[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-25  Keith Miller  <keith_miller@apple.com>
2
3         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
4         https://bugs.webkit.org/show_bug.cgi?id=196176
5
6         Reviewed by Saam Barati.
7
8         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
9         (main.v10):
10         (main):
11
12 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
13
14         WebAssembly: f32.max with NaN generates incorrect result
15         https://bugs.webkit.org/show_bug.cgi?id=175691
16         <rdar://problem/33952228>
17
18         Reviewed by Saam Barati.
19
20         Enable all f32.max NaN tests
21
22         * wasm/spec-tests/f32.wast.js:
23         * wasm/wasm.json:
24
25 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
26
27         [JSC] Move test into directory for WASM tests
28         https://bugs.webkit.org/show_bug.cgi?id=196187
29
30         Reviewed by Mark Lam.
31
32         Move Test into wasm-directory. Otherwise this test
33         is also executed on systems without WASM support.
34
35         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
36
37 2019-03-23  Mark Lam  <mark.lam@apple.com>
38
39         Rolling out r243032 and r243071 because the fix is incorrect.
40         https://bugs.webkit.org/show_bug.cgi?id=195892
41         <rdar://problem/48981239>
42
43         Not reviewed.
44
45         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
46
47 2019-03-22  Mark Lam  <mark.lam@apple.com>
48
49         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
50         https://bugs.webkit.org/show_bug.cgi?id=196154
51         <rdar://problem/49145307>
52
53         Reviewed by Filip Pizlo.
54
55         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
56         There's no need to run this test on more than 1 test configuration.
57
58         * stress/typed-array-lastIndexOf-exception-check.js: Added.
59         * stress/web-assembly-link-error-exception-check.js:
60
61 2019-03-22  Mark Lam  <mark.lam@apple.com>
62
63         Placate exception check validation in constructJSWebAssemblyLinkError().
64         https://bugs.webkit.org/show_bug.cgi?id=196152
65         <rdar://problem/49145257>
66
67         Reviewed by Michael Saboff.
68
69         * stress/web-assembly-link-error-exception-check.js: Added.
70
71 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
72
73         Skip tests running out of memory on ARM/MIPS
74         https://bugs.webkit.org/show_bug.cgi?id=196131
75
76         Unreviewed. Skip test if memory is limited.
77
78         * microbenchmarks/put-by-val-direct-large-index.js:
79
80 2019-03-21  Mark Lam  <mark.lam@apple.com>
81
82         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
83         https://bugs.webkit.org/show_bug.cgi?id=196116
84         <rdar://problem/48976951>
85
86         Reviewed by Filip Pizlo.
87
88         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
89
90 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
91
92         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
93         https://bugs.webkit.org/show_bug.cgi?id=196078
94         <rdar://problem/35925380>
95
96         Reviewed by Mark Lam.
97
98         Add a new benchmark that allocates several objects and invokes put_by_val_direct
99         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
100
101         * microbenchmarks/put-by-val-direct-large-index.js: Added.
102
103 2019-03-21  Mark Lam  <mark.lam@apple.com>
104
105         Placate exception check validation in operationArrayIndexOfString().
106         https://bugs.webkit.org/show_bug.cgi?id=196067
107         <rdar://problem/49056572>
108
109         Reviewed by Michael Saboff.
110
111         * stress/string-equal-exception-check.js: Added.
112
113 2019-03-21  Mark Lam  <mark.lam@apple.com>
114
115         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
116         https://bugs.webkit.org/show_bug.cgi?id=196055
117         <rdar://problem/49067448>
118
119         Reviewed by Yusuke Suzuki.
120
121         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
122
123 2019-03-20  Saam Barati  <sbarati@apple.com>
124
125         typeOfDoubleSum is wrong for when NaN can be produced
126         https://bugs.webkit.org/show_bug.cgi?id=196030
127
128         Reviewed by Filip Pizlo.
129
130         * stress/double-add-sub-mul-can-produce-nan.js: Added.
131         (assert):
132         (noInline.sub):
133         (noInline):
134         (assert.mul):
135         (assert.add):
136
137 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
138
139         Update the test to ensure OutOfMemoryError is thrown as intended
140         https://bugs.webkit.org/show_bug.cgi?id=196032
141         <rdar://problem/46842740>
142
143         Rubber stamped by Saam Barati.
144
145         * stress/create-error-out-of-memory-rope-string.js:
146         (assert):
147         (catch):
148
149 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
150
151         JSC::createError needs to check for OOM in errorDescriptionForValue
152         https://bugs.webkit.org/show_bug.cgi?id=196032
153         <rdar://problem/46842740>
154
155         Reviewed by Mark Lam.
156
157         * stress/create-error-out-of-memory-rope-string.js: Added.
158
159 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
160
161         Unreviewed, reduce # of iterations to avoid timing out after r242991
162         https://bugs.webkit.org/show_bug.cgi?id=195791
163
164         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
165
166         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
167
168 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
169
170         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
171         https://bugs.webkit.org/show_bug.cgi?id=195950
172
173         Unreviewed, reducing the amount of memory used on this test to avoid
174         OOM on devices with memory restrictions.
175
176         * microbenchmarks/generate-multiple-llint-entrypoints.js:
177
178 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
179
180         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
181         https://bugs.webkit.org/show_bug.cgi?id=194648
182
183         Reviewed by Keith Miller.
184
185         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
186
187 2019-03-18  Mark Lam  <mark.lam@apple.com>
188
189         Missing a ThrowScope release in JSObject::toString().
190         https://bugs.webkit.org/show_bug.cgi?id=195893
191         <rdar://problem/48970986>
192
193         Reviewed by Michael Saboff.
194
195         * stress/to-string-exception-check-release.js: Added.
196
197 2019-03-18  Mark Lam  <mark.lam@apple.com>
198
199         Structure::flattenDictionary() should clear unused property slots.
200         https://bugs.webkit.org/show_bug.cgi?id=195871
201         <rdar://problem/48959497>
202
203         Reviewed by Michael Saboff.
204
205         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
206
207 2019-03-15  Mark Lam  <mark.lam@apple.com>
208
209         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
210         https://bugs.webkit.org/show_bug.cgi?id=195827
211         <rdar://problem/48845513>
212
213         Reviewed by Filip Pizlo.
214
215         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
216
217 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
218
219         [ARM,MIPS] Skip slow tests
220         https://bugs.webkit.org/show_bug.cgi?id=195799
221
222         Unreviewed, test does not finish on ARM and MIPS within the
223         timeout limit.
224
225         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
226
227 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
228
229         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
230         https://bugs.webkit.org/show_bug.cgi?id=195791
231         <rdar://problem/48806130>
232
233         Reviewed by Mark Lam.
234
235         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
236         (foo):
237
238 2019-03-14  Saam Barati  <sbarati@apple.com>
239
240         We can't remove code after ForceOSRExit until after FixupPhase
241         https://bugs.webkit.org/show_bug.cgi?id=186916
242         <rdar://problem/41396612>
243
244         Reviewed by Yusuke Suzuki.
245
246         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
247         (foo):
248         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
249         (foo):
250
251 2019-03-13  Michael Saboff  <msaboff@apple.com>
252
253         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
254         https://bugs.webkit.org/show_bug.cgi?id=195735
255
256         Reviewed by Mark Lam.
257
258         New regression test.
259
260         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
261         (foo):
262         (bar):
263
264 2019-03-14  Saam Barati  <sbarati@apple.com>
265
266         Fixup uses KnownInt32 incorrectly in some nodes
267         https://bugs.webkit.org/show_bug.cgi?id=195279
268         <rdar://problem/47915654>
269
270         Reviewed by Yusuke Suzuki.
271
272         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
273         (foo):
274
275 2019-03-14  Keith Miller  <keith_miller@apple.com>
276
277         DFG liveness can't skip tail caller inline frames
278         https://bugs.webkit.org/show_bug.cgi?id=195715
279
280         Reviewed by Saam Barati.
281
282         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
283         (i.foo):
284
285 2019-03-13  Mark Lam  <mark.lam@apple.com>
286
287         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
288         https://bugs.webkit.org/show_bug.cgi?id=195415
289
290         Not reviewed.
291
292         Changed these tests to only run the default configuration.
293         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
294         There's no strong need to run this test on that variant.
295
296         * stress/dfg-to-string-on-int-does-gc.js:
297         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
298
299 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
300
301         String overflow when using StringBuilder in JSC::createError
302         https://bugs.webkit.org/show_bug.cgi?id=194957
303
304         Reviewed by Mark Lam.
305
306         Add test string-overflow-createError-builder.js that overflows
307         StringBuilder in notAFunctionSourceAppender. The second new test
308         string-overflow-createError-fit.js has an error message that doesn't
309         overflow, it still failed since the String's capacity can't be doubled.
310         Run test string-overflow-createError.js only in the default
311         configuration to reduce memory consumption when running the test
312         in all configurations on multiple CPUs in parallel.
313
314         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
315         (catch):
316         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
317         (catch):
318         * stress/string-overflow-createError.js:
319
320 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
321
322         [JSC] OSR entry should respect abstract values in addition to flush formats
323         https://bugs.webkit.org/show_bug.cgi?id=195653
324
325         Reviewed by Mark Lam.
326
327         * stress/osr-entry-locals-none.js: Added.
328
329 2019-03-12  Michael Saboff  <msaboff@apple.com>
330
331         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
332         https://bugs.webkit.org/show_bug.cgi?id=195613
333
334         Reviewed by Mark Lam.
335
336         New regression test.
337
338         * stress/regexp-backref-inbounds.js: Added.
339         (testRegExp):
340
341 2019-03-12  Mark Lam  <mark.lam@apple.com>
342
343         The HasIndexedProperty node does GC.
344         https://bugs.webkit.org/show_bug.cgi?id=195559
345         <rdar://problem/48767923>
346
347         Reviewed by Yusuke Suzuki.
348
349         * stress/HasIndexedProperty-does-gc.js: Added.
350
351 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
352
353         [ESNext][BigInt] Implement "~" unary operation
354         https://bugs.webkit.org/show_bug.cgi?id=182216
355
356         Reviewed by Keith Miller.
357
358         * stress/big-int-bit-not-general.js: Added.
359         * stress/big-int-bitwise-not-jit.js: Added.
360         * stress/big-int-bitwise-not-wrapped-value.js: Added.
361         * stress/bit-op-with-object-returning-int32.js:
362         * stress/bitwise-not-fixup-rules.js: Added.
363         * stress/value-bit-not-ai-rule.js: Added.
364
365 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
366
367         Invalid flags in a RegExp literal should be an early SyntaxError
368         https://bugs.webkit.org/show_bug.cgi?id=195514
369
370         Reviewed by Darin Adler.
371
372         * test262/expectations.yaml:
373         Mark 4 test cases as passing.
374
375         * stress/regexp-syntax-error-invalid-flags.js:
376         * stress/regress-161995.js: Removed.
377         Update existing test, merging in an older test for the same behavior.
378
379 2019-03-08  Mark Lam  <mark.lam@apple.com>
380
381         Stack overflow crash in JSC::JSObject::hasInstance.
382         https://bugs.webkit.org/show_bug.cgi?id=195458
383         <rdar://problem/48710195>
384
385         Reviewed by Yusuke Suzuki.
386
387         * stress/stack-overflow-in-custom-hasInstance.js: Added.
388
389 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
390
391         op_check_tdz does not def its argument
392         https://bugs.webkit.org/show_bug.cgi?id=192880
393         <rdar://problem/46221598>
394
395         Reviewed by Saam Barati.
396
397         * microbenchmarks/let-for-in.js: Added.
398         (foo):
399
400 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
401
402         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
403         https://bugs.webkit.org/show_bug.cgi?id=195429
404
405         Reviewed by Saam Barati.
406
407         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
408         (foo):
409         * stress/string-from-char-code-255.js: Added.
410
411 2019-03-06  Mark Lam  <mark.lam@apple.com>
412
413         Fix incorrect handling of try-finally completion values.
414         https://bugs.webkit.org/show_bug.cgi?id=195131
415         <rdar://problem/46222079>
416
417         Reviewed by Saam Barati and Yusuke Suzuki.
418
419         Added many permutations of new test case to test-finally.js.  test-finally.js has
420         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
421         tests pass there as well.
422
423         * stress/test-finally.js:
424
425 2019-03-06  Saam Barati  <sbarati@apple.com>
426
427         Air::reportUsedRegisters must padInterference
428         https://bugs.webkit.org/show_bug.cgi?id=195303
429         <rdar://problem/48270343>
430
431         Reviewed by Keith Miller.
432
433         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
434
435 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
436
437         [JSC] AI should not propagate AbstractValue relying on constant folding phase
438         https://bugs.webkit.org/show_bug.cgi?id=195375
439
440         Reviewed by Saam Barati.
441
442         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
443         (let.array):
444
445 2019-03-05  Saam Barati  <sbarati@apple.com>
446
447         op_switch_char broken for rope strings after JSRopeString layout rewrite
448         https://bugs.webkit.org/show_bug.cgi?id=195339
449         <rdar://problem/48592545>
450
451         Reviewed by Yusuke Suzuki.
452
453         * stress/switch-on-char-llint-rope.js: Added.
454
455 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
456
457         [JSC] Store bits for JSRopeString in 3 stores
458         https://bugs.webkit.org/show_bug.cgi?id=195234
459
460         Reviewed by Saam Barati.
461
462         * stress/null-rope-and-collectors.js: Added.
463
464 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
465
466         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
467         https://bugs.webkit.org/show_bug.cgi?id=195207
468
469         Unreviewed. After test runtime was reduced in r242213, test can be
470         run again on ARM/MIPS.
471
472         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
473
474 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
475
476         [JSC] sizeof(JSString) should be 16
477         https://bugs.webkit.org/show_bug.cgi?id=194375
478
479         Reviewed by Saam Barati.
480
481         * microbenchmarks/make-rope.js: Added.
482         (makeRope):
483         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
484         (returnRope.helper): Deleted.
485         (returnRope): Deleted.
486
487 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
488
489         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
490         https://bugs.webkit.org/show_bug.cgi?id=195144
491
492         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
493         Change the number from 1e8 to 1e5.
494
495         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
496         (foo):
497
498 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
499
500         Test times out on ARM/MIPS
501         https://bugs.webkit.org/show_bug.cgi?id=195168
502
503         Unreviewed. Skip test on ARM/MIPS.
504
505         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
506
507 2019-02-27  Mark Lam  <mark.lam@apple.com>
508
509         The parser is failing to record the token location of new in new.target.
510         https://bugs.webkit.org/show_bug.cgi?id=195127
511         <rdar://problem/39645578>
512
513         Reviewed by Yusuke Suzuki.
514
515         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
516
517 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
518
519         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
520         https://bugs.webkit.org/show_bug.cgi?id=195144
521         <rdar://problem/47595961>
522
523         Reviewed by Mark Lam.
524
525         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
526         (bar):
527         (foo):
528         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
529         (bar):
530         (foo):
531
532 2019-02-27  Robin Morisset  <rmorisset@apple.com>
533
534         DFG: Loop-invariant code motion (LICM) should not hoist dead code
535         https://bugs.webkit.org/show_bug.cgi?id=194945
536         <rdar://problem/48311657>
537
538         Reviewed by Mark Lam.
539
540         * stress/licm-dead-code.js: Added.
541
542 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
543
544         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
545         https://bugs.webkit.org/show_bug.cgi?id=194677
546         <rdar://problem/48112492>
547
548         Reviewed by Mark Lam.
549
550         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
551         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
552         it immediately fails due to the large size.
553
554         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
555         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
556         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
557         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
558
559         This patch changes the test to produce 16bit string from String.fromCharCode.
560
561         * stress/regress-178386.js:
562
563 2019-02-26  Mark Lam  <mark.lam@apple.com>
564
565         wasmToJS() should purify incoming NaNs.
566         https://bugs.webkit.org/show_bug.cgi?id=194807
567         <rdar://problem/48189132>
568
569         Reviewed by Saam Barati.
570
571         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
572
573 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
574
575         [JSC] Repeat string created from Array.prototype.join() take too much memory
576         https://bugs.webkit.org/show_bug.cgi?id=193912
577
578         Reviewed by Saam Barati.
579
580         Added a test and a microbenchmark for corner cases of
581         Array.prototype.join() with an uninitialized array.
582
583         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
584         * stress/array-prototype-join-uninitialized.js: Added.
585         (testArray):
586         (testABC):
587         (B):
588         (C):
589
590 2019-02-22  Robin Morisset  <rmorisset@apple.com>
591
592         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
593         https://bugs.webkit.org/show_bug.cgi?id=194953
594         <rdar://problem/47595253>
595
596         Reviewed by Saam Barati.
597
598         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
599
600         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
601
602 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
603
604         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
605         https://bugs.webkit.org/show_bug.cgi?id=172848
606         <rdar://problem/25709212>
607
608         Reviewed by Mark Lam.
609
610         * typeProfiler/inheritance.js:
611         Rewrite the test slightly for clarity. The hoisting was confusing.
612
613         * heapProfiler/class-names.js: Added.
614         (MyES5Class):
615         (MyES6Class):
616         (MyES6Subclass):
617         Test object types and improved class names.
618
619         * heapProfiler/driver/driver.js:
620         (CheapHeapSnapshotNode):
621         (CheapHeapSnapshot):
622         (createCheapHeapSnapshot):
623         (HeapSnapshot):
624         (createHeapSnapshot):
625         Update snapshot parsing from version 1 to version 2.
626
627 2019-02-19  Truitt Savell  <tsavell@apple.com>
628
629         Unreviewed, rolling out r241784.
630
631         Broke all OpenSource builds.
632
633         Reverted changeset:
634
635         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
636         instances view"
637         https://bugs.webkit.org/show_bug.cgi?id=172848
638         https://trac.webkit.org/changeset/241784
639
640 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
641
642         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
643         https://bugs.webkit.org/show_bug.cgi?id=172848
644         <rdar://problem/25709212>
645
646         Reviewed by Mark Lam.
647
648         * typeProfiler/inheritance.js:
649         Rewrite the test slightly for clarity. The hoisting was confusing.
650
651         * heapProfiler/class-names.js: Added.
652         (MyES5Class):
653         (MyES6Class):
654         (MyES6Subclass):
655         Test object types and improved class names.
656
657         * heapProfiler/driver/driver.js:
658         (CheapHeapSnapshotNode):
659         (CheapHeapSnapshot):
660         (createCheapHeapSnapshot):
661         (HeapSnapshot):
662         (createHeapSnapshot):
663         Update snapshot parsing from version 1 to version 2.
664
665 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
666
667         [ARM] Fix crash with sampling profiler
668         https://bugs.webkit.org/show_bug.cgi?id=194772
669
670         Reviewed by Mark Lam.
671
672         Do not skip test since crash with sampling profiler is now fixed.
673
674         * stress/sampling-profiler-richards.js:
675
676 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
677
678         [JSC] Add LazyClassStructure::getInitializedOnMainThread
679         https://bugs.webkit.org/show_bug.cgi?id=194784
680         <rdar://problem/48154820>
681
682         Reviewed by Mark Lam.
683
684         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
685         (getProperties):
686         (getRandomProperty):
687         (i.catch):
688
689 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
690
691         [ARM] Test gardening: Test running out of executable memory
692         https://bugs.webkit.org/show_bug.cgi?id=194771
693
694         Unreviewed. Do not run test without LLInt, test is running out of executable
695         memory on ARM otherwise.
696
697         * stress/tagged-template-object-collect.js:
698
699 2019-02-18  Tomas Popela  <tpopela@redhat.com>
700
701         Unreviewed, skip the test on platforms without sampling profiler
702
703         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
704         (platformSupportsSamplingProfiler.foo):
705         (platformSupportsSamplingProfiler.test):
706         (platformSupportsSamplingProfiler):
707         (foo): Deleted.
708         (test): Deleted.
709
710 2019-02-17  Saam Barati  <sbarati@apple.com>
711
712         Deadlock when adding a Structure property transition and then doing incremental marking
713         https://bugs.webkit.org/show_bug.cgi?id=194767
714
715         Reviewed by Mark Lam.
716
717         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
718
719 2019-02-15  Michael Saboff  <msaboff@apple.com>
720
721         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
722         https://bugs.webkit.org/show_bug.cgi?id=194558
723
724         Reviewed by Saam Barati.
725
726         New regression test.
727
728         * stress/regexp-unicode-within-string.js: Added.
729
730 2019-02-15  Mark Lam  <mark.lam@apple.com>
731
732         SamplingProfiler::stackTracesAsJSON() should escape strings.
733         https://bugs.webkit.org/show_bug.cgi?id=194649
734         <rdar://problem/48072386>
735
736         Reviewed by Saam Barati.
737
738         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
739         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
740         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
741         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
742
743 2019-02-15  Robin Morisset  <rmorisset@apple.com>
744         CodeBlock::jettison should clear related watchpoints
745         https://bugs.webkit.org/show_bug.cgi?id=194544
746
747         Reviewed by Mark Lam.
748
749         * stress/regexp-replace-double-watchpoint.js: Added.
750         (foo):
751
752 2019-02-15  Saam Barati  <sbarati@apple.com>
753
754         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
755         https://bugs.webkit.org/show_bug.cgi?id=194036
756
757         Reviewed by Yusuke Suzuki.
758
759         * stress/tail-call-many-arguments.js: Added.
760         (foo):
761         (bar):
762
763 2019-02-14  Saam Barati  <sbarati@apple.com>
764
765         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
766         https://bugs.webkit.org/show_bug.cgi?id=194583
767         <rdar://problem/48028140>
768
769         Reviewed by Yusuke Suzuki.
770
771         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
772
773 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
774
775         [JSC] String.fromCharCode's slow path always generates 16bit string
776         https://bugs.webkit.org/show_bug.cgi?id=194466
777
778         Reviewed by Keith Miller.
779
780         * stress/string-from-char-code-slow-path.js: Added.
781         (shouldBe):
782         (testWithLength):
783
784 2019-02-08  Saam Barati  <sbarati@apple.com>
785
786         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
787         https://bugs.webkit.org/show_bug.cgi?id=194334
788         <rdar://problem/47844327>
789
790         Reviewed by Mark Lam.
791
792         * stress/check-in-bounds-should-be-a-child-use.js: Added.
793         (func):
794
795 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
796
797         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
798         https://bugs.webkit.org/show_bug.cgi?id=194369
799         <rdar://problem/47813087>
800
801         Reviewed by Saam Barati.
802
803         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
804         (A):
805
806 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
807
808         [JSC] PrivateName to PublicName hash table is wasteful
809         https://bugs.webkit.org/show_bug.cgi?id=194277
810
811         Reviewed by Michael Saboff.
812
813         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
814
815         * ChakraCore.yaml:
816
817 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
818
819         [ARM] Test running out of executable memory
820         https://bugs.webkit.org/show_bug.cgi?id=194285
821
822         Unreviewed. Do not execute test with LLInt disabled, test runs out of
823         executable memory otherwise.
824
825         * stress/class-subclassing-function.js:
826
827 2019-02-04  Robin Morisset  <rmorisset@apple.com>
828
829         when lowering AssertNotEmpty, create the value before creating the patchpoint
830         https://bugs.webkit.org/show_bug.cgi?id=194231
831
832         Reviewed by Saam Barati.
833
834         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
835         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
836         So even tiny changes to this test can change the path code taken.
837
838         * stress/assert-not-empty.js: Added.
839         (foo):
840
841 2019-02-01  Mark Lam  <mark.lam@apple.com>
842
843         Remove invalid assertion in DFG's compileDoubleRep().
844         https://bugs.webkit.org/show_bug.cgi?id=194130
845         <rdar://problem/47699474>
846
847         Reviewed by Saam Barati.
848
849         * stress/constant-fold-double-rep-into-double-constant.js: Added.
850
851 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
852
853         Import latest Test262 updates.
854
855         Rubber-stamped by Keith Miller.
856
857         * test262.yaml: Deleted.
858         * test262/config.yaml:
859         * test262/expectations.yaml:
860         * test262/latest-changes-summary.txt:
861         * test262/test/:
862         * test262/test262-Revision.txt:
863
864 2019-01-30  Robin Morisset  <rmorisset@apple.com>
865
866         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
867         https://bugs.webkit.org/show_bug.cgi?id=194050
868         <rdar://problem/47595592>
869
870         Reviewed by Yusuke Suzuki.
871
872         * stress/object-keys-osr-exit.js: Added.
873         (foo):
874         (catch):
875
876 2019-01-29  Mark Lam  <mark.lam@apple.com>
877
878         ValueRecovery::recover() should purify NaN values it recovers.
879         https://bugs.webkit.org/show_bug.cgi?id=193978
880         <rdar://problem/47625488>
881
882         Reviewed by Saam Barati.
883
884         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
885
886 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
887
888         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
889         https://bugs.webkit.org/show_bug.cgi?id=193713
890
891         * stress/try-get-by-id-should-spill-registers-dfg.js:
892         (let.f.createBuiltin):
893
894 2019-01-28  Mark Lam  <mark.lam@apple.com>
895
896         ToString node actually does GC.
897         https://bugs.webkit.org/show_bug.cgi?id=193920
898         <rdar://problem/46695900>
899
900         Reviewed by Yusuke Suzuki.
901
902         * stress/dfg-to-string-on-int-does-gc.js: Added.
903         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
904         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
905
906 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
907
908         [JSC] NativeErrorConstructor should not have own IsoSubspace
909         https://bugs.webkit.org/show_bug.cgi?id=193713
910
911         Reviewed by Saam Barati.
912
913         Remove @Error use.
914
915         * stress/try-get-by-id-should-spill-registers-dfg.js:
916         (let.f.createBuiltin):
917
918 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
919
920         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
921         https://bugs.webkit.org/show_bug.cgi?id=190693
922
923         Reviewed by Michael Saboff.
924
925         * stress/regress-190693.js: Added.
926         (truth):
927         (assert):
928         (shouldThrowInvalidConstAssignment):
929         (taz):
930
931 2019-01-24  Saam Barati  <sbarati@apple.com>
932
933         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
934         https://bugs.webkit.org/show_bug.cgi?id=193751
935         <rdar://problem/47280215>
936
937         Reviewed by Michael Saboff.
938
939         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
940         (let.thing):
941         (foo.let.hello):
942         (foo):
943
944 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
945
946         [JSC] Reenable baseline JIT on mips
947         https://bugs.webkit.org/show_bug.cgi?id=192983
948
949         Reviewed by Mark Lam.
950
951         Added a new test for a case that was triggering a RELEASE_ASSERT when
952         testing.
953         Disable some slow tests that were already disabled for arm and x86.
954
955         * stress/json-parse-big-object.js: Added.
956         * stress/new-largeish-contiguous-array-with-size.js:
957         * stress/op_add.js:
958         * stress/op_bitand.js:
959         * stress/op_bitor.js:
960         * stress/op_bitxor.js:
961         * stress/op_lshift-ConstVar.js:
962         * stress/op_lshift-VarConst.js:
963         * stress/op_lshift-VarVar.js:
964         * stress/op_mod-ConstVar.js:
965         * stress/op_mod-VarConst.js:
966         * stress/op_mod-VarVar.js:
967         * stress/op_mul-ConstVar.js:
968         * stress/op_mul-VarConst.js:
969         * stress/op_mul-VarVar.js:
970         * stress/op_rshift-ConstVar.js:
971         * stress/op_rshift-VarConst.js:
972         * stress/op_rshift-VarVar.js:
973         * stress/op_sub-ConstVar.js:
974         * stress/op_sub-VarConst.js:
975         * stress/op_sub-VarVar.js:
976         * stress/op_urshift-ConstVar.js:
977         * stress/op_urshift-VarConst.js:
978         * stress/op_urshift-VarVar.js:
979         * stress/sampling-profiler-richards.js:
980         * stress/spread-forward-call-varargs-stack-overflow.js:
981
982 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
983
984         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
985         https://bugs.webkit.org/show_bug.cgi?id=193711
986         <rdar://problem/47250262>
987
988         Reviewed by Saam Barati.
989
990         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
991         (shouldBe):
992         (foo):
993         (bar):
994         (baz):
995
996 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
997
998         Unreviewed, fix initial global lexical binding epoch
999         https://bugs.webkit.org/show_bug.cgi?id=193603
1000         <rdar://problem/47380869>
1001
1002         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1003         (f1.f2.f3.f4):
1004         (f1.f2.f3):
1005         (f1.f2):
1006         (f1):
1007
1008 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1009
1010         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1011         https://bugs.webkit.org/show_bug.cgi?id=193709
1012         <rdar://problem/47363838>
1013
1014         Unreviewed, rollout to watch the tests.
1015
1016         * stress/object-tostring-changed-proto.js: Removed.
1017         * stress/object-tostring-changed.js: Removed.
1018         * stress/object-tostring-misc.js: Removed.
1019         * stress/object-tostring-other.js: Removed.
1020         * stress/object-tostring-untyped.js: Removed.
1021
1022 2019-01-22  Saam Barati  <sbarati@apple.com>
1023
1024         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1025
1026         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1027         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1028         (testUncheckedLessThanZero):
1029         (testUncheckedLessThanOrEqualZero):
1030         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1031         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1032
1033 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1034
1035         [JSC] Invalidate old scope operations using global lexical binding epoch
1036         https://bugs.webkit.org/show_bug.cgi?id=193603
1037         <rdar://problem/47380869>
1038
1039         Reviewed by Saam Barati.
1040
1041         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1042         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1043         (shouldThrow):
1044         (bar):
1045         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1046         (shouldBe):
1047         (get1):
1048         (get2):
1049         (get1If):
1050         (get2If):
1051         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1052         (shouldThrow):
1053         (foo):
1054
1055 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1056
1057         Unreviewed, roll out r240220 due to date-format-xparb regression
1058         https://bugs.webkit.org/show_bug.cgi?id=193603
1059
1060         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1061         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1062         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1063         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1064
1065 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1066
1067         DoesGC rule is wrong for nodes with BigIntUse
1068         https://bugs.webkit.org/show_bug.cgi?id=193652
1069
1070         Reviewed by Saam Barati.
1071
1072         * stress/big-int-value-op-update-gc-rules.js: Added.
1073         (assert):
1074         (doesGCAdd):
1075         (doesGCSub):
1076         (doesGCDiv):
1077         (doesGCMul):
1078         (doesGCBitAnd):
1079         (doesGCBitOr):
1080         (doesGCBitXor):
1081
1082 2019-01-20  Saam Barati  <sbarati@apple.com>
1083
1084         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1085         https://bugs.webkit.org/show_bug.cgi?id=193644
1086         <rdar://problem/46209745>
1087
1088         Reviewed by Yusuke Suzuki.
1089
1090         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1091         (foo):
1092         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1093         (foo):
1094         (bar):
1095
1096 2019-01-20  Saam Barati  <sbarati@apple.com>
1097
1098         MovHint must merge NodeBytecodeUsesAsValue for its child
1099         https://bugs.webkit.org/show_bug.cgi?id=186916
1100         <rdar://problem/41396612>
1101
1102         Reviewed by Yusuke Suzuki.
1103
1104         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1105         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1106
1107 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1108
1109         [JSC] Invalidate old scope operations using global lexical binding epoch
1110         https://bugs.webkit.org/show_bug.cgi?id=193603
1111         <rdar://problem/47380869>
1112
1113         Reviewed by Saam Barati.
1114
1115         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1116         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1117         (shouldThrow):
1118         (bar):
1119         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1120         (shouldBe):
1121         (get1):
1122         (get2):
1123         (get1If):
1124         (get2If):
1125         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1126         (shouldThrow):
1127         (foo):
1128
1129 2019-01-17  Saam barati  <sbarati@apple.com>
1130
1131         StringObjectUse should not be a structure check for the original string object structure
1132         https://bugs.webkit.org/show_bug.cgi?id=193483
1133         <rdar://problem/47280522>
1134
1135         Reviewed by Yusuke Suzuki.
1136
1137         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1138         (foo):
1139         (a.valueOf.0):
1140
1141 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1142
1143         [JSC] ToThis omission in DFGByteCodeParser is wrong
1144         https://bugs.webkit.org/show_bug.cgi?id=193513
1145         <rdar://problem/45842236>
1146
1147         Reviewed by Saam Barati.
1148
1149         * stress/to-this-omission-with-different-strict-modes.js: Added.
1150         (thisA):
1151         (thisAStrictWrapper):
1152
1153 2019-01-15  Mark Lam  <mark.lam@apple.com>
1154
1155         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1156         https://bugs.webkit.org/show_bug.cgi?id=193423
1157         <rdar://problem/46209355>
1158
1159         Reviewed by Saam Barati.
1160
1161         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1162         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1163         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1164         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1165
1166 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1167
1168         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1169         https://bugs.webkit.org/show_bug.cgi?id=193438
1170         <rdar://problem/45581249>
1171
1172         Reviewed by Saam Barati and Keith Miller.
1173
1174         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1175         Then, GetByVal(String) crashed.
1176
1177         * stress/string-get-by-val-lowering.js: Added.
1178         (shouldBe):
1179         (test):
1180         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1181         (Hello):
1182         (foo):
1183
1184 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1185
1186         Unreviewed, skip JIT tests if it's not enabled
1187
1188         * stress/bit-op-with-object-returning-int32.js:
1189
1190 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1191
1192         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1193         https://bugs.webkit.org/show_bug.cgi?id=192966
1194
1195         Reviewed by Yusuke Suzuki.
1196
1197         * stress/bit-op-with-object-returning-int32.js: Added.
1198
1199 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1200
1201         Skip a slow test and a flakey test on arm
1202
1203         Unreviewed gardening.
1204
1205         * typeProfiler/getter-richards.js:
1206         this test always times out, it used to be always skipped on arm and
1207         mips, but got accidentally enabled by r237919 now that we have DFG on
1208         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1209
1210 2019-01-14  Keith Miller  <keith_miller@apple.com>
1211
1212         Skip type-check-hoisting-phase-hoist... with no jit
1213         https://bugs.webkit.org/show_bug.cgi?id=193421
1214
1215         Reviewed by Mark Lam.
1216
1217         It's timing out the 32-bit bots and takes 330 seconds
1218         on my machine when run by itself.
1219
1220         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1221
1222 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1223
1224         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1225         https://bugs.webkit.org/show_bug.cgi?id=193413
1226         <rdar://problem/46092389>
1227
1228         Reviewed by Keith Miller.
1229
1230         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1231         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1232         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1233         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1234
1235         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1236         (compareArray):
1237
1238 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1239
1240         [BigInt] Literal parsing is crashing when used inside a Object Literal
1241         https://bugs.webkit.org/show_bug.cgi?id=193404
1242
1243         Reviewed by Yusuke Suzuki.
1244
1245         * stress/big-int-literal-inside-literal-object.js: Added.
1246
1247 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1248
1249         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1250         https://bugs.webkit.org/show_bug.cgi?id=193372
1251
1252         Reviewed by Saam Barati.
1253
1254         * stress/typed-array-array-modes-profile.js: Added.
1255         (foo):
1256
1257 2019-01-14  Mark Lam  <mark.lam@apple.com>
1258
1259         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1260         https://bugs.webkit.org/show_bug.cgi?id=193402
1261         <rdar://problem/46012309>
1262
1263         Reviewed by Keith Miller.
1264
1265         * stress/regexp-compile-oom.js:
1266         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1267           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1268
1269 2019-01-11  Saam barati  <sbarati@apple.com>
1270
1271         DFG combined liveness can be wrong for terminal basic blocks
1272         https://bugs.webkit.org/show_bug.cgi?id=193304
1273         <rdar://problem/45268632>
1274
1275         Reviewed by Yusuke Suzuki.
1276
1277         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1278
1279 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1280
1281         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1282         https://bugs.webkit.org/show_bug.cgi?id=193308
1283         <rdar://problem/45546542>
1284
1285         Reviewed by Saam Barati.
1286
1287         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1288         (shouldThrow):
1289         (shouldBe):
1290         (foo):
1291         (get shouldThrow):
1292         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1293         (shouldThrow):
1294         (shouldBe):
1295         (foo):
1296         (get shouldBe):
1297         (get shouldThrow):
1298         (get return):
1299         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1300         (shouldThrow):
1301         (shouldBe):
1302         (foo):
1303         (get shouldBe):
1304         (get shouldThrow):
1305         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1306         (shouldThrow):
1307         (shouldBe):
1308         (foo):
1309         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1310         (shouldThrow):
1311         (shouldBe):
1312         (foo):
1313         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1314         (shouldThrow):
1315         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1316         (shouldThrow):
1317         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1318         (shouldThrow):
1319         (shouldBe):
1320         (foo):
1321         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1322         (shouldThrow):
1323         (shouldBe):
1324         (foo):
1325         (get shouldBe):
1326         (get shouldThrow):
1327         (get return):
1328         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1329         (shouldThrow):
1330         (shouldBe):
1331         (foo):
1332         (get shouldBe):
1333         (get shouldThrow):
1334         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1335         (shouldThrow):
1336         (shouldBe):
1337         (foo):
1338         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1339         (shouldThrow):
1340         (shouldBe):
1341         (foo):
1342
1343 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1344
1345         Enable DFG on ARM/Linux again
1346         https://bugs.webkit.org/show_bug.cgi?id=192496
1347
1348         Reviewed by Yusuke Suzuki.
1349
1350         Test wasn't really skipped before moving the line with skip
1351         to the top.
1352
1353         * stress/regress-192717.js:
1354
1355 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1356
1357         Unreviewed, rolling out r239825.
1358         https://bugs.webkit.org/show_bug.cgi?id=193330
1359
1360         Broke tests on armv7/linux bots (Requested by guijemont on
1361         #webkit).
1362
1363         Reverted changeset:
1364
1365         "Enable DFG on ARM/Linux again"
1366         https://bugs.webkit.org/show_bug.cgi?id=192496
1367         https://trac.webkit.org/changeset/239825
1368
1369 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1370
1371         Enable DFG on ARM/Linux again
1372         https://bugs.webkit.org/show_bug.cgi?id=192496
1373
1374         Reviewed by Yusuke Suzuki.
1375
1376         Test wasn't really skipped before moving the line with skip
1377         to the top.
1378
1379         * stress/regress-192717.js:
1380
1381 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1382
1383         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1384         https://bugs.webkit.org/show_bug.cgi?id=193127
1385
1386         Reviewed by Saam Barati.
1387
1388         * stress/array-species-create-should-handle-masquerader.js: Added.
1389         (shouldThrow):
1390         * stress/is-undefined-or-null-builtin.js: Added.
1391         (shouldBe):
1392         (isUndefinedOrNull.vm.createBuiltin):
1393
1394 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1395
1396         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1397         https://bugs.webkit.org/show_bug.cgi?id=193221
1398
1399         Reviewed by Mark Lam.
1400
1401         * stress/put-by-id-flags.js: Added.
1402         (f):
1403         (g):
1404         (numberOfDFGCompiles):
1405
1406 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1407
1408         Baseline version of get_by_id may corrupt metadata
1409         https://bugs.webkit.org/show_bug.cgi?id=193085
1410         <rdar://problem/23453006>
1411
1412         Reviewed by Saam Barati.
1413
1414         * stress/get-by-id-change-mode.js: Added.
1415         (forEach):
1416
1417 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1418
1419         [JSC] Optimize Object.prototype.toString
1420         https://bugs.webkit.org/show_bug.cgi?id=193031
1421
1422         Reviewed by Saam Barati.
1423
1424         * stress/object-tostring-changed-proto.js: Added.
1425         (shouldBe):
1426         (test):
1427         * stress/object-tostring-changed.js: Added.
1428         (shouldBe):
1429         (test):
1430         * stress/object-tostring-misc.js: Added.
1431         (shouldBe):
1432         (test):
1433         (i.switch):
1434         * stress/object-tostring-other.js: Added.
1435         (shouldBe):
1436         (test):
1437         * stress/object-tostring-untyped.js: Added.
1438         (shouldBe):
1439         (test):
1440         (i.switch):
1441
1442 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1443
1444         test262-runner misbehaves when test file YAML has a trailing space
1445         https://bugs.webkit.org/show_bug.cgi?id=193053
1446
1447         Reviewed by Yusuke Suzuki.
1448
1449         * test262/expectations.yaml:
1450         Mark two dozen tests as passing (and correct the output of another).
1451
1452 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1453
1454         Unreviewed, JSTests gardening with memoryLimited
1455
1456         * stress/string-overflow-createError.js:
1457
1458 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1459
1460         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1461         https://bugs.webkit.org/show_bug.cgi?id=193050
1462
1463         Reviewed by Yusuke Suzuki.
1464
1465         * test262.yaml:
1466         * test262/expectations.yaml:
1467         Mark 16 tests as passing.
1468
1469 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1470
1471         [BigInt] Support BigInt in JSON.stringify
1472         https://bugs.webkit.org/show_bug.cgi?id=192624
1473
1474         Reviewed by Saam Barati.
1475
1476         * stress/big-int-json-stringify-to-json.js: Added.
1477         (shouldBe):
1478         (shouldThrow):
1479         (BigInt.prototype.toJSON):
1480         (shouldBe.JSON.stringify):
1481         * stress/big-int-json-stringify.js: Added.
1482         (shouldBe):
1483         (shouldThrow):
1484
1485 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1486
1487         [JSC] Implement "well-formed JSON.stringify" proposal
1488         https://bugs.webkit.org/show_bug.cgi?id=191677
1489
1490         Reviewed by Darin Adler.
1491
1492         * stress/json-surrogate-pair.js: Added.
1493         (shouldBe):
1494         * test262/expectations.yaml:
1495
1496 2018-12-20  Keith Miller  <keith_miller@apple.com>
1497
1498         Add support for globalThis
1499         https://bugs.webkit.org/show_bug.cgi?id=165171
1500
1501         Reviewed by Mark Lam.
1502
1503         * test262/config.yaml:
1504
1505 2018-12-19  Keith Miller  <keith_miller@apple.com>
1506
1507         Update test262 configuration to not run tests dependent on ICU version.
1508         https://bugs.webkit.org/show_bug.cgi?id=192920
1509
1510         Reviewed by Saam Barati.
1511
1512         * test262/expectations.yaml:
1513
1514 2018-12-20  Mark Lam  <mark.lam@apple.com>
1515
1516         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1517         https://bugs.webkit.org/show_bug.cgi?id=192939
1518         <rdar://problem/46869516>
1519
1520         Reviewed by Keith Miller.
1521
1522         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1523
1524 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1525
1526         WTF::String and StringImpl overflow MaxLength
1527         https://bugs.webkit.org/show_bug.cgi?id=192853
1528         <rdar://problem/45726906>
1529
1530         Reviewed by Mark Lam.
1531
1532         * stress/string-16bit-repeat-overflow.js: Added.
1533         (catch):
1534
1535 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1536
1537         Unreviewed follow-up to r192914.
1538
1539         * test262/expectations.yaml:
1540         Add the last 20 missing expectations.
1541
1542 2018-12-19  Keith Miller  <keith_miller@apple.com>
1543
1544         Fix test262 expectations
1545         https://bugs.webkit.org/show_bug.cgi?id=192914
1546
1547         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1548
1549         * test262/expectations.yaml:
1550
1551 2018-12-19  Keith Miller  <keith_miller@apple.com>
1552
1553         Update test262 tests.
1554         https://bugs.webkit.org/show_bug.cgi?id=192907
1555
1556         Rubber stamped by Mark Lam.
1557
1558         * test262/*: Omitted because prepare-changelog crashes.
1559
1560 2018-12-19  Mark Lam  <mark.lam@apple.com>
1561
1562         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1563         https://bugs.webkit.org/show_bug.cgi?id=192464
1564         <rdar://problem/46519455>
1565
1566         Reviewed by Saam Barati.
1567
1568         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1569         microbenchmark.
1570
1571         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1572         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1573
1574 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1575
1576         String overflow in JSC::createError results in ASSERT in WTF::makeString
1577         https://bugs.webkit.org/show_bug.cgi?id=192833
1578         <rdar://problem/45706868>
1579
1580         Reviewed by Mark Lam.
1581
1582         * stress/string-overflow-createError.js: Added.
1583
1584 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1585
1586         Error message for `-x ** y` contains a typo.
1587         https://bugs.webkit.org/show_bug.cgi?id=192832
1588
1589         Reviewed by Saam Barati.
1590
1591         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1592         (assert.assert.return.throws):
1593         * stress/pow-expects-update-expression-on-lhs.js:
1594         (throw.new.Error):
1595         Update test expectations which match against the exact error message.
1596
1597 2018-12-18  Mark Lam  <mark.lam@apple.com>
1598
1599         Gardening: test options fix.
1600         https://bugs.webkit.org/show_bug.cgi?id=192822
1601
1602         Unreviewed.
1603
1604         * stress/json-stringify-string-builder-overflow.js:
1605
1606 2018-12-18  Mark Lam  <mark.lam@apple.com>
1607
1608         JSON.stringify() should throw OOM on StringBuilder overflows.
1609         https://bugs.webkit.org/show_bug.cgi?id=192822
1610         <rdar://problem/46670577>
1611
1612         Reviewed by Saam Barati.
1613
1614         * stress/json-stringify-string-builder-overflow.js: Added.
1615
1616 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1617
1618         Redeclaration of var over let/const/class should be a syntax error.
1619         https://bugs.webkit.org/show_bug.cgi?id=192298
1620
1621         Reviewed by Keith Miller.
1622
1623         * test262.yaml:
1624         * test262/expectations.yaml:
1625         Mark 46 tests as passing.
1626
1627         * stress/block-scope-redeclarations.js:
1628         Add some new tests.
1629
1630         * stress/for-in-invalidate-context-weird-assignments.js:
1631         * stress/for-in-tests.js:
1632         Replace tests for outdated behavior with tests for SyntaxError.
1633
1634         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1635         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1636         Update expectations.
1637
1638 2018-12-18  Mark Lam  <mark.lam@apple.com>
1639
1640         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1641         https://bugs.webkit.org/show_bug.cgi?id=191374
1642         <rdar://problem/46525447>
1643
1644         Reviewed by Yusuke Suzuki.
1645
1646         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1647
1648         * stress/elidable-new-object-roflcopter-then-exit.js:
1649
1650 2018-12-17  Mark Lam  <mark.lam@apple.com>
1651
1652         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1653         https://bugs.webkit.org/show_bug.cgi?id=192019
1654         <rdar://problem/46525456>
1655
1656         Reviewed by Yusuke Suzuki.
1657
1658         The test runs too slow on 32-bit.
1659
1660         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1661
1662 2018-12-17  Mark Lam  <mark.lam@apple.com>
1663
1664         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1665         https://bugs.webkit.org/show_bug.cgi?id=191373
1666         <rdar://problem/46525458>
1667
1668         Reviewed by Yusuke Suzuki.
1669
1670         The test is already slow running with a JIT on 64-bit.  It will always time out
1671         on 32-bit without a JIT.
1672
1673         * stress/materialize-regexp-cyclic-regexp.js:
1674
1675 2018-12-17  Mark Lam  <mark.lam@apple.com>
1676
1677         Array unshift/shift should not race against the AI in the compiler thread.
1678         https://bugs.webkit.org/show_bug.cgi?id=192795
1679         <rdar://problem/46724263>
1680
1681         Reviewed by Saam Barati.
1682
1683         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1684
1685 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1686
1687         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1688         https://bugs.webkit.org/show_bug.cgi?id=190047
1689
1690         Reviewed by Saam Barati.
1691
1692         * stress/object-keys-cached-zero.js: Added.
1693         (shouldBe):
1694         (test):
1695         * stress/object-keys-changed-attribute.js: Added.
1696         (shouldBe):
1697         (test):
1698         * stress/object-keys-changed-index.js: Added.
1699         (shouldBe):
1700         (test):
1701         * stress/object-keys-changed.js: Added.
1702         (shouldBe):
1703         (test):
1704         * stress/object-keys-indexed-non-cache.js: Added.
1705         (shouldBe):
1706         (test):
1707         * stress/object-keys-overrides-get-property-names.js: Added.
1708         (shouldBe):
1709         (test):
1710         (noInline):
1711
1712 2018-12-17  Mark Lam  <mark.lam@apple.com>
1713
1714         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1715         https://bugs.webkit.org/show_bug.cgi?id=192779
1716         <rdar://problem/46775869>
1717
1718         Reviewed by Saam Barati.
1719
1720         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1721
1722 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1723
1724         Unreviewed test gardening, address a syntax error in a new test.
1725
1726         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1727
1728 2018-12-17  Mark Lam  <mark.lam@apple.com>
1729
1730         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1731         https://bugs.webkit.org/show_bug.cgi?id=192776
1732         <rdar://problem/46772368>
1733
1734         Reviewed by Keith Miller.
1735
1736         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1737
1738 2018-12-17  Mark Lam  <mark.lam@apple.com>
1739
1740         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1741         https://bugs.webkit.org/show_bug.cgi?id=192770
1742         <rdar://problem/46449037>
1743
1744         Reviewed by Keith Miller.
1745
1746         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1747
1748 2018-12-14  Mark Lam  <mark.lam@apple.com>
1749
1750         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1751         https://bugs.webkit.org/show_bug.cgi?id=192717
1752         <rdar://problem/46660677>
1753
1754         Reviewed by Saam Barati.
1755
1756         * stress/regress-192717.js: Added.
1757
1758 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1759
1760         Unreviewed, rolling out r239153, r239154, and r239155.
1761         https://bugs.webkit.org/show_bug.cgi?id=192715
1762
1763         Caused flaky GC-related crashes seen with layout tests
1764         (Requested by ryanhaddad on #webkit).
1765
1766         Reverted changesets:
1767
1768         "[JSC] Optimize Object.keys by caching own keys results in
1769         StructureRareData"
1770         https://bugs.webkit.org/show_bug.cgi?id=190047
1771         https://trac.webkit.org/changeset/239153
1772
1773         "Unreviewed, build fix after r239153"
1774         https://bugs.webkit.org/show_bug.cgi?id=190047
1775         https://trac.webkit.org/changeset/239154
1776
1777         "Unreviewed, build fix after r239153, part 2"
1778         https://bugs.webkit.org/show_bug.cgi?id=190047
1779         https://trac.webkit.org/changeset/239155
1780
1781 2018-12-14  Keith Miller  <keith_miller@apple.com>
1782
1783         Callers of JSString::getIndex should check for OOM exceptions
1784         https://bugs.webkit.org/show_bug.cgi?id=192709
1785
1786         Reviewed by Mark Lam.
1787
1788         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1789
1790 2018-12-13  Mark Lam  <mark.lam@apple.com>
1791
1792         Add a missing exception check.
1793         https://bugs.webkit.org/show_bug.cgi?id=192626
1794         <rdar://problem/46662163>
1795
1796         Reviewed by Keith Miller.
1797
1798         * stress/regress-192626.js: Added.
1799
1800 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1801
1802         [BigInt] Add ValueDiv into DFG
1803         https://bugs.webkit.org/show_bug.cgi?id=186178
1804
1805         Reviewed by Yusuke Suzuki.
1806
1807         * stress/big-int-div-jit-osr.js: Added.
1808         * stress/big-int-div-jit-untyped.js: Added.
1809         * stress/value-div-fixup-int32-big-int.js: Added.
1810
1811 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1812
1813         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1814         https://bugs.webkit.org/show_bug.cgi?id=190047
1815
1816         Reviewed by Keith Miller.
1817
1818         * stress/object-keys-cached-zero.js: Added.
1819         (shouldBe):
1820         (test):
1821         * stress/object-keys-changed-attribute.js: Added.
1822         (shouldBe):
1823         (test):
1824         * stress/object-keys-changed-index.js: Added.
1825         (shouldBe):
1826         (test):
1827         * stress/object-keys-changed.js: Added.
1828         (shouldBe):
1829         (test):
1830         * stress/object-keys-indexed-non-cache.js: Added.
1831         (shouldBe):
1832         (test):
1833         * stress/object-keys-overrides-get-property-names.js: Added.
1834         (shouldBe):
1835         (test):
1836         (noInline):
1837
1838 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1839
1840         [DFG][FTL] Add NewSymbol
1841         https://bugs.webkit.org/show_bug.cgi?id=192620
1842
1843         Reviewed by Saam Barati.
1844
1845         * microbenchmarks/symbol-creation.js: Added.
1846         (test):
1847         * stress/symbol-description-identity.js: Added.
1848         (shouldBe):
1849         (test):
1850         * stress/symbol-identity.js: Added.
1851         (shouldBe):
1852         (test):
1853         * stress/symbol-with-description-throw-error.js: Added.
1854         (shouldBe):
1855         (shouldThrow):
1856         (test):
1857         (object.toString):
1858
1859 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1860
1861         [BigInt] Implement DFG/FTL typeof for BigInt
1862         https://bugs.webkit.org/show_bug.cgi?id=192619
1863
1864         Reviewed by Keith Miller.
1865
1866         * stress/big-int-boolean-proven-type.js: Added.
1867         (assert):
1868         (bool):
1869         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1870         (assert):
1871         (typeOf):
1872         (i.switch):
1873         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1874         (assert):
1875         (typeOf):
1876         * stress/big-int-type-of.js:
1877         (typeOf):
1878         (func):
1879
1880 2018-12-10  Mark Lam  <mark.lam@apple.com>
1881
1882         PropertyAttribute needs a CustomValue bit.
1883         https://bugs.webkit.org/show_bug.cgi?id=191993
1884         <rdar://problem/46264467>
1885
1886         Reviewed by Saam Barati.
1887
1888         * stress/regress-191993.js: Added.
1889
1890 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1891
1892         [BigInt] Add ValueMul into DFG
1893         https://bugs.webkit.org/show_bug.cgi?id=186175
1894
1895         Reviewed by Yusuke Suzuki.
1896
1897         * stress/big-int-mul-jit-osr.js: Added.
1898         * stress/big-int-mul-jit-untyped.js: Added.
1899         * stress/value-mul-fixup-int32-big-int.js: Added.
1900
1901 2018-12-06  Keith Miller  <keith_miller@apple.com>
1902
1903         stress/big-wasm-memory tests failing on 32-bit JSC bot
1904         https://bugs.webkit.org/show_bug.cgi?id=192020
1905
1906         Reviewed by Saam Barati.
1907
1908         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1909         the wasm stress tests if the WebAssembly object does not exist.
1910
1911         * stress/big-wasm-memory-grow-no-max.js:
1912         (test.foo):
1913         (test):
1914         (foo): Deleted.
1915         (catch): Deleted.
1916         * stress/big-wasm-memory-grow.js:
1917         (test.foo):
1918         (test):
1919         (foo): Deleted.
1920         (catch): Deleted.
1921         * stress/big-wasm-memory.js:
1922         (test.foo):
1923         (test):
1924         (foo): Deleted.
1925         (catch): Deleted.
1926
1927 2018-12-05  Mark Lam  <mark.lam@apple.com>
1928
1929         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1930         https://bugs.webkit.org/show_bug.cgi?id=192441
1931         <rdar://problem/46480355>
1932
1933         Reviewed by Saam Barati.
1934
1935         * stress/regress-192441.js: Added.
1936
1937 2018-12-04  Mark Lam  <mark.lam@apple.com>
1938
1939         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1940         https://bugs.webkit.org/show_bug.cgi?id=192386
1941         <rdar://problem/46445516>
1942
1943         Reviewed by Saam Barati.
1944
1945         * stress/regress-192386.js: Added.
1946
1947 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1948
1949         [ESNext][BigInt] Support logic operations
1950         https://bugs.webkit.org/show_bug.cgi?id=179903
1951
1952         Reviewed by Yusuke Suzuki.
1953
1954         * stress/big-int-branch-usage.js: Added.
1955         * stress/big-int-logical-and.js: Added.
1956         * stress/big-int-logical-not.js: Added.
1957         * stress/big-int-logical-or.js: Added.
1958
1959 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1960
1961         Unreviewed, rolling out r238833.
1962
1963         Breaks macOS and iOS debug builds.
1964
1965         Reverted changeset:
1966
1967         "[ESNext][BigInt] Support logic operations"
1968         https://bugs.webkit.org/show_bug.cgi?id=179903
1969         https://trac.webkit.org/changeset/238833
1970
1971 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1972
1973         [ESNext][BigInt] Support logic operations
1974         https://bugs.webkit.org/show_bug.cgi?id=179903
1975
1976         Reviewed by Yusuke Suzuki.
1977
1978         * stress/big-int-branch-usage.js: Added.
1979         * stress/big-int-logical-and.js: Added.
1980         * stress/big-int-logical-not.js: Added.
1981         * stress/big-int-logical-or.js: Added.
1982
1983 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1984
1985         [ESNext][BigInt] Implement support for "<<" and ">>"
1986         https://bugs.webkit.org/show_bug.cgi?id=186233
1987
1988         Reviewed by Yusuke Suzuki.
1989
1990         * stress/big-int-left-shift-general.js: Added.
1991         * stress/big-int-left-shift-range-error.js: Added.
1992         * stress/big-int-left-shift-type-error.js: Added.
1993         * stress/big-int-left-shift-wrapped-value.js: Added.
1994         * stress/big-int-right-shift-general.js: Added.
1995         * stress/big-int-right-shift-type-error.js: Added.
1996         * stress/big-int-right-shift-wrapped-value.js: Added.
1997         * stress/left-shift-to-primitive-precedence.js: Added.
1998         * stress/right-shift-to-primitive-precedence.js: Added.
1999
2000 2018-11-30  Dean Jackson  <dino@apple.com>
2001
2002         Add first-class support for .mjs files in jsc binary
2003         https://bugs.webkit.org/show_bug.cgi?id=192190
2004         <rdar://problem/46375715>
2005
2006         Reviewed by Keith Miller.
2007
2008         * stress/simple-module.mjs: Added.
2009         * stress/simple-script.js: Added.
2010
2011 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2012
2013         [BigInt] Implement ValueBitXor into DFG
2014         https://bugs.webkit.org/show_bug.cgi?id=190264
2015
2016         Reviewed by Yusuke Suzuki.
2017
2018         * stress/big-int-bitwise-xor-jit.js: Added.
2019         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2020         * stress/big-int-bitwise-xor-untyped.js: Added.
2021
2022 2018-11-27  Saam barati  <sbarati@apple.com>
2023
2024         r238510 broke scopes of size zero
2025         https://bugs.webkit.org/show_bug.cgi?id=192033
2026         <rdar://problem/46281734>
2027
2028         Reviewed by Keith Miller.
2029
2030         * stress/r238510-bad-loop.js: Added.
2031         (foo):
2032
2033 2018-11-27  Mark Lam  <mark.lam@apple.com>
2034
2035         [Re-landing] NaNs read from Wasm code need to be purified.
2036         https://bugs.webkit.org/show_bug.cgi?id=191056
2037         <rdar://problem/45660341>
2038
2039         Reviewed by Filip Pizlo.
2040
2041         * wasm/regress/regress-191056.js: Added.
2042
2043 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2044
2045         Unreviewed, rolling out r238509.
2046
2047         Causes JSC tests to fail on iOS.
2048
2049         Reverted changeset:
2050
2051         "NaNs read from Wasm code need to be purified."
2052         https://bugs.webkit.org/show_bug.cgi?id=191056
2053         https://trac.webkit.org/changeset/238509
2054
2055 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2056
2057         Re-introduce op_bitnot
2058         https://bugs.webkit.org/show_bug.cgi?id=190923
2059
2060         Reviewed by Yusuke Suzuki.
2061
2062         * stress/bit-not-must-generate.js: Added.
2063         * stress/bitwise-not-no-int32.js: Added.
2064
2065 2018-11-26  Saam barati  <sbarati@apple.com>
2066
2067         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2068         https://bugs.webkit.org/show_bug.cgi?id=191956
2069         <rdar://problem/45665806>
2070
2071         Reviewed by Yusuke Suzuki.
2072
2073         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2074         (bar):
2075         (foo):
2076
2077 2018-11-26  Saam barati  <sbarati@apple.com>
2078
2079         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2080         https://bugs.webkit.org/show_bug.cgi?id=191958
2081         <rdar://problem/46221877>
2082
2083         Reviewed by Yusuke Suzuki.
2084
2085         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2086         (x):
2087         (foo):
2088
2089 2018-11-26  Mark Lam  <mark.lam@apple.com>
2090
2091         NaNs read from Wasm code need to be purified.
2092         https://bugs.webkit.org/show_bug.cgi?id=191056
2093         <rdar://problem/45660341>
2094
2095         Reviewed by Filip Pizlo.
2096
2097         * wasm/regress/regress-191056.js: Added.
2098
2099 2018-11-26  Michael Saboff  <msaboff@apple.com>
2100
2101         32-bit JSC test failure: stress/regexp-compile-oom.js
2102         https://bugs.webkit.org/show_bug.cgi?id=191375
2103
2104         Reviewed by Mark Lam.
2105
2106         Disabled the test for 32 bit platforms.
2107
2108         * stress/regexp-compile-oom.js:
2109
2110 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2111
2112         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2113         https://bugs.webkit.org/show_bug.cgi?id=191716
2114         <rdar://problem/45723878>
2115
2116         Reviewed by Saam Barati.
2117
2118         * stress/regress-187373.js: Added.
2119         (async.fn):
2120
2121 2018-11-21  Saam barati  <sbarati@apple.com>
2122
2123         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2124         https://bugs.webkit.org/show_bug.cgi?id=191897
2125         <rdar://problem/45871998>
2126
2127         Reviewed by Mark Lam.
2128
2129         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2130         (bar):
2131         (foo):
2132
2133 2018-11-21  Saam barati  <sbarati@apple.com>
2134
2135         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2136         https://bugs.webkit.org/show_bug.cgi?id=191895
2137         <rdar://problem/46167406>
2138
2139         Reviewed by Mark Lam.
2140
2141         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2142         (foo):
2143         (bar):
2144
2145 2018-11-21  Mark Lam  <mark.lam@apple.com>
2146
2147         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2148         https://bugs.webkit.org/show_bug.cgi?id=191776
2149         <rdar://problem/46152851>
2150
2151         Reviewed by Saam Barati.
2152
2153         * stress/big-wasm-memory-grow-no-max.js:
2154         * stress/big-wasm-memory-grow.js:
2155         * stress/big-wasm-memory.js:
2156         - updated these to expect an OutOfMemoryError.
2157
2158         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2159         (Binary.prototype.emit_u8):
2160         (Binary.prototype.emit_u32v):
2161         (Binary.prototype.emit_header):
2162         (Binary.prototype.emit_section):
2163         (Binary):
2164         (WasmModuleBuilder):
2165         (WasmModuleBuilder.prototype.addMemory):
2166         (WasmModuleBuilder.prototype.toArray):
2167         (WasmModuleBuilder.prototype.toBuffer):
2168         (WasmModuleBuilder.prototype.instantiate):
2169         (catch):
2170         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2171         (catch):
2172
2173 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2174
2175         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2176         https://bugs.webkit.org/show_bug.cgi?id=190836
2177
2178         Reviewed by Saam Barati and Yusuke Suzuki.
2179
2180         * stress/big-int-out-of-memory-tests.js: Added.
2181
2182 2018-11-20  Mark Lam  <mark.lam@apple.com>
2183
2184         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2185         https://bugs.webkit.org/show_bug.cgi?id=191856
2186         <rdar://problem/46089992>
2187
2188         Reviewed by Yusuke Suzuki.
2189
2190         * stress/regress-191856.js: Added.
2191         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2192
2193 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2194
2195         Enable JIT on ARM/Linux
2196         https://bugs.webkit.org/show_bug.cgi?id=191548
2197
2198         Reviewed by Yusuke Suzuki.
2199
2200         Disable test on system with limited memory. Program was killed by
2201         the OS before the exception was thrown.
2202
2203         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2204
2205 2018-11-20  Saam barati  <sbarati@apple.com>
2206
2207         Merging an IC variant may lead to the IC status containing overlapping structure sets
2208         https://bugs.webkit.org/show_bug.cgi?id=191869
2209         <rdar://problem/45403453>
2210
2211         Reviewed by Mark Lam.
2212
2213         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2214
2215 2018-11-19  Mark Lam  <mark.lam@apple.com>
2216
2217         globalFuncImportModule() should return a promise when it clears exceptions.
2218         https://bugs.webkit.org/show_bug.cgi?id=191792
2219         <rdar://problem/46090763>
2220
2221         Reviewed by Michael Saboff.
2222
2223         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2224
2225 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2226
2227         Skip new memory-hungry tests on memory limited devices
2228
2229         Unreviewed gardening.
2230
2231         * stress/big-wasm-memory-grow-no-max.js:
2232         * stress/big-wasm-memory-grow.js:
2233         * stress/big-wasm-memory.js:
2234
2235 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2236
2237         Unreviewed, rolling in the rest of r237254
2238         https://bugs.webkit.org/show_bug.cgi?id=190340
2239
2240         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2241         * stress/function-cache-with-parameters-end-position.js: Added.
2242         (shouldBe):
2243         (shouldThrow):
2244         (i.anonymous):
2245         * stress/function-constructor-name.js: Added.
2246         (shouldBe):
2247         (GeneratorFunction):
2248         (AsyncFunction.async):
2249         (AsyncGeneratorFunction.async):
2250         (anonymous):
2251         (async.anonymous):
2252         * test262/expectations.yaml:
2253
2254 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2255
2256         All users of ArrayBuffer should agree on the same max size
2257         https://bugs.webkit.org/show_bug.cgi?id=191771
2258
2259         Reviewed by Mark Lam.
2260
2261         * stress/big-wasm-memory-grow-no-max.js: Added.
2262         (foo):
2263         (catch):
2264         * stress/big-wasm-memory-grow.js: Added.
2265         (foo):
2266         (catch):
2267         * stress/big-wasm-memory.js: Added.
2268         (foo):
2269         (catch):
2270
2271 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2272
2273         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2274         run for each JSC config since they're regression tests for runtime bugs.
2275
2276         * stress/json-stringified-overflow-2.js:
2277         * stress/json-stringified-overflow.js:
2278
2279 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2280
2281         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2282         config since they're regression tests for runtime bugs.
2283
2284         * stress/large-unshift-splice.js:
2285         * stress/regress-185888.js:
2286
2287 2018-11-16  Saam Barati  <sbarati@apple.com>
2288
2289         KnownCellUse should also have SpecCellCheck as its type filter
2290         https://bugs.webkit.org/show_bug.cgi?id=191729
2291         <rdar://problem/45872852>
2292
2293         Reviewed by Filip Pizlo.
2294
2295         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2296         (C):
2297
2298 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2299
2300         Fix assertion failure on BytecodeGenerator::recordOpcode
2301         https://bugs.webkit.org/show_bug.cgi?id=191724
2302         <rdar://problem/45724395>
2303
2304         Reviewed by Saam Barati.
2305
2306         * stress/regress-187373-2.js: Added.
2307         (foo):
2308
2309 2018-11-15  Mark Lam  <mark.lam@apple.com>
2310
2311         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2312         https://bugs.webkit.org/show_bug.cgi?id=191730
2313         <rdar://problem/46048517>
2314
2315         Reviewed by Saam Barati.
2316
2317         * stress/regress-187006.js: Removed.
2318           - this test is invalid because its sole purpose is to test for the non-spec
2319             compliant behavior that we just fixed.
2320
2321         * stress/regress-191730.js: Added.
2322
2323 2018-11-15  Mark Lam  <mark.lam@apple.com>
2324
2325         RegExp operations should not take fast path if lastIndex is not numeric.
2326         https://bugs.webkit.org/show_bug.cgi?id=191731
2327         <rdar://problem/46017305>
2328
2329         Reviewed by Saam Barati.
2330
2331         * stress/regress-191731.js: Added.
2332
2333 2018-11-13  Saam Barati  <sbarati@apple.com>
2334
2335         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2336         https://bugs.webkit.org/show_bug.cgi?id=191600
2337
2338         Reviewed by Mark Lam.
2339
2340         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2341         (foo):
2342         (test):
2343         (bar):
2344
2345 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2346
2347         Unreviewed, rolling out r238132.
2348
2349         The test added with this change is timing out on Debug JSC
2350         bots.
2351
2352         Reverted changeset:
2353
2354         "[BigInt] JSBigInt::createWithLength should throw when length
2355         is greater than JSBigInt::maxLength"
2356         https://bugs.webkit.org/show_bug.cgi?id=190836
2357         https://trac.webkit.org/changeset/238132
2358
2359 2018-11-13  Mark Lam  <mark.lam@apple.com>
2360
2361         Add OOM detection to StringPrototype's substituteBackreferences().
2362         https://bugs.webkit.org/show_bug.cgi?id=191563
2363         <rdar://problem/45720428>
2364
2365         Reviewed by Saam Barati.
2366
2367         * stress/regress-191563.js: Added.
2368
2369 2018-11-13  Mark Lam  <mark.lam@apple.com>
2370
2371         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2372         https://bugs.webkit.org/show_bug.cgi?id=191579
2373         <rdar://problem/45942472>
2374
2375         Reviewed by Saam Barati.
2376
2377         * stress/regress-191579.js: Added.
2378
2379 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2380
2381         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2382         https://bugs.webkit.org/show_bug.cgi?id=190836
2383
2384         Reviewed by Saam Barati.
2385
2386         * stress/big-int-out-of-memory-tests.js: Added.
2387
2388 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2389
2390         U+180E is no longer a whitespace character
2391         https://bugs.webkit.org/show_bug.cgi?id=191415
2392
2393         Reviewed by Saam Barati.
2394
2395         * ChakraCore/test/es5/regexSpace.baseline:
2396         * ChakraCore/test/es6/unicode_whitespace.js:
2397         Update tests to latest version.
2398         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2399
2400         * test262.yaml:
2401         * test262/config.yaml:
2402         * test262/expectations.yaml:
2403         Update expectations.
2404
2405 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2406
2407         [BigInt] Add support to BigInt into ValueAdd
2408         https://bugs.webkit.org/show_bug.cgi?id=186177
2409
2410         Reviewed by Keith Miller.
2411
2412         * stress/big-int-negate-jit.js:
2413         * stress/value-add-big-int-and-string.js: Added.
2414         * stress/value-add-big-int-prediction-propagation.js: Added.
2415         * stress/value-add-big-int-untyped.js: Added.
2416
2417 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2418
2419         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2420         https://bugs.webkit.org/show_bug.cgi?id=191184
2421
2422         Reviewed by Saam Barati.
2423
2424         Most tests were failing due to timeouts, since they are too slow to
2425         run on CLoop. The exceptions are:
2426
2427         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2428         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2429         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2430         to change the stack size since CLoop requires it to be page aligned.
2431
2432         * microbenchmarks/array-push-1.js:
2433         * microbenchmarks/array-push-2.js:
2434         * microbenchmarks/elidable-new-object-dag.js:
2435         * microbenchmarks/elidable-new-object-roflcopter.js:
2436         * microbenchmarks/elidable-new-object-tree.js:
2437         * microbenchmarks/getter-richards.js:
2438         * microbenchmarks/sinkable-new-object-dag.js:
2439         * microbenchmarks/string-concat-long-convert.js:
2440         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2441         * slowMicrobenchmarks/array-push-3.js:
2442         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2443         * slowMicrobenchmarks/spread-small-array.js:
2444         * slowMicrobenchmarks/undefined-property-access.js:
2445         * stress/activation-sink-default-value-tdz-error.js:
2446         * stress/activation-sink-default-value.js:
2447         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2448         * stress/activation-sink-osrexit-default-value.js:
2449         * stress/activation-sink-osrexit.js:
2450         * stress/activation-sink.js:
2451         * stress/allow-math-ic-b3-code-duplication.js:
2452         * stress/array-push-multiple-int32.js:
2453         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2454         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2455         * stress/arrowfunction-lexical-this-activation-sink.js:
2456         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2457         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2458         * stress/elide-new-object-dag-then-exit.js:
2459         * stress/materialize-regexp-cyclic.js:
2460         * stress/new-regex-inline.js:
2461         * stress/op_add.js:
2462         * stress/op_bitand.js:
2463         * stress/op_bitor.js:
2464         * stress/op_bitxor.js:
2465         * stress/op_div-ConstVar.js:
2466         * stress/op_div-VarConst.js:
2467         * stress/op_div-VarVar.js:
2468         * stress/op_lshift-ConstVar.js:
2469         * stress/op_lshift-VarConst.js:
2470         * stress/op_lshift-VarVar.js:
2471         * stress/op_mod-ConstVar.js:
2472         * stress/op_mod-VarConst.js:
2473         * stress/op_mod-VarVar.js:
2474         * stress/op_mul-ConstVar.js:
2475         * stress/op_mul-VarConst.js:
2476         * stress/op_mul-VarVar.js:
2477         * stress/op_rshift-ConstVar.js:
2478         * stress/op_rshift-VarConst.js:
2479         * stress/op_rshift-VarVar.js:
2480         * stress/op_sub-ConstVar.js:
2481         * stress/op_sub-VarConst.js:
2482         * stress/op_sub-VarVar.js:
2483         * stress/op_urshift-ConstVar.js:
2484         * stress/op_urshift-VarConst.js:
2485         * stress/op_urshift-VarVar.js:
2486         * stress/proxy-get-set-correct-receiver.js:
2487         * stress/regress-179562.js:
2488         * stress/rest-parameter-many-arguments.js:
2489         * stress/sampling-profiler-richards.js:
2490         * stress/splay-flash-access-1ms.js:
2491         * stress/tailCallForwardArguments.js:
2492         * stress/typed-array-get-by-val-profiling.js:
2493         * typeProfiler/getter-richards.js:
2494
2495 2018-11-06  Michael Saboff  <msaboff@apple.com>
2496
2497         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2498         https://bugs.webkit.org/show_bug.cgi?id=191271
2499
2500         Reviewed by Saam Barati.
2501
2502         Added more test cases and made all test cases run with the same deeply recursive stack
2503         instead of finding that same point for each test case.
2504
2505         * stress/regexp-compile-oom.js:
2506         (prototype.runTest):
2507         (recurseAndTest):
2508         (testList.push.new.TestAndExpectedException):
2509
2510 2018-11-05  Michael Saboff  <msaboff@apple.com>
2511
2512         Unreviewed build fix for linux.
2513
2514         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2515
2516 2018-11-02  Michael Saboff  <msaboff@apple.com>
2517
2518         Rolling in r237753 with unreviewed build fix.
2519
2520         Fixed issues with DECLARE_THROW_SCOPE placement.
2521
2522 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2523
2524         Unreviewed, rolling out r237753.
2525
2526         Introduced JSC test failures
2527
2528         Reverted changeset:
2529
2530         "Running out of stack space not properly handled in
2531         RegExp::compile() and its callers"
2532         https://bugs.webkit.org/show_bug.cgi?id=191206
2533         https://trac.webkit.org/changeset/237753
2534
2535 2018-11-02  Michael Saboff  <msaboff@apple.com>
2536
2537         Running out of stack space not properly handled in RegExp::compile() and its callers
2538         https://bugs.webkit.org/show_bug.cgi?id=191206
2539
2540         Reviewed by Filip Pizlo.
2541
2542         New regression test.
2543
2544         * stress/regexp-compile-oom.js: Added.
2545         (recurseAndTest):
2546
2547 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2548
2549         Skip tests on arm/mips that time out now we're running on CLoop
2550
2551         Unreviewed gardening.
2552
2553         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2554         time out on the bots and need to be disabled. There are more tests
2555         disabled on arm because the timeout is longer on the mips bot (as the
2556         device is slower to start with), so many of the tests don't time out
2557         there.
2558
2559         * microbenchmarks/getter-richards.js: disable on arm and mips.
2560         * stress/op_add.js: disable on arm.
2561         * stress/op_bitand.js: disable on arm.
2562         * stress/op_bitor.js: disable on arm.
2563         * stress/op_bitxor.js: disable on arm.
2564         * stress/op_lshift-ConstVar.js: disable on arm.
2565         * stress/op_lshift-VarConst.js: disable on arm.
2566         * stress/op_lshift-VarVar.js: disable on arm.
2567         * stress/op_mod-ConstVar.js: disable on arm.
2568         * stress/op_mod-VarConst.js: disable on arm.
2569         * stress/op_mod-VarVar.js: disable on arm.
2570         * stress/op_mul-ConstVar.js: disable on arm.
2571         * stress/op_mul-VarConst.js: disable on arm.
2572         * stress/op_mul-VarVar.js: disable on arm.
2573         * stress/op_rshift-ConstVar.js: disable on arm.
2574         * stress/op_rshift-VarConst.js: disable on arm.
2575         * stress/op_rshift-VarVar.js: disable on arm.
2576         * stress/op_sub-ConstVar.js: disable on arm.
2577         * stress/op_sub-VarConst.js: disable on arm.
2578         * stress/op_sub-VarVar.js: disable on arm.
2579         * stress/op_urshift-ConstVar.js: disable on arm.
2580         * stress/op_urshift-VarConst.js: disable on arm.
2581         * stress/op_urshift-VarVar.js: disable on arm.
2582         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2583         * stress/value-to-boolean.js: disable on arm and mips.
2584
2585 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2586
2587         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2588         https://bugs.webkit.org/show_bug.cgi?id=191108
2589         <rdar://problem/45690700>
2590
2591         Reviewed by Saam Barati.
2592
2593         * stress/wide-op_catch.js: Added.
2594         (catch):
2595
2596 2018-10-29  Mark Lam  <mark.lam@apple.com>
2597
2598         Correctly detect string overflow when using the 'Function' constructor.
2599         https://bugs.webkit.org/show_bug.cgi?id=184883
2600         <rdar://problem/36320331>
2601
2602         Reviewed by Saam Barati.
2603
2604         I've verified that this passes on 32-bit as well.
2605
2606         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2607
2608 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2609
2610         Add support for GetStack FlushedDouble
2611         https://bugs.webkit.org/show_bug.cgi?id=191012
2612         <rdar://problem/45265141>
2613
2614         Reviewed by Saam Barati.
2615
2616         * stress/get-stack-double.js: Added.
2617         (bar):
2618         (noInline):
2619
2620 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2621
2622         New bytecode format for JSC
2623         https://bugs.webkit.org/show_bug.cgi?id=187373
2624         <rdar://problem/44186758>
2625
2626         Reviewed by Filip Pizlo.
2627
2628         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2629
2630         * stress/maximum-inline-capacity.js: Added.
2631         (test1):
2632         (test3.Foo):
2633         (test3):
2634
2635 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2636
2637         Unreviewed, rolling out r237479 and r237484.
2638         https://bugs.webkit.org/show_bug.cgi?id=190978
2639
2640         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2641
2642         Reverted changesets:
2643
2644         "New bytecode format for JSC"
2645         https://bugs.webkit.org/show_bug.cgi?id=187373
2646         https://trac.webkit.org/changeset/237479
2647
2648         "Gardening: Build fix after r237479."
2649         https://bugs.webkit.org/show_bug.cgi?id=187373
2650         https://trac.webkit.org/changeset/237484
2651
2652 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2653
2654         New bytecode format for JSC
2655         https://bugs.webkit.org/show_bug.cgi?id=187373
2656         <rdar://problem/44186758>
2657
2658         Reviewed by Filip Pizlo.
2659
2660         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2661
2662         * stress/maximum-inline-capacity.js: Added.
2663         (test1):
2664         (test3.Foo):
2665         (test3):
2666
2667 2018-10-26  Mark Lam  <mark.lam@apple.com>
2668
2669         Fix missing edge cases with JSGlobalObjects having a bad time.
2670         https://bugs.webkit.org/show_bug.cgi?id=189028
2671         <rdar://problem/45204939>
2672
2673         Reviewed by Saam Barati.
2674
2675         * stress/regress-189028.js: Added.
2676
2677 2018-10-22  Mark Lam  <mark.lam@apple.com>
2678
2679         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2680         https://bugs.webkit.org/show_bug.cgi?id=190515
2681         <rdar://problem/45222379>
2682
2683         Rubber-stamped by Saam Barati.
2684
2685         Adding another test.
2686
2687         * stress/regress-190515-2.js: Added.
2688
2689 2018-10-22  Mark Lam  <mark.lam@apple.com>
2690
2691         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2692         https://bugs.webkit.org/show_bug.cgi?id=190515
2693         <rdar://problem/45222379>
2694
2695         Reviewed by Saam Barati.
2696
2697         * stress/regress-190515.js: Added.
2698
2699 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2700
2701         Unreviewed, rolling out r237254.
2702         https://bugs.webkit.org/show_bug.cgi?id=190760
2703
2704         "It regresses JetStream 2 by 5% on some iOS devices"
2705         (Requested by saamyjoon on #webkit).
2706
2707         Reverted changeset:
2708
2709         "[JSC] JSC should have "parseFunction" to optimize Function
2710         constructor"
2711         https://bugs.webkit.org/show_bug.cgi?id=190340
2712         https://trac.webkit.org/changeset/237254
2713
2714 2018-10-19  Saam Barati  <sbarati@apple.com>
2715
2716         vmCall should check if we exit before emitting an OSR exit due to exceptions
2717         https://bugs.webkit.org/show_bug.cgi?id=190740
2718         <rdar://problem/45220139>
2719
2720         Reviewed by Mark Lam.
2721
2722         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2723         (foo):
2724
2725 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2726
2727         [ESNext][BigInt] Implement support for "^"
2728         https://bugs.webkit.org/show_bug.cgi?id=186235
2729
2730         Reviewed by Yusuke Suzuki.
2731
2732         * stress/big-int-bitwise-xor-general.js: Added.
2733         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2734         * stress/big-int-bitwise-xor-type-error.js: Added.
2735         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2736
2737 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2738
2739         [BigInt] Add ValueSub into DFG
2740         https://bugs.webkit.org/show_bug.cgi?id=186176
2741
2742         Reviewed by Yusuke Suzuki.
2743
2744         * stress/big-int-subtraction-jit.js:
2745         * stress/value-sub-big-int-prediction-propagation.js: Added.
2746         * stress/value-sub-big-int-untyped.js: Added.
2747         * stress/value-sub-spec-none-case.js: Added.
2748
2749 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2750
2751         [JSC] JSC should have "parseFunction" to optimize Function constructor
2752         https://bugs.webkit.org/show_bug.cgi?id=190340
2753
2754         Reviewed by Mark Lam.
2755
2756         This patch fixes the line number of syntax errors raised by the Function constructor,
2757         since we now parse the final code only once. And we no longer use block statement
2758         for Function constructor's parsing.
2759
2760         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2761         * stress/function-cache-with-parameters-end-position.js: Added.
2762         (shouldBe):
2763         (shouldThrow):
2764         (i.anonymous):
2765         * stress/function-constructor-name.js: Added.
2766         (shouldBe):
2767         (GeneratorFunction):
2768         (AsyncFunction.async):
2769         (AsyncGeneratorFunction.async):
2770         (anonymous):
2771         (async.anonymous):
2772         * test262/expectations.yaml:
2773
2774 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2775
2776         Unreviewed, rolling out r237242.
2777         https://bugs.webkit.org/show_bug.cgi?id=190701
2778
2779         it breaks "stress/sampling-profiler-basic.js" (Requested by
2780         caiolima on #webkit).
2781
2782         Reverted changeset:
2783
2784         "[BigInt] Add ValueSub into DFG"
2785         https://bugs.webkit.org/show_bug.cgi?id=186176
2786         https://trac.webkit.org/changeset/237242
2787
2788 2018-10-17  Keith Miller  <keith_miller@apple.com>
2789
2790         AI does not clear Phantom allocation nodes.
2791         https://bugs.webkit.org/show_bug.cgi?id=190694
2792
2793         Reviewed by Saam Barati.
2794
2795         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2796         (Day):
2797         (DaysInYear):
2798         (TimeInYear):
2799         (TimeFromYear):
2800         (DayFromYear):
2801         (InLeapYear):
2802         (YearFromTime):
2803         (WeekDay):
2804         (DaylightSavingTA):
2805         (GetSecondSundayInMarch):
2806         (TimeInMonth):
2807
2808 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2809
2810         [BigInt] Add ValueSub into DFG
2811         https://bugs.webkit.org/show_bug.cgi?id=186176
2812
2813         Reviewed by Yusuke Suzuki.
2814
2815         * stress/big-int-subtraction-jit.js:
2816         * stress/value-sub-big-int-prediction-propagation.js: Added.
2817         * stress/value-sub-big-int-untyped.js: Added.
2818
2819 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2820
2821         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2822         https://bugs.webkit.org/show_bug.cgi?id=190611
2823
2824         Reviewed by Saam Barati.
2825
2826         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2827         to improve test runtime. On ARM/MIPS this test even timed out when running all
2828         tests.
2829
2830         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2831         (test):
2832
2833 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2834
2835         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2836
2837         Unreviewed gardening.
2838
2839         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2840
2841 2018-10-15  Saam barati  <sbarati@apple.com>
2842
2843         Emit fjcvtzs on ARM64E on Darwin
2844         https://bugs.webkit.org/show_bug.cgi?id=184023
2845
2846         Reviewed by Yusuke Suzuki and Filip Pizlo.
2847
2848         * stress/double-to-int32-NaN.js: Added.
2849         (assert):
2850         (foo):
2851
2852 2018-10-15  Saam Barati  <sbarati@apple.com>
2853
2854         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2855         https://bugs.webkit.org/show_bug.cgi?id=190262
2856         <rdar://problem/44986241>
2857
2858         Reviewed by Mark Lam.
2859
2860         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2861         (test):
2862         * stress/slice-array-storage-with-holes.js: Added.
2863         (main):
2864
2865 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2866
2867         Unreviewed, rolling out r237054.
2868         https://bugs.webkit.org/show_bug.cgi?id=190593
2869
2870         "this regressed JetStream 2 by 6% on iOS" (Requested by
2871         saamyjoon on #webkit).
2872
2873         Reverted changeset:
2874
2875         "[JSC] JSC should have "parseFunction" to optimize Function
2876         constructor"
2877         https://bugs.webkit.org/show_bug.cgi?id=190340
2878         https://trac.webkit.org/changeset/237054
2879
2880 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2881
2882         [JSC] JSON.stringify can accept call-with-no-arguments
2883         https://bugs.webkit.org/show_bug.cgi?id=190343
2884
2885         Reviewed by Mark Lam.
2886
2887         * stress/json-stringify-no-arguments.js: Added.
2888         (shouldBe):
2889
2890 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2891
2892         [JSC] JSC should have "parseFunction" to optimize Function constructor
2893         https://bugs.webkit.org/show_bug.cgi?id=190340
2894
2895         Reviewed by Mark Lam.
2896
2897         This patch fixes the line number of syntax errors raised by the Function constructor,
2898         since we now parse the final code only once. And we no longer use block statement
2899         for Function constructor's parsing.
2900
2901         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2902         * stress/function-cache-with-parameters-end-position.js: Added.
2903         (shouldBe):
2904         (shouldThrow):
2905         (i.anonymous):
2906         * stress/function-constructor-name.js: Added.
2907         (shouldBe):
2908         (GeneratorFunction):
2909         (AsyncFunction.async):
2910         (AsyncGeneratorFunction.async):
2911         (anonymous):
2912         (async.anonymous):
2913         * test262/expectations.yaml:
2914
2915 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2916
2917         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2918         https://bugs.webkit.org/show_bug.cgi?id=190426
2919
2920         Unreviewed gardening.
2921
2922         * stress/sampling-profiler-richards.js:
2923
2924 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2925
2926         [ESNext][BigInt] Implement support for "|"
2927         https://bugs.webkit.org/show_bug.cgi?id=186229
2928
2929         Reviewed by Yusuke Suzuki.
2930
2931         * stress/big-int-bitwise-and-jit.js:
2932         * stress/big-int-bitwise-or-general.js: Added.
2933         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2934         * stress/big-int-bitwise-or-jit.js: Added.
2935         * stress/big-int-bitwise-or-memory-stress.js: Added.
2936         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2937         * stress/big-int-bitwise-or-type-error.js: Added.
2938         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2939
2940 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2941
2942         Skip test on systems with limited memory
2943         https://bugs.webkit.org/show_bug.cgi?id=190310
2944
2945         Invoking runDefault adds test to runlist; skipping the test in the next
2946         line does not prevent the test from executing. Change order of lines such
2947         that runDefault is only executed if test is not executed.
2948
2949         Reviewed by Mark Lam.
2950
2951         * stress/regress-190187.js:
2952
2953 2018-10-03  Saam barati  <sbarati@apple.com>
2954
2955         lowXYZ in FTLLower should always filter the type of the incoming edge
2956         https://bugs.webkit.org/show_bug.cgi?id=189939
2957         <rdar://problem/44407030>
2958
2959         Reviewed by Michael Saboff.
2960
2961         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2962         (foo):
2963         (test):
2964
2965 2018-10-03  Mark Lam  <mark.lam@apple.com>
2966
2967         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2968         https://bugs.webkit.org/show_bug.cgi?id=190187
2969         <rdar://problem/42512909>
2970
2971         Reviewed by Michael Saboff.
2972
2973         * stress/regress-190187.js: Added.
2974
2975 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2976
2977         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2978         https://bugs.webkit.org/show_bug.cgi?id=190033
2979
2980         Reviewed by Yusuke Suzuki.
2981
2982         * stress/big-int-to-string.js:
2983
2984 2018-10-01  Mark Lam  <mark.lam@apple.com>
2985
2986         Function.toString() should also copy the source code of Functions that are class definitions.
2987         https://bugs.webkit.org/show_bug.cgi?id=190186
2988         <rdar://problem/44733360>
2989
2990         Reviewed by Saam Barati.
2991
2992         * stress/regress-190186.js: Added.
2993
2994 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2995
2996         Split NaN-check into separate test
2997         https://bugs.webkit.org/show_bug.cgi?id=190010
2998
2999         Reviewed by Saam Barati.
3000
3001         DataView exposes NaN-representation, which is not necessarily the same on each
3002         architecture. Therefore move the check of the NaN-representation into its own
3003         file such that we can disable this test on MIPS where NaN-representation can be
3004         different on older CPUs.
3005
3006         * stress/dataview-jit-set-nan.js: Added.
3007         (assert):
3008         (test.storeLittleEndian):
3009         (test.storeBigEndian):
3010         (test.store):
3011         (test):
3012         * stress/dataview-jit-set.js:
3013         (test5):
3014
3015 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3016
3017         Unreviewed, rolling out r236647.
3018         https://bugs.webkit.org/show_bug.cgi?id=190124
3019
3020         Breaking test stress/big-int-to-string.js (Requested by
3021         caiolima_ on #webkit).
3022
3023         Reverted changeset:
3024
3025         "[BigInt] BigInt.prototype.toString is broken when radix is
3026         power of 2"
3027         https://bugs.webkit.org/show_bug.cgi?id=190033
3028         https://trac.webkit.org/changeset/236647
3029
3030 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3031
3032         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3033         https://bugs.webkit.org/show_bug.cgi?id=190033
3034
3035         Reviewed by Yusuke Suzuki.
3036
3037         * stress/big-int-to-string.js:
3038
3039 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3040
3041         [ESNext][BigInt] Implement support for "&"
3042         https://bugs.webkit.org/show_bug.cgi?id=186228
3043
3044         Reviewed by Yusuke Suzuki.
3045
3046         * stress/big-int-bitwise-and-general.js: Added.
3047         (assert):
3048         (assert.sameValue):
3049         * stress/big-int-bitwise-and-jit.js: Added.
3050         (let.assert.sameValue):
3051         (bigIntBitAnd):
3052         * stress/big-int-bitwise-and-memory-stress.js: Added.
3053         (assert):
3054         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3055         (assert.sameValue):
3056         (let.o.Symbol.toPrimitive):
3057         (catch):
3058         * stress/big-int-bitwise-and-type-error.js: Added.
3059         (assert):
3060         (assertThrowTypeError):
3061         (let.o.valueOf):
3062         (o.valueOf):
3063         (o.toString):
3064         (o.Symbol.toPrimitive):
3065         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3066         (assert.sameValue):
3067         (testBitAnd):
3068         (let.o.Symbol.toPrimitive):
3069         (o.valueOf):
3070         (o.toString):
3071
3072 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3073
3074         JSC test stress/jsc-read.js doesn't support CRLF
3075         https://bugs.webkit.org/show_bug.cgi?id=190063
3076
3077         Reviewed by Yusuke Suzuki.
3078
3079         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3080
3081         * stress/jsc-read.js:
3082         (test):
3083
3084 2018-09-27  Saam barati  <sbarati@apple.com>
3085
3086         Verify the contents of AssemblerBuffer on arm64e
3087         https://bugs.webkit.org/show_bug.cgi?id=190057
3088         <rdar://problem/38916630>
3089
3090         Reviewed by Mark Lam.
3091
3092         * stress/regress-189132.js:
3093
3094 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3095
3096         Disable test without LLInt on ARMv7
3097         https://bugs.webkit.org/show_bug.cgi?id=190037
3098
3099         Reviewed by Mark Lam.
3100
3101         Test runs out of executable memory on ARMv7; do not run
3102         this test without LLInt enabled.
3103
3104         * stress/regress-169445.js:
3105
3106 2018-09-26  Keith Miller  <keith_miller@apple.com>
3107
3108         We should zero unused property storage when rebalancing array storage.
3109         https://bugs.webkit.org/show_bug.cgi?id=188151
3110
3111         Reviewed by Michael Saboff.
3112
3113         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3114
3115 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3116
3117         [JSC] Optimize Array#lastIndexOf
3118         https://bugs.webkit.org/show_bug.cgi?id=189780
3119
3120         Reviewed by Saam Barati.
3121
3122         * stress/array-lastindexof-array-prototype-trap.js: Added.
3123         (shouldBe):
3124         (AncestorArray.prototype.get 2):
3125         (AncestorArray):
3126         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3127         (shouldBe):
3128         * stress/array-lastindexof-hole-nan.js: Added.
3129         (shouldBe):
3130         (throw.new.Error):
3131         * stress/array-lastindexof-infinity.js: Added.
3132         (shouldBe):
3133         (throw.new.Error):
3134         * stress/array-lastindexof-negative-zero.js: Added.
3135         (shouldBe):
3136         (throw.new.Error):
3137         * stress/array-lastindexof-own-getter.js: Added.
3138         (shouldBe):
3139         (throw.new.Error.get array):
3140         (get array):
3141         * stress/array-lastindexof-prototype-trap.js: Added.
3142         (shouldBe):
3143         (DerivedArray.prototype.get 2):
3144         (DerivedArray):
3145
3146 2018-09-25  Saam Barati  <sbarati@apple.com>
3147
3148         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3149         https://bugs.webkit.org/show_bug.cgi?id=189940
3150         <rdar://problem/43640987>
3151
3152         Reviewed by Mark Lam.
3153
3154         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3155
3156 2018-09-24  Saam Barati  <sbarati@apple.com>
3157
3158         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3159         https://bugs.webkit.org/show_bug.cgi?id=189922
3160         <rdar://problem/44651275>
3161
3162         Reviewed by Mark Lam.
3163
3164         * stress/array-indexof-fast-path-effects.js: Added.
3165         * stress/array-indexof-cached-length.js: Added.
3166
3167 2018-09-24  Saam barati  <sbarati@apple.com>
3168
3169         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3170         https://bugs.webkit.org/show_bug.cgi?id=189682
3171         <rdar://problem/43557315>
3172
3173         Reviewed by Mark Lam.
3174
3175         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3176         (foo):
3177
3178 2018-09-22  Saam barati  <sbarati@apple.com>
3179
3180         The sampling should not use Strong<CodeBlock> in its machineLocation field
3181         https://bugs.webkit.org/show_bug.cgi?id=189319
3182
3183         Reviewed by Filip Pizlo.
3184
3185         * stress/sampling-profiler-richards.js: Added.
3186
3187 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3188
3189         [JSC] Optimize Array#indexOf in C++ runtime
3190         https://bugs.webkit.org/show_bug.cgi?id=189507
3191
3192         Reviewed by Saam Barati.
3193
3194         * stress/array-indexof-array-prototype-trap.js: Added.
3195         (shouldBe):
3196         (AncestorArray.prototype.get 2):
3197         (AncestorArray):
3198         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3199         (shouldBe):
3200         * stress/array-indexof-hole-nan.js: Added.
3201         (shouldBe):
3202         (throw.new.Error):
3203         * stress/array-indexof-infinity.js: Added.
3204         (shouldBe):
3205         (throw.new.Error):
3206         * stress/array-indexof-negative-zero.js: Added.
3207         (shouldBe):
3208         (throw.new.Error):
3209         * stress/array-indexof-own-getter.js: Added.
3210         (shouldBe):
3211         (throw.new.Error.get array):
3212         (get array):
3213         * stress/array-indexof-prototype-trap.js: Added.
3214         (shouldBe):
3215         (DerivedArray.prototype.get 2):
3216         (DerivedArray):
3217
3218 2018-09-19  Saam barati  <sbarati@apple.com>
3219
3220         AI rule for MultiPutByOffset executes its effects in the wrong order
3221         https://bugs.webkit.org/show_bug.cgi?id=189757
3222         <rdar://problem/43535257>
3223
3224         Reviewed by Michael Saboff.
3225
3226         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3227         (foo):
3228         (Foo):
3229         (g):
3230
3231 2018-09-17  Mark Lam  <mark.lam@apple.com>
3232
3233         Ensure that ForInContexts are invalidated if their loop local is over-written.
3234         https://bugs.webkit.org/show_bug.cgi?id=189571
3235         <rdar://problem/44402277>
3236
3237         Reviewed by Saam Barati.
3238
3239         * stress/regress-189571.js: Added.
3240
3241 2018-09-17  Saam barati  <sbarati@apple.com>
3242
3243         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3244         https://bugs.webkit.org/show_bug.cgi?id=189676
3245         <rdar://problem/39682897>
3246
3247         Reviewed by Michael Saboff.
3248
3249         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3250         (A):
3251         (K):
3252         (i.catch):
3253
3254 2018-09-14  Saam barati  <sbarati@apple.com>
3255
3256         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3257         https://bugs.webkit.org/show_bug.cgi?id=189628
3258         <rdar://problem/39481690>
3259
3260         Reviewed by Mark Lam.
3261
3262         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3263         (foo):
3264
3265 2018-09-11  Mark Lam  <mark.lam@apple.com>
3266
3267         Test for array initialization in arrayProtoFuncSplice.
3268         https://bugs.webkit.org/show_bug.cgi?id=170253
3269         <rdar://problem/31328773>
3270
3271         Rubber-stamped by Saam Barati.
3272
3273         * stress/regress-170253.js: Added.
3274
3275 2018-09-11  Mark Lam  <mark.lam@apple.com>
3276
3277         Test for IntlObject initialization.
3278         https://bugs.webkit.org/show_bug.cgi?id=170251
3279         <rdar://problem/31328419>
3280
3281         Rubber-stamped by Saam Barati.
3282
3283         * stress/regress-170251.js: Added.
3284
3285 2018-09-11  Mark Lam  <mark.lam@apple.com>
3286
3287         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3288         https://bugs.webkit.org/show_bug.cgi?id=169889
3289         <rdar://problem/31155607>
3290
3291         Reviewed by Saam Barati.
3292
3293         * stress/regress-169889-array-concat.js: Added.
3294         * stress/regress-169889-array-concat1.js: Added.
3295         * stress/regress-169889-array-slice.js: Added.
3296
3297 2018-09-11  Mark Lam  <mark.lam@apple.com>
3298
3299         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3300         https://bugs.webkit.org/show_bug.cgi?id=169445
3301         <rdar://problem/30957435>
3302
3303         Reviewed by Saam Barati.
3304
3305         * stress/regress-169445.js: Added.
3306         (let.gun.eval.A):
3307         (let.gun.eval.B.C):
3308         (let.gun.eval.B.C.prototype.trigger):
3309         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3310         (let.gun.eval.B):
3311         (let.gun.eval):
3312
3313 == Rolled over to ChangeLog-2018-09-11 ==