[JSC] linkPolymorphicCall now does GC
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] linkPolymorphicCall now does GC
4         https://bugs.webkit.org/show_bug.cgi?id=197306
5
6         Reviewed by Saam Barati.
7
8         * stress/link-polymorphic-call-can-gc.js: Added.
9         (module):
10         (instance):
11
12 2019-04-26  Robin Morisset  <rmorisset@apple.com>
13
14         All prototypes should call didBecomePrototype()
15         https://bugs.webkit.org/show_bug.cgi?id=196315
16
17         Reviewed by Saam Barati.
18
19         * stress/function-prototype-indexed-accessor.js: Added.
20
21 2019-04-23  Saam Barati  <sbarati@apple.com>
22
23         LICM incorrectly assumes it'll never insert a node which provably OSR exits
24         https://bugs.webkit.org/show_bug.cgi?id=196721
25         <rdar://problem/49556479> 
26
27         Reviewed by Filip Pizlo.
28
29         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
30         (foo):
31
32 2019-04-19  Saam Barati  <sbarati@apple.com>
33
34         AbstractValue can represent more than int52
35         https://bugs.webkit.org/show_bug.cgi?id=197118
36         <rdar://problem/49969960>
37
38         Reviewed by Michael Saboff.
39
40         * stress/abstract-value-can-include-int52.js: Added.
41         (foo):
42         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
43
44 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
45
46         [WTF] StringBuilder should set correct m_is8Bit flag when merging
47         https://bugs.webkit.org/show_bug.cgi?id=197053
48
49         Reviewed by Saam Barati.
50
51         * stress/merge-string-builder-in-dfg.js: Added.
52         (foo):
53
54 2019-04-16  Caitlin Potter  <caitp@igalia.com>
55
56         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
57         https://bugs.webkit.org/show_bug.cgi?id=176810
58
59         Reviewed by Saam Barati.
60
61         Add tests for the DontEnum filtering, and variations of other tests
62         take the DontEnum-filtering path.
63
64         * stress/proxy-own-keys.js:
65         (i.catch):
66         (set assert):
67         (set add):
68         (let.set new):
69         (get let):
70
71 2019-04-15  Saam barati  <sbarati@apple.com>
72
73         Modify how we do SetArgument when we inline varargs calls
74         https://bugs.webkit.org/show_bug.cgi?id=196712
75         <rdar://problem/49605012>
76
77         Reviewed by Michael Saboff.
78
79         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
80         (foo):
81
82 2019-04-15  Saam barati  <sbarati@apple.com>
83
84         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
85         https://bugs.webkit.org/show_bug.cgi?id=196945
86         <rdar://problem/49802750>
87
88         Reviewed by Filip Pizlo.
89
90         * stress/get-by-offset-should-use-correct-child.js: Added.
91         (foo.bar):
92         (foo):
93
94 2019-04-15  Robin Morisset  <rmorisset@apple.com>
95
96         DFG should be able to constant fold Object.create() with a constant prototype operand
97         https://bugs.webkit.org/show_bug.cgi?id=196886
98
99         Reviewed by Yusuke Suzuki.
100
101         Note that this new benchmark does not currently see a speedup with inlining removed.
102         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
103
104         * microbenchmarks/object-create-constant-prototype.js: Added.
105         (test):
106
107 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
108
109         Incremental bytecode cache should not append function updates when loaded from memory
110         https://bugs.webkit.org/show_bug.cgi?id=196865
111
112         Reviewed by Filip Pizlo.
113
114         * stress/bytecode-cache-shared-code-block.js: Added.
115         (b):
116         (program):
117
118 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
119
120         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
121         https://bugs.webkit.org/show_bug.cgi?id=196880
122
123         Reviewed by Yusuke Suzuki.
124
125         * stress/bytecode-cache-syntax-error.js: Added.
126         (catch):
127
128 2019-04-12  Saam barati  <sbarati@apple.com>
129
130         r244079 logically broke shouldSpeculateInt52
131         https://bugs.webkit.org/show_bug.cgi?id=196884
132
133         Reviewed by Yusuke Suzuki.
134
135         * microbenchmarks/int52-rand-function.js: Added.
136         (Math.random):
137
138 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
139
140         [JSC] op_has_indexed_property should not assume subscript part is Uint32
141         https://bugs.webkit.org/show_bug.cgi?id=196850
142
143         Reviewed by Saam Barati.
144
145         * stress/has-indexed-property-should-accept-non-int32.js: Added.
146         (foo):
147
148 2019-04-11  Saam barati  <sbarati@apple.com>
149
150         Remove invalid assertion in operationInstanceOfCustom
151         https://bugs.webkit.org/show_bug.cgi?id=196842
152         <rdar://problem/49725493>
153
154         Reviewed by Michael Saboff.
155
156         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
157
158 2019-04-10  Saam Barati  <sbarati@apple.com>
159
160         AbstractValue::validateOSREntryValue is wrong for Int52 constants
161         https://bugs.webkit.org/show_bug.cgi?id=196801
162         <rdar://problem/49771122>
163
164         Reviewed by Yusuke Suzuki.
165
166         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
167
168 2019-04-10  Robin Morisset  <rmorisset@apple.com>
169
170         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
171         https://bugs.webkit.org/show_bug.cgi?id=196746
172
173         Reviewed by Yusuke Suzuki.
174
175         * stress/cyclic-define-properties.js: Added.
176         (foo):
177
178 2019-04-09  Saam barati  <sbarati@apple.com>
179
180         Clean up Int52 code and some bugs in it
181         https://bugs.webkit.org/show_bug.cgi?id=196639
182         <rdar://problem/49515757>
183
184         Reviewed by Yusuke Suzuki.
185
186         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
187
188 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
189
190         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
191         https://bugs.webkit.org/show_bug.cgi?id=196708
192         <rdar://problem/49556803>
193
194         Reviewed by Yusuke Suzuki.
195
196         * stress/proxy-getter-stack-overflow.js: Added.
197         (const.handler.get target):
198         (const.handler.has):
199         (try.with):
200         (catch):
201
202 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
203
204         [JSC] DFG should respect node's strict flag
205         https://bugs.webkit.org/show_bug.cgi?id=196617
206
207         Reviewed by Saam Barati.
208
209         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
210         (shouldEqual):
211         (makeUnwriteableUnconfigurableObject):
212         (runTest):
213         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
214         (shouldBe):
215         (shouldThrow):
216         (with.result):
217         (with.putValueStrict):
218         (with.putValueSloppy):
219
220 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
221
222         [JSC] isRope jump in StringSlice should not jump over register allocations
223         https://bugs.webkit.org/show_bug.cgi?id=196716
224
225         Reviewed by Saam Barati.
226
227         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
228         (foo.bar):
229         (foo):
230
231 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
232
233         [JSC] to_index_string should not assume incoming value is Uint32
234         https://bugs.webkit.org/show_bug.cgi?id=196713
235
236         Reviewed by Saam Barati.
237
238         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
239         (foo):
240
241 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
242
243         [JSC] Add more tests for r243966
244         https://bugs.webkit.org/show_bug.cgi?id=196711
245
246         Reviewed by Saam Barati.
247
248         Adding one more test for r243966 fix. The added test will not crash after r243966.
249
250         * stress/stress-cleared-calllinkinfo.js: Added.
251         (runNearStackLimit.t):
252         (runNearStackLimit):
253         (repeat):
254         (cls):
255         (let.item.of.array.runNearStackLimit):
256
257 2019-04-08  Saam Barati  <sbarati@apple.com>
258
259         WebAssembly.RuntimeError missing exception check
260         https://bugs.webkit.org/show_bug.cgi?id=196700
261         <rdar://problem/49693932>
262
263         Reviewed by Yusuke Suzuki.
264
265         * wasm/js-api/runtime-error-should-exception-check.js: Added.
266
267 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
268
269         Unreviewed, rolling in r243948 with test fix
270         https://bugs.webkit.org/show_bug.cgi?id=196486
271
272         * stress/arrow-function-and-use-strict-directive.js: Added.
273         * stress/arrow-function-syntax.js: Added.
274         (checkSyntax):
275         (checkSyntaxError):
276
277 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
278
279         Unreviewed, rolling out r243948.
280
281         Caused inspector/runtime/parse.html to fail
282
283         Reverted changeset:
284
285         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
286         https://bugs.webkit.org/show_bug.cgi?id=196486
287         https://trac.webkit.org/changeset/243948
288
289 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
290
291         Unreviewed, rolling out r243943.
292
293         Caused test262 failures.
294
295         Reverted changeset:
296
297         "[JSC] Filter DontEnum properties in
298         ProxyObject::getOwnPropertyNames()"
299         https://bugs.webkit.org/show_bug.cgi?id=176810
300         https://trac.webkit.org/changeset/243943
301
302 2019-04-07  Michael Saboff  <msaboff@apple.com>
303
304         REGRESSION (r243642): Crash in reddit.com page
305         https://bugs.webkit.org/show_bug.cgi?id=196684
306
307         Reviewed by Geoffrey Garen.
308
309         New regression test.
310
311         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
312
313 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
314
315         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
316         https://bugs.webkit.org/show_bug.cgi?id=196683
317
318         Reviewed by Saam Barati.
319
320         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
321         (foo):
322
323 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
324
325         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
326         https://bugs.webkit.org/show_bug.cgi?id=196582
327
328         Reviewed by Saam Barati.
329
330         * stress/add-overflow-check-with-three-same-registers.js: Added.
331         (foo):
332         (Number.prototype.valueOf):
333         (runWithNumber):
334
335 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
336
337         Unreviewed, rolling out r243665.
338
339         Caused iOS JSC tests to exit with an exception.
340
341         Reverted changeset:
342
343         "Assertion failed in JSC::createError"
344         https://bugs.webkit.org/show_bug.cgi?id=196305
345         https://trac.webkit.org/changeset/243665
346
347 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
348
349         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
350         https://bugs.webkit.org/show_bug.cgi?id=196486
351
352         Reviewed by Saam Barati.
353
354         * stress/arrow-function-and-use-strict-directive.js: Added.
355         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
356         (checkSyntax):
357         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
358
359 2019-04-05  Caitlin Potter  <caitp@igalia.com>
360
361         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
362         https://bugs.webkit.org/show_bug.cgi?id=176810
363
364         Reviewed by Saam Barati.
365
366         Add tests for the DontEnum filtering, and variations of other tests
367         take the DontEnum-filtering path.
368
369         * stress/proxy-own-keys.js:
370         (i.catch):
371         (set assert):
372         (set add):
373         (let.set new):
374         (get let):
375
376 2019-04-05  Caitlin Potter  <caitp@igalia.com>
377
378         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
379         https://bugs.webkit.org/show_bug.cgi?id=185211
380
381         Reviewed by Saam Barati.
382
383         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
384
385         This changes several assertions to expect a TypeError to be thrown (in some cases,
386         changing the expected message).
387
388         * es6/Proxy_ownKeys_duplicates.js:
389         (handler):
390         (shouldThrow):
391         (test):
392         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
393         (shouldThrow):
394         * stress/proxy-own-keys.js:
395         (i.catch):
396         (assert):
397
398 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
399
400         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
401         https://bugs.webkit.org/show_bug.cgi?id=196631
402
403         Reviewed by Saam Barati.
404
405         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
406         (assert):
407         (test):
408         (foo):
409
410 2019-04-04  Saam Barati  <sbarati@apple.com>
411
412         Unreviewed. Make the test from r243906 catch the thrown exceptions.
413
414         * stress/inferred-types-regex-matches-array.js:
415
416 2019-04-04  Saam Barati  <sbarati@apple.com>
417
418         createRegExpMatchesArray does not respect inferred types
419         https://bugs.webkit.org/show_bug.cgi?id=193287
420
421         Reviewed by Yusuke Suzuki.
422
423         This checks in the test case for 193287. This issue was discovered by
424         Samuel Groß of Google Project Zero.
425
426         * stress/inferred-types-regex-matches-array.js: Added.
427
428 2019-04-04  Saam barati  <sbarati@apple.com>
429
430         Teach Call ICs how to call Wasm
431         https://bugs.webkit.org/show_bug.cgi?id=196387
432
433         Reviewed by Filip Pizlo.
434
435         * wasm/function-tests/stack-trace.js:
436
437 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
438
439         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
440         https://bugs.webkit.org/show_bug.cgi?id=194944
441
442         Reviewed by Keith Miller.
443
444         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
445
446 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
447
448         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
449         https://bugs.webkit.org/show_bug.cgi?id=196409
450
451         Reviewed by Saam Barati.
452
453         * stress/bytecode-cache-cached-string-impl.js: Added.
454         (f):
455         (g):
456         * stress/bytecode-cache-run-string.js: Added.
457
458 2019-04-03  Robin Morisset  <rmorisset@apple.com>
459
460         B3 should use associativity to optimize expression trees
461         https://bugs.webkit.org/show_bug.cgi?id=194081
462
463         Reviewed by Filip Pizlo.
464
465         Added three microbenchmarks:
466         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
467         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
468           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
469         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
470
471         * microbenchmarks/add-tree.js: Added.
472         * microbenchmarks/bit-or-tree.js: Added.
473         * microbenchmarks/bit-xor-tree.js: Added.
474
475 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
476
477         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
478         https://bugs.webkit.org/show_bug.cgi?id=196574
479
480         Reviewed by Saam Barati.
481
482         * stress/string-index-of-exception-check.js: Added.
483         (blurType):
484         (1.forEach):
485
486 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
487
488         Assertion failed in JSC::createError
489         https://bugs.webkit.org/show_bug.cgi?id=196305
490         <rdar://problem/49387382>
491
492         Reviewed by Saam Barati.
493
494         * stress/create-error-out-of-memory-rope-string-2.js: Added.
495         (assert):
496         (catch):
497
498 2019-03-28  Saam Barati  <sbarati@apple.com>
499
500         BackwardsGraph needs to consider back edges as the backward's root successor
501         https://bugs.webkit.org/show_bug.cgi?id=195991
502
503         Reviewed by Filip Pizlo.
504
505         * stress/map-b3-licm-infinite-loop.js: Added.
506
507 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
508
509         CodeBlock::jettison() should disallow repatching its own calls
510         https://bugs.webkit.org/show_bug.cgi?id=196359
511         <rdar://problem/48973663>
512
513         Reviewed by Saam Barati.
514
515         * stress/call-link-info-osrexit-repatch.js: Added.
516         (foo):
517
518 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
519
520         [JSC] imports-oom.js intermittently fails
521         https://bugs.webkit.org/show_bug.cgi?id=196373
522
523         Reviewed by Saam Barati.
524
525         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
526         with an extremely low amount of executable memory. And this test expects that we at least once successfully compile, instantiate, and execute a wasm module to test that
527         the wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation has changed,
528         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
529         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
530
531         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
532         an expected OOM error. But this avoids the situation where we get an OOM error when we compile the first wasm module.
533
534         * wasm/lowExecutableMemory/imports-oom.js:
535
536 2019-03-27  Saam Barati  <sbarati@apple.com>
537
538         validateOSREntryValue with Int52 should box the value being checked into double format
539         https://bugs.webkit.org/show_bug.cgi?id=196313
540         <rdar://problem/49306703>
541
542         Reviewed by Yusuke Suzuki.
543
544         * stress/validate-int-52-ai-state.js: Added.
545
546 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
547
548         [JSC] Owner of watchpoints should validate at GC finalizing phase
549         https://bugs.webkit.org/show_bug.cgi?id=195827
550
551         Reviewed by Filip Pizlo.
552
553         * stress/gc-should-reap-dead-watchpoints.js: Added.
554         (foo):
555         (A.prototype.y):
556         (A):
557
558 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
559
560         Skip WebAssembly test on 32-bit systems
561         https://bugs.webkit.org/show_bug.cgi?id=196206
562
563         Reviewed by Saam Barati.
564
565         Invoking runDefault executes test immediately even though
566         that test should be skipped due to missing WASM support.
567         Therefore remove runDefault.
568
569         * wasm/regress/web-assembly-link-error-exception-check.js:
570
571 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
572
573         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
574         https://bugs.webkit.org/show_bug.cgi?id=196217
575
576         Reviewed by Saam Barati.
577
578         Re-enable all NaN tests for f32.min, f64.min and f64.max.
579
580         * wasm/spec-tests/f32.wast.js:
581         * wasm/spec-tests/f64.wast.js:
582         * wasm/wasm.json:
583
584 2019-03-25  Keith Miller  <keith_miller@apple.com>
585
586         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
587         https://bugs.webkit.org/show_bug.cgi?id=196176
588
589         Reviewed by Saam Barati.
590
591         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
592         (main.v10):
593         (main):
594
595 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
596
597         WebAssembly: f32.max with NaN generates incorrect result
598         https://bugs.webkit.org/show_bug.cgi?id=175691
599         <rdar://problem/33952228>
600
601         Reviewed by Saam Barati.
602
603         Enable all f32.max NaN tests
604
605         * wasm/spec-tests/f32.wast.js:
606         * wasm/wasm.json:
607
608 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
609
610         [JSC] Move test into directory for WASM tests
611         https://bugs.webkit.org/show_bug.cgi?id=196187
612
613         Reviewed by Mark Lam.
614
615         Move Test into wasm-directory. Otherwise this test
616         is also executed on systems without WASM support.
617
618         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
619
620 2019-03-23  Mark Lam  <mark.lam@apple.com>
621
622         Rolling out r243032 and r243071 because the fix is incorrect.
623         https://bugs.webkit.org/show_bug.cgi?id=195892
624         <rdar://problem/48981239>
625
626         Not reviewed.
627
628         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
629
630 2019-03-22  Mark Lam  <mark.lam@apple.com>
631
632         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
633         https://bugs.webkit.org/show_bug.cgi?id=196154
634         <rdar://problem/49145307>
635
636         Reviewed by Filip Pizlo.
637
638         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
639         There's no need to run this test on more than 1 test configuration.
640
641         * stress/typed-array-lastIndexOf-exception-check.js: Added.
642         * stress/web-assembly-link-error-exception-check.js:
643
644 2019-03-22  Mark Lam  <mark.lam@apple.com>
645
646         Placate exception check validation in constructJSWebAssemblyLinkError().
647         https://bugs.webkit.org/show_bug.cgi?id=196152
648         <rdar://problem/49145257>
649
650         Reviewed by Michael Saboff.
651
652         * stress/web-assembly-link-error-exception-check.js: Added.
653
654 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
655
656         Skip tests running out of memory on ARM/MIPS
657         https://bugs.webkit.org/show_bug.cgi?id=196131
658
659         Unreviewed. Skip test if memory is limited.
660
661         * microbenchmarks/put-by-val-direct-large-index.js:
662
663 2019-03-21  Mark Lam  <mark.lam@apple.com>
664
665         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
666         https://bugs.webkit.org/show_bug.cgi?id=196116
667         <rdar://problem/48976951>
668
669         Reviewed by Filip Pizlo.
670
671         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
672
673 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
674
675         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
676         https://bugs.webkit.org/show_bug.cgi?id=196078
677         <rdar://problem/35925380>
678
679         Reviewed by Mark Lam.
680
681         Add a new benchmark that allocates several objects and invokes put_by_val_direct
682         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
683
684         * microbenchmarks/put-by-val-direct-large-index.js: Added.
685
686 2019-03-21  Mark Lam  <mark.lam@apple.com>
687
688         Placate exception check validation in operationArrayIndexOfString().
689         https://bugs.webkit.org/show_bug.cgi?id=196067
690         <rdar://problem/49056572>
691
692         Reviewed by Michael Saboff.
693
694         * stress/string-equal-exception-check.js: Added.
695
696 2019-03-21  Mark Lam  <mark.lam@apple.com>
697
698         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
699         https://bugs.webkit.org/show_bug.cgi?id=196055
700         <rdar://problem/49067448>
701
702         Reviewed by Yusuke Suzuki.
703
704         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
705
706 2019-03-20  Saam Barati  <sbarati@apple.com>
707
708         typeOfDoubleSum is wrong for when NaN can be produced
709         https://bugs.webkit.org/show_bug.cgi?id=196030
710
711         Reviewed by Filip Pizlo.
712
713         * stress/double-add-sub-mul-can-produce-nan.js: Added.
714         (assert):
715         (noInline.sub):
716         (noInline):
717         (assert.mul):
718         (assert.add):
719
720 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
721
722         Update the test to ensure OutOfMemoryError is thrown as intended
723         https://bugs.webkit.org/show_bug.cgi?id=196032
724         <rdar://problem/46842740>
725
726         Rubber stamped by Saam Barati.
727
728         * stress/create-error-out-of-memory-rope-string.js:
729         (assert):
730         (catch):
731
732 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
733
734         JSC::createError needs to check for OOM in errorDescriptionForValue
735         https://bugs.webkit.org/show_bug.cgi?id=196032
736         <rdar://problem/46842740>
737
738         Reviewed by Mark Lam.
739
740         * stress/create-error-out-of-memory-rope-string.js: Added.
741
742 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
743
744         Unreviewed, reduce # of iterations to avoid timing out after r242991
745         https://bugs.webkit.org/show_bug.cgi?id=195791
746
747         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
748
749         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
750
751 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
752
753         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
754         https://bugs.webkit.org/show_bug.cgi?id=195950
755
756         Unreviewed, reducing the amount of memory used on this test to avoid
757         OOM on devices with memory restrictions.
758
759         * microbenchmarks/generate-multiple-llint-entrypoints.js:
760
761 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
762
763         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
764         https://bugs.webkit.org/show_bug.cgi?id=194648
765
766         Reviewed by Keith Miller.
767
768         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
769
770 2019-03-18  Mark Lam  <mark.lam@apple.com>
771
772         Missing a ThrowScope release in JSObject::toString().
773         https://bugs.webkit.org/show_bug.cgi?id=195893
774         <rdar://problem/48970986>
775
776         Reviewed by Michael Saboff.
777
778         * stress/to-string-exception-check-release.js: Added.
779
780 2019-03-18  Mark Lam  <mark.lam@apple.com>
781
782         Structure::flattenDictionary() should clear unused property slots.
783         https://bugs.webkit.org/show_bug.cgi?id=195871
784         <rdar://problem/48959497>
785
786         Reviewed by Michael Saboff.
787
788         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
789
790 2019-03-15  Mark Lam  <mark.lam@apple.com>
791
792         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
793         https://bugs.webkit.org/show_bug.cgi?id=195827
794         <rdar://problem/48845513>
795
796         Reviewed by Filip Pizlo.
797
798         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
799
800 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
801
802         [ARM,MIPS] Skip slow tests
803         https://bugs.webkit.org/show_bug.cgi?id=195799
804
805         Unreviewed, test does not finish on ARM and MIPS within the
806         timeout limit.
807
808         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
809
810 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
811
812         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
813         https://bugs.webkit.org/show_bug.cgi?id=195791
814         <rdar://problem/48806130>
815
816         Reviewed by Mark Lam.
817
818         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
819         (foo):
820
821 2019-03-14  Saam barati  <sbarati@apple.com>
822
823         We can't remove code after ForceOSRExit until after FixupPhase
824         https://bugs.webkit.org/show_bug.cgi?id=186916
825         <rdar://problem/41396612>
826
827         Reviewed by Yusuke Suzuki.
828
829         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
830         (foo):
831         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
832         (foo):
833
834 2019-03-13  Michael Saboff  <msaboff@apple.com>
835
836         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
837         https://bugs.webkit.org/show_bug.cgi?id=195735
838
839         Reviewed by Mark Lam.
840
841         New regression test.
842
843         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
844         (foo):
845         (bar):
846
847 2019-03-14  Saam barati  <sbarati@apple.com>
848
849         Fixup uses KnownInt32 incorrectly in some nodes
850         https://bugs.webkit.org/show_bug.cgi?id=195279
851         <rdar://problem/47915654>
852
853         Reviewed by Yusuke Suzuki.
854
855         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
856         (foo):
857
858 2019-03-14  Keith Miller  <keith_miller@apple.com>
859
860         DFG liveness can't skip tail caller inline frames
861         https://bugs.webkit.org/show_bug.cgi?id=195715
862
863         Reviewed by Saam Barati.
864
865         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
866         (i.foo):
867
868 2019-03-13  Mark Lam  <mark.lam@apple.com>
869
870         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
871         https://bugs.webkit.org/show_bug.cgi?id=195415
872
873         Not reviewed.
874
875         Changed these tests to only run the default configuration.
876         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
877         There's no strong need to run this test on that variant.
878
879         * stress/dfg-to-string-on-int-does-gc.js:
880         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
881
882 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
883
884         String overflow when using StringBuilder in JSC::createError
885         https://bugs.webkit.org/show_bug.cgi?id=194957
886
887         Reviewed by Mark Lam.
888
889         Add test string-overflow-createError-builder.js that overflows
890         StringBuilder in notAFunctionSourceAppender. The second new test
891         string-overflow-createError-fit.js has an error message that doesn't
892         overflow, it still failed since the String's capacity can't be doubled.
893         Run test string-overflow-createError.js only in the default
894         configuration to reduce memory consumption when running the test
895         in all configurations on multiple CPUs in parallel.
896
897         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
898         (catch):
899         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
900         (catch):
901         * stress/string-overflow-createError.js:
902
903 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
904
905         [JSC] OSR entry should respect abstract values in addition to flush formats
906         https://bugs.webkit.org/show_bug.cgi?id=195653
907
908         Reviewed by Mark Lam.
909
910         * stress/osr-entry-locals-none.js: Added.
911
912 2019-03-12  Michael Saboff  <msaboff@apple.com>
913
914         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
915         https://bugs.webkit.org/show_bug.cgi?id=195613
916
917         Reviewed by Mark Lam.
918
919         New regression test.
920
921         * stress/regexp-backref-inbounds.js: Added.
922         (testRegExp):
923
924 2019-03-12  Mark Lam  <mark.lam@apple.com>
925
926         The HasIndexedProperty node does GC.
927         https://bugs.webkit.org/show_bug.cgi?id=195559
928         <rdar://problem/48767923>
929
930         Reviewed by Yusuke Suzuki.
931
932         * stress/HasIndexedProperty-does-gc.js: Added.
933
934 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
935
936         [ESNext][BigInt] Implement "~" unary operation
937         https://bugs.webkit.org/show_bug.cgi?id=182216
938
939         Reviewed by Keith Miller.
940
941         * stress/big-int-bit-not-general.js: Added.
942         * stress/big-int-bitwise-not-jit.js: Added.
943         * stress/big-int-bitwise-not-wrapped-value.js: Added.
944         * stress/bit-op-with-object-returning-int32.js:
945         * stress/bitwise-not-fixup-rules.js: Added.
946         * stress/value-bit-not-ai-rule.js: Added.
947
948 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
949
950         Invalid flags in a RegExp literal should be an early SyntaxError
951         https://bugs.webkit.org/show_bug.cgi?id=195514
952
953         Reviewed by Darin Adler.
954
955         * test262/expectations.yaml:
956         Mark 4 test cases as passing.
957
958         * stress/regexp-syntax-error-invalid-flags.js:
959         * stress/regress-161995.js: Removed.
960         Update existing test, merging in an older test for the same behavior.
961
962 2019-03-08  Mark Lam  <mark.lam@apple.com>
963
964         Stack overflow crash in JSC::JSObject::hasInstance.
965         https://bugs.webkit.org/show_bug.cgi?id=195458
966         <rdar://problem/48710195>
967
968         Reviewed by Yusuke Suzuki.
969
970         * stress/stack-overflow-in-custom-hasInstance.js: Added.
971
972 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
973
974         op_check_tdz does not def its argument
975         https://bugs.webkit.org/show_bug.cgi?id=192880
976         <rdar://problem/46221598>
977
978         Reviewed by Saam Barati.
979
980         * microbenchmarks/let-for-in.js: Added.
981         (foo):
982
983 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
984
985         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
986         https://bugs.webkit.org/show_bug.cgi?id=195429
987
988         Reviewed by Saam Barati.
989
990         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
991         (foo):
992         * stress/string-from-char-code-255.js: Added.
993
994 2019-03-06  Mark Lam  <mark.lam@apple.com>
995
996         Fix incorrect handling of try-finally completion values.
997         https://bugs.webkit.org/show_bug.cgi?id=195131
998         <rdar://problem/46222079>
999
1000         Reviewed by Saam Barati and Yusuke Suzuki.
1001
1002         Added many permutations of new test case to test-finally.js.  test-finally.js has
1003         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
1004         tests pass there as well.
1005
1006         * stress/test-finally.js:
1007
1008 2019-03-06  Saam Barati  <sbarati@apple.com>
1009
1010         Air::reportUsedRegisters must padInterference
1011         https://bugs.webkit.org/show_bug.cgi?id=195303
1012         <rdar://problem/48270343>
1013
1014         Reviewed by Keith Miller.
1015
1016         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
1017
1018 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
1019
1020         [JSC] AI should not propagate AbstractValue relying on constant folding phase
1021         https://bugs.webkit.org/show_bug.cgi?id=195375
1022
1023         Reviewed by Saam Barati.
1024
1025         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
1026         (let.array):
1027
1028 2019-03-05  Saam barati  <sbarati@apple.com>
1029
1030         op_switch_char broken for rope strings after JSRopeString layout rewrite
1031         https://bugs.webkit.org/show_bug.cgi?id=195339
1032         <rdar://problem/48592545>
1033
1034         Reviewed by Yusuke Suzuki.
1035
1036         * stress/switch-on-char-llint-rope.js: Added.
1037
1038 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
1039
1040         [JSC] Store bits for JSRopeString in 3 stores
1041         https://bugs.webkit.org/show_bug.cgi?id=195234
1042
1043         Reviewed by Saam Barati.
1044
1045         * stress/null-rope-and-collectors.js: Added.
1046
1047 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1048
1049         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1050         https://bugs.webkit.org/show_bug.cgi?id=195207
1051
1052         Unreviewed. After test runtime was reduced in r242213, test can be
1053         run again on ARM/MIPS.
1054
1055         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1056
1057 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1058
1059         [JSC] sizeof(JSString) should be 16
1060         https://bugs.webkit.org/show_bug.cgi?id=194375
1061
1062         Reviewed by Saam Barati.
1063
1064         * microbenchmarks/make-rope.js: Added.
1065         (makeRope):
1066         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1067         (returnRope.helper): Deleted.
1068         (returnRope): Deleted.
1069
1070 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1071
1072         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1073         https://bugs.webkit.org/show_bug.cgi?id=195144
1074
1075         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1076         Change the number from 1e8 to 1e5.
1077
1078         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1079         (foo):
1080
1081 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1082
1083         Test times out on ARM/MIPS
1084         https://bugs.webkit.org/show_bug.cgi?id=195168
1085
1086         Unreviewed. Skip test on ARM/MIPS.
1087
1088         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1089
1090 2019-02-27  Mark Lam  <mark.lam@apple.com>
1091
1092         The parser is failing to record the token location of new in new.target.
1093         https://bugs.webkit.org/show_bug.cgi?id=195127
1094         <rdar://problem/39645578>
1095
1096         Reviewed by Yusuke Suzuki.
1097
1098         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1099
1100 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1101
1102         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1103         https://bugs.webkit.org/show_bug.cgi?id=195144
1104         <rdar://problem/47595961>
1105
1106         Reviewed by Mark Lam.
1107
1108         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1109         (bar):
1110         (foo):
1111         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1112         (bar):
1113         (foo):
1114
1115 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1116
1117         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1118         https://bugs.webkit.org/show_bug.cgi?id=194945
1119         <rdar://problem/48311657>
1120
1121         Reviewed by Mark Lam.
1122
1123         * stress/licm-dead-code.js: Added.
1124
1125 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1126
1127         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1128         https://bugs.webkit.org/show_bug.cgi?id=194677
1129         <rdar://problem/48112492>
1130
1131         Reviewed by Mark Lam.
1132
1133         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1134         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1135         it immediately fails due to the large size.
1136
1137         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1138         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1139         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1140         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1141
1142         This patch changes the test to produce 16bit string from String.fromCharCode.
1143
1144         * stress/regress-178386.js:
1145
1146 2019-02-26  Mark Lam  <mark.lam@apple.com>
1147
1148         wasmToJS() should purify incoming NaNs.
1149         https://bugs.webkit.org/show_bug.cgi?id=194807
1150         <rdar://problem/48189132>
1151
1152         Reviewed by Saam Barati.
1153
1154         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1155
1156 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1157
1158         [JSC] Repeat string created from Array.prototype.join() take too much memory
1159         https://bugs.webkit.org/show_bug.cgi?id=193912
1160
1161         Reviewed by Saam Barati.
1162
1163         Added a test and a microbenchmark for corner cases of
1164         Array.prototype.join() with an uninitialized array.
1165
1166         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1167         * stress/array-prototype-join-uninitialized.js: Added.
1168         (testArray):
1169         (testABC):
1170         (B):
1171         (C):
1172
1173 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1174
1175         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1176         https://bugs.webkit.org/show_bug.cgi?id=194953
1177         <rdar://problem/47595253>
1178
1179         Reviewed by Saam Barati.
1180
1181         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1182
1183         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1184
1185 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1186
1187         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1188         https://bugs.webkit.org/show_bug.cgi?id=172848
1189         <rdar://problem/25709212>
1190
1191         Reviewed by Mark Lam.
1192
1193         * typeProfiler/inheritance.js:
1194         Rewrite the test slightly for clarity. The hoisting was confusing.
1195
1196         * heapProfiler/class-names.js: Added.
1197         (MyES5Class):
1198         (MyES6Class):
1199         (MyES6Subclass):
1200         Test object types and improved class names.
1201
1202         * heapProfiler/driver/driver.js:
1203         (CheapHeapSnapshotNode):
1204         (CheapHeapSnapshot):
1205         (createCheapHeapSnapshot):
1206         (HeapSnapshot):
1207         (createHeapSnapshot):
1208         Update snapshot parsing from version 1 to version 2.
1209
1210 2019-02-19  Truitt Savell  <tsavell@apple.com>
1211
1212         Unreviewed, rolling out r241784.
1213
1214         Broke all OpenSource builds.
1215
1216         Reverted changeset:
1217
1218         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1219         instances view"
1220         https://bugs.webkit.org/show_bug.cgi?id=172848
1221         https://trac.webkit.org/changeset/241784
1222
1223 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1224
1225         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1226         https://bugs.webkit.org/show_bug.cgi?id=172848
1227         <rdar://problem/25709212>
1228
1229         Reviewed by Mark Lam.
1230
1231         * typeProfiler/inheritance.js:
1232         Rewrite the test slightly for clarity. The hoisting was confusing.
1233
1234         * heapProfiler/class-names.js: Added.
1235         (MyES5Class):
1236         (MyES6Class):
1237         (MyES6Subclass):
1238         Test object types and improved class names.
1239
1240         * heapProfiler/driver/driver.js:
1241         (CheapHeapSnapshotNode):
1242         (CheapHeapSnapshot):
1243         (createCheapHeapSnapshot):
1244         (HeapSnapshot):
1245         (createHeapSnapshot):
1246         Update snapshot parsing from version 1 to version 2.
1247
1248 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1249
1250         [ARM] Fix crash with sampling profiler
1251         https://bugs.webkit.org/show_bug.cgi?id=194772
1252
1253         Reviewed by Mark Lam.
1254
1255         Do not skip test since crash with sampling profiler is now fixed.
1256
1257         * stress/sampling-profiler-richards.js:
1258
1259 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1260
1261         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1262         https://bugs.webkit.org/show_bug.cgi?id=194784
1263         <rdar://problem/48154820>
1264
1265         Reviewed by Mark Lam.
1266
1267         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1268         (getProperties):
1269         (getRandomProperty):
1270         (i.catch):
1271
1272 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1273
1274         [ARM] Test gardening: Test running out of executable memory
1275         https://bugs.webkit.org/show_bug.cgi?id=194771
1276
1277         Unreviewed. Do not run test without LLInt, test is running out of executable
1278         memory on ARM otherwise.
1279
1280         * stress/tagged-template-object-collect.js:
1281
1282 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1283
1284         Unreviewed, skip the test on platforms without sampling profiler
1285
1286         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1287         (platformSupportsSamplingProfiler.foo):
1288         (platformSupportsSamplingProfiler.test):
1289         (platformSupportsSamplingProfiler):
1290         (foo): Deleted.
1291         (test): Deleted.
1292
1293 2019-02-17  Saam Barati  <sbarati@apple.com>
1294
1295         Deadlock when adding a Structure property transition and then doing incremental marking
1296         https://bugs.webkit.org/show_bug.cgi?id=194767
1297
1298         Reviewed by Mark Lam.
1299
1300         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1301
1302 2019-02-15  Michael Saboff  <msaboff@apple.com>
1303
1304         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1305         https://bugs.webkit.org/show_bug.cgi?id=194558
1306
1307         Reviewed by Saam Barati.
1308
1309         New regression test.
1310
1311         * stress/regexp-unicode-within-string.js: Added.
1312
1313 2019-02-15  Mark Lam  <mark.lam@apple.com>
1314
1315         SamplingProfiler::stackTracesAsJSON() should escape strings.
1316         https://bugs.webkit.org/show_bug.cgi?id=194649
1317         <rdar://problem/48072386>
1318
1319         Reviewed by Saam Barati.
1320
1321         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1322         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1323         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1324         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1325
1326 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1327         CodeBlock::jettison should clear related watchpoints
1328         https://bugs.webkit.org/show_bug.cgi?id=194544
1329
1330         Reviewed by Mark Lam.
1331
1332         * stress/regexp-replace-double-watchpoint.js: Added.
1333         (foo):
1334
1335 2019-02-15  Saam barati  <sbarati@apple.com>
1336
1337         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1338         https://bugs.webkit.org/show_bug.cgi?id=194036
1339
1340         Reviewed by Yusuke Suzuki.
1341
1342         * stress/tail-call-many-arguments.js: Added.
1343         (foo):
1344         (bar):
1345
1346 2019-02-14  Saam Barati  <sbarati@apple.com>
1347
1348         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1349         https://bugs.webkit.org/show_bug.cgi?id=194583
1350         <rdar://problem/48028140>
1351
1352         Reviewed by Yusuke Suzuki.
1353
1354         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1355
1356 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1357
1358         [JSC] String.fromCharCode's slow path always generates 16bit string
1359         https://bugs.webkit.org/show_bug.cgi?id=194466
1360
1361         Reviewed by Keith Miller.
1362
1363         * stress/string-from-char-code-slow-path.js: Added.
1364         (shouldBe):
1365         (testWithLength):
1366
1367 2019-02-08  Saam barati  <sbarati@apple.com>
1368
1369         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1370         https://bugs.webkit.org/show_bug.cgi?id=194334
1371         <rdar://problem/47844327>
1372
1373         Reviewed by Mark Lam.
1374
1375         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1376         (func):
1377
1378 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1379
1380         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1381         https://bugs.webkit.org/show_bug.cgi?id=194369
1382         <rdar://problem/47813087>
1383
1384         Reviewed by Saam Barati.
1385
1386         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1387         (A):
1388
1389 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1390
1391         [JSC] PrivateName to PublicName hash table is wasteful
1392         https://bugs.webkit.org/show_bug.cgi?id=194277
1393
1394         Reviewed by Michael Saboff.
1395
1396         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1397
1398         * ChakraCore.yaml:
1399
1400 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1401
1402         [ARM] Test running out of executable memory
1403         https://bugs.webkit.org/show_bug.cgi?id=194285
1404
1405         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1406         executable memory otherwise.
1407
1408         * stress/class-subclassing-function.js:
1409
1410 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1411
1412         when lowering AssertNotEmpty, create the value before creating the patchpoint
1413         https://bugs.webkit.org/show_bug.cgi?id=194231
1414
1415         Reviewed by Saam Barati.
1416
1417         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1418         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
1419         So even tiny changes to this test can change the path code taken.
1420
1421         * stress/assert-not-empty.js: Added.
1422         (foo):
1423
1424 2019-02-01  Mark Lam  <mark.lam@apple.com>
1425
1426         Remove invalid assertion in DFG's compileDoubleRep().
1427         https://bugs.webkit.org/show_bug.cgi?id=194130
1428         <rdar://problem/47699474>
1429
1430         Reviewed by Saam Barati.
1431
1432         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1433
1434 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1435
1436         Import latest Test262 updates.
1437
1438         Rubber-stamped by Keith Miller.
1439
1440         * test262.yaml: Deleted.
1441         * test262/config.yaml:
1442         * test262/expectations.yaml:
1443         * test262/latest-changes-summary.txt:
1444         * test262/test/:
1445         * test262/test262-Revision.txt:
1446
1447 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1448
1449         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1450         https://bugs.webkit.org/show_bug.cgi?id=194050
1451         <rdar://problem/47595592>
1452
1453         Reviewed by Yusuke Suzuki.
1454
1455         * stress/object-keys-osr-exit.js: Added.
1456         (foo):
1457         (catch):
1458
1459 2019-01-29  Mark Lam  <mark.lam@apple.com>
1460
1461         ValueRecovery::recover() should purify NaN values it recovers.
1462         https://bugs.webkit.org/show_bug.cgi?id=193978
1463         <rdar://problem/47625488>
1464
1465         Reviewed by Saam Barati.
1466
1467         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1468
1469 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1470
1471         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1472         https://bugs.webkit.org/show_bug.cgi?id=193713
1473
1474         * stress/try-get-by-id-should-spill-registers-dfg.js:
1475         (let.f.createBuiltin):
1476
1477 2019-01-28  Mark Lam  <mark.lam@apple.com>
1478
1479         ToString node actually does GC.
1480         https://bugs.webkit.org/show_bug.cgi?id=193920
1481         <rdar://problem/46695900>
1482
1483         Reviewed by Yusuke Suzuki.
1484
1485         * stress/dfg-to-string-on-int-does-gc.js: Added.
1486         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1487         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1488
1489 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1490
1491         [JSC] NativeErrorConstructor should not have own IsoSubspace
1492         https://bugs.webkit.org/show_bug.cgi?id=193713
1493
1494         Reviewed by Saam Barati.
1495
1496         Remove @Error use.
1497
1498         * stress/try-get-by-id-should-spill-registers-dfg.js:
1499         (let.f.createBuiltin):
1500
1501 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1502
1503         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1504         https://bugs.webkit.org/show_bug.cgi?id=190693
1505
1506         Reviewed by Michael Saboff.
1507
1508         * stress/regress-190693.js: Added.
1509         (truth):
1510         (assert):
1511         (shouldThrowInvalidConstAssignment):
1512         (taz):
1513
1514 2019-01-24  Saam Barati  <sbarati@apple.com>
1515
1516         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1517         https://bugs.webkit.org/show_bug.cgi?id=193751
1518         <rdar://problem/47280215>
1519
1520         Reviewed by Michael Saboff.
1521
1522         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1523         (let.thing):
1524         (foo.let.hello):
1525         (foo):
1526
1527 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1528
1529         [JSC] Reenable baseline JIT on mips
1530         https://bugs.webkit.org/show_bug.cgi?id=192983
1531
1532         Reviewed by Mark Lam.
1533
1534         Added a new test for a case that was triggering a RELEASE_ASSERT when
1535         testing.
1536         Disable some slow tests that were already disabled for arm and x86.
1537
1538         * stress/json-parse-big-object.js: Added.
1539         * stress/new-largeish-contiguous-array-with-size.js:
1540         * stress/op_add.js:
1541         * stress/op_bitand.js:
1542         * stress/op_bitor.js:
1543         * stress/op_bitxor.js:
1544         * stress/op_lshift-ConstVar.js:
1545         * stress/op_lshift-VarConst.js:
1546         * stress/op_lshift-VarVar.js:
1547         * stress/op_mod-ConstVar.js:
1548         * stress/op_mod-VarConst.js:
1549         * stress/op_mod-VarVar.js:
1550         * stress/op_mul-ConstVar.js:
1551         * stress/op_mul-VarConst.js:
1552         * stress/op_mul-VarVar.js:
1553         * stress/op_rshift-ConstVar.js:
1554         * stress/op_rshift-VarConst.js:
1555         * stress/op_rshift-VarVar.js:
1556         * stress/op_sub-ConstVar.js:
1557         * stress/op_sub-VarConst.js:
1558         * stress/op_sub-VarVar.js:
1559         * stress/op_urshift-ConstVar.js:
1560         * stress/op_urshift-VarConst.js:
1561         * stress/op_urshift-VarVar.js:
1562         * stress/sampling-profiler-richards.js:
1563         * stress/spread-forward-call-varargs-stack-overflow.js:
1564
1565 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1566
1567         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1568         https://bugs.webkit.org/show_bug.cgi?id=193711
1569         <rdar://problem/47250262>
1570
1571         Reviewed by Saam Barati.
1572
1573         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1574         (shouldBe):
1575         (foo):
1576         (bar):
1577         (baz):
1578
1579 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1580
1581         Unreviewed, fix initial global lexical binding epoch
1582         https://bugs.webkit.org/show_bug.cgi?id=193603
1583         <rdar://problem/47380869>
1584
1585         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1586         (f1.f2.f3.f4):
1587         (f1.f2.f3):
1588         (f1.f2):
1589         (f1):
1590
1591 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1592
1593         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1594         https://bugs.webkit.org/show_bug.cgi?id=193709
1595         <rdar://problem/47363838>
1596
1597         Unreviewed, rollout to watch the tests.
1598
1599         * stress/object-tostring-changed-proto.js: Removed.
1600         * stress/object-tostring-changed.js: Removed.
1601         * stress/object-tostring-misc.js: Removed.
1602         * stress/object-tostring-other.js: Removed.
1603         * stress/object-tostring-untyped.js: Removed.
1604
1605 2019-01-22  Saam Barati  <sbarati@apple.com>
1606
1607         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1608
1609         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1610         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1611         (testUncheckedLessThanZero):
1612         (testUncheckedLessThanOrEqualZero):
1613         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1614         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1615
1616 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1617
1618         [JSC] Invalidate old scope operations using global lexical binding epoch
1619         https://bugs.webkit.org/show_bug.cgi?id=193603
1620         <rdar://problem/47380869>
1621
1622         Reviewed by Saam Barati.
1623
1624         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1625         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1626         (shouldThrow):
1627         (bar):
1628         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1629         (shouldBe):
1630         (get1):
1631         (get2):
1632         (get1If):
1633         (get2If):
1634         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1635         (shouldThrow):
1636         (foo):
1637
1638 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1639
1640         Unreviewed, roll out r240220 due to date-format-xparb regression
1641         https://bugs.webkit.org/show_bug.cgi?id=193603
1642
1643         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1644         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1645         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1646         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1647
1648 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1649
1650         DoesGC rule is wrong for nodes with BigIntUse
1651         https://bugs.webkit.org/show_bug.cgi?id=193652
1652
1653         Reviewed by Saam Barati.
1654
1655         * stress/big-int-value-op-update-gc-rules.js: Added.
1656         (assert):
1657         (doesGCAdd):
1658         (doesGCSub):
1659         (doesGCDiv):
1660         (doesGCMul):
1661         (doesGCBitAnd):
1662         (doesGCBitOr):
1663         (doesGCBitXor):
1664
1665 2019-01-20  Saam Barati  <sbarati@apple.com>
1666
1667         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1668         https://bugs.webkit.org/show_bug.cgi?id=193644
1669         <rdar://problem/46209745>
1670
1671         Reviewed by Yusuke Suzuki.
1672
1673         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1674         (foo):
1675         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1676         (foo):
1677         (bar):
1678
1679 2019-01-20  Saam Barati  <sbarati@apple.com>
1680
1681         MovHint must merge NodeBytecodeUsesAsValue for its child
1682         https://bugs.webkit.org/show_bug.cgi?id=186916
1683         <rdar://problem/41396612>
1684
1685         Reviewed by Yusuke Suzuki.
1686
1687         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1688         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1689
1690 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1691
1692         [JSC] Invalidate old scope operations using global lexical binding epoch
1693         https://bugs.webkit.org/show_bug.cgi?id=193603
1694         <rdar://problem/47380869>
1695
1696         Reviewed by Saam Barati.
1697
1698         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1699         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1700         (shouldThrow):
1701         (bar):
1702         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1703         (shouldBe):
1704         (get1):
1705         (get2):
1706         (get1If):
1707         (get2If):
1708         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1709         (shouldThrow):
1710         (foo):
1711
1712 2019-01-17  Saam barati  <sbarati@apple.com>
1713
1714         StringObjectUse should not be a structure check for the original string object structure
1715         https://bugs.webkit.org/show_bug.cgi?id=193483
1716         <rdar://problem/47280522>
1717
1718         Reviewed by Yusuke Suzuki.
1719
1720         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1721         (foo):
1722         (a.valueOf.0):
1723
1724 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1725
1726         [JSC] ToThis omission in DFGByteCodeParser is wrong
1727         https://bugs.webkit.org/show_bug.cgi?id=193513
1728         <rdar://problem/45842236>
1729
1730         Reviewed by Saam Barati.
1731
1732         * stress/to-this-omission-with-different-strict-modes.js: Added.
1733         (thisA):
1734         (thisAStrictWrapper):
1735
1736 2019-01-15  Mark Lam  <mark.lam@apple.com>
1737
1738         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1739         https://bugs.webkit.org/show_bug.cgi?id=193423
1740         <rdar://problem/46209355>
1741
1742         Reviewed by Saam Barati.
1743
1744         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1745         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1746         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1747         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1748
1749 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1750
1751         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1752         https://bugs.webkit.org/show_bug.cgi?id=193438
1753         <rdar://problem/45581249>
1754
1755         Reviewed by Saam Barati and Keith Miller.
1756
1757         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1758         Then, GetByVal(String) crashed.
1759
1760         * stress/string-get-by-val-lowering.js: Added.
1761         (shouldBe):
1762         (test):
1763         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1764         (Hello):
1765         (foo):
1766
1767 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1768
1769         Unreviewed, skip JIT tests if it's not enabled
1770
1771         * stress/bit-op-with-object-returning-int32.js:
1772
1773 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1774
1775         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1776         https://bugs.webkit.org/show_bug.cgi?id=192966
1777
1778         Reviewed by Yusuke Suzuki.
1779
1780         * stress/bit-op-with-object-returning-int32.js: Added.
1781
1782 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1783
1784         Skip a slow test and a flakey test on arm
1785
1786         Unreviewed gardening.
1787
1788         * typeProfiler/getter-richards.js:
1789         this test always times out, it used to be always skipped on arm and
1790         mips, but got accidentally enabled by r237919 now that we have DFG on
1791         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1792
1793 2019-01-14  Keith Miller  <keith_miller@apple.com>
1794
1795         Skip type-check-hoisting-phase-hoist... with no jit
1796         https://bugs.webkit.org/show_bug.cgi?id=193421
1797
1798         Reviewed by Mark Lam.
1799
1800         It's timing out the 32-bit bots and takes 330 seconds
1801         on my machine when run by itself.
1802
1803         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1804
1805 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1806
1807         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1808         https://bugs.webkit.org/show_bug.cgi?id=193413
1809         <rdar://problem/46092389>
1810
1811         Reviewed by Keith Miller.
1812
1813         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1814         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1815         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1816         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1817
1818         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1819         (compareArray):
1820
1821 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1822
1823         [BigInt] Literal parsing is crashing when used inside a Object Literal
1824         https://bugs.webkit.org/show_bug.cgi?id=193404
1825
1826         Reviewed by Yusuke Suzuki.
1827
1828         * stress/big-int-literal-inside-literal-object.js: Added.
1829
1830 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1831
1832         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1833         https://bugs.webkit.org/show_bug.cgi?id=193372
1834
1835         Reviewed by Saam Barati.
1836
1837         * stress/typed-array-array-modes-profile.js: Added.
1838         (foo):
1839
1840 2019-01-14  Mark Lam  <mark.lam@apple.com>
1841
1842         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1843         https://bugs.webkit.org/show_bug.cgi?id=193402
1844         <rdar://problem/46012309>
1845
1846         Reviewed by Keith Miller.
1847
1848         * stress/regexp-compile-oom.js:
1849         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1850           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1851
1852 2019-01-11  Saam barati  <sbarati@apple.com>
1853
1854         DFG combined liveness can be wrong for terminal basic blocks
1855         https://bugs.webkit.org/show_bug.cgi?id=193304
1856         <rdar://problem/45268632>
1857
1858         Reviewed by Yusuke Suzuki.
1859
1860         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1861
1862 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1863
1864         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1865         https://bugs.webkit.org/show_bug.cgi?id=193308
1866         <rdar://problem/45546542>
1867
1868         Reviewed by Saam Barati.
1869
1870         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1871         (shouldThrow):
1872         (shouldBe):
1873         (foo):
1874         (get shouldThrow):
1875         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1876         (shouldThrow):
1877         (shouldBe):
1878         (foo):
1879         (get shouldBe):
1880         (get shouldThrow):
1881         (get return):
1882         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1883         (shouldThrow):
1884         (shouldBe):
1885         (foo):
1886         (get shouldBe):
1887         (get shouldThrow):
1888         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1889         (shouldThrow):
1890         (shouldBe):
1891         (foo):
1892         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1893         (shouldThrow):
1894         (shouldBe):
1895         (foo):
1896         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1897         (shouldThrow):
1898         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1899         (shouldThrow):
1900         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1901         (shouldThrow):
1902         (shouldBe):
1903         (foo):
1904         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1905         (shouldThrow):
1906         (shouldBe):
1907         (foo):
1908         (get shouldBe):
1909         (get shouldThrow):
1910         (get return):
1911         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1912         (shouldThrow):
1913         (shouldBe):
1914         (foo):
1915         (get shouldBe):
1916         (get shouldThrow):
1917         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1918         (shouldThrow):
1919         (shouldBe):
1920         (foo):
1921         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1922         (shouldThrow):
1923         (shouldBe):
1924         (foo):
1925
1926 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1927
1928         Enable DFG on ARM/Linux again
1929         https://bugs.webkit.org/show_bug.cgi?id=192496
1930
1931         Reviewed by Yusuke Suzuki.
1932
1933         Test wasn't really skipped before moving the line with skip
1934         to the top.
1935
1936         * stress/regress-192717.js:
1937
1938 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1939
1940         Unreviewed, rolling out r239825.
1941         https://bugs.webkit.org/show_bug.cgi?id=193330
1942
1943         Broke tests on armv7/linux bots (Requested by guijemont on
1944         #webkit).
1945
1946         Reverted changeset:
1947
1948         "Enable DFG on ARM/Linux again"
1949         https://bugs.webkit.org/show_bug.cgi?id=192496
1950         https://trac.webkit.org/changeset/239825
1951
1952 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1953
1954         Enable DFG on ARM/Linux again
1955         https://bugs.webkit.org/show_bug.cgi?id=192496
1956
1957         Reviewed by Yusuke Suzuki.
1958
1959         Test wasn't really skipped before moving the line with skip
1960         to the top.
1961
1962         * stress/regress-192717.js:
1963
1964 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1965
1966         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1967         https://bugs.webkit.org/show_bug.cgi?id=193127
1968
1969         Reviewed by Saam Barati.
1970
1971         * stress/array-species-create-should-handle-masquerader.js: Added.
1972         (shouldThrow):
1973         * stress/is-undefined-or-null-builtin.js: Added.
1974         (shouldBe):
1975         (isUndefinedOrNull.vm.createBuiltin):
1976
1977 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1978
1979         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1980         https://bugs.webkit.org/show_bug.cgi?id=193221
1981
1982         Reviewed by Mark Lam.
1983
1984         * stress/put-by-id-flags.js: Added.
1985         (f):
1986         (g):
1987         (numberOfDFGCompiles):
1988
1989 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1990
1991         Baseline version of get_by_id may corrupt metadata
1992         https://bugs.webkit.org/show_bug.cgi?id=193085
1993         <rdar://problem/23453006>
1994
1995         Reviewed by Saam Barati.
1996
1997         * stress/get-by-id-change-mode.js: Added.
1998         (forEach):
1999
2000 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2001
2002         [JSC] Optimize Object.prototype.toString
2003         https://bugs.webkit.org/show_bug.cgi?id=193031
2004
2005         Reviewed by Saam Barati.
2006
2007         * stress/object-tostring-changed-proto.js: Added.
2008         (shouldBe):
2009         (test):
2010         * stress/object-tostring-changed.js: Added.
2011         (shouldBe):
2012         (test):
2013         * stress/object-tostring-misc.js: Added.
2014         (shouldBe):
2015         (test):
2016         (i.switch):
2017         * stress/object-tostring-other.js: Added.
2018         (shouldBe):
2019         (test):
2020         * stress/object-tostring-untyped.js: Added.
2021         (shouldBe):
2022         (test):
2023         (i.switch):
2024
2025 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
2026
2027         test262-runner misbehaves when test file YAML has a trailing space
2028         https://bugs.webkit.org/show_bug.cgi?id=193053
2029
2030         Reviewed by Yusuke Suzuki.
2031
2032         * test262/expectations.yaml:
2033         Mark two dozen tests as passing (and correct the output of another).
2034
2035 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2036
2037         Unreviewed, JSTests gardening with memoryLimited
2038
2039         * stress/string-overflow-createError.js:
2040
2041 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
2042
2043         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2044         https://bugs.webkit.org/show_bug.cgi?id=193050
2045
2046         Reviewed by Yusuke Suzuki.
2047
2048         * test262.yaml:
2049         * test262/expectations.yaml:
2050         Mark 16 tests as passing.
2051
2052 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2053
2054         [BigInt] Support BigInt in JSON.stringify
2055         https://bugs.webkit.org/show_bug.cgi?id=192624
2056
2057         Reviewed by Saam Barati.
2058
2059         * stress/big-int-json-stringify-to-json.js: Added.
2060         (shouldBe):
2061         (shouldThrow):
2062         (BigInt.prototype.toJSON):
2063         (shouldBe.JSON.stringify):
2064         * stress/big-int-json-stringify.js: Added.
2065         (shouldBe):
2066         (shouldThrow):
2067
2068 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2069
2070         [JSC] Implement "well-formed JSON.stringify" proposal
2071         https://bugs.webkit.org/show_bug.cgi?id=191677
2072
2073         Reviewed by Darin Adler.
2074
2075         * stress/json-surrogate-pair.js: Added.
2076         (shouldBe):
2077         * test262/expectations.yaml:
2078
2079 2018-12-20  Keith Miller  <keith_miller@apple.com>
2080
2081         Add support for globalThis
2082         https://bugs.webkit.org/show_bug.cgi?id=165171
2083
2084         Reviewed by Mark Lam.
2085
2086         * test262/config.yaml:
2087
2088 2018-12-19  Keith Miller  <keith_miller@apple.com>
2089
2090         Update test262 configuration to not run tests dependent on ICU version.
2091         https://bugs.webkit.org/show_bug.cgi?id=192920
2092
2093         Reviewed by Saam Barati.
2094
2095         * test262/expectations.yaml:
2096
2097 2018-12-20  Mark Lam  <mark.lam@apple.com>
2098
2099         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2100         https://bugs.webkit.org/show_bug.cgi?id=192939
2101         <rdar://problem/46869516>
2102
2103         Reviewed by Keith Miller.
2104
2105         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2106
2107 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2108
2109         WTF::String and StringImpl overflow MaxLength
2110         https://bugs.webkit.org/show_bug.cgi?id=192853
2111         <rdar://problem/45726906>
2112
2113         Reviewed by Mark Lam.
2114
2115         * stress/string-16bit-repeat-overflow.js: Added.
2116         (catch):
2117
2118 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2119
2120         Unreviewed follow-up to r192914.
2121
2122         * test262/expectations.yaml:
2123         Add the last 20 missing expectations.
2124
2125 2018-12-19  Keith Miller  <keith_miller@apple.com>
2126
2127         Fix test262 expectations
2128         https://bugs.webkit.org/show_bug.cgi?id=192914
2129
2130         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2131
2132         * test262/expectations.yaml:
2133
2134 2018-12-19  Keith Miller  <keith_miller@apple.com>
2135
2136         Update test262 tests.
2137         https://bugs.webkit.org/show_bug.cgi?id=192907
2138
2139         Rubber stamped by Mark Lam.
2140
2141         * test262/*: Omitted because prepare-changelog crashes.
2142
2143 2018-12-19  Mark Lam  <mark.lam@apple.com>
2144
2145         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2146         https://bugs.webkit.org/show_bug.cgi?id=192464
2147         <rdar://problem/46519455>
2148
2149         Reviewed by Saam Barati.
2150
2151         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2152         microbenchmark.
2153
2154         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2155         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2156
2157 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2158
2159         String overflow in JSC::createError results in ASSERT in WTF::makeString
2160         https://bugs.webkit.org/show_bug.cgi?id=192833
2161         <rdar://problem/45706868>
2162
2163         Reviewed by Mark Lam.
2164
2165         * stress/string-overflow-createError.js: Added.
2166
2167 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2168
2169         Error message for `-x ** y` contains a typo.
2170         https://bugs.webkit.org/show_bug.cgi?id=192832
2171
2172         Reviewed by Saam Barati.
2173
2174         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2175         (assert.assert.return.throws):
2176         * stress/pow-expects-update-expression-on-lhs.js:
2177         (throw.new.Error):
2178         Update test expectations which match against the exact error message.
2179
2180 2018-12-18  Mark Lam  <mark.lam@apple.com>
2181
2182         Gardening: test options fix.
2183         https://bugs.webkit.org/show_bug.cgi?id=192822
2184
2185         Unreviewed.
2186
2187         * stress/json-stringify-string-builder-overflow.js:
2188
2189 2018-12-18  Mark Lam  <mark.lam@apple.com>
2190
2191         JSON.stringify() should throw OOM on StringBuilder overflows.
2192         https://bugs.webkit.org/show_bug.cgi?id=192822
2193         <rdar://problem/46670577>
2194
2195         Reviewed by Saam Barati.
2196
2197         * stress/json-stringify-string-builder-overflow.js: Added.
2198
2199 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2200
2201         Redeclaration of var over let/const/class should be a syntax error.
2202         https://bugs.webkit.org/show_bug.cgi?id=192298
2203
2204         Reviewed by Keith Miller.
2205
2206         * test262.yaml:
2207         * test262/expectations.yaml:
2208         Mark 46 tests as passing.
2209
2210         * stress/block-scope-redeclarations.js:
2211         Add some new tests.
2212
2213         * stress/for-in-invalidate-context-weird-assignments.js:
2214         * stress/for-in-tests.js:
2215         Replace tests for outdated behavior with tests for SyntaxError.
2216
2217         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2218         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2219         Update expectations.
2220
2221 2018-12-18  Mark Lam  <mark.lam@apple.com>
2222
2223         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2224         https://bugs.webkit.org/show_bug.cgi?id=191374
2225         <rdar://problem/46525447>
2226
2227         Reviewed by Yusuke Suzuki.
2228
2229         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2230
2231         * stress/elidable-new-object-roflcopter-then-exit.js:
2232
2233 2018-12-17  Mark Lam  <mark.lam@apple.com>
2234
2235         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2236         https://bugs.webkit.org/show_bug.cgi?id=192019
2237         <rdar://problem/46525456>
2238
2239         Reviewed by Yusuke Suzuki.
2240
2241         The test runs too slow on 32-bit.
2242
2243         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2244
2245 2018-12-17  Mark Lam  <mark.lam@apple.com>
2246
2247         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2248         https://bugs.webkit.org/show_bug.cgi?id=191373
2249         <rdar://problem/46525458>
2250
2251         Reviewed by Yusuke Suzuki.
2252
2253         The test is already slow running with a JIT on 64-bit.  It will always time out
2254         on 32-bit without a JIT.
2255
2256         * stress/materialize-regexp-cyclic-regexp.js:
2257
2258 2018-12-17  Mark Lam  <mark.lam@apple.com>
2259
2260         Array unshift/shift should not race against the AI in the compiler thread.
2261         https://bugs.webkit.org/show_bug.cgi?id=192795
2262         <rdar://problem/46724263>
2263
2264         Reviewed by Saam Barati.
2265
2266         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2267
2268 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2269
2270         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2271         https://bugs.webkit.org/show_bug.cgi?id=190047
2272
2273         Reviewed by Saam Barati.
2274
2275         * stress/object-keys-cached-zero.js: Added.
2276         (shouldBe):
2277         (test):
2278         * stress/object-keys-changed-attribute.js: Added.
2279         (shouldBe):
2280         (test):
2281         * stress/object-keys-changed-index.js: Added.
2282         (shouldBe):
2283         (test):
2284         * stress/object-keys-changed.js: Added.
2285         (shouldBe):
2286         (test):
2287         * stress/object-keys-indexed-non-cache.js: Added.
2288         (shouldBe):
2289         (test):
2290         * stress/object-keys-overrides-get-property-names.js: Added.
2291         (shouldBe):
2292         (test):
2293         (noInline):
2294
2295 2018-12-17  Mark Lam  <mark.lam@apple.com>
2296
2297         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2298         https://bugs.webkit.org/show_bug.cgi?id=192779
2299         <rdar://problem/46775869>
2300
2301         Reviewed by Saam Barati.
2302
2303         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2304
2305 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2306
2307         Unreviewed test gardening, address a syntax error in a new test.
2308
2309         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2310
2311 2018-12-17  Mark Lam  <mark.lam@apple.com>
2312
2313         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2314         https://bugs.webkit.org/show_bug.cgi?id=192776
2315         <rdar://problem/46772368>
2316
2317         Reviewed by Keith Miller.
2318
2319         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2320
2321 2018-12-17  Mark Lam  <mark.lam@apple.com>
2322
2323         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2324         https://bugs.webkit.org/show_bug.cgi?id=192770
2325         <rdar://problem/46449037>
2326
2327         Reviewed by Keith Miller.
2328
2329         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2330
2331 2018-12-14  Mark Lam  <mark.lam@apple.com>
2332
2333         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2334         https://bugs.webkit.org/show_bug.cgi?id=192717
2335         <rdar://problem/46660677>
2336
2337         Reviewed by Saam Barati.
2338
2339         * stress/regress-192717.js: Added.
2340
2341 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2342
2343         Unreviewed, rolling out r239153, r239154, and r239155.
2344         https://bugs.webkit.org/show_bug.cgi?id=192715
2345
2346         Caused flaky GC-related crashes seen with layout tests
2347         (Requested by ryanhaddad on #webkit).
2348
2349         Reverted changesets:
2350
2351         "[JSC] Optimize Object.keys by caching own keys results in
2352         StructureRareData"
2353         https://bugs.webkit.org/show_bug.cgi?id=190047
2354         https://trac.webkit.org/changeset/239153
2355
2356         "Unreviewed, build fix after r239153"
2357         https://bugs.webkit.org/show_bug.cgi?id=190047
2358         https://trac.webkit.org/changeset/239154
2359
2360         "Unreviewed, build fix after r239153, part 2"
2361         https://bugs.webkit.org/show_bug.cgi?id=190047
2362         https://trac.webkit.org/changeset/239155
2363
2364 2018-12-14  Keith Miller  <keith_miller@apple.com>
2365
2366         Callers of JSString::getIndex should check for OOM exceptions
2367         https://bugs.webkit.org/show_bug.cgi?id=192709
2368
2369         Reviewed by Mark Lam.
2370
2371         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2372
2373 2018-12-13  Mark Lam  <mark.lam@apple.com>
2374
2375         Add a missing exception check.
2376         https://bugs.webkit.org/show_bug.cgi?id=192626
2377         <rdar://problem/46662163>
2378
2379         Reviewed by Keith Miller.
2380
2381         * stress/regress-192626.js: Added.
2382
2383 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2384
2385         [BigInt] Add ValueDiv into DFG
2386         https://bugs.webkit.org/show_bug.cgi?id=186178
2387
2388         Reviewed by Yusuke Suzuki.
2389
2390         * stress/big-int-div-jit-osr.js: Added.
2391         * stress/big-int-div-jit-untyped.js: Added.
2392         * stress/value-div-fixup-int32-big-int.js: Added.
2393
2394 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2395
2396         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2397         https://bugs.webkit.org/show_bug.cgi?id=190047
2398
2399         Reviewed by Keith Miller.
2400
2401         * stress/object-keys-cached-zero.js: Added.
2402         (shouldBe):
2403         (test):
2404         * stress/object-keys-changed-attribute.js: Added.
2405         (shouldBe):
2406         (test):
2407         * stress/object-keys-changed-index.js: Added.
2408         (shouldBe):
2409         (test):
2410         * stress/object-keys-changed.js: Added.
2411         (shouldBe):
2412         (test):
2413         * stress/object-keys-indexed-non-cache.js: Added.
2414         (shouldBe):
2415         (test):
2416         * stress/object-keys-overrides-get-property-names.js: Added.
2417         (shouldBe):
2418         (test):
2419         (noInline):
2420
2421 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2422
2423         [DFG][FTL] Add NewSymbol
2424         https://bugs.webkit.org/show_bug.cgi?id=192620
2425
2426         Reviewed by Saam Barati.
2427
2428         * microbenchmarks/symbol-creation.js: Added.
2429         (test):
2430         * stress/symbol-description-identity.js: Added.
2431         (shouldBe):
2432         (test):
2433         * stress/symbol-identity.js: Added.
2434         (shouldBe):
2435         (test):
2436         * stress/symbol-with-description-throw-error.js: Added.
2437         (shouldBe):
2438         (shouldThrow):
2439         (test):
2440         (object.toString):
2441
2442 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2443
2444         [BigInt] Implement DFG/FTL typeof for BigInt
2445         https://bugs.webkit.org/show_bug.cgi?id=192619
2446
2447         Reviewed by Keith Miller.
2448
2449         * stress/big-int-boolean-proven-type.js: Added.
2450         (assert):
2451         (bool):
2452         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2453         (assert):
2454         (typeOf):
2455         (i.switch):
2456         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2457         (assert):
2458         (typeOf):
2459         * stress/big-int-type-of.js:
2460         (typeOf):
2461         (func):
2462
2463 2018-12-10  Mark Lam  <mark.lam@apple.com>
2464
2465         PropertyAttribute needs a CustomValue bit.
2466         https://bugs.webkit.org/show_bug.cgi?id=191993
2467         <rdar://problem/46264467>
2468
2469         Reviewed by Saam Barati.
2470
2471         * stress/regress-191993.js: Added.
2472
2473 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2474
2475         [BigInt] Add ValueMul into DFG
2476         https://bugs.webkit.org/show_bug.cgi?id=186175
2477
2478         Reviewed by Yusuke Suzuki.
2479
2480         * stress/big-int-mul-jit-osr.js: Added.
2481         * stress/big-int-mul-jit-untyped.js: Added.
2482         * stress/value-mul-fixup-int32-big-int.js: Added.
2483
2484 2018-12-06  Keith Miller  <keith_miller@apple.com>
2485
2486         stress/big-wasm-memory tests failing on 32-bit JSC bot
2487         https://bugs.webkit.org/show_bug.cgi?id=192020
2488
2489         Reviewed by Saam Barati.
2490
2491         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2492         the wasm stress tests if the WebAssembly object does not exist.
2493
2494         * stress/big-wasm-memory-grow-no-max.js:
2495         (test.foo):
2496         (test):
2497         (foo): Deleted.
2498         (catch): Deleted.
2499         * stress/big-wasm-memory-grow.js:
2500         (test.foo):
2501         (test):
2502         (foo): Deleted.
2503         (catch): Deleted.
2504         * stress/big-wasm-memory.js:
2505         (test.foo):
2506         (test):
2507         (foo): Deleted.
2508         (catch): Deleted.
2509
2510 2018-12-05  Mark Lam  <mark.lam@apple.com>
2511
2512         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2513         https://bugs.webkit.org/show_bug.cgi?id=192441
2514         <rdar://problem/46480355>
2515
2516         Reviewed by Saam Barati.
2517
2518         * stress/regress-192441.js: Added.
2519
2520 2018-12-04  Mark Lam  <mark.lam@apple.com>
2521
2522         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2523         https://bugs.webkit.org/show_bug.cgi?id=192386
2524         <rdar://problem/46445516>
2525
2526         Reviewed by Saam Barati.
2527
2528         * stress/regress-192386.js: Added.
2529
2530 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2531
2532         [ESNext][BigInt] Support logic operations
2533         https://bugs.webkit.org/show_bug.cgi?id=179903
2534
2535         Reviewed by Yusuke Suzuki.
2536
2537         * stress/big-int-branch-usage.js: Added.
2538         * stress/big-int-logical-and.js: Added.
2539         * stress/big-int-logical-not.js: Added.
2540         * stress/big-int-logical-or.js: Added.
2541
2542 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2543
2544         Unreviewed, rolling out r238833.
2545
2546         Breaks macOS and iOS debug builds.
2547
2548         Reverted changeset:
2549
2550         "[ESNext][BigInt] Support logic operations"
2551         https://bugs.webkit.org/show_bug.cgi?id=179903
2552         https://trac.webkit.org/changeset/238833
2553
2554 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2555
2556         [ESNext][BigInt] Support logic operations
2557         https://bugs.webkit.org/show_bug.cgi?id=179903
2558
2559         Reviewed by Yusuke Suzuki.
2560
2561         * stress/big-int-branch-usage.js: Added.
2562         * stress/big-int-logical-and.js: Added.
2563         * stress/big-int-logical-not.js: Added.
2564         * stress/big-int-logical-or.js: Added.
2565
2566 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2567
2568         [ESNext][BigInt] Implement support for "<<" and ">>"
2569         https://bugs.webkit.org/show_bug.cgi?id=186233
2570
2571         Reviewed by Yusuke Suzuki.
2572
2573         * stress/big-int-left-shift-general.js: Added.
2574         * stress/big-int-left-shift-range-error.js: Added.
2575         * stress/big-int-left-shift-type-error.js: Added.
2576         * stress/big-int-left-shift-wrapped-value.js: Added.
2577         * stress/big-int-right-shift-general.js: Added.
2578         * stress/big-int-right-shift-type-error.js: Added.
2579         * stress/big-int-right-shift-wrapped-value.js: Added.
2580         * stress/left-shift-to-primitive-precedence.js: Added.
2581         * stress/right-shift-to-primitive-precedence.js: Added.
2582
2583 2018-11-30  Dean Jackson  <dino@apple.com>
2584
2585         Add first-class support for .mjs files in jsc binary
2586         https://bugs.webkit.org/show_bug.cgi?id=192190
2587         <rdar://problem/46375715>
2588
2589         Reviewed by Keith Miller.
2590
2591         * stress/simple-module.mjs: Added.
2592         * stress/simple-script.js: Added.
2593
2594 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2595
2596         [BigInt] Implement ValueBitXor into DFG
2597         https://bugs.webkit.org/show_bug.cgi?id=190264
2598
2599         Reviewed by Yusuke Suzuki.
2600
2601         * stress/big-int-bitwise-xor-jit.js: Added.
2602         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2603         * stress/big-int-bitwise-xor-untyped.js: Added.
2604
2605 2018-11-27  Saam barati  <sbarati@apple.com>
2606
2607         r238510 broke scopes of size zero
2608         https://bugs.webkit.org/show_bug.cgi?id=192033
2609         <rdar://problem/46281734>
2610
2611         Reviewed by Keith Miller.
2612
2613         * stress/r238510-bad-loop.js: Added.
2614         (foo):
2615
2616 2018-11-27  Mark Lam  <mark.lam@apple.com>
2617
2618         [Re-landing] NaNs read from Wasm code needs to be purified.
2619         https://bugs.webkit.org/show_bug.cgi?id=191056
2620         <rdar://problem/45660341>
2621
2622         Reviewed by Filip Pizlo.
2623
2624         * wasm/regress/regress-191056.js: Added.
2625
2626 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2627
2628         Unreviewed, rolling out r238509.
2629
2630         Causes JSC tests to fail on iOS.
2631
2632         Reverted changeset:
2633
2634         "NaNs read from Wasm code needs to be purified."
2635         https://bugs.webkit.org/show_bug.cgi?id=191056
2636         https://trac.webkit.org/changeset/238509
2637
2638 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2639
2640         Re-introduce op_bitnot
2641         https://bugs.webkit.org/show_bug.cgi?id=190923
2642
2643         Reviewed by Yusuke Suzuki.
2644
2645         * stress/bit-not-must-generate.js: Added.
2646         * stress/bitwise-not-no-int32.js: Added.
2647
2648 2018-11-26  Saam barati  <sbarati@apple.com>
2649
2650         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2651         https://bugs.webkit.org/show_bug.cgi?id=191956
2652         <rdar://problem/45665806>
2653
2654         Reviewed by Yusuke Suzuki.
2655
2656         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2657         (bar):
2658         (foo):
2659
2660 2018-11-26  Saam barati  <sbarati@apple.com>
2661
2662         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2663         https://bugs.webkit.org/show_bug.cgi?id=191958
2664         <rdar://problem/46221877>
2665
2666         Reviewed by Yusuke Suzuki.
2667
2668         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2669         (x):
2670         (foo):
2671
2672 2018-11-26  Mark Lam  <mark.lam@apple.com>
2673
2674         NaNs read from Wasm code needs to be purified.
2675         https://bugs.webkit.org/show_bug.cgi?id=191056
2676         <rdar://problem/45660341>
2677
2678         Reviewed by Filip Pizlo.
2679
2680         * wasm/regress/regress-191056.js: Added.
2681
2682 2018-11-26  Michael Saboff  <msaboff@apple.com>
2683
2684         32-bit JSC test failure: stress/regexp-compile-oom.js
2685         https://bugs.webkit.org/show_bug.cgi?id=191375
2686
2687         Reviewed by Mark Lam.
2688
2689         Disabled the test for 32 bit platforms.
2690
2691         * stress/regexp-compile-oom.js:
2692
2693 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2694
2695         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2696         https://bugs.webkit.org/show_bug.cgi?id=191716
2697         <rdar://problem/45723878>
2698
2699         Reviewed by Saam Barati.
2700
2701         * stress/regress-187373.js: Added.
2702         (async.fn):
2703
2704 2018-11-21  Saam barati  <sbarati@apple.com>
2705
2706         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2707         https://bugs.webkit.org/show_bug.cgi?id=191897
2708         <rdar://problem/45871998>
2709
2710         Reviewed by Mark Lam.
2711
2712         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2713         (bar):
2714         (foo):
2715
2716 2018-11-21  Saam barati  <sbarati@apple.com>
2717
2718         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2719         https://bugs.webkit.org/show_bug.cgi?id=191895
2720         <rdar://problem/46167406>
2721
2722         Reviewed by Mark Lam.
2723
2724         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2725         (foo):
2726         (bar):
2727
2728 2018-11-21  Mark Lam  <mark.lam@apple.com>
2729
2730         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2731         https://bugs.webkit.org/show_bug.cgi?id=191776
2732         <rdar://problem/46152851>
2733
2734         Reviewed by Saam Barati.
2735
2736         * stress/big-wasm-memory-grow-no-max.js:
2737         * stress/big-wasm-memory-grow.js:
2738         * stress/big-wasm-memory.js:
2739         - updated these to expect an OutOfMemoryError.
2740
2741         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2742         (Binary.prototype.emit_u8):
2743         (Binary.prototype.emit_u32v):
2744         (Binary.prototype.emit_header):
2745         (Binary.prototype.emit_section):
2746         (Binary):
2747         (WasmModuleBuilder):
2748         (WasmModuleBuilder.prototype.addMemory):
2749         (WasmModuleBuilder.prototype.toArray):
2750         (WasmModuleBuilder.prototype.toBuffer):
2751         (WasmModuleBuilder.prototype.instantiate):
2752         (catch):
2753         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2754         (catch):
2755
2756 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2757
2758         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2759         https://bugs.webkit.org/show_bug.cgi?id=190836
2760
2761         Reviewed by Saam Barati and Yusuke Suzuki.
2762
2763         * stress/big-int-out-of-memory-tests.js: Added.
2764
2765 2018-11-20  Mark Lam  <mark.lam@apple.com>
2766
2767         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2768         https://bugs.webkit.org/show_bug.cgi?id=191856
2769         <rdar://problem/46089992>
2770
2771         Reviewed by Yusuke Suzuki.
2772
2773         * stress/regress-191856.js: Added.
2774         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2775
2776 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2777
2778         Enable JIT on ARM/Linux
2779         https://bugs.webkit.org/show_bug.cgi?id=191548
2780
2781         Reviewed by Yusuke Suzuki.
2782
2783         Disable test on system with limited memory. Program was killed by
2784         the OS before the exception was thrown.
2785
2786         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2787
2788 2018-11-20  Saam barati  <sbarati@apple.com>
2789
2790         Merging an IC variant may lead to the IC status containing overlapping structure sets
2791         https://bugs.webkit.org/show_bug.cgi?id=191869
2792         <rdar://problem/45403453>
2793
2794         Reviewed by Mark Lam.
2795
2796         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2797
2798 2018-11-19  Mark Lam  <mark.lam@apple.com>
2799
2800         globalFuncImportModule() should return a promise when it clears exceptions.
2801         https://bugs.webkit.org/show_bug.cgi?id=191792
2802         <rdar://problem/46090763>
2803
2804         Reviewed by Michael Saboff.
2805
2806         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2807
2808 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2809
2810         Skip new memory-hungry tests on memory limited devices
2811
2812         Unreviewed gardening.
2813
2814         * stress/big-wasm-memory-grow-no-max.js:
2815         * stress/big-wasm-memory-grow.js:
2816         * stress/big-wasm-memory.js:
2817
2818 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2819
2820         Unreviewed, rolling in the rest of r237254
2821         https://bugs.webkit.org/show_bug.cgi?id=190340
2822
2823         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2824         * stress/function-cache-with-parameters-end-position.js: Added.
2825         (shouldBe):
2826         (shouldThrow):
2827         (i.anonymous):
2828         * stress/function-constructor-name.js: Added.
2829         (shouldBe):
2830         (GeneratorFunction):
2831         (AsyncFunction.async):
2832         (AsyncGeneratorFunction.async):
2833         (anonymous):
2834         (async.anonymous):
2835         * test262/expectations.yaml:
2836
2837 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2838
2839         All users of ArrayBuffer should agree on the same max size
2840         https://bugs.webkit.org/show_bug.cgi?id=191771
2841
2842         Reviewed by Mark Lam.
2843
2844         * stress/big-wasm-memory-grow-no-max.js: Added.
2845         (foo):
2846         (catch):
2847         * stress/big-wasm-memory-grow.js: Added.
2848         (foo):
2849         (catch):
2850         * stress/big-wasm-memory.js: Added.
2851         (foo):
2852         (catch):
2853
2854 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2855
2856         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2857         run for each JSC config since they're regression tests for runtime bugs.
2858
2859         * stress/json-stringified-overflow-2.js:
2860         * stress/json-stringified-overflow.js:
2861
2862 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2863
2864         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2865         config since they're regression tests for runtime bugs.
2866
2867         * stress/large-unshift-splice.js:
2868         * stress/regress-185888.js:
2869
2870 2018-11-16  Saam Barati  <sbarati@apple.com>
2871
2872         KnownCellUse should also have SpecCellCheck as its type filter
2873         https://bugs.webkit.org/show_bug.cgi?id=191729
2874         <rdar://problem/45872852>
2875
2876         Reviewed by Filip Pizlo.
2877
2878         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2879         (C):
2880
2881 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2882
2883         Fix assertion failure on BytecodeGenerator::recordOpcode
2884         https://bugs.webkit.org/show_bug.cgi?id=191724
2885         <rdar://problem/45724395>
2886
2887         Reviewed by Saam Barati.
2888
2889         * stress/regress-187373-2.js: Added.
2890         (foo):
2891
2892 2018-11-15  Mark Lam  <mark.lam@apple.com>
2893
2894         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2895         https://bugs.webkit.org/show_bug.cgi?id=191730
2896         <rdar://problem/46048517>
2897
2898         Reviewed by Saam Barati.
2899
2900         * stress/regress-187006.js: Removed.
2901           - this test is invalid because its sole purpose is to test for the non-spec
2902             compliant behavior that we just fixed.
2903
2904         * stress/regress-191730.js: Added.
2905
2906 2018-11-15  Mark Lam  <mark.lam@apple.com>
2907
2908         RegExp operations should not take fast path if lastIndex is not numeric.
2909         https://bugs.webkit.org/show_bug.cgi?id=191731
2910         <rdar://problem/46017305>
2911
2912         Reviewed by Saam Barati.
2913
2914         * stress/regress-191731.js: Added.
2915
2916 2018-11-13  Saam Barati  <sbarati@apple.com>
2917
2918         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2919         https://bugs.webkit.org/show_bug.cgi?id=191600
2920
2921         Reviewed by Mark Lam.
2922
2923         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2924         (foo):
2925         (test):
2926         (bar):
2927
2928 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2929
2930         Unreviewed, rolling out r238132.
2931
2932         The test added with this change is timing out on Debug JSC
2933         bots.
2934
2935         Reverted changeset:
2936
2937         "[BigInt] JSBigInt::createWithLength should throw when length
2938         is greater than JSBigInt::maxLength"
2939         https://bugs.webkit.org/show_bug.cgi?id=190836
2940         https://trac.webkit.org/changeset/238132
2941
2942 2018-11-13  Mark Lam  <mark.lam@apple.com>
2943
2944         Add OOM detection to StringPrototype's substituteBackreferences().
2945         https://bugs.webkit.org/show_bug.cgi?id=191563
2946         <rdar://problem/45720428>
2947
2948         Reviewed by Saam Barati.
2949
2950         * stress/regress-191563.js: Added.
2951
2952 2018-11-13  Mark Lam  <mark.lam@apple.com>
2953
2954         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2955         https://bugs.webkit.org/show_bug.cgi?id=191579
2956         <rdar://problem/45942472>
2957
2958         Reviewed by Saam Barati.
2959
2960         * stress/regress-191579.js: Added.
2961
2962 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2963
2964         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2965         https://bugs.webkit.org/show_bug.cgi?id=190836
2966
2967         Reviewed by Saam Barati.
2968
2969         * stress/big-int-out-of-memory-tests.js: Added.
2970
2971 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2972
2973         U+180E is no longer a whitespace character
2974         https://bugs.webkit.org/show_bug.cgi?id=191415
2975
2976         Reviewed by Saam Barati.
2977
2978         * ChakraCore/test/es5/regexSpace.baseline:
2979         * ChakraCore/test/es6/unicode_whitespace.js:
2980         Update tests to latest version.
2981         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2982
2983         * test262.yaml:
2984         * test262/config.yaml:
2985         * test262/expectations.yaml:
2986         Update expectations.
2987
2988 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2989
2990         [BigInt] Add support to BigInt into ValueAdd
2991         https://bugs.webkit.org/show_bug.cgi?id=186177
2992
2993         Reviewed by Keith Miller.
2994
2995         * stress/big-int-negate-jit.js:
2996         * stress/value-add-big-int-and-string.js: Added.
2997         * stress/value-add-big-int-prediction-propagation.js: Added.
2998         * stress/value-add-big-int-untyped.js: Added.
2999
3000 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
3001
3002         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
3003         https://bugs.webkit.org/show_bug.cgi?id=191184
3004
3005         Reviewed by Saam Barati.
3006
3007         Most tests were failing due to timeouts, since they are too slow to
3008         run on CLoop. The exceptions are:
3009
3010         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
3011         dont-crash-on-stack-overflow-when-parsing-builtin.js and
3012         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
3013         to change the stack size since CLoop requires it to be page aligned.
3014
3015         * microbenchmarks/array-push-1.js:
3016         * microbenchmarks/array-push-2.js:
3017         * microbenchmarks/elidable-new-object-dag.js:
3018         * microbenchmarks/elidable-new-object-roflcopter.js:
3019         * microbenchmarks/elidable-new-object-tree.js:
3020         * microbenchmarks/getter-richards.js:
3021         * microbenchmarks/sinkable-new-object-dag.js:
3022         * microbenchmarks/string-concat-long-convert.js:
3023         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
3024         * slowMicrobenchmarks/array-push-3.js:
3025         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
3026         * slowMicrobenchmarks/spread-small-array.js:
3027         * slowMicrobenchmarks/undefined-property-access.js:
3028         * stress/activation-sink-default-value-tdz-error.js:
3029         * stress/activation-sink-default-value.js:
3030         * stress/activation-sink-osrexit-default-value-tdz-error.js:
3031         * stress/activation-sink-osrexit-default-value.js:
3032         * stress/activation-sink-osrexit.js:
3033         * stress/activation-sink.js:
3034         * stress/allow-math-ic-b3-code-duplication.js:
3035         * stress/array-push-multiple-int32.js:
3036         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
3037         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
3038         * stress/arrowfunction-lexical-this-activation-sink.js:
3039         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
3040         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
3041         * stress/elide-new-object-dag-then-exit.js:
3042         * stress/materialize-regexp-cyclic.js:
3043         * stress/new-regex-inline.js:
3044         * stress/op_add.js:
3045         * stress/op_bitand.js:
3046         * stress/op_bitor.js:
3047         * stress/op_bitxor.js:
3048         * stress/op_div-ConstVar.js:
3049         * stress/op_div-VarConst.js:
3050         * stress/op_div-VarVar.js:
3051         * stress/op_lshift-ConstVar.js:
3052         * stress/op_lshift-VarConst.js:
3053         * stress/op_lshift-VarVar.js:
3054         * stress/op_mod-ConstVar.js:
3055         * stress/op_mod-VarConst.js:
3056         * stress/op_mod-VarVar.js:
3057         * stress/op_mul-ConstVar.js:
3058         * stress/op_mul-VarConst.js:
3059         * stress/op_mul-VarVar.js:
3060         * stress/op_rshift-ConstVar.js:
3061         * stress/op_rshift-VarConst.js:
3062         * stress/op_rshift-VarVar.js:
3063         * stress/op_sub-ConstVar.js:
3064         * stress/op_sub-VarConst.js:
3065         * stress/op_sub-VarVar.js:
3066         * stress/op_urshift-ConstVar.js:
3067         * stress/op_urshift-VarConst.js:
3068         * stress/op_urshift-VarVar.js:
3069         * stress/proxy-get-set-correct-receiver.js:
3070         * stress/regress-179562.js:
3071         * stress/rest-parameter-many-arguments.js:
3072         * stress/sampling-profiler-richards.js:
3073         * stress/splay-flash-access-1ms.js:
3074         * stress/tailCallForwardArguments.js:
3075         * stress/typed-array-get-by-val-profiling.js:
3076         * typeProfiler/getter-richards.js:
3077
3078 2018-11-06  Michael Saboff  <msaboff@apple.com>
3079
3080         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3081         https://bugs.webkit.org/show_bug.cgi?id=191271
3082
3083         Reviewed by Saam Barati.
3084
3085         Added more test cases and made all test cases run with the same deeply recursive stack
3086         instead of finding that same point for each test case.
3087
3088         * stress/regexp-compile-oom.js:
3089         (prototype.runTest):
3090         (recurseAndTest):
3091         (testList.push.new.TestAndExpectedException):
3092
3093 2018-11-05  Michael Saboff  <msaboff@apple.com>
3094
3095         Unreviewed build fix for linux.
3096
3097         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3098
3099 2018-11-02  Michael Saboff  <msaboff@apple.com>
3100
3101         Rolling in r237753 with unreviewed build fix.
3102
3103         Fixed issues with DECLARE_THROW_SCOPE placement.
3104
3105 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3106
3107         Unreviewed, rolling out r237753.
3108
3109         Introduced JSC test failures
3110
3111         Reverted changeset:
3112
3113         "Running out of stack space not properly handled in
3114         RegExp::compile() and its callers"
3115         https://bugs.webkit.org/show_bug.cgi?id=191206
3116         https://trac.webkit.org/changeset/237753
3117
3118 2018-11-02  Michael Saboff  <msaboff@apple.com>
3119
3120         Running out of stack space not properly handled in RegExp::compile() and its callers
3121         https://bugs.webkit.org/show_bug.cgi?id=191206
3122
3123         Reviewed by Filip Pizlo.
3124
3125         New regression test.
3126
3127         * stress/regexp-compile-oom.js: Added.
3128         (recurseAndTest):
3129
3130 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3131
3132         Skip tests on arm/mips that time out now we're running on CLoop
3133
3134         Unreviewed gardening.
3135
3136         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3137         time out on the bots and need to be disabled. There's more tests
3138         disabled on arm because the timeout is longer on the mips bot (as the
3139         device is slower to start with), so many of the tests don't time out
3140         there.
3141
3142         * microbenchmarks/getter-richards.js: disable on arm and mips.
3143         * stress/op_add.js: disable on arm.
3144         * stress/op_bitand.js: disable on arm.
3145         * stress/op_bitor.js: disable on arm.
3146         * stress/op_bitxor.js: disable on arm.
3147         * stress/op_lshift-ConstVar.js: disable on arm.
3148         * stress/op_lshift-VarConst.js: disable on arm.
3149         * stress/op_lshift-VarVar.js: disable on arm.
3150         * stress/op_mod-ConstVar.js: disable on arm.
3151         * stress/op_mod-VarConst.js: disable on arm.
3152         * stress/op_mod-VarVar.js: disable on arm.
3153         * stress/op_mul-ConstVar.js: disable on arm.
3154         * stress/op_mul-VarConst.js: disable on arm.
3155         * stress/op_mul-VarVar.js: disable on arm.
3156         * stress/op_rshift-ConstVar.js: disable on arm.
3157         * stress/op_rshift-VarConst.js: disable on arm.
3158         * stress/op_rshift-VarVar.js: disable on arm.
3159         * stress/op_sub-ConstVar.js: disable on arm.
3160         * stress/op_sub-VarConst.js: disable on arm.
3161         * stress/op_sub-VarVar.js: disable on arm.
3162         * stress/op_urshift-ConstVar.js: disable on arm.
3163         * stress/op_urshift-VarConst.js: disable on arm.
3164         * stress/op_urshift-VarVar.js: disable on arm.
3165         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3166         * stress/value-to-boolean.js: disable on arm and mips.
3167
3168 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3169
3170         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3171         https://bugs.webkit.org/show_bug.cgi?id=191108
3172         <rdar://problem/45690700>
3173
3174         Reviewed by Saam Barati.
3175
3176         * stress/wide-op_catch.js: Added.
3177         (catch):
3178
3179 2018-10-29  Mark Lam  <mark.lam@apple.com>
3180
3181         Correctly detect string overflow when using the 'Function' constructor.
3182         https://bugs.webkit.org/show_bug.cgi?id=184883
3183         <rdar://problem/36320331>
3184
3185         Reviewed by Saam Barati.
3186
3187         I've verified that this passes on 32-bit as well.
3188
3189         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3190
3191 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3192
3193         Add support for GetStack FlushedDouble
3194         https://bugs.webkit.org/show_bug.cgi?id=191012
3195         <rdar://problem/45265141>
3196
3197         Reviewed by Saam Barati.
3198
3199         * stress/get-stack-double.js: Added.
3200         (bar):
3201         (noInline):
3202
3203 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3204
3205         New bytecode format for JSC
3206         https://bugs.webkit.org/show_bug.cgi?id=187373
3207         <rdar://problem/44186758>
3208
3209         Reviewed by Filip Pizlo.
3210
3211         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3212
3213         * stress/maximum-inline-capacity.js: Added.
3214         (test1):
3215         (test3.Foo):
3216         (test3):
3217
3218 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3219
3220         Unreviewed, rolling out r237479 and r237484.
3221         https://bugs.webkit.org/show_bug.cgi?id=190978
3222
3223         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3224
3225         Reverted changesets:
3226
3227         "New bytecode format for JSC"
3228         https://bugs.webkit.org/show_bug.cgi?id=187373
3229         https://trac.webkit.org/changeset/237479
3230
3231         "Gardening: Build fix after r237479."
3232         https://bugs.webkit.org/show_bug.cgi?id=187373
3233         https://trac.webkit.org/changeset/237484
3234
3235 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3236
3237         New bytecode format for JSC
3238         https://bugs.webkit.org/show_bug.cgi?id=187373
3239         <rdar://problem/44186758>
3240
3241         Reviewed by Filip Pizlo.
3242
3243         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3244
3245         * stress/maximum-inline-capacity.js: Added.
3246         (test1):
3247         (test3.Foo):
3248         (test3):
3249
3250 2018-10-26  Mark Lam  <mark.lam@apple.com>
3251
3252         Fix missing edge cases with JSGlobalObjects having a bad time.
3253         https://bugs.webkit.org/show_bug.cgi?id=189028
3254         <rdar://problem/45204939>
3255
3256         Reviewed by Saam Barati.
3257
3258         * stress/regress-189028.js: Added.
3259
3260 2018-10-22  Mark Lam  <mark.lam@apple.com>
3261
3262         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3263         https://bugs.webkit.org/show_bug.cgi?id=190515
3264         <rdar://problem/45222379>
3265
3266         Rubber-stamped by Saam Barati.
3267
3268         Adding another test.
3269
3270         * stress/regress-190515-2.js: Added.
3271
3272 2018-10-22  Mark Lam  <mark.lam@apple.com>
3273
3274         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3275         https://bugs.webkit.org/show_bug.cgi?id=190515
3276         <rdar://problem/45222379>
3277
3278         Reviewed by Saam Barati.
3279
3280         * stress/regress-190515.js: Added.
3281
3282 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3283
3284         Unreviewed, rolling out r237254.
3285         https://bugs.webkit.org/show_bug.cgi?id=190760
3286
3287         "It regresses JetStream 2 by 5% on some iOS devices"
3288         (Requested by saamyjoon on #webkit).
3289
3290         Reverted changeset:
3291
3292         "[JSC] JSC should have "parseFunction" to optimize Function
3293         constructor"
3294         https://bugs.webkit.org/show_bug.cgi?id=190340
3295         https://trac.webkit.org/changeset/237254
3296
3297 2018-10-19  Saam Barati  <sbarati@apple.com>
3298
3299         vmCall should check if we exit before emitting an OSR exit due to exceptions
3300         https://bugs.webkit.org/show_bug.cgi?id=190740
3301         <rdar://problem/45220139>
3302
3303         Reviewed by Mark Lam.
3304
3305         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3306         (foo):
3307
3308 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3309
3310         [ESNext][BigInt] Implement support for "^"
3311         https://bugs.webkit.org/show_bug.cgi?id=186235
3312
3313         Reviewed by Yusuke Suzuki.
3314
3315         * stress/big-int-bitwise-xor-general.js: Added.
3316         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3317         * stress/big-int-bitwise-xor-type-error.js: Added.
3318         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3319
3320 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3321
3322         [BigInt] Add ValueSub into DFG
3323         https://bugs.webkit.org/show_bug.cgi?id=186176
3324
3325         Reviewed by Yusuke Suzuki.
3326
3327         * stress/big-int-subtraction-jit.js:
3328         * stress/value-sub-big-int-prediction-propagation.js: Added.
3329         * stress/value-sub-big-int-untyped.js: Added.
3330         * stress/value-sub-spec-none-case.js: Added.
3331
3332 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3333
3334         [JSC] JSC should have "parseFunction" to optimize Function constructor
3335         https://bugs.webkit.org/show_bug.cgi?id=190340
3336
3337         Reviewed by Mark Lam.
3338
3339         This patch fixes the line number of syntax errors raised by the Function constructor,
3340         since we now parse the final code only once. And we no longer use block statement
3341         for Function constructor's parsing.
3342
3343         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3344         * stress/function-cache-with-parameters-end-position.js: Added.
3345         (shouldBe):
3346         (shouldThrow):
3347         (i.anonymous):
3348         * stress/function-constructor-name.js: Added.
3349         (shouldBe):
3350         (GeneratorFunction):
3351         (AsyncFunction.async):
3352         (AsyncGeneratorFunction.async):
3353         (anonymous):
3354         (async.anonymous):
3355         * test262/expectations.yaml:
3356
3357 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3358
3359         Unreviewed, rolling out r237242.
3360         https://bugs.webkit.org/show_bug.cgi?id=190701
3361
3362         it breaks "stress/sampling-profiler-basic.js" (Requested by
3363         caiolima on #webkit).
3364
3365         Reverted changeset:
3366
3367         "[BigInt] Add ValueSub into DFG"
3368         https://bugs.webkit.org/show_bug.cgi?id=186176
3369         https://trac.webkit.org/changeset/237242
3370
3371 2018-10-17  Keith Miller  <keith_miller@apple.com>
3372
3373         AI does not clear Phantom allocation nodes.
3374         https://bugs.webkit.org/show_bug.cgi?id=190694
3375
3376         Reviewed by Saam Barati.
3377
3378         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3379         (Day):
3380         (DaysInYear):
3381         (TimeInYear):
3382         (TimeFromYear):
3383         (DayFromYear):
3384         (InLeapYear):
3385         (YearFromTime):
3386         (WeekDay):
3387         (DaylightSavingTA):
3388         (GetSecondSundayInMarch):
3389         (TimeInMonth):
3390
3391 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3392
3393         [BigInt] Add ValueSub into DFG
3394         https://bugs.webkit.org/show_bug.cgi?id=186176
3395
3396         Reviewed by Yusuke Suzuki.
3397
3398         * stress/big-int-subtraction-jit.js:
3399         * stress/value-sub-big-int-prediction-propagation.js: Added.
3400         * stress/value-sub-big-int-untyped.js: Added.
3401
3402 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3403
3404         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3405         https://bugs.webkit.org/show_bug.cgi?id=190611
3406
3407         Reviewed by Saam Barati.
3408
3409         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3410         to improve test runtime. On ARM/MIPS this test even timed out when running all
3411         tests.
3412
3413         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3414         (test):
3415
3416 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3417
3418         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3419
3420         Unreviewed gardening.
3421
3422         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3423
3424 2018-10-15  Saam barati  <sbarati@apple.com>
3425
3426         Emit fjcvtzs on ARM64E on Darwin
3427         https://bugs.webkit.org/show_bug.cgi?id=184023
3428
3429         Reviewed by Yusuke Suzuki and Filip Pizlo.
3430
3431         * stress/double-to-int32-NaN.js: Added.
3432         (assert):
3433         (foo):
3434
3435 2018-10-15  Saam Barati  <sbarati@apple.com>
3436
3437         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3438         https://bugs.webkit.org/show_bug.cgi?id=190262
3439         <rdar://problem/44986241>
3440
3441         Reviewed by Mark Lam.
3442
3443         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3444         (test):
3445         * stress/slice-array-storage-with-holes.js: Added.
3446         (main):
3447
3448 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3449
3450         Unreviewed, rolling out r237054.
3451         https://bugs.webkit.org/show_bug.cgi?id=190593
3452
3453         "this regressed JetStream 2 by 6% on iOS" (Requested by
3454         saamyjoon on #webkit).
3455
3456         Reverted changeset:
3457
3458         "[JSC] JSC should have "parseFunction" to optimize Function
3459         constructor"
3460         https://bugs.webkit.org/show_bug.cgi?id=190340
3461         https://trac.webkit.org/changeset/237054
3462
3463 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3464
3465         [JSC] JSON.stringify can accept call-with-no-arguments
3466         https://bugs.webkit.org/show_bug.cgi?id=190343
3467
3468         Reviewed by Mark Lam.
3469
3470         * stress/json-stringify-no-arguments.js: Added.
3471         (shouldBe):
3472
3473 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3474
3475         [JSC] JSC should have "parseFunction" to optimize Function constructor
3476         https://bugs.webkit.org/show_bug.cgi?id=190340
3477
3478         Reviewed by Mark Lam.
3479
3480         This patch fixes the line number of syntax errors raised by the Function constructor,
3481         since we now parse the final code only once. And we no longer use block statement
3482         for Function constructor's parsing.
3483
3484         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3485         * stress/function-cache-with-parameters-end-position.js: Added.
3486         (shouldBe):
3487         (shouldThrow):
3488         (i.anonymous):
3489         * stress/function-constructor-name.js: Added.
3490         (shouldBe):
3491         (GeneratorFunction):
3492         (AsyncFunction.async):
3493         (AsyncGeneratorFunction.async):
3494         (anonymous):
3495         (async.anonymous):
3496         * test262/expectations.yaml:
3497
3498 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3499
3500         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3501         https://bugs.webkit.org/show_bug.cgi?id=190426
3502
3503         Unreviewed gardening.
3504
3505         * stress/sampling-profiler-richards.js:
3506
3507 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3508
3509         [ESNext][BigInt] Implement support for "|"
3510         https://bugs.webkit.org/show_bug.cgi?id=186229
3511
3512         Reviewed by Yusuke Suzuki.
3513
3514         * stress/big-int-bitwise-and-jit.js:
3515         * stress/big-int-bitwise-or-general.js: Added.
3516         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3517         * stress/big-int-bitwise-or-jit.js: Added.
3518         * stress/big-int-bitwise-or-memory-stress.js: Added.
3519         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3520         * stress/big-int-bitwise-or-type-error.js: Added.
3521         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3522
3523 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3524
3525         Skip test on systems with limited memory
3526         https://bugs.webkit.org/show_bug.cgi?id=190310
3527
3528         Invoking runDefault adds test to runlist, skipping the test in the next
3529         line does not prevent the test from executing. Change order of lines such
3530         that runDefault is only executed if test is not executed.
3531
3532         Reviewed by Mark Lam.
3533
3534         * stress/regress-190187.js:
3535
3536 2018-10-03  Saam barati  <sbarati@apple.com>
3537
3538         lowXYZ in FTLLower should always filter the type of the incoming edge
3539         https://bugs.webkit.org/show_bug.cgi?id=189939
3540         <rdar://problem/44407030>
3541
3542         Reviewed by Michael Saboff.
3543
3544         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3545         (foo):
3546         (test):
3547
3548 2018-10-03  Mark Lam  <mark.lam@apple.com>
3549
3550         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3551         https://bugs.webkit.org/show_bug.cgi?id=190187
3552         <rdar://problem/42512909>
3553
3554         Reviewed by Michael Saboff.
3555
3556         * stress/regress-190187.js: Added.
3557
3558 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3559
3560         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3561         https://bugs.webkit.org/show_bug.cgi?id=190033
3562
3563         Reviewed by Yusuke Suzuki.
3564
3565         * stress/big-int-to-string.js:
3566
3567 2018-10-01  Mark Lam  <mark.lam@apple.com>
3568
3569         Function.toString() should also copy the source code Functions that are class definitions.
3570         https://bugs.webkit.org/show_bug.cgi?id=190186
3571         <rdar://problem/44733360>
3572
3573         Reviewed by Saam Barati.
3574
3575         * stress/regress-190186.js: Added.
3576
3577 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3578
3579         Split NaN-check into separate test
3580         https://bugs.webkit.org/show_bug.cgi?id=190010
3581
3582         Reviewed by Saam Barati.
3583
3584         DataView exposes NaN-representation, which is not necessarily the same on each
3585         architecture. Therefore move the check of the NaN-representation into its own
3586         file such that we can disable this test on MIPS where NaN-representation can be
3587         different on older CPUs.
3588
3589         * stress/dataview-jit-set-nan.js: Added.
3590         (assert):
3591         (test.storeLittleEndian):
3592         (test.storeBigEndian):
3593         (test.store):
3594         (test):
3595         * stress/dataview-jit-set.js:
3596         (test5):
3597
3598 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3599
3600         Unreviewed, rolling out r236647.
3601         https://bugs.webkit.org/show_bug.cgi?id=190124
3602
3603         Breaking test stress/big-int-to-string.js (Requested by
3604         caiolima_ on #webkit).
3605
3606         Reverted changeset:
3607
3608         "[BigInt] BigInt.prototype.toString is broken when radix is
3609         power of 2"
3610         https://bugs.webkit.org/show_bug.cgi?id=190033
3611         https://trac.webkit.org/changeset/236647
3612
3613 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3614
3615         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3616         https://bugs.webkit.org/show_bug.cgi?id=190033
3617
3618         Reviewed by Yusuke Suzuki.
3619
3620         * stress/big-int-to-string.js:
3621
3622 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3623
3624         [ESNext][BigInt] Implement support for "&"
3625         https://bugs.webkit.org/show_bug.cgi?id=186228
3626
3627         Reviewed by Yusuke Suzuki.
3628
3629         * stress/big-int-bitwise-and-general.js: Added.
3630         (assert):
3631         (assert.sameValue):
3632         * stress/big-int-bitwise-and-jit.js: Added.
3633         (let.assert.sameValue):
3634         (bigIntBitAnd):
3635         * stress/big-int-bitwise-and-memory-stress.js: Added.
3636         (assert):
3637         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3638         (assert.sameValue):
3639         (let.o.Symbol.toPrimitive):
3640         (catch):
3641         * stress/big-int-bitwise-and-type-error.js: Added.
3642         (assert):
3643         (assertThrowTypeError):
3644         (let.o.valueOf):
3645         (o.valueOf):
3646         (o.toString):
3647         (o.Symbol.toPrimitive):
3648         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3649         (assert.sameValue):
3650         (testBitAnd):
3651         (let.o.Symbol.toPrimitive):
3652         (o.valueOf):
3653         (o.toString):
3654
3655 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3656
3657         JSC test stress/jsc-read.js doesn't support CRLF
3658         https://bugs.webkit.org/show_bug.cgi?id=190063
3659
3660         Reviewed by Yusuke Suzuki.
3661
3662         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3663
3664         * stress/jsc-read.js:
3665         (test):
3666
3667 2018-09-27  Saam barati  <sbarati@apple.com>
3668
3669         Verify the contents of AssemblerBuffer on arm64e
3670         https://bugs.webkit.org/show_bug.cgi?id=190057
3671         <rdar://problem/38916630>
3672
3673         Reviewed by Mark Lam.
3674
3675         * stress/regress-189132.js:
3676
3677 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3678
3679         Disable test without LLInt on ARMv7
3680         https://bugs.webkit.org/show_bug.cgi?id=190037
3681
3682         Reviewed by Mark Lam.
3683
3684         Test runs out of executable memory on ARMv7, do not run
3685         this test without LLInt enabled.
3686
3687         * stress/regress-169445.js:
3688
3689 2018-09-26  Keith Miller  <keith_miller@apple.com>
3690
3691         We should zero unused property storage when rebalancing array storage.
3692         https://bugs.webkit.org/show_bug.cgi?id=188151
3693
3694         Reviewed by Michael Saboff.
3695
3696         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3697
3698 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3699
3700         [JSC] Optimize Array#lastIndexOf
3701         https://bugs.webkit.org/show_bug.cgi?id=189780
3702
3703         Reviewed by Saam Barati.
3704
3705         * stress/array-lastindexof-array-prototype-trap.js: Added.
3706         (shouldBe):
3707         (AncestorArray.prototype.get 2):
3708         (AncestorArray):
3709         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3710         (shouldBe):
3711         * stress/array-lastindexof-hole-nan.js: Added.
3712         (shouldBe):
3713         (throw.new.Error):
3714         * stress/array-lastindexof-infinity.js: Added.
3715         (shouldBe):
3716         (throw.new.Error):
3717         * stress/array-lastindexof-negative-zero.js: Added.
3718         (shouldBe):
3719         (throw.new.Error):
3720         * stress/array-lastindexof-own-getter.js: Added.
3721         (shouldBe):
3722         (throw.new.Error.get array):
3723         (get array):
3724         * stress/array-lastindexof-prototype-trap.js: Added.
3725         (shouldBe):
3726         (DerivedArray.prototype.get 2):
3727         (DerivedArray):
3728
3729 2018-09-25  Saam Barati  <sbarati@apple.com>
3730
3731         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3732         https://bugs.webkit.org/show_bug.cgi?id=189940
3733         <rdar://problem/43640987>
3734
3735         Reviewed by Mark Lam.
3736
3737         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3738
3739 2018-09-24  Saam Barati  <sbarati@apple.com>
3740
3741         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3742         https://bugs.webkit.org/show_bug.cgi?id=189922
3743         <rdar://problem/44651275>
3744
3745         Reviewed by Mark Lam.
3746
3747         * stress/array-indexof-fast-path-effects.js: Added.
3748         * stress/array-indexof-cached-length.js: Added.
3749
3750 2018-09-24  Saam barati  <sbarati@apple.com>
3751
3752         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3753         https://bugs.webkit.org/show_bug.cgi?id=189682
3754         <rdar://problem/43557315>
3755
3756         Reviewed by Mark Lam.
3757
3758         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3759         (foo):
3760
3761 2018-09-22  Saam barati  <sbarati@apple.com>
3762
3763         The sampling should not use Strong<CodeBlock> in its machineLocation field
3764         https://bugs.webkit.org/show_bug.cgi?id=189319
3765
3766         Reviewed by Filip Pizlo.
3767
3768         * stress/sampling-profiler-richards.js: Added.
3769
3770 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3771
3772         [JSC] Optimize Array#indexOf in C++ runtime
3773         https://bugs.webkit.org/show_bug.cgi?id=189507
3774
3775         Reviewed by Saam Barati.
3776
3777         * stress/array-indexof-array-prototype-trap.js: Added.
3778         (shouldBe):
3779         (AncestorArray.prototype.get 2):
3780         (AncestorArray):
3781         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3782         (shouldBe):
3783         * stress/array-indexof-hole-nan.js: Added.
3784         (shouldBe):
3785         (throw.new.Error):
3786         * stress/array-indexof-infinity.js: Added.
3787         (shouldBe):
3788         (throw.new.Error):
3789         * stress/array-indexof-negative-zero.js: Added.
3790         (shouldBe):
3791         (throw.new.Error):
3792         * stress/array-indexof-own-getter.js: Added.
3793         (shouldBe):
3794         (throw.new.Error.get array):
3795         (get array):
3796         * stress/array-indexof-prototype-trap.js: Added.
3797         (shouldBe):
3798         (DerivedArray.prototype.get 2):
3799         (DerivedArray):
3800
3801 2018-09-19  Saam barati  <sbarati@apple.com>
3802
3803         AI rule for MultiPutByOffset executes its effects in the wrong order
3804         https://bugs.webkit.org/show_bug.cgi?id=189757
3805         <rdar://problem/43535257>
3806
3807         Reviewed by Michael Saboff.
3808
3809         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3810         (foo):
3811         (Foo):
3812         (g):
3813
3814 2018-09-17  Mark Lam  <mark.lam@apple.com>
3815
3816         Ensure that ForInContexts are invalidated if their loop local is over-written.
3817         https://bugs.webkit.org/show_bug.cgi?id=189571
3818         <rdar://problem/44402277>
3819
3820         Reviewed by Saam Barati.
3821
3822         * stress/regress-189571.js: Added.
3823
3824 2018-09-17  Saam barati  <sbarati@apple.com>
3825
3826         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3827         https://bugs.webkit.org/show_bug.cgi?id=189676
3828         <rdar://problem/39682897>
3829
3830         Reviewed by Michael Saboff.
3831
3832         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3833         (A):
3834         (K):
3835         (i.catch):
3836
3837 2018-09-14  Saam barati  <sbarati@apple.com>
3838
3839         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3840         https://bugs.webkit.org/show_bug.cgi?id=189628
3841         <rdar://problem/39481690>
3842
3843         Reviewed by Mark Lam.
3844
3845         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3846         (foo):
3847
3848 2018-09-11  Mark Lam  <mark.lam@apple.com>
3849
3850         Test for array initialization in arrayProtoFuncSplice.
3851         https://bugs.webkit.org/show_bug.cgi?id=170253
3852         <rdar://problem/31328773>
3853
3854         Rubber-stamped by Saam Barati.
3855
3856         * stress/regress-170253.js: Added.
3857
3858 2018-09-11  Mark Lam  <mark.lam@apple.com>
3859
3860         Test for IntlObject initialization.
3861         https://bugs.webkit.org/show_bug.cgi?id=170251
3862         <rdar://problem/31328419>
3863
3864         Rubber-stamped by Saam Barati.
3865
3866         * stress/regress-170251.js: Added.
3867
3868 2018-09-11  Mark Lam  <mark.lam@apple.com>
3869
3870         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3871         https://bugs.webkit.org/show_bug.cgi?id=169889
3872         <rdar://problem/31155607>
3873
3874         Reviewed by Saam Barati.
3875
3876         * stress/regress-169889-array-concat.js: Added.
3877         * stress/regress-169889-array-concat1.js: Added.
3878         * stress/regress-169889-array-slice.js: Added.
3879
3880 2018-09-11  Mark Lam  <mark.lam@apple.com>
3881
3882         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3883         https://bugs.webkit.org/show_bug.cgi?id=169445
3884         <rdar://problem/30957435>
3885
3886         Reviewed by Saam Barati.
3887
3888         * stress/regress-169445.js: Added.
3889         (let.gun.eval.A):
3890         (let.gun.eval.B.C):
3891         (let.gun.eval.B.C.prototype.trigger):
3892         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3893         (let.gun.eval.B):
3894         (let.gun.eval):
3895
3896 == Rolled over to ChangeLog-2018-09-11 ==