REGRESSION (r243642): Crash in reddit.com page
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-07  Michael Saboff  <msaboff@apple.com>
2
3         REGRESSION (r243642): Crash in reddit.com page
4         https://bugs.webkit.org/show_bug.cgi?id=196684
5
6         Reviewed by Geoffrey Garen.
7
8         New regression test.
9
10         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
11
12 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
13
14         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
15         https://bugs.webkit.org/show_bug.cgi?id=196683
16
17         Reviewed by Saam Barati.
18
19         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
20         (foo):
21
22 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
23
24         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
25         https://bugs.webkit.org/show_bug.cgi?id=196582
26
27         Reviewed by Saam Barati.
28
29         * stress/add-overflow-check-with-three-same-registers.js: Added.
30         (foo):
31         (Number.prototype.valueOf):
32         (runWithNumber):
33
34 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
35
36         Unreviewed, rolling out r243665.
37
38         Caused iOS JSC tests to exit with an exception.
39
40         Reverted changeset:
41
42         "Assertion failed in JSC::createError"
43         https://bugs.webkit.org/show_bug.cgi?id=196305
44         https://trac.webkit.org/changeset/243665
45
46 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
47
48         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
49         https://bugs.webkit.org/show_bug.cgi?id=196486
50
51         Reviewed by Saam Barati.
52
53         * stress/arrow-function-and-use-strict-directive.js: Added.
54         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
55         (checkSyntax):
56         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
57
58 2019-04-05  Caitlin Potter  <caitp@igalia.com>
59
60         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
61         https://bugs.webkit.org/show_bug.cgi?id=176810
62
63         Reviewed by Saam Barati.
64
65         Add tests for the DontEnum filtering, and variations of other tests
66         take the DontEnum-filtering path.
67
68         * stress/proxy-own-keys.js:
69         (i.catch):
70         (set assert):
71         (set add):
72         (let.set new):
73         (get let):
74
75 2019-04-05  Caitlin Potter  <caitp@igalia.com>
76
77         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
78         https://bugs.webkit.org/show_bug.cgi?id=185211
79
80         Reviewed by Saam Barati.
81
82         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
83
84         This changes several assertions to expect a TypeError to be thrown (in some cases,
85         changing the expected message).
86
87         * es6/Proxy_ownKeys_duplicates.js:
88         (handler):
89         (shouldThrow):
90         (test):
91         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
92         (shouldThrow):
93         * stress/proxy-own-keys.js:
94         (i.catch):
95         (assert):
96
97 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
98
99         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
100         https://bugs.webkit.org/show_bug.cgi?id=196631
101
102         Reviewed by Saam Barati.
103
104         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
105         (assert):
106         (test):
107         (foo):
108
109 2019-04-04  Saam Barati  <sbarati@apple.com>
110
111         Unreviewed. Make the test from r243906 catch the thrown exceptions.
112
113         * stress/inferred-types-regex-matches-array.js:
114
115 2019-04-04  Saam Barati  <sbarati@apple.com>
116
117         createRegExpMatchesArray does not respect inferred types
118         https://bugs.webkit.org/show_bug.cgi?id=193287
119
120         Reviewed by Yusuke Suzuki.
121
122         This checks in the test case for 193287. This issue was discovered by
123         Samuel Groß of Google Project Zero.
124
125         * stress/inferred-types-regex-matches-array.js: Added.
126
127 2019-04-04  Saam barati  <sbarati@apple.com>
128
129         Teach Call ICs how to call Wasm
130         https://bugs.webkit.org/show_bug.cgi?id=196387
131
132         Reviewed by Filip Pizlo.
133
134         * wasm/function-tests/stack-trace.js:
135
136 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
137
138         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
139         https://bugs.webkit.org/show_bug.cgi?id=194944
140
141         Reviewed by Keith Miller.
142
143         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
144
145 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
146
147         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
148         https://bugs.webkit.org/show_bug.cgi?id=196409
149
150         Reviewed by Saam Barati.
151
152         * stress/bytecode-cache-cached-string-impl.js: Added.
153         (f):
154         (g):
155         * stress/bytecode-cache-run-string.js: Added.
156
157 2019-04-03  Robin Morisset  <rmorisset@apple.com>
158
159         B3 should use associativity to optimize expression trees
160         https://bugs.webkit.org/show_bug.cgi?id=194081
161
162         Reviewed by Filip Pizlo.
163
164         Added three microbenchmarks:
165         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
166         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
167           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
168         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
169
170         * microbenchmarks/add-tree.js: Added.
171         * microbenchmarks/bit-or-tree.js: Added.
172         * microbenchmarks/bit-xor-tree.js: Added.
173
174 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
175
176         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
177         https://bugs.webkit.org/show_bug.cgi?id=196574
178
179         Reviewed by Saam Barati.
180
181         * stress/string-index-of-exception-check.js: Added.
182         (blurType):
183         (1.forEach):
184
185 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
186
187         Assertion failed in JSC::createError
188         https://bugs.webkit.org/show_bug.cgi?id=196305
189         <rdar://problem/49387382>
190
191         Reviewed by Saam Barati.
192
193         * stress/create-error-out-of-memory-rope-string-2.js: Added.
194         (assert):
195         (catch):
196
197 2019-03-28  Saam Barati  <sbarati@apple.com>
198
199         BackwardsGraph needs to consider back edges as the backward's root successor
200         https://bugs.webkit.org/show_bug.cgi?id=195991
201
202         Reviewed by Filip Pizlo.
203
204         * stress/map-b3-licm-infinite-loop.js: Added.
205
206 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
207
208         CodeBlock::jettison() should disallow repatching its own calls
209         https://bugs.webkit.org/show_bug.cgi?id=196359
210         <rdar://problem/48973663>
211
212         Reviewed by Saam Barati.
213
214         * stress/call-link-info-osrexit-repatch.js: Added.
215         (foo):
216
217 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
218
219         [JSC] imports-oom.js intermittently fails
220         https://bugs.webkit.org/show_bug.cgi?id=196373
221
222         Reviewed by Saam Barati.
223
224         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
225         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
226         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
227         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
228         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
229
230         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
231         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
232
233         * wasm/lowExecutableMemory/imports-oom.js:
234
235 2019-03-27  Saam Barati  <sbarati@apple.com>
236
237         validateOSREntryValue with Int52 should box the value being checked into double format
238         https://bugs.webkit.org/show_bug.cgi?id=196313
239         <rdar://problem/49306703>
240
241         Reviewed by Yusuke Suzuki.
242
243         * stress/validate-int-52-ai-state.js: Added.
244
245 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
246
247         [JSC] Owner of watchpoints should validate at GC finalizing phase
248         https://bugs.webkit.org/show_bug.cgi?id=195827
249
250         Reviewed by Filip Pizlo.
251
252         * stress/gc-should-reap-dead-watchpoints.js: Added.
253         (foo):
254         (A.prototype.y):
255         (A):
256
257 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
258
259         Skip WebAssembly test on 32-bit systems
260         https://bugs.webkit.org/show_bug.cgi?id=196206
261
262         Reviewed by Saam Barati.
263
264         Invoking runDefault executes test immediately even though
265         that test should be skipped due to missing WASM support.
266         Therefore remove runDefault.
267
268         * wasm/regress/web-assembly-link-error-exception-check.js:
269
270 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
271
272         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
273         https://bugs.webkit.org/show_bug.cgi?id=196217
274
275         Reviewed by Saam Barati.
276
277         Re-enable all NaN tests for f32.min, f64.min and f64.max.
278
279         * wasm/spec-tests/f32.wast.js:
280         * wasm/spec-tests/f64.wast.js:
281         * wasm/wasm.json:
282
283 2019-03-25  Keith Miller  <keith_miller@apple.com>
284
285         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
286         https://bugs.webkit.org/show_bug.cgi?id=196176
287
288         Reviewed by Saam Barati.
289
290         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
291         (main.v10):
292         (main):
293
294 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
295
296         WebAssembly: f32.max with NaN generates incorrect result
297         https://bugs.webkit.org/show_bug.cgi?id=175691
298         <rdar://problem/33952228>
299
300         Reviewed by Saam Barati.
301
302         Enable all f32.max NaN tests
303
304         * wasm/spec-tests/f32.wast.js:
305         * wasm/wasm.json:
306
307 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
308
309         [JSC] Move test into directory for WASM tests
310         https://bugs.webkit.org/show_bug.cgi?id=196187
311
312         Reviewed by Mark Lam.
313
314         Move Test into wasm-directory. Otherwise this test
315         is also executed on systems without WASM support.
316
317         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
318
319 2019-03-23  Mark Lam  <mark.lam@apple.com>
320
321         Rolling out r243032 and r243071 because the fix is incorrect.
322         https://bugs.webkit.org/show_bug.cgi?id=195892
323         <rdar://problem/48981239>
324
325         Not reviewed.
326
327         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
328
329 2019-03-22  Mark Lam  <mark.lam@apple.com>
330
331         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
332         https://bugs.webkit.org/show_bug.cgi?id=196154
333         <rdar://problem/49145307>
334
335         Reviewed by Filip Pizlo.
336
337         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
338         There's no need to run this test on more than 1 test configuration.
339
340         * stress/typed-array-lastIndexOf-exception-check.js: Added.
341         * stress/web-assembly-link-error-exception-check.js:
342
343 2019-03-22  Mark Lam  <mark.lam@apple.com>
344
345         Placate exception check validation in constructJSWebAssemblyLinkError().
346         https://bugs.webkit.org/show_bug.cgi?id=196152
347         <rdar://problem/49145257>
348
349         Reviewed by Michael Saboff.
350
351         * stress/web-assembly-link-error-exception-check.js: Added.
352
353 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
354
355         Skip tests running out of memory on ARM/MIPS
356         https://bugs.webkit.org/show_bug.cgi?id=196131
357
358         Unreviewed. Skip test if memory is limited.
359
360         * microbenchmarks/put-by-val-direct-large-index.js:
361
362 2019-03-21  Mark Lam  <mark.lam@apple.com>
363
364         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
365         https://bugs.webkit.org/show_bug.cgi?id=196116
366         <rdar://problem/48976951>
367
368         Reviewed by Filip Pizlo.
369
370         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
371
372 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
373
374         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
375         https://bugs.webkit.org/show_bug.cgi?id=196078
376         <rdar://problem/35925380>
377
378         Reviewed by Mark Lam.
379
380         Add a new benchmark that allocates several objects and invokes put_by_val_direct
381         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
382
383         * microbenchmarks/put-by-val-direct-large-index.js: Added.
384
385 2019-03-21  Mark Lam  <mark.lam@apple.com>
386
387         Placate exception check validation in operationArrayIndexOfString().
388         https://bugs.webkit.org/show_bug.cgi?id=196067
389         <rdar://problem/49056572>
390
391         Reviewed by Michael Saboff.
392
393         * stress/string-equal-exception-check.js: Added.
394
395 2019-03-21  Mark Lam  <mark.lam@apple.com>
396
397         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
398         https://bugs.webkit.org/show_bug.cgi?id=196055
399         <rdar://problem/49067448>
400
401         Reviewed by Yusuke Suzuki.
402
403         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
404
405 2019-03-20  Saam Barati  <sbarati@apple.com>
406
407         typeOfDoubleSum is wrong for when NaN can be produced
408         https://bugs.webkit.org/show_bug.cgi?id=196030
409
410         Reviewed by Filip Pizlo.
411
412         * stress/double-add-sub-mul-can-produce-nan.js: Added.
413         (assert):
414         (noInline.sub):
415         (noInline):
416         (assert.mul):
417         (assert.add):
418
419 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
420
421         Update the test to ensure OutOfMemoryError is thrown as intended
422         https://bugs.webkit.org/show_bug.cgi?id=196032
423         <rdar://problem/46842740>
424
425         Rubber stamped by Saam Barati.
426
427         * stress/create-error-out-of-memory-rope-string.js:
428         (assert):
429         (catch):
430
431 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
432
433         JSC::createError needs to check for OOM in errorDescriptionForValue
434         https://bugs.webkit.org/show_bug.cgi?id=196032
435         <rdar://problem/46842740>
436
437         Reviewed by Mark Lam.
438
439         * stress/create-error-out-of-memory-rope-string.js: Added.
440
441 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
442
443         Unreviewed, reduce # of iterations to avoid timing out after r242991
444         https://bugs.webkit.org/show_bug.cgi?id=195791
445
446         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
447
448         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
449
450 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
451
452         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
453         https://bugs.webkit.org/show_bug.cgi?id=195950
454
455         Unreviewed, reducing the amount of memory used on this test to avoid
456         OOM on devices with memory restrictions.
457
458         * microbenchmarks/generate-multiple-llint-entrypoints.js:
459
460 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
461
462         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
463         https://bugs.webkit.org/show_bug.cgi?id=194648
464
465         Reviewed by Keith Miller.
466
467         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
468
469 2019-03-18  Mark Lam  <mark.lam@apple.com>
470
471         Missing a ThrowScope release in JSObject::toString().
472         https://bugs.webkit.org/show_bug.cgi?id=195893
473         <rdar://problem/48970986>
474
475         Reviewed by Michael Saboff.
476
477         * stress/to-string-exception-check-release.js: Added.
478
479 2019-03-18  Mark Lam  <mark.lam@apple.com>
480
481         Structure::flattenDictionary() should clear unused property slots.
482         https://bugs.webkit.org/show_bug.cgi?id=195871
483         <rdar://problem/48959497>
484
485         Reviewed by Michael Saboff.
486
487         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
488
489 2019-03-15  Mark Lam  <mark.lam@apple.com>
490
491         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
492         https://bugs.webkit.org/show_bug.cgi?id=195827
493         <rdar://problem/48845513>
494
495         Reviewed by Filip Pizlo.
496
497         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
498
499 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
500
501         [ARM,MIPS] Skip slow tests
502         https://bugs.webkit.org/show_bug.cgi?id=195799
503
504         Unreviewed, test does not finish on ARM and MIPS within the
505         timeout limit.
506
507         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
508
509 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
510
511         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
512         https://bugs.webkit.org/show_bug.cgi?id=195791
513         <rdar://problem/48806130>
514
515         Reviewed by Mark Lam.
516
517         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
518         (foo):
519
520 2019-03-14  Saam barati  <sbarati@apple.com>
521
522         We can't remove code after ForceOSRExit until after FixupPhase
523         https://bugs.webkit.org/show_bug.cgi?id=186916
524         <rdar://problem/41396612>
525
526         Reviewed by Yusuke Suzuki.
527
528         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
529         (foo):
530         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
531         (foo):
532
533 2019-03-13  Michael Saboff  <msaboff@apple.com>
534
535         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
536         https://bugs.webkit.org/show_bug.cgi?id=195735
537
538         Reviewed by Mark Lam.
539
540         New regression test.
541
542         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
543         (foo):
544         (bar):
545
546 2019-03-14  Saam barati  <sbarati@apple.com>
547
548         Fixup uses KnownInt32 incorrectly in some nodes
549         https://bugs.webkit.org/show_bug.cgi?id=195279
550         <rdar://problem/47915654>
551
552         Reviewed by Yusuke Suzuki.
553
554         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
555         (foo):
556
557 2019-03-14  Keith Miller  <keith_miller@apple.com>
558
559         DFG liveness can't skip tail caller inline frames
560         https://bugs.webkit.org/show_bug.cgi?id=195715
561
562         Reviewed by Saam Barati.
563
564         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
565         (i.foo):
566
567 2019-03-13  Mark Lam  <mark.lam@apple.com>
568
569         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
570         https://bugs.webkit.org/show_bug.cgi?id=195415
571
572         Not reviewed.
573
574         Changed these tests to only run the default configuration.
575         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
576         There's no strong need to run this test on that variant.
577
578         * stress/dfg-to-string-on-int-does-gc.js:
579         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
580
581 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
582
583         String overflow when using StringBuilder in JSC::createError
584         https://bugs.webkit.org/show_bug.cgi?id=194957
585
586         Reviewed by Mark Lam.
587
588         Add test string-overflow-createError-builder.js that overflows
589         StringBuilder in notAFunctionSourceAppender. The second new test
590         string-overflow-createError-fit.js has an error message that doesn't
591         overflow, it still failed since the String's capacity can't be doubled.
592         Run test string-overflow-createError.js only in the default
593         configuration to reduce memory consumption when running the test
594         in all configurations on multiple CPUs in parallel.
595
596         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
597         (catch):
598         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
599         (catch):
600         * stress/string-overflow-createError.js:
601
602 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
603
604         [JSC] OSR entry should respect abstract values in addition to flush formats
605         https://bugs.webkit.org/show_bug.cgi?id=195653
606
607         Reviewed by Mark Lam.
608
609         * stress/osr-entry-locals-none.js: Added.
610
611 2019-03-12  Michael Saboff  <msaboff@apple.com>
612
613         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
614         https://bugs.webkit.org/show_bug.cgi?id=195613
615
616         Reviewed by Mark Lam.
617
618         New regression test.
619
620         * stress/regexp-backref-inbounds.js: Added.
621         (testRegExp):
622
623 2019-03-12  Mark Lam  <mark.lam@apple.com>
624
625         The HasIndexedProperty node does GC.
626         https://bugs.webkit.org/show_bug.cgi?id=195559
627         <rdar://problem/48767923>
628
629         Reviewed by Yusuke Suzuki.
630
631         * stress/HasIndexedProperty-does-gc.js: Added.
632
633 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
634
635         [ESNext][BigInt] Implement "~" unary operation
636         https://bugs.webkit.org/show_bug.cgi?id=182216
637
638         Reviewed by Keith Miller.
639
640         * stress/big-int-bit-not-general.js: Added.
641         * stress/big-int-bitwise-not-jit.js: Added.
642         * stress/big-int-bitwise-not-wrapped-value.js: Added.
643         * stress/bit-op-with-object-returning-int32.js:
644         * stress/bitwise-not-fixup-rules.js: Added.
645         * stress/value-bit-not-ai-rule.js: Added.
646
647 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
648
649         Invalid flags in a RegExp literal should be an early SyntaxError
650         https://bugs.webkit.org/show_bug.cgi?id=195514
651
652         Reviewed by Darin Adler.
653
654         * test262/expectations.yaml:
655         Mark 4 test cases as passing.
656
657         * stress/regexp-syntax-error-invalid-flags.js:
658         * stress/regress-161995.js: Removed.
659         Update existing test, merging in an older test for the same behavior.
660
661 2019-03-08  Mark Lam  <mark.lam@apple.com>
662
663         Stack overflow crash in JSC::JSObject::hasInstance.
664         https://bugs.webkit.org/show_bug.cgi?id=195458
665         <rdar://problem/48710195>
666
667         Reviewed by Yusuke Suzuki.
668
669         * stress/stack-overflow-in-custom-hasInstance.js: Added.
670
671 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
672
673         op_check_tdz does not def its argument
674         https://bugs.webkit.org/show_bug.cgi?id=192880
675         <rdar://problem/46221598>
676
677         Reviewed by Saam Barati.
678
679         * microbenchmarks/let-for-in.js: Added.
680         (foo):
681
682 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
683
684         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
685         https://bugs.webkit.org/show_bug.cgi?id=195429
686
687         Reviewed by Saam Barati.
688
689         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
690         (foo):
691         * stress/string-from-char-code-255.js: Added.
692
693 2019-03-06  Mark Lam  <mark.lam@apple.com>
694
695         Fix incorrect handling of try-finally completion values.
696         https://bugs.webkit.org/show_bug.cgi?id=195131
697         <rdar://problem/46222079>
698
699         Reviewed by Saam Barati and Yusuke Suzuki.
700
701         Added many permutations of new test case to test-finally.js.  test-finally.js has
702         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
703         tests pass there as well.
704
705         * stress/test-finally.js:
706
707 2019-03-06  Saam Barati  <sbarati@apple.com>
708
709         Air::reportUsedRegisters must padInterference
710         https://bugs.webkit.org/show_bug.cgi?id=195303
711         <rdar://problem/48270343>
712
713         Reviewed by Keith Miller.
714
715         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
716
717 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
718
719         [JSC] AI should not propagate AbstractValue relying on constant folding phase
720         https://bugs.webkit.org/show_bug.cgi?id=195375
721
722         Reviewed by Saam Barati.
723
724         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
725         (let.array):
726
727 2019-03-05  Saam barati  <sbarati@apple.com>
728
729         op_switch_char broken for rope strings after JSRopeString layout rewrite
730         https://bugs.webkit.org/show_bug.cgi?id=195339
731         <rdar://problem/48592545>
732
733         Reviewed by Yusuke Suzuki.
734
735         * stress/switch-on-char-llint-rope.js: Added.
736
737 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
738
739         [JSC] Store bits for JSRopeString in 3 stores
740         https://bugs.webkit.org/show_bug.cgi?id=195234
741
742         Reviewed by Saam Barati.
743
744         * stress/null-rope-and-collectors.js: Added.
745
746 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
747
748         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
749         https://bugs.webkit.org/show_bug.cgi?id=195207
750
751         Unreviewed. After test runtime was reduced in r242213, test can be
752         run again on ARM/MIPS.
753
754         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
755
756 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
757
758         [JSC] sizeof(JSString) should be 16
759         https://bugs.webkit.org/show_bug.cgi?id=194375
760
761         Reviewed by Saam Barati.
762
763         * microbenchmarks/make-rope.js: Added.
764         (makeRope):
765         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
766         (returnRope.helper): Deleted.
767         (returnRope): Deleted.
768
769 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
770
771         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
772         https://bugs.webkit.org/show_bug.cgi?id=195144
773
774         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
775         Change the number from 1e8 to 1e5.
776
777         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
778         (foo):
779
780 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
781
782         Test times out on ARM/MIPS
783         https://bugs.webkit.org/show_bug.cgi?id=195168
784
785         Unreviewed. Skip test on ARM/MIPS.
786
787         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
788
789 2019-02-27  Mark Lam  <mark.lam@apple.com>
790
791         The parser is failing to record the token location of new in new.target.
792         https://bugs.webkit.org/show_bug.cgi?id=195127
793         <rdar://problem/39645578>
794
795         Reviewed by Yusuke Suzuki.
796
797         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
798
799 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
800
801         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
802         https://bugs.webkit.org/show_bug.cgi?id=195144
803         <rdar://problem/47595961>
804
805         Reviewed by Mark Lam.
806
807         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
808         (bar):
809         (foo):
810         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
811         (bar):
812         (foo):
813
814 2019-02-27  Robin Morisset  <rmorisset@apple.com>
815
816         DFG: Loop-invariant code motion (LICM) should not hoist dead code
817         https://bugs.webkit.org/show_bug.cgi?id=194945
818         <rdar://problem/48311657>
819
820         Reviewed by Mark Lam.
821
822         * stress/licm-dead-code.js: Added.
823
824 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
825
826         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
827         https://bugs.webkit.org/show_bug.cgi?id=194677
828         <rdar://problem/48112492>
829
830         Reviewed by Mark Lam.
831
832         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
833         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
834         it immediately fails due to the large size.
835
836         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
837         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
838         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
839         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
840
841         This patch changes the test to produce 16bit string from String.fromCharCode.
842
843         * stress/regress-178386.js:
844
845 2019-02-26  Mark Lam  <mark.lam@apple.com>
846
847         wasmToJS() should purify incoming NaNs.
848         https://bugs.webkit.org/show_bug.cgi?id=194807
849         <rdar://problem/48189132>
850
851         Reviewed by Saam Barati.
852
853         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
854
855 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
856
857         [JSC] Repeat string created from Array.prototype.join() take too much memory
858         https://bugs.webkit.org/show_bug.cgi?id=193912
859
860         Reviewed by Saam Barati.
861
862         Added a test and a microbenchmark for corner cases of
863         Array.prototype.join() with an uninitialized array.
864
865         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
866         * stress/array-prototype-join-uninitialized.js: Added.
867         (testArray):
868         (testABC):
869         (B):
870         (C):
871
872 2019-02-22  Robin Morisset  <rmorisset@apple.com>
873
874         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
875         https://bugs.webkit.org/show_bug.cgi?id=194953
876         <rdar://problem/47595253>
877
878         Reviewed by Saam Barati.
879
880         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
881
882         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
883
884 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
885
886         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
887         https://bugs.webkit.org/show_bug.cgi?id=172848
888         <rdar://problem/25709212>
889
890         Reviewed by Mark Lam.
891
892         * typeProfiler/inheritance.js:
893         Rewrite the test slightly for clarity. The hoisting was confusing.
894
895         * heapProfiler/class-names.js: Added.
896         (MyES5Class):
897         (MyES6Class):
898         (MyES6Subclass):
899         Test object types and improved class names.
900
901         * heapProfiler/driver/driver.js:
902         (CheapHeapSnapshotNode):
903         (CheapHeapSnapshot):
904         (createCheapHeapSnapshot):
905         (HeapSnapshot):
906         (createHeapSnapshot):
907         Update snapshot parsing from version 1 to version 2.
908
909 2019-02-19  Truitt Savell  <tsavell@apple.com>
910
911         Unreviewed, rolling out r241784.
912
913         Broke all OpenSource builds.
914
915         Reverted changeset:
916
917         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
918         instances view"
919         https://bugs.webkit.org/show_bug.cgi?id=172848
920         https://trac.webkit.org/changeset/241784
921
922 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
923
924         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
925         https://bugs.webkit.org/show_bug.cgi?id=172848
926         <rdar://problem/25709212>
927
928         Reviewed by Mark Lam.
929
930         * typeProfiler/inheritance.js:
931         Rewrite the test slightly for clarity. The hoisting was confusing.
932
933         * heapProfiler/class-names.js: Added.
934         (MyES5Class):
935         (MyES6Class):
936         (MyES6Subclass):
937         Test object types and improved class names.
938
939         * heapProfiler/driver/driver.js:
940         (CheapHeapSnapshotNode):
941         (CheapHeapSnapshot):
942         (createCheapHeapSnapshot):
943         (HeapSnapshot):
944         (createHeapSnapshot):
945         Update snapshot parsing from version 1 to version 2.
946
947 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
948
949         [ARM] Fix crash with sampling profiler
950         https://bugs.webkit.org/show_bug.cgi?id=194772
951
952         Reviewed by Mark Lam.
953
954         Do not skip test since crash with sampling profiler is now fixed.
955
956         * stress/sampling-profiler-richards.js:
957
958 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
959
960         [JSC] Add LazyClassStructure::getInitializedOnMainThread
961         https://bugs.webkit.org/show_bug.cgi?id=194784
962         <rdar://problem/48154820>
963
964         Reviewed by Mark Lam.
965
966         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
967         (getProperties):
968         (getRandomProperty):
969         (i.catch):
970
971 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
972
973         [ARM] Test gardening: Test running out of executable memory
974         https://bugs.webkit.org/show_bug.cgi?id=194771
975
976         Unreviewed. Do not run test without LLInt, test is running out of executable
977         memory on ARM otherwise.
978
979         * stress/tagged-template-object-collect.js:
980
981 2019-02-18  Tomas Popela  <tpopela@redhat.com>
982
983         Unreviewed, skip the test on platforms without sampling profiler
984
985         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
986         (platformSupportsSamplingProfiler.foo):
987         (platformSupportsSamplingProfiler.test):
988         (platformSupportsSamplingProfiler):
989         (foo): Deleted.
990         (test): Deleted.
991
992 2019-02-17  Saam Barati  <sbarati@apple.com>
993
994         Deadlock when adding a Structure property transition and then doing incremental marking
995         https://bugs.webkit.org/show_bug.cgi?id=194767
996
997         Reviewed by Mark Lam.
998
999         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1000
1001 2019-02-15  Michael Saboff  <msaboff@apple.com>
1002
1003         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1004         https://bugs.webkit.org/show_bug.cgi?id=194558
1005
1006         Reviewed by Saam Barati.
1007
1008         New regression test.
1009
1010         * stress/regexp-unicode-within-string.js: Added.
1011
1012 2019-02-15  Mark Lam  <mark.lam@apple.com>
1013
1014         SamplingProfiler::stackTracesAsJSON() should escape strings.
1015         https://bugs.webkit.org/show_bug.cgi?id=194649
1016         <rdar://problem/48072386>
1017
1018         Reviewed by Saam Barati.
1019
1020         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1021         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1022         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1023         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1024
1025 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1026         CodeBlock::jettison should clear related watchpoints
1027         https://bugs.webkit.org/show_bug.cgi?id=194544
1028
1029         Reviewed by Mark Lam.
1030
1031         * stress/regexp-replace-double-watchpoint.js: Added.
1032         (foo):
1033
1034 2019-02-15  Saam barati  <sbarati@apple.com>
1035
1036         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1037         https://bugs.webkit.org/show_bug.cgi?id=194036
1038
1039         Reviewed by Yusuke Suzuki.
1040
1041         * stress/tail-call-many-arguments.js: Added.
1042         (foo):
1043         (bar):
1044
1045 2019-02-14  Saam Barati  <sbarati@apple.com>
1046
1047         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1048         https://bugs.webkit.org/show_bug.cgi?id=194583
1049         <rdar://problem/48028140>
1050
1051         Reviewed by Yusuke Suzuki.
1052
1053         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1054
1055 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1056
1057         [JSC] String.fromCharCode's slow path always generates 16bit string
1058         https://bugs.webkit.org/show_bug.cgi?id=194466
1059
1060         Reviewed by Keith Miller.
1061
1062         * stress/string-from-char-code-slow-path.js: Added.
1063         (shouldBe):
1064         (testWithLength):
1065
1066 2019-02-08  Saam barati  <sbarati@apple.com>
1067
1068         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1069         https://bugs.webkit.org/show_bug.cgi?id=194334
1070         <rdar://problem/47844327>
1071
1072         Reviewed by Mark Lam.
1073
1074         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1075         (func):
1076
1077 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1078
1079         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1080         https://bugs.webkit.org/show_bug.cgi?id=194369
1081         <rdar://problem/47813087>
1082
1083         Reviewed by Saam Barati.
1084
1085         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1086         (A):
1087
1088 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1089
1090         [JSC] PrivateName to PublicName hash table is wasteful
1091         https://bugs.webkit.org/show_bug.cgi?id=194277
1092
1093         Reviewed by Michael Saboff.
1094
1095         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1096
1097         * ChakraCore.yaml:
1098
1099 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1100
1101         [ARM] Test running out of executable memory
1102         https://bugs.webkit.org/show_bug.cgi?id=194285
1103
1104         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1105         executable memory otherwise.
1106
1107         * stress/class-subclassing-function.js:
1108
1109 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1110
1111         when lowering AssertNotEmpty, create the value before creating the patchpoint
1112         https://bugs.webkit.org/show_bug.cgi?id=194231
1113
1114         Reviewed by Saam Barati.
1115
1116         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1117         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1118         So even tiny changes to this test can change the code path taken.
1119
1120         * stress/assert-not-empty.js: Added.
1121         (foo):
1122
1123 2019-02-01  Mark Lam  <mark.lam@apple.com>
1124
1125         Remove invalid assertion in DFG's compileDoubleRep().
1126         https://bugs.webkit.org/show_bug.cgi?id=194130
1127         <rdar://problem/47699474>
1128
1129         Reviewed by Saam Barati.
1130
1131         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1132
1133 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1134
1135         Import latest Test262 updates.
1136
1137         Rubber-stamped by Keith Miller.
1138
1139         * test262.yaml: Deleted.
1140         * test262/config.yaml:
1141         * test262/expectations.yaml:
1142         * test262/latest-changes-summary.txt:
1143         * test262/test/:
1144         * test262/test262-Revision.txt:
1145
1146 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1147
1148         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1149         https://bugs.webkit.org/show_bug.cgi?id=194050
1150         <rdar://problem/47595592>
1151
1152         Reviewed by Yusuke Suzuki.
1153
1154         * stress/object-keys-osr-exit.js: Added.
1155         (foo):
1156         (catch):
1157
1158 2019-01-29  Mark Lam  <mark.lam@apple.com>
1159
1160         ValueRecovery::recover() should purify NaN values it recovers.
1161         https://bugs.webkit.org/show_bug.cgi?id=193978
1162         <rdar://problem/47625488>
1163
1164         Reviewed by Saam Barati.
1165
1166         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1167
1168 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1169
1170         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1171         https://bugs.webkit.org/show_bug.cgi?id=193713
1172
1173         * stress/try-get-by-id-should-spill-registers-dfg.js:
1174         (let.f.createBuiltin):
1175
1176 2019-01-28  Mark Lam  <mark.lam@apple.com>
1177
1178         ToString node actually does GC.
1179         https://bugs.webkit.org/show_bug.cgi?id=193920
1180         <rdar://problem/46695900>
1181
1182         Reviewed by Yusuke Suzuki.
1183
1184         * stress/dfg-to-string-on-int-does-gc.js: Added.
1185         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1186         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1187
1188 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1189
1190         [JSC] NativeErrorConstructor should not have own IsoSubspace
1191         https://bugs.webkit.org/show_bug.cgi?id=193713
1192
1193         Reviewed by Saam Barati.
1194
1195         Remove @Error use.
1196
1197         * stress/try-get-by-id-should-spill-registers-dfg.js:
1198         (let.f.createBuiltin):
1199
1200 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1201
1202         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1203         https://bugs.webkit.org/show_bug.cgi?id=190693
1204
1205         Reviewed by Michael Saboff.
1206
1207         * stress/regress-190693.js: Added.
1208         (truth):
1209         (assert):
1210         (shouldThrowInvalidConstAssignment):
1211         (taz):
1212
1213 2019-01-24  Saam Barati  <sbarati@apple.com>
1214
1215         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1216         https://bugs.webkit.org/show_bug.cgi?id=193751
1217         <rdar://problem/47280215>
1218
1219         Reviewed by Michael Saboff.
1220
1221         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1222         (let.thing):
1223         (foo.let.hello):
1224         (foo):
1225
1226 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1227
1228         [JSC] Reenable baseline JIT on mips
1229         https://bugs.webkit.org/show_bug.cgi?id=192983
1230
1231         Reviewed by Mark Lam.
1232
1233         Added a new test for a case that was triggering a RELEASE_ASSERT when
1234         testing.
1235         Disable some slow tests that were already disabled for arm and x86.
1236
1237         * stress/json-parse-big-object.js: Added.
1238         * stress/new-largeish-contiguous-array-with-size.js:
1239         * stress/op_add.js:
1240         * stress/op_bitand.js:
1241         * stress/op_bitor.js:
1242         * stress/op_bitxor.js:
1243         * stress/op_lshift-ConstVar.js:
1244         * stress/op_lshift-VarConst.js:
1245         * stress/op_lshift-VarVar.js:
1246         * stress/op_mod-ConstVar.js:
1247         * stress/op_mod-VarConst.js:
1248         * stress/op_mod-VarVar.js:
1249         * stress/op_mul-ConstVar.js:
1250         * stress/op_mul-VarConst.js:
1251         * stress/op_mul-VarVar.js:
1252         * stress/op_rshift-ConstVar.js:
1253         * stress/op_rshift-VarConst.js:
1254         * stress/op_rshift-VarVar.js:
1255         * stress/op_sub-ConstVar.js:
1256         * stress/op_sub-VarConst.js:
1257         * stress/op_sub-VarVar.js:
1258         * stress/op_urshift-ConstVar.js:
1259         * stress/op_urshift-VarConst.js:
1260         * stress/op_urshift-VarVar.js:
1261         * stress/sampling-profiler-richards.js:
1262         * stress/spread-forward-call-varargs-stack-overflow.js:
1263
1264 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1265
1266         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1267         https://bugs.webkit.org/show_bug.cgi?id=193711
1268         <rdar://problem/47250262>
1269
1270         Reviewed by Saam Barati.
1271
1272         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1273         (shouldBe):
1274         (foo):
1275         (bar):
1276         (baz):
1277
1278 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1279
1280         Unreviewed, fix initial global lexical binding epoch
1281         https://bugs.webkit.org/show_bug.cgi?id=193603
1282         <rdar://problem/47380869>
1283
1284         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1285         (f1.f2.f3.f4):
1286         (f1.f2.f3):
1287         (f1.f2):
1288         (f1):
1289
1290 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1291
1292         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1293         https://bugs.webkit.org/show_bug.cgi?id=193709
1294         <rdar://problem/47363838>
1295
1296         Unreviewed, rollout to watch the tests.
1297
1298         * stress/object-tostring-changed-proto.js: Removed.
1299         * stress/object-tostring-changed.js: Removed.
1300         * stress/object-tostring-misc.js: Removed.
1301         * stress/object-tostring-other.js: Removed.
1302         * stress/object-tostring-untyped.js: Removed.
1303
1304 2019-01-22  Saam Barati  <sbarati@apple.com>
1305
1306         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1307
1308         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1309         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1310         (testUncheckedLessThanZero):
1311         (testUncheckedLessThanOrEqualZero):
1312         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1313         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1314
1315 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1316
1317         [JSC] Invalidate old scope operations using global lexical binding epoch
1318         https://bugs.webkit.org/show_bug.cgi?id=193603
1319         <rdar://problem/47380869>
1320
1321         Reviewed by Saam Barati.
1322
1323         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1324         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1325         (shouldThrow):
1326         (bar):
1327         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1328         (shouldBe):
1329         (get1):
1330         (get2):
1331         (get1If):
1332         (get2If):
1333         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1334         (shouldThrow):
1335         (foo):
1336
1337 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1338
1339         Unreviewed, roll out r240220 due to date-format-xparb regression
1340         https://bugs.webkit.org/show_bug.cgi?id=193603
1341
1342         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1343         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1344         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1345         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1346
1347 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1348
1349         DoesGC rule is wrong for nodes with BigIntUse
1350         https://bugs.webkit.org/show_bug.cgi?id=193652
1351
1352         Reviewed by Saam Barati.
1353
1354         * stress/big-int-value-op-update-gc-rules.js: Added.
1355         (assert):
1356         (doesGCAdd):
1357         (doesGCSub):
1358         (doesGCDiv):
1359         (doesGCMul):
1360         (doesGCBitAnd):
1361         (doesGCBitOr):
1362         (doesGCBitXor):
1363
1364 2019-01-20  Saam Barati  <sbarati@apple.com>
1365
1366         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1367         https://bugs.webkit.org/show_bug.cgi?id=193644
1368         <rdar://problem/46209745>
1369
1370         Reviewed by Yusuke Suzuki.
1371
1372         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1373         (foo):
1374         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1375         (foo):
1376         (bar):
1377
1378 2019-01-20  Saam Barati  <sbarati@apple.com>
1379
1380         MovHint must merge NodeBytecodeUsesAsValue for its child
1381         https://bugs.webkit.org/show_bug.cgi?id=186916
1382         <rdar://problem/41396612>
1383
1384         Reviewed by Yusuke Suzuki.
1385
1386         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1387         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1388
1389 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1390
1391         [JSC] Invalidate old scope operations using global lexical binding epoch
1392         https://bugs.webkit.org/show_bug.cgi?id=193603
1393         <rdar://problem/47380869>
1394
1395         Reviewed by Saam Barati.
1396
1397         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1398         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1399         (shouldThrow):
1400         (bar):
1401         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1402         (shouldBe):
1403         (get1):
1404         (get2):
1405         (get1If):
1406         (get2If):
1407         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1408         (shouldThrow):
1409         (foo):
1410
1411 2019-01-17  Saam barati  <sbarati@apple.com>
1412
1413         StringObjectUse should not be a structure check for the original string object structure
1414         https://bugs.webkit.org/show_bug.cgi?id=193483
1415         <rdar://problem/47280522>
1416
1417         Reviewed by Yusuke Suzuki.
1418
1419         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1420         (foo):
1421         (a.valueOf.0):
1422
1423 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1424
1425         [JSC] ToThis omission in DFGByteCodeParser is wrong
1426         https://bugs.webkit.org/show_bug.cgi?id=193513
1427         <rdar://problem/45842236>
1428
1429         Reviewed by Saam Barati.
1430
1431         * stress/to-this-omission-with-different-strict-modes.js: Added.
1432         (thisA):
1433         (thisAStrictWrapper):
1434
1435 2019-01-15  Mark Lam  <mark.lam@apple.com>
1436
1437         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1438         https://bugs.webkit.org/show_bug.cgi?id=193423
1439         <rdar://problem/46209355>
1440
1441         Reviewed by Saam Barati.
1442
1443         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1444         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1445         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1446         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1447
1448 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1449
1450         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1451         https://bugs.webkit.org/show_bug.cgi?id=193438
1452         <rdar://problem/45581249>
1453
1454         Reviewed by Saam Barati and Keith Miller.
1455
1456         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1457         Then, GetByVal(String) crashed.
1458
1459         * stress/string-get-by-val-lowering.js: Added.
1460         (shouldBe):
1461         (test):
1462         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1463         (Hello):
1464         (foo):
1465
1466 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1467
1468         Unreviewed, skip JIT tests if it's not enabled
1469
1470         * stress/bit-op-with-object-returning-int32.js:
1471
1472 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1473
1474         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1475         https://bugs.webkit.org/show_bug.cgi?id=192966
1476
1477         Reviewed by Yusuke Suzuki.
1478
1479         * stress/bit-op-with-object-returning-int32.js: Added.
1480
1481 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1482
1483         Skip a slow test and a flakey test on arm
1484
1485         Unreviewed gardening.
1486
1487         * typeProfiler/getter-richards.js:
1488         this test always times out, it used to be always skipped on arm and
1489         mips, but got accidentally enabled by r237919 now that we have DFG on
1490         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1491
1492 2019-01-14  Keith Miller  <keith_miller@apple.com>
1493
1494         Skip type-check-hoisting-phase-hoist... with no jit
1495         https://bugs.webkit.org/show_bug.cgi?id=193421
1496
1497         Reviewed by Mark Lam.
1498
1499         It's timing out the 32-bit bots and takes 330 seconds
1500         on my machine when run by itself.
1501
1502         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1503
1504 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1505
1506         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1507         https://bugs.webkit.org/show_bug.cgi?id=193413
1508         <rdar://problem/46092389>
1509
1510         Reviewed by Keith Miller.
1511
1512         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1513         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1514         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1515         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1516
1517         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1518         (compareArray):
1519
1520 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1521
1522         [BigInt] Literal parsing is crashing when used inside a Object Literal
1523         https://bugs.webkit.org/show_bug.cgi?id=193404
1524
1525         Reviewed by Yusuke Suzuki.
1526
1527         * stress/big-int-literal-inside-literal-object.js: Added.
1528
1529 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1530
1531         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1532         https://bugs.webkit.org/show_bug.cgi?id=193372
1533
1534         Reviewed by Saam Barati.
1535
1536         * stress/typed-array-array-modes-profile.js: Added.
1537         (foo):
1538
1539 2019-01-14  Mark Lam  <mark.lam@apple.com>
1540
1541         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1542         https://bugs.webkit.org/show_bug.cgi?id=193402
1543         <rdar://problem/46012309>
1544
1545         Reviewed by Keith Miller.
1546
1547         * stress/regexp-compile-oom.js:
1548         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1549           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1550
1551 2019-01-11  Saam barati  <sbarati@apple.com>
1552
1553         DFG combined liveness can be wrong for terminal basic blocks
1554         https://bugs.webkit.org/show_bug.cgi?id=193304
1555         <rdar://problem/45268632>
1556
1557         Reviewed by Yusuke Suzuki.
1558
1559         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1560
1561 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1562
1563         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1564         https://bugs.webkit.org/show_bug.cgi?id=193308
1565         <rdar://problem/45546542>
1566
1567         Reviewed by Saam Barati.
1568
1569         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1570         (shouldThrow):
1571         (shouldBe):
1572         (foo):
1573         (get shouldThrow):
1574         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1575         (shouldThrow):
1576         (shouldBe):
1577         (foo):
1578         (get shouldBe):
1579         (get shouldThrow):
1580         (get return):
1581         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1582         (shouldThrow):
1583         (shouldBe):
1584         (foo):
1585         (get shouldBe):
1586         (get shouldThrow):
1587         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1588         (shouldThrow):
1589         (shouldBe):
1590         (foo):
1591         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1592         (shouldThrow):
1593         (shouldBe):
1594         (foo):
1595         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1596         (shouldThrow):
1597         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1598         (shouldThrow):
1599         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1600         (shouldThrow):
1601         (shouldBe):
1602         (foo):
1603         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1604         (shouldThrow):
1605         (shouldBe):
1606         (foo):
1607         (get shouldBe):
1608         (get shouldThrow):
1609         (get return):
1610         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1611         (shouldThrow):
1612         (shouldBe):
1613         (foo):
1614         (get shouldBe):
1615         (get shouldThrow):
1616         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1617         (shouldThrow):
1618         (shouldBe):
1619         (foo):
1620         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1621         (shouldThrow):
1622         (shouldBe):
1623         (foo):
1624
1625 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1626
1627         Enable DFG on ARM/Linux again
1628         https://bugs.webkit.org/show_bug.cgi?id=192496
1629
1630         Reviewed by Yusuke Suzuki.
1631
1632         Test wasn't really skipped before moving the line with skip
1633         to the top.
1634
1635         * stress/regress-192717.js:
1636
1637 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1638
1639         Unreviewed, rolling out r239825.
1640         https://bugs.webkit.org/show_bug.cgi?id=193330
1641
1642         Broke tests on armv7/linux bots (Requested by guijemont on
1643         #webkit).
1644
1645         Reverted changeset:
1646
1647         "Enable DFG on ARM/Linux again"
1648         https://bugs.webkit.org/show_bug.cgi?id=192496
1649         https://trac.webkit.org/changeset/239825
1650
1651 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1652
1653         Enable DFG on ARM/Linux again
1654         https://bugs.webkit.org/show_bug.cgi?id=192496
1655
1656         Reviewed by Yusuke Suzuki.
1657
1658         Test wasn't really skipped before moving the line with skip
1659         to the top.
1660
1661         * stress/regress-192717.js:
1662
1663 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1664
1665         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1666         https://bugs.webkit.org/show_bug.cgi?id=193127
1667
1668         Reviewed by Saam Barati.
1669
1670         * stress/array-species-create-should-handle-masquerader.js: Added.
1671         (shouldThrow):
1672         * stress/is-undefined-or-null-builtin.js: Added.
1673         (shouldBe):
1674         (isUndefinedOrNull.vm.createBuiltin):
1675
1676 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1677
1678         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1679         https://bugs.webkit.org/show_bug.cgi?id=193221
1680
1681         Reviewed by Mark Lam.
1682
1683         * stress/put-by-id-flags.js: Added.
1684         (f):
1685         (g):
1686         (numberOfDFGCompiles):
1687
1688 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1689
1690         Baseline version of get_by_id may corrupt metadata
1691         https://bugs.webkit.org/show_bug.cgi?id=193085
1692         <rdar://problem/23453006>
1693
1694         Reviewed by Saam Barati.
1695
1696         * stress/get-by-id-change-mode.js: Added.
1697         (forEach):
1698
1699 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1700
1701         [JSC] Optimize Object.prototype.toString
1702         https://bugs.webkit.org/show_bug.cgi?id=193031
1703
1704         Reviewed by Saam Barati.
1705
1706         * stress/object-tostring-changed-proto.js: Added.
1707         (shouldBe):
1708         (test):
1709         * stress/object-tostring-changed.js: Added.
1710         (shouldBe):
1711         (test):
1712         * stress/object-tostring-misc.js: Added.
1713         (shouldBe):
1714         (test):
1715         (i.switch):
1716         * stress/object-tostring-other.js: Added.
1717         (shouldBe):
1718         (test):
1719         * stress/object-tostring-untyped.js: Added.
1720         (shouldBe):
1721         (test):
1722         (i.switch):
1723
1724 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1725
1726         test262-runner misbehaves when test file YAML has a trailing space
1727         https://bugs.webkit.org/show_bug.cgi?id=193053
1728
1729         Reviewed by Yusuke Suzuki.
1730
1731         * test262/expectations.yaml:
1732         Mark two dozen tests as passing (and correct the output of another).
1733
1734 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1735
1736         Unreviewed, JSTests gardening with memoryLimited
1737
1738         * stress/string-overflow-createError.js:
1739
1740 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1741
1742         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1743         https://bugs.webkit.org/show_bug.cgi?id=193050
1744
1745         Reviewed by Yusuke Suzuki.
1746
1747         * test262.yaml:
1748         * test262/expectations.yaml:
1749         Mark 16 tests as passing.
1750
1751 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1752
1753         [BigInt] Support BigInt in JSON.stringify
1754         https://bugs.webkit.org/show_bug.cgi?id=192624
1755
1756         Reviewed by Saam Barati.
1757
1758         * stress/big-int-json-stringify-to-json.js: Added.
1759         (shouldBe):
1760         (shouldThrow):
1761         (BigInt.prototype.toJSON):
1762         (shouldBe.JSON.stringify):
1763         * stress/big-int-json-stringify.js: Added.
1764         (shouldBe):
1765         (shouldThrow):
1766
1767 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1768
1769         [JSC] Implement "well-formed JSON.stringify" proposal
1770         https://bugs.webkit.org/show_bug.cgi?id=191677
1771
1772         Reviewed by Darin Adler.
1773
1774         * stress/json-surrogate-pair.js: Added.
1775         (shouldBe):
1776         * test262/expectations.yaml:
1777
1778 2018-12-20  Keith Miller  <keith_miller@apple.com>
1779
1780         Add support for globalThis
1781         https://bugs.webkit.org/show_bug.cgi?id=165171
1782
1783         Reviewed by Mark Lam.
1784
1785         * test262/config.yaml:
1786
1787 2018-12-19  Keith Miller  <keith_miller@apple.com>
1788
1789         Update test262 configuration to not run tests dependent on ICU version.
1790         https://bugs.webkit.org/show_bug.cgi?id=192920
1791
1792         Reviewed by Saam Barati.
1793
1794         * test262/expectations.yaml:
1795
1796 2018-12-20  Mark Lam  <mark.lam@apple.com>
1797
1798         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1799         https://bugs.webkit.org/show_bug.cgi?id=192939
1800         <rdar://problem/46869516>
1801
1802         Reviewed by Keith Miller.
1803
1804         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1805
1806 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1807
1808         WTF::String and StringImpl overflow MaxLength
1809         https://bugs.webkit.org/show_bug.cgi?id=192853
1810         <rdar://problem/45726906>
1811
1812         Reviewed by Mark Lam.
1813
1814         * stress/string-16bit-repeat-overflow.js: Added.
1815         (catch):
1816
1817 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1818
1819         Unreviewed follow-up to r192914.
1820
1821         * test262/expectations.yaml:
1822         Add the last 20 missing expectations.
1823
1824 2018-12-19  Keith Miller  <keith_miller@apple.com>
1825
1826         Fix test262 expectations
1827         https://bugs.webkit.org/show_bug.cgi?id=192914
1828
1829         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1830
1831         * test262/expectations.yaml:
1832
1833 2018-12-19  Keith Miller  <keith_miller@apple.com>
1834
1835         Update test262 tests.
1836         https://bugs.webkit.org/show_bug.cgi?id=192907
1837
1838         Rubber stamped by Mark Lam.
1839
1840         * test262/*: Omitted because prepare-changelog crashes.
1841
1842 2018-12-19  Mark Lam  <mark.lam@apple.com>
1843
1844         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1845         https://bugs.webkit.org/show_bug.cgi?id=192464
1846         <rdar://problem/46519455>
1847
1848         Reviewed by Saam Barati.
1849
1850         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1851         microbenchmark.
1852
1853         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1854         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1855
1856 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1857
1858         String overflow in JSC::createError results in ASSERT in WTF::makeString
1859         https://bugs.webkit.org/show_bug.cgi?id=192833
1860         <rdar://problem/45706868>
1861
1862         Reviewed by Mark Lam.
1863
1864         * stress/string-overflow-createError.js: Added.
1865
1866 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1867
1868         Error message for `-x ** y` contains a typo.
1869         https://bugs.webkit.org/show_bug.cgi?id=192832
1870
1871         Reviewed by Saam Barati.
1872
1873         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1874         (assert.assert.return.throws):
1875         * stress/pow-expects-update-expression-on-lhs.js:
1876         (throw.new.Error):
1877         Update test expectations which match against the exact error message.
1878
1879 2018-12-18  Mark Lam  <mark.lam@apple.com>
1880
1881         Gardening: test options fix.
1882         https://bugs.webkit.org/show_bug.cgi?id=192822
1883
1884         Unreviewed.
1885
1886         * stress/json-stringify-string-builder-overflow.js:
1887
1888 2018-12-18  Mark Lam  <mark.lam@apple.com>
1889
1890         JSON.stringify() should throw OOM on StringBuilder overflows.
1891         https://bugs.webkit.org/show_bug.cgi?id=192822
1892         <rdar://problem/46670577>
1893
1894         Reviewed by Saam Barati.
1895
1896         * stress/json-stringify-string-builder-overflow.js: Added.
1897
1898 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1899
1900         Redeclaration of var over let/const/class should be a syntax error.
1901         https://bugs.webkit.org/show_bug.cgi?id=192298
1902
1903         Reviewed by Keith Miller.
1904
1905         * test262.yaml:
1906         * test262/expectations.yaml:
1907         Mark 46 tests as passing.
1908
1909         * stress/block-scope-redeclarations.js:
1910         Add some new tests.
1911
1912         * stress/for-in-invalidate-context-weird-assignments.js:
1913         * stress/for-in-tests.js:
1914         Replace tests for outdated behavior with tests for SyntaxError.
1915
1916         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1917         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1918         Update expectations.
1919
1920 2018-12-18  Mark Lam  <mark.lam@apple.com>
1921
1922         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1923         https://bugs.webkit.org/show_bug.cgi?id=191374
1924         <rdar://problem/46525447>
1925
1926         Reviewed by Yusuke Suzuki.
1927
1928         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1929
1930         * stress/elidable-new-object-roflcopter-then-exit.js:
1931
1932 2018-12-17  Mark Lam  <mark.lam@apple.com>
1933
1934         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1935         https://bugs.webkit.org/show_bug.cgi?id=192019
1936         <rdar://problem/46525456>
1937
1938         Reviewed by Yusuke Suzuki.
1939
1940         The test runs too slow on 32-bit.
1941
1942         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1943
1944 2018-12-17  Mark Lam  <mark.lam@apple.com>
1945
1946         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1947         https://bugs.webkit.org/show_bug.cgi?id=191373
1948         <rdar://problem/46525458>
1949
1950         Reviewed by Yusuke Suzuki.
1951
1952         The test is already slow running with a JIT on 64-bit.  It will always timeout
1953         on 32-bit without a JIT.
1954
1955         * stress/materialize-regexp-cyclic-regexp.js:
1956
1957 2018-12-17  Mark Lam  <mark.lam@apple.com>
1958
1959         Array unshift/shift should not race against the AI in the compiler thread.
1960         https://bugs.webkit.org/show_bug.cgi?id=192795
1961         <rdar://problem/46724263>
1962
1963         Reviewed by Saam Barati.
1964
1965         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1966
1967 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1968
1969         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1970         https://bugs.webkit.org/show_bug.cgi?id=190047
1971
1972         Reviewed by Saam Barati.
1973
1974         * stress/object-keys-cached-zero.js: Added.
1975         (shouldBe):
1976         (test):
1977         * stress/object-keys-changed-attribute.js: Added.
1978         (shouldBe):
1979         (test):
1980         * stress/object-keys-changed-index.js: Added.
1981         (shouldBe):
1982         (test):
1983         * stress/object-keys-changed.js: Added.
1984         (shouldBe):
1985         (test):
1986         * stress/object-keys-indexed-non-cache.js: Added.
1987         (shouldBe):
1988         (test):
1989         * stress/object-keys-overrides-get-property-names.js: Added.
1990         (shouldBe):
1991         (test):
1992         (noInline):
1993
1994 2018-12-17  Mark Lam  <mark.lam@apple.com>
1995
1996         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1997         https://bugs.webkit.org/show_bug.cgi?id=192779
1998         <rdar://problem/46775869>
1999
2000         Reviewed by Saam Barati.
2001
2002         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2003
2004 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2005
2006         Unreviewed test gardening, address a syntax error in a new test.
2007
2008         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2009
2010 2018-12-17  Mark Lam  <mark.lam@apple.com>
2011
2012         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2013         https://bugs.webkit.org/show_bug.cgi?id=192776
2014         <rdar://problem/46772368>
2015
2016         Reviewed by Keith Miller.
2017
2018         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2019
2020 2018-12-17  Mark Lam  <mark.lam@apple.com>
2021
2022         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2023         https://bugs.webkit.org/show_bug.cgi?id=192770
2024         <rdar://problem/46449037>
2025
2026         Reviewed by Keith Miller.
2027
2028         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2029
2030 2018-12-14  Mark Lam  <mark.lam@apple.com>
2031
2032         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2033         https://bugs.webkit.org/show_bug.cgi?id=192717
2034         <rdar://problem/46660677>
2035
2036         Reviewed by Saam Barati.
2037
2038         * stress/regress-192717.js: Added.
2039
2040 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2041
2042         Unreviewed, rolling out r239153, r239154, and r239155.
2043         https://bugs.webkit.org/show_bug.cgi?id=192715
2044
2045         Caused flaky GC-related crashes seen with layout tests
2046         (Requested by ryanhaddad on #webkit).
2047
2048         Reverted changesets:
2049
2050         "[JSC] Optimize Object.keys by caching own keys results in
2051         StructureRareData"
2052         https://bugs.webkit.org/show_bug.cgi?id=190047
2053         https://trac.webkit.org/changeset/239153
2054
2055         "Unreviewed, build fix after r239153"
2056         https://bugs.webkit.org/show_bug.cgi?id=190047
2057         https://trac.webkit.org/changeset/239154
2058
2059         "Unreviewed, build fix after r239153, part 2"
2060         https://bugs.webkit.org/show_bug.cgi?id=190047
2061         https://trac.webkit.org/changeset/239155
2062
2063 2018-12-14  Keith Miller  <keith_miller@apple.com>
2064
2065         Callers of JSString::getIndex should check for OOM exceptions
2066         https://bugs.webkit.org/show_bug.cgi?id=192709
2067
2068         Reviewed by Mark Lam.
2069
2070         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2071
2072 2018-12-13  Mark Lam  <mark.lam@apple.com>
2073
2074         Add a missing exception check.
2075         https://bugs.webkit.org/show_bug.cgi?id=192626
2076         <rdar://problem/46662163>
2077
2078         Reviewed by Keith Miller.
2079
2080         * stress/regress-192626.js: Added.
2081
2082 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2083
2084         [BigInt] Add ValueDiv into DFG
2085         https://bugs.webkit.org/show_bug.cgi?id=186178
2086
2087         Reviewed by Yusuke Suzuki.
2088
2089         * stress/big-int-div-jit-osr.js: Added.
2090         * stress/big-int-div-jit-untyped.js: Added.
2091         * stress/value-div-fixup-int32-big-int.js: Added.
2092
2093 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2094
2095         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2096         https://bugs.webkit.org/show_bug.cgi?id=190047
2097
2098         Reviewed by Keith Miller.
2099
2100         * stress/object-keys-cached-zero.js: Added.
2101         (shouldBe):
2102         (test):
2103         * stress/object-keys-changed-attribute.js: Added.
2104         (shouldBe):
2105         (test):
2106         * stress/object-keys-changed-index.js: Added.
2107         (shouldBe):
2108         (test):
2109         * stress/object-keys-changed.js: Added.
2110         (shouldBe):
2111         (test):
2112         * stress/object-keys-indexed-non-cache.js: Added.
2113         (shouldBe):
2114         (test):
2115         * stress/object-keys-overrides-get-property-names.js: Added.
2116         (shouldBe):
2117         (test):
2118         (noInline):
2119
2120 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2121
2122         [DFG][FTL] Add NewSymbol
2123         https://bugs.webkit.org/show_bug.cgi?id=192620
2124
2125         Reviewed by Saam Barati.
2126
2127         * microbenchmarks/symbol-creation.js: Added.
2128         (test):
2129         * stress/symbol-description-identity.js: Added.
2130         (shouldBe):
2131         (test):
2132         * stress/symbol-identity.js: Added.
2133         (shouldBe):
2134         (test):
2135         * stress/symbol-with-description-throw-error.js: Added.
2136         (shouldBe):
2137         (shouldThrow):
2138         (test):
2139         (object.toString):
2140
2141 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2142
2143         [BigInt] Implement DFG/FTL typeof for BigInt
2144         https://bugs.webkit.org/show_bug.cgi?id=192619
2145
2146         Reviewed by Keith Miller.
2147
2148         * stress/big-int-boolean-proven-type.js: Added.
2149         (assert):
2150         (bool):
2151         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2152         (assert):
2153         (typeOf):
2154         (i.switch):
2155         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2156         (assert):
2157         (typeOf):
2158         * stress/big-int-type-of.js:
2159         (typeOf):
2160         (func):
2161
2162 2018-12-10  Mark Lam  <mark.lam@apple.com>
2163
2164         PropertyAttribute needs a CustomValue bit.
2165         https://bugs.webkit.org/show_bug.cgi?id=191993
2166         <rdar://problem/46264467>
2167
2168         Reviewed by Saam Barati.
2169
2170         * stress/regress-191993.js: Added.
2171
2172 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2173
2174         [BigInt] Add ValueMul into DFG
2175         https://bugs.webkit.org/show_bug.cgi?id=186175
2176
2177         Reviewed by Yusuke Suzuki.
2178
2179         * stress/big-int-mul-jit-osr.js: Added.
2180         * stress/big-int-mul-jit-untyped.js: Added.
2181         * stress/value-mul-fixup-int32-big-int.js: Added.
2182
2183 2018-12-06  Keith Miller  <keith_miller@apple.com>
2184
2185         stress/big-wasm-memory tests failing on 32-bit JSC bot
2186         https://bugs.webkit.org/show_bug.cgi?id=192020
2187
2188         Reviewed by Saam Barati.
2189
2190         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2191         the wasm stress tests if the WebAssembly object does not exist.
2192
2193         * stress/big-wasm-memory-grow-no-max.js:
2194         (test.foo):
2195         (test):
2196         (foo): Deleted.
2197         (catch): Deleted.
2198         * stress/big-wasm-memory-grow.js:
2199         (test.foo):
2200         (test):
2201         (foo): Deleted.
2202         (catch): Deleted.
2203         * stress/big-wasm-memory.js:
2204         (test.foo):
2205         (test):
2206         (foo): Deleted.
2207         (catch): Deleted.
2208
2209 2018-12-05  Mark Lam  <mark.lam@apple.com>
2210
2211         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2212         https://bugs.webkit.org/show_bug.cgi?id=192441
2213         <rdar://problem/46480355>
2214
2215         Reviewed by Saam Barati.
2216
2217         * stress/regress-192441.js: Added.
2218
2219 2018-12-04  Mark Lam  <mark.lam@apple.com>
2220
2221         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2222         https://bugs.webkit.org/show_bug.cgi?id=192386
2223         <rdar://problem/46445516>
2224
2225         Reviewed by Saam Barati.
2226
2227         * stress/regress-192386.js: Added.
2228
2229 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2230
2231         [ESNext][BigInt] Support logic operations
2232         https://bugs.webkit.org/show_bug.cgi?id=179903
2233
2234         Reviewed by Yusuke Suzuki.
2235
2236         * stress/big-int-branch-usage.js: Added.
2237         * stress/big-int-logical-and.js: Added.
2238         * stress/big-int-logical-not.js: Added.
2239         * stress/big-int-logical-or.js: Added.
2240
2241 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2242
2243         Unreviewed, rolling out r238833.
2244
2245         Breaks macOS and iOS debug builds.
2246
2247         Reverted changeset:
2248
2249         "[ESNext][BigInt] Support logic operations"
2250         https://bugs.webkit.org/show_bug.cgi?id=179903
2251         https://trac.webkit.org/changeset/238833
2252
2253 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2254
2255         [ESNext][BigInt] Support logic operations
2256         https://bugs.webkit.org/show_bug.cgi?id=179903
2257
2258         Reviewed by Yusuke Suzuki.
2259
2260         * stress/big-int-branch-usage.js: Added.
2261         * stress/big-int-logical-and.js: Added.
2262         * stress/big-int-logical-not.js: Added.
2263         * stress/big-int-logical-or.js: Added.
2264
2265 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2266
2267         [ESNext][BigInt] Implement support for "<<" and ">>"
2268         https://bugs.webkit.org/show_bug.cgi?id=186233
2269
2270         Reviewed by Yusuke Suzuki.
2271
2272         * stress/big-int-left-shift-general.js: Added.
2273         * stress/big-int-left-shift-range-error.js: Added.
2274         * stress/big-int-left-shift-type-error.js: Added.
2275         * stress/big-int-left-shift-wrapped-value.js: Added.
2276         * stress/big-int-right-shift-general.js: Added.
2277         * stress/big-int-right-shift-type-error.js: Added.
2278         * stress/big-int-right-shift-wrapped-value.js: Added.
2279         * stress/left-shift-to-primitive-precedence.js: Added.
2280         * stress/right-shift-to-primitive-precedence.js: Added.
2281
2282 2018-11-30  Dean Jackson  <dino@apple.com>
2283
2284         Add first-class support for .mjs files in jsc binary
2285         https://bugs.webkit.org/show_bug.cgi?id=192190
2286         <rdar://problem/46375715>
2287
2288         Reviewed by Keith Miller.
2289
2290         * stress/simple-module.mjs: Added.
2291         * stress/simple-script.js: Added.
2292
2293 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2294
2295         [BigInt] Implement ValueBitXor into DFG
2296         https://bugs.webkit.org/show_bug.cgi?id=190264
2297
2298         Reviewed by Yusuke Suzuki.
2299
2300         * stress/big-int-bitwise-xor-jit.js: Added.
2301         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2302         * stress/big-int-bitwise-xor-untyped.js: Added.
2303
2304 2018-11-27  Saam barati  <sbarati@apple.com>
2305
2306         r238510 broke scopes of size zero
2307         https://bugs.webkit.org/show_bug.cgi?id=192033
2308         <rdar://problem/46281734>
2309
2310         Reviewed by Keith Miller.
2311
2312         * stress/r238510-bad-loop.js: Added.
2313         (foo):
2314
2315 2018-11-27  Mark Lam  <mark.lam@apple.com>
2316
2317         [Re-landing] NaNs read from Wasm code needs to be purified.
2318         https://bugs.webkit.org/show_bug.cgi?id=191056
2319         <rdar://problem/45660341>
2320
2321         Reviewed by Filip Pizlo.
2322
2323         * wasm/regress/regress-191056.js: Added.
2324
2325 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2326
2327         Unreviewed, rolling out r238509.
2328
2329         Causes JSC tests to fail on iOS.
2330
2331         Reverted changeset:
2332
2333         "NaNs read from Wasm code needs to be purified."
2334         https://bugs.webkit.org/show_bug.cgi?id=191056
2335         https://trac.webkit.org/changeset/238509
2336
2337 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2338
2339         Re-introduce op_bitnot
2340         https://bugs.webkit.org/show_bug.cgi?id=190923
2341
2342         Reviewed by Yusuke Suzuki.
2343
2344         * stress/bit-not-must-generate.js: Added.
2345         * stress/bitwise-not-no-int32.js: Added.
2346
2347 2018-11-26  Saam barati  <sbarati@apple.com>
2348
2349         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2350         https://bugs.webkit.org/show_bug.cgi?id=191956
2351         <rdar://problem/45665806>
2352
2353         Reviewed by Yusuke Suzuki.
2354
2355         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2356         (bar):
2357         (foo):
2358
2359 2018-11-26  Saam barati  <sbarati@apple.com>
2360
2361         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2362         https://bugs.webkit.org/show_bug.cgi?id=191958
2363         <rdar://problem/46221877>
2364
2365         Reviewed by Yusuke Suzuki.
2366
2367         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2368         (x):
2369         (foo):
2370
2371 2018-11-26  Mark Lam  <mark.lam@apple.com>
2372
2373         NaNs read from Wasm code needs to be purified.
2374         https://bugs.webkit.org/show_bug.cgi?id=191056
2375         <rdar://problem/45660341>
2376
2377         Reviewed by Filip Pizlo.
2378
2379         * wasm/regress/regress-191056.js: Added.
2380
2381 2018-11-26  Michael Saboff  <msaboff@apple.com>
2382
2383         32-bit JSC test failure: stress/regexp-compile-oom.js
2384         https://bugs.webkit.org/show_bug.cgi?id=191375
2385
2386         Reviewed by Mark Lam.
2387
2388         Disabled the test for 32 bit platforms.
2389
2390         * stress/regexp-compile-oom.js:
2391
2392 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2393
2394         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2395         https://bugs.webkit.org/show_bug.cgi?id=191716
2396         <rdar://problem/45723878>
2397
2398         Reviewed by Saam Barati.
2399
2400         * stress/regress-187373.js: Added.
2401         (async.fn):
2402
2403 2018-11-21  Saam barati  <sbarati@apple.com>
2404
2405         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2406         https://bugs.webkit.org/show_bug.cgi?id=191897
2407         <rdar://problem/45871998>
2408
2409         Reviewed by Mark Lam.
2410
2411         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2412         (bar):
2413         (foo):
2414
2415 2018-11-21  Saam barati  <sbarati@apple.com>
2416
2417         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2418         https://bugs.webkit.org/show_bug.cgi?id=191895
2419         <rdar://problem/46167406>
2420
2421         Reviewed by Mark Lam.
2422
2423         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2424         (foo):
2425         (bar):
2426
2427 2018-11-21  Mark Lam  <mark.lam@apple.com>
2428
2429         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2430         https://bugs.webkit.org/show_bug.cgi?id=191776
2431         <rdar://problem/46152851>
2432
2433         Reviewed by Saam Barati.
2434
2435         * stress/big-wasm-memory-grow-no-max.js:
2436         * stress/big-wasm-memory-grow.js:
2437         * stress/big-wasm-memory.js:
2438         - updated these to expect an OutOfMemoryError.
2439
2440         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2441         (Binary.prototype.emit_u8):
2442         (Binary.prototype.emit_u32v):
2443         (Binary.prototype.emit_header):
2444         (Binary.prototype.emit_section):
2445         (Binary):
2446         (WasmModuleBuilder):
2447         (WasmModuleBuilder.prototype.addMemory):
2448         (WasmModuleBuilder.prototype.toArray):
2449         (WasmModuleBuilder.prototype.toBuffer):
2450         (WasmModuleBuilder.prototype.instantiate):
2451         (catch):
2452         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2453         (catch):
2454
2455 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2456
2457         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2458         https://bugs.webkit.org/show_bug.cgi?id=190836
2459
2460         Reviewed by Saam Barati and Yusuke Suzuki.
2461
2462         * stress/big-int-out-of-memory-tests.js: Added.
2463
2464 2018-11-20  Mark Lam  <mark.lam@apple.com>
2465
2466         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2467         https://bugs.webkit.org/show_bug.cgi?id=191856
2468         <rdar://problem/46089992>
2469
2470         Reviewed by Yusuke Suzuki.
2471
2472         * stress/regress-191856.js: Added.
2473         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2474
2475 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2476
2477         Enable JIT on ARM/Linux
2478         https://bugs.webkit.org/show_bug.cgi?id=191548
2479
2480         Reviewed by Yusuke Suzuki.
2481
2482         Disable test on system with limited memory. Program was killed by
2483         the OS before the exception was thrown.
2484
2485         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2486
2487 2018-11-20  Saam barati  <sbarati@apple.com>
2488
2489         Merging an IC variant may lead to the IC status containing overlapping structure sets
2490         https://bugs.webkit.org/show_bug.cgi?id=191869
2491         <rdar://problem/45403453>
2492
2493         Reviewed by Mark Lam.
2494
2495         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2496
2497 2018-11-19  Mark Lam  <mark.lam@apple.com>
2498
2499         globalFuncImportModule() should return a promise when it clears exceptions.
2500         https://bugs.webkit.org/show_bug.cgi?id=191792
2501         <rdar://problem/46090763>
2502
2503         Reviewed by Michael Saboff.
2504
2505         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2506
2507 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2508
2509         Skip new memory-hungry tests on memory limited devices
2510
2511         Unreviewed gardening.
2512
2513         * stress/big-wasm-memory-grow-no-max.js:
2514         * stress/big-wasm-memory-grow.js:
2515         * stress/big-wasm-memory.js:
2516
2517 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2518
2519         Unreviewed, rolling in the rest of r237254
2520         https://bugs.webkit.org/show_bug.cgi?id=190340
2521
2522         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2523         * stress/function-cache-with-parameters-end-position.js: Added.
2524         (shouldBe):
2525         (shouldThrow):
2526         (i.anonymous):
2527         * stress/function-constructor-name.js: Added.
2528         (shouldBe):
2529         (GeneratorFunction):
2530         (AsyncFunction.async):
2531         (AsyncGeneratorFunction.async):
2532         (anonymous):
2533         (async.anonymous):
2534         * test262/expectations.yaml:
2535
2536 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2537
2538         All users of ArrayBuffer should agree on the same max size
2539         https://bugs.webkit.org/show_bug.cgi?id=191771
2540
2541         Reviewed by Mark Lam.
2542
2543         * stress/big-wasm-memory-grow-no-max.js: Added.
2544         (foo):
2545         (catch):
2546         * stress/big-wasm-memory-grow.js: Added.
2547         (foo):
2548         (catch):
2549         * stress/big-wasm-memory.js: Added.
2550         (foo):
2551         (catch):
2552
2553 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2554
2555         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2556         run for each JSC config since they're regression tests for runtime bugs.
2557
2558         * stress/json-stringified-overflow-2.js:
2559         * stress/json-stringified-overflow.js:
2560
2561 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2562
2563         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2564         config since they're regression tests for runtime bugs.
2565
2566         * stress/large-unshift-splice.js:
2567         * stress/regress-185888.js:
2568
2569 2018-11-16  Saam Barati  <sbarati@apple.com>
2570
2571         KnownCellUse should also have SpecCellCheck as its type filter
2572         https://bugs.webkit.org/show_bug.cgi?id=191729
2573         <rdar://problem/45872852>
2574
2575         Reviewed by Filip Pizlo.
2576
2577         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2578         (C):
2579
2580 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2581
2582         Fix assertion failure on BytecodeGenerator::recordOpcode
2583         https://bugs.webkit.org/show_bug.cgi?id=191724
2584         <rdar://problem/45724395>
2585
2586         Reviewed by Saam Barati.
2587
2588         * stress/regress-187373-2.js: Added.
2589         (foo):
2590
2591 2018-11-15  Mark Lam  <mark.lam@apple.com>
2592
2593         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2594         https://bugs.webkit.org/show_bug.cgi?id=191730
2595         <rdar://problem/46048517>
2596
2597         Reviewed by Saam Barati.
2598
2599         * stress/regress-187006.js: Removed.
2600           - this test is invalid because its sole purpose is to test for the non-spec
2601             compliant behavior that we just fixed.
2602
2603         * stress/regress-191730.js: Added.
2604
2605 2018-11-15  Mark Lam  <mark.lam@apple.com>
2606
2607         RegExp operations should not take fast path if lastIndex is not numeric.
2608         https://bugs.webkit.org/show_bug.cgi?id=191731
2609         <rdar://problem/46017305>
2610
2611         Reviewed by Saam Barati.
2612
2613         * stress/regress-191731.js: Added.
2614
2615 2018-11-13  Saam Barati  <sbarati@apple.com>
2616
2617         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2618         https://bugs.webkit.org/show_bug.cgi?id=191600
2619
2620         Reviewed by Mark Lam.
2621
2622         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2623         (foo):
2624         (test):
2625         (bar):
2626
2627 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2628
2629         Unreviewed, rolling out r238132.
2630
2631         The test added with this change is timing out on Debug JSC
2632         bots.
2633
2634         Reverted changeset:
2635
2636         "[BigInt] JSBigInt::createWithLength should throw when length
2637         is greater than JSBigInt::maxLength"
2638         https://bugs.webkit.org/show_bug.cgi?id=190836
2639         https://trac.webkit.org/changeset/238132
2640
2641 2018-11-13  Mark Lam  <mark.lam@apple.com>
2642
2643         Add OOM detection to StringPrototype's substituteBackreferences().
2644         https://bugs.webkit.org/show_bug.cgi?id=191563
2645         <rdar://problem/45720428>
2646
2647         Reviewed by Saam Barati.
2648
2649         * stress/regress-191563.js: Added.
2650
2651 2018-11-13  Mark Lam  <mark.lam@apple.com>
2652
2653         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2654         https://bugs.webkit.org/show_bug.cgi?id=191579
2655         <rdar://problem/45942472>
2656
2657         Reviewed by Saam Barati.
2658
2659         * stress/regress-191579.js: Added.
2660
2661 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2662
2663         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2664         https://bugs.webkit.org/show_bug.cgi?id=190836
2665
2666         Reviewed by Saam Barati.
2667
2668         * stress/big-int-out-of-memory-tests.js: Added.
2669
2670 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2671
2672         U+180E is no longer a whitespace character
2673         https://bugs.webkit.org/show_bug.cgi?id=191415
2674
2675         Reviewed by Saam Barati.
2676
2677         * ChakraCore/test/es5/regexSpace.baseline:
2678         * ChakraCore/test/es6/unicode_whitespace.js:
2679         Update tests to latest version.
2680         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2681
2682         * test262.yaml:
2683         * test262/config.yaml:
2684         * test262/expectations.yaml:
2685         Update expectations.
2686
2687 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2688
2689         [BigInt] Add support to BigInt into ValueAdd
2690         https://bugs.webkit.org/show_bug.cgi?id=186177
2691
2692         Reviewed by Keith Miller.
2693
2694         * stress/big-int-negate-jit.js:
2695         * stress/value-add-big-int-and-string.js: Added.
2696         * stress/value-add-big-int-prediction-propagation.js: Added.
2697         * stress/value-add-big-int-untyped.js: Added.
2698
2699 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2700
2701         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2702         https://bugs.webkit.org/show_bug.cgi?id=191184
2703
2704         Reviewed by Saam Barati.
2705
2706         Most tests were failing due to timeouts, since they are too slow to
2707         run on CLoop. The exceptions are:
2708
2709         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2710         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2711         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2712         to change the stack size since CLoop requires it to be page aligned.
2713
2714         * microbenchmarks/array-push-1.js:
2715         * microbenchmarks/array-push-2.js:
2716         * microbenchmarks/elidable-new-object-dag.js:
2717         * microbenchmarks/elidable-new-object-roflcopter.js:
2718         * microbenchmarks/elidable-new-object-tree.js:
2719         * microbenchmarks/getter-richards.js:
2720         * microbenchmarks/sinkable-new-object-dag.js:
2721         * microbenchmarks/string-concat-long-convert.js:
2722         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2723         * slowMicrobenchmarks/array-push-3.js:
2724         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2725         * slowMicrobenchmarks/spread-small-array.js:
2726         * slowMicrobenchmarks/undefined-property-access.js:
2727         * stress/activation-sink-default-value-tdz-error.js:
2728         * stress/activation-sink-default-value.js:
2729         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2730         * stress/activation-sink-osrexit-default-value.js:
2731         * stress/activation-sink-osrexit.js:
2732         * stress/activation-sink.js:
2733         * stress/allow-math-ic-b3-code-duplication.js:
2734         * stress/array-push-multiple-int32.js:
2735         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2736         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2737         * stress/arrowfunction-lexical-this-activation-sink.js:
2738         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2739         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2740         * stress/elide-new-object-dag-then-exit.js:
2741         * stress/materialize-regexp-cyclic.js:
2742         * stress/new-regex-inline.js:
2743         * stress/op_add.js:
2744         * stress/op_bitand.js:
2745         * stress/op_bitor.js:
2746         * stress/op_bitxor.js:
2747         * stress/op_div-ConstVar.js:
2748         * stress/op_div-VarConst.js:
2749         * stress/op_div-VarVar.js:
2750         * stress/op_lshift-ConstVar.js:
2751         * stress/op_lshift-VarConst.js:
2752         * stress/op_lshift-VarVar.js:
2753         * stress/op_mod-ConstVar.js:
2754         * stress/op_mod-VarConst.js:
2755         * stress/op_mod-VarVar.js:
2756         * stress/op_mul-ConstVar.js:
2757         * stress/op_mul-VarConst.js:
2758         * stress/op_mul-VarVar.js:
2759         * stress/op_rshift-ConstVar.js:
2760         * stress/op_rshift-VarConst.js:
2761         * stress/op_rshift-VarVar.js:
2762         * stress/op_sub-ConstVar.js:
2763         * stress/op_sub-VarConst.js:
2764         * stress/op_sub-VarVar.js:
2765         * stress/op_urshift-ConstVar.js:
2766         * stress/op_urshift-VarConst.js:
2767         * stress/op_urshift-VarVar.js:
2768         * stress/proxy-get-set-correct-receiver.js:
2769         * stress/regress-179562.js:
2770         * stress/rest-parameter-many-arguments.js:
2771         * stress/sampling-profiler-richards.js:
2772         * stress/splay-flash-access-1ms.js:
2773         * stress/tailCallForwardArguments.js:
2774         * stress/typed-array-get-by-val-profiling.js:
2775         * typeProfiler/getter-richards.js:
2776
2777 2018-11-06  Michael Saboff  <msaboff@apple.com>
2778
2779         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2780         https://bugs.webkit.org/show_bug.cgi?id=191271
2781
2782         Reviewed by Saam Barati.
2783
2784         Added more test cases and made all test cases run with the same deeply recursive stack
2785         instead of finding that same point for each test case.
2786
2787         * stress/regexp-compile-oom.js:
2788         (prototype.runTest):
2789         (recurseAndTest):
2790         (testList.push.new.TestAndExpectedException):
2791
2792 2018-11-05  Michael Saboff  <msaboff@apple.com>
2793
2794         Unreviewed build fix for linux.
2795
2796         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2797
2798 2018-11-02  Michael Saboff  <msaboff@apple.com>
2799
2800         Rolling in r237753 with unreviewed build fix.
2801
2802         Fixed issues with DECLARE_THROW_SCOPE placement.
2803
2804 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2805
2806         Unreviewed, rolling out r237753.
2807
2808         Introduced JSC test failures
2809
2810         Reverted changeset:
2811
2812         "Running out of stack space not properly handled in
2813         RegExp::compile() and its callers"
2814         https://bugs.webkit.org/show_bug.cgi?id=191206
2815         https://trac.webkit.org/changeset/237753
2816
2817 2018-11-02  Michael Saboff  <msaboff@apple.com>
2818
2819         Running out of stack space not properly handled in RegExp::compile() and its callers
2820         https://bugs.webkit.org/show_bug.cgi?id=191206
2821
2822         Reviewed by Filip Pizlo.
2823
2824         New regression test.
2825
2826         * stress/regexp-compile-oom.js: Added.
2827         (recurseAndTest):
2828
2829 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2830
2831         Skip tests on arm/mips that time out now we're running on CLoop
2832
2833         Unreviewed gardening.
2834
2835         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2836         time out on the bots and need to be disabled. There's more tests
2837         disabled on arm because the timeout is longer on the mips bot (as the
2838         device is slower to start with), so many of the tests don't time out
2839         there.
2840
2841         * microbenchmarks/getter-richards.js: disable on arm and mips.
2842         * stress/op_add.js: disable on arm.
2843         * stress/op_bitand.js: disable on arm.
2844         * stress/op_bitor.js: disable on arm.
2845         * stress/op_bitxor.js: disable on arm.
2846         * stress/op_lshift-ConstVar.js: disable on arm.
2847         * stress/op_lshift-VarConst.js: disable on arm.
2848         * stress/op_lshift-VarVar.js: disable on arm.
2849         * stress/op_mod-ConstVar.js: disable on arm.
2850         * stress/op_mod-VarConst.js: disable on arm.
2851         * stress/op_mod-VarVar.js: disable on arm.
2852         * stress/op_mul-ConstVar.js: disable on arm.
2853         * stress/op_mul-VarConst.js: disable on arm.
2854         * stress/op_mul-VarVar.js: disable on arm.
2855         * stress/op_rshift-ConstVar.js: disable on arm.
2856         * stress/op_rshift-VarConst.js: disable on arm.
2857         * stress/op_rshift-VarVar.js: disable on arm.
2858         * stress/op_sub-ConstVar.js: disable on arm.
2859         * stress/op_sub-VarConst.js: disable on arm.
2860         * stress/op_sub-VarVar.js: disable on arm.
2861         * stress/op_urshift-ConstVar.js: disable on arm.
2862         * stress/op_urshift-VarConst.js: disable on arm.
2863         * stress/op_urshift-VarVar.js: disable on arm.
2864         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2865         * stress/value-to-boolean.js: disable on arm and mips.
2866
2867 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2868
2869         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2870         https://bugs.webkit.org/show_bug.cgi?id=191108
2871         <rdar://problem/45690700>
2872
2873         Reviewed by Saam Barati.
2874
2875         * stress/wide-op_catch.js: Added.
2876         (catch):
2877
2878 2018-10-29  Mark Lam  <mark.lam@apple.com>
2879
2880         Correctly detect string overflow when using the 'Function' constructor.
2881         https://bugs.webkit.org/show_bug.cgi?id=184883
2882         <rdar://problem/36320331>
2883
2884         Reviewed by Saam Barati.
2885
2886         I've verified that this passes on 32-bit as well.
2887
2888         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2889
2890 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2891
2892         Add support for GetStack FlushedDouble
2893         https://bugs.webkit.org/show_bug.cgi?id=191012
2894         <rdar://problem/45265141>
2895
2896         Reviewed by Saam Barati.
2897
2898         * stress/get-stack-double.js: Added.
2899         (bar):
2900         (noInline):
2901
2902 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2903
2904         New bytecode format for JSC
2905         https://bugs.webkit.org/show_bug.cgi?id=187373
2906         <rdar://problem/44186758>
2907
2908         Reviewed by Filip Pizlo.
2909
2910         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2911
2912         * stress/maximum-inline-capacity.js: Added.
2913         (test1):
2914         (test3.Foo):
2915         (test3):
2916
2917 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2918
2919         Unreviewed, rolling out r237479 and r237484.
2920         https://bugs.webkit.org/show_bug.cgi?id=190978
2921
2922         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2923
2924         Reverted changesets:
2925
2926         "New bytecode format for JSC"
2927         https://bugs.webkit.org/show_bug.cgi?id=187373
2928         https://trac.webkit.org/changeset/237479
2929
2930         "Gardening: Build fix after r237479."
2931         https://bugs.webkit.org/show_bug.cgi?id=187373
2932         https://trac.webkit.org/changeset/237484
2933
2934 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2935
2936         New bytecode format for JSC
2937         https://bugs.webkit.org/show_bug.cgi?id=187373
2938         <rdar://problem/44186758>
2939
2940         Reviewed by Filip Pizlo.
2941
2942         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2943
2944         * stress/maximum-inline-capacity.js: Added.
2945         (test1):
2946         (test3.Foo):
2947         (test3):
2948
2949 2018-10-26  Mark Lam  <mark.lam@apple.com>
2950
2951         Fix missing edge cases with JSGlobalObjects having a bad time.
2952         https://bugs.webkit.org/show_bug.cgi?id=189028
2953         <rdar://problem/45204939>
2954
2955         Reviewed by Saam Barati.
2956
2957         * stress/regress-189028.js: Added.
2958
2959 2018-10-22  Mark Lam  <mark.lam@apple.com>
2960
2961         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2962         https://bugs.webkit.org/show_bug.cgi?id=190515
2963         <rdar://problem/45222379>
2964
2965         Rubber-stamped by Saam Barati.
2966
2967         Adding another test.
2968
2969         * stress/regress-190515-2.js: Added.
2970
2971 2018-10-22  Mark Lam  <mark.lam@apple.com>
2972
2973         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2974         https://bugs.webkit.org/show_bug.cgi?id=190515
2975         <rdar://problem/45222379>
2976
2977         Reviewed by Saam Barati.
2978
2979         * stress/regress-190515.js: Added.
2980
2981 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2982
2983         Unreviewed, rolling out r237254.
2984         https://bugs.webkit.org/show_bug.cgi?id=190760
2985
2986         "It regresses JetStream 2 by 5% on some iOS devices"
2987         (Requested by saamyjoon on #webkit).
2988
2989         Reverted changeset:
2990
2991         "[JSC] JSC should have "parseFunction" to optimize Function
2992         constructor"
2993         https://bugs.webkit.org/show_bug.cgi?id=190340
2994         https://trac.webkit.org/changeset/237254
2995
2996 2018-10-19  Saam Barati  <sbarati@apple.com>
2997
2998         vmCall should check if we exit before emitting an OSR exit due to exceptions
2999         https://bugs.webkit.org/show_bug.cgi?id=190740
3000         <rdar://problem/45220139>
3001
3002         Reviewed by Mark Lam.
3003
3004         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3005         (foo):
3006
3007 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3008
3009         [ESNext][BigInt] Implement support for "^"
3010         https://bugs.webkit.org/show_bug.cgi?id=186235
3011
3012         Reviewed by Yusuke Suzuki.
3013
3014         * stress/big-int-bitwise-xor-general.js: Added.
3015         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3016         * stress/big-int-bitwise-xor-type-error.js: Added.
3017         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3018
3019 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3020
3021         [BigInt] Add ValueSub into DFG
3022         https://bugs.webkit.org/show_bug.cgi?id=186176
3023
3024         Reviewed by Yusuke Suzuki.
3025
3026         * stress/big-int-subtraction-jit.js:
3027         * stress/value-sub-big-int-prediction-propagation.js: Added.
3028         * stress/value-sub-big-int-untyped.js: Added.
3029         * stress/value-sub-spec-none-case.js: Added.
3030
3031 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3032
3033         [JSC] JSC should have "parseFunction" to optimize Function constructor
3034         https://bugs.webkit.org/show_bug.cgi?id=190340
3035
3036         Reviewed by Mark Lam.
3037
3038         This patch fixes the line number of syntax errors raised by the Function constructor,
3039         since we now parse the final code only once. And we no longer use block statement
3040         for Function constructor's parsing.
3041
3042         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3043         * stress/function-cache-with-parameters-end-position.js: Added.
3044         (shouldBe):
3045         (shouldThrow):
3046         (i.anonymous):
3047         * stress/function-constructor-name.js: Added.
3048         (shouldBe):
3049         (GeneratorFunction):
3050         (AsyncFunction.async):
3051         (AsyncGeneratorFunction.async):
3052         (anonymous):
3053         (async.anonymous):
3054         * test262/expectations.yaml:
3055
3056 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3057
3058         Unreviewed, rolling out r237242.
3059         https://bugs.webkit.org/show_bug.cgi?id=190701
3060
3061         it breaks "stress/sampling-profiler-basic.js" (Requested by
3062         caiolima on #webkit).
3063
3064         Reverted changeset:
3065
3066         "[BigInt] Add ValueSub into DFG"
3067         https://bugs.webkit.org/show_bug.cgi?id=186176
3068         https://trac.webkit.org/changeset/237242
3069
3070 2018-10-17  Keith Miller  <keith_miller@apple.com>
3071
3072         AI does not clear Phantom allocation nodes.
3073         https://bugs.webkit.org/show_bug.cgi?id=190694
3074
3075         Reviewed by Saam Barati.
3076
3077         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3078         (Day):
3079         (DaysInYear):
3080         (TimeInYear):
3081         (TimeFromYear):
3082         (DayFromYear):
3083         (InLeapYear):
3084         (YearFromTime):
3085         (WeekDay):
3086         (DaylightSavingTA):
3087         (GetSecondSundayInMarch):
3088         (TimeInMonth):
3089
3090 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3091
3092         [BigInt] Add ValueSub into DFG
3093         https://bugs.webkit.org/show_bug.cgi?id=186176
3094
3095         Reviewed by Yusuke Suzuki.
3096
3097         * stress/big-int-subtraction-jit.js:
3098         * stress/value-sub-big-int-prediction-propagation.js: Added.
3099         * stress/value-sub-big-int-untyped.js: Added.
3100
3101 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3102
3103         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3104         https://bugs.webkit.org/show_bug.cgi?id=190611
3105
3106         Reviewed by Saam Barati.
3107
3108         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3109         to improve test runtime. On ARM/MIPS this test even timed out when running all
3110         tests.
3111
3112         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3113         (test):
3114
3115 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3116
3117         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3118
3119         Unreviewed gardening.
3120
3121         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3122
3123 2018-10-15  Saam barati  <sbarati@apple.com>
3124
3125         Emit fjcvtzs on ARM64E on Darwin
3126         https://bugs.webkit.org/show_bug.cgi?id=184023
3127
3128         Reviewed by Yusuke Suzuki and Filip Pizlo.
3129
3130         * stress/double-to-int32-NaN.js: Added.
3131         (assert):
3132         (foo):
3133
3134 2018-10-15  Saam Barati  <sbarati@apple.com>
3135
3136         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3137         https://bugs.webkit.org/show_bug.cgi?id=190262
3138         <rdar://problem/44986241>
3139
3140         Reviewed by Mark Lam.
3141
3142         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3143         (test):
3144         * stress/slice-array-storage-with-holes.js: Added.
3145         (main):
3146
3147 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3148
3149         Unreviewed, rolling out r237054.
3150         https://bugs.webkit.org/show_bug.cgi?id=190593
3151
3152         "this regressed JetStream 2 by 6% on iOS" (Requested by
3153         saamyjoon on #webkit).
3154
3155         Reverted changeset:
3156
3157         "[JSC] JSC should have "parseFunction" to optimize Function
3158         constructor"
3159         https://bugs.webkit.org/show_bug.cgi?id=190340
3160         https://trac.webkit.org/changeset/237054
3161
3162 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3163
3164         [JSC] JSON.stringify can accept call-with-no-arguments
3165         https://bugs.webkit.org/show_bug.cgi?id=190343
3166
3167         Reviewed by Mark Lam.
3168
3169         * stress/json-stringify-no-arguments.js: Added.
3170         (shouldBe):
3171
3172 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3173
3174         [JSC] JSC should have "parseFunction" to optimize Function constructor
3175         https://bugs.webkit.org/show_bug.cgi?id=190340
3176
3177         Reviewed by Mark Lam.
3178
3179         This patch fixes the line number of syntax errors raised by the Function constructor,
3180         since we now parse the final code only once. And we no longer use block statement
3181         for Function constructor's parsing.
3182
3183         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3184         * stress/function-cache-with-parameters-end-position.js: Added.
3185         (shouldBe):
3186         (shouldThrow):
3187         (i.anonymous):
3188         * stress/function-constructor-name.js: Added.
3189         (shouldBe):
3190         (GeneratorFunction):
3191         (AsyncFunction.async):
3192         (AsyncGeneratorFunction.async):
3193         (anonymous):
3194         (async.anonymous):
3195         * test262/expectations.yaml:
3196
3197 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3198
3199         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3200         https://bugs.webkit.org/show_bug.cgi?id=190426
3201
3202         Unreviewed gardening.
3203
3204         * stress/sampling-profiler-richards.js:
3205
3206 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3207
3208         [ESNext][BigInt] Implement support for "|"
3209         https://bugs.webkit.org/show_bug.cgi?id=186229
3210
3211         Reviewed by Yusuke Suzuki.
3212
3213         * stress/big-int-bitwise-and-jit.js:
3214         * stress/big-int-bitwise-or-general.js: Added.
3215         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3216         * stress/big-int-bitwise-or-jit.js: Added.
3217         * stress/big-int-bitwise-or-memory-stress.js: Added.
3218         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3219         * stress/big-int-bitwise-or-type-error.js: Added.
3220         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3221
3222 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3223
3224         Skip test on systems with limited memory
3225         https://bugs.webkit.org/show_bug.cgi?id=190310
3226
3227         Invoking runDefault adds test to runlist, skipping the test in the next
3228         line does not prevent the test from executing. Change order of lines such
3229         that runDefault is only executed if test is not executed.
3230
3231         Reviewed by Mark Lam.
3232
3233         * stress/regress-190187.js:
3234
3235 2018-10-03  Saam barati  <sbarati@apple.com>
3236
3237         lowXYZ in FTLLower should always filter the type of the incoming edge
3238         https://bugs.webkit.org/show_bug.cgi?id=189939
3239         <rdar://problem/44407030>
3240
3241         Reviewed by Michael Saboff.
3242
3243         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3244         (foo):
3245         (test):
3246
3247 2018-10-03  Mark Lam  <mark.lam@apple.com>
3248
3249         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3250         https://bugs.webkit.org/show_bug.cgi?id=190187
3251         <rdar://problem/42512909>
3252
3253         Reviewed by Michael Saboff.
3254
3255         * stress/regress-190187.js: Added.
3256
3257 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3258
3259         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3260         https://bugs.webkit.org/show_bug.cgi?id=190033
3261
3262         Reviewed by Yusuke Suzuki.
3263
3264         * stress/big-int-to-string.js:
3265
3266 2018-10-01  Mark Lam  <mark.lam@apple.com>
3267
3268         Function.toString() should also copy the source code Functions that are class definitions.
3269         https://bugs.webkit.org/show_bug.cgi?id=190186
3270         <rdar://problem/44733360>
3271
3272         Reviewed by Saam Barati.
3273
3274         * stress/regress-190186.js: Added.
3275
3276 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3277
3278         Split NaN-check into separate test
3279         https://bugs.webkit.org/show_bug.cgi?id=190010
3280
3281         Reviewed by Saam Barati.
3282
3283         DataView exposes NaN-representation, which is not necessarily the same on each
3284         architecture. Therefore move the check of the NaN-representation into its own
3285         file such that we can disable this test on MIPS where NaN-representation can be
3286         different on older CPUs.
3287
3288         * stress/dataview-jit-set-nan.js: Added.
3289         (assert):
3290         (test.storeLittleEndian):
3291         (test.storeBigEndian):
3292         (test.store):
3293         (test):
3294         * stress/dataview-jit-set.js:
3295         (test5):
3296
3297 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3298
3299         Unreviewed, rolling out r236647.
3300         https://bugs.webkit.org/show_bug.cgi?id=190124
3301
3302         Breaking test stress/big-int-to-string.js (Requested by
3303         caiolima_ on #webkit).
3304
3305         Reverted changeset:
3306
3307         "[BigInt] BigInt.prototype.toString is broken when radix is
3308         power of 2"
3309         https://bugs.webkit.org/show_bug.cgi?id=190033
3310         https://trac.webkit.org/changeset/236647
3311
3312 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3313
3314         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3315         https://bugs.webkit.org/show_bug.cgi?id=190033
3316
3317         Reviewed by Yusuke Suzuki.
3318
3319         * stress/big-int-to-string.js:
3320
3321 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3322
3323         [ESNext][BigInt] Implement support for "&"
3324         https://bugs.webkit.org/show_bug.cgi?id=186228
3325
3326         Reviewed by Yusuke Suzuki.
3327
3328         * stress/big-int-bitwise-and-general.js: Added.
3329         (assert):
3330         (assert.sameValue):
3331         * stress/big-int-bitwise-and-jit.js: Added.
3332         (let.assert.sameValue):
3333         (bigIntBitAnd):
3334         * stress/big-int-bitwise-and-memory-stress.js: Added.
3335         (assert):
3336         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3337         (assert.sameValue):
3338         (let.o.Symbol.toPrimitive):
3339         (catch):
3340         * stress/big-int-bitwise-and-type-error.js: Added.
3341         (assert):
3342         (assertThrowTypeError):
3343         (let.o.valueOf):
3344         (o.valueOf):
3345         (o.toString):
3346         (o.Symbol.toPrimitive):
3347         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3348         (assert.sameValue):
3349         (testBitAnd):
3350         (let.o.Symbol.toPrimitive):
3351         (o.valueOf):
3352         (o.toString):
3353
3354 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3355
3356         JSC test stress/jsc-read.js doesn't support CRLF
3357         https://bugs.webkit.org/show_bug.cgi?id=190063
3358
3359         Reviewed by Yusuke Suzuki.
3360
3361         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3362
3363         * stress/jsc-read.js:
3364         (test):
3365
3366 2018-09-27  Saam barati  <sbarati@apple.com>
3367
3368         Verify the contents of AssemblerBuffer on arm64e
3369         https://bugs.webkit.org/show_bug.cgi?id=190057
3370         <rdar://problem/38916630>
3371
3372         Reviewed by Mark Lam.
3373
3374         * stress/regress-189132.js:
3375
3376 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3377
3378         Disable test without LLInt on ARMv7
3379         https://bugs.webkit.org/show_bug.cgi?id=190037
3380
3381         Reviewed by Mark Lam.
3382
3383         Test runs out of executable memory on ARMv7, do not run
3384         this test without LLInt enabled.
3385
3386         * stress/regress-169445.js:
3387
3388 2018-09-26  Keith Miller  <keith_miller@apple.com>
3389
3390         We should zero unused property storage when rebalancing array storage.
3391         https://bugs.webkit.org/show_bug.cgi?id=188151
3392
3393         Reviewed by Michael Saboff.
3394
3395         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3396
3397 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3398
3399         [JSC] Optimize Array#lastIndexOf
3400         https://bugs.webkit.org/show_bug.cgi?id=189780
3401
3402         Reviewed by Saam Barati.
3403
3404         * stress/array-lastindexof-array-prototype-trap.js: Added.
3405         (shouldBe):
3406         (AncestorArray.prototype.get 2):
3407         (AncestorArray):
3408         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3409         (shouldBe):
3410         * stress/array-lastindexof-hole-nan.js: Added.
3411         (shouldBe):
3412         (throw.new.Error):
3413         * stress/array-lastindexof-infinity.js: Added.
3414         (shouldBe):
3415         (throw.new.Error):
3416         * stress/array-lastindexof-negative-zero.js: Added.
3417         (shouldBe):
3418         (throw.new.Error):
3419         * stress/array-lastindexof-own-getter.js: Added.
3420         (shouldBe):
3421         (throw.new.Error.get array):
3422         (get array):
3423         * stress/array-lastindexof-prototype-trap.js: Added.
3424         (shouldBe):
3425         (DerivedArray.prototype.get 2):
3426         (DerivedArray):
3427
3428 2018-09-25  Saam Barati  <sbarati@apple.com>
3429
3430         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3431         https://bugs.webkit.org/show_bug.cgi?id=189940
3432         <rdar://problem/43640987>
3433
3434         Reviewed by Mark Lam.
3435
3436         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3437
3438 2018-09-24  Saam Barati  <sbarati@apple.com>
3439
3440         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3441         https://bugs.webkit.org/show_bug.cgi?id=189922
3442         <rdar://problem/44651275>
3443
3444         Reviewed by Mark Lam.
3445
3446         * stress/array-indexof-fast-path-effects.js: Added.
3447         * stress/array-indexof-cached-length.js: Added.
3448
3449 2018-09-24  Saam barati  <sbarati@apple.com>
3450
3451         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3452         https://bugs.webkit.org/show_bug.cgi?id=189682
3453         <rdar://problem/43557315>
3454
3455         Reviewed by Mark Lam.
3456
3457         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3458         (foo):
3459
3460 2018-09-22  Saam barati  <sbarati@apple.com>
3461
3462         The sampling should not use Strong<CodeBlock> in its machineLocation field
3463         https://bugs.webkit.org/show_bug.cgi?id=189319
3464
3465         Reviewed by Filip Pizlo.
3466
3467         * stress/sampling-profiler-richards.js: Added.
3468
3469 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3470
3471         [JSC] Optimize Array#indexOf in C++ runtime
3472         https://bugs.webkit.org/show_bug.cgi?id=189507
3473
3474         Reviewed by Saam Barati.
3475
3476         * stress/array-indexof-array-prototype-trap.js: Added.
3477         (shouldBe):
3478         (AncestorArray.prototype.get 2):
3479         (AncestorArray):
3480         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3481         (shouldBe):
3482         * stress/array-indexof-hole-nan.js: Added.
3483         (shouldBe):
3484         (throw.new.Error):
3485         * stress/array-indexof-infinity.js: Added.
3486         (shouldBe):
3487         (throw.new.Error):
3488         * stress/array-indexof-negative-zero.js: Added.
3489         (shouldBe):
3490         (throw.new.Error):
3491         * stress/array-indexof-own-getter.js: Added.
3492         (shouldBe):
3493         (throw.new.Error.get array):
3494         (get array):
3495         * stress/array-indexof-prototype-trap.js: Added.
3496         (shouldBe):
3497         (DerivedArray.prototype.get 2):
3498         (DerivedArray):
3499
3500 2018-09-19  Saam barati  <sbarati@apple.com>
3501
3502         AI rule for MultiPutByOffset executes its effects in the wrong order
3503         https://bugs.webkit.org/show_bug.cgi?id=189757
3504         <rdar://problem/43535257>
3505
3506         Reviewed by Michael Saboff.
3507
3508         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3509         (foo):
3510         (Foo):
3511         (g):
3512
3513 2018-09-17  Mark Lam  <mark.lam@apple.com>
3514
3515         Ensure that ForInContexts are invalidated if their loop local is over-written.
3516         https://bugs.webkit.org/show_bug.cgi?id=189571
3517         <rdar://problem/44402277>
3518
3519         Reviewed by Saam Barati.
3520
3521         * stress/regress-189571.js: Added.
3522
3523 2018-09-17  Saam barati  <sbarati@apple.com>
3524
3525         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3526         https://bugs.webkit.org/show_bug.cgi?id=189676
3527         <rdar://problem/39682897>
3528
3529         Reviewed by Michael Saboff.
3530
3531         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3532         (A):
3533         (K):
3534         (i.catch):
3535
3536 2018-09-14  Saam barati  <sbarati@apple.com>
3537
3538         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3539         https://bugs.webkit.org/show_bug.cgi?id=189628
3540         <rdar://problem/39481690>
3541
3542         Reviewed by Mark Lam.
3543
3544         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3545         (foo):
3546
3547 2018-09-11  Mark Lam  <mark.lam@apple.com>
3548
3549         Test for array initialization in arrayProtoFuncSplice.
3550         https://bugs.webkit.org/show_bug.cgi?id=170253
3551         <rdar://problem/31328773>
3552
3553         Rubber-stamped by Saam Barati.
3554
3555         * stress/regress-170253.js: Added.
3556
3557 2018-09-11  Mark Lam  <mark.lam@apple.com>
3558
3559         Test for IntlObject initialization.
3560         https://bugs.webkit.org/show_bug.cgi?id=170251
3561         <rdar://problem/31328419>
3562
3563         Rubber-stamped by Saam Barati.
3564
3565         * stress/regress-170251.js: Added.
3566
3567 2018-09-11  Mark Lam  <mark.lam@apple.com>
3568
3569         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3570         https://bugs.webkit.org/show_bug.cgi?id=169889
3571         <rdar://problem/31155607>
3572
3573         Reviewed by Saam Barati.
3574
3575         * stress/regress-169889-array-concat.js: Added.
3576         * stress/regress-169889-array-concat1.js: Added.
3577         * stress/regress-169889-array-slice.js: Added.
3578
3579 2018-09-11  Mark Lam  <mark.lam@apple.com>
3580
3581         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3582         https://bugs.webkit.org/show_bug.cgi?id=169445
3583         <rdar://problem/30957435>
3584
3585         Reviewed by Saam Barati.
3586
3587         * stress/regress-169445.js: Added.
3588         (let.gun.eval.A):
3589         (let.gun.eval.B.C):
3590         (let.gun.eval.B.C.prototype.trigger):
3591         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3592         (let.gun.eval.B):
3593         (let.gun.eval):
3594
3595 == Rolled over to ChangeLog-2018-09-11 ==