[JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
4         https://bugs.webkit.org/show_bug.cgi?id=196582
5
6         Reviewed by Saam Barati.
7
8         * stress/add-overflow-check-with-three-same-registers.js: Added.
9         (foo):
10         (Number.prototype.valueOf):
11         (runWithNumber):
12
13 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
14
15         Unreviewed, rolling out r243665.
16
17         Caused iOS JSC tests to exit with an exception.
18
19         Reverted changeset:
20
21         "Assertion failed in JSC::createError"
22         https://bugs.webkit.org/show_bug.cgi?id=196305
23         https://trac.webkit.org/changeset/243665
24
25 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
26
27         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
28         https://bugs.webkit.org/show_bug.cgi?id=196486
29
30         Reviewed by Saam Barati.
31
32         * stress/arrow-function-and-use-strict-directive.js: Added.
33         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
34         (checkSyntax):
35         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
36
37 2019-04-05  Caitlin Potter  <caitp@igalia.com>
38
39         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
40         https://bugs.webkit.org/show_bug.cgi?id=176810
41
42         Reviewed by Saam Barati.
43
44         Add tests for the DontEnum filtering, and variations of other tests
45         take the DontEnum-filtering path.
46
47         * stress/proxy-own-keys.js:
48         (i.catch):
49         (set assert):
50         (set add):
51         (let.set new):
52         (get let):
53
54 2019-04-05  Caitlin Potter  <caitp@igalia.com>
55
56         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
57         https://bugs.webkit.org/show_bug.cgi?id=185211
58
59         Reviewed by Saam Barati.
60
61         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
62
63         This changes several assertions to expect a TypeError to be thrown (in some cases,
64         changing the expected message).
65
66         * es6/Proxy_ownKeys_duplicates.js:
67         (handler):
68         (shouldThrow):
69         (test):
70         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
71         (shouldThrow):
72         * stress/proxy-own-keys.js:
73         (i.catch):
74         (assert):
75
76 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
77
78         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
79         https://bugs.webkit.org/show_bug.cgi?id=196631
80
81         Reviewed by Saam Barati.
82
83         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
84         (assert):
85         (test):
86         (foo):
87
88 2019-04-04  Saam Barati  <sbarati@apple.com>
89
90         Unreviewed. Make the test from r243906 catch the thrown exceptions.
91
92         * stress/inferred-types-regex-matches-array.js:
93
94 2019-04-04  Saam Barati  <sbarati@apple.com>
95
96         createRegExpMatchesArray does not respect inferred types
97         https://bugs.webkit.org/show_bug.cgi?id=193287
98
99         Reviewed by Yusuke Suzuki.
100
101         This checks in the test case for 193287. This issue was discovered by
102         Samuel Groß of Google Project Zero.
103
104         * stress/inferred-types-regex-matches-array.js: Added.
105
106 2019-04-04  Saam barati  <sbarati@apple.com>
107
108         Teach Call ICs how to call Wasm
109         https://bugs.webkit.org/show_bug.cgi?id=196387
110
111         Reviewed by Filip Pizlo.
112
113         * wasm/function-tests/stack-trace.js:
114
115 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
116
117         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
118         https://bugs.webkit.org/show_bug.cgi?id=194944
119
120         Reviewed by Keith Miller.
121
122         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
123
124 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
125
126         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
127         https://bugs.webkit.org/show_bug.cgi?id=196409
128
129         Reviewed by Saam Barati.
130
131         * stress/bytecode-cache-cached-string-impl.js: Added.
132         (f):
133         (g):
134         * stress/bytecode-cache-run-string.js: Added.
135
136 2019-04-03  Robin Morisset  <rmorisset@apple.com>
137
138         B3 should use associativity to optimize expression trees
139         https://bugs.webkit.org/show_bug.cgi?id=194081
140
141         Reviewed by Filip Pizlo.
142
143         Added three microbenchmarks:
144         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
145         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
146           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
147         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
148
149         * microbenchmarks/add-tree.js: Added.
150         * microbenchmarks/bit-or-tree.js: Added.
151         * microbenchmarks/bit-xor-tree.js: Added.
152
153 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
154
155         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
156         https://bugs.webkit.org/show_bug.cgi?id=196574
157
158         Reviewed by Saam Barati.
159
160         * stress/string-index-of-exception-check.js: Added.
161         (blurType):
162         (1.forEach):
163
164 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
165
166         Assertion failed in JSC::createError
167         https://bugs.webkit.org/show_bug.cgi?id=196305
168         <rdar://problem/49387382>
169
170         Reviewed by Saam Barati.
171
172         * stress/create-error-out-of-memory-rope-string-2.js: Added.
173         (assert):
174         (catch):
175
176 2019-03-28  Saam Barati  <sbarati@apple.com>
177
178         BackwardsGraph needs to consider back edges as the backward's root successor
179         https://bugs.webkit.org/show_bug.cgi?id=195991
180
181         Reviewed by Filip Pizlo.
182
183         * stress/map-b3-licm-infinite-loop.js: Added.
184
185 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
186
187         CodeBlock::jettison() should disallow repatching its own calls
188         https://bugs.webkit.org/show_bug.cgi?id=196359
189         <rdar://problem/48973663>
190
191         Reviewed by Saam Barati.
192
193         * stress/call-link-info-osrexit-repatch.js: Added.
194         (foo):
195
196 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
197
198         [JSC] imports-oom.js intermittently fails
199         https://bugs.webkit.org/show_bug.cgi?id=196373
200
201         Reviewed by Saam Barati.
202
203         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
204         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
205         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
206         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
207         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
208
209         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
210         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
211
212         * wasm/lowExecutableMemory/imports-oom.js:
213
214 2019-03-27  Saam Barati  <sbarati@apple.com>
215
216         validateOSREntryValue with Int52 should box the value being checked into double format
217         https://bugs.webkit.org/show_bug.cgi?id=196313
218         <rdar://problem/49306703>
219
220         Reviewed by Yusuke Suzuki.
221
222         * stress/validate-int-52-ai-state.js: Added.
223
224 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
225
226         [JSC] Owner of watchpoints should validate at GC finalizing phase
227         https://bugs.webkit.org/show_bug.cgi?id=195827
228
229         Reviewed by Filip Pizlo.
230
231         * stress/gc-should-reap-dead-watchpoints.js: Added.
232         (foo):
233         (A.prototype.y):
234         (A):
235
236 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
237
238         Skip WebAssembly test on 32-bit systems
239         https://bugs.webkit.org/show_bug.cgi?id=196206
240
241         Reviewed by Saam Barati.
242
243         Invoking runDefault executes test immediately even though
244         that test should be skipped due to missing WASM support.
245         Therefore remove runDefault.
246
247         * wasm/regress/web-assembly-link-error-exception-check.js:
248
249 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
250
251         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
252         https://bugs.webkit.org/show_bug.cgi?id=196217
253
254         Reviewed by Saam Barati.
255
256         Re-enable all NaN tests for f32.min, f64.min and f64.max.
257
258         * wasm/spec-tests/f32.wast.js:
259         * wasm/spec-tests/f64.wast.js:
260         * wasm/wasm.json:
261
262 2019-03-25  Keith Miller  <keith_miller@apple.com>
263
264         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
265         https://bugs.webkit.org/show_bug.cgi?id=196176
266
267         Reviewed by Saam Barati.
268
269         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
270         (main.v10):
271         (main):
272
273 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
274
275         WebAssembly: f32.max with NaN generates incorrect result
276         https://bugs.webkit.org/show_bug.cgi?id=175691
277         <rdar://problem/33952228>
278
279         Reviewed by Saam Barati.
280
281         Enable all f32.max NaN tests
282
283         * wasm/spec-tests/f32.wast.js:
284         * wasm/wasm.json:
285
286 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
287
288         [JSC] Move test into directory for WASM tests
289         https://bugs.webkit.org/show_bug.cgi?id=196187
290
291         Reviewed by Mark Lam.
292
293         Move Test into wasm-directory. Otherwise this test
294         is also executed on systems without WASM support.
295
296         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
297
298 2019-03-23  Mark Lam  <mark.lam@apple.com>
299
300         Rolling out r243032 and r243071 because the fix is incorrect.
301         https://bugs.webkit.org/show_bug.cgi?id=195892
302         <rdar://problem/48981239>
303
304         Not reviewed.
305
306         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
307
308 2019-03-22  Mark Lam  <mark.lam@apple.com>
309
310         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
311         https://bugs.webkit.org/show_bug.cgi?id=196154
312         <rdar://problem/49145307>
313
314         Reviewed by Filip Pizlo.
315
316         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
317         There's no need to run this test on more than 1 test configuration.
318
319         * stress/typed-array-lastIndexOf-exception-check.js: Added.
320         * stress/web-assembly-link-error-exception-check.js:
321
322 2019-03-22  Mark Lam  <mark.lam@apple.com>
323
324         Placate exception check validation in constructJSWebAssemblyLinkError().
325         https://bugs.webkit.org/show_bug.cgi?id=196152
326         <rdar://problem/49145257>
327
328         Reviewed by Michael Saboff.
329
330         * stress/web-assembly-link-error-exception-check.js: Added.
331
332 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
333
334         Skip tests running out of memory on ARM/MIPS
335         https://bugs.webkit.org/show_bug.cgi?id=196131
336
337         Unreviewed. Skip test if memory is limited.
338
339         * microbenchmarks/put-by-val-direct-large-index.js:
340
341 2019-03-21  Mark Lam  <mark.lam@apple.com>
342
343         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
344         https://bugs.webkit.org/show_bug.cgi?id=196116
345         <rdar://problem/48976951>
346
347         Reviewed by Filip Pizlo.
348
349         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
350
351 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
352
353         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
354         https://bugs.webkit.org/show_bug.cgi?id=196078
355         <rdar://problem/35925380>
356
357         Reviewed by Mark Lam.
358
359         Add a new benchmark that allocates several objects and invokes put_by_val_direct
360         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
361
362         * microbenchmarks/put-by-val-direct-large-index.js: Added.
363
364 2019-03-21  Mark Lam  <mark.lam@apple.com>
365
366         Placate exception check validation in operationArrayIndexOfString().
367         https://bugs.webkit.org/show_bug.cgi?id=196067
368         <rdar://problem/49056572>
369
370         Reviewed by Michael Saboff.
371
372         * stress/string-equal-exception-check.js: Added.
373
374 2019-03-21  Mark Lam  <mark.lam@apple.com>
375
376         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
377         https://bugs.webkit.org/show_bug.cgi?id=196055
378         <rdar://problem/49067448>
379
380         Reviewed by Yusuke Suzuki.
381
382         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
383
384 2019-03-20  Saam Barati  <sbarati@apple.com>
385
386         typeOfDoubleSum is wrong for when NaN can be produced
387         https://bugs.webkit.org/show_bug.cgi?id=196030
388
389         Reviewed by Filip Pizlo.
390
391         * stress/double-add-sub-mul-can-produce-nan.js: Added.
392         (assert):
393         (noInline.sub):
394         (noInline):
395         (assert.mul):
396         (assert.add):
397
398 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
399
400         Update the test to ensure OutOfMemoryError is thrown as intended
401         https://bugs.webkit.org/show_bug.cgi?id=196032
402         <rdar://problem/46842740>
403
404         Rubber stamped by Saam Barati.
405
406         * stress/create-error-out-of-memory-rope-string.js:
407         (assert):
408         (catch):
409
410 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
411
412         JSC::createError needs to check for OOM in errorDescriptionForValue
413         https://bugs.webkit.org/show_bug.cgi?id=196032
414         <rdar://problem/46842740>
415
416         Reviewed by Mark Lam.
417
418         * stress/create-error-out-of-memory-rope-string.js: Added.
419
420 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
421
422         Unreviewed, reduce # of iterations to avoid timing out after r242991
423         https://bugs.webkit.org/show_bug.cgi?id=195791
424
425         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
426
427         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
428
429 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
430
431         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
432         https://bugs.webkit.org/show_bug.cgi?id=195950
433
434         Unreviewed, reducing the amount of memory used on this test to avoid
435         OOM on devices with memory restrictions.
436
437         * microbenchmarks/generate-multiple-llint-entrypoints.js:
438
439 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
440
441         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
442         https://bugs.webkit.org/show_bug.cgi?id=194648
443
444         Reviewed by Keith Miller.
445
446         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
447
448 2019-03-18  Mark Lam  <mark.lam@apple.com>
449
450         Missing a ThrowScope release in JSObject::toString().
451         https://bugs.webkit.org/show_bug.cgi?id=195893
452         <rdar://problem/48970986>
453
454         Reviewed by Michael Saboff.
455
456         * stress/to-string-exception-check-release.js: Added.
457
458 2019-03-18  Mark Lam  <mark.lam@apple.com>
459
460         Structure::flattenDictionary() should clear unused property slots.
461         https://bugs.webkit.org/show_bug.cgi?id=195871
462         <rdar://problem/48959497>
463
464         Reviewed by Michael Saboff.
465
466         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
467
468 2019-03-15  Mark Lam  <mark.lam@apple.com>
469
470         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
471         https://bugs.webkit.org/show_bug.cgi?id=195827
472         <rdar://problem/48845513>
473
474         Reviewed by Filip Pizlo.
475
476         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
477
478 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
479
480         [ARM,MIPS] Skip slow tests
481         https://bugs.webkit.org/show_bug.cgi?id=195799
482
483         Unreviewed, test does not finish on ARM and MIPS within the
484         timeout limit.
485
486         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
487
488 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
489
490         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
491         https://bugs.webkit.org/show_bug.cgi?id=195791
492         <rdar://problem/48806130>
493
494         Reviewed by Mark Lam.
495
496         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
497         (foo):
498
499 2019-03-14  Saam barati  <sbarati@apple.com>
500
501         We can't remove code after ForceOSRExit until after FixupPhase
502         https://bugs.webkit.org/show_bug.cgi?id=186916
503         <rdar://problem/41396612>
504
505         Reviewed by Yusuke Suzuki.
506
507         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
508         (foo):
509         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
510         (foo):
511
512 2019-03-13  Michael Saboff  <msaboff@apple.com>
513
514         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
515         https://bugs.webkit.org/show_bug.cgi?id=195735
516
517         Reviewed by Mark Lam.
518
519         New regression test.
520
521         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
522         (foo):
523         (bar):
524
525 2019-03-14  Saam barati  <sbarati@apple.com>
526
527         Fixup uses KnownInt32 incorrectly in some nodes
528         https://bugs.webkit.org/show_bug.cgi?id=195279
529         <rdar://problem/47915654>
530
531         Reviewed by Yusuke Suzuki.
532
533         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
534         (foo):
535
536 2019-03-14  Keith Miller  <keith_miller@apple.com>
537
538         DFG liveness can't skip tail caller inline frames
539         https://bugs.webkit.org/show_bug.cgi?id=195715
540
541         Reviewed by Saam Barati.
542
543         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
544         (i.foo):
545
546 2019-03-13  Mark Lam  <mark.lam@apple.com>
547
548         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
549         https://bugs.webkit.org/show_bug.cgi?id=195415
550
551         Not reviewed.
552
553         Changed these tests to only run the default configuration.
554         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
555         There's no strong need to run this test on that variant.
556
557         * stress/dfg-to-string-on-int-does-gc.js:
558         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
559
560 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
561
562         String overflow when using StringBuilder in JSC::createError
563         https://bugs.webkit.org/show_bug.cgi?id=194957
564
565         Reviewed by Mark Lam.
566
567         Add test string-overflow-createError-builder.js that overflows
568         StringBuilder in notAFunctionSourceAppender. The second new test
569         string-overflow-createError-fit.js has an error message that doesn't
570         overflow, it still failed since the String's capacity can't be doubled.
571         Run test string-overflow-createError.js only in the default
572         configuration to reduce memory consumption when running the test
573         in all configurations on multiple CPUs in parallel.
574
575         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
576         (catch):
577         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
578         (catch):
579         * stress/string-overflow-createError.js:
580
581 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
582
583         [JSC] OSR entry should respect abstract values in addition to flush formats
584         https://bugs.webkit.org/show_bug.cgi?id=195653
585
586         Reviewed by Mark Lam.
587
588         * stress/osr-entry-locals-none.js: Added.
589
590 2019-03-12  Michael Saboff  <msaboff@apple.com>
591
592         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
593         https://bugs.webkit.org/show_bug.cgi?id=195613
594
595         Reviewed by Mark Lam.
596
597         New regression test.
598
599         * stress/regexp-backref-inbounds.js: Added.
600         (testRegExp):
601
602 2019-03-12  Mark Lam  <mark.lam@apple.com>
603
604         The HasIndexedProperty node does GC.
605         https://bugs.webkit.org/show_bug.cgi?id=195559
606         <rdar://problem/48767923>
607
608         Reviewed by Yusuke Suzuki.
609
610         * stress/HasIndexedProperty-does-gc.js: Added.
611
612 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
613
614         [ESNext][BigInt] Implement "~" unary operation
615         https://bugs.webkit.org/show_bug.cgi?id=182216
616
617         Reviewed by Keith Miller.
618
619         * stress/big-int-bit-not-general.js: Added.
620         * stress/big-int-bitwise-not-jit.js: Added.
621         * stress/big-int-bitwise-not-wrapped-value.js: Added.
622         * stress/bit-op-with-object-returning-int32.js:
623         * stress/bitwise-not-fixup-rules.js: Added.
624         * stress/value-bit-not-ai-rule.js: Added.
625
626 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
627
628         Invalid flags in a RegExp literal should be an early SyntaxError
629         https://bugs.webkit.org/show_bug.cgi?id=195514
630
631         Reviewed by Darin Adler.
632
633         * test262/expectations.yaml:
634         Mark 4 test cases as passing.
635
636         * stress/regexp-syntax-error-invalid-flags.js:
637         * stress/regress-161995.js: Removed.
638         Update existing test, merging in an older test for the same behavior.
639
640 2019-03-08  Mark Lam  <mark.lam@apple.com>
641
642         Stack overflow crash in JSC::JSObject::hasInstance.
643         https://bugs.webkit.org/show_bug.cgi?id=195458
644         <rdar://problem/48710195>
645
646         Reviewed by Yusuke Suzuki.
647
648         * stress/stack-overflow-in-custom-hasInstance.js: Added.
649
650 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
651
652         op_check_tdz does not def its argument
653         https://bugs.webkit.org/show_bug.cgi?id=192880
654         <rdar://problem/46221598>
655
656         Reviewed by Saam Barati.
657
658         * microbenchmarks/let-for-in.js: Added.
659         (foo):
660
661 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
662
663         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
664         https://bugs.webkit.org/show_bug.cgi?id=195429
665
666         Reviewed by Saam Barati.
667
668         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
669         (foo):
670         * stress/string-from-char-code-255.js: Added.
671
672 2019-03-06  Mark Lam  <mark.lam@apple.com>
673
674         Fix incorrect handling of try-finally completion values.
675         https://bugs.webkit.org/show_bug.cgi?id=195131
676         <rdar://problem/46222079>
677
678         Reviewed by Saam Barati and Yusuke Suzuki.
679
680         Added many permutations of new test case to test-finally.js.  test-finally.js has
681         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
682         tests pass there as well.
683
684         * stress/test-finally.js:
685
686 2019-03-06  Saam Barati  <sbarati@apple.com>
687
688         Air::reportUsedRegisters must padInterference
689         https://bugs.webkit.org/show_bug.cgi?id=195303
690         <rdar://problem/48270343>
691
692         Reviewed by Keith Miller.
693
694         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
695
696 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
697
698         [JSC] AI should not propagate AbstractValue relying on constant folding phase
699         https://bugs.webkit.org/show_bug.cgi?id=195375
700
701         Reviewed by Saam Barati.
702
703         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
704         (let.array):
705
706 2019-03-05  Saam barati  <sbarati@apple.com>
707
708         op_switch_char broken for rope strings after JSRopeString layout rewrite
709         https://bugs.webkit.org/show_bug.cgi?id=195339
710         <rdar://problem/48592545>
711
712         Reviewed by Yusuke Suzuki.
713
714         * stress/switch-on-char-llint-rope.js: Added.
715
716 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
717
718         [JSC] Store bits for JSRopeString in 3 stores
719         https://bugs.webkit.org/show_bug.cgi?id=195234
720
721         Reviewed by Saam Barati.
722
723         * stress/null-rope-and-collectors.js: Added.
724
725 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
726
727         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
728         https://bugs.webkit.org/show_bug.cgi?id=195207
729
730         Unreviewed. After test runtime was reduced in r242213, test can be
731         run again on ARM/MIPS.
732
733         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
734
735 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
736
737         [JSC] sizeof(JSString) should be 16
738         https://bugs.webkit.org/show_bug.cgi?id=194375
739
740         Reviewed by Saam Barati.
741
742         * microbenchmarks/make-rope.js: Added.
743         (makeRope):
744         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
745         (returnRope.helper): Deleted.
746         (returnRope): Deleted.
747
748 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
749
750         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
751         https://bugs.webkit.org/show_bug.cgi?id=195144
752
753         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
754         Change the number from 1e8 to 1e5.
755
756         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
757         (foo):
758
759 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
760
761         Test times out on ARM/MIPS
762         https://bugs.webkit.org/show_bug.cgi?id=195168
763
764         Unreviewed. Skip test on ARM/MIPS.
765
766         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
767
768 2019-02-27  Mark Lam  <mark.lam@apple.com>
769
770         The parser is failing to record the token location of new in new.target.
771         https://bugs.webkit.org/show_bug.cgi?id=195127
772         <rdar://problem/39645578>
773
774         Reviewed by Yusuke Suzuki.
775
776         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
777
778 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
779
780         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
781         https://bugs.webkit.org/show_bug.cgi?id=195144
782         <rdar://problem/47595961>
783
784         Reviewed by Mark Lam.
785
786         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
787         (bar):
788         (foo):
789         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
790         (bar):
791         (foo):
792
793 2019-02-27  Robin Morisset  <rmorisset@apple.com>
794
795         DFG: Loop-invariant code motion (LICM) should not hoist dead code
796         https://bugs.webkit.org/show_bug.cgi?id=194945
797         <rdar://problem/48311657>
798
799         Reviewed by Mark Lam.
800
801         * stress/licm-dead-code.js: Added.
802
803 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
804
805         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
806         https://bugs.webkit.org/show_bug.cgi?id=194677
807         <rdar://problem/48112492>
808
809         Reviewed by Mark Lam.
810
811         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
812         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
813         it immediately fails due to the large size.
814
815         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
816         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
817         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
818         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
819
820         This patch changes the test to produce 16bit string from String.fromCharCode.
821
822         * stress/regress-178386.js:
823
824 2019-02-26  Mark Lam  <mark.lam@apple.com>
825
826         wasmToJS() should purify incoming NaNs.
827         https://bugs.webkit.org/show_bug.cgi?id=194807
828         <rdar://problem/48189132>
829
830         Reviewed by Saam Barati.
831
832         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
833
834 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
835
836         [JSC] Repeat string created from Array.prototype.join() takes too much memory
837         https://bugs.webkit.org/show_bug.cgi?id=193912
838
839         Reviewed by Saam Barati.
840
841         Added a test and a microbenchmark for corner cases of
842         Array.prototype.join() with an uninitialized array.
843
844         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
845         * stress/array-prototype-join-uninitialized.js: Added.
846         (testArray):
847         (testABC):
848         (B):
849         (C):
850
851 2019-02-22  Robin Morisset  <rmorisset@apple.com>
852
853         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
854         https://bugs.webkit.org/show_bug.cgi?id=194953
855         <rdar://problem/47595253>
856
857         Reviewed by Saam Barati.
858
859         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
860
861         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
862
863 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
864
865         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
866         https://bugs.webkit.org/show_bug.cgi?id=172848
867         <rdar://problem/25709212>
868
869         Reviewed by Mark Lam.
870
871         * typeProfiler/inheritance.js:
872         Rewrite the test slightly for clarity. The hoisting was confusing.
873
874         * heapProfiler/class-names.js: Added.
875         (MyES5Class):
876         (MyES6Class):
877         (MyES6Subclass):
878         Test object types and improved class names.
879
880         * heapProfiler/driver/driver.js:
881         (CheapHeapSnapshotNode):
882         (CheapHeapSnapshot):
883         (createCheapHeapSnapshot):
884         (HeapSnapshot):
885         (createHeapSnapshot):
886         Update snapshot parsing from version 1 to version 2.
887
888 2019-02-19  Truitt Savell  <tsavell@apple.com>
889
890         Unreviewed, rolling out r241784.
891
892         Broke all OpenSource builds.
893
894         Reverted changeset:
895
896         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
897         instances view"
898         https://bugs.webkit.org/show_bug.cgi?id=172848
899         https://trac.webkit.org/changeset/241784
900
901 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
902
903         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
904         https://bugs.webkit.org/show_bug.cgi?id=172848
905         <rdar://problem/25709212>
906
907         Reviewed by Mark Lam.
908
909         * typeProfiler/inheritance.js:
910         Rewrite the test slightly for clarity. The hoisting was confusing.
911
912         * heapProfiler/class-names.js: Added.
913         (MyES5Class):
914         (MyES6Class):
915         (MyES6Subclass):
916         Test object types and improved class names.
917
918         * heapProfiler/driver/driver.js:
919         (CheapHeapSnapshotNode):
920         (CheapHeapSnapshot):
921         (createCheapHeapSnapshot):
922         (HeapSnapshot):
923         (createHeapSnapshot):
924         Update snapshot parsing from version 1 to version 2.
925
926 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
927
928         [ARM] Fix crash with sampling profiler
929         https://bugs.webkit.org/show_bug.cgi?id=194772
930
931         Reviewed by Mark Lam.
932
933         Do not skip test since crash with sampling profiler is now fixed.
934
935         * stress/sampling-profiler-richards.js:
936
937 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
938
939         [JSC] Add LazyClassStructure::getInitializedOnMainThread
940         https://bugs.webkit.org/show_bug.cgi?id=194784
941         <rdar://problem/48154820>
942
943         Reviewed by Mark Lam.
944
945         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
946         (getProperties):
947         (getRandomProperty):
948         (i.catch):
949
950 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
951
952         [ARM] Test gardening: Test running out of executable memory
953         https://bugs.webkit.org/show_bug.cgi?id=194771
954
955         Unreviewed. Do not run test without LLInt, test is running out of executable
956         memory on ARM otherwise.
957
958         * stress/tagged-template-object-collect.js:
959
960 2019-02-18  Tomas Popela  <tpopela@redhat.com>
961
962         Unreviewed, skip the test on platforms without sampling profiler
963
964         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
965         (platformSupportsSamplingProfiler.foo):
966         (platformSupportsSamplingProfiler.test):
967         (platformSupportsSamplingProfiler):
968         (foo): Deleted.
969         (test): Deleted.
970
971 2019-02-17  Saam Barati  <sbarati@apple.com>
972
973         Deadlock when adding a Structure property transition and then doing incremental marking
974         https://bugs.webkit.org/show_bug.cgi?id=194767
975
976         Reviewed by Mark Lam.
977
978         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
979
980 2019-02-15  Michael Saboff  <msaboff@apple.com>
981
982         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
983         https://bugs.webkit.org/show_bug.cgi?id=194558
984
985         Reviewed by Saam Barati.
986
987         New regression test.
988
989         * stress/regexp-unicode-within-string.js: Added.
990
991 2019-02-15  Mark Lam  <mark.lam@apple.com>
992
993         SamplingProfiler::stackTracesAsJSON() should escape strings.
994         https://bugs.webkit.org/show_bug.cgi?id=194649
995         <rdar://problem/48072386>
996
997         Reviewed by Saam Barati.
998
999         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1000         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1001         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1002         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1003
1004 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1005         CodeBlock::jettison should clear related watchpoints
1006         https://bugs.webkit.org/show_bug.cgi?id=194544
1007
1008         Reviewed by Mark Lam.
1009
1010         * stress/regexp-replace-double-watchpoint.js: Added.
1011         (foo):
1012
1013 2019-02-15  Saam barati  <sbarati@apple.com>
1014
1015         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1016         https://bugs.webkit.org/show_bug.cgi?id=194036
1017
1018         Reviewed by Yusuke Suzuki.
1019
1020         * stress/tail-call-many-arguments.js: Added.
1021         (foo):
1022         (bar):
1023
1024 2019-02-14  Saam Barati  <sbarati@apple.com>
1025
1026         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1027         https://bugs.webkit.org/show_bug.cgi?id=194583
1028         <rdar://problem/48028140>
1029
1030         Reviewed by Yusuke Suzuki.
1031
1032         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1033
1034 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1035
1036         [JSC] String.fromCharCode's slow path always generates 16bit string
1037         https://bugs.webkit.org/show_bug.cgi?id=194466
1038
1039         Reviewed by Keith Miller.
1040
1041         * stress/string-from-char-code-slow-path.js: Added.
1042         (shouldBe):
1043         (testWithLength):
1044
1045 2019-02-08  Saam barati  <sbarati@apple.com>
1046
1047         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1048         https://bugs.webkit.org/show_bug.cgi?id=194334
1049         <rdar://problem/47844327>
1050
1051         Reviewed by Mark Lam.
1052
1053         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1054         (func):
1055
1056 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1057
1058         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1059         https://bugs.webkit.org/show_bug.cgi?id=194369
1060         <rdar://problem/47813087>
1061
1062         Reviewed by Saam Barati.
1063
1064         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1065         (A):
1066
1067 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1068
1069         [JSC] PrivateName to PublicName hash table is wasteful
1070         https://bugs.webkit.org/show_bug.cgi?id=194277
1071
1072         Reviewed by Michael Saboff.
1073
1074         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1075
1076         * ChakraCore.yaml:
1077
1078 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1079
1080         [ARM] Test running out of executable memory
1081         https://bugs.webkit.org/show_bug.cgi?id=194285
1082
1083         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1084         executable memory otherwise.
1085
1086         * stress/class-subclassing-function.js:
1087
1088 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1089
1090         when lowering AssertNotEmpty, create the value before creating the patchpoint
1091         https://bugs.webkit.org/show_bug.cgi?id=194231
1092
1093         Reviewed by Saam Barati.
1094
1095         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1096         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
1097         So even tiny changes to this test can change the code path taken.
1098
1099         * stress/assert-not-empty.js: Added.
1100         (foo):
1101
1102 2019-02-01  Mark Lam  <mark.lam@apple.com>
1103
1104         Remove invalid assertion in DFG's compileDoubleRep().
1105         https://bugs.webkit.org/show_bug.cgi?id=194130
1106         <rdar://problem/47699474>
1107
1108         Reviewed by Saam Barati.
1109
1110         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1111
1112 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1113
1114         Import latest Test262 updates.
1115
1116         Rubber-stamped by Keith Miller.
1117
1118         * test262.yaml: Deleted.
1119         * test262/config.yaml:
1120         * test262/expectations.yaml:
1121         * test262/latest-changes-summary.txt:
1122         * test262/test/:
1123         * test262/test262-Revision.txt:
1124
1125 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1126
1127         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1128         https://bugs.webkit.org/show_bug.cgi?id=194050
1129         <rdar://problem/47595592>
1130
1131         Reviewed by Yusuke Suzuki.
1132
1133         * stress/object-keys-osr-exit.js: Added.
1134         (foo):
1135         (catch):
1136
1137 2019-01-29  Mark Lam  <mark.lam@apple.com>
1138
1139         ValueRecovery::recover() should purify NaN values it recovers.
1140         https://bugs.webkit.org/show_bug.cgi?id=193978
1141         <rdar://problem/47625488>
1142
1143         Reviewed by Saam Barati.
1144
1145         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1146
1147 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1148
1149         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1150         https://bugs.webkit.org/show_bug.cgi?id=193713
1151
1152         * stress/try-get-by-id-should-spill-registers-dfg.js:
1153         (let.f.createBuiltin):
1154
1155 2019-01-28  Mark Lam  <mark.lam@apple.com>
1156
1157         ToString node actually does GC.
1158         https://bugs.webkit.org/show_bug.cgi?id=193920
1159         <rdar://problem/46695900>
1160
1161         Reviewed by Yusuke Suzuki.
1162
1163         * stress/dfg-to-string-on-int-does-gc.js: Added.
1164         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1165         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1166
1167 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1168
1169         [JSC] NativeErrorConstructor should not have own IsoSubspace
1170         https://bugs.webkit.org/show_bug.cgi?id=193713
1171
1172         Reviewed by Saam Barati.
1173
1174         Remove @Error use.
1175
1176         * stress/try-get-by-id-should-spill-registers-dfg.js:
1177         (let.f.createBuiltin):
1178
1179 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1180
1181         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1182         https://bugs.webkit.org/show_bug.cgi?id=190693
1183
1184         Reviewed by Michael Saboff.
1185
1186         * stress/regress-190693.js: Added.
1187         (truth):
1188         (assert):
1189         (shouldThrowInvalidConstAssignment):
1190         (taz):
1191
1192 2019-01-24  Saam Barati  <sbarati@apple.com>
1193
1194         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1195         https://bugs.webkit.org/show_bug.cgi?id=193751
1196         <rdar://problem/47280215>
1197
1198         Reviewed by Michael Saboff.
1199
1200         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1201         (let.thing):
1202         (foo.let.hello):
1203         (foo):
1204
1205 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1206
1207         [JSC] Reenable baseline JIT on mips
1208         https://bugs.webkit.org/show_bug.cgi?id=192983
1209
1210         Reviewed by Mark Lam.
1211
1212         Added a new test for a case that was triggering a RELEASE_ASSERT when
1213         testing.
1214         Disable some slow tests that were already disabled for arm and x86.
1215
1216         * stress/json-parse-big-object.js: Added.
1217         * stress/new-largeish-contiguous-array-with-size.js:
1218         * stress/op_add.js:
1219         * stress/op_bitand.js:
1220         * stress/op_bitor.js:
1221         * stress/op_bitxor.js:
1222         * stress/op_lshift-ConstVar.js:
1223         * stress/op_lshift-VarConst.js:
1224         * stress/op_lshift-VarVar.js:
1225         * stress/op_mod-ConstVar.js:
1226         * stress/op_mod-VarConst.js:
1227         * stress/op_mod-VarVar.js:
1228         * stress/op_mul-ConstVar.js:
1229         * stress/op_mul-VarConst.js:
1230         * stress/op_mul-VarVar.js:
1231         * stress/op_rshift-ConstVar.js:
1232         * stress/op_rshift-VarConst.js:
1233         * stress/op_rshift-VarVar.js:
1234         * stress/op_sub-ConstVar.js:
1235         * stress/op_sub-VarConst.js:
1236         * stress/op_sub-VarVar.js:
1237         * stress/op_urshift-ConstVar.js:
1238         * stress/op_urshift-VarConst.js:
1239         * stress/op_urshift-VarVar.js:
1240         * stress/sampling-profiler-richards.js:
1241         * stress/spread-forward-call-varargs-stack-overflow.js:
1242
1243 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1244
1245         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1246         https://bugs.webkit.org/show_bug.cgi?id=193711
1247         <rdar://problem/47250262>
1248
1249         Reviewed by Saam Barati.
1250
1251         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1252         (shouldBe):
1253         (foo):
1254         (bar):
1255         (baz):
1256
1257 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1258
1259         Unreviewed, fix initial global lexical binding epoch
1260         https://bugs.webkit.org/show_bug.cgi?id=193603
1261         <rdar://problem/47380869>
1262
1263         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1264         (f1.f2.f3.f4):
1265         (f1.f2.f3):
1266         (f1.f2):
1267         (f1):
1268
1269 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1270
1271         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1272         https://bugs.webkit.org/show_bug.cgi?id=193709
1273         <rdar://problem/47363838>
1274
1275         Unreviewed, rollout to watch the tests.
1276
1277         * stress/object-tostring-changed-proto.js: Removed.
1278         * stress/object-tostring-changed.js: Removed.
1279         * stress/object-tostring-misc.js: Removed.
1280         * stress/object-tostring-other.js: Removed.
1281         * stress/object-tostring-untyped.js: Removed.
1282
1283 2019-01-22  Saam Barati  <sbarati@apple.com>
1284
1285         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1286
1287         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1288         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1289         (testUncheckedLessThanZero):
1290         (testUncheckedLessThanOrEqualZero):
1291         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1292         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1293
1294 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1295
1296         [JSC] Invalidate old scope operations using global lexical binding epoch
1297         https://bugs.webkit.org/show_bug.cgi?id=193603
1298         <rdar://problem/47380869>
1299
1300         Reviewed by Saam Barati.
1301
1302         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1303         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1304         (shouldThrow):
1305         (bar):
1306         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1307         (shouldBe):
1308         (get1):
1309         (get2):
1310         (get1If):
1311         (get2If):
1312         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1313         (shouldThrow):
1314         (foo):
1315
1316 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1317
1318         Unreviewed, roll out r240220 due to date-format-xparb regression
1319         https://bugs.webkit.org/show_bug.cgi?id=193603
1320
1321         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1322         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1323         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1324         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1325
1326 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1327
1328         DoesGC rule is wrong for nodes with BigIntUse
1329         https://bugs.webkit.org/show_bug.cgi?id=193652
1330
1331         Reviewed by Saam Barati.
1332
1333         * stress/big-int-value-op-update-gc-rules.js: Added.
1334         (assert):
1335         (doesGCAdd):
1336         (doesGCSub):
1337         (doesGCDiv):
1338         (doesGCMul):
1339         (doesGCBitAnd):
1340         (doesGCBitOr):
1341         (doesGCBitXor):
1342
1343 2019-01-20  Saam Barati  <sbarati@apple.com>
1344
1345         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1346         https://bugs.webkit.org/show_bug.cgi?id=193644
1347         <rdar://problem/46209745>
1348
1349         Reviewed by Yusuke Suzuki.
1350
1351         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1352         (foo):
1353         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1354         (foo):
1355         (bar):
1356
1357 2019-01-20  Saam Barati  <sbarati@apple.com>
1358
1359         MovHint must merge NodeBytecodeUsesAsValue for its child
1360         https://bugs.webkit.org/show_bug.cgi?id=186916
1361         <rdar://problem/41396612>
1362
1363         Reviewed by Yusuke Suzuki.
1364
1365         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1366         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1367
1368 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1369
1370         [JSC] Invalidate old scope operations using global lexical binding epoch
1371         https://bugs.webkit.org/show_bug.cgi?id=193603
1372         <rdar://problem/47380869>
1373
1374         Reviewed by Saam Barati.
1375
1376         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1377         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1378         (shouldThrow):
1379         (bar):
1380         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1381         (shouldBe):
1382         (get1):
1383         (get2):
1384         (get1If):
1385         (get2If):
1386         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1387         (shouldThrow):
1388         (foo):
1389
1390 2019-01-17  Saam barati  <sbarati@apple.com>
1391
1392         StringObjectUse should not be a structure check for the original string object structure
1393         https://bugs.webkit.org/show_bug.cgi?id=193483
1394         <rdar://problem/47280522>
1395
1396         Reviewed by Yusuke Suzuki.
1397
1398         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1399         (foo):
1400         (a.valueOf.0):
1401
1402 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1403
1404         [JSC] ToThis omission in DFGByteCodeParser is wrong
1405         https://bugs.webkit.org/show_bug.cgi?id=193513
1406         <rdar://problem/45842236>
1407
1408         Reviewed by Saam Barati.
1409
1410         * stress/to-this-omission-with-different-strict-modes.js: Added.
1411         (thisA):
1412         (thisAStrictWrapper):
1413
1414 2019-01-15  Mark Lam  <mark.lam@apple.com>
1415
1416         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1417         https://bugs.webkit.org/show_bug.cgi?id=193423
1418         <rdar://problem/46209355>
1419
1420         Reviewed by Saam Barati.
1421
1422         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1423         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1424         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1425         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1426
1427 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1428
1429         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1430         https://bugs.webkit.org/show_bug.cgi?id=193438
1431         <rdar://problem/45581249>
1432
1433         Reviewed by Saam Barati and Keith Miller.
1434
1435         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1436         Then, GetByVal(String) crashed.
1437
1438         * stress/string-get-by-val-lowering.js: Added.
1439         (shouldBe):
1440         (test):
1441         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1442         (Hello):
1443         (foo):
1444
1445 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1446
1447         Unreviewed, skip JIT tests if it's not enabled
1448
1449         * stress/bit-op-with-object-returning-int32.js:
1450
1451 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1452
1453         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1454         https://bugs.webkit.org/show_bug.cgi?id=192966
1455
1456         Reviewed by Yusuke Suzuki.
1457
1458         * stress/bit-op-with-object-returning-int32.js: Added.
1459
1460 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1461
1462         Skip a slow test and a flakey test on arm
1463
1464         Unreviewed gardening.
1465
1466         * typeProfiler/getter-richards.js:
1467         this test always times out, it used to be always skipped on arm and
1468         mips, but got accidentally enabled by r237919 now that we have DFG on
1469         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1470
1471 2019-01-14  Keith Miller  <keith_miller@apple.com>
1472
1473         Skip type-check-hoisting-phase-hoist... with no jit
1474         https://bugs.webkit.org/show_bug.cgi?id=193421
1475
1476         Reviewed by Mark Lam.
1477
1478         It's timing out the 32-bit bots and takes 330 seconds
1479         on my machine when run by itself.
1480
1481         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1482
1483 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1484
1485         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1486         https://bugs.webkit.org/show_bug.cgi?id=193413
1487         <rdar://problem/46092389>
1488
1489         Reviewed by Keith Miller.
1490
1491         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1492         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1493         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1494         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1495
1496         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1497         (compareArray):
1498
1499 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1500
1501         [BigInt] Literal parsing is crashing when used inside a Object Literal
1502         https://bugs.webkit.org/show_bug.cgi?id=193404
1503
1504         Reviewed by Yusuke Suzuki.
1505
1506         * stress/big-int-literal-inside-literal-object.js: Added.
1507
1508 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1509
1510         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1511         https://bugs.webkit.org/show_bug.cgi?id=193372
1512
1513         Reviewed by Saam Barati.
1514
1515         * stress/typed-array-array-modes-profile.js: Added.
1516         (foo):
1517
1518 2019-01-14  Mark Lam  <mark.lam@apple.com>
1519
1520         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1521         https://bugs.webkit.org/show_bug.cgi?id=193402
1522         <rdar://problem/46012309>
1523
1524         Reviewed by Keith Miller.
1525
1526         * stress/regexp-compile-oom.js:
1527         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1528           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1529
1530 2019-01-11  Saam barati  <sbarati@apple.com>
1531
1532         DFG combined liveness can be wrong for terminal basic blocks
1533         https://bugs.webkit.org/show_bug.cgi?id=193304
1534         <rdar://problem/45268632>
1535
1536         Reviewed by Yusuke Suzuki.
1537
1538         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1539
1540 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1541
1542         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1543         https://bugs.webkit.org/show_bug.cgi?id=193308
1544         <rdar://problem/45546542>
1545
1546         Reviewed by Saam Barati.
1547
1548         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1549         (shouldThrow):
1550         (shouldBe):
1551         (foo):
1552         (get shouldThrow):
1553         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1554         (shouldThrow):
1555         (shouldBe):
1556         (foo):
1557         (get shouldBe):
1558         (get shouldThrow):
1559         (get return):
1560         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1561         (shouldThrow):
1562         (shouldBe):
1563         (foo):
1564         (get shouldBe):
1565         (get shouldThrow):
1566         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1567         (shouldThrow):
1568         (shouldBe):
1569         (foo):
1570         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1571         (shouldThrow):
1572         (shouldBe):
1573         (foo):
1574         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1575         (shouldThrow):
1576         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1577         (shouldThrow):
1578         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1579         (shouldThrow):
1580         (shouldBe):
1581         (foo):
1582         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1583         (shouldThrow):
1584         (shouldBe):
1585         (foo):
1586         (get shouldBe):
1587         (get shouldThrow):
1588         (get return):
1589         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1590         (shouldThrow):
1591         (shouldBe):
1592         (foo):
1593         (get shouldBe):
1594         (get shouldThrow):
1595         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1596         (shouldThrow):
1597         (shouldBe):
1598         (foo):
1599         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1600         (shouldThrow):
1601         (shouldBe):
1602         (foo):
1603
1604 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1605
1606         Enable DFG on ARM/Linux again
1607         https://bugs.webkit.org/show_bug.cgi?id=192496
1608
1609         Reviewed by Yusuke Suzuki.
1610
1611         Test wasn't really skipped before moving the line with skip
1612         to the top.
1613
1614         * stress/regress-192717.js:
1615
1616 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1617
1618         Unreviewed, rolling out r239825.
1619         https://bugs.webkit.org/show_bug.cgi?id=193330
1620
1621         Broke tests on armv7/linux bots (Requested by guijemont on
1622         #webkit).
1623
1624         Reverted changeset:
1625
1626         "Enable DFG on ARM/Linux again"
1627         https://bugs.webkit.org/show_bug.cgi?id=192496
1628         https://trac.webkit.org/changeset/239825
1629
1630 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1631
1632         Enable DFG on ARM/Linux again
1633         https://bugs.webkit.org/show_bug.cgi?id=192496
1634
1635         Reviewed by Yusuke Suzuki.
1636
1637         Test wasn't really skipped before moving the line with skip
1638         to the top.
1639
1640         * stress/regress-192717.js:
1641
1642 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1643
1644         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1645         https://bugs.webkit.org/show_bug.cgi?id=193127
1646
1647         Reviewed by Saam Barati.
1648
1649         * stress/array-species-create-should-handle-masquerader.js: Added.
1650         (shouldThrow):
1651         * stress/is-undefined-or-null-builtin.js: Added.
1652         (shouldBe):
1653         (isUndefinedOrNull.vm.createBuiltin):
1654
1655 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1656
1657         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1658         https://bugs.webkit.org/show_bug.cgi?id=193221
1659
1660         Reviewed by Mark Lam.
1661
1662         * stress/put-by-id-flags.js: Added.
1663         (f):
1664         (g):
1665         (numberOfDFGCompiles):
1666
1667 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1668
1669         Baseline version of get_by_id may corrupt metadata
1670         https://bugs.webkit.org/show_bug.cgi?id=193085
1671         <rdar://problem/23453006>
1672
1673         Reviewed by Saam Barati.
1674
1675         * stress/get-by-id-change-mode.js: Added.
1676         (forEach):
1677
1678 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1679
1680         [JSC] Optimize Object.prototype.toString
1681         https://bugs.webkit.org/show_bug.cgi?id=193031
1682
1683         Reviewed by Saam Barati.
1684
1685         * stress/object-tostring-changed-proto.js: Added.
1686         (shouldBe):
1687         (test):
1688         * stress/object-tostring-changed.js: Added.
1689         (shouldBe):
1690         (test):
1691         * stress/object-tostring-misc.js: Added.
1692         (shouldBe):
1693         (test):
1694         (i.switch):
1695         * stress/object-tostring-other.js: Added.
1696         (shouldBe):
1697         (test):
1698         * stress/object-tostring-untyped.js: Added.
1699         (shouldBe):
1700         (test):
1701         (i.switch):
1702
1703 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1704
1705         test262-runner misbehaves when test file YAML has a trailing space
1706         https://bugs.webkit.org/show_bug.cgi?id=193053
1707
1708         Reviewed by Yusuke Suzuki.
1709
1710         * test262/expectations.yaml:
1711         Mark two dozen tests as passing (and correct the output of another).
1712
1713 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1714
1715         Unreviewed, JSTests gardening with memoryLimited
1716
1717         * stress/string-overflow-createError.js:
1718
1719 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1720
1721         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1722         https://bugs.webkit.org/show_bug.cgi?id=193050
1723
1724         Reviewed by Yusuke Suzuki.
1725
1726         * test262.yaml:
1727         * test262/expectations.yaml:
1728         Mark 16 tests as passing.
1729
1730 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1731
1732         [BigInt] Support BigInt in JSON.stringify
1733         https://bugs.webkit.org/show_bug.cgi?id=192624
1734
1735         Reviewed by Saam Barati.
1736
1737         * stress/big-int-json-stringify-to-json.js: Added.
1738         (shouldBe):
1739         (shouldThrow):
1740         (BigInt.prototype.toJSON):
1741         (shouldBe.JSON.stringify):
1742         * stress/big-int-json-stringify.js: Added.
1743         (shouldBe):
1744         (shouldThrow):
1745
1746 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1747
1748         [JSC] Implement "well-formed JSON.stringify" proposal
1749         https://bugs.webkit.org/show_bug.cgi?id=191677
1750
1751         Reviewed by Darin Adler.
1752
1753         * stress/json-surrogate-pair.js: Added.
1754         (shouldBe):
1755         * test262/expectations.yaml:
1756
1757 2018-12-20  Keith Miller  <keith_miller@apple.com>
1758
1759         Add support for globalThis
1760         https://bugs.webkit.org/show_bug.cgi?id=165171
1761
1762         Reviewed by Mark Lam.
1763
1764         * test262/config.yaml:
1765
1766 2018-12-19  Keith Miller  <keith_miller@apple.com>
1767
1768         Update test262 configuration to not run tests dependent on ICU version.
1769         https://bugs.webkit.org/show_bug.cgi?id=192920
1770
1771         Reviewed by Saam Barati.
1772
1773         * test262/expectations.yaml:
1774
1775 2018-12-20  Mark Lam  <mark.lam@apple.com>
1776
1777         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1778         https://bugs.webkit.org/show_bug.cgi?id=192939
1779         <rdar://problem/46869516>
1780
1781         Reviewed by Keith Miller.
1782
1783         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1784
1785 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1786
1787         WTF::String and StringImpl overflow MaxLength
1788         https://bugs.webkit.org/show_bug.cgi?id=192853
1789         <rdar://problem/45726906>
1790
1791         Reviewed by Mark Lam.
1792
1793         * stress/string-16bit-repeat-overflow.js: Added.
1794         (catch):
1795
1796 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1797
1798         Unreviewed follow-up to r192914.
1799
1800         * test262/expectations.yaml:
1801         Add the last 20 missing expectations.
1802
1803 2018-12-19  Keith Miller  <keith_miller@apple.com>
1804
1805         Fix test262 expectations
1806         https://bugs.webkit.org/show_bug.cgi?id=192914
1807
1808         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1809
1810         * test262/expectations.yaml:
1811
1812 2018-12-19  Keith Miller  <keith_miller@apple.com>
1813
1814         Update test262 tests.
1815         https://bugs.webkit.org/show_bug.cgi?id=192907
1816
1817         Rubber stamped by Mark Lam.
1818
1819         * test262/*: Omitted because prepare-changelog crashes.
1820
1821 2018-12-19  Mark Lam  <mark.lam@apple.com>
1822
1823         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1824         https://bugs.webkit.org/show_bug.cgi?id=192464
1825         <rdar://problem/46519455>
1826
1827         Reviewed by Saam Barati.
1828
1829         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1830         microbenchmark.
1831
1832         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1833         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1834
1835 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1836
1837         String overflow in JSC::createError results in ASSERT in WTF::makeString
1838         https://bugs.webkit.org/show_bug.cgi?id=192833
1839         <rdar://problem/45706868>
1840
1841         Reviewed by Mark Lam.
1842
1843         * stress/string-overflow-createError.js: Added.
1844
1845 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1846
1847         Error message for `-x ** y` contains a typo.
1848         https://bugs.webkit.org/show_bug.cgi?id=192832
1849
1850         Reviewed by Saam Barati.
1851
1852         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1853         (assert.assert.return.throws):
1854         * stress/pow-expects-update-expression-on-lhs.js:
1855         (throw.new.Error):
1856         Update test expectations which match against the exact error message.
1857
1858 2018-12-18  Mark Lam  <mark.lam@apple.com>
1859
1860         Gardening: test options fix.
1861         https://bugs.webkit.org/show_bug.cgi?id=192822
1862
1863         Unreviewed.
1864
1865         * stress/json-stringify-string-builder-overflow.js:
1866
1867 2018-12-18  Mark Lam  <mark.lam@apple.com>
1868
1869         JSON.stringify() should throw OOM on StringBuilder overflows.
1870         https://bugs.webkit.org/show_bug.cgi?id=192822
1871         <rdar://problem/46670577>
1872
1873         Reviewed by Saam Barati.
1874
1875         * stress/json-stringify-string-builder-overflow.js: Added.
1876
1877 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1878
1879         Redeclaration of var over let/const/class should be a syntax error.
1880         https://bugs.webkit.org/show_bug.cgi?id=192298
1881
1882         Reviewed by Keith Miller.
1883
1884         * test262.yaml:
1885         * test262/expectations.yaml:
1886         Mark 46 tests as passing.
1887
1888         * stress/block-scope-redeclarations.js:
1889         Add some new tests.
1890
1891         * stress/for-in-invalidate-context-weird-assignments.js:
1892         * stress/for-in-tests.js:
1893         Replace tests for outdated behavior with tests for SyntaxError.
1894
1895         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1896         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1897         Update expectations.
1898
1899 2018-12-18  Mark Lam  <mark.lam@apple.com>
1900
1901         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1902         https://bugs.webkit.org/show_bug.cgi?id=191374
1903         <rdar://problem/46525447>
1904
1905         Reviewed by Yusuke Suzuki.
1906
1907         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1908
1909         * stress/elidable-new-object-roflcopter-then-exit.js:
1910
1911 2018-12-17  Mark Lam  <mark.lam@apple.com>
1912
1913         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1914         https://bugs.webkit.org/show_bug.cgi?id=192019
1915         <rdar://problem/46525456>
1916
1917         Reviewed by Yusuke Suzuki.
1918
1919         The test runs too slow on 32-bit.
1920
1921         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1922
1923 2018-12-17  Mark Lam  <mark.lam@apple.com>
1924
1925         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1926         https://bugs.webkit.org/show_bug.cgi?id=191373
1927         <rdar://problem/46525458>
1928
1929         Reviewed by Yusuke Suzuki.
1930
1931         The test is already slow running with a JIT on 64-bit.  It will always timeout
1932         on 32-bit without a JIT.
1933
1934         * stress/materialize-regexp-cyclic-regexp.js:
1935
1936 2018-12-17  Mark Lam  <mark.lam@apple.com>
1937
1938         Array unshift/shift should not race against the AI in the compiler thread.
1939         https://bugs.webkit.org/show_bug.cgi?id=192795
1940         <rdar://problem/46724263>
1941
1942         Reviewed by Saam Barati.
1943
1944         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1945
1946 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1947
1948         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1949         https://bugs.webkit.org/show_bug.cgi?id=190047
1950
1951         Reviewed by Saam Barati.
1952
1953         * stress/object-keys-cached-zero.js: Added.
1954         (shouldBe):
1955         (test):
1956         * stress/object-keys-changed-attribute.js: Added.
1957         (shouldBe):
1958         (test):
1959         * stress/object-keys-changed-index.js: Added.
1960         (shouldBe):
1961         (test):
1962         * stress/object-keys-changed.js: Added.
1963         (shouldBe):
1964         (test):
1965         * stress/object-keys-indexed-non-cache.js: Added.
1966         (shouldBe):
1967         (test):
1968         * stress/object-keys-overrides-get-property-names.js: Added.
1969         (shouldBe):
1970         (test):
1971         (noInline):
1972
1973 2018-12-17  Mark Lam  <mark.lam@apple.com>
1974
1975         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1976         https://bugs.webkit.org/show_bug.cgi?id=192779
1977         <rdar://problem/46775869>
1978
1979         Reviewed by Saam Barati.
1980
1981         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1982
1983 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1984
1985         Unreviewed test gardening, address a syntax error in a new test.
1986
1987         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1988
1989 2018-12-17  Mark Lam  <mark.lam@apple.com>
1990
1991         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1992         https://bugs.webkit.org/show_bug.cgi?id=192776
1993         <rdar://problem/46772368>
1994
1995         Reviewed by Keith Miller.
1996
1997         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1998
1999 2018-12-17  Mark Lam  <mark.lam@apple.com>
2000
2001         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2002         https://bugs.webkit.org/show_bug.cgi?id=192770
2003         <rdar://problem/46449037>
2004
2005         Reviewed by Keith Miller.
2006
2007         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2008
2009 2018-12-14  Mark Lam  <mark.lam@apple.com>
2010
2011         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2012         https://bugs.webkit.org/show_bug.cgi?id=192717
2013         <rdar://problem/46660677>
2014
2015         Reviewed by Saam Barati.
2016
2017         * stress/regress-192717.js: Added.
2018
2019 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2020
2021         Unreviewed, rolling out r239153, r239154, and r239155.
2022         https://bugs.webkit.org/show_bug.cgi?id=192715
2023
2024         Caused flaky GC-related crashes seen with layout tests
2025         (Requested by ryanhaddad on #webkit).
2026
2027         Reverted changesets:
2028
2029         "[JSC] Optimize Object.keys by caching own keys results in
2030         StructureRareData"
2031         https://bugs.webkit.org/show_bug.cgi?id=190047
2032         https://trac.webkit.org/changeset/239153
2033
2034         "Unreviewed, build fix after r239153"
2035         https://bugs.webkit.org/show_bug.cgi?id=190047
2036         https://trac.webkit.org/changeset/239154
2037
2038         "Unreviewed, build fix after r239153, part 2"
2039         https://bugs.webkit.org/show_bug.cgi?id=190047
2040         https://trac.webkit.org/changeset/239155
2041
2042 2018-12-14  Keith Miller  <keith_miller@apple.com>
2043
2044         Callers of JSString::getIndex should check for OOM exceptions
2045         https://bugs.webkit.org/show_bug.cgi?id=192709
2046
2047         Reviewed by Mark Lam.
2048
2049         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2050
2051 2018-12-13  Mark Lam  <mark.lam@apple.com>
2052
2053         Add a missing exception check.
2054         https://bugs.webkit.org/show_bug.cgi?id=192626
2055         <rdar://problem/46662163>
2056
2057         Reviewed by Keith Miller.
2058
2059         * stress/regress-192626.js: Added.
2060
2061 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2062
2063         [BigInt] Add ValueDiv into DFG
2064         https://bugs.webkit.org/show_bug.cgi?id=186178
2065
2066         Reviewed by Yusuke Suzuki.
2067
2068         * stress/big-int-div-jit-osr.js: Added.
2069         * stress/big-int-div-jit-untyped.js: Added.
2070         * stress/value-div-fixup-int32-big-int.js: Added.
2071
2072 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2073
2074         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2075         https://bugs.webkit.org/show_bug.cgi?id=190047
2076
2077         Reviewed by Keith Miller.
2078
2079         * stress/object-keys-cached-zero.js: Added.
2080         (shouldBe):
2081         (test):
2082         * stress/object-keys-changed-attribute.js: Added.
2083         (shouldBe):
2084         (test):
2085         * stress/object-keys-changed-index.js: Added.
2086         (shouldBe):
2087         (test):
2088         * stress/object-keys-changed.js: Added.
2089         (shouldBe):
2090         (test):
2091         * stress/object-keys-indexed-non-cache.js: Added.
2092         (shouldBe):
2093         (test):
2094         * stress/object-keys-overrides-get-property-names.js: Added.
2095         (shouldBe):
2096         (test):
2097         (noInline):
2098
2099 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2100
2101         [DFG][FTL] Add NewSymbol
2102         https://bugs.webkit.org/show_bug.cgi?id=192620
2103
2104         Reviewed by Saam Barati.
2105
2106         * microbenchmarks/symbol-creation.js: Added.
2107         (test):
2108         * stress/symbol-description-identity.js: Added.
2109         (shouldBe):
2110         (test):
2111         * stress/symbol-identity.js: Added.
2112         (shouldBe):
2113         (test):
2114         * stress/symbol-with-description-throw-error.js: Added.
2115         (shouldBe):
2116         (shouldThrow):
2117         (test):
2118         (object.toString):
2119
2120 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2121
2122         [BigInt] Implement DFG/FTL typeof for BigInt
2123         https://bugs.webkit.org/show_bug.cgi?id=192619
2124
2125         Reviewed by Keith Miller.
2126
2127         * stress/big-int-boolean-proven-type.js: Added.
2128         (assert):
2129         (bool):
2130         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2131         (assert):
2132         (typeOf):
2133         (i.switch):
2134         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2135         (assert):
2136         (typeOf):
2137         * stress/big-int-type-of.js:
2138         (typeOf):
2139         (func):
2140
2141 2018-12-10  Mark Lam  <mark.lam@apple.com>
2142
2143         PropertyAttribute needs a CustomValue bit.
2144         https://bugs.webkit.org/show_bug.cgi?id=191993
2145         <rdar://problem/46264467>
2146
2147         Reviewed by Saam Barati.
2148
2149         * stress/regress-191993.js: Added.
2150
2151 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2152
2153         [BigInt] Add ValueMul into DFG
2154         https://bugs.webkit.org/show_bug.cgi?id=186175
2155
2156         Reviewed by Yusuke Suzuki.
2157
2158         * stress/big-int-mul-jit-osr.js: Added.
2159         * stress/big-int-mul-jit-untyped.js: Added.
2160         * stress/value-mul-fixup-int32-big-int.js: Added.
2161
2162 2018-12-06  Keith Miller  <keith_miller@apple.com>
2163
2164         stress/big-wasm-memory tests failing on 32-bit JSC bot
2165         https://bugs.webkit.org/show_bug.cgi?id=192020
2166
2167         Reviewed by Saam Barati.
2168
2169         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2170         the wasm stress tests if the WebAssembly object does not exist.
2171
2172         * stress/big-wasm-memory-grow-no-max.js:
2173         (test.foo):
2174         (test):
2175         (foo): Deleted.
2176         (catch): Deleted.
2177         * stress/big-wasm-memory-grow.js:
2178         (test.foo):
2179         (test):
2180         (foo): Deleted.
2181         (catch): Deleted.
2182         * stress/big-wasm-memory.js:
2183         (test.foo):
2184         (test):
2185         (foo): Deleted.
2186         (catch): Deleted.
2187
2188 2018-12-05  Mark Lam  <mark.lam@apple.com>
2189
2190         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2191         https://bugs.webkit.org/show_bug.cgi?id=192441
2192         <rdar://problem/46480355>
2193
2194         Reviewed by Saam Barati.
2195
2196         * stress/regress-192441.js: Added.
2197
2198 2018-12-04  Mark Lam  <mark.lam@apple.com>
2199
2200         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2201         https://bugs.webkit.org/show_bug.cgi?id=192386
2202         <rdar://problem/46445516>
2203
2204         Reviewed by Saam Barati.
2205
2206         * stress/regress-192386.js: Added.
2207
2208 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2209
2210         [ESNext][BigInt] Support logic operations
2211         https://bugs.webkit.org/show_bug.cgi?id=179903
2212
2213         Reviewed by Yusuke Suzuki.
2214
2215         * stress/big-int-branch-usage.js: Added.
2216         * stress/big-int-logical-and.js: Added.
2217         * stress/big-int-logical-not.js: Added.
2218         * stress/big-int-logical-or.js: Added.
2219
2220 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2221
2222         Unreviewed, rolling out r238833.
2223
2224         Breaks macOS and iOS debug builds.
2225
2226         Reverted changeset:
2227
2228         "[ESNext][BigInt] Support logic operations"
2229         https://bugs.webkit.org/show_bug.cgi?id=179903
2230         https://trac.webkit.org/changeset/238833
2231
2232 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2233
2234         [ESNext][BigInt] Support logic operations
2235         https://bugs.webkit.org/show_bug.cgi?id=179903
2236
2237         Reviewed by Yusuke Suzuki.
2238
2239         * stress/big-int-branch-usage.js: Added.
2240         * stress/big-int-logical-and.js: Added.
2241         * stress/big-int-logical-not.js: Added.
2242         * stress/big-int-logical-or.js: Added.
2243
2244 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2245
2246         [ESNext][BigInt] Implement support for "<<" and ">>"
2247         https://bugs.webkit.org/show_bug.cgi?id=186233
2248
2249         Reviewed by Yusuke Suzuki.
2250
2251         * stress/big-int-left-shift-general.js: Added.
2252         * stress/big-int-left-shift-range-error.js: Added.
2253         * stress/big-int-left-shift-type-error.js: Added.
2254         * stress/big-int-left-shift-wrapped-value.js: Added.
2255         * stress/big-int-right-shift-general.js: Added.
2256         * stress/big-int-right-shift-type-error.js: Added.
2257         * stress/big-int-right-shift-wrapped-value.js: Added.
2258         * stress/left-shift-to-primitive-precedence.js: Added.
2259         * stress/right-shift-to-primitive-precedence.js: Added.
2260
2261 2018-11-30  Dean Jackson  <dino@apple.com>
2262
2263         Add first-class support for .mjs files in jsc binary
2264         https://bugs.webkit.org/show_bug.cgi?id=192190
2265         <rdar://problem/46375715>
2266
2267         Reviewed by Keith Miller.
2268
2269         * stress/simple-module.mjs: Added.
2270         * stress/simple-script.js: Added.
2271
2272 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2273
2274         [BigInt] Implement ValueBitXor into DFG
2275         https://bugs.webkit.org/show_bug.cgi?id=190264
2276
2277         Reviewed by Yusuke Suzuki.
2278
2279         * stress/big-int-bitwise-xor-jit.js: Added.
2280         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2281         * stress/big-int-bitwise-xor-untyped.js: Added.
2282
2283 2018-11-27  Saam barati  <sbarati@apple.com>
2284
2285         r238510 broke scopes of size zero
2286         https://bugs.webkit.org/show_bug.cgi?id=192033
2287         <rdar://problem/46281734>
2288
2289         Reviewed by Keith Miller.
2290
2291         * stress/r238510-bad-loop.js: Added.
2292         (foo):
2293
2294 2018-11-27  Mark Lam  <mark.lam@apple.com>
2295
2296         [Re-landing] NaNs read from Wasm code needs to be purified.
2297         https://bugs.webkit.org/show_bug.cgi?id=191056
2298         <rdar://problem/45660341>
2299
2300         Reviewed by Filip Pizlo.
2301
2302         * wasm/regress/regress-191056.js: Added.
2303
2304 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2305
2306         Unreviewed, rolling out r238509.
2307
2308         Causes JSC tests to fail on iOS.
2309
2310         Reverted changeset:
2311
2312         "NaNs read from Wasm code needs to be purified."
2313         https://bugs.webkit.org/show_bug.cgi?id=191056
2314         https://trac.webkit.org/changeset/238509
2315
2316 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2317
2318         Re-introduce op_bitnot
2319         https://bugs.webkit.org/show_bug.cgi?id=190923
2320
2321         Reviewed by Yusuke Suzuki.
2322
2323         * stress/bit-not-must-generate.js: Added.
2324         * stress/bitwise-not-no-int32.js: Added.
2325
2326 2018-11-26  Saam barati  <sbarati@apple.com>
2327
2328         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2329         https://bugs.webkit.org/show_bug.cgi?id=191956
2330         <rdar://problem/45665806>
2331
2332         Reviewed by Yusuke Suzuki.
2333
2334         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2335         (bar):
2336         (foo):
2337
2338 2018-11-26  Saam barati  <sbarati@apple.com>
2339
2340         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2341         https://bugs.webkit.org/show_bug.cgi?id=191958
2342         <rdar://problem/46221877>
2343
2344         Reviewed by Yusuke Suzuki.
2345
2346         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2347         (x):
2348         (foo):
2349
2350 2018-11-26  Mark Lam  <mark.lam@apple.com>
2351
2352         NaNs read from Wasm code needs to be purified.
2353         https://bugs.webkit.org/show_bug.cgi?id=191056
2354         <rdar://problem/45660341>
2355
2356         Reviewed by Filip Pizlo.
2357
2358         * wasm/regress/regress-191056.js: Added.
2359
2360 2018-11-26  Michael Saboff  <msaboff@apple.com>
2361
2362         32-bit JSC test failure: stress/regexp-compile-oom.js
2363         https://bugs.webkit.org/show_bug.cgi?id=191375
2364
2365         Reviewed by Mark Lam.
2366
2367         Disabled the test for 32 bit platforms.
2368
2369         * stress/regexp-compile-oom.js:
2370
2371 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2372
2373         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2374         https://bugs.webkit.org/show_bug.cgi?id=191716
2375         <rdar://problem/45723878>
2376
2377         Reviewed by Saam Barati.
2378
2379         * stress/regress-187373.js: Added.
2380         (async.fn):
2381
2382 2018-11-21  Saam barati  <sbarati@apple.com>
2383
2384         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2385         https://bugs.webkit.org/show_bug.cgi?id=191897
2386         <rdar://problem/45871998>
2387
2388         Reviewed by Mark Lam.
2389
2390         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2391         (bar):
2392         (foo):
2393
2394 2018-11-21  Saam barati  <sbarati@apple.com>
2395
2396         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2397         https://bugs.webkit.org/show_bug.cgi?id=191895
2398         <rdar://problem/46167406>
2399
2400         Reviewed by Mark Lam.
2401
2402         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2403         (foo):
2404         (bar):
2405
2406 2018-11-21  Mark Lam  <mark.lam@apple.com>
2407
2408         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2409         https://bugs.webkit.org/show_bug.cgi?id=191776
2410         <rdar://problem/46152851>
2411
2412         Reviewed by Saam Barati.
2413
2414         * stress/big-wasm-memory-grow-no-max.js:
2415         * stress/big-wasm-memory-grow.js:
2416         * stress/big-wasm-memory.js:
2417         - updated these to expect an OutOfMemoryError.
2418
2419         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2420         (Binary.prototype.emit_u8):
2421         (Binary.prototype.emit_u32v):
2422         (Binary.prototype.emit_header):
2423         (Binary.prototype.emit_section):
2424         (Binary):
2425         (WasmModuleBuilder):
2426         (WasmModuleBuilder.prototype.addMemory):
2427         (WasmModuleBuilder.prototype.toArray):
2428         (WasmModuleBuilder.prototype.toBuffer):
2429         (WasmModuleBuilder.prototype.instantiate):
2430         (catch):
2431         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2432         (catch):
2433
2434 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2435
2436         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2437         https://bugs.webkit.org/show_bug.cgi?id=190836
2438
2439         Reviewed by Saam Barati and Yusuke Suzuki.
2440
2441         * stress/big-int-out-of-memory-tests.js: Added.
2442
2443 2018-11-20  Mark Lam  <mark.lam@apple.com>
2444
2445         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2446         https://bugs.webkit.org/show_bug.cgi?id=191856
2447         <rdar://problem/46089992>
2448
2449         Reviewed by Yusuke Suzuki.
2450
2451         * stress/regress-191856.js: Added.
2452         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2453
2454 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2455
2456         Enable JIT on ARM/Linux
2457         https://bugs.webkit.org/show_bug.cgi?id=191548
2458
2459         Reviewed by Yusuke Suzuki.
2460
2461         Disable test on system with limited memory. Program was killed by
2462         the OS before the exception was thrown.
2463
2464         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2465
2466 2018-11-20  Saam barati  <sbarati@apple.com>
2467
2468         Merging an IC variant may lead to the IC status containing overlapping structure sets
2469         https://bugs.webkit.org/show_bug.cgi?id=191869
2470         <rdar://problem/45403453>
2471
2472         Reviewed by Mark Lam.
2473
2474         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2475
2476 2018-11-19  Mark Lam  <mark.lam@apple.com>
2477
2478         globalFuncImportModule() should return a promise when it clears exceptions.
2479         https://bugs.webkit.org/show_bug.cgi?id=191792
2480         <rdar://problem/46090763>
2481
2482         Reviewed by Michael Saboff.
2483
2484         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2485
2486 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2487
2488         Skip new memory-hungry tests on memory limited devices
2489
2490         Unreviewed gardening.
2491
2492         * stress/big-wasm-memory-grow-no-max.js:
2493         * stress/big-wasm-memory-grow.js:
2494         * stress/big-wasm-memory.js:
2495
2496 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2497
2498         Unreviewed, rolling in the rest of r237254
2499         https://bugs.webkit.org/show_bug.cgi?id=190340
2500
2501         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2502         * stress/function-cache-with-parameters-end-position.js: Added.
2503         (shouldBe):
2504         (shouldThrow):
2505         (i.anonymous):
2506         * stress/function-constructor-name.js: Added.
2507         (shouldBe):
2508         (GeneratorFunction):
2509         (AsyncFunction.async):
2510         (AsyncGeneratorFunction.async):
2511         (anonymous):
2512         (async.anonymous):
2513         * test262/expectations.yaml:
2514
2515 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2516
2517         All users of ArrayBuffer should agree on the same max size
2518         https://bugs.webkit.org/show_bug.cgi?id=191771
2519
2520         Reviewed by Mark Lam.
2521
2522         * stress/big-wasm-memory-grow-no-max.js: Added.
2523         (foo):
2524         (catch):
2525         * stress/big-wasm-memory-grow.js: Added.
2526         (foo):
2527         (catch):
2528         * stress/big-wasm-memory.js: Added.
2529         (foo):
2530         (catch):
2531
2532 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2533
2534         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2535         run for each JSC config since they're regression tests for runtime bugs.
2536
2537         * stress/json-stringified-overflow-2.js:
2538         * stress/json-stringified-overflow.js:
2539
2540 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2541
2542         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2543         config since they're regression tests for runtime bugs.
2544
2545         * stress/large-unshift-splice.js:
2546         * stress/regress-185888.js:
2547
2548 2018-11-16  Saam Barati  <sbarati@apple.com>
2549
2550         KnownCellUse should also have SpecCellCheck as its type filter
2551         https://bugs.webkit.org/show_bug.cgi?id=191729
2552         <rdar://problem/45872852>
2553
2554         Reviewed by Filip Pizlo.
2555
2556         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2557         (C):
2558
2559 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2560
2561         Fix assertion failure on BytecodeGenerator::recordOpcode
2562         https://bugs.webkit.org/show_bug.cgi?id=191724
2563         <rdar://problem/45724395>
2564
2565         Reviewed by Saam Barati.
2566
2567         * stress/regress-187373-2.js: Added.
2568         (foo):
2569
2570 2018-11-15  Mark Lam  <mark.lam@apple.com>
2571
2572         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2573         https://bugs.webkit.org/show_bug.cgi?id=191730
2574         <rdar://problem/46048517>
2575
2576         Reviewed by Saam Barati.
2577
2578         * stress/regress-187006.js: Removed.
2579           - this test is invalid because its sole purpose is to test for the non-spec
2580             compliant behavior that we just fixed.
2581
2582         * stress/regress-191730.js: Added.
2583
2584 2018-11-15  Mark Lam  <mark.lam@apple.com>
2585
2586         RegExp operations should not take fast path if lastIndex is not numeric.
2587         https://bugs.webkit.org/show_bug.cgi?id=191731
2588         <rdar://problem/46017305>
2589
2590         Reviewed by Saam Barati.
2591
2592         * stress/regress-191731.js: Added.
2593
2594 2018-11-13  Saam Barati  <sbarati@apple.com>
2595
2596         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2597         https://bugs.webkit.org/show_bug.cgi?id=191600
2598
2599         Reviewed by Mark Lam.
2600
2601         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2602         (foo):
2603         (test):
2604         (bar):
2605
2606 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2607
2608         Unreviewed, rolling out r238132.
2609
2610         The test added with this change is timing out on Debug JSC
2611         bots.
2612
2613         Reverted changeset:
2614
2615         "[BigInt] JSBigInt::createWithLength should throw when length
2616         is greater than JSBigInt::maxLength"
2617         https://bugs.webkit.org/show_bug.cgi?id=190836
2618         https://trac.webkit.org/changeset/238132
2619
2620 2018-11-13  Mark Lam  <mark.lam@apple.com>
2621
2622         Add OOM detection to StringPrototype's substituteBackreferences().
2623         https://bugs.webkit.org/show_bug.cgi?id=191563
2624         <rdar://problem/45720428>
2625
2626         Reviewed by Saam Barati.
2627
2628         * stress/regress-191563.js: Added.
2629
2630 2018-11-13  Mark Lam  <mark.lam@apple.com>
2631
2632         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2633         https://bugs.webkit.org/show_bug.cgi?id=191579
2634         <rdar://problem/45942472>
2635
2636         Reviewed by Saam Barati.
2637
2638         * stress/regress-191579.js: Added.
2639
2640 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2641
2642         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2643         https://bugs.webkit.org/show_bug.cgi?id=190836
2644
2645         Reviewed by Saam Barati.
2646
2647         * stress/big-int-out-of-memory-tests.js: Added.
2648
2649 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2650
2651         U+180E is no longer a whitespace character
2652         https://bugs.webkit.org/show_bug.cgi?id=191415
2653
2654         Reviewed by Saam Barati.
2655
2656         * ChakraCore/test/es5/regexSpace.baseline:
2657         * ChakraCore/test/es6/unicode_whitespace.js:
2658         Update tests to latest version.
2659         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2660
2661         * test262.yaml:
2662         * test262/config.yaml:
2663         * test262/expectations.yaml:
2664         Update expectations.
2665
2666 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2667
2668         [BigInt] Add support to BigInt into ValueAdd
2669         https://bugs.webkit.org/show_bug.cgi?id=186177
2670
2671         Reviewed by Keith Miller.
2672
2673         * stress/big-int-negate-jit.js:
2674         * stress/value-add-big-int-and-string.js: Added.
2675         * stress/value-add-big-int-prediction-propagation.js: Added.
2676         * stress/value-add-big-int-untyped.js: Added.
2677
2678 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2679
2680         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2681         https://bugs.webkit.org/show_bug.cgi?id=191184
2682
2683         Reviewed by Saam Barati.
2684
2685         Most tests were failing due to timeouts, since they are too slow to
2686         run on CLoop. The exceptions are:
2687
2688         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2689         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2690         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2691         to change the stack size since CLoop requires it to be page aligned.
2692
2693         * microbenchmarks/array-push-1.js:
2694         * microbenchmarks/array-push-2.js:
2695         * microbenchmarks/elidable-new-object-dag.js:
2696         * microbenchmarks/elidable-new-object-roflcopter.js:
2697         * microbenchmarks/elidable-new-object-tree.js:
2698         * microbenchmarks/getter-richards.js:
2699         * microbenchmarks/sinkable-new-object-dag.js:
2700         * microbenchmarks/string-concat-long-convert.js:
2701         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2702         * slowMicrobenchmarks/array-push-3.js:
2703         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2704         * slowMicrobenchmarks/spread-small-array.js:
2705         * slowMicrobenchmarks/undefined-property-access.js:
2706         * stress/activation-sink-default-value-tdz-error.js:
2707         * stress/activation-sink-default-value.js:
2708         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2709         * stress/activation-sink-osrexit-default-value.js:
2710         * stress/activation-sink-osrexit.js:
2711         * stress/activation-sink.js:
2712         * stress/allow-math-ic-b3-code-duplication.js:
2713         * stress/array-push-multiple-int32.js:
2714         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2715         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2716         * stress/arrowfunction-lexical-this-activation-sink.js:
2717         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2718         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2719         * stress/elide-new-object-dag-then-exit.js:
2720         * stress/materialize-regexp-cyclic.js:
2721         * stress/new-regex-inline.js:
2722         * stress/op_add.js:
2723         * stress/op_bitand.js:
2724         * stress/op_bitor.js:
2725         * stress/op_bitxor.js:
2726         * stress/op_div-ConstVar.js:
2727         * stress/op_div-VarConst.js:
2728         * stress/op_div-VarVar.js:
2729         * stress/op_lshift-ConstVar.js:
2730         * stress/op_lshift-VarConst.js:
2731         * stress/op_lshift-VarVar.js:
2732         * stress/op_mod-ConstVar.js:
2733         * stress/op_mod-VarConst.js:
2734         * stress/op_mod-VarVar.js:
2735         * stress/op_mul-ConstVar.js:
2736         * stress/op_mul-VarConst.js:
2737         * stress/op_mul-VarVar.js:
2738         * stress/op_rshift-ConstVar.js:
2739         * stress/op_rshift-VarConst.js:
2740         * stress/op_rshift-VarVar.js:
2741         * stress/op_sub-ConstVar.js:
2742         * stress/op_sub-VarConst.js:
2743         * stress/op_sub-VarVar.js:
2744         * stress/op_urshift-ConstVar.js:
2745         * stress/op_urshift-VarConst.js:
2746         * stress/op_urshift-VarVar.js:
2747         * stress/proxy-get-set-correct-receiver.js:
2748         * stress/regress-179562.js:
2749         * stress/rest-parameter-many-arguments.js:
2750         * stress/sampling-profiler-richards.js:
2751         * stress/splay-flash-access-1ms.js:
2752         * stress/tailCallForwardArguments.js:
2753         * stress/typed-array-get-by-val-profiling.js:
2754         * typeProfiler/getter-richards.js:
2755
2756 2018-11-06  Michael Saboff  <msaboff@apple.com>
2757
2758         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2759         https://bugs.webkit.org/show_bug.cgi?id=191271
2760
2761         Reviewed by Saam Barati.
2762
2763         Added more test cases and made all test cases run with the same deeply recursive stack
2764         instead of finding that same point for each test case.
2765
2766         * stress/regexp-compile-oom.js:
2767         (prototype.runTest):
2768         (recurseAndTest):
2769         (testList.push.new.TestAndExpectedException):
2770
2771 2018-11-05  Michael Saboff  <msaboff@apple.com>
2772
2773         Unreviewed build fix for linux.
2774
2775         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2776
2777 2018-11-02  Michael Saboff  <msaboff@apple.com>
2778
2779         Rolling in r237753 with unreviewed build fix.
2780
2781         Fixed issues with DECLARE_THROW_SCOPE placement.
2782
2783 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2784
2785         Unreviewed, rolling out r237753.
2786
2787         Introduced JSC test failures
2788
2789         Reverted changeset:
2790
2791         "Running out of stack space not properly handled in
2792         RegExp::compile() and its callers"
2793         https://bugs.webkit.org/show_bug.cgi?id=191206
2794         https://trac.webkit.org/changeset/237753
2795
2796 2018-11-02  Michael Saboff  <msaboff@apple.com>
2797
2798         Running out of stack space not properly handled in RegExp::compile() and its callers
2799         https://bugs.webkit.org/show_bug.cgi?id=191206
2800
2801         Reviewed by Filip Pizlo.
2802
2803         New regression test.
2804
2805         * stress/regexp-compile-oom.js: Added.
2806         (recurseAndTest):
2807
2808 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2809
2810         Skip tests on arm/mips that time out now we're running on CLoop
2811
2812         Unreviewed gardening.
2813
2814         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2815         time out on the bots and need to be disabled. There's more tests
2816         disabled on arm because the timeout is longer on the mips bot (as the
2817         device is slower to start with), so many of the tests don't time out
2818         there.
2819
2820         * microbenchmarks/getter-richards.js: disable on arm and mips.
2821         * stress/op_add.js: disable on arm.
2822         * stress/op_bitand.js: disable on arm.
2823         * stress/op_bitor.js: disable on arm.
2824         * stress/op_bitxor.js: disable on arm.
2825         * stress/op_lshift-ConstVar.js: disable on arm.
2826         * stress/op_lshift-VarConst.js: disable on arm.
2827         * stress/op_lshift-VarVar.js: disable on arm.
2828         * stress/op_mod-ConstVar.js: disable on arm.
2829         * stress/op_mod-VarConst.js: disable on arm.
2830         * stress/op_mod-VarVar.js: disable on arm.
2831         * stress/op_mul-ConstVar.js: disable on arm.
2832         * stress/op_mul-VarConst.js: disable on arm.
2833         * stress/op_mul-VarVar.js: disable on arm.
2834         * stress/op_rshift-ConstVar.js: disable on arm.
2835         * stress/op_rshift-VarConst.js: disable on arm.
2836         * stress/op_rshift-VarVar.js: disable on arm.
2837         * stress/op_sub-ConstVar.js: disable on arm.
2838         * stress/op_sub-VarConst.js: disable on arm.
2839         * stress/op_sub-VarVar.js: disable on arm.
2840         * stress/op_urshift-ConstVar.js: disable on arm.
2841         * stress/op_urshift-VarConst.js: disable on arm.
2842         * stress/op_urshift-VarVar.js: disable on arm.
2843         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2844         * stress/value-to-boolean.js: disable on arm and mips.
2845
2846 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2847
2848         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2849         https://bugs.webkit.org/show_bug.cgi?id=191108
2850         <rdar://problem/45690700>
2851
2852         Reviewed by Saam Barati.
2853
2854         * stress/wide-op_catch.js: Added.
2855         (catch):
2856
2857 2018-10-29  Mark Lam  <mark.lam@apple.com>
2858
2859         Correctly detect string overflow when using the 'Function' constructor.
2860         https://bugs.webkit.org/show_bug.cgi?id=184883
2861         <rdar://problem/36320331>
2862
2863         Reviewed by Saam Barati.
2864
2865         I've verified that this passes on 32-bit as well.
2866
2867         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2868
2869 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2870
2871         Add support for GetStack FlushedDouble
2872         https://bugs.webkit.org/show_bug.cgi?id=191012
2873         <rdar://problem/45265141>
2874
2875         Reviewed by Saam Barati.
2876
2877         * stress/get-stack-double.js: Added.
2878         (bar):
2879         (noInline):
2880
2881 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2882
2883         New bytecode format for JSC
2884         https://bugs.webkit.org/show_bug.cgi?id=187373
2885         <rdar://problem/44186758>
2886
2887         Reviewed by Filip Pizlo.
2888
2889         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2890
2891         * stress/maximum-inline-capacity.js: Added.
2892         (test1):
2893         (test3.Foo):
2894         (test3):
2895
2896 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2897
2898         Unreviewed, rolling out r237479 and r237484.
2899         https://bugs.webkit.org/show_bug.cgi?id=190978
2900
2901         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2902
2903         Reverted changesets:
2904
2905         "New bytecode format for JSC"
2906         https://bugs.webkit.org/show_bug.cgi?id=187373
2907         https://trac.webkit.org/changeset/237479
2908
2909         "Gardening: Build fix after r237479."
2910         https://bugs.webkit.org/show_bug.cgi?id=187373
2911         https://trac.webkit.org/changeset/237484
2912
2913 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2914
2915         New bytecode format for JSC
2916         https://bugs.webkit.org/show_bug.cgi?id=187373
2917         <rdar://problem/44186758>
2918
2919         Reviewed by Filip Pizlo.
2920
2921         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2922
2923         * stress/maximum-inline-capacity.js: Added.
2924         (test1):
2925         (test3.Foo):
2926         (test3):
2927
2928 2018-10-26  Mark Lam  <mark.lam@apple.com>
2929
2930         Fix missing edge cases with JSGlobalObjects having a bad time.
2931         https://bugs.webkit.org/show_bug.cgi?id=189028
2932         <rdar://problem/45204939>
2933
2934         Reviewed by Saam Barati.
2935
2936         * stress/regress-189028.js: Added.
2937
2938 2018-10-22  Mark Lam  <mark.lam@apple.com>
2939
2940         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2941         https://bugs.webkit.org/show_bug.cgi?id=190515
2942         <rdar://problem/45222379>
2943
2944         Rubber-stamped by Saam Barati.
2945
2946         Adding another test.
2947
2948         * stress/regress-190515-2.js: Added.
2949
2950 2018-10-22  Mark Lam  <mark.lam@apple.com>
2951
2952         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2953         https://bugs.webkit.org/show_bug.cgi?id=190515
2954         <rdar://problem/45222379>
2955
2956         Reviewed by Saam Barati.
2957
2958         * stress/regress-190515.js: Added.
2959
2960 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2961
2962         Unreviewed, rolling out r237254.
2963         https://bugs.webkit.org/show_bug.cgi?id=190760
2964
2965         "It regresses JetStream 2 by 5% on some iOS devices"
2966         (Requested by saamyjoon on #webkit).
2967
2968         Reverted changeset:
2969
2970         "[JSC] JSC should have "parseFunction" to optimize Function
2971         constructor"
2972         https://bugs.webkit.org/show_bug.cgi?id=190340
2973         https://trac.webkit.org/changeset/237254
2974
2975 2018-10-19  Saam Barati  <sbarati@apple.com>
2976
2977         vmCall should check if we exit before emitting an OSR exit due to exceptions
2978         https://bugs.webkit.org/show_bug.cgi?id=190740
2979         <rdar://problem/45220139>
2980
2981         Reviewed by Mark Lam.
2982
2983         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2984         (foo):
2985
2986 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2987
2988         [ESNext][BigInt] Implement support for "^"
2989         https://bugs.webkit.org/show_bug.cgi?id=186235
2990
2991         Reviewed by Yusuke Suzuki.
2992
2993         * stress/big-int-bitwise-xor-general.js: Added.
2994         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2995         * stress/big-int-bitwise-xor-type-error.js: Added.
2996         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2997
2998 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2999
3000         [BigInt] Add ValueSub into DFG
3001         https://bugs.webkit.org/show_bug.cgi?id=186176
3002
3003         Reviewed by Yusuke Suzuki.
3004
3005         * stress/big-int-subtraction-jit.js:
3006         * stress/value-sub-big-int-prediction-propagation.js: Added.
3007         * stress/value-sub-big-int-untyped.js: Added.
3008         * stress/value-sub-spec-none-case.js: Added.
3009
3010 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3011
3012         [JSC] JSC should have "parseFunction" to optimize Function constructor
3013         https://bugs.webkit.org/show_bug.cgi?id=190340
3014
3015         Reviewed by Mark Lam.
3016
3017         This patch fixes the line number of syntax errors raised by the Function constructor,
3018         since we now parse the final code only once. And we no longer use block statement
3019         for Function constructor's parsing.
3020
3021         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3022         * stress/function-cache-with-parameters-end-position.js: Added.
3023         (shouldBe):
3024         (shouldThrow):
3025         (i.anonymous):
3026         * stress/function-constructor-name.js: Added.
3027         (shouldBe):
3028         (GeneratorFunction):
3029         (AsyncFunction.async):
3030         (AsyncGeneratorFunction.async):
3031         (anonymous):
3032         (async.anonymous):
3033         * test262/expectations.yaml:
3034
3035 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3036
3037         Unreviewed, rolling out r237242.
3038         https://bugs.webkit.org/show_bug.cgi?id=190701
3039
3040         it breaks "stress/sampling-profiler-basic.js" (Requested by
3041         caiolima on #webkit).
3042
3043         Reverted changeset:
3044
3045         "[BigInt] Add ValueSub into DFG"
3046         https://bugs.webkit.org/show_bug.cgi?id=186176
3047         https://trac.webkit.org/changeset/237242
3048
3049 2018-10-17  Keith Miller  <keith_miller@apple.com>
3050
3051         AI does not clear Phantom allocation nodes.
3052         https://bugs.webkit.org/show_bug.cgi?id=190694
3053
3054         Reviewed by Saam Barati.
3055
3056         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3057         (Day):
3058         (DaysInYear):
3059         (TimeInYear):
3060         (TimeFromYear):
3061         (DayFromYear):
3062         (InLeapYear):
3063         (YearFromTime):
3064         (WeekDay):
3065         (DaylightSavingTA):
3066         (GetSecondSundayInMarch):
3067         (TimeInMonth):
3068
3069 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3070
3071         [BigInt] Add ValueSub into DFG
3072         https://bugs.webkit.org/show_bug.cgi?id=186176
3073
3074         Reviewed by Yusuke Suzuki.
3075
3076         * stress/big-int-subtraction-jit.js:
3077         * stress/value-sub-big-int-prediction-propagation.js: Added.
3078         * stress/value-sub-big-int-untyped.js: Added.
3079
3080 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3081
3082         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3083         https://bugs.webkit.org/show_bug.cgi?id=190611
3084
3085         Reviewed by Saam Barati.
3086
3087         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3088         to improve test runtime. On ARM/MIPS this test even timed out when running all
3089         tests.
3090
3091         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3092         (test):
3093
3094 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3095
3096         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3097
3098         Unreviewed gardening.
3099
3100         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3101
3102 2018-10-15  Saam barati  <sbarati@apple.com>
3103
3104         Emit fjcvtzs on ARM64E on Darwin
3105         https://bugs.webkit.org/show_bug.cgi?id=184023
3106
3107         Reviewed by Yusuke Suzuki and Filip Pizlo.
3108
3109         * stress/double-to-int32-NaN.js: Added.
3110         (assert):
3111         (foo):
3112
3113 2018-10-15  Saam Barati  <sbarati@apple.com>
3114
3115         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3116         https://bugs.webkit.org/show_bug.cgi?id=190262
3117         <rdar://problem/44986241>
3118
3119         Reviewed by Mark Lam.
3120
3121         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3122         (test):
3123         * stress/slice-array-storage-with-holes.js: Added.
3124         (main):
3125
3126 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3127
3128         Unreviewed, rolling out r237054.
3129         https://bugs.webkit.org/show_bug.cgi?id=190593
3130
3131         "this regressed JetStream 2 by 6% on iOS" (Requested by
3132         saamyjoon on #webkit).
3133
3134         Reverted changeset:
3135
3136         "[JSC] JSC should have "parseFunction" to optimize Function
3137         constructor"
3138         https://bugs.webkit.org/show_bug.cgi?id=190340
3139         https://trac.webkit.org/changeset/237054
3140
3141 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3142
3143         [JSC] JSON.stringify can accept call-with-no-arguments
3144         https://bugs.webkit.org/show_bug.cgi?id=190343
3145
3146         Reviewed by Mark Lam.
3147
3148         * stress/json-stringify-no-arguments.js: Added.
3149         (shouldBe):
3150
3151 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3152
3153         [JSC] JSC should have "parseFunction" to optimize Function constructor
3154         https://bugs.webkit.org/show_bug.cgi?id=190340
3155
3156         Reviewed by Mark Lam.
3157
3158         This patch fixes the line number of syntax errors raised by the Function constructor,
3159         since we now parse the final code only once. And we no longer use block statement
3160         for Function constructor's parsing.
3161
3162         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3163         * stress/function-cache-with-parameters-end-position.js: Added.
3164         (shouldBe):
3165         (shouldThrow):
3166         (i.anonymous):
3167         * stress/function-constructor-name.js: Added.
3168         (shouldBe):
3169         (GeneratorFunction):
3170         (AsyncFunction.async):
3171         (AsyncGeneratorFunction.async):
3172         (anonymous):
3173         (async.anonymous):
3174         * test262/expectations.yaml:
3175
3176 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3177
3178         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3179         https://bugs.webkit.org/show_bug.cgi?id=190426
3180
3181         Unreviewed gardening.
3182
3183         * stress/sampling-profiler-richards.js:
3184
3185 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3186
3187         [ESNext][BigInt] Implement support for "|"
3188         https://bugs.webkit.org/show_bug.cgi?id=186229
3189
3190         Reviewed by Yusuke Suzuki.
3191
3192         * stress/big-int-bitwise-and-jit.js:
3193         * stress/big-int-bitwise-or-general.js: Added.
3194         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3195         * stress/big-int-bitwise-or-jit.js: Added.
3196         * stress/big-int-bitwise-or-memory-stress.js: Added.
3197         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3198         * stress/big-int-bitwise-or-type-error.js: Added.
3199         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3200
3201 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3202
3203         Skip test on systems with limited memory
3204         https://bugs.webkit.org/show_bug.cgi?id=190310
3205
3206         Invoking runDefault adds test to runlist, skipping the test in the next
3207         line does not prevent the test from executing. Change order of lines such
3208         that runDefault is only executed if test is not executed.
3209
3210         Reviewed by Mark Lam.
3211
3212         * stress/regress-190187.js:
3213
3214 2018-10-03  Saam barati  <sbarati@apple.com>
3215
3216         lowXYZ in FTLLower should always filter the type of the incoming edge
3217         https://bugs.webkit.org/show_bug.cgi?id=189939
3218         <rdar://problem/44407030>
3219
3220         Reviewed by Michael Saboff.
3221
3222         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3223         (foo):
3224         (test):
3225
3226 2018-10-03  Mark Lam  <mark.lam@apple.com>
3227
3228         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3229         https://bugs.webkit.org/show_bug.cgi?id=190187
3230         <rdar://problem/42512909>
3231
3232         Reviewed by Michael Saboff.
3233
3234         * stress/regress-190187.js: Added.
3235
3236 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3237
3238         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3239         https://bugs.webkit.org/show_bug.cgi?id=190033
3240
3241         Reviewed by Yusuke Suzuki.
3242
3243         * stress/big-int-to-string.js:
3244
3245 2018-10-01  Mark Lam  <mark.lam@apple.com>
3246
3247         Function.toString() should also copy the source code Functions that are class definitions.
3248         https://bugs.webkit.org/show_bug.cgi?id=190186
3249         <rdar://problem/44733360>
3250
3251         Reviewed by Saam Barati.
3252
3253         * stress/regress-190186.js: Added.
3254
3255 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3256
3257         Split NaN-check into separate test
3258         https://bugs.webkit.org/show_bug.cgi?id=190010
3259
3260         Reviewed by Saam Barati.
3261
3262         DataView exposes NaN-representation, which is not necessarily the same on each
3263         architecture. Therefore move the check of the NaN-representation into its own
3264         file such that we can disable this test on MIPS where NaN-representation can be
3265         different on older CPUs.
3266
3267         * stress/dataview-jit-set-nan.js: Added.
3268         (assert):
3269         (test.storeLittleEndian):
3270         (test.storeBigEndian):
3271         (test.store):
3272         (test):
3273         * stress/dataview-jit-set.js:
3274         (test5):
3275
3276 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3277
3278         Unreviewed, rolling out r236647.
3279         https://bugs.webkit.org/show_bug.cgi?id=190124
3280
3281         Breaking test stress/big-int-to-string.js (Requested by
3282         caiolima_ on #webkit).
3283
3284         Reverted changeset:
3285
3286         "[BigInt] BigInt.prototype.toString is broken when radix is
3287         power of 2"
3288         https://bugs.webkit.org/show_bug.cgi?id=190033
3289         https://trac.webkit.org/changeset/236647
3290
3291 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3292
3293         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3294         https://bugs.webkit.org/show_bug.cgi?id=190033
3295
3296         Reviewed by Yusuke Suzuki.
3297
3298         * stress/big-int-to-string.js:
3299
3300 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3301
3302         [ESNext][BigInt] Implement support for "&"
3303         https://bugs.webkit.org/show_bug.cgi?id=186228
3304
3305         Reviewed by Yusuke Suzuki.
3306
3307         * stress/big-int-bitwise-and-general.js: Added.
3308         (assert):
3309         (assert.sameValue):
3310         * stress/big-int-bitwise-and-jit.js: Added.
3311         (let.assert.sameValue):
3312         (bigIntBitAnd):
3313         * stress/big-int-bitwise-and-memory-stress.js: Added.
3314         (assert):
3315         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3316         (assert.sameValue):
3317         (let.o.Symbol.toPrimitive):
3318         (catch):
3319         * stress/big-int-bitwise-and-type-error.js: Added.
3320         (assert):
3321         (assertThrowTypeError):
3322         (let.o.valueOf):
3323         (o.valueOf):
3324         (o.toString):
3325         (o.Symbol.toPrimitive):
3326         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3327         (assert.sameValue):
3328         (testBitAnd):
3329         (let.o.Symbol.toPrimitive):
3330         (o.valueOf):
3331         (o.toString):
3332
3333 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3334
3335         JSC test stress/jsc-read.js doesn't support CRLF
3336         https://bugs.webkit.org/show_bug.cgi?id=190063
3337
3338         Reviewed by Yusuke Suzuki.
3339
3340         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3341
3342         * stress/jsc-read.js:
3343         (test):
3344
3345 2018-09-27  Saam barati  <sbarati@apple.com>
3346
3347         Verify the contents of AssemblerBuffer on arm64e
3348         https://bugs.webkit.org/show_bug.cgi?id=190057
3349         <rdar://problem/38916630>
3350
3351         Reviewed by Mark Lam.
3352
3353         * stress/regress-189132.js:
3354
3355 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3356
3357         Disable test without LLInt on ARMv7
3358         https://bugs.webkit.org/show_bug.cgi?id=190037
3359
3360         Reviewed by Mark Lam.
3361
3362         Test runs out of executable memory on ARMv7, do not run
3363         this test without LLInt enabled.
3364
3365         * stress/regress-169445.js:
3366
3367 2018-09-26  Keith Miller  <keith_miller@apple.com>
3368
3369         We should zero unused property storage when rebalancing array storage.
3370         https://bugs.webkit.org/show_bug.cgi?id=188151
3371
3372         Reviewed by Michael Saboff.
3373
3374         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3375
3376 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3377
3378         [JSC] Optimize Array#lastIndexOf
3379         https://bugs.webkit.org/show_bug.cgi?id=189780
3380
3381         Reviewed by Saam Barati.
3382
3383         * stress/array-lastindexof-array-prototype-trap.js: Added.
3384         (shouldBe):
3385         (AncestorArray.prototype.get 2):
3386         (AncestorArray):
3387         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3388         (shouldBe):
3389         * stress/array-lastindexof-hole-nan.js: Added.
3390         (shouldBe):
3391         (throw.new.Error):
3392         * stress/array-lastindexof-infinity.js: Added.
3393         (shouldBe):
3394         (throw.new.Error):
3395         * stress/array-lastindexof-negative-zero.js: Added.
3396         (shouldBe):
3397         (throw.new.Error):
3398         * stress/array-lastindexof-own-getter.js: Added.
3399         (shouldBe):
3400         (throw.new.Error.get array):
3401         (get array):
3402         * stress/array-lastindexof-prototype-trap.js: Added.
3403         (shouldBe):
3404         (DerivedArray.prototype.get 2):
3405         (DerivedArray):
3406
3407 2018-09-25  Saam Barati  <sbarati@apple.com>
3408
3409         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3410         https://bugs.webkit.org/show_bug.cgi?id=189940
3411         <rdar://problem/43640987>
3412
3413         Reviewed by Mark Lam.
3414
3415         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3416
3417 2018-09-24  Saam Barati  <sbarati@apple.com>
3418
3419         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3420         https://bugs.webkit.org/show_bug.cgi?id=189922
3421         <rdar://problem/44651275>
3422
3423         Reviewed by Mark Lam.
3424
3425         * stress/array-indexof-fast-path-effects.js: Added.
3426         * stress/array-indexof-cached-length.js: Added.
3427
3428 2018-09-24  Saam barati  <sbarati@apple.com>
3429
3430         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3431         https://bugs.webkit.org/show_bug.cgi?id=189682
3432         <rdar://problem/43557315>
3433
3434         Reviewed by Mark Lam.
3435
3436         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3437         (foo):
3438
3439 2018-09-22  Saam barati  <sbarati@apple.com>
3440
3441         The sampling should not use Strong<CodeBlock> in its machineLocation field
3442         https://bugs.webkit.org/show_bug.cgi?id=189319
3443
3444         Reviewed by Filip Pizlo.
3445
3446         * stress/sampling-profiler-richards.js: Added.
3447
3448 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3449
3450         [JSC] Optimize Array#indexOf in C++ runtime
3451         https://bugs.webkit.org/show_bug.cgi?id=189507
3452
3453         Reviewed by Saam Barati.
3454
3455         * stress/array-indexof-array-prototype-trap.js: Added.
3456         (shouldBe):
3457         (AncestorArray.prototype.get 2):
3458         (AncestorArray):
3459         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3460         (shouldBe):
3461         * stress/array-indexof-hole-nan.js: Added.
3462         (shouldBe):
3463         (throw.new.Error):
3464         * stress/array-indexof-infinity.js: Added.
3465         (shouldBe):
3466         (throw.new.Error):
3467         * stress/array-indexof-negative-zero.js: Added.
3468         (shouldBe):
3469         (throw.new.Error):
3470         * stress/array-indexof-own-getter.js: Added.
3471         (shouldBe):
3472         (throw.new.Error.get array):
3473         (get array):
3474         * stress/array-indexof-prototype-trap.js: Added.
3475         (shouldBe):
3476         (DerivedArray.prototype.get 2):
3477         (DerivedArray):
3478
3479 2018-09-19  Saam barati  <sbarati@apple.com>
3480
3481         AI rule for MultiPutByOffset executes its effects in the wrong order
3482         https://bugs.webkit.org/show_bug.cgi?id=189757
3483         <rdar://problem/43535257>
3484
3485         Reviewed by Michael Saboff.
3486
3487         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3488         (foo):
3489         (Foo):
3490         (g):
3491
3492 2018-09-17  Mark Lam  <mark.lam@apple.com>
3493
3494         Ensure that ForInContexts are invalidated if their loop local is over-written.
3495         https://bugs.webkit.org/show_bug.cgi?id=189571
3496         <rdar://problem/44402277>
3497
3498         Reviewed by Saam Barati.
3499
3500         * stress/regress-189571.js: Added.
3501
3502 2018-09-17  Saam barati  <sbarati@apple.com>
3503
3504         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3505         https://bugs.webkit.org/show_bug.cgi?id=189676
3506         <rdar://problem/39682897>
3507
3508         Reviewed by Michael Saboff.
3509
3510         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3511         (A):
3512         (K):
3513         (i.catch):
3514
3515 2018-09-14  Saam barati  <sbarati@apple.com>
3516
3517         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3518         https://bugs.webkit.org/show_bug.cgi?id=189628
3519         <rdar://problem/39481690>
3520
3521         Reviewed by Mark Lam.
3522
3523         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3524         (foo):
3525
3526 2018-09-11  Mark Lam  <mark.lam@apple.com>
3527
3528         Test for array initialization in arrayProtoFuncSplice.
3529         https://bugs.webkit.org/show_bug.cgi?id=170253
3530         <rdar://problem/31328773>
3531
3532         Rubber-stamped by Saam Barati.
3533
3534         * stress/regress-170253.js: Added.
3535
3536 2018-09-11  Mark Lam  <mark.lam@apple.com>
3537
3538         Test for IntlObject initialization.
3539         https://bugs.webkit.org/show_bug.cgi?id=170251
3540         <rdar://problem/31328419>
3541
3542         Rubber-stamped by Saam Barati.
3543
3544         * stress/regress-170251.js: Added.
3545
3546 2018-09-11  Mark Lam  <mark.lam@apple.com>
3547
3548         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3549         https://bugs.webkit.org/show_bug.cgi?id=169889
3550         <rdar://problem/31155607>
3551
3552         Reviewed by Saam Barati.
3553
3554         * stress/regress-169889-array-concat.js: Added.
3555         * stress/regress-169889-array-concat1.js: Added.
3556         * stress/regress-169889-array-slice.js: Added.
3557
3558 2018-09-11  Mark Lam  <mark.lam@apple.com>
3559
3560         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3561         https://bugs.webkit.org/show_bug.cgi?id=169445
3562         <rdar://problem/30957435>
3563
3564         Reviewed by Saam Barati.
3565
3566         * stress/regress-169445.js: Added.
3567         (let.gun.eval.A):
3568         (let.gun.eval.B.C):
3569         (let.gun.eval.B.C.prototype.trigger):
3570         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3571         (let.gun.eval.B):
3572         (let.gun.eval):
3573
3574 == Rolled over to ChangeLog-2018-09-11 ==