.
1209         (shouldBe):
1210         (test):
1211         * stress/object-tostring-untyped.js: Added.
1212         (shouldBe):
1213         (test):
1214         (i.switch):
1215
1216 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1217
1218         test262-runner misbehaves when test file YAML has a trailing space
1219         https://bugs.webkit.org/show_bug.cgi?id=193053
1220
1221         Reviewed by Yusuke Suzuki.
1222
1223         * test262/expectations.yaml:
1224         Mark two dozen tests as passing (and correct the output of another).
1225
1226 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1227
1228         Unreviewed, JSTests gardening with memoryLimited
1229
1230         * stress/string-overflow-createError.js:
1231
1232 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1233
1234         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1235         https://bugs.webkit.org/show_bug.cgi?id=193050
1236
1237         Reviewed by Yusuke Suzuki.
1238
1239         * test262.yaml:
1240         * test262/expectations.yaml:
1241         Mark 16 tests as passing.
1242
1243 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1244
1245         [BigInt] Support BigInt in JSON.stringify
1246         https://bugs.webkit.org/show_bug.cgi?id=192624
1247
1248         Reviewed by Saam Barati.
1249
1250         * stress/big-int-json-stringify-to-json.js: Added.
1251         (shouldBe):
1252         (shouldThrow):
1253         (BigInt.prototype.toJSON):
1254         (shouldBe.JSON.stringify):
1255         * stress/big-int-json-stringify.js: Added.
1256         (shouldBe):
1257         (shouldThrow):
1258
1259 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1260
1261         [JSC] Implement "well-formed JSON.stringify" proposal
1262         https://bugs.webkit.org/show_bug.cgi?id=191677
1263
1264         Reviewed by Darin Adler.
1265
1266         * stress/json-surrogate-pair.js: Added.
1267         (shouldBe):
1268         * test262/expectations.yaml:
1269
1270 2018-12-20  Keith Miller  <keith_miller@apple.com>
1271
1272         Add support for globalThis
1273         https://bugs.webkit.org/show_bug.cgi?id=165171
1274
1275         Reviewed by Mark Lam.
1276
1277         * test262/config.yaml:
1278
1279 2018-12-19  Keith Miller  <keith_miller@apple.com>
1280
1281         Update test262 configuration to not run tests dependent on ICU version.
1282         https://bugs.webkit.org/show_bug.cgi?id=192920
1283
1284         Reviewed by Saam Barati.
1285
1286         * test262/expectations.yaml:
1287
1288 2018-12-20  Mark Lam  <mark.lam@apple.com>
1289
1290         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1291         https://bugs.webkit.org/show_bug.cgi?id=192939
1292         <rdar://problem/46869516>
1293
1294         Reviewed by Keith Miller.
1295
1296         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1297
1298 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1299
1300         WTF::String and StringImpl overflow MaxLength
1301         https://bugs.webkit.org/show_bug.cgi?id=192853
1302         <rdar://problem/45726906>
1303
1304         Reviewed by Mark Lam.
1305
1306         * stress/string-16bit-repeat-overflow.js: Added.
1307         (catch):
1308
1309 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1310
1311         Unreviewed follow-up to r192914.
1312
1313         * test262/expectations.yaml:
1314         Add the last 20 missing expectations.
1315
1316 2018-12-19  Keith Miller  <keith_miller@apple.com>
1317
1318         Fix test262 expectations
1319         https://bugs.webkit.org/show_bug.cgi?id=192914
1320
1321         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1322
1323         * test262/expectations.yaml:
1324
1325 2018-12-19  Keith Miller  <keith_miller@apple.com>
1326
1327         Update test262 tests.
1328         https://bugs.webkit.org/show_bug.cgi?id=192907
1329
1330         Rubber stamped by Mark Lam.
1331
1332         * test262/*: Omitted because prepare-changelog crashes.
1333
1334 2018-12-19  Mark Lam  <mark.lam@apple.com>
1335
1336         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1337         https://bugs.webkit.org/show_bug.cgi?id=192464
1338         <rdar://problem/46519455>
1339
1340         Reviewed by Saam Barati.
1341
1342         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1343         microbenchmark.
1344
1345         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1346         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1347
1348 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1349
1350         String overflow in JSC::createError results in ASSERT in WTF::makeString
1351         https://bugs.webkit.org/show_bug.cgi?id=192833
1352         <rdar://problem/45706868>
1353
1354         Reviewed by Mark Lam.
1355
1356         * stress/string-overflow-createError.js: Added.
1357
1358 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1359
1360         Error message for `-x ** y` contains a typo.
1361         https://bugs.webkit.org/show_bug.cgi?id=192832
1362
1363         Reviewed by Saam Barati.
1364
1365         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1366         (assert.assert.return.throws):
1367         * stress/pow-expects-update-expression-on-lhs.js:
1368         (throw.new.Error):
1369         Update test expectations which match against the exact error message.
1370
1371 2018-12-18  Mark Lam  <mark.lam@apple.com>
1372
1373         Gardening: test options fix.
1374         https://bugs.webkit.org/show_bug.cgi?id=192822
1375
1376         Unreviewed.
1377
1378         * stress/json-stringify-string-builder-overflow.js:
1379
1380 2018-12-18  Mark Lam  <mark.lam@apple.com>
1381
1382         JSON.stringify() should throw OOM on StringBuilder overflows.
1383         https://bugs.webkit.org/show_bug.cgi?id=192822
1384         <rdar://problem/46670577>
1385
1386         Reviewed by Saam Barati.
1387
1388         * stress/json-stringify-string-builder-overflow.js: Added.
1389
1390 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1391
1392         Redeclaration of var over let/const/class should be a syntax error.
1393         https://bugs.webkit.org/show_bug.cgi?id=192298
1394
1395         Reviewed by Keith Miller.
1396
1397         * test262.yaml:
1398         * test262/expectations.yaml:
1399         Mark 46 tests as passing.
1400
1401         * stress/block-scope-redeclarations.js:
1402         Add some new tests.
1403
1404         * stress/for-in-invalidate-context-weird-assignments.js:
1405         * stress/for-in-tests.js:
1406         Replace tests for outdated behavior with tests for SyntaxError.
1407
1408         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1409         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1410         Update expectations.
1411
1412 2018-12-18  Mark Lam  <mark.lam@apple.com>
1413
1414         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1415         https://bugs.webkit.org/show_bug.cgi?id=191374
1416         <rdar://problem/46525447>
1417
1418         Reviewed by Yusuke Suzuki.
1419
1420         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1421
1422         * stress/elidable-new-object-roflcopter-then-exit.js:
1423
1424 2018-12-17  Mark Lam  <mark.lam@apple.com>
1425
1426         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1427         https://bugs.webkit.org/show_bug.cgi?id=192019
1428         <rdar://problem/46525456>
1429
1430         Reviewed by Yusuke Suzuki.
1431
1432         The test runs too slow on 32-bit.
1433
1434         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1435
1436 2018-12-17  Mark Lam  <mark.lam@apple.com>
1437
1438         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1439         https://bugs.webkit.org/show_bug.cgi?id=191373
1440         <rdar://problem/46525458>
1441
1442         Reviewed by Yusuke Suzuki.
1443
1444         The test is already slow running with a JIT on 64-bit.  It will always time out
1445         on 32-bit without a JIT.
1446
1447         * stress/materialize-regexp-cyclic-regexp.js:
1448
1449 2018-12-17  Mark Lam  <mark.lam@apple.com>
1450
1451         Array unshift/shift should not race against the AI in the compiler thread.
1452         https://bugs.webkit.org/show_bug.cgi?id=192795
1453         <rdar://problem/46724263>
1454
1455         Reviewed by Saam Barati.
1456
1457         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1458
1459 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1460
1461         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1462         https://bugs.webkit.org/show_bug.cgi?id=190047
1463
1464         Reviewed by Saam Barati.
1465
1466         * stress/object-keys-cached-zero.js: Added.
1467         (shouldBe):
1468         (test):
1469         * stress/object-keys-changed-attribute.js: Added.
1470         (shouldBe):
1471         (test):
1472         * stress/object-keys-changed-index.js: Added.
1473         (shouldBe):
1474         (test):
1475         * stress/object-keys-changed.js: Added.
1476         (shouldBe):
1477         (test):
1478         * stress/object-keys-indexed-non-cache.js: Added.
1479         (shouldBe):
1480         (test):
1481         * stress/object-keys-overrides-get-property-names.js: Added.
1482         (shouldBe):
1483         (test):
1484         (noInline):
1485
1486 2018-12-17  Mark Lam  <mark.lam@apple.com>
1487
1488         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1489         https://bugs.webkit.org/show_bug.cgi?id=192779
1490         <rdar://problem/46775869>
1491
1492         Reviewed by Saam Barati.
1493
1494         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1495
1496 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1497
1498         Unreviewed test gardening, address a syntax error in a new test.
1499
1500         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1501
1502 2018-12-17  Mark Lam  <mark.lam@apple.com>
1503
1504         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1505         https://bugs.webkit.org/show_bug.cgi?id=192776
1506         <rdar://problem/46772368>
1507
1508         Reviewed by Keith Miller.
1509
1510         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1511
1512 2018-12-17  Mark Lam  <mark.lam@apple.com>
1513
1514         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1515         https://bugs.webkit.org/show_bug.cgi?id=192770
1516         <rdar://problem/46449037>
1517
1518         Reviewed by Keith Miller.
1519
1520         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1521
1522 2018-12-14  Mark Lam  <mark.lam@apple.com>
1523
1524         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1525         https://bugs.webkit.org/show_bug.cgi?id=192717
1526         <rdar://problem/46660677>
1527
1528         Reviewed by Saam Barati.
1529
1530         * stress/regress-192717.js: Added.
1531
1532 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1533
1534         Unreviewed, rolling out r239153, r239154, and r239155.
1535         https://bugs.webkit.org/show_bug.cgi?id=192715
1536
1537         Caused flaky GC-related crashes seen with layout tests
1538         (Requested by ryanhaddad on #webkit).
1539
1540         Reverted changesets:
1541
1542         "[JSC] Optimize Object.keys by caching own keys results in
1543         StructureRareData"
1544         https://bugs.webkit.org/show_bug.cgi?id=190047
1545         https://trac.webkit.org/changeset/239153
1546
1547         "Unreviewed, build fix after r239153"
1548         https://bugs.webkit.org/show_bug.cgi?id=190047
1549         https://trac.webkit.org/changeset/239154
1550
1551         "Unreviewed, build fix after r239153, part 2"
1552         https://bugs.webkit.org/show_bug.cgi?id=190047
1553         https://trac.webkit.org/changeset/239155
1554
1555 2018-12-14  Keith Miller  <keith_miller@apple.com>
1556
1557         Callers of JSString::getIndex should check for OOM exceptions
1558         https://bugs.webkit.org/show_bug.cgi?id=192709
1559
1560         Reviewed by Mark Lam.
1561
1562         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1563
1564 2018-12-13  Mark Lam  <mark.lam@apple.com>
1565
1566         Add a missing exception check.
1567         https://bugs.webkit.org/show_bug.cgi?id=192626
1568         <rdar://problem/46662163>
1569
1570         Reviewed by Keith Miller.
1571
1572         * stress/regress-192626.js: Added.
1573
1574 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1575
1576         [BigInt] Add ValueDiv into DFG
1577         https://bugs.webkit.org/show_bug.cgi?id=186178
1578
1579         Reviewed by Yusuke Suzuki.
1580
1581         * stress/big-int-div-jit-osr.js: Added.
1582         * stress/big-int-div-jit-untyped.js: Added.
1583         * stress/value-div-fixup-int32-big-int.js: Added.
1584
1585 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1586
1587         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1588         https://bugs.webkit.org/show_bug.cgi?id=190047
1589
1590         Reviewed by Keith Miller.
1591
1592         * stress/object-keys-cached-zero.js: Added.
1593         (shouldBe):
1594         (test):
1595         * stress/object-keys-changed-attribute.js: Added.
1596         (shouldBe):
1597         (test):
1598         * stress/object-keys-changed-index.js: Added.
1599         (shouldBe):
1600         (test):
1601         * stress/object-keys-changed.js: Added.
1602         (shouldBe):
1603         (test):
1604         * stress/object-keys-indexed-non-cache.js: Added.
1605         (shouldBe):
1606         (test):
1607         * stress/object-keys-overrides-get-property-names.js: Added.
1608         (shouldBe):
1609         (test):
1610         (noInline):
1611
1612 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1613
1614         [DFG][FTL] Add NewSymbol
1615         https://bugs.webkit.org/show_bug.cgi?id=192620
1616
1617         Reviewed by Saam Barati.
1618
1619         * microbenchmarks/symbol-creation.js: Added.
1620         (test):
1621         * stress/symbol-description-identity.js: Added.
1622         (shouldBe):
1623         (test):
1624         * stress/symbol-identity.js: Added.
1625         (shouldBe):
1626         (test):
1627         * stress/symbol-with-description-throw-error.js: Added.
1628         (shouldBe):
1629         (shouldThrow):
1630         (test):
1631         (object.toString):
1632
1633 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1634
1635         [BigInt] Implement DFG/FTL typeof for BigInt
1636         https://bugs.webkit.org/show_bug.cgi?id=192619
1637
1638         Reviewed by Keith Miller.
1639
1640         * stress/big-int-boolean-proven-type.js: Added.
1641         (assert):
1642         (bool):
1643         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1644         (assert):
1645         (typeOf):
1646         (i.switch):
1647         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1648         (assert):
1649         (typeOf):
1650         * stress/big-int-type-of.js:
1651         (typeOf):
1652         (func):
1653
1654 2018-12-10  Mark Lam  <mark.lam@apple.com>
1655
1656         PropertyAttribute needs a CustomValue bit.
1657         https://bugs.webkit.org/show_bug.cgi?id=191993
1658         <rdar://problem/46264467>
1659
1660         Reviewed by Saam Barati.
1661
1662         * stress/regress-191993.js: Added.
1663
1664 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1665
1666         [BigInt] Add ValueMul into DFG
1667         https://bugs.webkit.org/show_bug.cgi?id=186175
1668
1669         Reviewed by Yusuke Suzuki.
1670
1671         * stress/big-int-mul-jit-osr.js: Added.
1672         * stress/big-int-mul-jit-untyped.js: Added.
1673         * stress/value-mul-fixup-int32-big-int.js: Added.
1674
1675 2018-12-06  Keith Miller  <keith_miller@apple.com>
1676
1677         stress/big-wasm-memory tests failing on 32-bit JSC bot
1678         https://bugs.webkit.org/show_bug.cgi?id=192020
1679
1680         Reviewed by Saam Barati.
1681
1682         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1683         the wasm stress tests if the WebAssembly object does not exist.
1684
1685         * stress/big-wasm-memory-grow-no-max.js:
1686         (test.foo):
1687         (test):
1688         (foo): Deleted.
1689         (catch): Deleted.
1690         * stress/big-wasm-memory-grow.js:
1691         (test.foo):
1692         (test):
1693         (foo): Deleted.
1694         (catch): Deleted.
1695         * stress/big-wasm-memory.js:
1696         (test.foo):
1697         (test):
1698         (foo): Deleted.
1699         (catch): Deleted.
1700
1701 2018-12-05  Mark Lam  <mark.lam@apple.com>
1702
1703         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1704         https://bugs.webkit.org/show_bug.cgi?id=192441
1705         <rdar://problem/46480355>
1706
1707         Reviewed by Saam Barati.
1708
1709         * stress/regress-192441.js: Added.
1710
1711 2018-12-04  Mark Lam  <mark.lam@apple.com>
1712
1713         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1714         https://bugs.webkit.org/show_bug.cgi?id=192386
1715         <rdar://problem/46445516>
1716
1717         Reviewed by Saam Barati.
1718
1719         * stress/regress-192386.js: Added.
1720
1721 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1722
1723         [ESNext][BigInt] Support logic operations
1724         https://bugs.webkit.org/show_bug.cgi?id=179903
1725
1726         Reviewed by Yusuke Suzuki.
1727
1728         * stress/big-int-branch-usage.js: Added.
1729         * stress/big-int-logical-and.js: Added.
1730         * stress/big-int-logical-not.js: Added.
1731         * stress/big-int-logical-or.js: Added.
1732
1733 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1734
1735         Unreviewed, rolling out r238833.
1736
1737         Breaks macOS and iOS debug builds.
1738
1739         Reverted changeset:
1740
1741         "[ESNext][BigInt] Support logic operations"
1742         https://bugs.webkit.org/show_bug.cgi?id=179903
1743         https://trac.webkit.org/changeset/238833
1744
1745 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1746
1747         [ESNext][BigInt] Support logic operations
1748         https://bugs.webkit.org/show_bug.cgi?id=179903
1749
1750         Reviewed by Yusuke Suzuki.
1751
1752         * stress/big-int-branch-usage.js: Added.
1753         * stress/big-int-logical-and.js: Added.
1754         * stress/big-int-logical-not.js: Added.
1755         * stress/big-int-logical-or.js: Added.
1756
1757 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1758
1759         [ESNext][BigInt] Implement support for "<<" and ">>"
1760         https://bugs.webkit.org/show_bug.cgi?id=186233
1761
1762         Reviewed by Yusuke Suzuki.
1763
1764         * stress/big-int-left-shift-general.js: Added.
1765         * stress/big-int-left-shift-range-error.js: Added.
1766         * stress/big-int-left-shift-type-error.js: Added.
1767         * stress/big-int-left-shift-wrapped-value.js: Added.
1768         * stress/big-int-right-shift-general.js: Added.
1769         * stress/big-int-right-shift-type-error.js: Added.
1770         * stress/big-int-right-shift-wrapped-value.js: Added.
1771         * stress/left-shift-to-primitive-precedence.js: Added.
1772         * stress/right-shift-to-primitive-precedence.js: Added.
1773
1774 2018-11-30  Dean Jackson  <dino@apple.com>
1775
1776         Add first-class support for .mjs files in jsc binary
1777         https://bugs.webkit.org/show_bug.cgi?id=192190
1778         <rdar://problem/46375715>
1779
1780         Reviewed by Keith Miller.
1781
1782         * stress/simple-module.mjs: Added.
1783         * stress/simple-script.js: Added.
1784
1785 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1786
1787         [BigInt] Implement ValueBitXor into DFG
1788         https://bugs.webkit.org/show_bug.cgi?id=190264
1789
1790         Reviewed by Yusuke Suzuki.
1791
1792         * stress/big-int-bitwise-xor-jit.js: Added.
1793         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1794         * stress/big-int-bitwise-xor-untyped.js: Added.
1795
1796 2018-11-27  Saam barati  <sbarati@apple.com>
1797
1798         r238510 broke scopes of size zero
1799         https://bugs.webkit.org/show_bug.cgi?id=192033
1800         <rdar://problem/46281734>
1801
1802         Reviewed by Keith Miller.
1803
1804         * stress/r238510-bad-loop.js: Added.
1805         (foo):
1806
1807 2018-11-27  Mark Lam  <mark.lam@apple.com>
1808
1809         [Re-landing] NaNs read from Wasm code needs to be purified.
1810         https://bugs.webkit.org/show_bug.cgi?id=191056
1811         <rdar://problem/45660341>
1812
1813         Reviewed by Filip Pizlo.
1814
1815         * wasm/regress/regress-191056.js: Added.
1816
1817 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1818
1819         Unreviewed, rolling out r238509.
1820
1821         Causes JSC tests to fail on iOS.
1822
1823         Reverted changeset:
1824
1825         "NaNs read from Wasm code needs to be purified."
1826         https://bugs.webkit.org/show_bug.cgi?id=191056
1827         https://trac.webkit.org/changeset/238509
1828
1829 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1830
1831         Re-introduce op_bitnot
1832         https://bugs.webkit.org/show_bug.cgi?id=190923
1833
1834         Reviewed by Yusuke Suzuki.
1835
1836         * stress/bit-not-must-generate.js: Added.
1837         * stress/bitwise-not-no-int32.js: Added.
1838
1839 2018-11-26  Saam barati  <sbarati@apple.com>
1840
1841         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1842         https://bugs.webkit.org/show_bug.cgi?id=191956
1843         <rdar://problem/45665806>
1844
1845         Reviewed by Yusuke Suzuki.
1846
1847         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1848         (bar):
1849         (foo):
1850
1851 2018-11-26  Saam barati  <sbarati@apple.com>
1852
1853         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1854         https://bugs.webkit.org/show_bug.cgi?id=191958
1855         <rdar://problem/46221877>
1856
1857         Reviewed by Yusuke Suzuki.
1858
1859         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1860         (x):
1861         (foo):
1862
1863 2018-11-26  Mark Lam  <mark.lam@apple.com>
1864
1865         NaNs read from Wasm code needs to be purified.
1866         https://bugs.webkit.org/show_bug.cgi?id=191056
1867         <rdar://problem/45660341>
1868
1869         Reviewed by Filip Pizlo.
1870
1871         * wasm/regress/regress-191056.js: Added.
1872
1873 2018-11-26  Michael Saboff  <msaboff@apple.com>
1874
1875         32-bit JSC test failure: stress/regexp-compile-oom.js
1876         https://bugs.webkit.org/show_bug.cgi?id=191375
1877
1878         Reviewed by Mark Lam.
1879
1880         Disabled the test for 32 bit platforms.
1881
1882         * stress/regexp-compile-oom.js:
1883
1884 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1885
1886         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1887         https://bugs.webkit.org/show_bug.cgi?id=191716
1888         <rdar://problem/45723878>
1889
1890         Reviewed by Saam Barati.
1891
1892         * stress/regress-187373.js: Added.
1893         (async.fn):
1894
1895 2018-11-21  Saam barati  <sbarati@apple.com>
1896
1897         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1898         https://bugs.webkit.org/show_bug.cgi?id=191897
1899         <rdar://problem/45871998>
1900
1901         Reviewed by Mark Lam.
1902
1903         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1904         (bar):
1905         (foo):
1906
1907 2018-11-21  Saam barati  <sbarati@apple.com>
1908
1909         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1910         https://bugs.webkit.org/show_bug.cgi?id=191895
1911         <rdar://problem/46167406>
1912
1913         Reviewed by Mark Lam.
1914
1915         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1916         (foo):
1917         (bar):
1918
1919 2018-11-21  Mark Lam  <mark.lam@apple.com>
1920
1921         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1922         https://bugs.webkit.org/show_bug.cgi?id=191776
1923         <rdar://problem/46152851>
1924
1925         Reviewed by Saam Barati.
1926
1927         * stress/big-wasm-memory-grow-no-max.js:
1928         * stress/big-wasm-memory-grow.js:
1929         * stress/big-wasm-memory.js:
1930         - updated these to expect an OutOfMemoryError.
1931
1932         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1933         (Binary.prototype.emit_u8):
1934         (Binary.prototype.emit_u32v):
1935         (Binary.prototype.emit_header):
1936         (Binary.prototype.emit_section):
1937         (Binary):
1938         (WasmModuleBuilder):
1939         (WasmModuleBuilder.prototype.addMemory):
1940         (WasmModuleBuilder.prototype.toArray):
1941         (WasmModuleBuilder.prototype.toBuffer):
1942         (WasmModuleBuilder.prototype.instantiate):
1943         (catch):
1944         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1945         (catch):
1946
1947 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1948
1949         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1950         https://bugs.webkit.org/show_bug.cgi?id=190836
1951
1952         Reviewed by Saam Barati and Yusuke Suzuki.
1953
1954         * stress/big-int-out-of-memory-tests.js: Added.
1955
1956 2018-11-20  Mark Lam  <mark.lam@apple.com>
1957
1958         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1959         https://bugs.webkit.org/show_bug.cgi?id=191856
1960         <rdar://problem/46089992>
1961
1962         Reviewed by Yusuke Suzuki.
1963
1964         * stress/regress-191856.js: Added.
1965         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1966
1967 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1968
1969         Enable JIT on ARM/Linux
1970         https://bugs.webkit.org/show_bug.cgi?id=191548
1971
1972         Reviewed by Yusuke Suzuki.
1973
1974         Disable test on system with limited memory. Program was killed by
1975         the OS before the exception was thrown.
1976
1977         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1978
1979 2018-11-20  Saam barati  <sbarati@apple.com>
1980
1981         Merging an IC variant may lead to the IC status containing overlapping structure sets
1982         https://bugs.webkit.org/show_bug.cgi?id=191869
1983         <rdar://problem/45403453>
1984
1985         Reviewed by Mark Lam.
1986
1987         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1988
1989 2018-11-19  Mark Lam  <mark.lam@apple.com>
1990
1991         globalFuncImportModule() should return a promise when it clears exceptions.
1992         https://bugs.webkit.org/show_bug.cgi?id=191792
1993         <rdar://problem/46090763>
1994
1995         Reviewed by Michael Saboff.
1996
1997         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1998
1999 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2000
2001         Skip new memory-hungry tests on memory limited devices
2002
2003         Unreviewed gardening.
2004
2005         * stress/big-wasm-memory-grow-no-max.js:
2006         * stress/big-wasm-memory-grow.js:
2007         * stress/big-wasm-memory.js:
2008
2009 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2010
2011         Unreviewed, rolling in the rest of r237254
2012         https://bugs.webkit.org/show_bug.cgi?id=190340
2013
2014         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2015         * stress/function-cache-with-parameters-end-position.js: Added.
2016         (shouldBe):
2017         (shouldThrow):
2018         (i.anonymous):
2019         * stress/function-constructor-name.js: Added.
2020         (shouldBe):
2021         (GeneratorFunction):
2022         (AsyncFunction.async):
2023         (AsyncGeneratorFunction.async):
2024         (anonymous):
2025         (async.anonymous):
2026         * test262/expectations.yaml:
2027
2028 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2029
2030         All users of ArrayBuffer should agree on the same max size
2031         https://bugs.webkit.org/show_bug.cgi?id=191771
2032
2033         Reviewed by Mark Lam.
2034
2035         * stress/big-wasm-memory-grow-no-max.js: Added.
2036         (foo):
2037         (catch):
2038         * stress/big-wasm-memory-grow.js: Added.
2039         (foo):
2040         (catch):
2041         * stress/big-wasm-memory.js: Added.
2042         (foo):
2043         (catch):
2044
2045 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2046
2047         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2048         run for each JSC config since they're regression tests for runtime bugs.
2049
2050         * stress/json-stringified-overflow-2.js:
2051         * stress/json-stringified-overflow.js:
2052
2053 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2054
2055         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2056         config since they're regression tests for runtime bugs.
2057
2058         * stress/large-unshift-splice.js:
2059         * stress/regress-185888.js:
2060
2061 2018-11-16  Saam Barati  <sbarati@apple.com>
2062
2063         KnownCellUse should also have SpecCellCheck as its type filter
2064         https://bugs.webkit.org/show_bug.cgi?id=191729
2065         <rdar://problem/45872852>
2066
2067         Reviewed by Filip Pizlo.
2068
2069         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2070         (C):
2071
2072 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2073
2074         Fix assertion failure on BytecodeGenerator::recordOpcode
2075         https://bugs.webkit.org/show_bug.cgi?id=191724
2076         <rdar://problem/45724395>
2077
2078         Reviewed by Saam Barati.
2079
2080         * stress/regress-187373-2.js: Added.
2081         (foo):
2082
2083 2018-11-15  Mark Lam  <mark.lam@apple.com>
2084
2085         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2086         https://bugs.webkit.org/show_bug.cgi?id=191730
2087         <rdar://problem/46048517>
2088
2089         Reviewed by Saam Barati.
2090
2091         * stress/regress-187006.js: Removed.
2092           - this test is invalid because its sole purpose is to test for the non-spec
2093             compliant behavior that we just fixed.
2094
2095         * stress/regress-191730.js: Added.
2096
2097 2018-11-15  Mark Lam  <mark.lam@apple.com>
2098
2099         RegExp operations should not take fast path if lastIndex is not numeric.
2100         https://bugs.webkit.org/show_bug.cgi?id=191731
2101         <rdar://problem/46017305>
2102
2103         Reviewed by Saam Barati.
2104
2105         * stress/regress-191731.js: Added.
2106
2107 2018-11-13  Saam Barati  <sbarati@apple.com>
2108
2109         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2110         https://bugs.webkit.org/show_bug.cgi?id=191600
2111
2112         Reviewed by Mark Lam.
2113
2114         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2115         (foo):
2116         (test):
2117         (bar):
2118
2119 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2120
2121         Unreviewed, rolling out r238132.
2122
2123         The test added with this change is timing out on Debug JSC
2124         bots.
2125
2126         Reverted changeset:
2127
2128         "[BigInt] JSBigInt::createWithLength should throw when length
2129         is greater than JSBigInt::maxLength"
2130         https://bugs.webkit.org/show_bug.cgi?id=190836
2131         https://trac.webkit.org/changeset/238132
2132
2133 2018-11-13  Mark Lam  <mark.lam@apple.com>
2134
2135         Add OOM detection to StringPrototype's substituteBackreferences().
2136         https://bugs.webkit.org/show_bug.cgi?id=191563
2137         <rdar://problem/45720428>
2138
2139         Reviewed by Saam Barati.
2140
2141         * stress/regress-191563.js: Added.
2142
2143 2018-11-13  Mark Lam  <mark.lam@apple.com>
2144
2145         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2146         https://bugs.webkit.org/show_bug.cgi?id=191579
2147         <rdar://problem/45942472>
2148
2149         Reviewed by Saam Barati.
2150
2151         * stress/regress-191579.js: Added.
2152
2153 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2154
2155         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2156         https://bugs.webkit.org/show_bug.cgi?id=190836
2157
2158         Reviewed by Saam Barati.
2159
2160         * stress/big-int-out-of-memory-tests.js: Added.
2161
2162 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2163
2164         U+180E is no longer a whitespace character
2165         https://bugs.webkit.org/show_bug.cgi?id=191415
2166
2167         Reviewed by Saam Barati.
2168
2169         * ChakraCore/test/es5/regexSpace.baseline:
2170         * ChakraCore/test/es6/unicode_whitespace.js:
2171         Update tests to latest version.
2172         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2173
2174         * test262.yaml:
2175         * test262/config.yaml:
2176         * test262/expectations.yaml:
2177         Update expectations.
2178
2179 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2180
2181         [BigInt] Add support to BigInt into ValueAdd
2182         https://bugs.webkit.org/show_bug.cgi?id=186177
2183
2184         Reviewed by Keith Miller.
2185
2186         * stress/big-int-negate-jit.js:
2187         * stress/value-add-big-int-and-string.js: Added.
2188         * stress/value-add-big-int-prediction-propagation.js: Added.
2189         * stress/value-add-big-int-untyped.js: Added.
2190
2191 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2192
2193         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2194         https://bugs.webkit.org/show_bug.cgi?id=191184
2195
2196         Reviewed by Saam Barati.
2197
2198         Most tests were failing due to timeouts, since they are too slow to
2199         run on CLoop. The exceptions are:
2200
2201         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2202         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2203         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2204         to change the stack size since CLoop requires it to be page aligned.
2205
2206         * microbenchmarks/array-push-1.js:
2207         * microbenchmarks/array-push-2.js:
2208         * microbenchmarks/elidable-new-object-dag.js:
2209         * microbenchmarks/elidable-new-object-roflcopter.js:
2210         * microbenchmarks/elidable-new-object-tree.js:
2211         * microbenchmarks/getter-richards.js:
2212         * microbenchmarks/sinkable-new-object-dag.js:
2213         * microbenchmarks/string-concat-long-convert.js:
2214         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2215         * slowMicrobenchmarks/array-push-3.js:
2216         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2217         * slowMicrobenchmarks/spread-small-array.js:
2218         * slowMicrobenchmarks/undefined-property-access.js:
2219         * stress/activation-sink-default-value-tdz-error.js:
2220         * stress/activation-sink-default-value.js:
2221         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2222         * stress/activation-sink-osrexit-default-value.js:
2223         * stress/activation-sink-osrexit.js:
2224         * stress/activation-sink.js:
2225         * stress/allow-math-ic-b3-code-duplication.js:
2226         * stress/array-push-multiple-int32.js:
2227         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2228         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2229         * stress/arrowfunction-lexical-this-activation-sink.js:
2230         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2231         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2232         * stress/elide-new-object-dag-then-exit.js:
2233         * stress/materialize-regexp-cyclic.js:
2234         * stress/new-regex-inline.js:
2235         * stress/op_add.js:
2236         * stress/op_bitand.js:
2237         * stress/op_bitor.js:
2238         * stress/op_bitxor.js:
2239         * stress/op_div-ConstVar.js:
2240         * stress/op_div-VarConst.js:
2241         * stress/op_div-VarVar.js:
2242         * stress/op_lshift-ConstVar.js:
2243         * stress/op_lshift-VarConst.js:
2244         * stress/op_lshift-VarVar.js:
2245         * stress/op_mod-ConstVar.js:
2246         * stress/op_mod-VarConst.js:
2247         * stress/op_mod-VarVar.js:
2248         * stress/op_mul-ConstVar.js:
2249         * stress/op_mul-VarConst.js:
2250         * stress/op_mul-VarVar.js:
2251         * stress/op_rshift-ConstVar.js:
2252         * stress/op_rshift-VarConst.js:
2253         * stress/op_rshift-VarVar.js:
2254         * stress/op_sub-ConstVar.js:
2255         * stress/op_sub-VarConst.js:
2256         * stress/op_sub-VarVar.js:
2257         * stress/op_urshift-ConstVar.js:
2258         * stress/op_urshift-VarConst.js:
2259         * stress/op_urshift-VarVar.js:
2260         * stress/proxy-get-set-correct-receiver.js:
2261         * stress/regress-179562.js:
2262         * stress/rest-parameter-many-arguments.js:
2263         * stress/sampling-profiler-richards.js:
2264         * stress/splay-flash-access-1ms.js:
2265         * stress/tailCallForwardArguments.js:
2266         * stress/typed-array-get-by-val-profiling.js:
2267         * typeProfiler/getter-richards.js:
2268
2269 2018-11-06  Michael Saboff  <msaboff@apple.com>
2270
2271         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2272         https://bugs.webkit.org/show_bug.cgi?id=191271
2273
2274         Reviewed by Saam Barati.
2275
2276         Added more test cases and made all test cases run with the same deeply recursive stack
2277         instead of finding that same point for each test case.
2278
2279         * stress/regexp-compile-oom.js:
2280         (prototype.runTest):
2281         (recurseAndTest):
2282         (testList.push.new.TestAndExpectedException):
2283
2284 2018-11-05  Michael Saboff  <msaboff@apple.com>
2285
2286         Unreviewed build fix for linux.
2287
2288         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2289
2290 2018-11-02  Michael Saboff  <msaboff@apple.com>
2291
2292         Rolling in r237753 with unreviewed build fix.
2293
2294         Fixed issues with DECLARE_THROW_SCOPE placement.
2295
2296 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2297
2298         Unreviewed, rolling out r237753.
2299
2300         Introduced JSC test failures
2301
2302         Reverted changeset:
2303
2304         "Running out of stack space not properly handled in
2305         RegExp::compile() and its callers"
2306         https://bugs.webkit.org/show_bug.cgi?id=191206
2307         https://trac.webkit.org/changeset/237753
2308
2309 2018-11-02  Michael Saboff  <msaboff@apple.com>
2310
2311         Running out of stack space not properly handled in RegExp::compile() and its callers
2312         https://bugs.webkit.org/show_bug.cgi?id=191206
2313
2314         Reviewed by Filip Pizlo.
2315
2316         New regression test.
2317
2318         * stress/regexp-compile-oom.js: Added.
2319         (recurseAndTest):
2320
2321 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2322
2323         Skip tests on arm/mips that time out now we're running on CLoop
2324
2325         Unreviewed gardening.
2326
2327         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2328         time out on the bots and need to be disabled. There's more tests
2329         disabled on arm because the timeout is longer on the mips bot (as the
2330         device is slower to start with), so many of the tests don't time out
2331         there.
2332
2333         * microbenchmarks/getter-richards.js: disable on arm and mips.
2334         * stress/op_add.js: disable on arm.
2335         * stress/op_bitand.js: disable on arm.
2336         * stress/op_bitor.js: disable on arm.
2337         * stress/op_bitxor.js: disable on arm.
2338         * stress/op_lshift-ConstVar.js: disable on arm.
2339         * stress/op_lshift-VarConst.js: disable on arm.
2340         * stress/op_lshift-VarVar.js: disable on arm.
2341         * stress/op_mod-ConstVar.js: disable on arm.
2342         * stress/op_mod-VarConst.js: disable on arm.
2343         * stress/op_mod-VarVar.js: disable on arm.
2344         * stress/op_mul-ConstVar.js: disable on arm.
2345         * stress/op_mul-VarConst.js: disable on arm.
2346         * stress/op_mul-VarVar.js: disable on arm.
2347         * stress/op_rshift-ConstVar.js: disable on arm.
2348         * stress/op_rshift-VarConst.js: disable on arm.
2349         * stress/op_rshift-VarVar.js: disable on arm.
2350         * stress/op_sub-ConstVar.js: disable on arm.
2351         * stress/op_sub-VarConst.js: disable on arm.
2352         * stress/op_sub-VarVar.js: disable on arm.
2353         * stress/op_urshift-ConstVar.js: disable on arm.
2354         * stress/op_urshift-VarConst.js: disable on arm.
2355         * stress/op_urshift-VarVar.js: disable on arm.
2356         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2357         * stress/value-to-boolean.js: disable on arm and mips.
2358
2359 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2360
2361         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2362         https://bugs.webkit.org/show_bug.cgi?id=191108
2363         <rdar://problem/45690700>
2364
2365         Reviewed by Saam Barati.
2366
2367         * stress/wide-op_catch.js: Added.
2368         (catch):
2369
2370 2018-10-29  Mark Lam  <mark.lam@apple.com>
2371
2372         Correctly detect string overflow when using the 'Function' constructor.
2373         https://bugs.webkit.org/show_bug.cgi?id=184883
2374         <rdar://problem/36320331>
2375
2376         Reviewed by Saam Barati.
2377
2378         I've verified that this passes on 32-bit as well.
2379
2380         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2381
2382 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2383
2384         Add support for GetStack FlushedDouble
2385         https://bugs.webkit.org/show_bug.cgi?id=191012
2386         <rdar://problem/45265141>
2387
2388         Reviewed by Saam Barati.
2389
2390         * stress/get-stack-double.js: Added.
2391         (bar):
2392         (noInline):
2393
2394 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2395
2396         New bytecode format for JSC
2397         https://bugs.webkit.org/show_bug.cgi?id=187373
2398         <rdar://problem/44186758>
2399
2400         Reviewed by Filip Pizlo.
2401
2402         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2403
2404         * stress/maximum-inline-capacity.js: Added.
2405         (test1):
2406         (test3.Foo):
2407         (test3):
2408
2409 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2410
2411         Unreviewed, rolling out r237479 and r237484.
2412         https://bugs.webkit.org/show_bug.cgi?id=190978
2413
2414         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2415
2416         Reverted changesets:
2417
2418         "New bytecode format for JSC"
2419         https://bugs.webkit.org/show_bug.cgi?id=187373
2420         https://trac.webkit.org/changeset/237479
2421
2422         "Gardening: Build fix after r237479."
2423         https://bugs.webkit.org/show_bug.cgi?id=187373
2424         https://trac.webkit.org/changeset/237484
2425
2426 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2427
2428         New bytecode format for JSC
2429         https://bugs.webkit.org/show_bug.cgi?id=187373
2430         <rdar://problem/44186758>
2431
2432         Reviewed by Filip Pizlo.
2433
2434         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2435
2436         * stress/maximum-inline-capacity.js: Added.
2437         (test1):
2438         (test3.Foo):
2439         (test3):
2440
2441 2018-10-26  Mark Lam  <mark.lam@apple.com>
2442
2443         Fix missing edge cases with JSGlobalObjects having a bad time.
2444         https://bugs.webkit.org/show_bug.cgi?id=189028
2445         <rdar://problem/45204939>
2446
2447         Reviewed by Saam Barati.
2448
2449         * stress/regress-189028.js: Added.
2450
2451 2018-10-22  Mark Lam  <mark.lam@apple.com>
2452
2453         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2454         https://bugs.webkit.org/show_bug.cgi?id=190515
2455         <rdar://problem/45222379>
2456
2457         Rubber-stamped by Saam Barati.
2458
2459         Adding another test.
2460
2461         * stress/regress-190515-2.js: Added.
2462
2463 2018-10-22  Mark Lam  <mark.lam@apple.com>
2464
2465         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2466         https://bugs.webkit.org/show_bug.cgi?id=190515
2467         <rdar://problem/45222379>
2468
2469         Reviewed by Saam Barati.
2470
2471         * stress/regress-190515.js: Added.
2472
2473 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2474
2475         Unreviewed, rolling out r237254.
2476         https://bugs.webkit.org/show_bug.cgi?id=190760
2477
2478         "It regresses JetStream 2 by 5% on some iOS devices"
2479         (Requested by saamyjoon on #webkit).
2480
2481         Reverted changeset:
2482
2483         "[JSC] JSC should have "parseFunction" to optimize Function
2484         constructor"
2485         https://bugs.webkit.org/show_bug.cgi?id=190340
2486         https://trac.webkit.org/changeset/237254
2487
2488 2018-10-19  Saam Barati  <sbarati@apple.com>
2489
2490         vmCall should check if we exit before emitting an OSR exit due to exceptions
2491         https://bugs.webkit.org/show_bug.cgi?id=190740
2492         <rdar://problem/45220139>
2493
2494         Reviewed by Mark Lam.
2495
2496         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2497         (foo):
2498
2499 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2500
2501         [ESNext][BigInt] Implement support for "^"
2502         https://bugs.webkit.org/show_bug.cgi?id=186235
2503
2504         Reviewed by Yusuke Suzuki.
2505
2506         * stress/big-int-bitwise-xor-general.js: Added.
2507         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2508         * stress/big-int-bitwise-xor-type-error.js: Added.
2509         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2510
2511 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2512
2513         [BigInt] Add ValueSub into DFG
2514         https://bugs.webkit.org/show_bug.cgi?id=186176
2515
2516         Reviewed by Yusuke Suzuki.
2517
2518         * stress/big-int-subtraction-jit.js:
2519         * stress/value-sub-big-int-prediction-propagation.js: Added.
2520         * stress/value-sub-big-int-untyped.js: Added.
2521         * stress/value-sub-spec-none-case.js: Added.
2522
2523 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2524
2525         [JSC] JSC should have "parseFunction" to optimize Function constructor
2526         https://bugs.webkit.org/show_bug.cgi?id=190340
2527
2528         Reviewed by Mark Lam.
2529
2530         This patch fixes the line number of syntax errors raised by the Function constructor,
2531         since we now parse the final code only once. And we no longer use block statement
2532         for Function constructor's parsing.
2533
2534         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2535         * stress/function-cache-with-parameters-end-position.js: Added.
2536         (shouldBe):
2537         (shouldThrow):
2538         (i.anonymous):
2539         * stress/function-constructor-name.js: Added.
2540         (shouldBe):
2541         (GeneratorFunction):
2542         (AsyncFunction.async):
2543         (AsyncGeneratorFunction.async):
2544         (anonymous):
2545         (async.anonymous):
2546         * test262/expectations.yaml:
2547
2548 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2549
2550         Unreviewed, rolling out r237242.
2551         https://bugs.webkit.org/show_bug.cgi?id=190701
2552
2553         it breaks "stress/sampling-profiler-basic.js" (Requested by
2554         caiolima on #webkit).
2555
2556         Reverted changeset:
2557
2558         "[BigInt] Add ValueSub into DFG"
2559         https://bugs.webkit.org/show_bug.cgi?id=186176
2560         https://trac.webkit.org/changeset/237242
2561
2562 2018-10-17  Keith Miller  <keith_miller@apple.com>
2563
2564         AI does not clear Phantom allocation nodes.
2565         https://bugs.webkit.org/show_bug.cgi?id=190694
2566
2567         Reviewed by Saam Barati.
2568
2569         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2570         (Day):
2571         (DaysInYear):
2572         (TimeInYear):
2573         (TimeFromYear):
2574         (DayFromYear):
2575         (InLeapYear):
2576         (YearFromTime):
2577         (WeekDay):
2578         (DaylightSavingTA):
2579         (GetSecondSundayInMarch):
2580         (TimeInMonth):
2581
2582 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2583
2584         [BigInt] Add ValueSub into DFG
2585         https://bugs.webkit.org/show_bug.cgi?id=186176
2586
2587         Reviewed by Yusuke Suzuki.
2588
2589         * stress/big-int-subtraction-jit.js:
2590         * stress/value-sub-big-int-prediction-propagation.js: Added.
2591         * stress/value-sub-big-int-untyped.js: Added.
2592
2593 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2594
2595         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2596         https://bugs.webkit.org/show_bug.cgi?id=190611
2597
2598         Reviewed by Saam Barati.
2599
2600         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2601         to improve test runtime. On ARM/MIPS this test even timed out when running all
2602         tests.
2603
2604         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2605         (test):
2606
2607 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2608
2609         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2610
2611         Unreviewed gardening.
2612
2613         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2614
2615 2018-10-15  Saam barati  <sbarati@apple.com>
2616
2617         Emit fjcvtzs on ARM64E on Darwin
2618         https://bugs.webkit.org/show_bug.cgi?id=184023
2619
2620         Reviewed by Yusuke Suzuki and Filip Pizlo.
2621
2622         * stress/double-to-int32-NaN.js: Added.
2623         (assert):
2624         (foo):
2625
2626 2018-10-15  Saam Barati  <sbarati@apple.com>
2627
2628         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2629         https://bugs.webkit.org/show_bug.cgi?id=190262
2630         <rdar://problem/44986241>
2631
2632         Reviewed by Mark Lam.
2633
2634         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2635         (test):
2636         * stress/slice-array-storage-with-holes.js: Added.
2637         (main):
2638
2639 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2640
2641         Unreviewed, rolling out r237054.
2642         https://bugs.webkit.org/show_bug.cgi?id=190593
2643
2644         "this regressed JetStream 2 by 6% on iOS" (Requested by
2645         saamyjoon on #webkit).
2646
2647         Reverted changeset:
2648
2649         "[JSC] JSC should have "parseFunction" to optimize Function
2650         constructor"
2651         https://bugs.webkit.org/show_bug.cgi?id=190340
2652         https://trac.webkit.org/changeset/237054
2653
2654 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2655
2656         [JSC] JSON.stringify can accept call-with-no-arguments
2657         https://bugs.webkit.org/show_bug.cgi?id=190343
2658
2659         Reviewed by Mark Lam.
2660
2661         * stress/json-stringify-no-arguments.js: Added.
2662         (shouldBe):
2663
2664 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2665
2666         [JSC] JSC should have "parseFunction" to optimize Function constructor
2667         https://bugs.webkit.org/show_bug.cgi?id=190340
2668
2669         Reviewed by Mark Lam.
2670
2671         This patch fixes the line number of syntax errors raised by the Function constructor,
2672         since we now parse the final code only once. And we no longer use block statement
2673         for Function constructor's parsing.
2674
2675         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2676         * stress/function-cache-with-parameters-end-position.js: Added.
2677         (shouldBe):
2678         (shouldThrow):
2679         (i.anonymous):
2680         * stress/function-constructor-name.js: Added.
2681         (shouldBe):
2682         (GeneratorFunction):
2683         (AsyncFunction.async):
2684         (AsyncGeneratorFunction.async):
2685         (anonymous):
2686         (async.anonymous):
2687         * test262/expectations.yaml:
2688
2689 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2690
2691         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2692         https://bugs.webkit.org/show_bug.cgi?id=190426
2693
2694         Unreviewed gardening.
2695
2696         * stress/sampling-profiler-richards.js:
2697
2698 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2699
2700         [ESNext][BigInt] Implement support for "|"
2701         https://bugs.webkit.org/show_bug.cgi?id=186229
2702
2703         Reviewed by Yusuke Suzuki.
2704
2705         * stress/big-int-bitwise-and-jit.js:
2706         * stress/big-int-bitwise-or-general.js: Added.
2707         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2708         * stress/big-int-bitwise-or-jit.js: Added.
2709         * stress/big-int-bitwise-or-memory-stress.js: Added.
2710         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2711         * stress/big-int-bitwise-or-type-error.js: Added.
2712         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2713
2714 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2715
2716         Skip test on systems with limited memory
2717         https://bugs.webkit.org/show_bug.cgi?id=190310
2718
2719         Invoking runDefault adds test to runlist; skipping the test in the next
2720         line does not prevent the test from executing. Change order of lines such
2721         that runDefault is only executed if test is not executed.
2722
2723         Reviewed by Mark Lam.
2724
2725         * stress/regress-190187.js:
2726
2727 2018-10-03  Saam barati  <sbarati@apple.com>
2728
2729         lowXYZ in FTLLower should always filter the type of the incoming edge
2730         https://bugs.webkit.org/show_bug.cgi?id=189939
2731         <rdar://problem/44407030>
2732
2733         Reviewed by Michael Saboff.
2734
2735         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2736         (foo):
2737         (test):
2738
2739 2018-10-03  Mark Lam  <mark.lam@apple.com>
2740
2741         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2742         https://bugs.webkit.org/show_bug.cgi?id=190187
2743         <rdar://problem/42512909>
2744
2745         Reviewed by Michael Saboff.
2746
2747         * stress/regress-190187.js: Added.
2748
2749 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2750
2751         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2752         https://bugs.webkit.org/show_bug.cgi?id=190033
2753
2754         Reviewed by Yusuke Suzuki.
2755
2756         * stress/big-int-to-string.js:
2757
2758 2018-10-01  Mark Lam  <mark.lam@apple.com>
2759
2760         Function.toString() should also copy the source code of Functions that are class definitions.
2761         https://bugs.webkit.org/show_bug.cgi?id=190186
2762         <rdar://problem/44733360>
2763
2764         Reviewed by Saam Barati.
2765
2766         * stress/regress-190186.js: Added.
2767
2768 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2769
2770         Split NaN-check into separate test
2771         https://bugs.webkit.org/show_bug.cgi?id=190010
2772
2773         Reviewed by Saam Barati.
2774
2775         DataView exposes NaN-representation, which is not necessarily the same on each
2776         architecture. Therefore move the check of the NaN-representation into its own
2777         file such that we can disable this test on MIPS where NaN-representation can be
2778         different on older CPUs.
2779
2780         * stress/dataview-jit-set-nan.js: Added.
2781         (assert):
2782         (test.storeLittleEndian):
2783         (test.storeBigEndian):
2784         (test.store):
2785         (test):
2786         * stress/dataview-jit-set.js:
2787         (test5):
2788
2789 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2790
2791         Unreviewed, rolling out r236647.
2792         https://bugs.webkit.org/show_bug.cgi?id=190124
2793
2794         Breaking test stress/big-int-to-string.js (Requested by
2795         caiolima_ on #webkit).
2796
2797         Reverted changeset:
2798
2799         "[BigInt] BigInt.prototype.toString is broken when radix is
2800         power of 2"
2801         https://bugs.webkit.org/show_bug.cgi?id=190033
2802         https://trac.webkit.org/changeset/236647
2803
2804 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2805
2806         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2807         https://bugs.webkit.org/show_bug.cgi?id=190033
2808
2809         Reviewed by Yusuke Suzuki.
2810
2811         * stress/big-int-to-string.js:
2812
2813 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2814
2815         [ESNext][BigInt] Implement support for "&"
2816         https://bugs.webkit.org/show_bug.cgi?id=186228
2817
2818         Reviewed by Yusuke Suzuki.
2819
2820         * stress/big-int-bitwise-and-general.js: Added.
2821         (assert):
2822         (assert.sameValue):
2823         * stress/big-int-bitwise-and-jit.js: Added.
2824         (let.assert.sameValue):
2825         (bigIntBitAnd):
2826         * stress/big-int-bitwise-and-memory-stress.js: Added.
2827         (assert):
2828         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2829         (assert.sameValue):
2830         (let.o.Symbol.toPrimitive):
2831         (catch):
2832         * stress/big-int-bitwise-and-type-error.js: Added.
2833         (assert):
2834         (assertThrowTypeError):
2835         (let.o.valueOf):
2836         (o.valueOf):
2837         (o.toString):
2838         (o.Symbol.toPrimitive):
2839         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2840         (assert.sameValue):
2841         (testBitAnd):
2842         (let.o.Symbol.toPrimitive):
2843         (o.valueOf):
2844         (o.toString):
2845
2846 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2847
2848         JSC test stress/jsc-read.js doesn't support CRLF
2849         https://bugs.webkit.org/show_bug.cgi?id=190063
2850
2851         Reviewed by Yusuke Suzuki.
2852
2853         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2854
2855         * stress/jsc-read.js:
2856         (test):
2857
2858 2018-09-27  Saam barati  <sbarati@apple.com>
2859
2860         Verify the contents of AssemblerBuffer on arm64e
2861         https://bugs.webkit.org/show_bug.cgi?id=190057
2862         <rdar://problem/38916630>
2863
2864         Reviewed by Mark Lam.
2865
2866         * stress/regress-189132.js:
2867
2868 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2869
2870         Disable test without LLInt on ARMv7
2871         https://bugs.webkit.org/show_bug.cgi?id=190037
2872
2873         Reviewed by Mark Lam.
2874
2875         Test runs out of executable memory on ARMv7; do not run
2876         this test without LLInt enabled.
2877
2878         * stress/regress-169445.js:
2879
2880 2018-09-26  Keith Miller  <keith_miller@apple.com>
2881
2882         We should zero unused property storage when rebalancing array storage.
2883         https://bugs.webkit.org/show_bug.cgi?id=188151
2884
2885         Reviewed by Michael Saboff.
2886
2887         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2888
2889 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2890
2891         [JSC] Optimize Array#lastIndexOf
2892         https://bugs.webkit.org/show_bug.cgi?id=189780
2893
2894         Reviewed by Saam Barati.
2895
2896         * stress/array-lastindexof-array-prototype-trap.js: Added.
2897         (shouldBe):
2898         (AncestorArray.prototype.get 2):
2899         (AncestorArray):
2900         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2901         (shouldBe):
2902         * stress/array-lastindexof-hole-nan.js: Added.
2903         (shouldBe):
2904         (throw.new.Error):
2905         * stress/array-lastindexof-infinity.js: Added.
2906         (shouldBe):
2907         (throw.new.Error):
2908         * stress/array-lastindexof-negative-zero.js: Added.
2909         (shouldBe):
2910         (throw.new.Error):
2911         * stress/array-lastindexof-own-getter.js: Added.
2912         (shouldBe):
2913         (throw.new.Error.get array):
2914         (get array):
2915         * stress/array-lastindexof-prototype-trap.js: Added.
2916         (shouldBe):
2917         (DerivedArray.prototype.get 2):
2918         (DerivedArray):
2919
2920 2018-09-25  Saam Barati  <sbarati@apple.com>
2921
2922         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2923         https://bugs.webkit.org/show_bug.cgi?id=189940
2924         <rdar://problem/43640987>
2925
2926         Reviewed by Mark Lam.
2927
2928         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2929
2930 2018-09-24  Saam Barati  <sbarati@apple.com>
2931
2932         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2933         https://bugs.webkit.org/show_bug.cgi?id=189922
2934         <rdar://problem/44651275>
2935
2936         Reviewed by Mark Lam.
2937
2938         * stress/array-indexof-fast-path-effects.js: Added.
2939         * stress/array-indexof-cached-length.js: Added.
2940
2941 2018-09-24  Saam barati  <sbarati@apple.com>
2942
2943         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2944         https://bugs.webkit.org/show_bug.cgi?id=189682
2945         <rdar://problem/43557315>
2946
2947         Reviewed by Mark Lam.
2948
2949         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2950         (foo):
2951
2952 2018-09-22  Saam barati  <sbarati@apple.com>
2953
2954         The sampling should not use Strong<CodeBlock> in its machineLocation field
2955         https://bugs.webkit.org/show_bug.cgi?id=189319
2956
2957         Reviewed by Filip Pizlo.
2958
2959         * stress/sampling-profiler-richards.js: Added.
2960
2961 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2962
2963         [JSC] Optimize Array#indexOf in C++ runtime
2964         https://bugs.webkit.org/show_bug.cgi?id=189507
2965
2966         Reviewed by Saam Barati.
2967
2968         * stress/array-indexof-array-prototype-trap.js: Added.
2969         (shouldBe):
2970         (AncestorArray.prototype.get 2):
2971         (AncestorArray):
2972         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2973         (shouldBe):
2974         * stress/array-indexof-hole-nan.js: Added.
2975         (shouldBe):
2976         (throw.new.Error):
2977         * stress/array-indexof-infinity.js: Added.
2978         (shouldBe):
2979         (throw.new.Error):
2980         * stress/array-indexof-negative-zero.js: Added.
2981         (shouldBe):
2982         (throw.new.Error):
2983         * stress/array-indexof-own-getter.js: Added.
2984         (shouldBe):
2985         (throw.new.Error.get array):
2986         (get array):
2987         * stress/array-indexof-prototype-trap.js: Added.
2988         (shouldBe):
2989         (DerivedArray.prototype.get 2):
2990         (DerivedArray):
2991
2992 2018-09-19  Saam barati  <sbarati@apple.com>
2993
2994         AI rule for MultiPutByOffset executes its effects in the wrong order
2995         https://bugs.webkit.org/show_bug.cgi?id=189757
2996         <rdar://problem/43535257>
2997
2998         Reviewed by Michael Saboff.
2999
3000         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3001         (foo):
3002         (Foo):
3003         (g):
3004
3005 2018-09-17  Mark Lam  <mark.lam@apple.com>
3006
3007         Ensure that ForInContexts are invalidated if their loop local is over-written.
3008         https://bugs.webkit.org/show_bug.cgi?id=189571
3009         <rdar://problem/44402277>
3010
3011         Reviewed by Saam Barati.
3012
3013         * stress/regress-189571.js: Added.
3014
3015 2018-09-17  Saam barati  <sbarati@apple.com>
3016
3017         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3018         https://bugs.webkit.org/show_bug.cgi?id=189676
3019         <rdar://problem/39682897>
3020
3021         Reviewed by Michael Saboff.
3022
3023         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3024         (A):
3025         (K):
3026         (i.catch):
3027
3028 2018-09-14  Saam barati  <sbarati@apple.com>
3029
3030         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3031         https://bugs.webkit.org/show_bug.cgi?id=189628
3032         <rdar://problem/39481690>
3033
3034         Reviewed by Mark Lam.
3035
3036         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3037         (foo):
3038
3039 2018-09-11  Mark Lam  <mark.lam@apple.com>
3040
3041         Test for array initialization in arrayProtoFuncSplice.
3042         https://bugs.webkit.org/show_bug.cgi?id=170253
3043         <rdar://problem/31328773>
3044
3045         Rubber-stamped by Saam Barati.
3046
3047         * stress/regress-170253.js: Added.
3048
3049 2018-09-11  Mark Lam  <mark.lam@apple.com>
3050
3051         Test for IntlObject initialization.
3052         https://bugs.webkit.org/show_bug.cgi?id=170251
3053         <rdar://problem/31328419>
3054
3055         Rubber-stamped by Saam Barati.
3056
3057         * stress/regress-170251.js: Added.
3058
3059 2018-09-11  Mark Lam  <mark.lam@apple.com>
3060
3061         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3062         https://bugs.webkit.org/show_bug.cgi?id=169889
3063         <rdar://problem/31155607>
3064
3065         Reviewed by Saam Barati.
3066
3067         * stress/regress-169889-array-concat.js: Added.
3068         * stress/regress-169889-array-concat1.js: Added.
3069         * stress/regress-169889-array-slice.js: Added.
3070
3071 2018-09-11  Mark Lam  <mark.lam@apple.com>
3072
3073         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3074         https://bugs.webkit.org/show_bug.cgi?id=169445
3075         <rdar://problem/30957435>
3076
3077         Reviewed by Saam Barati.
3078
3079         * stress/regress-169445.js: Added.
3080         (let.gun.eval.A):
3081         (let.gun.eval.B.C):
3082         (let.gun.eval.B.C.prototype.trigger):
3083         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3084         (let.gun.eval.B):
3085         (let.gun.eval):
3086
3087 == Rolled over to ChangeLog-2018-09-11 ==