JSFunction::canUseAllocationProfile() should account for builtin functions with no...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-15  Mark Lam  <mark.lam@apple.com>
2
3         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
4         https://bugs.webkit.org/show_bug.cgi?id=193423
5         <rdar://problem/46209355>
6
7         Reviewed by Saam Barati.
8
9         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
10         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
11         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
12         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
13
14 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
15
16         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
17         https://bugs.webkit.org/show_bug.cgi?id=193438
18         <rdar://problem/45581249>
19
20         Reviewed by Saam Barati and Keith Miller.
21
22         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
23         Then, GetByVal(String) crashed.
24
25         * stress/string-get-by-val-lowering.js: Added.
26         (shouldBe):
27         (test):
28         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
29         (Hello):
30         (foo):
31
32 2019-01-15  Tomas Popela  <tpopela@redhat.com>
33
34         Unreviewed, skip JIT tests if it's not enabled
35
36         * stress/bit-op-with-object-returning-int32.js:
37
38 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
39
40         DFGByteCodeParser rules for bitwise operations should consider type of their operands
41         https://bugs.webkit.org/show_bug.cgi?id=192966
42
43         Reviewed by Yusuke Suzuki.
44
45         * stress/bit-op-with-object-returning-int32.js: Added.
46
47 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
48
49         Skip a slow test and a flakey test on arm
50
51         Unreviewed gardening.
52
53         * typeProfiler/getter-richards.js:
54         this test always times out, it used to be always skipped on arm and
55         mips, but got accidentally enabled by r237919 now that we have DFG on
56         arm. Also skipping on mips as we plan to soon enable DFG for it too.
57
58 2019-01-14  Keith Miller  <keith_miller@apple.com>
59
60         Skip type-check-hoisting-phase-hoist... with no jit
61         https://bugs.webkit.org/show_bug.cgi?id=193421
62
63         Reviewed by Mark Lam.
64
65         It's timing out the 32-bit bots and takes 330 seconds
66         on my machine when run by itself.
67
68         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
69
70 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
71
72         [JSC] AI should check the given constant's array type when folding GetByVal into constant
73         https://bugs.webkit.org/show_bug.cgi?id=193413
74         <rdar://problem/46092389>
75
76         Reviewed by Keith Miller.
77
78         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
79         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
80         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
81         but GetByVal does not have appropriate ArrayModes, JSC crashes.
82
83         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
84         (compareArray):
85
86 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
87
88         [BigInt] Literal parsing is crashing when used inside a Object Literal
89         https://bugs.webkit.org/show_bug.cgi?id=193404
90
91         Reviewed by Yusuke Suzuki.
92
93         * stress/big-int-literal-inside-literal-object.js: Added.
94
95 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
96
97         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
98         https://bugs.webkit.org/show_bug.cgi?id=193372
99
100         Reviewed by Saam Barati.
101
102         * stress/typed-array-array-modes-profile.js: Added.
103         (foo):
104
105 2019-01-14  Mark Lam  <mark.lam@apple.com>
106
107         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
108         https://bugs.webkit.org/show_bug.cgi?id=193402
109         <rdar://problem/46012309>
110
111         Reviewed by Keith Miller.
112
113         * stress/regexp-compile-oom.js:
114         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
115           is enabled.  As a result, it will fail on cloop builds though there is no bug.
116
117 2019-01-11  Saam barati  <sbarati@apple.com>
118
119         DFG combined liveness can be wrong for terminal basic blocks
120         https://bugs.webkit.org/show_bug.cgi?id=193304
121         <rdar://problem/45268632>
122
123         Reviewed by Yusuke Suzuki.
124
125         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
126
127 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
128
129         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
130         https://bugs.webkit.org/show_bug.cgi?id=193308
131         <rdar://problem/45546542>
132
133         Reviewed by Saam Barati.
134
135         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
136         (shouldThrow):
137         (shouldBe):
138         (foo):
139         (get shouldThrow):
140         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
141         (shouldThrow):
142         (shouldBe):
143         (foo):
144         (get shouldBe):
145         (get shouldThrow):
146         (get return):
147         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
148         (shouldThrow):
149         (shouldBe):
150         (foo):
151         (get shouldBe):
152         (get shouldThrow):
153         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
154         (shouldThrow):
155         (shouldBe):
156         (foo):
157         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
158         (shouldThrow):
159         (shouldBe):
160         (foo):
161         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
162         (shouldThrow):
163         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
164         (shouldThrow):
165         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
166         (shouldThrow):
167         (shouldBe):
168         (foo):
169         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
170         (shouldThrow):
171         (shouldBe):
172         (foo):
173         (get shouldBe):
174         (get shouldThrow):
175         (get return):
176         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
177         (shouldThrow):
178         (shouldBe):
179         (foo):
180         (get shouldBe):
181         (get shouldThrow):
182         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
183         (shouldThrow):
184         (shouldBe):
185         (foo):
186         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
187         (shouldThrow):
188         (shouldBe):
189         (foo):
190
191 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
192
193         Enable DFG on ARM/Linux again
194         https://bugs.webkit.org/show_bug.cgi?id=192496
195
196         Reviewed by Yusuke Suzuki.
197
198         Test wasn't really skipped before moving the line with skip
199         to the top.
200
201         * stress/regress-192717.js:
202
203 2019-01-10  Commit Queue  <commit-queue@webkit.org>
204
205         Unreviewed, rolling out r239825.
206         https://bugs.webkit.org/show_bug.cgi?id=193330
207
208         Broke tests on armv7/linux bots (Requested by guijemont on
209         #webkit).
210
211         Reverted changeset:
212
213         "Enable DFG on ARM/Linux again"
214         https://bugs.webkit.org/show_bug.cgi?id=192496
215         https://trac.webkit.org/changeset/239825
216
217 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
218
219         Enable DFG on ARM/Linux again
220         https://bugs.webkit.org/show_bug.cgi?id=192496
221
222         Reviewed by Yusuke Suzuki.
223
224         Test wasn't really skipped before moving the line with skip
225         to the top.
226
227         * stress/regress-192717.js:
228
229 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
230
231         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
232         https://bugs.webkit.org/show_bug.cgi?id=193127
233
234         Reviewed by Saam Barati.
235
236         * stress/array-species-create-should-handle-masquerader.js: Added.
237         (shouldThrow):
238         * stress/is-undefined-or-null-builtin.js: Added.
239         (shouldBe):
240         (isUndefinedOrNull.vm.createBuiltin):
241
242 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
243
244         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
245         https://bugs.webkit.org/show_bug.cgi?id=193221
246
247         Reviewed by Mark Lam.
248
249         * stress/put-by-id-flags.js: Added.
250         (f):
251         (g):
252         (numberOfDFGCompiles):
253
254 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
255
256         Baseline version of get_by_id may corrupt metadata
257         https://bugs.webkit.org/show_bug.cgi?id=193085
258         <rdar://problem/23453006>
259
260         Reviewed by Saam Barati.
261
262         * stress/get-by-id-change-mode.js: Added.
263         (forEach):
264
265 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
266
267         [JSC] Optimize Object.prototype.toString
268         https://bugs.webkit.org/show_bug.cgi?id=193031
269
270         Reviewed by Saam Barati.
271
272         * stress/object-tostring-changed-proto.js: Added.
273         (shouldBe):
274         (test):
275         * stress/object-tostring-changed.js: Added.
276         (shouldBe):
277         (test):
278         * stress/object-tostring-misc.js: Added.
279         (shouldBe):
280         (test):
281         (i.switch):
282         * stress/object-tostring-other.js: Added.
283         (shouldBe):
284         (test):
285         * stress/object-tostring-untyped.js: Added.
286         (shouldBe):
287         (test):
288         (i.switch):
289
290 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
291
292         test262-runner misbehaves when test file YAML has a trailing space
293         https://bugs.webkit.org/show_bug.cgi?id=193053
294
295         Reviewed by Yusuke Suzuki.
296
297         * test262/expectations.yaml:
298         Mark two dozen tests as passing (and correct the output of another).
299
300 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
301
302         Unreviewed, JSTests gardening with memoryLimited
303
304         * stress/string-overflow-createError.js:
305
306 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
307
308         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
309         https://bugs.webkit.org/show_bug.cgi?id=193050
310
311         Reviewed by Yusuke Suzuki.
312
313         * test262.yaml:
314         * test262/expectations.yaml:
315         Mark 16 tests as passing.
316
317 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
318
319         [BigInt] Support BigInt in JSON.stringify
320         https://bugs.webkit.org/show_bug.cgi?id=192624
321
322         Reviewed by Saam Barati.
323
324         * stress/big-int-json-stringify-to-json.js: Added.
325         (shouldBe):
326         (shouldThrow):
327         (BigInt.prototype.toJSON):
328         (shouldBe.JSON.stringify):
329         * stress/big-int-json-stringify.js: Added.
330         (shouldBe):
331         (shouldThrow):
332
333 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
334
335         [JSC] Implement "well-formed JSON.stringify" proposal
336         https://bugs.webkit.org/show_bug.cgi?id=191677
337
338         Reviewed by Darin Adler.
339
340         * stress/json-surrogate-pair.js: Added.
341         (shouldBe):
342         * test262/expectations.yaml:
343
344 2018-12-20  Keith Miller  <keith_miller@apple.com>
345
346         Add support for globalThis
347         https://bugs.webkit.org/show_bug.cgi?id=165171
348
349         Reviewed by Mark Lam.
350
351         * test262/config.yaml:
352
353 2018-12-19  Keith Miller  <keith_miller@apple.com>
354
355         Update test262 configuration to not run tests dependent on ICU version.
356         https://bugs.webkit.org/show_bug.cgi?id=192920
357
358         Reviewed by Saam Barati.
359
360         * test262/expectations.yaml:
361
362 2018-12-20  Mark Lam  <mark.lam@apple.com>
363
364         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
365         https://bugs.webkit.org/show_bug.cgi?id=192939
366         <rdar://problem/46869516>
367
368         Reviewed by Keith Miller.
369
370         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
371
372 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
373
374         WTF::String and StringImpl overflow MaxLength
375         https://bugs.webkit.org/show_bug.cgi?id=192853
376         <rdar://problem/45726906>
377
378         Reviewed by Mark Lam.
379
380         * stress/string-16bit-repeat-overflow.js: Added.
381         (catch):
382
383 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
384
385         Unreviewed follow-up to r192914.
386
387         * test262/expectations.yaml:
388         Add the last 20 missing expectations.
389
390 2018-12-19  Keith Miller  <keith_miller@apple.com>
391
392         Fix test262 expectations
393         https://bugs.webkit.org/show_bug.cgi?id=192914
394
395         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
396
397         * test262/expectations.yaml:
398
399 2018-12-19  Keith Miller  <keith_miller@apple.com>
400
401         Update test262 tests.
402         https://bugs.webkit.org/show_bug.cgi?id=192907
403
404         Rubber stamped by Mark Lam.
405
406         * test262/*: Omitted because prepare-changelog crashes.
407
408 2018-12-19  Mark Lam  <mark.lam@apple.com>
409
410         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
411         https://bugs.webkit.org/show_bug.cgi?id=192464
412         <rdar://problem/46519455>
413
414         Reviewed by Saam Barati.
415
416         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
417         microbenchmark.
418
419         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
420         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
421
422 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
423
424         String overflow in JSC::createError results in ASSERT in WTF::makeString
425         https://bugs.webkit.org/show_bug.cgi?id=192833
426         <rdar://problem/45706868>
427
428         Reviewed by Mark Lam.
429
430         * stress/string-overflow-createError.js: Added.
431
432 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
433
434         Error message for `-x ** y` contains a typo.
435         https://bugs.webkit.org/show_bug.cgi?id=192832
436
437         Reviewed by Saam Barati.
438
439         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
440         (assert.assert.return.throws):
441         * stress/pow-expects-update-expression-on-lhs.js:
442         (throw.new.Error):
443         Update test expectations which match against the exact error message.
444
445 2018-12-18  Mark Lam  <mark.lam@apple.com>
446
447         Gardening: test options fix.
448         https://bugs.webkit.org/show_bug.cgi?id=192822
449
450         Unreviewed.
451
452         * stress/json-stringify-string-builder-overflow.js:
453
454 2018-12-18  Mark Lam  <mark.lam@apple.com>
455
456         JSON.stringify() should throw OOM on StringBuilder overflows.
457         https://bugs.webkit.org/show_bug.cgi?id=192822
458         <rdar://problem/46670577>
459
460         Reviewed by Saam Barati.
461
462         * stress/json-stringify-string-builder-overflow.js: Added.
463
464 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
465
466         Redeclaration of var over let/const/class should be a syntax error.
467         https://bugs.webkit.org/show_bug.cgi?id=192298
468
469         Reviewed by Keith Miller.
470
471         * test262.yaml:
472         * test262/expectations.yaml:
473         Mark 46 tests as passing.
474
475         * stress/block-scope-redeclarations.js:
476         Add some new tests.
477
478         * stress/for-in-invalidate-context-weird-assignments.js:
479         * stress/for-in-tests.js:
480         Replace tests for outdated behavior with tests for SyntaxError.
481
482         * ChakraCore/test/LetConst/defer3.baseline-jsc:
483         * ChakraCore/test/LetConst/letvar.baseline-jsc:
484         Update expectations.
485
486 2018-12-18  Mark Lam  <mark.lam@apple.com>
487
488         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
489         https://bugs.webkit.org/show_bug.cgi?id=191374
490         <rdar://problem/46525447>
491
492         Reviewed by Yusuke Suzuki.
493
494         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
495
496         * stress/elidable-new-object-roflcopter-then-exit.js:
497
498 2018-12-17  Mark Lam  <mark.lam@apple.com>
499
500         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
501         https://bugs.webkit.org/show_bug.cgi?id=192019
502         <rdar://problem/46525456>
503
504         Reviewed by Yusuke Suzuki.
505
506         The test runs too slow on 32-bit.
507
508         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
509
510 2018-12-17  Mark Lam  <mark.lam@apple.com>
511
512         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
513         https://bugs.webkit.org/show_bug.cgi?id=191373
514         <rdar://problem/46525458>
515
516         Reviewed by Yusuke Suzuki.
517
518         The test is already slow running with a JIT on 64-bit.  It will always timeout
519         on 32-bit without a JIT.
520
521         * stress/materialize-regexp-cyclic-regexp.js:
522
523 2018-12-17  Mark Lam  <mark.lam@apple.com>
524
525         Array unshift/shift should not race against the AI in the compiler thread.
526         https://bugs.webkit.org/show_bug.cgi?id=192795
527         <rdar://problem/46724263>
528
529         Reviewed by Saam Barati.
530
531         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
532
533 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
534
535         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
536         https://bugs.webkit.org/show_bug.cgi?id=190047
537
538         Reviewed by Saam Barati.
539
540         * stress/object-keys-cached-zero.js: Added.
541         (shouldBe):
542         (test):
543         * stress/object-keys-changed-attribute.js: Added.
544         (shouldBe):
545         (test):
546         * stress/object-keys-changed-index.js: Added.
547         (shouldBe):
548         (test):
549         * stress/object-keys-changed.js: Added.
550         (shouldBe):
551         (test):
552         * stress/object-keys-indexed-non-cache.js: Added.
553         (shouldBe):
554         (test):
555         * stress/object-keys-overrides-get-property-names.js: Added.
556         (shouldBe):
557         (test):
558         (noInline):
559
560 2018-12-17  Mark Lam  <mark.lam@apple.com>
561
562         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
563         https://bugs.webkit.org/show_bug.cgi?id=192779
564         <rdar://problem/46775869>
565
566         Reviewed by Saam Barati.
567
568         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
569
570 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
571
572         Unreviewed test gardening, address a syntax error in a new test.
573
574         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
575
576 2018-12-17  Mark Lam  <mark.lam@apple.com>
577
578         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
579         https://bugs.webkit.org/show_bug.cgi?id=192776
580         <rdar://problem/46772368>
581
582         Reviewed by Keith Miller.
583
584         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
585
586 2018-12-17  Mark Lam  <mark.lam@apple.com>
587
588         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
589         https://bugs.webkit.org/show_bug.cgi?id=192770
590         <rdar://problem/46449037>
591
592         Reviewed by Keith Miller.
593
594         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
595
596 2018-12-14  Mark Lam  <mark.lam@apple.com>
597
598         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
599         https://bugs.webkit.org/show_bug.cgi?id=192717
600         <rdar://problem/46660677>
601
602         Reviewed by Saam Barati.
603
604         * stress/regress-192717.js: Added.
605
606 2018-12-14  Commit Queue  <commit-queue@webkit.org>
607
608         Unreviewed, rolling out r239153, r239154, and r239155.
609         https://bugs.webkit.org/show_bug.cgi?id=192715
610
611         Caused flaky GC-related crashes seen with layout tests
612         (Requested by ryanhaddad on #webkit).
613
614         Reverted changesets:
615
616         "[JSC] Optimize Object.keys by caching own keys results in
617         StructureRareData"
618         https://bugs.webkit.org/show_bug.cgi?id=190047
619         https://trac.webkit.org/changeset/239153
620
621         "Unreviewed, build fix after r239153"
622         https://bugs.webkit.org/show_bug.cgi?id=190047
623         https://trac.webkit.org/changeset/239154
624
625         "Unreviewed, build fix after r239153, part 2"
626         https://bugs.webkit.org/show_bug.cgi?id=190047
627         https://trac.webkit.org/changeset/239155
628
629 2018-12-14  Keith Miller  <keith_miller@apple.com>
630
631         Callers of JSString::getIndex should check for OOM exceptions
632         https://bugs.webkit.org/show_bug.cgi?id=192709
633
634         Reviewed by Mark Lam.
635
636         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
637
638 2018-12-13  Mark Lam  <mark.lam@apple.com>
639
640         Add a missing exception check.
641         https://bugs.webkit.org/show_bug.cgi?id=192626
642         <rdar://problem/46662163>
643
644         Reviewed by Keith Miller.
645
646         * stress/regress-192626.js: Added.
647
648 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
649
650         [BigInt] Add ValueDiv into DFG
651         https://bugs.webkit.org/show_bug.cgi?id=186178
652
653         Reviewed by Yusuke Suzuki.
654
655         * stress/big-int-div-jit-osr.js: Added.
656         * stress/big-int-div-jit-untyped.js: Added.
657         * stress/value-div-fixup-int32-big-int.js: Added.
658
659 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
660
661         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
662         https://bugs.webkit.org/show_bug.cgi?id=190047
663
664         Reviewed by Keith Miller.
665
666         * stress/object-keys-cached-zero.js: Added.
667         (shouldBe):
668         (test):
669         * stress/object-keys-changed-attribute.js: Added.
670         (shouldBe):
671         (test):
672         * stress/object-keys-changed-index.js: Added.
673         (shouldBe):
674         (test):
675         * stress/object-keys-changed.js: Added.
676         (shouldBe):
677         (test):
678         * stress/object-keys-indexed-non-cache.js: Added.
679         (shouldBe):
680         (test):
681         * stress/object-keys-overrides-get-property-names.js: Added.
682         (shouldBe):
683         (test):
684         (noInline):
685
686 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
687
688         [DFG][FTL] Add NewSymbol
689         https://bugs.webkit.org/show_bug.cgi?id=192620
690
691         Reviewed by Saam Barati.
692
693         * microbenchmarks/symbol-creation.js: Added.
694         (test):
695         * stress/symbol-description-identity.js: Added.
696         (shouldBe):
697         (test):
698         * stress/symbol-identity.js: Added.
699         (shouldBe):
700         (test):
701         * stress/symbol-with-description-throw-error.js: Added.
702         (shouldBe):
703         (shouldThrow):
704         (test):
705         (object.toString):
706
707 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
708
709         [BigInt] Implement DFG/FTL typeof for BigInt
710         https://bugs.webkit.org/show_bug.cgi?id=192619
711
712         Reviewed by Keith Miller.
713
714         * stress/big-int-boolean-proven-type.js: Added.
715         (assert):
716         (bool):
717         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
718         (assert):
719         (typeOf):
720         (i.switch):
721         * stress/big-int-type-of-proven-type-non-constant.js: Added.
722         (assert):
723         (typeOf):
724         * stress/big-int-type-of.js:
725         (typeOf):
726         (func):
727
728 2018-12-10  Mark Lam  <mark.lam@apple.com>
729
730         PropertyAttribute needs a CustomValue bit.
731         https://bugs.webkit.org/show_bug.cgi?id=191993
732         <rdar://problem/46264467>
733
734         Reviewed by Saam Barati.
735
736         * stress/regress-191993.js: Added.
737
738 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
739
740         [BigInt] Add ValueMul into DFG
741         https://bugs.webkit.org/show_bug.cgi?id=186175
742
743         Reviewed by Yusuke Suzuki.
744
745         * stress/big-int-mul-jit-osr.js: Added.
746         * stress/big-int-mul-jit-untyped.js: Added.
747         * stress/value-mul-fixup-int32-big-int.js: Added.
748
749 2018-12-06  Keith Miller  <keith_miller@apple.com>
750
751         stress/big-wasm-memory tests failing on 32-bit JSC bot
752         https://bugs.webkit.org/show_bug.cgi?id=192020
753
754         Reviewed by Saam Barati.
755
756         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
757         the wasm stress tests if the WebAssembly object does not exist.
758
759         * stress/big-wasm-memory-grow-no-max.js:
760         (test.foo):
761         (test):
762         (foo): Deleted.
763         (catch): Deleted.
764         * stress/big-wasm-memory-grow.js:
765         (test.foo):
766         (test):
767         (foo): Deleted.
768         (catch): Deleted.
769         * stress/big-wasm-memory.js:
770         (test.foo):
771         (test):
772         (foo): Deleted.
773         (catch): Deleted.
774
775 2018-12-05  Mark Lam  <mark.lam@apple.com>
776
777         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
778         https://bugs.webkit.org/show_bug.cgi?id=192441
779         <rdar://problem/46480355>
780
781         Reviewed by Saam Barati.
782
783         * stress/regress-192441.js: Added.
784
785 2018-12-04  Mark Lam  <mark.lam@apple.com>
786
787         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
788         https://bugs.webkit.org/show_bug.cgi?id=192386
789         <rdar://problem/46445516>
790
791         Reviewed by Saam Barati.
792
793         * stress/regress-192386.js: Added.
794
795 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
796
797         [ESNext][BigInt] Support logic operations
798         https://bugs.webkit.org/show_bug.cgi?id=179903
799
800         Reviewed by Yusuke Suzuki.
801
802         * stress/big-int-branch-usage.js: Added.
803         * stress/big-int-logical-and.js: Added.
804         * stress/big-int-logical-not.js: Added.
805         * stress/big-int-logical-or.js: Added.
806
807 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
808
809         Unreviewed, rolling out r238833.
810
811         Breaks macOS and iOS debug builds.
812
813         Reverted changeset:
814
815         "[ESNext][BigInt] Support logic operations"
816         https://bugs.webkit.org/show_bug.cgi?id=179903
817         https://trac.webkit.org/changeset/238833
818
819 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
820
821         [ESNext][BigInt] Support logic operations
822         https://bugs.webkit.org/show_bug.cgi?id=179903
823
824         Reviewed by Yusuke Suzuki.
825
826         * stress/big-int-branch-usage.js: Added.
827         * stress/big-int-logical-and.js: Added.
828         * stress/big-int-logical-not.js: Added.
829         * stress/big-int-logical-or.js: Added.
830
831 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
832
833         [ESNext][BigInt] Implement support for "<<" and ">>"
834         https://bugs.webkit.org/show_bug.cgi?id=186233
835
836         Reviewed by Yusuke Suzuki.
837
838         * stress/big-int-left-shift-general.js: Added.
839         * stress/big-int-left-shift-range-error.js: Added.
840         * stress/big-int-left-shift-type-error.js: Added.
841         * stress/big-int-left-shift-wrapped-value.js: Added.
842         * stress/big-int-right-shift-general.js: Added.
843         * stress/big-int-right-shift-type-error.js: Added.
844         * stress/big-int-right-shift-wrapped-value.js: Added.
845         * stress/left-shift-to-primitive-precedence.js: Added.
846         * stress/right-shift-to-primitive-precedence.js: Added.
847
848 2018-11-30  Dean Jackson  <dino@apple.com>
849
850         Add first-class support for .mjs files in jsc binary
851         https://bugs.webkit.org/show_bug.cgi?id=192190
852         <rdar://problem/46375715>
853
854         Reviewed by Keith Miller.
855
856         * stress/simple-module.mjs: Added.
857         * stress/simple-script.js: Added.
858
859 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
860
861         [BigInt] Implement ValueBitXor into DFG
862         https://bugs.webkit.org/show_bug.cgi?id=190264
863
864         Reviewed by Yusuke Suzuki.
865
866         * stress/big-int-bitwise-xor-jit.js: Added.
867         * stress/big-int-bitwise-xor-memory-stress.js: Added.
868         * stress/big-int-bitwise-xor-untyped.js: Added.
869
870 2018-11-27  Saam barati  <sbarati@apple.com>
871
872         r238510 broke scopes of size zero
873         https://bugs.webkit.org/show_bug.cgi?id=192033
874         <rdar://problem/46281734>
875
876         Reviewed by Keith Miller.
877
878         * stress/r238510-bad-loop.js: Added.
879         (foo):
880
881 2018-11-27  Mark Lam  <mark.lam@apple.com>
882
883         [Re-landing] NaNs read from Wasm code needs to be be purified.
884         https://bugs.webkit.org/show_bug.cgi?id=191056
885         <rdar://problem/45660341>
886
887         Reviewed by Filip Pizlo.
888
889         * wasm/regress/regress-191056.js: Added.
890
891 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
892
893         Unreviewed, rolling out r238509.
894
895         Causes JSC tests to fail on iOS.
896
897         Reverted changeset:
898
899         "NaNs read from Wasm code needs to be be purified."
900         https://bugs.webkit.org/show_bug.cgi?id=191056
901         https://trac.webkit.org/changeset/238509
902
903 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
904
905         Re-introduce op_bitnot
906         https://bugs.webkit.org/show_bug.cgi?id=190923
907
908         Reviewed by Yusuke Suzuki.
909
910         * stress/bit-not-must-generate.js: Added.
911         * stress/bitwise-not-no-int32.js: Added.
912
913 2018-11-26  Saam barati  <sbarati@apple.com>
914
915         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
916         https://bugs.webkit.org/show_bug.cgi?id=191956
917         <rdar://problem/45665806>
918
919         Reviewed by Yusuke Suzuki.
920
921         * stress/end-basic-block-set-local-should-filter-type.js: Added.
922         (bar):
923         (foo):
924
925 2018-11-26  Saam barati  <sbarati@apple.com>
926
927         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
928         https://bugs.webkit.org/show_bug.cgi?id=191958
929         <rdar://problem/46221877>
930
931         Reviewed by Yusuke Suzuki.
932
933         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
934         (x):
935         (foo):
936
937 2018-11-26  Mark Lam  <mark.lam@apple.com>
938
939         NaNs read from Wasm code needs to be be purified.
940         https://bugs.webkit.org/show_bug.cgi?id=191056
941         <rdar://problem/45660341>
942
943         Reviewed by Filip Pizlo.
944
945         * wasm/regress/regress-191056.js: Added.
946
947 2018-11-26  Michael Saboff  <msaboff@apple.com>
948
949         32-bit JSC test failure: stress/regexp-compile-oom.js
950         https://bugs.webkit.org/show_bug.cgi?id=191375
951
952         Reviewed by Mark Lam.
953
954         Disabled the test for 32 bit platforms.
955
956         * stress/regexp-compile-oom.js:
957
958 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
959
960         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
961         https://bugs.webkit.org/show_bug.cgi?id=191716
962         <rdar://problem/45723878>
963
964         Reviewed by Saam Barati.
965
966         * stress/regress-187373.js: Added.
967         (async.fn):
968
969 2018-11-21  Saam barati  <sbarati@apple.com>
970
971         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
972         https://bugs.webkit.org/show_bug.cgi?id=191897
973         <rdar://problem/45871998>
974
975         Reviewed by Mark Lam.
976
977         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
978         (bar):
979         (foo):
980
981 2018-11-21  Saam barati  <sbarati@apple.com>
982
983         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
984         https://bugs.webkit.org/show_bug.cgi?id=191895
985         <rdar://problem/46167406>
986
987         Reviewed by Mark Lam.
988
989         * stress/known-cell-use-needs-type-check-assertion.js: Added.
990         (foo):
991         (bar):
992
993 2018-11-21  Mark Lam  <mark.lam@apple.com>
994
995         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
996         https://bugs.webkit.org/show_bug.cgi?id=191776
997         <rdar://problem/46152851>
998
999         Reviewed by Saam Barati.
1000
1001         * stress/big-wasm-memory-grow-no-max.js:
1002         * stress/big-wasm-memory-grow.js:
1003         * stress/big-wasm-memory.js:
1004         - updated these to expect an OutOfMemoryError.
1005
1006         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1007         (Binary.prototype.emit_u8):
1008         (Binary.prototype.emit_u32v):
1009         (Binary.prototype.emit_header):
1010         (Binary.prototype.emit_section):
1011         (Binary):
1012         (WasmModuleBuilder):
1013         (WasmModuleBuilder.prototype.addMemory):
1014         (WasmModuleBuilder.prototype.toArray):
1015         (WasmModuleBuilder.prototype.toBuffer):
1016         (WasmModuleBuilder.prototype.instantiate):
1017         (catch):
1018         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1019         (catch):
1020
1021 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1022
1023         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1024         https://bugs.webkit.org/show_bug.cgi?id=190836
1025
1026         Reviewed by Saam Barati and Yusuke Suzuki.
1027
1028         * stress/big-int-out-of-memory-tests.js: Added.
1029
1030 2018-11-20  Mark Lam  <mark.lam@apple.com>
1031
1032         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1033         https://bugs.webkit.org/show_bug.cgi?id=191856
1034         <rdar://problem/46089992>
1035
1036         Reviewed by Yusuke Suzuki.
1037
1038         * stress/regress-191856.js: Added.
1039         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1040
1041 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1042
1043         Enable JIT on ARM/Linux
1044         https://bugs.webkit.org/show_bug.cgi?id=191548
1045
1046         Reviewed by Yusuke Suzuki.
1047
1048         Disable test on system with limited memory. Program was killed by
1049         the OS before the exception was thrown.
1050
1051         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1052
1053 2018-11-20  Saam barati  <sbarati@apple.com>
1054
1055         Merging an IC variant may lead to the IC status containing overlapping structure sets
1056         https://bugs.webkit.org/show_bug.cgi?id=191869
1057         <rdar://problem/45403453>
1058
1059         Reviewed by Mark Lam.
1060
1061         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1062
1063 2018-11-19  Mark Lam  <mark.lam@apple.com>
1064
1065         globalFuncImportModule() should return a promise when it clears exceptions.
1066         https://bugs.webkit.org/show_bug.cgi?id=191792
1067         <rdar://problem/46090763>
1068
1069         Reviewed by Michael Saboff.
1070
1071         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1072
1073 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1074
1075         Skip new memory-hungry tests on memory limited devices
1076
1077         Unreviewed gardening.
1078
1079         * stress/big-wasm-memory-grow-no-max.js:
1080         * stress/big-wasm-memory-grow.js:
1081         * stress/big-wasm-memory.js:
1082
1083 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1084
1085         Unreviewed, rolling in the rest of r237254
1086         https://bugs.webkit.org/show_bug.cgi?id=190340
1087
1088         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1089         * stress/function-cache-with-parameters-end-position.js: Added.
1090         (shouldBe):
1091         (shouldThrow):
1092         (i.anonymous):
1093         * stress/function-constructor-name.js: Added.
1094         (shouldBe):
1095         (GeneratorFunction):
1096         (AsyncFunction.async):
1097         (AsyncGeneratorFunction.async):
1098         (anonymous):
1099         (async.anonymous):
1100         * test262/expectations.yaml:
1101
1102 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1103
1104         All users of ArrayBuffer should agree on the same max size
1105         https://bugs.webkit.org/show_bug.cgi?id=191771
1106
1107         Reviewed by Mark Lam.
1108
1109         * stress/big-wasm-memory-grow-no-max.js: Added.
1110         (foo):
1111         (catch):
1112         * stress/big-wasm-memory-grow.js: Added.
1113         (foo):
1114         (catch):
1115         * stress/big-wasm-memory.js: Added.
1116         (foo):
1117         (catch):
1118
1119 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1120
1121         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1122         run for each JSC config since they're regression tests for runtime bugs.
1123
1124         * stress/json-stringified-overflow-2.js:
1125         * stress/json-stringified-overflow.js:
1126
1127 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1128
1129         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1130         config since they're regression tests for runtime bugs.
1131
1132         * stress/large-unshift-splice.js:
1133         * stress/regress-185888.js:
1134
1135 2018-11-16  Saam Barati  <sbarati@apple.com>
1136
1137         KnownCellUse should also have SpecCellCheck as its type filter
1138         https://bugs.webkit.org/show_bug.cgi?id=191729
1139         <rdar://problem/45872852>
1140
1141         Reviewed by Filip Pizlo.
1142
1143         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1144         (C):
1145
1146 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1147
1148         Fix assertion failure on BytecodeGenerator::recordOpcode
1149         https://bugs.webkit.org/show_bug.cgi?id=191724
1150         <rdar://problem/45724395>
1151
1152         Reviewed by Saam Barati.
1153
1154         * stress/regress-187373-2.js: Added.
1155         (foo):
1156
1157 2018-11-15  Mark Lam  <mark.lam@apple.com>
1158
1159         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1160         https://bugs.webkit.org/show_bug.cgi?id=191730
1161         <rdar://problem/46048517>
1162
1163         Reviewed by Saam Barati.
1164
1165         * stress/regress-187006.js: Removed.
1166           - this test is invalid because its sole purpose is to test for the non-spec
1167             compliant behavior that we just fixed.
1168
1169         * stress/regress-191730.js: Added.
1170
1171 2018-11-15  Mark Lam  <mark.lam@apple.com>
1172
1173         RegExp operations should not take fast patch if lastIndex is not numeric.
1174         https://bugs.webkit.org/show_bug.cgi?id=191731
1175         <rdar://problem/46017305>
1176
1177         Reviewed by Saam Barati.
1178
1179         * stress/regress-191731.js: Added.
1180
1181 2018-11-13  Saam Barati  <sbarati@apple.com>
1182
1183         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1184         https://bugs.webkit.org/show_bug.cgi?id=191600
1185
1186         Reviewed by Mark Lam.
1187
1188         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1189         (foo):
1190         (test):
1191         (bar):
1192
1193 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1194
1195         Unreviewed, rolling out r238132.
1196
1197         The test added with this change is timing out on Debug JSC
1198         bots.
1199
1200         Reverted changeset:
1201
1202         "[BigInt] JSBigInt::createWithLength should throw when length
1203         is greater than JSBigInt::maxLength"
1204         https://bugs.webkit.org/show_bug.cgi?id=190836
1205         https://trac.webkit.org/changeset/238132
1206
1207 2018-11-13  Mark Lam  <mark.lam@apple.com>
1208
1209         Add OOM detection to StringPrototype's substituteBackreferences().
1210         https://bugs.webkit.org/show_bug.cgi?id=191563
1211         <rdar://problem/45720428>
1212
1213         Reviewed by Saam Barati.
1214
1215         * stress/regress-191563.js: Added.
1216
1217 2018-11-13  Mark Lam  <mark.lam@apple.com>
1218
1219         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1220         https://bugs.webkit.org/show_bug.cgi?id=191579
1221         <rdar://problem/45942472>
1222
1223         Reviewed by Saam Barati.
1224
1225         * stress/regress-191579.js: Added.
1226
1227 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1228
1229         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1230         https://bugs.webkit.org/show_bug.cgi?id=190836
1231
1232         Reviewed by Saam Barati.
1233
1234         * stress/big-int-out-of-memory-tests.js: Added.
1235
1236 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1237
1238         U+180E is no longer a whitespace character
1239         https://bugs.webkit.org/show_bug.cgi?id=191415
1240
1241         Reviewed by Saam Barati.
1242
1243         * ChakraCore/test/es5/regexSpace.baseline:
1244         * ChakraCore/test/es6/unicode_whitespace.js:
1245         Update tests to latest version.
1246         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1247
1248         * test262.yaml:
1249         * test262/config.yaml:
1250         * test262/expectations.yaml:
1251         Update expectations.
1252
1253 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1254
1255         [BigInt] Add support to BigInt into ValueAdd
1256         https://bugs.webkit.org/show_bug.cgi?id=186177
1257
1258         Reviewed by Keith Miller.
1259
1260         * stress/big-int-negate-jit.js:
1261         * stress/value-add-big-int-and-string.js: Added.
1262         * stress/value-add-big-int-prediction-propagation.js: Added.
1263         * stress/value-add-big-int-untyped.js: Added.
1264
1265 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1266
1267         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1268         https://bugs.webkit.org/show_bug.cgi?id=191184
1269
1270         Reviewed by Saam Barati.
1271
1272         Most tests were failing due to timeouts, since they are too slow to
1273         run on CLoop. The exceptions are:
1274
1275         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1276         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1277         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1278         to change the stack size since CLoop requires it to be page aligned.
1279
1280         * microbenchmarks/array-push-1.js:
1281         * microbenchmarks/array-push-2.js:
1282         * microbenchmarks/elidable-new-object-dag.js:
1283         * microbenchmarks/elidable-new-object-roflcopter.js:
1284         * microbenchmarks/elidable-new-object-tree.js:
1285         * microbenchmarks/getter-richards.js:
1286         * microbenchmarks/sinkable-new-object-dag.js:
1287         * microbenchmarks/string-concat-long-convert.js:
1288         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1289         * slowMicrobenchmarks/array-push-3.js:
1290         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1291         * slowMicrobenchmarks/spread-small-array.js:
1292         * slowMicrobenchmarks/undefined-property-access.js:
1293         * stress/activation-sink-default-value-tdz-error.js:
1294         * stress/activation-sink-default-value.js:
1295         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1296         * stress/activation-sink-osrexit-default-value.js:
1297         * stress/activation-sink-osrexit.js:
1298         * stress/activation-sink.js:
1299         * stress/allow-math-ic-b3-code-duplication.js:
1300         * stress/array-push-multiple-int32.js:
1301         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1302         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1303         * stress/arrowfunction-lexical-this-activation-sink.js:
1304         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1305         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1306         * stress/elide-new-object-dag-then-exit.js:
1307         * stress/materialize-regexp-cyclic.js:
1308         * stress/new-regex-inline.js:
1309         * stress/op_add.js:
1310         * stress/op_bitand.js:
1311         * stress/op_bitor.js:
1312         * stress/op_bitxor.js:
1313         * stress/op_div-ConstVar.js:
1314         * stress/op_div-VarConst.js:
1315         * stress/op_div-VarVar.js:
1316         * stress/op_lshift-ConstVar.js:
1317         * stress/op_lshift-VarConst.js:
1318         * stress/op_lshift-VarVar.js:
1319         * stress/op_mod-ConstVar.js:
1320         * stress/op_mod-VarConst.js:
1321         * stress/op_mod-VarVar.js:
1322         * stress/op_mul-ConstVar.js:
1323         * stress/op_mul-VarConst.js:
1324         * stress/op_mul-VarVar.js:
1325         * stress/op_rshift-ConstVar.js:
1326         * stress/op_rshift-VarConst.js:
1327         * stress/op_rshift-VarVar.js:
1328         * stress/op_sub-ConstVar.js:
1329         * stress/op_sub-VarConst.js:
1330         * stress/op_sub-VarVar.js:
1331         * stress/op_urshift-ConstVar.js:
1332         * stress/op_urshift-VarConst.js:
1333         * stress/op_urshift-VarVar.js:
1334         * stress/proxy-get-set-correct-receiver.js:
1335         * stress/regress-179562.js:
1336         * stress/rest-parameter-many-arguments.js:
1337         * stress/sampling-profiler-richards.js:
1338         * stress/splay-flash-access-1ms.js:
1339         * stress/tailCallForwardArguments.js:
1340         * stress/typed-array-get-by-val-profiling.js:
1341         * typeProfiler/getter-richards.js:
1342
1343 2018-11-06  Michael Saboff  <msaboff@apple.com>
1344
1345         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1346         https://bugs.webkit.org/show_bug.cgi?id=191271
1347
1348         Reviewed by Saam Barati.
1349
1350         Added more test cases and made all test cases run with the same deeply recursive stack
1351         instead of finding that same point for each test case.
1352
1353         * stress/regexp-compile-oom.js:
1354         (prototype.runTest):
1355         (recurseAndTest):
1356         (testList.push.new.TestAndExpectedException):
1357
1358 2018-11-05  Michael Saboff  <msaboff@apple.com>
1359
1360         Unreviewed build fix for linux.
1361
1362         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1363
1364 2018-11-02  Michael Saboff  <msaboff@apple.com>
1365
1366         Rolling in r237753 with unreviewed build fix.
1367
1368         Fixed issues with DECLARE_THROW_SCOPE placement.
1369
1370 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1371
1372         Unreviewed, rolling out r237753.
1373
1374         Introduced JSC test failures
1375
1376         Reverted changeset:
1377
1378         "Running out of stack space not properly handled in
1379         RegExp::compile() and its callers"
1380         https://bugs.webkit.org/show_bug.cgi?id=191206
1381         https://trac.webkit.org/changeset/237753
1382
1383 2018-11-02  Michael Saboff  <msaboff@apple.com>
1384
1385         Running out of stack space not properly handled in RegExp::compile() and its callers
1386         https://bugs.webkit.org/show_bug.cgi?id=191206
1387
1388         Reviewed by Filip Pizlo.
1389
1390         New regression test.
1391
1392         * stress/regexp-compile-oom.js: Added.
1393         (recurseAndTest):
1394
1395 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1396
1397         Skip tests on arm/mips that time out now we're running on CLoop
1398
1399         Unreviewed gardening.
1400
1401         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1402         time out on the bots and need to be disabled. There's more tests
1403         disabled on arm because the timeout is longer on the mips bot (as the
1404         device is slower to start with), so many of the tests don't time out
1405         there.
1406
1407         * microbenchmarks/getter-richards.js: disable on arm and mips.
1408         * stress/op_add.js: disable on arm.
1409         * stress/op_bitand.js: disable on arm.
1410         * stress/op_bitor.js: disable on arm.
1411         * stress/op_bitxor.js: disable on arm.
1412         * stress/op_lshift-ConstVar.js: disable on arm.
1413         * stress/op_lshift-VarConst.js: disable on arm.
1414         * stress/op_lshift-VarVar.js: disable on arm.
1415         * stress/op_mod-ConstVar.js: disable on arm.
1416         * stress/op_mod-VarConst.js: disable on arm.
1417         * stress/op_mod-VarVar.js: disable on arm.
1418         * stress/op_mul-ConstVar.js: disable on arm.
1419         * stress/op_mul-VarConst.js: disable on arm.
1420         * stress/op_mul-VarVar.js: disable on arm.
1421         * stress/op_rshift-ConstVar.js: disable on arm.
1422         * stress/op_rshift-VarConst.js: disable on arm.
1423         * stress/op_rshift-VarVar.js: disable on arm.
1424         * stress/op_sub-ConstVar.js: disable on arm.
1425         * stress/op_sub-VarConst.js: disable on arm.
1426         * stress/op_sub-VarVar.js: disable on arm.
1427         * stress/op_urshift-ConstVar.js: disable on arm.
1428         * stress/op_urshift-VarConst.js: disable on arm.
1429         * stress/op_urshift-VarVar.js: disable on arm.
1430         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1431         * stress/value-to-boolean.js: disable on arm and mips.
1432
1433 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1434
1435         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1436         https://bugs.webkit.org/show_bug.cgi?id=191108
1437         <rdar://problem/45690700>
1438
1439         Reviewed by Saam Barati.
1440
1441         * stress/wide-op_catch.js: Added.
1442         (catch):
1443
1444 2018-10-29  Mark Lam  <mark.lam@apple.com>
1445
1446         Correctly detect string overflow when using the 'Function' constructor.
1447         https://bugs.webkit.org/show_bug.cgi?id=184883
1448         <rdar://problem/36320331>
1449
1450         Reviewed by Saam Barati.
1451
1452         I've verified that this passes on 32-bit as well.
1453
1454         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1455
1456 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1457
1458         Add support for GetStack FlushedDouble
1459         https://bugs.webkit.org/show_bug.cgi?id=191012
1460         <rdar://problem/45265141>
1461
1462         Reviewed by Saam Barati.
1463
1464         * stress/get-stack-double.js: Added.
1465         (bar):
1466         (noInline):
1467
1468 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1469
1470         New bytecode format for JSC
1471         https://bugs.webkit.org/show_bug.cgi?id=187373
1472         <rdar://problem/44186758>
1473
1474         Reviewed by Filip Pizlo.
1475
1476         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1477
1478         * stress/maximum-inline-capacity.js: Added.
1479         (test1):
1480         (test3.Foo):
1481         (test3):
1482
1483 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1484
1485         Unreviewed, rolling out r237479 and r237484.
1486         https://bugs.webkit.org/show_bug.cgi?id=190978
1487
1488         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1489
1490         Reverted changesets:
1491
1492         "New bytecode format for JSC"
1493         https://bugs.webkit.org/show_bug.cgi?id=187373
1494         https://trac.webkit.org/changeset/237479
1495
1496         "Gardening: Build fix after r237479."
1497         https://bugs.webkit.org/show_bug.cgi?id=187373
1498         https://trac.webkit.org/changeset/237484
1499
1500 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1501
1502         New bytecode format for JSC
1503         https://bugs.webkit.org/show_bug.cgi?id=187373
1504         <rdar://problem/44186758>
1505
1506         Reviewed by Filip Pizlo.
1507
1508         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1509
1510         * stress/maximum-inline-capacity.js: Added.
1511         (test1):
1512         (test3.Foo):
1513         (test3):
1514
1515 2018-10-26  Mark Lam  <mark.lam@apple.com>
1516
1517         Fix missing edge cases with JSGlobalObjects having a bad time.
1518         https://bugs.webkit.org/show_bug.cgi?id=189028
1519         <rdar://problem/45204939>
1520
1521         Reviewed by Saam Barati.
1522
1523         * stress/regress-189028.js: Added.
1524
1525 2018-10-22  Mark Lam  <mark.lam@apple.com>
1526
1527         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1528         https://bugs.webkit.org/show_bug.cgi?id=190515
1529         <rdar://problem/45222379>
1530
1531         Rubber-stamped by Saam Barati.
1532
1533         Adding another test.
1534
1535         * stress/regress-190515-2.js: Added.
1536
1537 2018-10-22  Mark Lam  <mark.lam@apple.com>
1538
1539         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1540         https://bugs.webkit.org/show_bug.cgi?id=190515
1541         <rdar://problem/45222379>
1542
1543         Reviewed by Saam Barati.
1544
1545         * stress/regress-190515.js: Added.
1546
1547 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1548
1549         Unreviewed, rolling out r237254.
1550         https://bugs.webkit.org/show_bug.cgi?id=190760
1551
1552         "It regresses JetStream 2 by 5% on some iOS devices"
1553         (Requested by saamyjoon on #webkit).
1554
1555         Reverted changeset:
1556
1557         "[JSC] JSC should have "parseFunction" to optimize Function
1558         constructor"
1559         https://bugs.webkit.org/show_bug.cgi?id=190340
1560         https://trac.webkit.org/changeset/237254
1561
1562 2018-10-19  Saam Barati  <sbarati@apple.com>
1563
1564         vmCall should check if we exit before emitting an OSR exit due to exceptions
1565         https://bugs.webkit.org/show_bug.cgi?id=190740
1566         <rdar://problem/45220139>
1567
1568         Reviewed by Mark Lam.
1569
1570         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1571         (foo):
1572
1573 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1574
1575         [ESNext][BigInt] Implement support for "^"
1576         https://bugs.webkit.org/show_bug.cgi?id=186235
1577
1578         Reviewed by Yusuke Suzuki.
1579
1580         * stress/big-int-bitwise-xor-general.js: Added.
1581         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1582         * stress/big-int-bitwise-xor-type-error.js: Added.
1583         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1584
1585 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1586
1587         [BigInt] Add ValueSub into DFG
1588         https://bugs.webkit.org/show_bug.cgi?id=186176
1589
1590         Reviewed by Yusuke Suzuki.
1591
1592         * stress/big-int-subtraction-jit.js:
1593         * stress/value-sub-big-int-prediction-propagation.js: Added.
1594         * stress/value-sub-big-int-untyped.js: Added.
1595         * stress/value-sub-spec-none-case.js: Added.
1596
1597 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1598
1599         [JSC] JSC should have "parseFunction" to optimize Function constructor
1600         https://bugs.webkit.org/show_bug.cgi?id=190340
1601
1602         Reviewed by Mark Lam.
1603
1604         This patch fixes the line number of syntax errors raised by the Function constructor,
1605         since we now parse the final code only once. And we no longer use block statement
1606         for Function constructor's parsing.
1607
1608         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1609         * stress/function-cache-with-parameters-end-position.js: Added.
1610         (shouldBe):
1611         (shouldThrow):
1612         (i.anonymous):
1613         * stress/function-constructor-name.js: Added.
1614         (shouldBe):
1615         (GeneratorFunction):
1616         (AsyncFunction.async):
1617         (AsyncGeneratorFunction.async):
1618         (anonymous):
1619         (async.anonymous):
1620         * test262/expectations.yaml:
1621
1622 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1623
1624         Unreviewed, rolling out r237242.
1625         https://bugs.webkit.org/show_bug.cgi?id=190701
1626
1627         it breaks "stress/sampling-profiler-basic.js" (Requested by
1628         caiolima on #webkit).
1629
1630         Reverted changeset:
1631
1632         "[BigInt] Add ValueSub into DFG"
1633         https://bugs.webkit.org/show_bug.cgi?id=186176
1634         https://trac.webkit.org/changeset/237242
1635
1636 2018-10-17  Keith Miller  <keith_miller@apple.com>
1637
1638         AI does not clear Phantom allocation nodes.
1639         https://bugs.webkit.org/show_bug.cgi?id=190694
1640
1641         Reviewed by Saam Barati.
1642
1643         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1644         (Day):
1645         (DaysInYear):
1646         (TimeInYear):
1647         (TimeFromYear):
1648         (DayFromYear):
1649         (InLeapYear):
1650         (YearFromTime):
1651         (WeekDay):
1652         (DaylightSavingTA):
1653         (GetSecondSundayInMarch):
1654         (TimeInMonth):
1655
1656 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1657
1658         [BigInt] Add ValueSub into DFG
1659         https://bugs.webkit.org/show_bug.cgi?id=186176
1660
1661         Reviewed by Yusuke Suzuki.
1662
1663         * stress/big-int-subtraction-jit.js:
1664         * stress/value-sub-big-int-prediction-propagation.js: Added.
1665         * stress/value-sub-big-int-untyped.js: Added.
1666
1667 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1668
1669         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1670         https://bugs.webkit.org/show_bug.cgi?id=190611
1671
1672         Reviewed by Saam Barati.
1673
1674         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1675         to improve test runtime. On ARM/MIPS this test even timed out when running all
1676         tests.
1677
1678         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1679         (test):
1680
1681 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1682
1683         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1684
1685         Unreviewed gardening.
1686
1687         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1688
1689 2018-10-15  Saam barati  <sbarati@apple.com>
1690
1691         Emit fjcvtzs on ARM64E on Darwin
1692         https://bugs.webkit.org/show_bug.cgi?id=184023
1693
1694         Reviewed by Yusuke Suzuki and Filip Pizlo.
1695
1696         * stress/double-to-int32-NaN.js: Added.
1697         (assert):
1698         (foo):
1699
1700 2018-10-15  Saam Barati  <sbarati@apple.com>
1701
1702         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1703         https://bugs.webkit.org/show_bug.cgi?id=190262
1704         <rdar://problem/44986241>
1705
1706         Reviewed by Mark Lam.
1707
1708         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1709         (test):
1710         * stress/slice-array-storage-with-holes.js: Added.
1711         (main):
1712
1713 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1714
1715         Unreviewed, rolling out r237054.
1716         https://bugs.webkit.org/show_bug.cgi?id=190593
1717
1718         "this regressed JetStream 2 by 6% on iOS" (Requested by
1719         saamyjoon on #webkit).
1720
1721         Reverted changeset:
1722
1723         "[JSC] JSC should have "parseFunction" to optimize Function
1724         constructor"
1725         https://bugs.webkit.org/show_bug.cgi?id=190340
1726         https://trac.webkit.org/changeset/237054
1727
1728 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1729
1730         [JSC] JSON.stringify can accept call-with-no-arguments
1731         https://bugs.webkit.org/show_bug.cgi?id=190343
1732
1733         Reviewed by Mark Lam.
1734
1735         * stress/json-stringify-no-arguments.js: Added.
1736         (shouldBe):
1737
1738 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1739
1740         [JSC] JSC should have "parseFunction" to optimize Function constructor
1741         https://bugs.webkit.org/show_bug.cgi?id=190340
1742
1743         Reviewed by Mark Lam.
1744
1745         This patch fixes the line number of syntax errors raised by the Function constructor,
1746         since we now parse the final code only once. And we no longer use block statement
1747         for Function constructor's parsing.
1748
1749         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1750         * stress/function-cache-with-parameters-end-position.js: Added.
1751         (shouldBe):
1752         (shouldThrow):
1753         (i.anonymous):
1754         * stress/function-constructor-name.js: Added.
1755         (shouldBe):
1756         (GeneratorFunction):
1757         (AsyncFunction.async):
1758         (AsyncGeneratorFunction.async):
1759         (anonymous):
1760         (async.anonymous):
1761         * test262/expectations.yaml:
1762
1763 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1764
1765         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1766         https://bugs.webkit.org/show_bug.cgi?id=190426
1767
1768         Unreviewed gardening.
1769
1770         * stress/sampling-profiler-richards.js:
1771
1772 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1773
1774         [ESNext][BigInt] Implement support for "|"
1775         https://bugs.webkit.org/show_bug.cgi?id=186229
1776
1777         Reviewed by Yusuke Suzuki.
1778
1779         * stress/big-int-bitwise-and-jit.js:
1780         * stress/big-int-bitwise-or-general.js: Added.
1781         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1782         * stress/big-int-bitwise-or-jit.js: Added.
1783         * stress/big-int-bitwise-or-memory-stress.js: Added.
1784         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1785         * stress/big-int-bitwise-or-type-error.js: Added.
1786         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1787
1788 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1789
1790         Skip test on systems with limited memory
1791         https://bugs.webkit.org/show_bug.cgi?id=190310
1792
1793         Invoking runDefault adds test to runlist, skipping the test in the next
1794         line does not prevent the test from executing. Change order of lines such
1795         that runDefault is only executed if test is not executed.
1796
1797         Reviewed by Mark Lam.
1798
1799         * stress/regress-190187.js:
1800
1801 2018-10-03  Saam barati  <sbarati@apple.com>
1802
1803         lowXYZ in FTLLower should always filter the type of the incoming edge
1804         https://bugs.webkit.org/show_bug.cgi?id=189939
1805         <rdar://problem/44407030>
1806
1807         Reviewed by Michael Saboff.
1808
1809         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1810         (foo):
1811         (test):
1812
1813 2018-10-03  Mark Lam  <mark.lam@apple.com>
1814
1815         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1816         https://bugs.webkit.org/show_bug.cgi?id=190187
1817         <rdar://problem/42512909>
1818
1819         Reviewed by Michael Saboff.
1820
1821         * stress/regress-190187.js: Added.
1822
1823 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1824
1825         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1826         https://bugs.webkit.org/show_bug.cgi?id=190033
1827
1828         Reviewed by Yusuke Suzuki.
1829
1830         * stress/big-int-to-string.js:
1831
1832 2018-10-01  Mark Lam  <mark.lam@apple.com>
1833
1834         Function.toString() should also copy the source code Functions that are class definitions.
1835         https://bugs.webkit.org/show_bug.cgi?id=190186
1836         <rdar://problem/44733360>
1837
1838         Reviewed by Saam Barati.
1839
1840         * stress/regress-190186.js: Added.
1841
1842 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1843
1844         Split NaN-check into separate test
1845         https://bugs.webkit.org/show_bug.cgi?id=190010
1846
1847         Reviewed by Saam Barati.
1848
1849         DataView exposes NaN-representation, which is not necessarily the same on each
1850         architecture. Therefore move the check of the NaN-representation into its own
1851         file such that we can disable this test on MIPS where NaN-representation can be
1852         different on older CPUs.
1853
1854         * stress/dataview-jit-set-nan.js: Added.
1855         (assert):
1856         (test.storeLittleEndian):
1857         (test.storeBigEndian):
1858         (test.store):
1859         (test):
1860         * stress/dataview-jit-set.js:
1861         (test5):
1862
1863 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1864
1865         Unreviewed, rolling out r236647.
1866         https://bugs.webkit.org/show_bug.cgi?id=190124
1867
1868         Breaking test stress/big-int-to-string.js (Requested by
1869         caiolima_ on #webkit).
1870
1871         Reverted changeset:
1872
1873         "[BigInt] BigInt.proptotype.toString is broken when radix is
1874         power of 2"
1875         https://bugs.webkit.org/show_bug.cgi?id=190033
1876         https://trac.webkit.org/changeset/236647
1877
1878 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1879
1880         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1881         https://bugs.webkit.org/show_bug.cgi?id=190033
1882
1883         Reviewed by Yusuke Suzuki.
1884
1885         * stress/big-int-to-string.js:
1886
1887 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1888
1889         [ESNext][BigInt] Implement support for "&"
1890         https://bugs.webkit.org/show_bug.cgi?id=186228
1891
1892         Reviewed by Yusuke Suzuki.
1893
1894         * stress/big-int-bitwise-and-general.js: Added.
1895         (assert):
1896         (assert.sameValue):
1897         * stress/big-int-bitwise-and-jit.js: Added.
1898         (let.assert.sameValue):
1899         (bigIntBitAnd):
1900         * stress/big-int-bitwise-and-memory-stress.js: Added.
1901         (assert):
1902         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1903         (assert.sameValue):
1904         (let.o.Symbol.toPrimitive):
1905         (catch):
1906         * stress/big-int-bitwise-and-type-error.js: Added.
1907         (assert):
1908         (assertThrowTypeError):
1909         (let.o.valueOf):
1910         (o.valueOf):
1911         (o.toString):
1912         (o.Symbol.toPrimitive):
1913         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1914         (assert.sameValue):
1915         (testBitAnd):
1916         (let.o.Symbol.toPrimitive):
1917         (o.valueOf):
1918         (o.toString):
1919
1920 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1921
1922         JSC test stress/jsc-read.js doesn't support CRLF
1923         https://bugs.webkit.org/show_bug.cgi?id=190063
1924
1925         Reviewed by Yusuke Suzuki.
1926
1927         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1928
1929         * stress/jsc-read.js:
1930         (test):
1931
1932 2018-09-27  Saam barati  <sbarati@apple.com>
1933
1934         Verify the contents of AssemblerBuffer on arm64e
1935         https://bugs.webkit.org/show_bug.cgi?id=190057
1936         <rdar://problem/38916630>
1937
1938         Reviewed by Mark Lam.
1939
1940         * stress/regress-189132.js:
1941
1942 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1943
1944         Disable test without LLInt on ARMv7
1945         https://bugs.webkit.org/show_bug.cgi?id=190037
1946
1947         Reviewed by Mark Lam.
1948
1949         Test runs out of executable memory on ARMv7, do not run
1950         this test without LLInt enabled.
1951
1952         * stress/regress-169445.js:
1953
1954 2018-09-26  Keith Miller  <keith_miller@apple.com>
1955
1956         We should zero unused property storage when rebalancing array storage.
1957         https://bugs.webkit.org/show_bug.cgi?id=188151
1958
1959         Reviewed by Michael Saboff.
1960
1961         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1962
1963 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1964
1965         [JSC] Optimize Array#lastIndexOf
1966         https://bugs.webkit.org/show_bug.cgi?id=189780
1967
1968         Reviewed by Saam Barati.
1969
1970         * stress/array-lastindexof-array-prototype-trap.js: Added.
1971         (shouldBe):
1972         (AncestorArray.prototype.get 2):
1973         (AncestorArray):
1974         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1975         (shouldBe):
1976         * stress/array-lastindexof-hole-nan.js: Added.
1977         (shouldBe):
1978         (throw.new.Error):
1979         * stress/array-lastindexof-infinity.js: Added.
1980         (shouldBe):
1981         (throw.new.Error):
1982         * stress/array-lastindexof-negative-zero.js: Added.
1983         (shouldBe):
1984         (throw.new.Error):
1985         * stress/array-lastindexof-own-getter.js: Added.
1986         (shouldBe):
1987         (throw.new.Error.get array):
1988         (get array):
1989         * stress/array-lastindexof-prototype-trap.js: Added.
1990         (shouldBe):
1991         (DerivedArray.prototype.get 2):
1992         (DerivedArray):
1993
1994 2018-09-25  Saam Barati  <sbarati@apple.com>
1995
1996         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1997         https://bugs.webkit.org/show_bug.cgi?id=189940
1998         <rdar://problem/43640987>
1999
2000         Reviewed by Mark Lam.
2001
2002         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2003
2004 2018-09-24  Saam Barati  <sbarati@apple.com>
2005
2006         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2007         https://bugs.webkit.org/show_bug.cgi?id=189922
2008         <rdar://problem/44651275>
2009
2010         Reviewed by Mark Lam.
2011
2012         * stress/array-indexof-fast-path-effects.js: Added.
2013         * stress/array-indexof-cached-length.js: Added.
2014
2015 2018-09-24  Saam barati  <sbarati@apple.com>
2016
2017         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2018         https://bugs.webkit.org/show_bug.cgi?id=189682
2019         <rdar://problem/43557315>
2020
2021         Reviewed by Mark Lam.
2022
2023         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2024         (foo):
2025
2026 2018-09-22  Saam barati  <sbarati@apple.com>
2027
2028         The sampling should not use Strong<CodeBlock> in its machineLocation field
2029         https://bugs.webkit.org/show_bug.cgi?id=189319
2030
2031         Reviewed by Filip Pizlo.
2032
2033         * stress/sampling-profiler-richards.js: Added.
2034
2035 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2036
2037         [JSC] Optimize Array#indexOf in C++ runtime
2038         https://bugs.webkit.org/show_bug.cgi?id=189507
2039
2040         Reviewed by Saam Barati.
2041
2042         * stress/array-indexof-array-prototype-trap.js: Added.
2043         (shouldBe):
2044         (AncestorArray.prototype.get 2):
2045         (AncestorArray):
2046         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2047         (shouldBe):
2048         * stress/array-indexof-hole-nan.js: Added.
2049         (shouldBe):
2050         (throw.new.Error):
2051         * stress/array-indexof-infinity.js: Added.
2052         (shouldBe):
2053         (throw.new.Error):
2054         * stress/array-indexof-negative-zero.js: Added.
2055         (shouldBe):
2056         (throw.new.Error):
2057         * stress/array-indexof-own-getter.js: Added.
2058         (shouldBe):
2059         (throw.new.Error.get array):
2060         (get array):
2061         * stress/array-indexof-prototype-trap.js: Added.
2062         (shouldBe):
2063         (DerivedArray.prototype.get 2):
2064         (DerivedArray):
2065
2066 2018-09-19  Saam barati  <sbarati@apple.com>
2067
2068         AI rule for MultiPutByOffset executes its effects in the wrong order
2069         https://bugs.webkit.org/show_bug.cgi?id=189757
2070         <rdar://problem/43535257>
2071
2072         Reviewed by Michael Saboff.
2073
2074         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2075         (foo):
2076         (Foo):
2077         (g):
2078
2079 2018-09-17  Mark Lam  <mark.lam@apple.com>
2080
2081         Ensure that ForInContexts are invalidated if their loop local is over-written.
2082         https://bugs.webkit.org/show_bug.cgi?id=189571
2083         <rdar://problem/44402277>
2084
2085         Reviewed by Saam Barati.
2086
2087         * stress/regress-189571.js: Added.
2088
2089 2018-09-17  Saam barati  <sbarati@apple.com>
2090
2091         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2092         https://bugs.webkit.org/show_bug.cgi?id=189676
2093         <rdar://problem/39682897>
2094
2095         Reviewed by Michael Saboff.
2096
2097         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2098         (A):
2099         (K):
2100         (i.catch):
2101
2102 2018-09-14  Saam barati  <sbarati@apple.com>
2103
2104         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2105         https://bugs.webkit.org/show_bug.cgi?id=189628
2106         <rdar://problem/39481690>
2107
2108         Reviewed by Mark Lam.
2109
2110         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2111         (foo):
2112
2113 2018-09-11  Mark Lam  <mark.lam@apple.com>
2114
2115         Test for array initialization in arrayProtoFuncSplice.
2116         https://bugs.webkit.org/show_bug.cgi?id=170253
2117         <rdar://problem/31328773>
2118
2119         Rubber-stamped by Saam Barati.
2120
2121         * stress/regress-170253.js: Added.
2122
2123 2018-09-11  Mark Lam  <mark.lam@apple.com>
2124
2125         Test for IntlObject initialization.
2126         https://bugs.webkit.org/show_bug.cgi?id=170251
2127         <rdar://problem/31328419>
2128
2129         Rubber-stamped by Saam Barati.
2130
2131         * stress/regress-170251.js: Added.
2132
2133 2018-09-11  Mark Lam  <mark.lam@apple.com>
2134
2135         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2136         https://bugs.webkit.org/show_bug.cgi?id=169889
2137         <rdar://problem/31155607>
2138
2139         Reviewed by Saam Barati.
2140
2141         * stress/regress-169889-array-concat.js: Added.
2142         * stress/regress-169889-array-concat1.js: Added.
2143         * stress/regress-169889-array-slice.js: Added.
2144
2145 2018-09-11  Mark Lam  <mark.lam@apple.com>
2146
2147         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2148         https://bugs.webkit.org/show_bug.cgi?id=169445
2149         <rdar://problem/30957435>
2150
2151         Reviewed by Saam Barati.
2152
2153         * stress/regress-169445.js: Added.
2154         (let.gun.eval.A):
2155         (let.gun.eval.B.C):
2156         (let.gun.eval.B.C.prototype.trigger):
2157         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2158         (let.gun.eval.B):
2159         (let.gun.eval):
2160
2161 == Rolled over to ChangeLog-2018-09-11 ==