[JSC] Invalidate old scope operations using global lexical binding epoch
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Invalidate old scope operations using global lexical binding epoch
4         https://bugs.webkit.org/show_bug.cgi?id=193603
5         <rdar://problem/47380869>
6
7         Reviewed by Saam Barati.
8
9         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
10         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
11         (shouldThrow):
12         (bar):
13         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
14         (shouldBe):
15         (get1):
16         (get2):
17         (get1If):
18         (get2If):
19         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
20         (shouldThrow):
21         (foo):
22
23 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
24
25         Unreviewed, roll out r240220 due to date-format-xparb regression
26         https://bugs.webkit.org/show_bug.cgi?id=193603
27
28         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
29         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
30         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
31         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
32
33 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
34
35         DoesGC rule is wrong for nodes with BigIntUse
36         https://bugs.webkit.org/show_bug.cgi?id=193652
37
38         Reviewed by Saam Barati.
39
40         * stress/big-int-value-op-update-gc-rules.js: Added.
41         (assert):
42         (doesGCAdd):
43         (doesGCSub):
44         (doesGCDiv):
45         (doesGCMul):
46         (doesGCBitAnd):
47         (doesGCBitOr):
48         (doesGCBitXor):
49
50 2019-01-20  Saam Barati  <sbarati@apple.com>
51
52         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
53         https://bugs.webkit.org/show_bug.cgi?id=193644
54         <rdar://problem/46209745>
55
56         Reviewed by Yusuke Suzuki.
57
58         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
59         (foo):
60         * stress/data-view-set-intrinsic-undefined-result.js: Added.
61         (foo):
62         (bar):
63
64 2019-01-20  Saam Barati  <sbarati@apple.com>
65
66         MovHint must merge NodeBytecodeUsesAsValue for its child
67         https://bugs.webkit.org/show_bug.cgi?id=186916
68         <rdar://problem/41396612>
69
70         Reviewed by Yusuke Suzuki.
71
72         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
73         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
74
75 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
76
77         [JSC] Invalidate old scope operations using global lexical binding epoch
78         https://bugs.webkit.org/show_bug.cgi?id=193603
79         <rdar://problem/47380869>
80
81         Reviewed by Saam Barati.
82
83         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
84         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
85         (shouldThrow):
86         (bar):
87         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
88         (shouldBe):
89         (get1):
90         (get2):
91         (get1If):
92         (get2If):
93         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
94         (shouldThrow):
95         (foo):
96
97 2019-01-17  Saam barati  <sbarati@apple.com>
98
99         StringObjectUse should not be a structure check for the original string object structure
100         https://bugs.webkit.org/show_bug.cgi?id=193483
101         <rdar://problem/47280522>
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
106         (foo):
107         (a.valueOf.0):
108
109 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
110
111         [JSC] ToThis omission in DFGByteCodeParser is wrong
112         https://bugs.webkit.org/show_bug.cgi?id=193513
113         <rdar://problem/45842236>
114
115         Reviewed by Saam Barati.
116
117         * stress/to-this-omission-with-different-strict-modes.js: Added.
118         (thisA):
119         (thisAStrictWrapper):
120
121 2019-01-15  Mark Lam  <mark.lam@apple.com>
122
123         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
124         https://bugs.webkit.org/show_bug.cgi?id=193423
125         <rdar://problem/46209355>
126
127         Reviewed by Saam Barati.
128
129         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
130         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
131         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
132         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
133
134 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
135
136         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
137         https://bugs.webkit.org/show_bug.cgi?id=193438
138         <rdar://problem/45581249>
139
140         Reviewed by Saam Barati and Keith Miller.
141
142         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
143         Then, GetByVal(String) crashed.
144
145         * stress/string-get-by-val-lowering.js: Added.
146         (shouldBe):
147         (test):
148         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
149         (Hello):
150         (foo):
151
152 2019-01-15  Tomas Popela  <tpopela@redhat.com>
153
154         Unreviewed, skip JIT tests if it's not enabled
155
156         * stress/bit-op-with-object-returning-int32.js:
157
158 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
159
160         DFGByteCodeParser rules for bitwise operations should consider type of their operands
161         https://bugs.webkit.org/show_bug.cgi?id=192966
162
163         Reviewed by Yusuke Suzuki.
164
165         * stress/bit-op-with-object-returning-int32.js: Added.
166
167 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
168
169         Skip a slow test and a flakey test on arm
170
171         Unreviewed gardening.
172
173         * typeProfiler/getter-richards.js:
174         this test always times out, it used to be always skipped on arm and
175         mips, but got accidentally enabled by r237919 now that we have DFG on
176         arm. Also skipping on mips as we plan to soon enable DFG for it too.
177
178 2019-01-14  Keith Miller  <keith_miller@apple.com>
179
180         Skip type-check-hoisting-phase-hoist... with no jit
181         https://bugs.webkit.org/show_bug.cgi?id=193421
182
183         Reviewed by Mark Lam.
184
185         It's timing out the 32-bit bots and takes 330 seconds
186         on my machine when run by itself.
187
188         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
189
190 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
191
192         [JSC] AI should check the given constant's array type when folding GetByVal into constant
193         https://bugs.webkit.org/show_bug.cgi?id=193413
194         <rdar://problem/46092389>
195
196         Reviewed by Keith Miller.
197
198         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
199         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
200         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
201         but GetByVal does not have appropriate ArrayModes, JSC crashes.
202
203         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
204         (compareArray):
205
206 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
207
208         [BigInt] Literal parsing is crashing when used inside a Object Literal
209         https://bugs.webkit.org/show_bug.cgi?id=193404
210
211         Reviewed by Yusuke Suzuki.
212
213         * stress/big-int-literal-inside-literal-object.js: Added.
214
215 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
216
217         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
218         https://bugs.webkit.org/show_bug.cgi?id=193372
219
220         Reviewed by Saam Barati.
221
222         * stress/typed-array-array-modes-profile.js: Added.
223         (foo):
224
225 2019-01-14  Mark Lam  <mark.lam@apple.com>
226
227         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
228         https://bugs.webkit.org/show_bug.cgi?id=193402
229         <rdar://problem/46012309>
230
231         Reviewed by Keith Miller.
232
233         * stress/regexp-compile-oom.js:
234         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
235           is enabled.  As a result, it will fail on cloop builds though there is no bug.
236
237 2019-01-11  Saam barati  <sbarati@apple.com>
238
239         DFG combined liveness can be wrong for terminal basic blocks
240         https://bugs.webkit.org/show_bug.cgi?id=193304
241         <rdar://problem/45268632>
242
243         Reviewed by Yusuke Suzuki.
244
245         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
246
247 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
248
249         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
250         https://bugs.webkit.org/show_bug.cgi?id=193308
251         <rdar://problem/45546542>
252
253         Reviewed by Saam Barati.
254
255         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
256         (shouldThrow):
257         (shouldBe):
258         (foo):
259         (get shouldThrow):
260         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
261         (shouldThrow):
262         (shouldBe):
263         (foo):
264         (get shouldBe):
265         (get shouldThrow):
266         (get return):
267         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
268         (shouldThrow):
269         (shouldBe):
270         (foo):
271         (get shouldBe):
272         (get shouldThrow):
273         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
274         (shouldThrow):
275         (shouldBe):
276         (foo):
277         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
278         (shouldThrow):
279         (shouldBe):
280         (foo):
281         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
282         (shouldThrow):
283         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
284         (shouldThrow):
285         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
286         (shouldThrow):
287         (shouldBe):
288         (foo):
289         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
290         (shouldThrow):
291         (shouldBe):
292         (foo):
293         (get shouldBe):
294         (get shouldThrow):
295         (get return):
296         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
297         (shouldThrow):
298         (shouldBe):
299         (foo):
300         (get shouldBe):
301         (get shouldThrow):
302         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
303         (shouldThrow):
304         (shouldBe):
305         (foo):
306         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
307         (shouldThrow):
308         (shouldBe):
309         (foo):
310
311 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
312
313         Enable DFG on ARM/Linux again
314         https://bugs.webkit.org/show_bug.cgi?id=192496
315
316         Reviewed by Yusuke Suzuki.
317
318         Test wasn't really skipped before moving the line with skip
319         to the top.
320
321         * stress/regress-192717.js:
322
323 2019-01-10  Commit Queue  <commit-queue@webkit.org>
324
325         Unreviewed, rolling out r239825.
326         https://bugs.webkit.org/show_bug.cgi?id=193330
327
328         Broke tests on armv7/linux bots (Requested by guijemont on
329         #webkit).
330
331         Reverted changeset:
332
333         "Enable DFG on ARM/Linux again"
334         https://bugs.webkit.org/show_bug.cgi?id=192496
335         https://trac.webkit.org/changeset/239825
336
337 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
338
339         Enable DFG on ARM/Linux again
340         https://bugs.webkit.org/show_bug.cgi?id=192496
341
342         Reviewed by Yusuke Suzuki.
343
344         Test wasn't really skipped before moving the line with skip
345         to the top.
346
347         * stress/regress-192717.js:
348
349 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
350
351         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
352         https://bugs.webkit.org/show_bug.cgi?id=193127
353
354         Reviewed by Saam Barati.
355
356         * stress/array-species-create-should-handle-masquerader.js: Added.
357         (shouldThrow):
358         * stress/is-undefined-or-null-builtin.js: Added.
359         (shouldBe):
360         (isUndefinedOrNull.vm.createBuiltin):
361
362 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
363
364         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
365         https://bugs.webkit.org/show_bug.cgi?id=193221
366
367         Reviewed by Mark Lam.
368
369         * stress/put-by-id-flags.js: Added.
370         (f):
371         (g):
372         (numberOfDFGCompiles):
373
374 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
375
376         Baseline version of get_by_id may corrupt metadata
377         https://bugs.webkit.org/show_bug.cgi?id=193085
378         <rdar://problem/23453006>
379
380         Reviewed by Saam Barati.
381
382         * stress/get-by-id-change-mode.js: Added.
383         (forEach):
384
385 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
386
387         [JSC] Optimize Object.prototype.toString
388         https://bugs.webkit.org/show_bug.cgi?id=193031
389
390         Reviewed by Saam Barati.
391
392         * stress/object-tostring-changed-proto.js: Added.
393         (shouldBe):
394         (test):
395         * stress/object-tostring-changed.js: Added.
396         (shouldBe):
397         (test):
398         * stress/object-tostring-misc.js: Added.
399         (shouldBe):
400         (test):
401         (i.switch):
402         * stress/object-tostring-other.js: Added.
403         (shouldBe):
404         (test):
405         * stress/object-tostring-untyped.js: Added.
406         (shouldBe):
407         (test):
408         (i.switch):
409
410 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
411
412         test262-runner misbehaves when test file YAML has a trailing space
413         https://bugs.webkit.org/show_bug.cgi?id=193053
414
415         Reviewed by Yusuke Suzuki.
416
417         * test262/expectations.yaml:
418         Mark two dozen tests as passing (and correct the output of another).
419
420 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
421
422         Unreviewed, JSTests gardening with memoryLimited
423
424         * stress/string-overflow-createError.js:
425
426 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
427
428         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
429         https://bugs.webkit.org/show_bug.cgi?id=193050
430
431         Reviewed by Yusuke Suzuki.
432
433         * test262.yaml:
434         * test262/expectations.yaml:
435         Mark 16 tests as passing.
436
437 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
438
439         [BigInt] Support BigInt in JSON.stringify
440         https://bugs.webkit.org/show_bug.cgi?id=192624
441
442         Reviewed by Saam Barati.
443
444         * stress/big-int-json-stringify-to-json.js: Added.
445         (shouldBe):
446         (shouldThrow):
447         (BigInt.prototype.toJSON):
448         (shouldBe.JSON.stringify):
449         * stress/big-int-json-stringify.js: Added.
450         (shouldBe):
451         (shouldThrow):
452
453 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
454
455         [JSC] Implement "well-formed JSON.stringify" proposal
456         https://bugs.webkit.org/show_bug.cgi?id=191677
457
458         Reviewed by Darin Adler.
459
460         * stress/json-surrogate-pair.js: Added.
461         (shouldBe):
462         * test262/expectations.yaml:
463
464 2018-12-20  Keith Miller  <keith_miller@apple.com>
465
466         Add support for globalThis
467         https://bugs.webkit.org/show_bug.cgi?id=165171
468
469         Reviewed by Mark Lam.
470
471         * test262/config.yaml:
472
473 2018-12-19  Keith Miller  <keith_miller@apple.com>
474
475         Update test262 configuration to not run tests dependent on ICU version.
476         https://bugs.webkit.org/show_bug.cgi?id=192920
477
478         Reviewed by Saam Barati.
479
480         * test262/expectations.yaml:
481
482 2018-12-20  Mark Lam  <mark.lam@apple.com>
483
484         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
485         https://bugs.webkit.org/show_bug.cgi?id=192939
486         <rdar://problem/46869516>
487
488         Reviewed by Keith Miller.
489
490         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
491
492 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
493
494         WTF::String and StringImpl overflow MaxLength
495         https://bugs.webkit.org/show_bug.cgi?id=192853
496         <rdar://problem/45726906>
497
498         Reviewed by Mark Lam.
499
500         * stress/string-16bit-repeat-overflow.js: Added.
501         (catch):
502
503 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
504
505         Unreviewed follow-up to r192914.
506
507         * test262/expectations.yaml:
508         Add the last 20 missing expectations.
509
510 2018-12-19  Keith Miller  <keith_miller@apple.com>
511
512         Fix test262 expectations
513         https://bugs.webkit.org/show_bug.cgi?id=192914
514
515         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
516
517         * test262/expectations.yaml:
518
519 2018-12-19  Keith Miller  <keith_miller@apple.com>
520
521         Update test262 tests.
522         https://bugs.webkit.org/show_bug.cgi?id=192907
523
524         Rubber stamped by Mark Lam.
525
526         * test262/*: Omitted because prepare-changelog crashes.
527
528 2018-12-19  Mark Lam  <mark.lam@apple.com>
529
530         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
531         https://bugs.webkit.org/show_bug.cgi?id=192464
532         <rdar://problem/46519455>
533
534         Reviewed by Saam Barati.
535
536         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
537         microbenchmark.
538
539         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
540         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
541
542 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
543
544         String overflow in JSC::createError results in ASSERT in WTF::makeString
545         https://bugs.webkit.org/show_bug.cgi?id=192833
546         <rdar://problem/45706868>
547
548         Reviewed by Mark Lam.
549
550         * stress/string-overflow-createError.js: Added.
551
552 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
553
554         Error message for `-x ** y` contains a typo.
555         https://bugs.webkit.org/show_bug.cgi?id=192832
556
557         Reviewed by Saam Barati.
558
559         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
560         (assert.assert.return.throws):
561         * stress/pow-expects-update-expression-on-lhs.js:
562         (throw.new.Error):
563         Update test expectations which match against the exact error message.
564
565 2018-12-18  Mark Lam  <mark.lam@apple.com>
566
567         Gardening: test options fix.
568         https://bugs.webkit.org/show_bug.cgi?id=192822
569
570         Unreviewed.
571
572         * stress/json-stringify-string-builder-overflow.js:
573
574 2018-12-18  Mark Lam  <mark.lam@apple.com>
575
576         JSON.stringify() should throw OOM on StringBuilder overflows.
577         https://bugs.webkit.org/show_bug.cgi?id=192822
578         <rdar://problem/46670577>
579
580         Reviewed by Saam Barati.
581
582         * stress/json-stringify-string-builder-overflow.js: Added.
583
584 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
585
586         Redeclaration of var over let/const/class should be a syntax error.
587         https://bugs.webkit.org/show_bug.cgi?id=192298
588
589         Reviewed by Keith Miller.
590
591         * test262.yaml:
592         * test262/expectations.yaml:
593         Mark 46 tests as passing.
594
595         * stress/block-scope-redeclarations.js:
596         Add some new tests.
597
598         * stress/for-in-invalidate-context-weird-assignments.js:
599         * stress/for-in-tests.js:
600         Replace tests for outdated behavior with tests for SyntaxError.
601
602         * ChakraCore/test/LetConst/defer3.baseline-jsc:
603         * ChakraCore/test/LetConst/letvar.baseline-jsc:
604         Update expectations.
605
606 2018-12-18  Mark Lam  <mark.lam@apple.com>
607
608         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
609         https://bugs.webkit.org/show_bug.cgi?id=191374
610         <rdar://problem/46525447>
611
612         Reviewed by Yusuke Suzuki.
613
614         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
615
616         * stress/elidable-new-object-roflcopter-then-exit.js:
617
618 2018-12-17  Mark Lam  <mark.lam@apple.com>
619
620         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
621         https://bugs.webkit.org/show_bug.cgi?id=192019
622         <rdar://problem/46525456>
623
624         Reviewed by Yusuke Suzuki.
625
626         The test runs too slow on 32-bit.
627
628         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
629
630 2018-12-17  Mark Lam  <mark.lam@apple.com>
631
632         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
633         https://bugs.webkit.org/show_bug.cgi?id=191373
634         <rdar://problem/46525458>
635
636         Reviewed by Yusuke Suzuki.
637
638         The test is already slow running with a JIT on 64-bit.  It will always timeout
639         on 32-bit without a JIT.
640
641         * stress/materialize-regexp-cyclic-regexp.js:
642
643 2018-12-17  Mark Lam  <mark.lam@apple.com>
644
645         Array unshift/shift should not race against the AI in the compiler thread.
646         https://bugs.webkit.org/show_bug.cgi?id=192795
647         <rdar://problem/46724263>
648
649         Reviewed by Saam Barati.
650
651         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
652
653 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
654
655         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
656         https://bugs.webkit.org/show_bug.cgi?id=190047
657
658         Reviewed by Saam Barati.
659
660         * stress/object-keys-cached-zero.js: Added.
661         (shouldBe):
662         (test):
663         * stress/object-keys-changed-attribute.js: Added.
664         (shouldBe):
665         (test):
666         * stress/object-keys-changed-index.js: Added.
667         (shouldBe):
668         (test):
669         * stress/object-keys-changed.js: Added.
670         (shouldBe):
671         (test):
672         * stress/object-keys-indexed-non-cache.js: Added.
673         (shouldBe):
674         (test):
675         * stress/object-keys-overrides-get-property-names.js: Added.
676         (shouldBe):
677         (test):
678         (noInline):
679
680 2018-12-17  Mark Lam  <mark.lam@apple.com>
681
682         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
683         https://bugs.webkit.org/show_bug.cgi?id=192779
684         <rdar://problem/46775869>
685
686         Reviewed by Saam Barati.
687
688         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
689
690 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
691
692         Unreviewed test gardening, address a syntax error in a new test.
693
694         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
695
696 2018-12-17  Mark Lam  <mark.lam@apple.com>
697
698         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
699         https://bugs.webkit.org/show_bug.cgi?id=192776
700         <rdar://problem/46772368>
701
702         Reviewed by Keith Miller.
703
704         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
705
706 2018-12-17  Mark Lam  <mark.lam@apple.com>
707
708         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
709         https://bugs.webkit.org/show_bug.cgi?id=192770
710         <rdar://problem/46449037>
711
712         Reviewed by Keith Miller.
713
714         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
715
716 2018-12-14  Mark Lam  <mark.lam@apple.com>
717
718         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
719         https://bugs.webkit.org/show_bug.cgi?id=192717
720         <rdar://problem/46660677>
721
722         Reviewed by Saam Barati.
723
724         * stress/regress-192717.js: Added.
725
726 2018-12-14  Commit Queue  <commit-queue@webkit.org>
727
728         Unreviewed, rolling out r239153, r239154, and r239155.
729         https://bugs.webkit.org/show_bug.cgi?id=192715
730
731         Caused flaky GC-related crashes seen with layout tests
732         (Requested by ryanhaddad on #webkit).
733
734         Reverted changesets:
735
736         "[JSC] Optimize Object.keys by caching own keys results in
737         StructureRareData"
738         https://bugs.webkit.org/show_bug.cgi?id=190047
739         https://trac.webkit.org/changeset/239153
740
741         "Unreviewed, build fix after r239153"
742         https://bugs.webkit.org/show_bug.cgi?id=190047
743         https://trac.webkit.org/changeset/239154
744
745         "Unreviewed, build fix after r239153, part 2"
746         https://bugs.webkit.org/show_bug.cgi?id=190047
747         https://trac.webkit.org/changeset/239155
748
749 2018-12-14  Keith Miller  <keith_miller@apple.com>
750
751         Callers of JSString::getIndex should check for OOM exceptions
752         https://bugs.webkit.org/show_bug.cgi?id=192709
753
754         Reviewed by Mark Lam.
755
756         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
757
758 2018-12-13  Mark Lam  <mark.lam@apple.com>
759
760         Add a missing exception check.
761         https://bugs.webkit.org/show_bug.cgi?id=192626
762         <rdar://problem/46662163>
763
764         Reviewed by Keith Miller.
765
766         * stress/regress-192626.js: Added.
767
768 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
769
770         [BigInt] Add ValueDiv into DFG
771         https://bugs.webkit.org/show_bug.cgi?id=186178
772
773         Reviewed by Yusuke Suzuki.
774
775         * stress/big-int-div-jit-osr.js: Added.
776         * stress/big-int-div-jit-untyped.js: Added.
777         * stress/value-div-fixup-int32-big-int.js: Added.
778
779 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
780
781         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
782         https://bugs.webkit.org/show_bug.cgi?id=190047
783
784         Reviewed by Keith Miller.
785
786         * stress/object-keys-cached-zero.js: Added.
787         (shouldBe):
788         (test):
789         * stress/object-keys-changed-attribute.js: Added.
790         (shouldBe):
791         (test):
792         * stress/object-keys-changed-index.js: Added.
793         (shouldBe):
794         (test):
795         * stress/object-keys-changed.js: Added.
796         (shouldBe):
797         (test):
798         * stress/object-keys-indexed-non-cache.js: Added.
799         (shouldBe):
800         (test):
801         * stress/object-keys-overrides-get-property-names.js: Added.
802         (shouldBe):
803         (test):
804         (noInline):
805
806 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
807
808         [DFG][FTL] Add NewSymbol
809         https://bugs.webkit.org/show_bug.cgi?id=192620
810
811         Reviewed by Saam Barati.
812
813         * microbenchmarks/symbol-creation.js: Added.
814         (test):
815         * stress/symbol-description-identity.js: Added.
816         (shouldBe):
817         (test):
818         * stress/symbol-identity.js: Added.
819         (shouldBe):
820         (test):
821         * stress/symbol-with-description-throw-error.js: Added.
822         (shouldBe):
823         (shouldThrow):
824         (test):
825         (object.toString):
826
827 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
828
829         [BigInt] Implement DFG/FTL typeof for BigInt
830         https://bugs.webkit.org/show_bug.cgi?id=192619
831
832         Reviewed by Keith Miller.
833
834         * stress/big-int-boolean-proven-type.js: Added.
835         (assert):
836         (bool):
837         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
838         (assert):
839         (typeOf):
840         (i.switch):
841         * stress/big-int-type-of-proven-type-non-constant.js: Added.
842         (assert):
843         (typeOf):
844         * stress/big-int-type-of.js:
845         (typeOf):
846         (func):
847
848 2018-12-10  Mark Lam  <mark.lam@apple.com>
849
850         PropertyAttribute needs a CustomValue bit.
851         https://bugs.webkit.org/show_bug.cgi?id=191993
852         <rdar://problem/46264467>
853
854         Reviewed by Saam Barati.
855
856         * stress/regress-191993.js: Added.
857
858 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
859
860         [BigInt] Add ValueMul into DFG
861         https://bugs.webkit.org/show_bug.cgi?id=186175
862
863         Reviewed by Yusuke Suzuki.
864
865         * stress/big-int-mul-jit-osr.js: Added.
866         * stress/big-int-mul-jit-untyped.js: Added.
867         * stress/value-mul-fixup-int32-big-int.js: Added.
868
869 2018-12-06  Keith Miller  <keith_miller@apple.com>
870
871         stress/big-wasm-memory tests failing on 32-bit JSC bot
872         https://bugs.webkit.org/show_bug.cgi?id=192020
873
874         Reviewed by Saam Barati.
875
876         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
877         the wasm stress tests if the WebAssembly object does not exist.
878
879         * stress/big-wasm-memory-grow-no-max.js:
880         (test.foo):
881         (test):
882         (foo): Deleted.
883         (catch): Deleted.
884         * stress/big-wasm-memory-grow.js:
885         (test.foo):
886         (test):
887         (foo): Deleted.
888         (catch): Deleted.
889         * stress/big-wasm-memory.js:
890         (test.foo):
891         (test):
892         (foo): Deleted.
893         (catch): Deleted.
894
895 2018-12-05  Mark Lam  <mark.lam@apple.com>
896
897         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
898         https://bugs.webkit.org/show_bug.cgi?id=192441
899         <rdar://problem/46480355>
900
901         Reviewed by Saam Barati.
902
903         * stress/regress-192441.js: Added.
904
905 2018-12-04  Mark Lam  <mark.lam@apple.com>
906
907         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
908         https://bugs.webkit.org/show_bug.cgi?id=192386
909         <rdar://problem/46445516>
910
911         Reviewed by Saam Barati.
912
913         * stress/regress-192386.js: Added.
914
915 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
916
917         [ESNext][BigInt] Support logic operations
918         https://bugs.webkit.org/show_bug.cgi?id=179903
919
920         Reviewed by Yusuke Suzuki.
921
922         * stress/big-int-branch-usage.js: Added.
923         * stress/big-int-logical-and.js: Added.
924         * stress/big-int-logical-not.js: Added.
925         * stress/big-int-logical-or.js: Added.
926
927 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
928
929         Unreviewed, rolling out r238833.
930
931         Breaks macOS and iOS debug builds.
932
933         Reverted changeset:
934
935         "[ESNext][BigInt] Support logic operations"
936         https://bugs.webkit.org/show_bug.cgi?id=179903
937         https://trac.webkit.org/changeset/238833
938
939 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
940
941         [ESNext][BigInt] Support logic operations
942         https://bugs.webkit.org/show_bug.cgi?id=179903
943
944         Reviewed by Yusuke Suzuki.
945
946         * stress/big-int-branch-usage.js: Added.
947         * stress/big-int-logical-and.js: Added.
948         * stress/big-int-logical-not.js: Added.
949         * stress/big-int-logical-or.js: Added.
950
951 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
952
953         [ESNext][BigInt] Implement support for "<<" and ">>"
954         https://bugs.webkit.org/show_bug.cgi?id=186233
955
956         Reviewed by Yusuke Suzuki.
957
958         * stress/big-int-left-shift-general.js: Added.
959         * stress/big-int-left-shift-range-error.js: Added.
960         * stress/big-int-left-shift-type-error.js: Added.
961         * stress/big-int-left-shift-wrapped-value.js: Added.
962         * stress/big-int-right-shift-general.js: Added.
963         * stress/big-int-right-shift-type-error.js: Added.
964         * stress/big-int-right-shift-wrapped-value.js: Added.
965         * stress/left-shift-to-primitive-precedence.js: Added.
966         * stress/right-shift-to-primitive-precedence.js: Added.
967
968 2018-11-30  Dean Jackson  <dino@apple.com>
969
970         Add first-class support for .mjs files in jsc binary
971         https://bugs.webkit.org/show_bug.cgi?id=192190
972         <rdar://problem/46375715>
973
974         Reviewed by Keith Miller.
975
976         * stress/simple-module.mjs: Added.
977         * stress/simple-script.js: Added.
978
979 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
980
981         [BigInt] Implement ValueBitXor into DFG
982         https://bugs.webkit.org/show_bug.cgi?id=190264
983
984         Reviewed by Yusuke Suzuki.
985
986         * stress/big-int-bitwise-xor-jit.js: Added.
987         * stress/big-int-bitwise-xor-memory-stress.js: Added.
988         * stress/big-int-bitwise-xor-untyped.js: Added.
989
990 2018-11-27  Saam barati  <sbarati@apple.com>
991
992         r238510 broke scopes of size zero
993         https://bugs.webkit.org/show_bug.cgi?id=192033
994         <rdar://problem/46281734>
995
996         Reviewed by Keith Miller.
997
998         * stress/r238510-bad-loop.js: Added.
999         (foo):
1000
1001 2018-11-27  Mark Lam  <mark.lam@apple.com>
1002
1003         [Re-landing] NaNs read from Wasm code needs to be be purified.
1004         https://bugs.webkit.org/show_bug.cgi?id=191056
1005         <rdar://problem/45660341>
1006
1007         Reviewed by Filip Pizlo.
1008
1009         * wasm/regress/regress-191056.js: Added.
1010
1011 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1012
1013         Unreviewed, rolling out r238509.
1014
1015         Causes JSC tests to fail on iOS.
1016
1017         Reverted changeset:
1018
1019         "NaNs read from Wasm code needs to be be purified."
1020         https://bugs.webkit.org/show_bug.cgi?id=191056
1021         https://trac.webkit.org/changeset/238509
1022
1023 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1024
1025         Re-introduce op_bitnot
1026         https://bugs.webkit.org/show_bug.cgi?id=190923
1027
1028         Reviewed by Yusuke Suzuki.
1029
1030         * stress/bit-not-must-generate.js: Added.
1031         * stress/bitwise-not-no-int32.js: Added.
1032
1033 2018-11-26  Saam barati  <sbarati@apple.com>
1034
1035         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1036         https://bugs.webkit.org/show_bug.cgi?id=191956
1037         <rdar://problem/45665806>
1038
1039         Reviewed by Yusuke Suzuki.
1040
1041         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1042         (bar):
1043         (foo):
1044
1045 2018-11-26  Saam barati  <sbarati@apple.com>
1046
1047         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1048         https://bugs.webkit.org/show_bug.cgi?id=191958
1049         <rdar://problem/46221877>
1050
1051         Reviewed by Yusuke Suzuki.
1052
1053         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1054         (x):
1055         (foo):
1056
1057 2018-11-26  Mark Lam  <mark.lam@apple.com>
1058
1059         NaNs read from Wasm code needs to be be purified.
1060         https://bugs.webkit.org/show_bug.cgi?id=191056
1061         <rdar://problem/45660341>
1062
1063         Reviewed by Filip Pizlo.
1064
1065         * wasm/regress/regress-191056.js: Added.
1066
1067 2018-11-26  Michael Saboff  <msaboff@apple.com>
1068
1069         32-bit JSC test failure: stress/regexp-compile-oom.js
1070         https://bugs.webkit.org/show_bug.cgi?id=191375
1071
1072         Reviewed by Mark Lam.
1073
1074         Disabled the test for 32 bit platforms.
1075
1076         * stress/regexp-compile-oom.js:
1077
1078 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1079
1080         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1081         https://bugs.webkit.org/show_bug.cgi?id=191716
1082         <rdar://problem/45723878>
1083
1084         Reviewed by Saam Barati.
1085
1086         * stress/regress-187373.js: Added.
1087         (async.fn):
1088
1089 2018-11-21  Saam barati  <sbarati@apple.com>
1090
1091         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1092         https://bugs.webkit.org/show_bug.cgi?id=191897
1093         <rdar://problem/45871998>
1094
1095         Reviewed by Mark Lam.
1096
1097         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1098         (bar):
1099         (foo):
1100
1101 2018-11-21  Saam barati  <sbarati@apple.com>
1102
1103         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1104         https://bugs.webkit.org/show_bug.cgi?id=191895
1105         <rdar://problem/46167406>
1106
1107         Reviewed by Mark Lam.
1108
1109         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1110         (foo):
1111         (bar):
1112
1113 2018-11-21  Mark Lam  <mark.lam@apple.com>
1114
1115         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1116         https://bugs.webkit.org/show_bug.cgi?id=191776
1117         <rdar://problem/46152851>
1118
1119         Reviewed by Saam Barati.
1120
1121         * stress/big-wasm-memory-grow-no-max.js:
1122         * stress/big-wasm-memory-grow.js:
1123         * stress/big-wasm-memory.js:
1124         - updated these to expect an OutOfMemoryError.
1125
1126         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1127         (Binary.prototype.emit_u8):
1128         (Binary.prototype.emit_u32v):
1129         (Binary.prototype.emit_header):
1130         (Binary.prototype.emit_section):
1131         (Binary):
1132         (WasmModuleBuilder):
1133         (WasmModuleBuilder.prototype.addMemory):
1134         (WasmModuleBuilder.prototype.toArray):
1135         (WasmModuleBuilder.prototype.toBuffer):
1136         (WasmModuleBuilder.prototype.instantiate):
1137         (catch):
1138         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1139         (catch):
1140
1141 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1142
1143         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1144         https://bugs.webkit.org/show_bug.cgi?id=190836
1145
1146         Reviewed by Saam Barati and Yusuke Suzuki.
1147
1148         * stress/big-int-out-of-memory-tests.js: Added.
1149
1150 2018-11-20  Mark Lam  <mark.lam@apple.com>
1151
1152         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1153         https://bugs.webkit.org/show_bug.cgi?id=191856
1154         <rdar://problem/46089992>
1155
1156         Reviewed by Yusuke Suzuki.
1157
1158         * stress/regress-191856.js: Added.
1159         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1160
1161 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1162
1163         Enable JIT on ARM/Linux
1164         https://bugs.webkit.org/show_bug.cgi?id=191548
1165
1166         Reviewed by Yusuke Suzuki.
1167
1168         Disable test on system with limited memory. Program was killed by
1169         the OS before the exception was thrown.
1170
1171         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1172
1173 2018-11-20  Saam barati  <sbarati@apple.com>
1174
1175         Merging an IC variant may lead to the IC status containing overlapping structure sets
1176         https://bugs.webkit.org/show_bug.cgi?id=191869
1177         <rdar://problem/45403453>
1178
1179         Reviewed by Mark Lam.
1180
1181         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1182
1183 2018-11-19  Mark Lam  <mark.lam@apple.com>
1184
1185         globalFuncImportModule() should return a promise when it clears exceptions.
1186         https://bugs.webkit.org/show_bug.cgi?id=191792
1187         <rdar://problem/46090763>
1188
1189         Reviewed by Michael Saboff.
1190
1191         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1192
1193 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1194
1195         Skip new memory-hungry tests on memory limited devices
1196
1197         Unreviewed gardening.
1198
1199         * stress/big-wasm-memory-grow-no-max.js:
1200         * stress/big-wasm-memory-grow.js:
1201         * stress/big-wasm-memory.js:
1202
1203 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1204
1205         Unreviewed, rolling in the rest of r237254
1206         https://bugs.webkit.org/show_bug.cgi?id=190340
1207
1208         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1209         * stress/function-cache-with-parameters-end-position.js: Added.
1210         (shouldBe):
1211         (shouldThrow):
1212         (i.anonymous):
1213         * stress/function-constructor-name.js: Added.
1214         (shouldBe):
1215         (GeneratorFunction):
1216         (AsyncFunction.async):
1217         (AsyncGeneratorFunction.async):
1218         (anonymous):
1219         (async.anonymous):
1220         * test262/expectations.yaml:
1221
1222 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1223
1224         All users of ArrayBuffer should agree on the same max size
1225         https://bugs.webkit.org/show_bug.cgi?id=191771
1226
1227         Reviewed by Mark Lam.
1228
1229         * stress/big-wasm-memory-grow-no-max.js: Added.
1230         (foo):
1231         (catch):
1232         * stress/big-wasm-memory-grow.js: Added.
1233         (foo):
1234         (catch):
1235         * stress/big-wasm-memory.js: Added.
1236         (foo):
1237         (catch):
1238
1239 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1240
1241         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1242         run for each JSC config since they're regression tests for runtime bugs.
1243
1244         * stress/json-stringified-overflow-2.js:
1245         * stress/json-stringified-overflow.js:
1246
1247 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1248
1249         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1250         config since they're regression tests for runtime bugs.
1251
1252         * stress/large-unshift-splice.js:
1253         * stress/regress-185888.js:
1254
1255 2018-11-16  Saam Barati  <sbarati@apple.com>
1256
1257         KnownCellUse should also have SpecCellCheck as its type filter
1258         https://bugs.webkit.org/show_bug.cgi?id=191729
1259         <rdar://problem/45872852>
1260
1261         Reviewed by Filip Pizlo.
1262
1263         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1264         (C):
1265
1266 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1267
1268         Fix assertion failure on BytecodeGenerator::recordOpcode
1269         https://bugs.webkit.org/show_bug.cgi?id=191724
1270         <rdar://problem/45724395>
1271
1272         Reviewed by Saam Barati.
1273
1274         * stress/regress-187373-2.js: Added.
1275         (foo):
1276
1277 2018-11-15  Mark Lam  <mark.lam@apple.com>
1278
1279         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1280         https://bugs.webkit.org/show_bug.cgi?id=191730
1281         <rdar://problem/46048517>
1282
1283         Reviewed by Saam Barati.
1284
1285         * stress/regress-187006.js: Removed.
1286           - this test is invalid because its sole purpose is to test for the non-spec
1287             compliant behavior that we just fixed.
1288
1289         * stress/regress-191730.js: Added.
1290
1291 2018-11-15  Mark Lam  <mark.lam@apple.com>
1292
1293         RegExp operations should not take fast patch if lastIndex is not numeric.
1294         https://bugs.webkit.org/show_bug.cgi?id=191731
1295         <rdar://problem/46017305>
1296
1297         Reviewed by Saam Barati.
1298
1299         * stress/regress-191731.js: Added.
1300
1301 2018-11-13  Saam Barati  <sbarati@apple.com>
1302
1303         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1304         https://bugs.webkit.org/show_bug.cgi?id=191600
1305
1306         Reviewed by Mark Lam.
1307
1308         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1309         (foo):
1310         (test):
1311         (bar):
1312
1313 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1314
1315         Unreviewed, rolling out r238132.
1316
1317         The test added with this change is timing out on Debug JSC
1318         bots.
1319
1320         Reverted changeset:
1321
1322         "[BigInt] JSBigInt::createWithLength should throw when length
1323         is greater than JSBigInt::maxLength"
1324         https://bugs.webkit.org/show_bug.cgi?id=190836
1325         https://trac.webkit.org/changeset/238132
1326
1327 2018-11-13  Mark Lam  <mark.lam@apple.com>
1328
1329         Add OOM detection to StringPrototype's substituteBackreferences().
1330         https://bugs.webkit.org/show_bug.cgi?id=191563
1331         <rdar://problem/45720428>
1332
1333         Reviewed by Saam Barati.
1334
1335         * stress/regress-191563.js: Added.
1336
1337 2018-11-13  Mark Lam  <mark.lam@apple.com>
1338
1339         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1340         https://bugs.webkit.org/show_bug.cgi?id=191579
1341         <rdar://problem/45942472>
1342
1343         Reviewed by Saam Barati.
1344
1345         * stress/regress-191579.js: Added.
1346
1347 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1348
1349         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1350         https://bugs.webkit.org/show_bug.cgi?id=190836
1351
1352         Reviewed by Saam Barati.
1353
1354         * stress/big-int-out-of-memory-tests.js: Added.
1355
1356 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1357
1358         U+180E is no longer a whitespace character
1359         https://bugs.webkit.org/show_bug.cgi?id=191415
1360
1361         Reviewed by Saam Barati.
1362
1363         * ChakraCore/test/es5/regexSpace.baseline:
1364         * ChakraCore/test/es6/unicode_whitespace.js:
1365         Update tests to latest version.
1366         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1367
1368         * test262.yaml:
1369         * test262/config.yaml:
1370         * test262/expectations.yaml:
1371         Update expectations.
1372
1373 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1374
1375         [BigInt] Add support to BigInt into ValueAdd
1376         https://bugs.webkit.org/show_bug.cgi?id=186177
1377
1378         Reviewed by Keith Miller.
1379
1380         * stress/big-int-negate-jit.js:
1381         * stress/value-add-big-int-and-string.js: Added.
1382         * stress/value-add-big-int-prediction-propagation.js: Added.
1383         * stress/value-add-big-int-untyped.js: Added.
1384
1385 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1386
1387         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1388         https://bugs.webkit.org/show_bug.cgi?id=191184
1389
1390         Reviewed by Saam Barati.
1391
1392         Most tests were failing due to timeouts, since they are too slow to
1393         run on CLoop. The exceptions are:
1394
1395         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1396         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1397         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1398         to change the stack size since CLoop requires it to be page aligned.
1399
1400         * microbenchmarks/array-push-1.js:
1401         * microbenchmarks/array-push-2.js:
1402         * microbenchmarks/elidable-new-object-dag.js:
1403         * microbenchmarks/elidable-new-object-roflcopter.js:
1404         * microbenchmarks/elidable-new-object-tree.js:
1405         * microbenchmarks/getter-richards.js:
1406         * microbenchmarks/sinkable-new-object-dag.js:
1407         * microbenchmarks/string-concat-long-convert.js:
1408         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1409         * slowMicrobenchmarks/array-push-3.js:
1410         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1411         * slowMicrobenchmarks/spread-small-array.js:
1412         * slowMicrobenchmarks/undefined-property-access.js:
1413         * stress/activation-sink-default-value-tdz-error.js:
1414         * stress/activation-sink-default-value.js:
1415         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1416         * stress/activation-sink-osrexit-default-value.js:
1417         * stress/activation-sink-osrexit.js:
1418         * stress/activation-sink.js:
1419         * stress/allow-math-ic-b3-code-duplication.js:
1420         * stress/array-push-multiple-int32.js:
1421         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1422         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1423         * stress/arrowfunction-lexical-this-activation-sink.js:
1424         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1425         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1426         * stress/elide-new-object-dag-then-exit.js:
1427         * stress/materialize-regexp-cyclic.js:
1428         * stress/new-regex-inline.js:
1429         * stress/op_add.js:
1430         * stress/op_bitand.js:
1431         * stress/op_bitor.js:
1432         * stress/op_bitxor.js:
1433         * stress/op_div-ConstVar.js:
1434         * stress/op_div-VarConst.js:
1435         * stress/op_div-VarVar.js:
1436         * stress/op_lshift-ConstVar.js:
1437         * stress/op_lshift-VarConst.js:
1438         * stress/op_lshift-VarVar.js:
1439         * stress/op_mod-ConstVar.js:
1440         * stress/op_mod-VarConst.js:
1441         * stress/op_mod-VarVar.js:
1442         * stress/op_mul-ConstVar.js:
1443         * stress/op_mul-VarConst.js:
1444         * stress/op_mul-VarVar.js:
1445         * stress/op_rshift-ConstVar.js:
1446         * stress/op_rshift-VarConst.js:
1447         * stress/op_rshift-VarVar.js:
1448         * stress/op_sub-ConstVar.js:
1449         * stress/op_sub-VarConst.js:
1450         * stress/op_sub-VarVar.js:
1451         * stress/op_urshift-ConstVar.js:
1452         * stress/op_urshift-VarConst.js:
1453         * stress/op_urshift-VarVar.js:
1454         * stress/proxy-get-set-correct-receiver.js:
1455         * stress/regress-179562.js:
1456         * stress/rest-parameter-many-arguments.js:
1457         * stress/sampling-profiler-richards.js:
1458         * stress/splay-flash-access-1ms.js:
1459         * stress/tailCallForwardArguments.js:
1460         * stress/typed-array-get-by-val-profiling.js:
1461         * typeProfiler/getter-richards.js:
1462
1463 2018-11-06  Michael Saboff  <msaboff@apple.com>
1464
1465         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1466         https://bugs.webkit.org/show_bug.cgi?id=191271
1467
1468         Reviewed by Saam Barati.
1469
1470         Added more test cases and made all test cases run with the same deeply recursive stack
1471         instead of finding that same point for each test case.
1472
1473         * stress/regexp-compile-oom.js:
1474         (prototype.runTest):
1475         (recurseAndTest):
1476         (testList.push.new.TestAndExpectedException):
1477
1478 2018-11-05  Michael Saboff  <msaboff@apple.com>
1479
1480         Unreviewed build fix for linux.
1481
1482         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1483
1484 2018-11-02  Michael Saboff  <msaboff@apple.com>
1485
1486         Rolling in r237753 with unreviewed build fix.
1487
1488         Fixed issues with DECLARE_THROW_SCOPE placement.
1489
1490 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1491
1492         Unreviewed, rolling out r237753.
1493
1494         Introduced JSC test failures
1495
1496         Reverted changeset:
1497
1498         "Running out of stack space not properly handled in
1499         RegExp::compile() and its callers"
1500         https://bugs.webkit.org/show_bug.cgi?id=191206
1501         https://trac.webkit.org/changeset/237753
1502
1503 2018-11-02  Michael Saboff  <msaboff@apple.com>
1504
1505         Running out of stack space not properly handled in RegExp::compile() and its callers
1506         https://bugs.webkit.org/show_bug.cgi?id=191206
1507
1508         Reviewed by Filip Pizlo.
1509
1510         New regression test.
1511
1512         * stress/regexp-compile-oom.js: Added.
1513         (recurseAndTest):
1514
1515 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1516
1517         Skip tests on arm/mips that time out now we're running on CLoop
1518
1519         Unreviewed gardening.
1520
1521         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1522         time out on the bots and need to be disabled. There's more tests
1523         disabled on arm because the timeout is longer on the mips bot (as the
1524         device is slower to start with), so many of the tests don't time out
1525         there.
1526
1527         * microbenchmarks/getter-richards.js: disable on arm and mips.
1528         * stress/op_add.js: disable on arm.
1529         * stress/op_bitand.js: disable on arm.
1530         * stress/op_bitor.js: disable on arm.
1531         * stress/op_bitxor.js: disable on arm.
1532         * stress/op_lshift-ConstVar.js: disable on arm.
1533         * stress/op_lshift-VarConst.js: disable on arm.
1534         * stress/op_lshift-VarVar.js: disable on arm.
1535         * stress/op_mod-ConstVar.js: disable on arm.
1536         * stress/op_mod-VarConst.js: disable on arm.
1537         * stress/op_mod-VarVar.js: disable on arm.
1538         * stress/op_mul-ConstVar.js: disable on arm.
1539         * stress/op_mul-VarConst.js: disable on arm.
1540         * stress/op_mul-VarVar.js: disable on arm.
1541         * stress/op_rshift-ConstVar.js: disable on arm.
1542         * stress/op_rshift-VarConst.js: disable on arm.
1543         * stress/op_rshift-VarVar.js: disable on arm.
1544         * stress/op_sub-ConstVar.js: disable on arm.
1545         * stress/op_sub-VarConst.js: disable on arm.
1546         * stress/op_sub-VarVar.js: disable on arm.
1547         * stress/op_urshift-ConstVar.js: disable on arm.
1548         * stress/op_urshift-VarConst.js: disable on arm.
1549         * stress/op_urshift-VarVar.js: disable on arm.
1550         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1551         * stress/value-to-boolean.js: disable on arm and mips.
1552
1553 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1554
1555         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1556         https://bugs.webkit.org/show_bug.cgi?id=191108
1557         <rdar://problem/45690700>
1558
1559         Reviewed by Saam Barati.
1560
1561         * stress/wide-op_catch.js: Added.
1562         (catch):
1563
1564 2018-10-29  Mark Lam  <mark.lam@apple.com>
1565
1566         Correctly detect string overflow when using the 'Function' constructor.
1567         https://bugs.webkit.org/show_bug.cgi?id=184883
1568         <rdar://problem/36320331>
1569
1570         Reviewed by Saam Barati.
1571
1572         I've verified that this passes on 32-bit as well.
1573
1574         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1575
1576 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1577
1578         Add support for GetStack FlushedDouble
1579         https://bugs.webkit.org/show_bug.cgi?id=191012
1580         <rdar://problem/45265141>
1581
1582         Reviewed by Saam Barati.
1583
1584         * stress/get-stack-double.js: Added.
1585         (bar):
1586         (noInline):
1587
1588 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1589
1590         New bytecode format for JSC
1591         https://bugs.webkit.org/show_bug.cgi?id=187373
1592         <rdar://problem/44186758>
1593
1594         Reviewed by Filip Pizlo.
1595
1596         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1597
1598         * stress/maximum-inline-capacity.js: Added.
1599         (test1):
1600         (test3.Foo):
1601         (test3):
1602
1603 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1604
1605         Unreviewed, rolling out r237479 and r237484.
1606         https://bugs.webkit.org/show_bug.cgi?id=190978
1607
1608         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1609
1610         Reverted changesets:
1611
1612         "New bytecode format for JSC"
1613         https://bugs.webkit.org/show_bug.cgi?id=187373
1614         https://trac.webkit.org/changeset/237479
1615
1616         "Gardening: Build fix after r237479."
1617         https://bugs.webkit.org/show_bug.cgi?id=187373
1618         https://trac.webkit.org/changeset/237484
1619
1620 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1621
1622         New bytecode format for JSC
1623         https://bugs.webkit.org/show_bug.cgi?id=187373
1624         <rdar://problem/44186758>
1625
1626         Reviewed by Filip Pizlo.
1627
1628         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1629
1630         * stress/maximum-inline-capacity.js: Added.
1631         (test1):
1632         (test3.Foo):
1633         (test3):
1634
1635 2018-10-26  Mark Lam  <mark.lam@apple.com>
1636
1637         Fix missing edge cases with JSGlobalObjects having a bad time.
1638         https://bugs.webkit.org/show_bug.cgi?id=189028
1639         <rdar://problem/45204939>
1640
1641         Reviewed by Saam Barati.
1642
1643         * stress/regress-189028.js: Added.
1644
1645 2018-10-22  Mark Lam  <mark.lam@apple.com>
1646
1647         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1648         https://bugs.webkit.org/show_bug.cgi?id=190515
1649         <rdar://problem/45222379>
1650
1651         Rubber-stamped by Saam Barati.
1652
1653         Adding another test.
1654
1655         * stress/regress-190515-2.js: Added.
1656
1657 2018-10-22  Mark Lam  <mark.lam@apple.com>
1658
1659         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1660         https://bugs.webkit.org/show_bug.cgi?id=190515
1661         <rdar://problem/45222379>
1662
1663         Reviewed by Saam Barati.
1664
1665         * stress/regress-190515.js: Added.
1666
1667 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1668
1669         Unreviewed, rolling out r237254.
1670         https://bugs.webkit.org/show_bug.cgi?id=190760
1671
1672         "It regresses JetStream 2 by 5% on some iOS devices"
1673         (Requested by saamyjoon on #webkit).
1674
1675         Reverted changeset:
1676
1677         "[JSC] JSC should have "parseFunction" to optimize Function
1678         constructor"
1679         https://bugs.webkit.org/show_bug.cgi?id=190340
1680         https://trac.webkit.org/changeset/237254
1681
1682 2018-10-19  Saam Barati  <sbarati@apple.com>
1683
1684         vmCall should check if we exit before emitting an OSR exit due to exceptions
1685         https://bugs.webkit.org/show_bug.cgi?id=190740
1686         <rdar://problem/45220139>
1687
1688         Reviewed by Mark Lam.
1689
1690         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1691         (foo):
1692
1693 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1694
1695         [ESNext][BigInt] Implement support for "^"
1696         https://bugs.webkit.org/show_bug.cgi?id=186235
1697
1698         Reviewed by Yusuke Suzuki.
1699
1700         * stress/big-int-bitwise-xor-general.js: Added.
1701         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1702         * stress/big-int-bitwise-xor-type-error.js: Added.
1703         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1704
1705 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1706
1707         [BigInt] Add ValueSub into DFG
1708         https://bugs.webkit.org/show_bug.cgi?id=186176
1709
1710         Reviewed by Yusuke Suzuki.
1711
1712         * stress/big-int-subtraction-jit.js:
1713         * stress/value-sub-big-int-prediction-propagation.js: Added.
1714         * stress/value-sub-big-int-untyped.js: Added.
1715         * stress/value-sub-spec-none-case.js: Added.
1716
1717 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1718
1719         [JSC] JSC should have "parseFunction" to optimize Function constructor
1720         https://bugs.webkit.org/show_bug.cgi?id=190340
1721
1722         Reviewed by Mark Lam.
1723
1724         This patch fixes the line number of syntax errors raised by the Function constructor,
1725         since we now parse the final code only once. And we no longer use block statement
1726         for Function constructor's parsing.
1727
1728         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1729         * stress/function-cache-with-parameters-end-position.js: Added.
1730         (shouldBe):
1731         (shouldThrow):
1732         (i.anonymous):
1733         * stress/function-constructor-name.js: Added.
1734         (shouldBe):
1735         (GeneratorFunction):
1736         (AsyncFunction.async):
1737         (AsyncGeneratorFunction.async):
1738         (anonymous):
1739         (async.anonymous):
1740         * test262/expectations.yaml:
1741
1742 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1743
1744         Unreviewed, rolling out r237242.
1745         https://bugs.webkit.org/show_bug.cgi?id=190701
1746
1747         it breaks "stress/sampling-profiler-basic.js" (Requested by
1748         caiolima on #webkit).
1749
1750         Reverted changeset:
1751
1752         "[BigInt] Add ValueSub into DFG"
1753         https://bugs.webkit.org/show_bug.cgi?id=186176
1754         https://trac.webkit.org/changeset/237242
1755
1756 2018-10-17  Keith Miller  <keith_miller@apple.com>
1757
1758         AI does not clear Phantom allocation nodes.
1759         https://bugs.webkit.org/show_bug.cgi?id=190694
1760
1761         Reviewed by Saam Barati.
1762
1763         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1764         (Day):
1765         (DaysInYear):
1766         (TimeInYear):
1767         (TimeFromYear):
1768         (DayFromYear):
1769         (InLeapYear):
1770         (YearFromTime):
1771         (WeekDay):
1772         (DaylightSavingTA):
1773         (GetSecondSundayInMarch):
1774         (TimeInMonth):
1775
1776 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1777
1778         [BigInt] Add ValueSub into DFG
1779         https://bugs.webkit.org/show_bug.cgi?id=186176
1780
1781         Reviewed by Yusuke Suzuki.
1782
1783         * stress/big-int-subtraction-jit.js:
1784         * stress/value-sub-big-int-prediction-propagation.js: Added.
1785         * stress/value-sub-big-int-untyped.js: Added.
1786
1787 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1788
1789         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1790         https://bugs.webkit.org/show_bug.cgi?id=190611
1791
1792         Reviewed by Saam Barati.
1793
1794         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1795         to improve test runtime. On ARM/MIPS this test even timed out when running all
1796         tests.
1797
1798         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1799         (test):
1800
1801 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1802
1803         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1804
1805         Unreviewed gardening.
1806
1807         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1808
1809 2018-10-15  Saam barati  <sbarati@apple.com>
1810
1811         Emit fjcvtzs on ARM64E on Darwin
1812         https://bugs.webkit.org/show_bug.cgi?id=184023
1813
1814         Reviewed by Yusuke Suzuki and Filip Pizlo.
1815
1816         * stress/double-to-int32-NaN.js: Added.
1817         (assert):
1818         (foo):
1819
1820 2018-10-15  Saam Barati  <sbarati@apple.com>
1821
1822         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1823         https://bugs.webkit.org/show_bug.cgi?id=190262
1824         <rdar://problem/44986241>
1825
1826         Reviewed by Mark Lam.
1827
1828         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1829         (test):
1830         * stress/slice-array-storage-with-holes.js: Added.
1831         (main):
1832
1833 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1834
1835         Unreviewed, rolling out r237054.
1836         https://bugs.webkit.org/show_bug.cgi?id=190593
1837
1838         "this regressed JetStream 2 by 6% on iOS" (Requested by
1839         saamyjoon on #webkit).
1840
1841         Reverted changeset:
1842
1843         "[JSC] JSC should have "parseFunction" to optimize Function
1844         constructor"
1845         https://bugs.webkit.org/show_bug.cgi?id=190340
1846         https://trac.webkit.org/changeset/237054
1847
1848 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1849
1850         [JSC] JSON.stringify can accept call-with-no-arguments
1851         https://bugs.webkit.org/show_bug.cgi?id=190343
1852
1853         Reviewed by Mark Lam.
1854
1855         * stress/json-stringify-no-arguments.js: Added.
1856         (shouldBe):
1857
1858 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1859
1860         [JSC] JSC should have "parseFunction" to optimize Function constructor
1861         https://bugs.webkit.org/show_bug.cgi?id=190340
1862
1863         Reviewed by Mark Lam.
1864
1865         This patch fixes the line number of syntax errors raised by the Function constructor,
1866         since we now parse the final code only once. And we no longer use block statement
1867         for Function constructor's parsing.
1868
1869         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1870         * stress/function-cache-with-parameters-end-position.js: Added.
1871         (shouldBe):
1872         (shouldThrow):
1873         (i.anonymous):
1874         * stress/function-constructor-name.js: Added.
1875         (shouldBe):
1876         (GeneratorFunction):
1877         (AsyncFunction.async):
1878         (AsyncGeneratorFunction.async):
1879         (anonymous):
1880         (async.anonymous):
1881         * test262/expectations.yaml:
1882
1883 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1884
1885         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1886         https://bugs.webkit.org/show_bug.cgi?id=190426
1887
1888         Unreviewed gardening.
1889
1890         * stress/sampling-profiler-richards.js:
1891
1892 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1893
1894         [ESNext][BigInt] Implement support for "|"
1895         https://bugs.webkit.org/show_bug.cgi?id=186229
1896
1897         Reviewed by Yusuke Suzuki.
1898
1899         * stress/big-int-bitwise-and-jit.js:
1900         * stress/big-int-bitwise-or-general.js: Added.
1901         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1902         * stress/big-int-bitwise-or-jit.js: Added.
1903         * stress/big-int-bitwise-or-memory-stress.js: Added.
1904         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1905         * stress/big-int-bitwise-or-type-error.js: Added.
1906         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1907
1908 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1909
1910         Skip test on systems with limited memory
1911         https://bugs.webkit.org/show_bug.cgi?id=190310
1912
1913         Invoking runDefault adds test to runlist, skipping the test in the next
1914         line does not prevent the test from executing. Change order of lines such
1915         that runDefault is only executed if test is not executed.
1916
1917         Reviewed by Mark Lam.
1918
1919         * stress/regress-190187.js:
1920
1921 2018-10-03  Saam barati  <sbarati@apple.com>
1922
1923         lowXYZ in FTLLower should always filter the type of the incoming edge
1924         https://bugs.webkit.org/show_bug.cgi?id=189939
1925         <rdar://problem/44407030>
1926
1927         Reviewed by Michael Saboff.
1928
1929         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1930         (foo):
1931         (test):
1932
1933 2018-10-03  Mark Lam  <mark.lam@apple.com>
1934
1935         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1936         https://bugs.webkit.org/show_bug.cgi?id=190187
1937         <rdar://problem/42512909>
1938
1939         Reviewed by Michael Saboff.
1940
1941         * stress/regress-190187.js: Added.
1942
1943 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1944
1945         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1946         https://bugs.webkit.org/show_bug.cgi?id=190033
1947
1948         Reviewed by Yusuke Suzuki.
1949
1950         * stress/big-int-to-string.js:
1951
1952 2018-10-01  Mark Lam  <mark.lam@apple.com>
1953
1954         Function.toString() should also copy the source code Functions that are class definitions.
1955         https://bugs.webkit.org/show_bug.cgi?id=190186
1956         <rdar://problem/44733360>
1957
1958         Reviewed by Saam Barati.
1959
1960         * stress/regress-190186.js: Added.
1961
1962 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1963
1964         Split NaN-check into separate test
1965         https://bugs.webkit.org/show_bug.cgi?id=190010
1966
1967         Reviewed by Saam Barati.
1968
1969         DataView exposes NaN-representation, which is not necessarily the same on each
1970         architecture. Therefore move the check of the NaN-representation into its own
1971         file such that we can disable this test on MIPS where NaN-representation can be
1972         different on older CPUs.
1973
1974         * stress/dataview-jit-set-nan.js: Added.
1975         (assert):
1976         (test.storeLittleEndian):
1977         (test.storeBigEndian):
1978         (test.store):
1979         (test):
1980         * stress/dataview-jit-set.js:
1981         (test5):
1982
1983 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1984
1985         Unreviewed, rolling out r236647.
1986         https://bugs.webkit.org/show_bug.cgi?id=190124
1987
1988         Breaking test stress/big-int-to-string.js (Requested by
1989         caiolima_ on #webkit).
1990
1991         Reverted changeset:
1992
1993         "[BigInt] BigInt.proptotype.toString is broken when radix is
1994         power of 2"
1995         https://bugs.webkit.org/show_bug.cgi?id=190033
1996         https://trac.webkit.org/changeset/236647
1997
1998 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1999
2000         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2001         https://bugs.webkit.org/show_bug.cgi?id=190033
2002
2003         Reviewed by Yusuke Suzuki.
2004
2005         * stress/big-int-to-string.js:
2006
2007 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2008
2009         [ESNext][BigInt] Implement support for "&"
2010         https://bugs.webkit.org/show_bug.cgi?id=186228
2011
2012         Reviewed by Yusuke Suzuki.
2013
2014         * stress/big-int-bitwise-and-general.js: Added.
2015         (assert):
2016         (assert.sameValue):
2017         * stress/big-int-bitwise-and-jit.js: Added.
2018         (let.assert.sameValue):
2019         (bigIntBitAnd):
2020         * stress/big-int-bitwise-and-memory-stress.js: Added.
2021         (assert):
2022         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2023         (assert.sameValue):
2024         (let.o.Symbol.toPrimitive):
2025         (catch):
2026         * stress/big-int-bitwise-and-type-error.js: Added.
2027         (assert):
2028         (assertThrowTypeError):
2029         (let.o.valueOf):
2030         (o.valueOf):
2031         (o.toString):
2032         (o.Symbol.toPrimitive):
2033         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2034         (assert.sameValue):
2035         (testBitAnd):
2036         (let.o.Symbol.toPrimitive):
2037         (o.valueOf):
2038         (o.toString):
2039
2040 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2041
2042         JSC test stress/jsc-read.js doesn't support CRLF
2043         https://bugs.webkit.org/show_bug.cgi?id=190063
2044
2045         Reviewed by Yusuke Suzuki.
2046
2047         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2048
2049         * stress/jsc-read.js:
2050         (test):
2051
2052 2018-09-27  Saam barati  <sbarati@apple.com>
2053
2054         Verify the contents of AssemblerBuffer on arm64e
2055         https://bugs.webkit.org/show_bug.cgi?id=190057
2056         <rdar://problem/38916630>
2057
2058         Reviewed by Mark Lam.
2059
2060         * stress/regress-189132.js:
2061
2062 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2063
2064         Disable test without LLInt on ARMv7
2065         https://bugs.webkit.org/show_bug.cgi?id=190037
2066
2067         Reviewed by Mark Lam.
2068
2069         Test runs out of executable memory on ARMv7, do not run
2070         this test without LLInt enabled.
2071
2072         * stress/regress-169445.js:
2073
2074 2018-09-26  Keith Miller  <keith_miller@apple.com>
2075
2076         We should zero unused property storage when rebalancing array storage.
2077         https://bugs.webkit.org/show_bug.cgi?id=188151
2078
2079         Reviewed by Michael Saboff.
2080
2081         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2082
2083 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2084
2085         [JSC] Optimize Array#lastIndexOf
2086         https://bugs.webkit.org/show_bug.cgi?id=189780
2087
2088         Reviewed by Saam Barati.
2089
2090         * stress/array-lastindexof-array-prototype-trap.js: Added.
2091         (shouldBe):
2092         (AncestorArray.prototype.get 2):
2093         (AncestorArray):
2094         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2095         (shouldBe):
2096         * stress/array-lastindexof-hole-nan.js: Added.
2097         (shouldBe):
2098         (throw.new.Error):
2099         * stress/array-lastindexof-infinity.js: Added.
2100         (shouldBe):
2101         (throw.new.Error):
2102         * stress/array-lastindexof-negative-zero.js: Added.
2103         (shouldBe):
2104         (throw.new.Error):
2105         * stress/array-lastindexof-own-getter.js: Added.
2106         (shouldBe):
2107         (throw.new.Error.get array):
2108         (get array):
2109         * stress/array-lastindexof-prototype-trap.js: Added.
2110         (shouldBe):
2111         (DerivedArray.prototype.get 2):
2112         (DerivedArray):
2113
2114 2018-09-25  Saam Barati  <sbarati@apple.com>
2115
2116         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2117         https://bugs.webkit.org/show_bug.cgi?id=189940
2118         <rdar://problem/43640987>
2119
2120         Reviewed by Mark Lam.
2121
2122         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2123
2124 2018-09-24  Saam Barati  <sbarati@apple.com>
2125
2126         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2127         https://bugs.webkit.org/show_bug.cgi?id=189922
2128         <rdar://problem/44651275>
2129
2130         Reviewed by Mark Lam.
2131
2132         * stress/array-indexof-fast-path-effects.js: Added.
2133         * stress/array-indexof-cached-length.js: Added.
2134
2135 2018-09-24  Saam barati  <sbarati@apple.com>
2136
2137         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2138         https://bugs.webkit.org/show_bug.cgi?id=189682
2139         <rdar://problem/43557315>
2140
2141         Reviewed by Mark Lam.
2142
2143         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2144         (foo):
2145
2146 2018-09-22  Saam barati  <sbarati@apple.com>
2147
2148         The sampling should not use Strong<CodeBlock> in its machineLocation field
2149         https://bugs.webkit.org/show_bug.cgi?id=189319
2150
2151         Reviewed by Filip Pizlo.
2152
2153         * stress/sampling-profiler-richards.js: Added.
2154
2155 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2156
2157         [JSC] Optimize Array#indexOf in C++ runtime
2158         https://bugs.webkit.org/show_bug.cgi?id=189507
2159
2160         Reviewed by Saam Barati.
2161
2162         * stress/array-indexof-array-prototype-trap.js: Added.
2163         (shouldBe):
2164         (AncestorArray.prototype.get 2):
2165         (AncestorArray):
2166         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2167         (shouldBe):
2168         * stress/array-indexof-hole-nan.js: Added.
2169         (shouldBe):
2170         (throw.new.Error):
2171         * stress/array-indexof-infinity.js: Added.
2172         (shouldBe):
2173         (throw.new.Error):
2174         * stress/array-indexof-negative-zero.js: Added.
2175         (shouldBe):
2176         (throw.new.Error):
2177         * stress/array-indexof-own-getter.js: Added.
2178         (shouldBe):
2179         (throw.new.Error.get array):
2180         (get array):
2181         * stress/array-indexof-prototype-trap.js: Added.
2182         (shouldBe):
2183         (DerivedArray.prototype.get 2):
2184         (DerivedArray):
2185
2186 2018-09-19  Saam barati  <sbarati@apple.com>
2187
2188         AI rule for MultiPutByOffset executes its effects in the wrong order
2189         https://bugs.webkit.org/show_bug.cgi?id=189757
2190         <rdar://problem/43535257>
2191
2192         Reviewed by Michael Saboff.
2193
2194         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2195         (foo):
2196         (Foo):
2197         (g):
2198
2199 2018-09-17  Mark Lam  <mark.lam@apple.com>
2200
2201         Ensure that ForInContexts are invalidated if their loop local is over-written.
2202         https://bugs.webkit.org/show_bug.cgi?id=189571
2203         <rdar://problem/44402277>
2204
2205         Reviewed by Saam Barati.
2206
2207         * stress/regress-189571.js: Added.
2208
2209 2018-09-17  Saam barati  <sbarati@apple.com>
2210
2211         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2212         https://bugs.webkit.org/show_bug.cgi?id=189676
2213         <rdar://problem/39682897>
2214
2215         Reviewed by Michael Saboff.
2216
2217         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2218         (A):
2219         (K):
2220         (i.catch):
2221
2222 2018-09-14  Saam barati  <sbarati@apple.com>
2223
2224         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2225         https://bugs.webkit.org/show_bug.cgi?id=189628
2226         <rdar://problem/39481690>
2227
2228         Reviewed by Mark Lam.
2229
2230         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2231         (foo):
2232
2233 2018-09-11  Mark Lam  <mark.lam@apple.com>
2234
2235         Test for array initialization in arrayProtoFuncSplice.
2236         https://bugs.webkit.org/show_bug.cgi?id=170253
2237         <rdar://problem/31328773>
2238
2239         Rubber-stamped by Saam Barati.
2240
2241         * stress/regress-170253.js: Added.
2242
2243 2018-09-11  Mark Lam  <mark.lam@apple.com>
2244
2245         Test for IntlObject initialization.
2246         https://bugs.webkit.org/show_bug.cgi?id=170251
2247         <rdar://problem/31328419>
2248
2249         Rubber-stamped by Saam Barati.
2250
2251         * stress/regress-170251.js: Added.
2252
2253 2018-09-11  Mark Lam  <mark.lam@apple.com>
2254
2255         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2256         https://bugs.webkit.org/show_bug.cgi?id=169889
2257         <rdar://problem/31155607>
2258
2259         Reviewed by Saam Barati.
2260
2261         * stress/regress-169889-array-concat.js: Added.
2262         * stress/regress-169889-array-concat1.js: Added.
2263         * stress/regress-169889-array-slice.js: Added.
2264
2265 2018-09-11  Mark Lam  <mark.lam@apple.com>
2266
2267         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2268         https://bugs.webkit.org/show_bug.cgi?id=169445
2269         <rdar://problem/30957435>
2270
2271         Reviewed by Saam Barati.
2272
2273         * stress/regress-169445.js: Added.
2274         (let.gun.eval.A):
2275         (let.gun.eval.B.C):
2276         (let.gun.eval.B.C.prototype.trigger):
2277         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2278         (let.gun.eval.B):
2279         (let.gun.eval):
2280
2281 == Rolled over to ChangeLog-2018-09-11 ==