[JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
4         https://bugs.webkit.org/show_bug.cgi?id=195144
5         <rdar://problem/47595961>
6
7         Reviewed by Mark Lam.
8
9         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
10         (bar):
11         (foo):
12         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
13         (bar):
14         (foo):
15
16 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
17
18         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
19         https://bugs.webkit.org/show_bug.cgi?id=194677
20         <rdar://problem/48112492>
21
22         Reviewed by Mark Lam.
23
24         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
25         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
26         it immediately fails due to the large size.
27
28         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
29         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
30         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
31         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
32
33         This patch changes the test to produce 16bit string from String.fromCharCode.
34
35         * stress/regress-178386.js:
36
37 2019-02-26  Mark Lam  <mark.lam@apple.com>
38
39         wasmToJS() should purify incoming NaNs.
40         https://bugs.webkit.org/show_bug.cgi?id=194807
41         <rdar://problem/48189132>
42
43         Reviewed by Saam Barati.
44
45         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
46
47 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
48
49         [JSC] Repeat string created from Array.prototype.join() take too much memory
50         https://bugs.webkit.org/show_bug.cgi?id=193912
51
52         Reviewed by Saam Barati.
53
54         Added a test and a microbenchmark for corner cases of
55         Array.prototype.join() with an uninitialized array.
56
57         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
58         * stress/array-prototype-join-uninitialized.js: Added.
59         (testArray):
60         (testABC):
61         (B):
62         (C):
63
64 2019-02-22  Robin Morisset  <rmorisset@apple.com>
65
66         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
67         https://bugs.webkit.org/show_bug.cgi?id=194953
68         <rdar://problem/47595253>
69
70         Reviewed by Saam Barati.
71
72         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
73
74         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
75
76 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
77
78         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
79         https://bugs.webkit.org/show_bug.cgi?id=172848
80         <rdar://problem/25709212>
81
82         Reviewed by Mark Lam.
83
84         * typeProfiler/inheritance.js:
85         Rewrite the test slightly for clarity. The hoisting was confusing.
86
87         * heapProfiler/class-names.js: Added.
88         (MyES5Class):
89         (MyES6Class):
90         (MyES6Subclass):
91         Test object types and improved class names.
92
93         * heapProfiler/driver/driver.js:
94         (CheapHeapSnapshotNode):
95         (CheapHeapSnapshot):
96         (createCheapHeapSnapshot):
97         (HeapSnapshot):
98         (createHeapSnapshot):
99         Update snapshot parsing from version 1 to version 2.
100
101 2019-02-19  Truitt Savell  <tsavell@apple.com>
102
103         Unreviewed, rolling out r241784.
104
105         Broke all OpenSource builds.
106
107         Reverted changeset:
108
109         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
110         instances view"
111         https://bugs.webkit.org/show_bug.cgi?id=172848
112         https://trac.webkit.org/changeset/241784
113
114 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
115
116         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
117         https://bugs.webkit.org/show_bug.cgi?id=172848
118         <rdar://problem/25709212>
119
120         Reviewed by Mark Lam.
121
122         * typeProfiler/inheritance.js:
123         Rewrite the test slightly for clarity. The hoisting was confusing.
124
125         * heapProfiler/class-names.js: Added.
126         (MyES5Class):
127         (MyES6Class):
128         (MyES6Subclass):
129         Test object types and improved class names.
130
131         * heapProfiler/driver/driver.js:
132         (CheapHeapSnapshotNode):
133         (CheapHeapSnapshot):
134         (createCheapHeapSnapshot):
135         (HeapSnapshot):
136         (createHeapSnapshot):
137         Update snapshot parsing from version 1 to version 2.
138
139 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
140
141         [ARM] Fix crash with sampling profiler
142         https://bugs.webkit.org/show_bug.cgi?id=194772
143
144         Reviewed by Mark Lam.
145
146         Do not skip test since crash with sampling profiler is now fixed.
147
148         * stress/sampling-profiler-richards.js:
149
150 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
151
152         [JSC] Add LazyClassStructure::getInitializedOnMainThread
153         https://bugs.webkit.org/show_bug.cgi?id=194784
154         <rdar://problem/48154820>
155
156         Reviewed by Mark Lam.
157
158         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
159         (getProperties):
160         (getRandomProperty):
161         (i.catch):
162
163 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
164
165         [ARM] Test gardening: Test running out of executable memory
166         https://bugs.webkit.org/show_bug.cgi?id=194771
167
168         Unreviewed. Do not run test without LLInt, test is running out of executable
169         memory on ARM otherwise.
170
171         * stress/tagged-template-object-collect.js:
172
173 2019-02-18  Tomas Popela  <tpopela@redhat.com>
174
175         Unreviewed, skip the test on platforms without sampling profiler
176
177         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
178         (platformSupportsSamplingProfiler.foo):
179         (platformSupportsSamplingProfiler.test):
180         (platformSupportsSamplingProfiler):
181         (foo): Deleted.
182         (test): Deleted.
183
184 2019-02-17  Saam Barati  <sbarati@apple.com>
185
186         Deadlock when adding a Structure property transition and then doing incremental marking
187         https://bugs.webkit.org/show_bug.cgi?id=194767
188
189         Reviewed by Mark Lam.
190
191         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
192
193 2019-02-15  Michael Saboff  <msaboff@apple.com>
194
195         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
196         https://bugs.webkit.org/show_bug.cgi?id=194558
197
198         Reviewed by Saam Barati.
199
200         New regression test.
201
202         * stress/regexp-unicode-within-string.js: Added.
203
204 2019-02-15  Mark Lam  <mark.lam@apple.com>
205
206         SamplingProfiler::stackTracesAsJSON() should escape strings.
207         https://bugs.webkit.org/show_bug.cgi?id=194649
208         <rdar://problem/48072386>
209
210         Reviewed by Saam Barati.
211
212         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
213         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
214         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
215         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
216
217 2019-02-15  Robin Morisset  <rmorisset@apple.com>
218         CodeBlock::jettison should clear related watchpoints
219         https://bugs.webkit.org/show_bug.cgi?id=194544
220
221         Reviewed by Mark Lam.
222
223         * stress/regexp-replace-double-watchpoint.js: Added.
224         (foo):
225
226 2019-02-15  Saam barati  <sbarati@apple.com>
227
228         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
229         https://bugs.webkit.org/show_bug.cgi?id=194036
230
231         Reviewed by Yusuke Suzuki.
232
233         * stress/tail-call-many-arguments.js: Added.
234         (foo):
235         (bar):
236
237 2019-02-14  Saam Barati  <sbarati@apple.com>
238
239         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
240         https://bugs.webkit.org/show_bug.cgi?id=194583
241         <rdar://problem/48028140>
242
243         Reviewed by Yusuke Suzuki.
244
245         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
246
247 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
248
249         [JSC] String.fromCharCode's slow path always generates 16bit string
250         https://bugs.webkit.org/show_bug.cgi?id=194466
251
252         Reviewed by Keith Miller.
253
254         * stress/string-from-char-code-slow-path.js: Added.
255         (shouldBe):
256         (testWithLength):
257
258 2019-02-08  Saam barati  <sbarati@apple.com>
259
260         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
261         https://bugs.webkit.org/show_bug.cgi?id=194334
262         <rdar://problem/47844327>
263
264         Reviewed by Mark Lam.
265
266         * stress/check-in-bounds-should-be-a-child-use.js: Added.
267         (func):
268
269 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
270
271         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
272         https://bugs.webkit.org/show_bug.cgi?id=194369
273         <rdar://problem/47813087>
274
275         Reviewed by Saam Barati.
276
277         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
278         (A):
279
280 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
281
282         [JSC] PrivateName to PublicName hash table is wasteful
283         https://bugs.webkit.org/show_bug.cgi?id=194277
284
285         Reviewed by Michael Saboff.
286
287         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
288
289         * ChakraCore.yaml:
290
291 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
292
293         [ARM] Test running out of executable memory
294         https://bugs.webkit.org/show_bug.cgi?id=194285
295
296         Unreviewed. Do not execute test with LLInt disabled, test runs out of
297         executable memory otherwise.
298
299         * stress/class-subclassing-function.js:
300
301 2019-02-04  Robin Morisset  <rmorisset@apple.com>
302
303         when lowering AssertNotEmpty, create the value before creating the patchpoint
304         https://bugs.webkit.org/show_bug.cgi?id=194231
305
306         Reviewed by Saam Barati.
307
308         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
309         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
310         So even tiny changes to this test can change the code path taken.
311
312         * stress/assert-not-empty.js: Added.
313         (foo):
314
315 2019-02-01  Mark Lam  <mark.lam@apple.com>
316
317         Remove invalid assertion in DFG's compileDoubleRep().
318         https://bugs.webkit.org/show_bug.cgi?id=194130
319         <rdar://problem/47699474>
320
321         Reviewed by Saam Barati.
322
323         * stress/constant-fold-double-rep-into-double-constant.js: Added.
324
325 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
326
327         Import latest Test262 updates.
328
329         Rubber-stamped by Keith Miller.
330
331         * test262.yaml: Deleted.
332         * test262/config.yaml:
333         * test262/expectations.yaml:
334         * test262/latest-changes-summary.txt:
335         * test262/test/:
336         * test262/test262-Revision.txt:
337
338 2019-01-30  Robin Morisset  <rmorisset@apple.com>
339
340         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
341         https://bugs.webkit.org/show_bug.cgi?id=194050
342         <rdar://problem/47595592>
343
344         Reviewed by Yusuke Suzuki.
345
346         * stress/object-keys-osr-exit.js: Added.
347         (foo):
348         (catch):
349
350 2019-01-29  Mark Lam  <mark.lam@apple.com>
351
352         ValueRecovery::recover() should purify NaN values it recovers.
353         https://bugs.webkit.org/show_bug.cgi?id=193978
354         <rdar://problem/47625488>
355
356         Reviewed by Saam Barati.
357
358         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
359
360 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
361
362         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
363         https://bugs.webkit.org/show_bug.cgi?id=193713
364
365         * stress/try-get-by-id-should-spill-registers-dfg.js:
366         (let.f.createBuiltin):
367
368 2019-01-28  Mark Lam  <mark.lam@apple.com>
369
370         ToString node actually does GC.
371         https://bugs.webkit.org/show_bug.cgi?id=193920
372         <rdar://problem/46695900>
373
374         Reviewed by Yusuke Suzuki.
375
376         * stress/dfg-to-string-on-int-does-gc.js: Added.
377         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
378         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
379
380 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
381
382         [JSC] NativeErrorConstructor should not have own IsoSubspace
383         https://bugs.webkit.org/show_bug.cgi?id=193713
384
385         Reviewed by Saam Barati.
386
387         Remove @Error use.
388
389         * stress/try-get-by-id-should-spill-registers-dfg.js:
390         (let.f.createBuiltin):
391
392 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
393
394         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
395         https://bugs.webkit.org/show_bug.cgi?id=190693
396
397         Reviewed by Michael Saboff.
398
399         * stress/regress-190693.js: Added.
400         (truth):
401         (assert):
402         (shouldThrowInvalidConstAssignment):
403         (taz):
404
405 2019-01-24  Saam Barati  <sbarati@apple.com>
406
407         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
408         https://bugs.webkit.org/show_bug.cgi?id=193751
409         <rdar://problem/47280215>
410
411         Reviewed by Michael Saboff.
412
413         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
414         (let.thing):
415         (foo.let.hello):
416         (foo):
417
418 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
419
420         [JSC] Reenable baseline JIT on mips
421         https://bugs.webkit.org/show_bug.cgi?id=192983
422
423         Reviewed by Mark Lam.
424
425         Added a new test for a case that was triggering a RELEASE_ASSERT when
426         testing.
427         Disable some slow tests that were already disabled for arm and x86.
428
429         * stress/json-parse-big-object.js: Added.
430         * stress/new-largeish-contiguous-array-with-size.js:
431         * stress/op_add.js:
432         * stress/op_bitand.js:
433         * stress/op_bitor.js:
434         * stress/op_bitxor.js:
435         * stress/op_lshift-ConstVar.js:
436         * stress/op_lshift-VarConst.js:
437         * stress/op_lshift-VarVar.js:
438         * stress/op_mod-ConstVar.js:
439         * stress/op_mod-VarConst.js:
440         * stress/op_mod-VarVar.js:
441         * stress/op_mul-ConstVar.js:
442         * stress/op_mul-VarConst.js:
443         * stress/op_mul-VarVar.js:
444         * stress/op_rshift-ConstVar.js:
445         * stress/op_rshift-VarConst.js:
446         * stress/op_rshift-VarVar.js:
447         * stress/op_sub-ConstVar.js:
448         * stress/op_sub-VarConst.js:
449         * stress/op_sub-VarVar.js:
450         * stress/op_urshift-ConstVar.js:
451         * stress/op_urshift-VarConst.js:
452         * stress/op_urshift-VarVar.js:
453         * stress/sampling-profiler-richards.js:
454         * stress/spread-forward-call-varargs-stack-overflow.js:
455
456 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
457
458         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
459         https://bugs.webkit.org/show_bug.cgi?id=193711
460         <rdar://problem/47250262>
461
462         Reviewed by Saam Barati.
463
464         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
465         (shouldBe):
466         (foo):
467         (bar):
468         (baz):
469
470 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
471
472         Unreviewed, fix initial global lexical binding epoch
473         https://bugs.webkit.org/show_bug.cgi?id=193603
474         <rdar://problem/47380869>
475
476         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
477         (f1.f2.f3.f4):
478         (f1.f2.f3):
479         (f1.f2):
480         (f1):
481
482 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
483
484         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
485         https://bugs.webkit.org/show_bug.cgi?id=193709
486         <rdar://problem/47363838>
487
488         Unreviewed, rollout to watch the tests.
489
490         * stress/object-tostring-changed-proto.js: Removed.
491         * stress/object-tostring-changed.js: Removed.
492         * stress/object-tostring-misc.js: Removed.
493         * stress/object-tostring-other.js: Removed.
494         * stress/object-tostring-untyped.js: Removed.
495
496 2019-01-22  Saam Barati  <sbarati@apple.com>
497
498         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
499
500         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
501         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
502         (testUncheckedLessThanZero):
503         (testUncheckedLessThanOrEqualZero):
504         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
505         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
506
507 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
508
509         [JSC] Invalidate old scope operations using global lexical binding epoch
510         https://bugs.webkit.org/show_bug.cgi?id=193603
511         <rdar://problem/47380869>
512
513         Reviewed by Saam Barati.
514
515         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
516         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
517         (shouldThrow):
518         (bar):
519         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
520         (shouldBe):
521         (get1):
522         (get2):
523         (get1If):
524         (get2If):
525         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
526         (shouldThrow):
527         (foo):
528
529 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
530
531         Unreviewed, roll out r240220 due to date-format-xparb regression
532         https://bugs.webkit.org/show_bug.cgi?id=193603
533
534         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
535         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
536         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
537         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
538
539 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
540
541         DoesGC rule is wrong for nodes with BigIntUse
542         https://bugs.webkit.org/show_bug.cgi?id=193652
543
544         Reviewed by Saam Barati.
545
546         * stress/big-int-value-op-update-gc-rules.js: Added.
547         (assert):
548         (doesGCAdd):
549         (doesGCSub):
550         (doesGCDiv):
551         (doesGCMul):
552         (doesGCBitAnd):
553         (doesGCBitOr):
554         (doesGCBitXor):
555
556 2019-01-20  Saam Barati  <sbarati@apple.com>
557
558         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
559         https://bugs.webkit.org/show_bug.cgi?id=193644
560         <rdar://problem/46209745>
561
562         Reviewed by Yusuke Suzuki.
563
564         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
565         (foo):
566         * stress/data-view-set-intrinsic-undefined-result.js: Added.
567         (foo):
568         (bar):
569
570 2019-01-20  Saam Barati  <sbarati@apple.com>
571
572         MovHint must merge NodeBytecodeUsesAsValue for its child
573         https://bugs.webkit.org/show_bug.cgi?id=186916
574         <rdar://problem/41396612>
575
576         Reviewed by Yusuke Suzuki.
577
578         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
579         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
580
581 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
582
583         [JSC] Invalidate old scope operations using global lexical binding epoch
584         https://bugs.webkit.org/show_bug.cgi?id=193603
585         <rdar://problem/47380869>
586
587         Reviewed by Saam Barati.
588
589         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
590         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
591         (shouldThrow):
592         (bar):
593         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
594         (shouldBe):
595         (get1):
596         (get2):
597         (get1If):
598         (get2If):
599         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
600         (shouldThrow):
601         (foo):
602
603 2019-01-17  Saam barati  <sbarati@apple.com>
604
605         StringObjectUse should not be a structure check for the original string object structure
606         https://bugs.webkit.org/show_bug.cgi?id=193483
607         <rdar://problem/47280522>
608
609         Reviewed by Yusuke Suzuki.
610
611         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
612         (foo):
613         (a.valueOf.0):
614
615 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
616
617         [JSC] ToThis omission in DFGByteCodeParser is wrong
618         https://bugs.webkit.org/show_bug.cgi?id=193513
619         <rdar://problem/45842236>
620
621         Reviewed by Saam Barati.
622
623         * stress/to-this-omission-with-different-strict-modes.js: Added.
624         (thisA):
625         (thisAStrictWrapper):
626
627 2019-01-15  Mark Lam  <mark.lam@apple.com>
628
629         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
630         https://bugs.webkit.org/show_bug.cgi?id=193423
631         <rdar://problem/46209355>
632
633         Reviewed by Saam Barati.
634
635         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
636         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
637         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
638         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
639
640 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
641
642         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
643         https://bugs.webkit.org/show_bug.cgi?id=193438
644         <rdar://problem/45581249>
645
646         Reviewed by Saam Barati and Keith Miller.
647
648         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
649         Then, GetByVal(String) crashed.
650
651         * stress/string-get-by-val-lowering.js: Added.
652         (shouldBe):
653         (test):
654         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
655         (Hello):
656         (foo):
657
658 2019-01-15  Tomas Popela  <tpopela@redhat.com>
659
660         Unreviewed, skip JIT tests if it's not enabled
661
662         * stress/bit-op-with-object-returning-int32.js:
663
664 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
665
666         DFGByteCodeParser rules for bitwise operations should consider type of their operands
667         https://bugs.webkit.org/show_bug.cgi?id=192966
668
669         Reviewed by Yusuke Suzuki.
670
671         * stress/bit-op-with-object-returning-int32.js: Added.
672
673 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
674
675         Skip a slow test and a flakey test on arm
676
677         Unreviewed gardening.
678
679         * typeProfiler/getter-richards.js:
680         this test always times out, it used to be always skipped on arm and
681         mips, but got accidentally enabled by r237919 now that we have DFG on
682         arm. Also skipping on mips as we plan to soon enable DFG for it too.
683
684 2019-01-14  Keith Miller  <keith_miller@apple.com>
685
686         Skip type-check-hoisting-phase-hoist... with no jit
687         https://bugs.webkit.org/show_bug.cgi?id=193421
688
689         Reviewed by Mark Lam.
690
691         It's timing out the 32-bit bots and takes 330 seconds
692         on my machine when run by itself.
693
694         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
695
696 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
697
698         [JSC] AI should check the given constant's array type when folding GetByVal into constant
699         https://bugs.webkit.org/show_bug.cgi?id=193413
700         <rdar://problem/46092389>
701
702         Reviewed by Keith Miller.
703
704         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
705         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
706         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
707         but GetByVal does not have appropriate ArrayModes, JSC crashes.
708
709         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
710         (compareArray):
711
712 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
713
714         [BigInt] Literal parsing is crashing when used inside a Object Literal
715         https://bugs.webkit.org/show_bug.cgi?id=193404
716
717         Reviewed by Yusuke Suzuki.
718
719         * stress/big-int-literal-inside-literal-object.js: Added.
720
721 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
722
723         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
724         https://bugs.webkit.org/show_bug.cgi?id=193372
725
726         Reviewed by Saam Barati.
727
728         * stress/typed-array-array-modes-profile.js: Added.
729         (foo):
730
731 2019-01-14  Mark Lam  <mark.lam@apple.com>
732
733         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
734         https://bugs.webkit.org/show_bug.cgi?id=193402
735         <rdar://problem/46012309>
736
737         Reviewed by Keith Miller.
738
739         * stress/regexp-compile-oom.js:
740         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
741           is enabled.  As a result, it will fail on cloop builds though there is no bug.
742
743 2019-01-11  Saam barati  <sbarati@apple.com>
744
745         DFG combined liveness can be wrong for terminal basic blocks
746         https://bugs.webkit.org/show_bug.cgi?id=193304
747         <rdar://problem/45268632>
748
749         Reviewed by Yusuke Suzuki.
750
751         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
752
753 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
754
755         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
756         https://bugs.webkit.org/show_bug.cgi?id=193308
757         <rdar://problem/45546542>
758
759         Reviewed by Saam Barati.
760
761         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
762         (shouldThrow):
763         (shouldBe):
764         (foo):
765         (get shouldThrow):
766         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
767         (shouldThrow):
768         (shouldBe):
769         (foo):
770         (get shouldBe):
771         (get shouldThrow):
772         (get return):
773         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
774         (shouldThrow):
775         (shouldBe):
776         (foo):
777         (get shouldBe):
778         (get shouldThrow):
779         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
780         (shouldThrow):
781         (shouldBe):
782         (foo):
783         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
784         (shouldThrow):
785         (shouldBe):
786         (foo):
787         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
788         (shouldThrow):
789         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
790         (shouldThrow):
791         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
792         (shouldThrow):
793         (shouldBe):
794         (foo):
795         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
796         (shouldThrow):
797         (shouldBe):
798         (foo):
799         (get shouldBe):
800         (get shouldThrow):
801         (get return):
802         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
803         (shouldThrow):
804         (shouldBe):
805         (foo):
806         (get shouldBe):
807         (get shouldThrow):
808         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
809         (shouldThrow):
810         (shouldBe):
811         (foo):
812         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
813         (shouldThrow):
814         (shouldBe):
815         (foo):
816
817 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
818
819         Enable DFG on ARM/Linux again
820         https://bugs.webkit.org/show_bug.cgi?id=192496
821
822         Reviewed by Yusuke Suzuki.
823
824         Test wasn't really skipped before moving the line with skip
825         to the top.
826
827         * stress/regress-192717.js:
828
829 2019-01-10  Commit Queue  <commit-queue@webkit.org>
830
831         Unreviewed, rolling out r239825.
832         https://bugs.webkit.org/show_bug.cgi?id=193330
833
834         Broke tests on armv7/linux bots (Requested by guijemont on
835         #webkit).
836
837         Reverted changeset:
838
839         "Enable DFG on ARM/Linux again"
840         https://bugs.webkit.org/show_bug.cgi?id=192496
841         https://trac.webkit.org/changeset/239825
842
843 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
844
845         Enable DFG on ARM/Linux again
846         https://bugs.webkit.org/show_bug.cgi?id=192496
847
848         Reviewed by Yusuke Suzuki.
849
850         Test wasn't really skipped before moving the line with skip
851         to the top.
852
853         * stress/regress-192717.js:
854
855 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
856
857         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
858         https://bugs.webkit.org/show_bug.cgi?id=193127
859
860         Reviewed by Saam Barati.
861
862         * stress/array-species-create-should-handle-masquerader.js: Added.
863         (shouldThrow):
864         * stress/is-undefined-or-null-builtin.js: Added.
865         (shouldBe):
866         (isUndefinedOrNull.vm.createBuiltin):
867
868 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
869
870         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
871         https://bugs.webkit.org/show_bug.cgi?id=193221
872
873         Reviewed by Mark Lam.
874
875         * stress/put-by-id-flags.js: Added.
876         (f):
877         (g):
878         (numberOfDFGCompiles):
879
880 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
881
882         Baseline version of get_by_id may corrupt metadata
883         https://bugs.webkit.org/show_bug.cgi?id=193085
884         <rdar://problem/23453006>
885
886         Reviewed by Saam Barati.
887
888         * stress/get-by-id-change-mode.js: Added.
889         (forEach):
890
891 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
892
893         [JSC] Optimize Object.prototype.toString
894         https://bugs.webkit.org/show_bug.cgi?id=193031
895
896         Reviewed by Saam Barati.
897
898         * stress/object-tostring-changed-proto.js: Added.
899         (shouldBe):
900         (test):
901         * stress/object-tostring-changed.js: Added.
902         (shouldBe):
903         (test):
904         * stress/object-tostring-misc.js: Added.
905         (shouldBe):
906         (test):
907         (i.switch):
908         * stress/object-tostring-other.js: Added.
909         (shouldBe):
910         (test):
911         * stress/object-tostring-untyped.js: Added.
912         (shouldBe):
913         (test):
914         (i.switch):
915
916 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
917
918         test262-runner misbehaves when test file YAML has a trailing space
919         https://bugs.webkit.org/show_bug.cgi?id=193053
920
921         Reviewed by Yusuke Suzuki.
922
923         * test262/expectations.yaml:
924         Mark two dozen tests as passing (and correct the output of another).
925
926 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
927
928         Unreviewed, JSTests gardening with memoryLimited
929
930         * stress/string-overflow-createError.js:
931
932 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
933
934         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
935         https://bugs.webkit.org/show_bug.cgi?id=193050
936
937         Reviewed by Yusuke Suzuki.
938
939         * test262.yaml:
940         * test262/expectations.yaml:
941         Mark 16 tests as passing.
942
943 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
944
945         [BigInt] Support BigInt in JSON.stringify
946         https://bugs.webkit.org/show_bug.cgi?id=192624
947
948         Reviewed by Saam Barati.
949
950         * stress/big-int-json-stringify-to-json.js: Added.
951         (shouldBe):
952         (shouldThrow):
953         (BigInt.prototype.toJSON):
954         (shouldBe.JSON.stringify):
955         * stress/big-int-json-stringify.js: Added.
956         (shouldBe):
957         (shouldThrow):
958
959 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
960
961         [JSC] Implement "well-formed JSON.stringify" proposal
962         https://bugs.webkit.org/show_bug.cgi?id=191677
963
964         Reviewed by Darin Adler.
965
966         * stress/json-surrogate-pair.js: Added.
967         (shouldBe):
968         * test262/expectations.yaml:
969
970 2018-12-20  Keith Miller  <keith_miller@apple.com>
971
972         Add support for globalThis
973         https://bugs.webkit.org/show_bug.cgi?id=165171
974
975         Reviewed by Mark Lam.
976
977         * test262/config.yaml:
978
979 2018-12-19  Keith Miller  <keith_miller@apple.com>
980
981         Update test262 configuration to not run tests dependent on ICU version.
982         https://bugs.webkit.org/show_bug.cgi?id=192920
983
984         Reviewed by Saam Barati.
985
986         * test262/expectations.yaml:
987
988 2018-12-20  Mark Lam  <mark.lam@apple.com>
989
990         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
991         https://bugs.webkit.org/show_bug.cgi?id=192939
992         <rdar://problem/46869516>
993
994         Reviewed by Keith Miller.
995
996         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
997
998 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
999
1000         WTF::String and StringImpl overflow MaxLength
1001         https://bugs.webkit.org/show_bug.cgi?id=192853
1002         <rdar://problem/45726906>
1003
1004         Reviewed by Mark Lam.
1005
1006         * stress/string-16bit-repeat-overflow.js: Added.
1007         (catch):
1008
1009 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1010
1011         Unreviewed follow-up to r192914.
1012
1013         * test262/expectations.yaml:
1014         Add the last 20 missing expectations.
1015
1016 2018-12-19  Keith Miller  <keith_miller@apple.com>
1017
1018         Fix test262 expectations
1019         https://bugs.webkit.org/show_bug.cgi?id=192914
1020
1021         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1022
1023         * test262/expectations.yaml:
1024
1025 2018-12-19  Keith Miller  <keith_miller@apple.com>
1026
1027         Update test262 tests.
1028         https://bugs.webkit.org/show_bug.cgi?id=192907
1029
1030         Rubber stamped by Mark Lam.
1031
1032         * test262/*: Omitted because prepare-changelog crashes.
1033
1034 2018-12-19  Mark Lam  <mark.lam@apple.com>
1035
1036         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1037         https://bugs.webkit.org/show_bug.cgi?id=192464
1038         <rdar://problem/46519455>
1039
1040         Reviewed by Saam Barati.
1041
1042         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1043         microbenchmark.
1044
1045         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1046         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1047
1048 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1049
1050         String overflow in JSC::createError results in ASSERT in WTF::makeString
1051         https://bugs.webkit.org/show_bug.cgi?id=192833
1052         <rdar://problem/45706868>
1053
1054         Reviewed by Mark Lam.
1055
1056         * stress/string-overflow-createError.js: Added.
1057
1058 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1059
1060         Error message for `-x ** y` contains a typo.
1061         https://bugs.webkit.org/show_bug.cgi?id=192832
1062
1063         Reviewed by Saam Barati.
1064
1065         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1066         (assert.assert.return.throws):
1067         * stress/pow-expects-update-expression-on-lhs.js:
1068         (throw.new.Error):
1069         Update test expectations which match against the exact error message.
1070
1071 2018-12-18  Mark Lam  <mark.lam@apple.com>
1072
1073         Gardening: test options fix.
1074         https://bugs.webkit.org/show_bug.cgi?id=192822
1075
1076         Unreviewed.
1077
1078         * stress/json-stringify-string-builder-overflow.js:
1079
1080 2018-12-18  Mark Lam  <mark.lam@apple.com>
1081
1082         JSON.stringify() should throw OOM on StringBuilder overflows.
1083         https://bugs.webkit.org/show_bug.cgi?id=192822
1084         <rdar://problem/46670577>
1085
1086         Reviewed by Saam Barati.
1087
1088         * stress/json-stringify-string-builder-overflow.js: Added.
1089
1090 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1091
1092         Redeclaration of var over let/const/class should be a syntax error.
1093         https://bugs.webkit.org/show_bug.cgi?id=192298
1094
1095         Reviewed by Keith Miller.
1096
1097         * test262.yaml:
1098         * test262/expectations.yaml:
1099         Mark 46 tests as passing.
1100
1101         * stress/block-scope-redeclarations.js:
1102         Add some new tests.
1103
1104         * stress/for-in-invalidate-context-weird-assignments.js:
1105         * stress/for-in-tests.js:
1106         Replace tests for outdated behavior with tests for SyntaxError.
1107
1108         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1109         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1110         Update expectations.
1111
1112 2018-12-18  Mark Lam  <mark.lam@apple.com>
1113
1114         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1115         https://bugs.webkit.org/show_bug.cgi?id=191374
1116         <rdar://problem/46525447>
1117
1118         Reviewed by Yusuke Suzuki.
1119
1120         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1121
1122         * stress/elidable-new-object-roflcopter-then-exit.js:
1123
1124 2018-12-17  Mark Lam  <mark.lam@apple.com>
1125
1126         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1127         https://bugs.webkit.org/show_bug.cgi?id=192019
1128         <rdar://problem/46525456>
1129
1130         Reviewed by Yusuke Suzuki.
1131
1132         The test runs too slow on 32-bit.
1133
1134         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1135
1136 2018-12-17  Mark Lam  <mark.lam@apple.com>
1137
1138         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1139         https://bugs.webkit.org/show_bug.cgi?id=191373
1140         <rdar://problem/46525458>
1141
1142         Reviewed by Yusuke Suzuki.
1143
1144         The test is already slow running with a JIT on 64-bit.  It will always time out
1145         on 32-bit without a JIT.
1146
1147         * stress/materialize-regexp-cyclic-regexp.js:
1148
1149 2018-12-17  Mark Lam  <mark.lam@apple.com>
1150
1151         Array unshift/shift should not race against the AI in the compiler thread.
1152         https://bugs.webkit.org/show_bug.cgi?id=192795
1153         <rdar://problem/46724263>
1154
1155         Reviewed by Saam Barati.
1156
1157         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1158
1159 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1160
1161         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1162         https://bugs.webkit.org/show_bug.cgi?id=190047
1163
1164         Reviewed by Saam Barati.
1165
1166         * stress/object-keys-cached-zero.js: Added.
1167         (shouldBe):
1168         (test):
1169         * stress/object-keys-changed-attribute.js: Added.
1170         (shouldBe):
1171         (test):
1172         * stress/object-keys-changed-index.js: Added.
1173         (shouldBe):
1174         (test):
1175         * stress/object-keys-changed.js: Added.
1176         (shouldBe):
1177         (test):
1178         * stress/object-keys-indexed-non-cache.js: Added.
1179         (shouldBe):
1180         (test):
1181         * stress/object-keys-overrides-get-property-names.js: Added.
1182         (shouldBe):
1183         (test):
1184         (noInline):
1185
1186 2018-12-17  Mark Lam  <mark.lam@apple.com>
1187
1188         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1189         https://bugs.webkit.org/show_bug.cgi?id=192779
1190         <rdar://problem/46775869>
1191
1192         Reviewed by Saam Barati.
1193
1194         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1195
1196 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1197
1198         Unreviewed test gardening, address a syntax error in a new test.
1199
1200         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1201
1202 2018-12-17  Mark Lam  <mark.lam@apple.com>
1203
1204         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1205         https://bugs.webkit.org/show_bug.cgi?id=192776
1206         <rdar://problem/46772368>
1207
1208         Reviewed by Keith Miller.
1209
1210         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1211
1212 2018-12-17  Mark Lam  <mark.lam@apple.com>
1213
1214         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1215         https://bugs.webkit.org/show_bug.cgi?id=192770
1216         <rdar://problem/46449037>
1217
1218         Reviewed by Keith Miller.
1219
1220         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1221
1222 2018-12-14  Mark Lam  <mark.lam@apple.com>
1223
1224         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1225         https://bugs.webkit.org/show_bug.cgi?id=192717
1226         <rdar://problem/46660677>
1227
1228         Reviewed by Saam Barati.
1229
1230         * stress/regress-192717.js: Added.
1231
1232 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1233
1234         Unreviewed, rolling out r239153, r239154, and r239155.
1235         https://bugs.webkit.org/show_bug.cgi?id=192715
1236
1237         Caused flaky GC-related crashes seen with layout tests
1238         (Requested by ryanhaddad on #webkit).
1239
1240         Reverted changesets:
1241
1242         "[JSC] Optimize Object.keys by caching own keys results in
1243         StructureRareData"
1244         https://bugs.webkit.org/show_bug.cgi?id=190047
1245         https://trac.webkit.org/changeset/239153
1246
1247         "Unreviewed, build fix after r239153"
1248         https://bugs.webkit.org/show_bug.cgi?id=190047
1249         https://trac.webkit.org/changeset/239154
1250
1251         "Unreviewed, build fix after r239153, part 2"
1252         https://bugs.webkit.org/show_bug.cgi?id=190047
1253         https://trac.webkit.org/changeset/239155
1254
1255 2018-12-14  Keith Miller  <keith_miller@apple.com>
1256
1257         Callers of JSString::getIndex should check for OOM exceptions
1258         https://bugs.webkit.org/show_bug.cgi?id=192709
1259
1260         Reviewed by Mark Lam.
1261
1262         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1263
1264 2018-12-13  Mark Lam  <mark.lam@apple.com>
1265
1266         Add a missing exception check.
1267         https://bugs.webkit.org/show_bug.cgi?id=192626
1268         <rdar://problem/46662163>
1269
1270         Reviewed by Keith Miller.
1271
1272         * stress/regress-192626.js: Added.
1273
1274 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1275
1276         [BigInt] Add ValueDiv into DFG
1277         https://bugs.webkit.org/show_bug.cgi?id=186178
1278
1279         Reviewed by Yusuke Suzuki.
1280
1281         * stress/big-int-div-jit-osr.js: Added.
1282         * stress/big-int-div-jit-untyped.js: Added.
1283         * stress/value-div-fixup-int32-big-int.js: Added.
1284
1285 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1286
1287         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1288         https://bugs.webkit.org/show_bug.cgi?id=190047
1289
1290         Reviewed by Keith Miller.
1291
1292         * stress/object-keys-cached-zero.js: Added.
1293         (shouldBe):
1294         (test):
1295         * stress/object-keys-changed-attribute.js: Added.
1296         (shouldBe):
1297         (test):
1298         * stress/object-keys-changed-index.js: Added.
1299         (shouldBe):
1300         (test):
1301         * stress/object-keys-changed.js: Added.
1302         (shouldBe):
1303         (test):
1304         * stress/object-keys-indexed-non-cache.js: Added.
1305         (shouldBe):
1306         (test):
1307         * stress/object-keys-overrides-get-property-names.js: Added.
1308         (shouldBe):
1309         (test):
1310         (noInline):
1311
1312 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1313
1314         [DFG][FTL] Add NewSymbol
1315         https://bugs.webkit.org/show_bug.cgi?id=192620
1316
1317         Reviewed by Saam Barati.
1318
1319         * microbenchmarks/symbol-creation.js: Added.
1320         (test):
1321         * stress/symbol-description-identity.js: Added.
1322         (shouldBe):
1323         (test):
1324         * stress/symbol-identity.js: Added.
1325         (shouldBe):
1326         (test):
1327         * stress/symbol-with-description-throw-error.js: Added.
1328         (shouldBe):
1329         (shouldThrow):
1330         (test):
1331         (object.toString):
1332
1333 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1334
1335         [BigInt] Implement DFG/FTL typeof for BigInt
1336         https://bugs.webkit.org/show_bug.cgi?id=192619
1337
1338         Reviewed by Keith Miller.
1339
1340         * stress/big-int-boolean-proven-type.js: Added.
1341         (assert):
1342         (bool):
1343         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1344         (assert):
1345         (typeOf):
1346         (i.switch):
1347         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1348         (assert):
1349         (typeOf):
1350         * stress/big-int-type-of.js:
1351         (typeOf):
1352         (func):
1353
1354 2018-12-10  Mark Lam  <mark.lam@apple.com>
1355
1356         PropertyAttribute needs a CustomValue bit.
1357         https://bugs.webkit.org/show_bug.cgi?id=191993
1358         <rdar://problem/46264467>
1359
1360         Reviewed by Saam Barati.
1361
1362         * stress/regress-191993.js: Added.
1363
1364 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1365
1366         [BigInt] Add ValueMul into DFG
1367         https://bugs.webkit.org/show_bug.cgi?id=186175
1368
1369         Reviewed by Yusuke Suzuki.
1370
1371         * stress/big-int-mul-jit-osr.js: Added.
1372         * stress/big-int-mul-jit-untyped.js: Added.
1373         * stress/value-mul-fixup-int32-big-int.js: Added.
1374
1375 2018-12-06  Keith Miller  <keith_miller@apple.com>
1376
1377         stress/big-wasm-memory tests failing on 32-bit JSC bot
1378         https://bugs.webkit.org/show_bug.cgi?id=192020
1379
1380         Reviewed by Saam Barati.
1381
1382         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1383         the wasm stress tests if the WebAssembly object does not exist.
1384
1385         * stress/big-wasm-memory-grow-no-max.js:
1386         (test.foo):
1387         (test):
1388         (foo): Deleted.
1389         (catch): Deleted.
1390         * stress/big-wasm-memory-grow.js:
1391         (test.foo):
1392         (test):
1393         (foo): Deleted.
1394         (catch): Deleted.
1395         * stress/big-wasm-memory.js:
1396         (test.foo):
1397         (test):
1398         (foo): Deleted.
1399         (catch): Deleted.
1400
1401 2018-12-05  Mark Lam  <mark.lam@apple.com>
1402
1403         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1404         https://bugs.webkit.org/show_bug.cgi?id=192441
1405         <rdar://problem/46480355>
1406
1407         Reviewed by Saam Barati.
1408
1409         * stress/regress-192441.js: Added.
1410
1411 2018-12-04  Mark Lam  <mark.lam@apple.com>
1412
1413         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1414         https://bugs.webkit.org/show_bug.cgi?id=192386
1415         <rdar://problem/46445516>
1416
1417         Reviewed by Saam Barati.
1418
1419         * stress/regress-192386.js: Added.
1420
1421 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1422
1423         [ESNext][BigInt] Support logic operations
1424         https://bugs.webkit.org/show_bug.cgi?id=179903
1425
1426         Reviewed by Yusuke Suzuki.
1427
1428         * stress/big-int-branch-usage.js: Added.
1429         * stress/big-int-logical-and.js: Added.
1430         * stress/big-int-logical-not.js: Added.
1431         * stress/big-int-logical-or.js: Added.
1432
1433 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1434
1435         Unreviewed, rolling out r238833.
1436
1437         Breaks macOS and iOS debug builds.
1438
1439         Reverted changeset:
1440
1441         "[ESNext][BigInt] Support logic operations"
1442         https://bugs.webkit.org/show_bug.cgi?id=179903
1443         https://trac.webkit.org/changeset/238833
1444
1445 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1446
1447         [ESNext][BigInt] Support logic operations
1448         https://bugs.webkit.org/show_bug.cgi?id=179903
1449
1450         Reviewed by Yusuke Suzuki.
1451
1452         * stress/big-int-branch-usage.js: Added.
1453         * stress/big-int-logical-and.js: Added.
1454         * stress/big-int-logical-not.js: Added.
1455         * stress/big-int-logical-or.js: Added.
1456
1457 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1458
1459         [ESNext][BigInt] Implement support for "<<" and ">>"
1460         https://bugs.webkit.org/show_bug.cgi?id=186233
1461
1462         Reviewed by Yusuke Suzuki.
1463
1464         * stress/big-int-left-shift-general.js: Added.
1465         * stress/big-int-left-shift-range-error.js: Added.
1466         * stress/big-int-left-shift-type-error.js: Added.
1467         * stress/big-int-left-shift-wrapped-value.js: Added.
1468         * stress/big-int-right-shift-general.js: Added.
1469         * stress/big-int-right-shift-type-error.js: Added.
1470         * stress/big-int-right-shift-wrapped-value.js: Added.
1471         * stress/left-shift-to-primitive-precedence.js: Added.
1472         * stress/right-shift-to-primitive-precedence.js: Added.
1473
1474 2018-11-30  Dean Jackson  <dino@apple.com>
1475
1476         Add first-class support for .mjs files in jsc binary
1477         https://bugs.webkit.org/show_bug.cgi?id=192190
1478         <rdar://problem/46375715>
1479
1480         Reviewed by Keith Miller.
1481
1482         * stress/simple-module.mjs: Added.
1483         * stress/simple-script.js: Added.
1484
1485 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1486
1487         [BigInt] Implement ValueBitXor into DFG
1488         https://bugs.webkit.org/show_bug.cgi?id=190264
1489
1490         Reviewed by Yusuke Suzuki.
1491
1492         * stress/big-int-bitwise-xor-jit.js: Added.
1493         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1494         * stress/big-int-bitwise-xor-untyped.js: Added.
1495
1496 2018-11-27  Saam barati  <sbarati@apple.com>
1497
1498         r238510 broke scopes of size zero
1499         https://bugs.webkit.org/show_bug.cgi?id=192033
1500         <rdar://problem/46281734>
1501
1502         Reviewed by Keith Miller.
1503
1504         * stress/r238510-bad-loop.js: Added.
1505         (foo):
1506
1507 2018-11-27  Mark Lam  <mark.lam@apple.com>
1508
1509         [Re-landing] NaNs read from Wasm code need to be purified.
1510         https://bugs.webkit.org/show_bug.cgi?id=191056
1511         <rdar://problem/45660341>
1512
1513         Reviewed by Filip Pizlo.
1514
1515         * wasm/regress/regress-191056.js: Added.
1516
1517 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1518
1519         Unreviewed, rolling out r238509.
1520
1521         Causes JSC tests to fail on iOS.
1522
1523         Reverted changeset:
1524
1525         "NaNs read from Wasm code need to be purified."
1526         https://bugs.webkit.org/show_bug.cgi?id=191056
1527         https://trac.webkit.org/changeset/238509
1528
1529 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1530
1531         Re-introduce op_bitnot
1532         https://bugs.webkit.org/show_bug.cgi?id=190923
1533
1534         Reviewed by Yusuke Suzuki.
1535
1536         * stress/bit-not-must-generate.js: Added.
1537         * stress/bitwise-not-no-int32.js: Added.
1538
1539 2018-11-26  Saam barati  <sbarati@apple.com>
1540
1541         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1542         https://bugs.webkit.org/show_bug.cgi?id=191956
1543         <rdar://problem/45665806>
1544
1545         Reviewed by Yusuke Suzuki.
1546
1547         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1548         (bar):
1549         (foo):
1550
1551 2018-11-26  Saam barati  <sbarati@apple.com>
1552
1553         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1554         https://bugs.webkit.org/show_bug.cgi?id=191958
1555         <rdar://problem/46221877>
1556
1557         Reviewed by Yusuke Suzuki.
1558
1559         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1560         (x):
1561         (foo):
1562
1563 2018-11-26  Mark Lam  <mark.lam@apple.com>
1564
1565         NaNs read from Wasm code need to be purified.
1566         https://bugs.webkit.org/show_bug.cgi?id=191056
1567         <rdar://problem/45660341>
1568
1569         Reviewed by Filip Pizlo.
1570
1571         * wasm/regress/regress-191056.js: Added.
1572
1573 2018-11-26  Michael Saboff  <msaboff@apple.com>
1574
1575         32-bit JSC test failure: stress/regexp-compile-oom.js
1576         https://bugs.webkit.org/show_bug.cgi?id=191375
1577
1578         Reviewed by Mark Lam.
1579
1580         Disabled the test for 32 bit platforms.
1581
1582         * stress/regexp-compile-oom.js:
1583
1584 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1585
1586         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1587         https://bugs.webkit.org/show_bug.cgi?id=191716
1588         <rdar://problem/45723878>
1589
1590         Reviewed by Saam Barati.
1591
1592         * stress/regress-187373.js: Added.
1593         (async.fn):
1594
1595 2018-11-21  Saam barati  <sbarati@apple.com>
1596
1597         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1598         https://bugs.webkit.org/show_bug.cgi?id=191897
1599         <rdar://problem/45871998>
1600
1601         Reviewed by Mark Lam.
1602
1603         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1604         (bar):
1605         (foo):
1606
1607 2018-11-21  Saam barati  <sbarati@apple.com>
1608
1609         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1610         https://bugs.webkit.org/show_bug.cgi?id=191895
1611         <rdar://problem/46167406>
1612
1613         Reviewed by Mark Lam.
1614
1615         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1616         (foo):
1617         (bar):
1618
1619 2018-11-21  Mark Lam  <mark.lam@apple.com>
1620
1621         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1622         https://bugs.webkit.org/show_bug.cgi?id=191776
1623         <rdar://problem/46152851>
1624
1625         Reviewed by Saam Barati.
1626
1627         * stress/big-wasm-memory-grow-no-max.js:
1628         * stress/big-wasm-memory-grow.js:
1629         * stress/big-wasm-memory.js:
1630         - updated these to expect an OutOfMemoryError.
1631
1632         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1633         (Binary.prototype.emit_u8):
1634         (Binary.prototype.emit_u32v):
1635         (Binary.prototype.emit_header):
1636         (Binary.prototype.emit_section):
1637         (Binary):
1638         (WasmModuleBuilder):
1639         (WasmModuleBuilder.prototype.addMemory):
1640         (WasmModuleBuilder.prototype.toArray):
1641         (WasmModuleBuilder.prototype.toBuffer):
1642         (WasmModuleBuilder.prototype.instantiate):
1643         (catch):
1644         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1645         (catch):
1646
1647 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1648
1649         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1650         https://bugs.webkit.org/show_bug.cgi?id=190836
1651
1652         Reviewed by Saam Barati and Yusuke Suzuki.
1653
1654         * stress/big-int-out-of-memory-tests.js: Added.
1655
1656 2018-11-20  Mark Lam  <mark.lam@apple.com>
1657
1658         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1659         https://bugs.webkit.org/show_bug.cgi?id=191856
1660         <rdar://problem/46089992>
1661
1662         Reviewed by Yusuke Suzuki.
1663
1664         * stress/regress-191856.js: Added.
1665         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1666
1667 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1668
1669         Enable JIT on ARM/Linux
1670         https://bugs.webkit.org/show_bug.cgi?id=191548
1671
1672         Reviewed by Yusuke Suzuki.
1673
1674         Disable test on system with limited memory. Program was killed by
1675         the OS before the exception was thrown.
1676
1677         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1678
1679 2018-11-20  Saam barati  <sbarati@apple.com>
1680
1681         Merging an IC variant may lead to the IC status containing overlapping structure sets
1682         https://bugs.webkit.org/show_bug.cgi?id=191869
1683         <rdar://problem/45403453>
1684
1685         Reviewed by Mark Lam.
1686
1687         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1688
1689 2018-11-19  Mark Lam  <mark.lam@apple.com>
1690
1691         globalFuncImportModule() should return a promise when it clears exceptions.
1692         https://bugs.webkit.org/show_bug.cgi?id=191792
1693         <rdar://problem/46090763>
1694
1695         Reviewed by Michael Saboff.
1696
1697         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1698
1699 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1700
1701         Skip new memory-hungry tests on memory limited devices
1702
1703         Unreviewed gardening.
1704
1705         * stress/big-wasm-memory-grow-no-max.js:
1706         * stress/big-wasm-memory-grow.js:
1707         * stress/big-wasm-memory.js:
1708
1709 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1710
1711         Unreviewed, rolling in the rest of r237254
1712         https://bugs.webkit.org/show_bug.cgi?id=190340
1713
1714         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1715         * stress/function-cache-with-parameters-end-position.js: Added.
1716         (shouldBe):
1717         (shouldThrow):
1718         (i.anonymous):
1719         * stress/function-constructor-name.js: Added.
1720         (shouldBe):
1721         (GeneratorFunction):
1722         (AsyncFunction.async):
1723         (AsyncGeneratorFunction.async):
1724         (anonymous):
1725         (async.anonymous):
1726         * test262/expectations.yaml:
1727
1728 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1729
1730         All users of ArrayBuffer should agree on the same max size
1731         https://bugs.webkit.org/show_bug.cgi?id=191771
1732
1733         Reviewed by Mark Lam.
1734
1735         * stress/big-wasm-memory-grow-no-max.js: Added.
1736         (foo):
1737         (catch):
1738         * stress/big-wasm-memory-grow.js: Added.
1739         (foo):
1740         (catch):
1741         * stress/big-wasm-memory.js: Added.
1742         (foo):
1743         (catch):
1744
1745 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1746
1747         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1748         run for each JSC config since they're regression tests for runtime bugs.
1749
1750         * stress/json-stringified-overflow-2.js:
1751         * stress/json-stringified-overflow.js:
1752
1753 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1754
1755         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1756         config since they're regression tests for runtime bugs.
1757
1758         * stress/large-unshift-splice.js:
1759         * stress/regress-185888.js:
1760
1761 2018-11-16  Saam Barati  <sbarati@apple.com>
1762
1763         KnownCellUse should also have SpecCellCheck as its type filter
1764         https://bugs.webkit.org/show_bug.cgi?id=191729
1765         <rdar://problem/45872852>
1766
1767         Reviewed by Filip Pizlo.
1768
1769         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1770         (C):
1771
1772 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1773
1774         Fix assertion failure on BytecodeGenerator::recordOpcode
1775         https://bugs.webkit.org/show_bug.cgi?id=191724
1776         <rdar://problem/45724395>
1777
1778         Reviewed by Saam Barati.
1779
1780         * stress/regress-187373-2.js: Added.
1781         (foo):
1782
1783 2018-11-15  Mark Lam  <mark.lam@apple.com>
1784
1785         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1786         https://bugs.webkit.org/show_bug.cgi?id=191730
1787         <rdar://problem/46048517>
1788
1789         Reviewed by Saam Barati.
1790
1791         * stress/regress-187006.js: Removed.
1792           - this test is invalid because its sole purpose is to test for the non-spec
1793             compliant behavior that we just fixed.
1794
1795         * stress/regress-191730.js: Added.
1796
1797 2018-11-15  Mark Lam  <mark.lam@apple.com>
1798
1799         RegExp operations should not take fast patch if lastIndex is not numeric.
1800         https://bugs.webkit.org/show_bug.cgi?id=191731
1801         <rdar://problem/46017305>
1802
1803         Reviewed by Saam Barati.
1804
1805         * stress/regress-191731.js: Added.
1806
1807 2018-11-13  Saam Barati  <sbarati@apple.com>
1808
1809         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1810         https://bugs.webkit.org/show_bug.cgi?id=191600
1811
1812         Reviewed by Mark Lam.
1813
1814         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1815         (foo):
1816         (test):
1817         (bar):
1818
1819 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1820
1821         Unreviewed, rolling out r238132.
1822
1823         The test added with this change is timing out on Debug JSC
1824         bots.
1825
1826         Reverted changeset:
1827
1828         "[BigInt] JSBigInt::createWithLength should throw when length
1829         is greater than JSBigInt::maxLength"
1830         https://bugs.webkit.org/show_bug.cgi?id=190836
1831         https://trac.webkit.org/changeset/238132
1832
1833 2018-11-13  Mark Lam  <mark.lam@apple.com>
1834
1835         Add OOM detection to StringPrototype's substituteBackreferences().
1836         https://bugs.webkit.org/show_bug.cgi?id=191563
1837         <rdar://problem/45720428>
1838
1839         Reviewed by Saam Barati.
1840
1841         * stress/regress-191563.js: Added.
1842
1843 2018-11-13  Mark Lam  <mark.lam@apple.com>
1844
1845         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1846         https://bugs.webkit.org/show_bug.cgi?id=191579
1847         <rdar://problem/45942472>
1848
1849         Reviewed by Saam Barati.
1850
1851         * stress/regress-191579.js: Added.
1852
1853 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1854
1855         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1856         https://bugs.webkit.org/show_bug.cgi?id=190836
1857
1858         Reviewed by Saam Barati.
1859
1860         * stress/big-int-out-of-memory-tests.js: Added.
1861
1862 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1863
1864         U+180E is no longer a whitespace character
1865         https://bugs.webkit.org/show_bug.cgi?id=191415
1866
1867         Reviewed by Saam Barati.
1868
1869         * ChakraCore/test/es5/regexSpace.baseline:
1870         * ChakraCore/test/es6/unicode_whitespace.js:
1871         Update tests to latest version.
1872         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1873
1874         * test262.yaml:
1875         * test262/config.yaml:
1876         * test262/expectations.yaml:
1877         Update expectations.
1878
1879 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1880
1881         [BigInt] Add support to BigInt into ValueAdd
1882         https://bugs.webkit.org/show_bug.cgi?id=186177
1883
1884         Reviewed by Keith Miller.
1885
1886         * stress/big-int-negate-jit.js:
1887         * stress/value-add-big-int-and-string.js: Added.
1888         * stress/value-add-big-int-prediction-propagation.js: Added.
1889         * stress/value-add-big-int-untyped.js: Added.
1890
1891 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1892
1893         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1894         https://bugs.webkit.org/show_bug.cgi?id=191184
1895
1896         Reviewed by Saam Barati.
1897
1898         Most tests were failing due to timeouts, since they are too slow to
1899         run on CLoop. The exceptions are:
1900
1901         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1902         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1903         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1904         to change the stack size since CLoop requires it to be page aligned.
1905
1906         * microbenchmarks/array-push-1.js:
1907         * microbenchmarks/array-push-2.js:
1908         * microbenchmarks/elidable-new-object-dag.js:
1909         * microbenchmarks/elidable-new-object-roflcopter.js:
1910         * microbenchmarks/elidable-new-object-tree.js:
1911         * microbenchmarks/getter-richards.js:
1912         * microbenchmarks/sinkable-new-object-dag.js:
1913         * microbenchmarks/string-concat-long-convert.js:
1914         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1915         * slowMicrobenchmarks/array-push-3.js:
1916         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1917         * slowMicrobenchmarks/spread-small-array.js:
1918         * slowMicrobenchmarks/undefined-property-access.js:
1919         * stress/activation-sink-default-value-tdz-error.js:
1920         * stress/activation-sink-default-value.js:
1921         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1922         * stress/activation-sink-osrexit-default-value.js:
1923         * stress/activation-sink-osrexit.js:
1924         * stress/activation-sink.js:
1925         * stress/allow-math-ic-b3-code-duplication.js:
1926         * stress/array-push-multiple-int32.js:
1927         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1928         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1929         * stress/arrowfunction-lexical-this-activation-sink.js:
1930         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1931         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1932         * stress/elide-new-object-dag-then-exit.js:
1933         * stress/materialize-regexp-cyclic.js:
1934         * stress/new-regex-inline.js:
1935         * stress/op_add.js:
1936         * stress/op_bitand.js:
1937         * stress/op_bitor.js:
1938         * stress/op_bitxor.js:
1939         * stress/op_div-ConstVar.js:
1940         * stress/op_div-VarConst.js:
1941         * stress/op_div-VarVar.js:
1942         * stress/op_lshift-ConstVar.js:
1943         * stress/op_lshift-VarConst.js:
1944         * stress/op_lshift-VarVar.js:
1945         * stress/op_mod-ConstVar.js:
1946         * stress/op_mod-VarConst.js:
1947         * stress/op_mod-VarVar.js:
1948         * stress/op_mul-ConstVar.js:
1949         * stress/op_mul-VarConst.js:
1950         * stress/op_mul-VarVar.js:
1951         * stress/op_rshift-ConstVar.js:
1952         * stress/op_rshift-VarConst.js:
1953         * stress/op_rshift-VarVar.js:
1954         * stress/op_sub-ConstVar.js:
1955         * stress/op_sub-VarConst.js:
1956         * stress/op_sub-VarVar.js:
1957         * stress/op_urshift-ConstVar.js:
1958         * stress/op_urshift-VarConst.js:
1959         * stress/op_urshift-VarVar.js:
1960         * stress/proxy-get-set-correct-receiver.js:
1961         * stress/regress-179562.js:
1962         * stress/rest-parameter-many-arguments.js:
1963         * stress/sampling-profiler-richards.js:
1964         * stress/splay-flash-access-1ms.js:
1965         * stress/tailCallForwardArguments.js:
1966         * stress/typed-array-get-by-val-profiling.js:
1967         * typeProfiler/getter-richards.js:
1968
1969 2018-11-06  Michael Saboff  <msaboff@apple.com>
1970
1971         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1972         https://bugs.webkit.org/show_bug.cgi?id=191271
1973
1974         Reviewed by Saam Barati.
1975
1976         Added more test cases and made all test cases run with the same deeply recursive stack
1977         instead of finding that same point for each test case.
1978
1979         * stress/regexp-compile-oom.js:
1980         (prototype.runTest):
1981         (recurseAndTest):
1982         (testList.push.new.TestAndExpectedException):
1983
1984 2018-11-05  Michael Saboff  <msaboff@apple.com>
1985
1986         Unreviewed build fix for linux.
1987
1988         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1989
1990 2018-11-02  Michael Saboff  <msaboff@apple.com>
1991
1992         Rolling in r237753 with unreviewed build fix.
1993
1994         Fixed issues with DECLARE_THROW_SCOPE placement.
1995
1996 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1997
1998         Unreviewed, rolling out r237753.
1999
2000         Introduced JSC test failures
2001
2002         Reverted changeset:
2003
2004         "Running out of stack space not properly handled in
2005         RegExp::compile() and its callers"
2006         https://bugs.webkit.org/show_bug.cgi?id=191206
2007         https://trac.webkit.org/changeset/237753
2008
2009 2018-11-02  Michael Saboff  <msaboff@apple.com>
2010
2011         Running out of stack space not properly handled in RegExp::compile() and its callers
2012         https://bugs.webkit.org/show_bug.cgi?id=191206
2013
2014         Reviewed by Filip Pizlo.
2015
2016         New regression test.
2017
2018         * stress/regexp-compile-oom.js: Added.
2019         (recurseAndTest):
2020
2021 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2022
2023         Skip tests on arm/mips that time out now we're running on CLoop
2024
2025         Unreviewed gardening.
2026
2027         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2028         time out on the bots and need to be disabled. There's more tests
2029         disabled on arm because the timeout is longer on the mips bot (as the
2030         device is slower to start with), so many of the tests don't time out
2031         there.
2032
2033         * microbenchmarks/getter-richards.js: disable on arm and mips.
2034         * stress/op_add.js: disable on arm.
2035         * stress/op_bitand.js: disable on arm.
2036         * stress/op_bitor.js: disable on arm.
2037         * stress/op_bitxor.js: disable on arm.
2038         * stress/op_lshift-ConstVar.js: disable on arm.
2039         * stress/op_lshift-VarConst.js: disable on arm.
2040         * stress/op_lshift-VarVar.js: disable on arm.
2041         * stress/op_mod-ConstVar.js: disable on arm.
2042         * stress/op_mod-VarConst.js: disable on arm.
2043         * stress/op_mod-VarVar.js: disable on arm.
2044         * stress/op_mul-ConstVar.js: disable on arm.
2045         * stress/op_mul-VarConst.js: disable on arm.
2046         * stress/op_mul-VarVar.js: disable on arm.
2047         * stress/op_rshift-ConstVar.js: disable on arm.
2048         * stress/op_rshift-VarConst.js: disable on arm.
2049         * stress/op_rshift-VarVar.js: disable on arm.
2050         * stress/op_sub-ConstVar.js: disable on arm.
2051         * stress/op_sub-VarConst.js: disable on arm.
2052         * stress/op_sub-VarVar.js: disable on arm.
2053         * stress/op_urshift-ConstVar.js: disable on arm.
2054         * stress/op_urshift-VarConst.js: disable on arm.
2055         * stress/op_urshift-VarVar.js: disable on arm.
2056         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2057         * stress/value-to-boolean.js: disable on arm and mips.
2058
2059 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2060
2061         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2062         https://bugs.webkit.org/show_bug.cgi?id=191108
2063         <rdar://problem/45690700>
2064
2065         Reviewed by Saam Barati.
2066
2067         * stress/wide-op_catch.js: Added.
2068         (catch):
2069
2070 2018-10-29  Mark Lam  <mark.lam@apple.com>
2071
2072         Correctly detect string overflow when using the 'Function' constructor.
2073         https://bugs.webkit.org/show_bug.cgi?id=184883
2074         <rdar://problem/36320331>
2075
2076         Reviewed by Saam Barati.
2077
2078         I've verified that this passes on 32-bit as well.
2079
2080         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2081
2082 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2083
2084         Add support for GetStack FlushedDouble
2085         https://bugs.webkit.org/show_bug.cgi?id=191012
2086         <rdar://problem/45265141>
2087
2088         Reviewed by Saam Barati.
2089
2090         * stress/get-stack-double.js: Added.
2091         (bar):
2092         (noInline):
2093
2094 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2095
2096         New bytecode format for JSC
2097         https://bugs.webkit.org/show_bug.cgi?id=187373
2098         <rdar://problem/44186758>
2099
2100         Reviewed by Filip Pizlo.
2101
2102         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2103
2104         * stress/maximum-inline-capacity.js: Added.
2105         (test1):
2106         (test3.Foo):
2107         (test3):
2108
2109 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2110
2111         Unreviewed, rolling out r237479 and r237484.
2112         https://bugs.webkit.org/show_bug.cgi?id=190978
2113
2114         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2115
2116         Reverted changesets:
2117
2118         "New bytecode format for JSC"
2119         https://bugs.webkit.org/show_bug.cgi?id=187373
2120         https://trac.webkit.org/changeset/237479
2121
2122         "Gardening: Build fix after r237479."
2123         https://bugs.webkit.org/show_bug.cgi?id=187373
2124         https://trac.webkit.org/changeset/237484
2125
2126 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2127
2128         New bytecode format for JSC
2129         https://bugs.webkit.org/show_bug.cgi?id=187373
2130         <rdar://problem/44186758>
2131
2132         Reviewed by Filip Pizlo.
2133
2134         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2135
2136         * stress/maximum-inline-capacity.js: Added.
2137         (test1):
2138         (test3.Foo):
2139         (test3):
2140
2141 2018-10-26  Mark Lam  <mark.lam@apple.com>
2142
2143         Fix missing edge cases with JSGlobalObjects having a bad time.
2144         https://bugs.webkit.org/show_bug.cgi?id=189028
2145         <rdar://problem/45204939>
2146
2147         Reviewed by Saam Barati.
2148
2149         * stress/regress-189028.js: Added.
2150
2151 2018-10-22  Mark Lam  <mark.lam@apple.com>
2152
2153         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2154         https://bugs.webkit.org/show_bug.cgi?id=190515
2155         <rdar://problem/45222379>
2156
2157         Rubber-stamped by Saam Barati.
2158
2159         Adding another test.
2160
2161         * stress/regress-190515-2.js: Added.
2162
2163 2018-10-22  Mark Lam  <mark.lam@apple.com>
2164
2165         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2166         https://bugs.webkit.org/show_bug.cgi?id=190515
2167         <rdar://problem/45222379>
2168
2169         Reviewed by Saam Barati.
2170
2171         * stress/regress-190515.js: Added.
2172
2173 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2174
2175         Unreviewed, rolling out r237254.
2176         https://bugs.webkit.org/show_bug.cgi?id=190760
2177
2178         "It regresses JetStream 2 by 5% on some iOS devices"
2179         (Requested by saamyjoon on #webkit).
2180
2181         Reverted changeset:
2182
2183         "[JSC] JSC should have "parseFunction" to optimize Function
2184         constructor"
2185         https://bugs.webkit.org/show_bug.cgi?id=190340
2186         https://trac.webkit.org/changeset/237254
2187
2188 2018-10-19  Saam Barati  <sbarati@apple.com>
2189
2190         vmCall should check if we exit before emitting an OSR exit due to exceptions
2191         https://bugs.webkit.org/show_bug.cgi?id=190740
2192         <rdar://problem/45220139>
2193
2194         Reviewed by Mark Lam.
2195
2196         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2197         (foo):
2198
2199 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2200
2201         [ESNext][BigInt] Implement support for "^"
2202         https://bugs.webkit.org/show_bug.cgi?id=186235
2203
2204         Reviewed by Yusuke Suzuki.
2205
2206         * stress/big-int-bitwise-xor-general.js: Added.
2207         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2208         * stress/big-int-bitwise-xor-type-error.js: Added.
2209         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2210
2211 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2212
2213         [BigInt] Add ValueSub into DFG
2214         https://bugs.webkit.org/show_bug.cgi?id=186176
2215
2216         Reviewed by Yusuke Suzuki.
2217
2218         * stress/big-int-subtraction-jit.js:
2219         * stress/value-sub-big-int-prediction-propagation.js: Added.
2220         * stress/value-sub-big-int-untyped.js: Added.
2221         * stress/value-sub-spec-none-case.js: Added.
2222
2223 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2224
2225         [JSC] JSC should have "parseFunction" to optimize Function constructor
2226         https://bugs.webkit.org/show_bug.cgi?id=190340
2227
2228         Reviewed by Mark Lam.
2229
2230         This patch fixes the line number of syntax errors raised by the Function constructor,
2231         since we now parse the final code only once. And we no longer use block statement
2232         for Function constructor's parsing.
2233
2234         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2235         * stress/function-cache-with-parameters-end-position.js: Added.
2236         (shouldBe):
2237         (shouldThrow):
2238         (i.anonymous):
2239         * stress/function-constructor-name.js: Added.
2240         (shouldBe):
2241         (GeneratorFunction):
2242         (AsyncFunction.async):
2243         (AsyncGeneratorFunction.async):
2244         (anonymous):
2245         (async.anonymous):
2246         * test262/expectations.yaml:
2247
2248 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2249
2250         Unreviewed, rolling out r237242.
2251         https://bugs.webkit.org/show_bug.cgi?id=190701
2252
2253         it breaks "stress/sampling-profiler-basic.js" (Requested by
2254         caiolima on #webkit).
2255
2256         Reverted changeset:
2257
2258         "[BigInt] Add ValueSub into DFG"
2259         https://bugs.webkit.org/show_bug.cgi?id=186176
2260         https://trac.webkit.org/changeset/237242
2261
2262 2018-10-17  Keith Miller  <keith_miller@apple.com>
2263
2264         AI does not clear Phantom allocation nodes.
2265         https://bugs.webkit.org/show_bug.cgi?id=190694
2266
2267         Reviewed by Saam Barati.
2268
2269         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2270         (Day):
2271         (DaysInYear):
2272         (TimeInYear):
2273         (TimeFromYear):
2274         (DayFromYear):
2275         (InLeapYear):
2276         (YearFromTime):
2277         (WeekDay):
2278         (DaylightSavingTA):
2279         (GetSecondSundayInMarch):
2280         (TimeInMonth):
2281
2282 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2283
2284         [BigInt] Add ValueSub into DFG
2285         https://bugs.webkit.org/show_bug.cgi?id=186176
2286
2287         Reviewed by Yusuke Suzuki.
2288
2289         * stress/big-int-subtraction-jit.js:
2290         * stress/value-sub-big-int-prediction-propagation.js: Added.
2291         * stress/value-sub-big-int-untyped.js: Added.
2292
2293 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2294
2295         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2296         https://bugs.webkit.org/show_bug.cgi?id=190611
2297
2298         Reviewed by Saam Barati.
2299
2300         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2301         to improve test runtime. On ARM/MIPS this test even timed out when running all
2302         tests.
2303
2304         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2305         (test):
2306
2307 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2308
2309         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2310
2311         Unreviewed gardening.
2312
2313         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2314
2315 2018-10-15  Saam Barati  <sbarati@apple.com>
2316
2317         Emit fjcvtzs on ARM64E on Darwin
2318         https://bugs.webkit.org/show_bug.cgi?id=184023
2319
2320         Reviewed by Yusuke Suzuki and Filip Pizlo.
2321
2322         * stress/double-to-int32-NaN.js: Added.
2323         (assert):
2324         (foo):
2325
2326 2018-10-15  Saam Barati  <sbarati@apple.com>
2327
2328         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2329         https://bugs.webkit.org/show_bug.cgi?id=190262
2330         <rdar://problem/44986241>
2331
2332         Reviewed by Mark Lam.
2333
2334         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2335         (test):
2336         * stress/slice-array-storage-with-holes.js: Added.
2337         (main):
2338
2339 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2340
2341         Unreviewed, rolling out r237054.
2342         https://bugs.webkit.org/show_bug.cgi?id=190593
2343
2344         "this regressed JetStream 2 by 6% on iOS" (Requested by
2345         saamyjoon on #webkit).
2346
2347         Reverted changeset:
2348
2349         "[JSC] JSC should have "parseFunction" to optimize Function
2350         constructor"
2351         https://bugs.webkit.org/show_bug.cgi?id=190340
2352         https://trac.webkit.org/changeset/237054
2353
2354 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2355
2356         [JSC] JSON.stringify can accept call-with-no-arguments
2357         https://bugs.webkit.org/show_bug.cgi?id=190343
2358
2359         Reviewed by Mark Lam.
2360
2361         * stress/json-stringify-no-arguments.js: Added.
2362         (shouldBe):
2363
2364 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2365
2366         [JSC] JSC should have "parseFunction" to optimize Function constructor
2367         https://bugs.webkit.org/show_bug.cgi?id=190340
2368
2369         Reviewed by Mark Lam.
2370
2371         This patch fixes the line number of syntax errors raised by the Function constructor,
2372         since we now parse the final code only once. And we no longer use block statement
2373         for Function constructor's parsing.
2374
2375         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2376         * stress/function-cache-with-parameters-end-position.js: Added.
2377         (shouldBe):
2378         (shouldThrow):
2379         (i.anonymous):
2380         * stress/function-constructor-name.js: Added.
2381         (shouldBe):
2382         (GeneratorFunction):
2383         (AsyncFunction.async):
2384         (AsyncGeneratorFunction.async):
2385         (anonymous):
2386         (async.anonymous):
2387         * test262/expectations.yaml:
2388
2389 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2390
2391         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2392         https://bugs.webkit.org/show_bug.cgi?id=190426
2393
2394         Unreviewed gardening.
2395
2396         * stress/sampling-profiler-richards.js:
2397
2398 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2399
2400         [ESNext][BigInt] Implement support for "|"
2401         https://bugs.webkit.org/show_bug.cgi?id=186229
2402
2403         Reviewed by Yusuke Suzuki.
2404
2405         * stress/big-int-bitwise-and-jit.js:
2406         * stress/big-int-bitwise-or-general.js: Added.
2407         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2408         * stress/big-int-bitwise-or-jit.js: Added.
2409         * stress/big-int-bitwise-or-memory-stress.js: Added.
2410         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2411         * stress/big-int-bitwise-or-type-error.js: Added.
2412         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2413
2414 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2415
2416         Skip test on systems with limited memory
2417         https://bugs.webkit.org/show_bug.cgi?id=190310
2418
2419         Invoking runDefault adds test to runlist, skipping the test in the next
2420         line does not prevent the test from executing. Change order of lines such
2421         that runDefault is only executed if test is not executed.
2422
2423         Reviewed by Mark Lam.
2424
2425         * stress/regress-190187.js:
2426
2427 2018-10-03  Saam Barati  <sbarati@apple.com>
2428
2429         lowXYZ in FTLLower should always filter the type of the incoming edge
2430         https://bugs.webkit.org/show_bug.cgi?id=189939
2431         <rdar://problem/44407030>
2432
2433         Reviewed by Michael Saboff.
2434
2435         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2436         (foo):
2437         (test):
2438
2439 2018-10-03  Mark Lam  <mark.lam@apple.com>
2440
2441         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2442         https://bugs.webkit.org/show_bug.cgi?id=190187
2443         <rdar://problem/42512909>
2444
2445         Reviewed by Michael Saboff.
2446
2447         * stress/regress-190187.js: Added.
2448
2449 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2450
2451         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2452         https://bugs.webkit.org/show_bug.cgi?id=190033
2453
2454         Reviewed by Yusuke Suzuki.
2455
2456         * stress/big-int-to-string.js:
2457
2458 2018-10-01  Mark Lam  <mark.lam@apple.com>
2459
2460         Function.toString() should also copy the source code Functions that are class definitions.
2461         https://bugs.webkit.org/show_bug.cgi?id=190186
2462         <rdar://problem/44733360>
2463
2464         Reviewed by Saam Barati.
2465
2466         * stress/regress-190186.js: Added.
2467
2468 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2469
2470         Split NaN-check into separate test
2471         https://bugs.webkit.org/show_bug.cgi?id=190010
2472
2473         Reviewed by Saam Barati.
2474
2475         DataView exposes NaN-representation, which is not necessarily the same on each
2476         architecture. Therefore move the check of the NaN-representation into its own
2477         file such that we can disable this test on MIPS where NaN-representation can be
2478         different on older CPUs.
2479
2480         * stress/dataview-jit-set-nan.js: Added.
2481         (assert):
2482         (test.storeLittleEndian):
2483         (test.storeBigEndian):
2484         (test.store):
2485         (test):
2486         * stress/dataview-jit-set.js:
2487         (test5):
2488
2489 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2490
2491         Unreviewed, rolling out r236647.
2492         https://bugs.webkit.org/show_bug.cgi?id=190124
2493
2494         Breaking test stress/big-int-to-string.js (Requested by
2495         caiolima_ on #webkit).
2496
2497         Reverted changeset:
2498
2499         "[BigInt] BigInt.proptotype.toString is broken when radix is
2500         power of 2"
2501         https://bugs.webkit.org/show_bug.cgi?id=190033
2502         https://trac.webkit.org/changeset/236647
2503
2504 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2505
2506         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2507         https://bugs.webkit.org/show_bug.cgi?id=190033
2508
2509         Reviewed by Yusuke Suzuki.
2510
2511         * stress/big-int-to-string.js:
2512
2513 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2514
2515         [ESNext][BigInt] Implement support for "&"
2516         https://bugs.webkit.org/show_bug.cgi?id=186228
2517
2518         Reviewed by Yusuke Suzuki.
2519
2520         * stress/big-int-bitwise-and-general.js: Added.
2521         (assert):
2522         (assert.sameValue):
2523         * stress/big-int-bitwise-and-jit.js: Added.
2524         (let.assert.sameValue):
2525         (bigIntBitAnd):
2526         * stress/big-int-bitwise-and-memory-stress.js: Added.
2527         (assert):
2528         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2529         (assert.sameValue):
2530         (let.o.Symbol.toPrimitive):
2531         (catch):
2532         * stress/big-int-bitwise-and-type-error.js: Added.
2533         (assert):
2534         (assertThrowTypeError):
2535         (let.o.valueOf):
2536         (o.valueOf):
2537         (o.toString):
2538         (o.Symbol.toPrimitive):
2539         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2540         (assert.sameValue):
2541         (testBitAnd):
2542         (let.o.Symbol.toPrimitive):
2543         (o.valueOf):
2544         (o.toString):
2545
2546 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2547
2548         JSC test stress/jsc-read.js doesn't support CRLF
2549         https://bugs.webkit.org/show_bug.cgi?id=190063
2550
2551         Reviewed by Yusuke Suzuki.
2552
2553         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2554
2555         * stress/jsc-read.js:
2556         (test):
2557
2558 2018-09-27  Saam Barati  <sbarati@apple.com>
2559
2560         Verify the contents of AssemblerBuffer on arm64e
2561         https://bugs.webkit.org/show_bug.cgi?id=190057
2562         <rdar://problem/38916630>
2563
2564         Reviewed by Mark Lam.
2565
2566         * stress/regress-189132.js:
2567
2568 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2569
2570         Disable test without LLInt on ARMv7
2571         https://bugs.webkit.org/show_bug.cgi?id=190037
2572
2573         Reviewed by Mark Lam.
2574
2575         Test runs out of executable memory on ARMv7, do not run
2576         this test without LLInt enabled.
2577
2578         * stress/regress-169445.js:
2579
2580 2018-09-26  Keith Miller  <keith_miller@apple.com>
2581
2582         We should zero unused property storage when rebalancing array storage.
2583         https://bugs.webkit.org/show_bug.cgi?id=188151
2584
2585         Reviewed by Michael Saboff.
2586
2587         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2588
2589 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2590
2591         [JSC] Optimize Array#lastIndexOf
2592         https://bugs.webkit.org/show_bug.cgi?id=189780
2593
2594         Reviewed by Saam Barati.
2595
2596         * stress/array-lastindexof-array-prototype-trap.js: Added.
2597         (shouldBe):
2598         (AncestorArray.prototype.get 2):
2599         (AncestorArray):
2600         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2601         (shouldBe):
2602         * stress/array-lastindexof-hole-nan.js: Added.
2603         (shouldBe):
2604         (throw.new.Error):
2605         * stress/array-lastindexof-infinity.js: Added.
2606         (shouldBe):
2607         (throw.new.Error):
2608         * stress/array-lastindexof-negative-zero.js: Added.
2609         (shouldBe):
2610         (throw.new.Error):
2611         * stress/array-lastindexof-own-getter.js: Added.
2612         (shouldBe):
2613         (throw.new.Error.get array):
2614         (get array):
2615         * stress/array-lastindexof-prototype-trap.js: Added.
2616         (shouldBe):
2617         (DerivedArray.prototype.get 2):
2618         (DerivedArray):
2619
2620 2018-09-25  Saam Barati  <sbarati@apple.com>
2621
2622         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2623         https://bugs.webkit.org/show_bug.cgi?id=189940
2624         <rdar://problem/43640987>
2625
2626         Reviewed by Mark Lam.
2627
2628         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2629
2630 2018-09-24  Saam Barati  <sbarati@apple.com>
2631
2632         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2633         https://bugs.webkit.org/show_bug.cgi?id=189922
2634         <rdar://problem/44651275>
2635
2636         Reviewed by Mark Lam.
2637
2638         * stress/array-indexof-fast-path-effects.js: Added.
2639         * stress/array-indexof-cached-length.js: Added.
2640
2641 2018-09-24  Saam barati  <sbarati@apple.com>
2642
2643         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2644         https://bugs.webkit.org/show_bug.cgi?id=189682
2645         <rdar://problem/43557315>
2646
2647         Reviewed by Mark Lam.
2648
2649         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2650         (foo):
2651
2652 2018-09-22  Saam barati  <sbarati@apple.com>
2653
2654         The sampling should not use Strong<CodeBlock> in its machineLocation field
2655         https://bugs.webkit.org/show_bug.cgi?id=189319
2656
2657         Reviewed by Filip Pizlo.
2658
2659         * stress/sampling-profiler-richards.js: Added.
2660
2661 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2662
2663         [JSC] Optimize Array#indexOf in C++ runtime
2664         https://bugs.webkit.org/show_bug.cgi?id=189507
2665
2666         Reviewed by Saam Barati.
2667
2668         * stress/array-indexof-array-prototype-trap.js: Added.
2669         (shouldBe):
2670         (AncestorArray.prototype.get 2):
2671         (AncestorArray):
2672         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2673         (shouldBe):
2674         * stress/array-indexof-hole-nan.js: Added.
2675         (shouldBe):
2676         (throw.new.Error):
2677         * stress/array-indexof-infinity.js: Added.
2678         (shouldBe):
2679         (throw.new.Error):
2680         * stress/array-indexof-negative-zero.js: Added.
2681         (shouldBe):
2682         (throw.new.Error):
2683         * stress/array-indexof-own-getter.js: Added.
2684         (shouldBe):
2685         (throw.new.Error.get array):
2686         (get array):
2687         * stress/array-indexof-prototype-trap.js: Added.
2688         (shouldBe):
2689         (DerivedArray.prototype.get 2):
2690         (DerivedArray):
2691
2692 2018-09-19  Saam barati  <sbarati@apple.com>
2693
2694         AI rule for MultiPutByOffset executes its effects in the wrong order
2695         https://bugs.webkit.org/show_bug.cgi?id=189757
2696         <rdar://problem/43535257>
2697
2698         Reviewed by Michael Saboff.
2699
2700         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2701         (foo):
2702         (Foo):
2703         (g):
2704
2705 2018-09-17  Mark Lam  <mark.lam@apple.com>
2706
2707         Ensure that ForInContexts are invalidated if their loop local is over-written.
2708         https://bugs.webkit.org/show_bug.cgi?id=189571
2709         <rdar://problem/44402277>
2710
2711         Reviewed by Saam Barati.
2712
2713         * stress/regress-189571.js: Added.
2714
2715 2018-09-17  Saam barati  <sbarati@apple.com>
2716
2717         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2718         https://bugs.webkit.org/show_bug.cgi?id=189676
2719         <rdar://problem/39682897>
2720
2721         Reviewed by Michael Saboff.
2722
2723         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2724         (A):
2725         (K):
2726         (i.catch):
2727
2728 2018-09-14  Saam barati  <sbarati@apple.com>
2729
2730         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2731         https://bugs.webkit.org/show_bug.cgi?id=189628
2732         <rdar://problem/39481690>
2733
2734         Reviewed by Mark Lam.
2735
2736         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2737         (foo):
2738
2739 2018-09-11  Mark Lam  <mark.lam@apple.com>
2740
2741         Test for array initialization in arrayProtoFuncSplice.
2742         https://bugs.webkit.org/show_bug.cgi?id=170253
2743         <rdar://problem/31328773>
2744
2745         Rubber-stamped by Saam Barati.
2746
2747         * stress/regress-170253.js: Added.
2748
2749 2018-09-11  Mark Lam  <mark.lam@apple.com>
2750
2751         Test for IntlObject initialization.
2752         https://bugs.webkit.org/show_bug.cgi?id=170251
2753         <rdar://problem/31328419>
2754
2755         Rubber-stamped by Saam Barati.
2756
2757         * stress/regress-170251.js: Added.
2758
2759 2018-09-11  Mark Lam  <mark.lam@apple.com>
2760
2761         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2762         https://bugs.webkit.org/show_bug.cgi?id=169889
2763         <rdar://problem/31155607>
2764
2765         Reviewed by Saam Barati.
2766
2767         * stress/regress-169889-array-concat.js: Added.
2768         * stress/regress-169889-array-concat1.js: Added.
2769         * stress/regress-169889-array-slice.js: Added.
2770
2771 2018-09-11  Mark Lam  <mark.lam@apple.com>
2772
2773         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2774         https://bugs.webkit.org/show_bug.cgi?id=169445
2775         <rdar://problem/30957435>
2776
2777         Reviewed by Saam Barati.
2778
2779         * stress/regress-169445.js: Added.
2780         (let.gun.eval.A):
2781         (let.gun.eval.B.C):
2782         (let.gun.eval.B.C.prototype.trigger):
2783         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2784         (let.gun.eval.B):
2785         (let.gun.eval):
2786
2787 == Rolled over to ChangeLog-2018-09-11 ==