ValueRecovery::recover() should purify NaN values it recovers.
2019-01-29  Mark Lam  <mark.lam@apple.com>

        ValueRecovery::recover() should purify NaN values it recovers.
        https://bugs.webkit.org/show_bug.cgi?id=193978
        <rdar://problem/47625488>

        Reviewed by Saam Barati.

        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
        https://bugs.webkit.org/show_bug.cgi?id=193713

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-to-string-on-int-does-gc.js: Added.
        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        Remove @Error use.

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        * stress/regress-190693.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (taz):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
        (let.thing):
        (foo.let.hello):
        (foo):

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Added a new test for a case that was triggering a RELEASE_ASSERT when
        testing.
        Disable some slow tests that were already disabled for arm and x86.

        * stress/json-parse-big-object.js: Added.
        * stress/new-largeish-contiguous-array-with-size.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/sampling-profiler-richards.js:
        * stress/spread-forward-call-varargs-stack-overflow.js:

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
        (shouldBe):
        (foo):
        (bar):
        (baz):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
        (f1.f2.f3.f4):
        (f1.f2.f3):
        (f1.f2):
        (f1):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * stress/object-tostring-changed-proto.js: Removed.
        * stress/object-tostring-changed.js: Removed.
        * stress/object-tostring-misc.js: Removed.
        * stress/object-tostring-other.js: Removed.
        * stress/object-tostring-untyped.js: Removed.

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
        (testUncheckedLessThanZero):
        (testUncheckedLessThanOrEqualZero):
        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, roll out r240220 due to date-format-xparb regression
        https://bugs.webkit.org/show_bug.cgi?id=193603

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
        * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.

2019-01-21  Caio Lima  <ticaiolima@gmail.com>

        DoesGC rule is wrong for nodes with BigIntUse
        https://bugs.webkit.org/show_bug.cgi?id=193652

        Reviewed by Saam Barati.

        * stress/big-int-value-op-update-gc-rules.js: Added.
        (assert):
        (doesGCAdd):
        (doesGCSub):
        (doesGCDiv):
        (doesGCMul):
        (doesGCBitAnd):
        (doesGCBitOr):
        (doesGCBitXor):

2019-01-20  Saam Barati  <sbarati@apple.com>

        DFG: When inlining DataView set* intrinsics we need to set undefined as our result
        https://bugs.webkit.org/show_bug.cgi?id=193644
        <rdar://problem/46209745>

        Reviewed by Yusuke Suzuki.

        * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
        (foo):
        * stress/data-view-set-intrinsic-undefined-result.js: Added.
        (foo):
        (bar):

2019-01-20  Saam Barati  <sbarati@apple.com>

        MovHint must merge NodeBytecodeUsesAsValue for its child
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.

2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-17  Saam barati  <sbarati@apple.com>

        StringObjectUse should not be a structure check for the original string object structure
        https://bugs.webkit.org/show_bug.cgi?id=193483
        <rdar://problem/47280522>

        Reviewed by Yusuke Suzuki.

        * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
        (foo):
        (a.valueOf.0):

2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] ToThis omission in DFGByteCodeParser is wrong
        https://bugs.webkit.org/show_bug.cgi?id=193513
        <rdar://problem/45842236>

        Reviewed by Saam Barati.

        * stress/to-this-omission-with-different-strict-modes.js: Added.
        (thisA):
        (thisAStrictWrapper):

2019-01-15  Mark Lam  <mark.lam@apple.com>

        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
        https://bugs.webkit.org/show_bug.cgi?id=193423
        <rdar://problem/46209355>

        Reviewed by Saam Barati.

        * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
        * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.

2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
        https://bugs.webkit.org/show_bug.cgi?id=193438
        <rdar://problem/45581249>

        Reviewed by Saam Barati and Keith Miller.

        Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
        Then, GetByVal(String) crashed.

        * stress/string-get-by-val-lowering.js: Added.
        (shouldBe):
        (test):
        * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
        (Hello):
        (foo):

2019-01-15  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip JIT tests if it's not enabled

        * stress/bit-op-with-object-returning-int32.js:

2019-01-15  Caio Lima  <ticaiolima@gmail.com>

        DFGByteCodeParser rules for bitwise operations should consider type of their operands
        https://bugs.webkit.org/show_bug.cgi?id=192966

        Reviewed by Yusuke Suzuki.

        * stress/bit-op-with-object-returning-int32.js: Added.

2019-01-15  Guillaume Emont  <guijemont@igalia.com>

        Skip a slow test and a flakey test on arm

        Unreviewed gardening.

        * typeProfiler/getter-richards.js:
        this test always times out, it used to be always skipped on arm and
        mips, but got accidentally enabled by r237919 now that we have DFG on
        arm. Also skipping on mips as we plan to soon enable DFG for it too.

2019-01-14  Keith Miller  <keith_miller@apple.com>

        Skip type-check-hoisting-phase-hoist... with no jit
        https://bugs.webkit.org/show_bug.cgi?id=193421

        Reviewed by Mark Lam.

        It's timing out the 32-bit bots and takes 330 seconds
        on my machine when run by itself.

        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] AI should check the given constant's array type when folding GetByVal into constant
        https://bugs.webkit.org/show_bug.cgi?id=193413
        <rdar://problem/46092389>

        Reviewed by Keith Miller.

        This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
        It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
        without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
        but GetByVal does not have appropriate ArrayModes, JSC crashes.

        * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
        (compareArray):

2019-01-14  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Literal parsing is crashing when used inside a Object Literal
        https://bugs.webkit.org/show_bug.cgi?id=193404

        Reviewed by Yusuke Suzuki.

        * stress/big-int-literal-inside-literal-object.js: Added.

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
        https://bugs.webkit.org/show_bug.cgi?id=193372

        Reviewed by Saam Barati.

        * stress/typed-array-array-modes-profile.js: Added.
        (foo):

2019-01-14  Mark Lam  <mark.lam@apple.com>

        Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
        https://bugs.webkit.org/show_bug.cgi?id=193402
        <rdar://problem/46012309>

        Reviewed by Keith Miller.

        * stress/regexp-compile-oom.js:
        - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
          is enabled.  As a result, it will fail on cloop builds though there is no bug.

2019-01-11  Saam barati  <sbarati@apple.com>

        DFG combined liveness can be wrong for terminal basic blocks
        https://bugs.webkit.org/show_bug.cgi?id=193304
        <rdar://problem/45268632>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.

2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
        https://bugs.webkit.org/show_bug.cgi?id=193308
        <rdar://problem/45546542>

        Reviewed by Saam Barati.

        * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):

2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239825.
        https://bugs.webkit.org/show_bug.cgi?id=193330

        Broke tests on armv7/linux bots (Requested by guijemont on
        #webkit).

        Reverted changeset:

        "Enable DFG on ARM/Linux again"
        https://bugs.webkit.org/show_bug.cgi?id=192496
        https://trac.webkit.org/changeset/239825

2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=193127

        Reviewed by Saam Barati.

        * stress/array-species-create-should-handle-masquerader.js: Added.
        (shouldThrow):
        * stress/is-undefined-or-null-builtin.js: Added.
        (shouldBe):
        (isUndefinedOrNull.vm.createBuiltin):

2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>

        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
        https://bugs.webkit.org/show_bug.cgi?id=193221

        Reviewed by Mark Lam.

        * stress/put-by-id-flags.js: Added.
        (f):
        (g):
        (numberOfDFGCompiles):

2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>

        Baseline version of get_by_id may corrupt metadata
        https://bugs.webkit.org/show_bug.cgi?id=193085
        <rdar://problem/23453006>

        Reviewed by Saam Barati.

        * stress/get-by-id-change-mode.js: Added.
        (forEach):

2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.prototype.toString
        https://bugs.webkit.org/show_bug.cgi?id=193031

        Reviewed by Saam Barati.

        * stress/object-tostring-changed-proto.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-misc.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/object-tostring-other.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-untyped.js: Added.
        (shouldBe):
        (test):
        (i.switch):

2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>

        test262-runner misbehaves when test file YAML has a trailing space
        https://bugs.webkit.org/show_bug.cgi?id=193053

        Reviewed by Yusuke Suzuki.

        * test262/expectations.yaml:
        Mark two dozen tests as passing (and correct the output of another).

2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, JSTests gardening with memoryLimited

        * stress/string-overflow-createError.js:

2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
        https://bugs.webkit.org/show_bug.cgi?id=193050

        Reviewed by Yusuke Suzuki.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 16 tests as passing.

2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Support BigInt in JSON.stringify
        https://bugs.webkit.org/show_bug.cgi?id=192624

        Reviewed by Saam Barati.

        * stress/big-int-json-stringify-to-json.js: Added.
        (shouldBe):
        (shouldThrow):
        (BigInt.prototype.toJSON):
        (shouldBe.JSON.stringify):
        * stress/big-int-json-stringify.js: Added.
        (shouldBe):
        (shouldThrow):

2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Implement "well-formed JSON.stringify" proposal
        https://bugs.webkit.org/show_bug.cgi?id=191677

        Reviewed by Darin Adler.

        * stress/json-surrogate-pair.js: Added.
        (shouldBe):
        * test262/expectations.yaml:

2018-12-20  Keith Miller  <keith_miller@apple.com>

        Add support for globalThis
        https://bugs.webkit.org/show_bug.cgi?id=165171

        Reviewed by Mark Lam.

        * test262/config.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 configuration to not run tests dependent on ICU version.
        https://bugs.webkit.org/show_bug.cgi?id=192920

        Reviewed by Saam Barati.

        * test262/expectations.yaml:

2018-12-20  Mark Lam  <mark.lam@apple.com>

        Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
        https://bugs.webkit.org/show_bug.cgi?id=192939
        <rdar://problem/46869516>

        Reviewed by Keith Miller.

        * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.

2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>

        WTF::String and StringImpl overflow MaxLength
        https://bugs.webkit.org/show_bug.cgi?id=192853
        <rdar://problem/45726906>

        Reviewed by Mark Lam.

        * stress/string-16bit-repeat-overflow.js: Added.
        (catch):

2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed follow-up to r192914.

        * test262/expectations.yaml:
        Add the last 20 missing expectations.

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Fix test262 expectations
        https://bugs.webkit.org/show_bug.cgi?id=192914

        Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.

        * test262/expectations.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 tests.
        https://bugs.webkit.org/show_bug.cgi?id=192907

        Rubber stamped by Mark Lam.

        * test262/*: Omitted because prepare-changelog crashes.

2018-12-19  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
        https://bugs.webkit.org/show_bug.cgi?id=192464
        <rdar://problem/46519455>

        Reviewed by Saam Barati.

        This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
        microbenchmark.

        * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
        * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.

2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>

        String overflow in JSC::createError results in ASSERT in WTF::makeString
        https://bugs.webkit.org/show_bug.cgi?id=192833
        <rdar://problem/45706868>

        Reviewed by Mark Lam.

        * stress/string-overflow-createError.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Error message for `-x ** y` contains a typo.
        https://bugs.webkit.org/show_bug.cgi?id=192832

        Reviewed by Saam Barati.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * stress/pow-expects-update-expression-on-lhs.js:
        (throw.new.Error):
        Update test expectations which match against the exact error message.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Gardening: test options fix.
        https://bugs.webkit.org/show_bug.cgi?id=192822

        Unreviewed.

        * stress/json-stringify-string-builder-overflow.js:

2018-12-18  Mark Lam  <mark.lam@apple.com>

        JSON.stringify() should throw OOM on StringBuilder overflows.
        https://bugs.webkit.org/show_bug.cgi?id=192822
        <rdar://problem/46670577>

        Reviewed by Saam Barati.

        * stress/json-stringify-string-builder-overflow.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Redeclaration of var over let/const/class should be a syntax error.
        https://bugs.webkit.org/show_bug.cgi?id=192298

        Reviewed by Keith Miller.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 46 tests as passing.

        * stress/block-scope-redeclarations.js:
        Add some new tests.

        * stress/for-in-invalidate-context-weird-assignments.js:
        * stress/for-in-tests.js:
        Replace tests for outdated behavior with tests for SyntaxError.

        * ChakraCore/test/LetConst/defer3.baseline-jsc:
        * ChakraCore/test/LetConst/letvar.baseline-jsc:
        Update expectations.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191374
        <rdar://problem/46525447>

        Reviewed by Yusuke Suzuki.

        This test runs too slow on 32-bit, and is not relevant for non-JIT builds.

        * stress/elidable-new-object-roflcopter-then-exit.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=192019
        <rdar://problem/46525456>

        Reviewed by Yusuke Suzuki.

        The test runs too slow on 32-bit.

        * stress/materialized-regexp-has-correct-last-index-set-by-match.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191373
        <rdar://problem/46525458>

        Reviewed by Yusuke Suzuki.

        The test is already slow running with a JIT on 64-bit.  It will always timeout
        on 32-bit without a JIT.

        * stress/materialize-regexp-cyclic-regexp.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Array unshift/shift should not race against the AI in the compiler thread.
        https://bugs.webkit.org/show_bug.cgi?id=192795
        <rdar://problem/46724263>

        Reviewed by Saam Barati.

        * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.

2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Saam Barati.

        * stress/object-keys-cached-zero.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-attribute.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-index.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-indexed-non-cache.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-overrides-get-property-names.js: Added.
        (shouldBe):
        (test):
        (noInline):

2018-12-17  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
        https://bugs.webkit.org/show_bug.cgi?id=192779
        <rdar://problem/46775869>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.

2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed test gardening, address a syntax error in a new test.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
        https://bugs.webkit.org/show_bug.cgi?id=192776
        <rdar://problem/46772368>

        Reviewed by Keith Miller.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
        https://bugs.webkit.org/show_bug.cgi?id=192770
        <rdar://problem/46449037>

        Reviewed by Keith Miller.

        * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.

2018-12-14  Mark Lam  <mark.lam@apple.com>

        CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
        https://bugs.webkit.org/show_bug.cgi?id=192717
        <rdar://problem/46660677>

        Reviewed by Saam Barati.

        * stress/regress-192717.js: Added.

883 2018-12-14  Commit Queue  <commit-queue@webkit.org>
884
885         Unreviewed, rolling out r239153, r239154, and r239155.
886         https://bugs.webkit.org/show_bug.cgi?id=192715
887
888         Caused flaky GC-related crashes seen with layout tests
889         (Requested by ryanhaddad on #webkit).
890
891         Reverted changesets:
892
893         "[JSC] Optimize Object.keys by caching own keys results in
894         StructureRareData"
895         https://bugs.webkit.org/show_bug.cgi?id=190047
896         https://trac.webkit.org/changeset/239153
897
898         "Unreviewed, build fix after r239153"
899         https://bugs.webkit.org/show_bug.cgi?id=190047
900         https://trac.webkit.org/changeset/239154
901
902         "Unreviewed, build fix after r239153, part 2"
903         https://bugs.webkit.org/show_bug.cgi?id=190047
904         https://trac.webkit.org/changeset/239155
905
906 2018-12-14  Keith Miller  <keith_miller@apple.com>
907
908         Callers of JSString::getIndex should check for OOM exceptions
909         https://bugs.webkit.org/show_bug.cgi?id=192709
910
911         Reviewed by Mark Lam.
912
913         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
914
915 2018-12-13  Mark Lam  <mark.lam@apple.com>
916
917         Add a missing exception check.
918         https://bugs.webkit.org/show_bug.cgi?id=192626
919         <rdar://problem/46662163>
920
921         Reviewed by Keith Miller.
922
923         * stress/regress-192626.js: Added.
924
925 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
926
927         [BigInt] Add ValueDiv into DFG
928         https://bugs.webkit.org/show_bug.cgi?id=186178
929
930         Reviewed by Yusuke Suzuki.
931
932         * stress/big-int-div-jit-osr.js: Added.
933         * stress/big-int-div-jit-untyped.js: Added.
934         * stress/value-div-fixup-int32-big-int.js: Added.
935
936 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
937
938         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
939         https://bugs.webkit.org/show_bug.cgi?id=190047
940
941         Reviewed by Keith Miller.
942
943         * stress/object-keys-cached-zero.js: Added.
944         (shouldBe):
945         (test):
946         * stress/object-keys-changed-attribute.js: Added.
947         (shouldBe):
948         (test):
949         * stress/object-keys-changed-index.js: Added.
950         (shouldBe):
951         (test):
952         * stress/object-keys-changed.js: Added.
953         (shouldBe):
954         (test):
955         * stress/object-keys-indexed-non-cache.js: Added.
956         (shouldBe):
957         (test):
958         * stress/object-keys-overrides-get-property-names.js: Added.
959         (shouldBe):
960         (test):
961         (noInline):
962
963 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
964
965         [DFG][FTL] Add NewSymbol
966         https://bugs.webkit.org/show_bug.cgi?id=192620
967
968         Reviewed by Saam Barati.
969
970         * microbenchmarks/symbol-creation.js: Added.
971         (test):
972         * stress/symbol-description-identity.js: Added.
973         (shouldBe):
974         (test):
975         * stress/symbol-identity.js: Added.
976         (shouldBe):
977         (test):
978         * stress/symbol-with-description-throw-error.js: Added.
979         (shouldBe):
980         (shouldThrow):
981         (test):
982         (object.toString):
983
984 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
985
986         [BigInt] Implement DFG/FTL typeof for BigInt
987         https://bugs.webkit.org/show_bug.cgi?id=192619
988
989         Reviewed by Keith Miller.
990
991         * stress/big-int-boolean-proven-type.js: Added.
992         (assert):
993         (bool):
994         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
995         (assert):
996         (typeOf):
997         (i.switch):
998         * stress/big-int-type-of-proven-type-non-constant.js: Added.
999         (assert):
1000         (typeOf):
1001         * stress/big-int-type-of.js:
1002         (typeOf):
1003         (func):
1004
1005 2018-12-10  Mark Lam  <mark.lam@apple.com>
1006
1007         PropertyAttribute needs a CustomValue bit.
1008         https://bugs.webkit.org/show_bug.cgi?id=191993
1009         <rdar://problem/46264467>
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/regress-191993.js: Added.
1014
1015 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1016
1017         [BigInt] Add ValueMul into DFG
1018         https://bugs.webkit.org/show_bug.cgi?id=186175
1019
1020         Reviewed by Yusuke Suzuki.
1021
1022         * stress/big-int-mul-jit-osr.js: Added.
1023         * stress/big-int-mul-jit-untyped.js: Added.
1024         * stress/value-mul-fixup-int32-big-int.js: Added.
1025
1026 2018-12-06  Keith Miller  <keith_miller@apple.com>
1027
1028         stress/big-wasm-memory tests failing on 32-bit JSC bot
1029         https://bugs.webkit.org/show_bug.cgi?id=192020
1030
1031         Reviewed by Saam Barati.
1032
1033         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1034         the wasm stress tests if the WebAssembly object does not exist.
1035
1036         * stress/big-wasm-memory-grow-no-max.js:
1037         (test.foo):
1038         (test):
1039         (foo): Deleted.
1040         (catch): Deleted.
1041         * stress/big-wasm-memory-grow.js:
1042         (test.foo):
1043         (test):
1044         (foo): Deleted.
1045         (catch): Deleted.
1046         * stress/big-wasm-memory.js:
1047         (test.foo):
1048         (test):
1049         (foo): Deleted.
1050         (catch): Deleted.
1051
1052 2018-12-05  Mark Lam  <mark.lam@apple.com>
1053
1054         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1055         https://bugs.webkit.org/show_bug.cgi?id=192441
1056         <rdar://problem/46480355>
1057
1058         Reviewed by Saam Barati.
1059
1060         * stress/regress-192441.js: Added.
1061
1062 2018-12-04  Mark Lam  <mark.lam@apple.com>
1063
1064         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1065         https://bugs.webkit.org/show_bug.cgi?id=192386
1066         <rdar://problem/46445516>
1067
1068         Reviewed by Saam Barati.
1069
1070         * stress/regress-192386.js: Added.
1071
1072 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1073
1074         [ESNext][BigInt] Support logic operations
1075         https://bugs.webkit.org/show_bug.cgi?id=179903
1076
1077         Reviewed by Yusuke Suzuki.
1078
1079         * stress/big-int-branch-usage.js: Added.
1080         * stress/big-int-logical-and.js: Added.
1081         * stress/big-int-logical-not.js: Added.
1082         * stress/big-int-logical-or.js: Added.
1083
1084 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1085
1086         Unreviewed, rolling out r238833.
1087
1088         Breaks macOS and iOS debug builds.
1089
1090         Reverted changeset:
1091
1092         "[ESNext][BigInt] Support logic operations"
1093         https://bugs.webkit.org/show_bug.cgi?id=179903
1094         https://trac.webkit.org/changeset/238833
1095
1096 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1097
1098         [ESNext][BigInt] Support logic operations
1099         https://bugs.webkit.org/show_bug.cgi?id=179903
1100
1101         Reviewed by Yusuke Suzuki.
1102
1103         * stress/big-int-branch-usage.js: Added.
1104         * stress/big-int-logical-and.js: Added.
1105         * stress/big-int-logical-not.js: Added.
1106         * stress/big-int-logical-or.js: Added.
1107
1108 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1109
1110         [ESNext][BigInt] Implement support for "<<" and ">>"
1111         https://bugs.webkit.org/show_bug.cgi?id=186233
1112
1113         Reviewed by Yusuke Suzuki.
1114
1115         * stress/big-int-left-shift-general.js: Added.
1116         * stress/big-int-left-shift-range-error.js: Added.
1117         * stress/big-int-left-shift-type-error.js: Added.
1118         * stress/big-int-left-shift-wrapped-value.js: Added.
1119         * stress/big-int-right-shift-general.js: Added.
1120         * stress/big-int-right-shift-type-error.js: Added.
1121         * stress/big-int-right-shift-wrapped-value.js: Added.
1122         * stress/left-shift-to-primitive-precedence.js: Added.
1123         * stress/right-shift-to-primitive-precedence.js: Added.
1124
1125 2018-11-30  Dean Jackson  <dino@apple.com>
1126
1127         Add first-class support for .mjs files in jsc binary
1128         https://bugs.webkit.org/show_bug.cgi?id=192190
1129         <rdar://problem/46375715>
1130
1131         Reviewed by Keith Miller.
1132
1133         * stress/simple-module.mjs: Added.
1134         * stress/simple-script.js: Added.
1135
1136 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1137
1138         [BigInt] Implement ValueBitXor into DFG
1139         https://bugs.webkit.org/show_bug.cgi?id=190264
1140
1141         Reviewed by Yusuke Suzuki.
1142
1143         * stress/big-int-bitwise-xor-jit.js: Added.
1144         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1145         * stress/big-int-bitwise-xor-untyped.js: Added.
1146
1147 2018-11-27  Saam barati  <sbarati@apple.com>
1148
1149         r238510 broke scopes of size zero
1150         https://bugs.webkit.org/show_bug.cgi?id=192033
1151         <rdar://problem/46281734>
1152
1153         Reviewed by Keith Miller.
1154
1155         * stress/r238510-bad-loop.js: Added.
1156         (foo):
1157
1158 2018-11-27  Mark Lam  <mark.lam@apple.com>
1159
1160         [Re-landing] NaNs read from Wasm code needs to be purified.
1161         https://bugs.webkit.org/show_bug.cgi?id=191056
1162         <rdar://problem/45660341>
1163
1164         Reviewed by Filip Pizlo.
1165
1166         * wasm/regress/regress-191056.js: Added.
1167
1168 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1169
1170         Unreviewed, rolling out r238509.
1171
1172         Causes JSC tests to fail on iOS.
1173
1174         Reverted changeset:
1175
1176         "NaNs read from Wasm code needs to be purified."
1177         https://bugs.webkit.org/show_bug.cgi?id=191056
1178         https://trac.webkit.org/changeset/238509
1179
1180 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1181
1182         Re-introduce op_bitnot
1183         https://bugs.webkit.org/show_bug.cgi?id=190923
1184
1185         Reviewed by Yusuke Suzuki.
1186
1187         * stress/bit-not-must-generate.js: Added.
1188         * stress/bitwise-not-no-int32.js: Added.
1189
1190 2018-11-26  Saam barati  <sbarati@apple.com>
1191
1192         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1193         https://bugs.webkit.org/show_bug.cgi?id=191956
1194         <rdar://problem/45665806>
1195
1196         Reviewed by Yusuke Suzuki.
1197
1198         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1199         (bar):
1200         (foo):
1201
1202 2018-11-26  Saam barati  <sbarati@apple.com>
1203
1204         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1205         https://bugs.webkit.org/show_bug.cgi?id=191958
1206         <rdar://problem/46221877>
1207
1208         Reviewed by Yusuke Suzuki.
1209
1210         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1211         (x):
1212         (foo):
1213
1214 2018-11-26  Mark Lam  <mark.lam@apple.com>
1215
1216         NaNs read from Wasm code needs to be purified.
1217         https://bugs.webkit.org/show_bug.cgi?id=191056
1218         <rdar://problem/45660341>
1219
1220         Reviewed by Filip Pizlo.
1221
1222         * wasm/regress/regress-191056.js: Added.
1223
1224 2018-11-26  Michael Saboff  <msaboff@apple.com>
1225
1226         32-bit JSC test failure: stress/regexp-compile-oom.js
1227         https://bugs.webkit.org/show_bug.cgi?id=191375
1228
1229         Reviewed by Mark Lam.
1230
1231         Disabled the test for 32 bit platforms.
1232
1233         * stress/regexp-compile-oom.js:
1234
1235 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1236
1237         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1238         https://bugs.webkit.org/show_bug.cgi?id=191716
1239         <rdar://problem/45723878>
1240
1241         Reviewed by Saam Barati.
1242
1243         * stress/regress-187373.js: Added.
1244         (async.fn):
1245
1246 2018-11-21  Saam barati  <sbarati@apple.com>
1247
1248         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1249         https://bugs.webkit.org/show_bug.cgi?id=191897
1250         <rdar://problem/45871998>
1251
1252         Reviewed by Mark Lam.
1253
1254         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1255         (bar):
1256         (foo):
1257
1258 2018-11-21  Saam barati  <sbarati@apple.com>
1259
1260         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1261         https://bugs.webkit.org/show_bug.cgi?id=191895
1262         <rdar://problem/46167406>
1263
1264         Reviewed by Mark Lam.
1265
1266         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1267         (foo):
1268         (bar):
1269
1270 2018-11-21  Mark Lam  <mark.lam@apple.com>
1271
1272         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1273         https://bugs.webkit.org/show_bug.cgi?id=191776
1274         <rdar://problem/46152851>
1275
1276         Reviewed by Saam Barati.
1277
1278         * stress/big-wasm-memory-grow-no-max.js:
1279         * stress/big-wasm-memory-grow.js:
1280         * stress/big-wasm-memory.js:
1281         - updated these to expect an OutOfMemoryError.
1282
1283         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1284         (Binary.prototype.emit_u8):
1285         (Binary.prototype.emit_u32v):
1286         (Binary.prototype.emit_header):
1287         (Binary.prototype.emit_section):
1288         (Binary):
1289         (WasmModuleBuilder):
1290         (WasmModuleBuilder.prototype.addMemory):
1291         (WasmModuleBuilder.prototype.toArray):
1292         (WasmModuleBuilder.prototype.toBuffer):
1293         (WasmModuleBuilder.prototype.instantiate):
1294         (catch):
1295         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1296         (catch):
1297
1298 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1299
1300         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1301         https://bugs.webkit.org/show_bug.cgi?id=190836
1302
1303         Reviewed by Saam Barati and Yusuke Suzuki.
1304
1305         * stress/big-int-out-of-memory-tests.js: Added.
1306
1307 2018-11-20  Mark Lam  <mark.lam@apple.com>
1308
1309         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1310         https://bugs.webkit.org/show_bug.cgi?id=191856
1311         <rdar://problem/46089992>
1312
1313         Reviewed by Yusuke Suzuki.
1314
1315         * stress/regress-191856.js: Added.
1316         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1317
1318 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1319
1320         Enable JIT on ARM/Linux
1321         https://bugs.webkit.org/show_bug.cgi?id=191548
1322
1323         Reviewed by Yusuke Suzuki.
1324
1325         Disable test on system with limited memory. Program was killed by
1326         the OS before the exception was thrown.
1327
1328         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1329
1330 2018-11-20  Saam barati  <sbarati@apple.com>
1331
1332         Merging an IC variant may lead to the IC status containing overlapping structure sets
1333         https://bugs.webkit.org/show_bug.cgi?id=191869
1334         <rdar://problem/45403453>
1335
1336         Reviewed by Mark Lam.
1337
1338         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1339
1340 2018-11-19  Mark Lam  <mark.lam@apple.com>
1341
1342         globalFuncImportModule() should return a promise when it clears exceptions.
1343         https://bugs.webkit.org/show_bug.cgi?id=191792
1344         <rdar://problem/46090763>
1345
1346         Reviewed by Michael Saboff.
1347
1348         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1349
1350 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1351
1352         Skip new memory-hungry tests on memory limited devices
1353
1354         Unreviewed gardening.
1355
1356         * stress/big-wasm-memory-grow-no-max.js:
1357         * stress/big-wasm-memory-grow.js:
1358         * stress/big-wasm-memory.js:
1359
1360 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1361
1362         Unreviewed, rolling in the rest of r237254
1363         https://bugs.webkit.org/show_bug.cgi?id=190340
1364
1365         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1366         * stress/function-cache-with-parameters-end-position.js: Added.
1367         (shouldBe):
1368         (shouldThrow):
1369         (i.anonymous):
1370         * stress/function-constructor-name.js: Added.
1371         (shouldBe):
1372         (GeneratorFunction):
1373         (AsyncFunction.async):
1374         (AsyncGeneratorFunction.async):
1375         (anonymous):
1376         (async.anonymous):
1377         * test262/expectations.yaml:
1378
1379 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1380
1381         All users of ArrayBuffer should agree on the same max size
1382         https://bugs.webkit.org/show_bug.cgi?id=191771
1383
1384         Reviewed by Mark Lam.
1385
1386         * stress/big-wasm-memory-grow-no-max.js: Added.
1387         (foo):
1388         (catch):
1389         * stress/big-wasm-memory-grow.js: Added.
1390         (foo):
1391         (catch):
1392         * stress/big-wasm-memory.js: Added.
1393         (foo):
1394         (catch):
1395
1396 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1397
1398         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1399         run for each JSC config since they're regression tests for runtime bugs.
1400
1401         * stress/json-stringified-overflow-2.js:
1402         * stress/json-stringified-overflow.js:
1403
1404 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1405
1406         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1407         config since they're regression tests for runtime bugs.
1408
1409         * stress/large-unshift-splice.js:
1410         * stress/regress-185888.js:
1411
1412 2018-11-16  Saam Barati  <sbarati@apple.com>
1413
1414         KnownCellUse should also have SpecCellCheck as its type filter
1415         https://bugs.webkit.org/show_bug.cgi?id=191729
1416         <rdar://problem/45872852>
1417
1418         Reviewed by Filip Pizlo.
1419
1420         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1421         (C):
1422
1423 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1424
1425         Fix assertion failure on BytecodeGenerator::recordOpcode
1426         https://bugs.webkit.org/show_bug.cgi?id=191724
1427         <rdar://problem/45724395>
1428
1429         Reviewed by Saam Barati.
1430
1431         * stress/regress-187373-2.js: Added.
1432         (foo):
1433
1434 2018-11-15  Mark Lam  <mark.lam@apple.com>
1435
1436         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1437         https://bugs.webkit.org/show_bug.cgi?id=191730
1438         <rdar://problem/46048517>
1439
1440         Reviewed by Saam Barati.
1441
1442         * stress/regress-187006.js: Removed.
1443           - this test is invalid because its sole purpose is to test for the non-spec
1444             compliant behavior that we just fixed.
1445
1446         * stress/regress-191730.js: Added.
1447
1448 2018-11-15  Mark Lam  <mark.lam@apple.com>
1449
1450         RegExp operations should not take fast path if lastIndex is not numeric.
1451         https://bugs.webkit.org/show_bug.cgi?id=191731
1452         <rdar://problem/46017305>
1453
1454         Reviewed by Saam Barati.
1455
1456         * stress/regress-191731.js: Added.
1457
1458 2018-11-13  Saam Barati  <sbarati@apple.com>
1459
1460         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1461         https://bugs.webkit.org/show_bug.cgi?id=191600
1462
1463         Reviewed by Mark Lam.
1464
1465         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1466         (foo):
1467         (test):
1468         (bar):
1469
1470 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1471
1472         Unreviewed, rolling out r238132.
1473
1474         The test added with this change is timing out on Debug JSC
1475         bots.
1476
1477         Reverted changeset:
1478
1479         "[BigInt] JSBigInt::createWithLength should throw when length
1480         is greater than JSBigInt::maxLength"
1481         https://bugs.webkit.org/show_bug.cgi?id=190836
1482         https://trac.webkit.org/changeset/238132
1483
1484 2018-11-13  Mark Lam  <mark.lam@apple.com>
1485
1486         Add OOM detection to StringPrototype's substituteBackreferences().
1487         https://bugs.webkit.org/show_bug.cgi?id=191563
1488         <rdar://problem/45720428>
1489
1490         Reviewed by Saam Barati.
1491
1492         * stress/regress-191563.js: Added.
1493
1494 2018-11-13  Mark Lam  <mark.lam@apple.com>
1495
1496         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1497         https://bugs.webkit.org/show_bug.cgi?id=191579
1498         <rdar://problem/45942472>
1499
1500         Reviewed by Saam Barati.
1501
1502         * stress/regress-191579.js: Added.
1503
1504 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1505
1506         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1507         https://bugs.webkit.org/show_bug.cgi?id=190836
1508
1509         Reviewed by Saam Barati.
1510
1511         * stress/big-int-out-of-memory-tests.js: Added.
1512
1513 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1514
1515         U+180E is no longer a whitespace character
1516         https://bugs.webkit.org/show_bug.cgi?id=191415
1517
1518         Reviewed by Saam Barati.
1519
1520         * ChakraCore/test/es5/regexSpace.baseline:
1521         * ChakraCore/test/es6/unicode_whitespace.js:
1522         Update tests to latest version.
1523         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1524
1525         * test262.yaml:
1526         * test262/config.yaml:
1527         * test262/expectations.yaml:
1528         Update expectations.
1529
1530 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1531
1532         [BigInt] Add support to BigInt into ValueAdd
1533         https://bugs.webkit.org/show_bug.cgi?id=186177
1534
1535         Reviewed by Keith Miller.
1536
1537         * stress/big-int-negate-jit.js:
1538         * stress/value-add-big-int-and-string.js: Added.
1539         * stress/value-add-big-int-prediction-propagation.js: Added.
1540         * stress/value-add-big-int-untyped.js: Added.
1541
1542 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1543
1544         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1545         https://bugs.webkit.org/show_bug.cgi?id=191184
1546
1547         Reviewed by Saam Barati.
1548
1549         Most tests were failing due to timeouts, since they are too slow to
1550         run on CLoop. The exceptions are:
1551
1552         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1553         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1554         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1555         to change the stack size since CLoop requires it to be page aligned.
1556
1557         * microbenchmarks/array-push-1.js:
1558         * microbenchmarks/array-push-2.js:
1559         * microbenchmarks/elidable-new-object-dag.js:
1560         * microbenchmarks/elidable-new-object-roflcopter.js:
1561         * microbenchmarks/elidable-new-object-tree.js:
1562         * microbenchmarks/getter-richards.js:
1563         * microbenchmarks/sinkable-new-object-dag.js:
1564         * microbenchmarks/string-concat-long-convert.js:
1565         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1566         * slowMicrobenchmarks/array-push-3.js:
1567         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1568         * slowMicrobenchmarks/spread-small-array.js:
1569         * slowMicrobenchmarks/undefined-property-access.js:
1570         * stress/activation-sink-default-value-tdz-error.js:
1571         * stress/activation-sink-default-value.js:
1572         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1573         * stress/activation-sink-osrexit-default-value.js:
1574         * stress/activation-sink-osrexit.js:
1575         * stress/activation-sink.js:
1576         * stress/allow-math-ic-b3-code-duplication.js:
1577         * stress/array-push-multiple-int32.js:
1578         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1579         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1580         * stress/arrowfunction-lexical-this-activation-sink.js:
1581         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1582         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1583         * stress/elide-new-object-dag-then-exit.js:
1584         * stress/materialize-regexp-cyclic.js:
1585         * stress/new-regex-inline.js:
1586         * stress/op_add.js:
1587         * stress/op_bitand.js:
1588         * stress/op_bitor.js:
1589         * stress/op_bitxor.js:
1590         * stress/op_div-ConstVar.js:
1591         * stress/op_div-VarConst.js:
1592         * stress/op_div-VarVar.js:
1593         * stress/op_lshift-ConstVar.js:
1594         * stress/op_lshift-VarConst.js:
1595         * stress/op_lshift-VarVar.js:
1596         * stress/op_mod-ConstVar.js:
1597         * stress/op_mod-VarConst.js:
1598         * stress/op_mod-VarVar.js:
1599         * stress/op_mul-ConstVar.js:
1600         * stress/op_mul-VarConst.js:
1601         * stress/op_mul-VarVar.js:
1602         * stress/op_rshift-ConstVar.js:
1603         * stress/op_rshift-VarConst.js:
1604         * stress/op_rshift-VarVar.js:
1605         * stress/op_sub-ConstVar.js:
1606         * stress/op_sub-VarConst.js:
1607         * stress/op_sub-VarVar.js:
1608         * stress/op_urshift-ConstVar.js:
1609         * stress/op_urshift-VarConst.js:
1610         * stress/op_urshift-VarVar.js:
1611         * stress/proxy-get-set-correct-receiver.js:
1612         * stress/regress-179562.js:
1613         * stress/rest-parameter-many-arguments.js:
1614         * stress/sampling-profiler-richards.js:
1615         * stress/splay-flash-access-1ms.js:
1616         * stress/tailCallForwardArguments.js:
1617         * stress/typed-array-get-by-val-profiling.js:
1618         * typeProfiler/getter-richards.js:
1619
1620 2018-11-06  Michael Saboff  <msaboff@apple.com>
1621
1622         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1623         https://bugs.webkit.org/show_bug.cgi?id=191271
1624
1625         Reviewed by Saam Barati.
1626
1627         Added more test cases and made all test cases run with the same deeply recursive stack
1628         instead of finding that same point for each test case.
1629
1630         * stress/regexp-compile-oom.js:
1631         (prototype.runTest):
1632         (recurseAndTest):
1633         (testList.push.new.TestAndExpectedException):
1634
1635 2018-11-05  Michael Saboff  <msaboff@apple.com>
1636
1637         Unreviewed build fix for linux.
1638
1639         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1640
1641 2018-11-02  Michael Saboff  <msaboff@apple.com>
1642
1643         Rolling in r237753 with unreviewed build fix.
1644
1645         Fixed issues with DECLARE_THROW_SCOPE placement.
1646
1647 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1648
1649         Unreviewed, rolling out r237753.
1650
1651         Introduced JSC test failures
1652
1653         Reverted changeset:
1654
1655         "Running out of stack space not properly handled in
1656         RegExp::compile() and its callers"
1657         https://bugs.webkit.org/show_bug.cgi?id=191206
1658         https://trac.webkit.org/changeset/237753
1659
1660 2018-11-02  Michael Saboff  <msaboff@apple.com>
1661
1662         Running out of stack space not properly handled in RegExp::compile() and its callers
1663         https://bugs.webkit.org/show_bug.cgi?id=191206
1664
1665         Reviewed by Filip Pizlo.
1666
1667         New regression test.
1668
1669         * stress/regexp-compile-oom.js: Added.
1670         (recurseAndTest):
1671
1672 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1673
1674         Skip tests on arm/mips that time out now we're running on CLoop
1675
1676         Unreviewed gardening.
1677
1678         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1679         time out on the bots and need to be disabled. There's more tests
1680         disabled on arm because the timeout is longer on the mips bot (as the
1681         device is slower to start with), so many of the tests don't time out
1682         there.
1683
1684         * microbenchmarks/getter-richards.js: disable on arm and mips.
1685         * stress/op_add.js: disable on arm.
1686         * stress/op_bitand.js: disable on arm.
1687         * stress/op_bitor.js: disable on arm.
1688         * stress/op_bitxor.js: disable on arm.
1689         * stress/op_lshift-ConstVar.js: disable on arm.
1690         * stress/op_lshift-VarConst.js: disable on arm.
1691         * stress/op_lshift-VarVar.js: disable on arm.
1692         * stress/op_mod-ConstVar.js: disable on arm.
1693         * stress/op_mod-VarConst.js: disable on arm.
1694         * stress/op_mod-VarVar.js: disable on arm.
1695         * stress/op_mul-ConstVar.js: disable on arm.
1696         * stress/op_mul-VarConst.js: disable on arm.
1697         * stress/op_mul-VarVar.js: disable on arm.
1698         * stress/op_rshift-ConstVar.js: disable on arm.
1699         * stress/op_rshift-VarConst.js: disable on arm.
1700         * stress/op_rshift-VarVar.js: disable on arm.
1701         * stress/op_sub-ConstVar.js: disable on arm.
1702         * stress/op_sub-VarConst.js: disable on arm.
1703         * stress/op_sub-VarVar.js: disable on arm.
1704         * stress/op_urshift-ConstVar.js: disable on arm.
1705         * stress/op_urshift-VarConst.js: disable on arm.
1706         * stress/op_urshift-VarVar.js: disable on arm.
1707         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1708         * stress/value-to-boolean.js: disable on arm and mips.
1709
1710 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1711
1712         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1713         https://bugs.webkit.org/show_bug.cgi?id=191108
1714         <rdar://problem/45690700>
1715
1716         Reviewed by Saam Barati.
1717
1718         * stress/wide-op_catch.js: Added.
1719         (catch):
1720
1721 2018-10-29  Mark Lam  <mark.lam@apple.com>
1722
1723         Correctly detect string overflow when using the 'Function' constructor.
1724         https://bugs.webkit.org/show_bug.cgi?id=184883
1725         <rdar://problem/36320331>
1726
1727         Reviewed by Saam Barati.
1728
1729         I've verified that this passes on 32-bit as well.
1730
1731         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1732
1733 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1734
1735         Add support for GetStack FlushedDouble
1736         https://bugs.webkit.org/show_bug.cgi?id=191012
1737         <rdar://problem/45265141>
1738
1739         Reviewed by Saam Barati.
1740
1741         * stress/get-stack-double.js: Added.
1742         (bar):
1743         (noInline):
1744
1745 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1746
1747         New bytecode format for JSC
1748         https://bugs.webkit.org/show_bug.cgi?id=187373
1749         <rdar://problem/44186758>
1750
1751         Reviewed by Filip Pizlo.
1752
1753         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1754
1755         * stress/maximum-inline-capacity.js: Added.
1756         (test1):
1757         (test3.Foo):
1758         (test3):
1759
1760 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1761
1762         Unreviewed, rolling out r237479 and r237484.
1763         https://bugs.webkit.org/show_bug.cgi?id=190978
1764
1765         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1766
1767         Reverted changesets:
1768
1769         "New bytecode format for JSC"
1770         https://bugs.webkit.org/show_bug.cgi?id=187373
1771         https://trac.webkit.org/changeset/237479
1772
1773         "Gardening: Build fix after r237479."
1774         https://bugs.webkit.org/show_bug.cgi?id=187373
1775         https://trac.webkit.org/changeset/237484
1776
1777 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1778
1779         New bytecode format for JSC
1780         https://bugs.webkit.org/show_bug.cgi?id=187373
1781         <rdar://problem/44186758>
1782
1783         Reviewed by Filip Pizlo.
1784
1785         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1786
1787         * stress/maximum-inline-capacity.js: Added.
1788         (test1):
1789         (test3.Foo):
1790         (test3):
1791
1792 2018-10-26  Mark Lam  <mark.lam@apple.com>
1793
1794         Fix missing edge cases with JSGlobalObjects having a bad time.
1795         https://bugs.webkit.org/show_bug.cgi?id=189028
1796         <rdar://problem/45204939>
1797
1798         Reviewed by Saam Barati.
1799
1800         * stress/regress-189028.js: Added.
1801
1802 2018-10-22  Mark Lam  <mark.lam@apple.com>
1803
1804         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1805         https://bugs.webkit.org/show_bug.cgi?id=190515
1806         <rdar://problem/45222379>
1807
1808         Rubber-stamped by Saam Barati.
1809
1810         Adding another test.
1811
1812         * stress/regress-190515-2.js: Added.
1813
1814 2018-10-22  Mark Lam  <mark.lam@apple.com>
1815
1816         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1817         https://bugs.webkit.org/show_bug.cgi?id=190515
1818         <rdar://problem/45222379>
1819
1820         Reviewed by Saam Barati.
1821
1822         * stress/regress-190515.js: Added.
1823
1824 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1825
1826         Unreviewed, rolling out r237254.
1827         https://bugs.webkit.org/show_bug.cgi?id=190760
1828
1829         "It regresses JetStream 2 by 5% on some iOS devices"
1830         (Requested by saamyjoon on #webkit).
1831
1832         Reverted changeset:
1833
1834         "[JSC] JSC should have "parseFunction" to optimize Function
1835         constructor"
1836         https://bugs.webkit.org/show_bug.cgi?id=190340
1837         https://trac.webkit.org/changeset/237254
1838
1839 2018-10-19  Saam Barati  <sbarati@apple.com>
1840
1841         vmCall should check if we exit before emitting an OSR exit due to exceptions
1842         https://bugs.webkit.org/show_bug.cgi?id=190740
1843         <rdar://problem/45220139>
1844
1845         Reviewed by Mark Lam.
1846
1847         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1848         (foo):
1849
1850 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1851
1852         [ESNext][BigInt] Implement support for "^"
1853         https://bugs.webkit.org/show_bug.cgi?id=186235
1854
1855         Reviewed by Yusuke Suzuki.
1856
1857         * stress/big-int-bitwise-xor-general.js: Added.
1858         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1859         * stress/big-int-bitwise-xor-type-error.js: Added.
1860         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1861
1862 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1863
1864         [BigInt] Add ValueSub into DFG
1865         https://bugs.webkit.org/show_bug.cgi?id=186176
1866
1867         Reviewed by Yusuke Suzuki.
1868
1869         * stress/big-int-subtraction-jit.js:
1870         * stress/value-sub-big-int-prediction-propagation.js: Added.
1871         * stress/value-sub-big-int-untyped.js: Added.
1872         * stress/value-sub-spec-none-case.js: Added.
1873
1874 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1875
1876         [JSC] JSC should have "parseFunction" to optimize Function constructor
1877         https://bugs.webkit.org/show_bug.cgi?id=190340
1878
1879         Reviewed by Mark Lam.
1880
1881         This patch fixes the line number of syntax errors raised by the Function constructor,
1882         since we now parse the final code only once. And we no longer use block statement
1883         for Function constructor's parsing.
1884
1885         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1886         * stress/function-cache-with-parameters-end-position.js: Added.
1887         (shouldBe):
1888         (shouldThrow):
1889         (i.anonymous):
1890         * stress/function-constructor-name.js: Added.
1891         (shouldBe):
1892         (GeneratorFunction):
1893         (AsyncFunction.async):
1894         (AsyncGeneratorFunction.async):
1895         (anonymous):
1896         (async.anonymous):
1897         * test262/expectations.yaml:
1898
1899 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1900
1901         Unreviewed, rolling out r237242.
1902         https://bugs.webkit.org/show_bug.cgi?id=190701
1903
1904         it breaks "stress/sampling-profiler-basic.js" (Requested by
1905         caiolima on #webkit).
1906
1907         Reverted changeset:
1908
1909         "[BigInt] Add ValueSub into DFG"
1910         https://bugs.webkit.org/show_bug.cgi?id=186176
1911         https://trac.webkit.org/changeset/237242
1912
1913 2018-10-17  Keith Miller  <keith_miller@apple.com>
1914
1915         AI does not clear Phantom allocation nodes.
1916         https://bugs.webkit.org/show_bug.cgi?id=190694
1917
1918         Reviewed by Saam Barati.
1919
1920         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1921         (Day):
1922         (DaysInYear):
1923         (TimeInYear):
1924         (TimeFromYear):
1925         (DayFromYear):
1926         (InLeapYear):
1927         (YearFromTime):
1928         (WeekDay):
1929         (DaylightSavingTA):
1930         (GetSecondSundayInMarch):
1931         (TimeInMonth):
1932
1933 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1934
1935         [BigInt] Add ValueSub into DFG
1936         https://bugs.webkit.org/show_bug.cgi?id=186176
1937
1938         Reviewed by Yusuke Suzuki.
1939
1940         * stress/big-int-subtraction-jit.js:
1941         * stress/value-sub-big-int-prediction-propagation.js: Added.
1942         * stress/value-sub-big-int-untyped.js: Added.
1943
1944 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1945
1946         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1947         https://bugs.webkit.org/show_bug.cgi?id=190611
1948
1949         Reviewed by Saam Barati.
1950
1951         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1952         to improve test runtime. On ARM/MIPS this test even timed out when running all
1953         tests.
1954
1955         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1956         (test):
1957
1958 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1959
1960         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1961
1962         Unreviewed gardening.
1963
1964         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1965
1966 2018-10-15  Saam barati  <sbarati@apple.com>
1967
1968         Emit fjcvtzs on ARM64E on Darwin
1969         https://bugs.webkit.org/show_bug.cgi?id=184023
1970
1971         Reviewed by Yusuke Suzuki and Filip Pizlo.
1972
1973         * stress/double-to-int32-NaN.js: Added.
1974         (assert):
1975         (foo):
1976
1977 2018-10-15  Saam Barati  <sbarati@apple.com>
1978
1979         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1980         https://bugs.webkit.org/show_bug.cgi?id=190262
1981         <rdar://problem/44986241>
1982
1983         Reviewed by Mark Lam.
1984
1985         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1986         (test):
1987         * stress/slice-array-storage-with-holes.js: Added.
1988         (main):
1989
1990 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1991
1992         Unreviewed, rolling out r237054.
1993         https://bugs.webkit.org/show_bug.cgi?id=190593
1994
1995         "this regressed JetStream 2 by 6% on iOS" (Requested by
1996         saamyjoon on #webkit).
1997
1998         Reverted changeset:
1999
2000         "[JSC] JSC should have "parseFunction" to optimize Function
2001         constructor"
2002         https://bugs.webkit.org/show_bug.cgi?id=190340
2003         https://trac.webkit.org/changeset/237054
2004
2005 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2006
2007         [JSC] JSON.stringify can accept call-with-no-arguments
2008         https://bugs.webkit.org/show_bug.cgi?id=190343
2009
2010         Reviewed by Mark Lam.
2011
2012         * stress/json-stringify-no-arguments.js: Added.
2013         (shouldBe):
2014
2015 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2016
2017         [JSC] JSC should have "parseFunction" to optimize Function constructor
2018         https://bugs.webkit.org/show_bug.cgi?id=190340
2019
2020         Reviewed by Mark Lam.
2021
2022         This patch fixes the line number of syntax errors raised by the Function constructor,
2023         since we now parse the final code only once. And we no longer use block statement
2024         for Function constructor's parsing.
2025
2026         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2027         * stress/function-cache-with-parameters-end-position.js: Added.
2028         (shouldBe):
2029         (shouldThrow):
2030         (i.anonymous):
2031         * stress/function-constructor-name.js: Added.
2032         (shouldBe):
2033         (GeneratorFunction):
2034         (AsyncFunction.async):
2035         (AsyncGeneratorFunction.async):
2036         (anonymous):
2037         (async.anonymous):
2038         * test262/expectations.yaml:
2039
2040 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2041
2042         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2043         https://bugs.webkit.org/show_bug.cgi?id=190426
2044
2045         Unreviewed gardening.
2046
2047         * stress/sampling-profiler-richards.js:
2048
2049 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2050
2051         [ESNext][BigInt] Implement support for "|"
2052         https://bugs.webkit.org/show_bug.cgi?id=186229
2053
2054         Reviewed by Yusuke Suzuki.
2055
2056         * stress/big-int-bitwise-and-jit.js:
2057         * stress/big-int-bitwise-or-general.js: Added.
2058         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2059         * stress/big-int-bitwise-or-jit.js: Added.
2060         * stress/big-int-bitwise-or-memory-stress.js: Added.
2061         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2062         * stress/big-int-bitwise-or-type-error.js: Added.
2063         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2064
2065 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2066
2067         Skip test on systems with limited memory
2068         https://bugs.webkit.org/show_bug.cgi?id=190310
2069
2070         Invoking runDefault adds test to runlist; skipping the test in the next
2071         line does not prevent the test from executing. Change order of lines such
2072         that runDefault is only executed if test is not executed.
2073
2074         Reviewed by Mark Lam.
2075
2076         * stress/regress-190187.js:
2077
2078 2018-10-03  Saam barati  <sbarati@apple.com>
2079
2080         lowXYZ in FTLLower should always filter the type of the incoming edge
2081         https://bugs.webkit.org/show_bug.cgi?id=189939
2082         <rdar://problem/44407030>
2083
2084         Reviewed by Michael Saboff.
2085
2086         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2087         (foo):
2088         (test):
2089
2090 2018-10-03  Mark Lam  <mark.lam@apple.com>
2091
2092         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2093         https://bugs.webkit.org/show_bug.cgi?id=190187
2094         <rdar://problem/42512909>
2095
2096         Reviewed by Michael Saboff.
2097
2098         * stress/regress-190187.js: Added.
2099
2100 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2101
2102         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2103         https://bugs.webkit.org/show_bug.cgi?id=190033
2104
2105         Reviewed by Yusuke Suzuki.
2106
2107         * stress/big-int-to-string.js:
2108
2109 2018-10-01  Mark Lam  <mark.lam@apple.com>
2110
2111         Function.toString() should also copy the source code of Functions that are class definitions.
2112         https://bugs.webkit.org/show_bug.cgi?id=190186
2113         <rdar://problem/44733360>
2114
2115         Reviewed by Saam Barati.
2116
2117         * stress/regress-190186.js: Added.
2118
2119 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2120
2121         Split NaN-check into separate test
2122         https://bugs.webkit.org/show_bug.cgi?id=190010
2123
2124         Reviewed by Saam Barati.
2125
2126         DataView exposes NaN-representation, which is not necessarily the same on each
2127         architecture. Therefore move the check of the NaN-representation into its own
2128         file such that we can disable this test on MIPS where NaN-representation can be
2129         different on older CPUs.
2130
2131         * stress/dataview-jit-set-nan.js: Added.
2132         (assert):
2133         (test.storeLittleEndian):
2134         (test.storeBigEndian):
2135         (test.store):
2136         (test):
2137         * stress/dataview-jit-set.js:
2138         (test5):
2139
2140 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2141
2142         Unreviewed, rolling out r236647.
2143         https://bugs.webkit.org/show_bug.cgi?id=190124
2144
2145         Breaking test stress/big-int-to-string.js (Requested by
2146         caiolima_ on #webkit).
2147
2148         Reverted changeset:
2149
2150         "[BigInt] BigInt.prototype.toString is broken when radix is
2151         power of 2"
2152         https://bugs.webkit.org/show_bug.cgi?id=190033
2153         https://trac.webkit.org/changeset/236647
2154
2155 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2156
2157         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2158         https://bugs.webkit.org/show_bug.cgi?id=190033
2159
2160         Reviewed by Yusuke Suzuki.
2161
2162         * stress/big-int-to-string.js:
2163
2164 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2165
2166         [ESNext][BigInt] Implement support for "&"
2167         https://bugs.webkit.org/show_bug.cgi?id=186228
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         * stress/big-int-bitwise-and-general.js: Added.
2172         (assert):
2173         (assert.sameValue):
2174         * stress/big-int-bitwise-and-jit.js: Added.
2175         (let.assert.sameValue):
2176         (bigIntBitAnd):
2177         * stress/big-int-bitwise-and-memory-stress.js: Added.
2178         (assert):
2179         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2180         (assert.sameValue):
2181         (let.o.Symbol.toPrimitive):
2182         (catch):
2183         * stress/big-int-bitwise-and-type-error.js: Added.
2184         (assert):
2185         (assertThrowTypeError):
2186         (let.o.valueOf):
2187         (o.valueOf):
2188         (o.toString):
2189         (o.Symbol.toPrimitive):
2190         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2191         (assert.sameValue):
2192         (testBitAnd):
2193         (let.o.Symbol.toPrimitive):
2194         (o.valueOf):
2195         (o.toString):
2196
2197 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2198
2199         JSC test stress/jsc-read.js doesn't support CRLF
2200         https://bugs.webkit.org/show_bug.cgi?id=190063
2201
2202         Reviewed by Yusuke Suzuki.
2203
2204         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2205
2206         * stress/jsc-read.js:
2207         (test):
2208
2209 2018-09-27  Saam barati  <sbarati@apple.com>
2210
2211         Verify the contents of AssemblerBuffer on arm64e
2212         https://bugs.webkit.org/show_bug.cgi?id=190057
2213         <rdar://problem/38916630>
2214
2215         Reviewed by Mark Lam.
2216
2217         * stress/regress-189132.js:
2218
2219 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2220
2221         Disable test without LLInt on ARMv7
2222         https://bugs.webkit.org/show_bug.cgi?id=190037
2223
2224         Reviewed by Mark Lam.
2225
2226         Test runs out of executable memory on ARMv7; do not run
2227         this test without LLInt enabled.
2228
2229         * stress/regress-169445.js:
2230
2231 2018-09-26  Keith Miller  <keith_miller@apple.com>
2232
2233         We should zero unused property storage when rebalancing array storage.
2234         https://bugs.webkit.org/show_bug.cgi?id=188151
2235
2236         Reviewed by Michael Saboff.
2237
2238         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2239
2240 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2241
2242         [JSC] Optimize Array#lastIndexOf
2243         https://bugs.webkit.org/show_bug.cgi?id=189780
2244
2245         Reviewed by Saam Barati.
2246
2247         * stress/array-lastindexof-array-prototype-trap.js: Added.
2248         (shouldBe):
2249         (AncestorArray.prototype.get 2):
2250         (AncestorArray):
2251         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2252         (shouldBe):
2253         * stress/array-lastindexof-hole-nan.js: Added.
2254         (shouldBe):
2255         (throw.new.Error):
2256         * stress/array-lastindexof-infinity.js: Added.
2257         (shouldBe):
2258         (throw.new.Error):
2259         * stress/array-lastindexof-negative-zero.js: Added.
2260         (shouldBe):
2261         (throw.new.Error):
2262         * stress/array-lastindexof-own-getter.js: Added.
2263         (shouldBe):
2264         (throw.new.Error.get array):
2265         (get array):
2266         * stress/array-lastindexof-prototype-trap.js: Added.
2267         (shouldBe):
2268         (DerivedArray.prototype.get 2):
2269         (DerivedArray):
2270
2271 2018-09-25  Saam Barati  <sbarati@apple.com>
2272
2273         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2274         https://bugs.webkit.org/show_bug.cgi?id=189940
2275         <rdar://problem/43640987>
2276
2277         Reviewed by Mark Lam.
2278
2279         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2280
2281 2018-09-24  Saam Barati  <sbarati@apple.com>
2282
2283         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2284         https://bugs.webkit.org/show_bug.cgi?id=189922
2285         <rdar://problem/44651275>
2286
2287         Reviewed by Mark Lam.
2288
2289         * stress/array-indexof-fast-path-effects.js: Added.
2290         * stress/array-indexof-cached-length.js: Added.
2291
2292 2018-09-24  Saam barati  <sbarati@apple.com>
2293
2294         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2295         https://bugs.webkit.org/show_bug.cgi?id=189682
2296         <rdar://problem/43557315>
2297
2298         Reviewed by Mark Lam.
2299
2300         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2301         (foo):
2302
2303 2018-09-22  Saam barati  <sbarati@apple.com>
2304
2305         The sampling should not use Strong<CodeBlock> in its machineLocation field
2306         https://bugs.webkit.org/show_bug.cgi?id=189319
2307
2308         Reviewed by Filip Pizlo.
2309
2310         * stress/sampling-profiler-richards.js: Added.
2311
2312 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2313
2314         [JSC] Optimize Array#indexOf in C++ runtime
2315         https://bugs.webkit.org/show_bug.cgi?id=189507
2316
2317         Reviewed by Saam Barati.
2318
2319         * stress/array-indexof-array-prototype-trap.js: Added.
2320         (shouldBe):
2321         (AncestorArray.prototype.get 2):
2322         (AncestorArray):
2323         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2324         (shouldBe):
2325         * stress/array-indexof-hole-nan.js: Added.
2326         (shouldBe):
2327         (throw.new.Error):
2328         * stress/array-indexof-infinity.js: Added.
2329         (shouldBe):
2330         (throw.new.Error):
2331         * stress/array-indexof-negative-zero.js: Added.
2332         (shouldBe):
2333         (throw.new.Error):
2334         * stress/array-indexof-own-getter.js: Added.
2335         (shouldBe):
2336         (throw.new.Error.get array):
2337         (get array):
2338         * stress/array-indexof-prototype-trap.js: Added.
2339         (shouldBe):
2340         (DerivedArray.prototype.get 2):
2341         (DerivedArray):
2342
2343 2018-09-19  Saam barati  <sbarati@apple.com>
2344
2345         AI rule for MultiPutByOffset executes its effects in the wrong order
2346         https://bugs.webkit.org/show_bug.cgi?id=189757
2347         <rdar://problem/43535257>
2348
2349         Reviewed by Michael Saboff.
2350
2351         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2352         (foo):
2353         (Foo):
2354         (g):
2355
2356 2018-09-17  Mark Lam  <mark.lam@apple.com>
2357
2358         Ensure that ForInContexts are invalidated if their loop local is over-written.
2359         https://bugs.webkit.org/show_bug.cgi?id=189571
2360         <rdar://problem/44402277>
2361
2362         Reviewed by Saam Barati.
2363
2364         * stress/regress-189571.js: Added.
2365
2366 2018-09-17  Saam barati  <sbarati@apple.com>
2367
2368         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2369         https://bugs.webkit.org/show_bug.cgi?id=189676
2370         <rdar://problem/39682897>
2371
2372         Reviewed by Michael Saboff.
2373
2374         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2375         (A):
2376         (K):
2377         (i.catch):
2378
2379 2018-09-14  Saam barati  <sbarati@apple.com>
2380
2381         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2382         https://bugs.webkit.org/show_bug.cgi?id=189628
2383         <rdar://problem/39481690>
2384
2385         Reviewed by Mark Lam.
2386
2387         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2388         (foo):
2389
2390 2018-09-11  Mark Lam  <mark.lam@apple.com>
2391
2392         Test for array initialization in arrayProtoFuncSplice.
2393         https://bugs.webkit.org/show_bug.cgi?id=170253
2394         <rdar://problem/31328773>
2395
2396         Rubber-stamped by Saam Barati.
2397
2398         * stress/regress-170253.js: Added.
2399
2400 2018-09-11  Mark Lam  <mark.lam@apple.com>
2401
2402         Test for IntlObject initialization.
2403         https://bugs.webkit.org/show_bug.cgi?id=170251
2404         <rdar://problem/31328419>
2405
2406         Rubber-stamped by Saam Barati.
2407
2408         * stress/regress-170251.js: Added.
2409
2410 2018-09-11  Mark Lam  <mark.lam@apple.com>
2411
2412         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2413         https://bugs.webkit.org/show_bug.cgi?id=169889
2414         <rdar://problem/31155607>
2415
2416         Reviewed by Saam Barati.
2417
2418         * stress/regress-169889-array-concat.js: Added.
2419         * stress/regress-169889-array-concat1.js: Added.
2420         * stress/regress-169889-array-slice.js: Added.
2421
2422 2018-09-11  Mark Lam  <mark.lam@apple.com>
2423
2424         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2425         https://bugs.webkit.org/show_bug.cgi?id=169445
2426         <rdar://problem/30957435>
2427
2428         Reviewed by Saam Barati.
2429
2430         * stress/regress-169445.js: Added.
2431         (let.gun.eval.A):
2432         (let.gun.eval.B.C):
2433         (let.gun.eval.B.C.prototype.trigger):
2434         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2435         (let.gun.eval.B):
2436         (let.gun.eval):
2437
2438 == Rolled over to ChangeLog-2018-09-11 ==