[JSC] Add LazyClassStructure::getInitializedOnMainThread
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Add LazyClassStructure::getInitializedOnMainThread
4         https://bugs.webkit.org/show_bug.cgi?id=194784
5         <rdar://problem/48154820>
6
7         Reviewed by Mark Lam.
8
9         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
10         (getProperties):
11         (getRandomProperty):
12         (i.catch):
13
14 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
15
16         [ARM] Test gardening: Test running out of executable memory
17         https://bugs.webkit.org/show_bug.cgi?id=194771
18
19         Unreviewed. Do not run test without LLInt, test is running out of executable
20         memory on ARM otherwise.
21
22         * stress/tagged-template-object-collect.js:
23
24 2019-02-18  Tomas Popela  <tpopela@redhat.com>
25
26         Unreviewed, skip the test on platforms without sampling profiler
27
28         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
29         (platformSupportsSamplingProfiler.foo):
30         (platformSupportsSamplingProfiler.test):
31         (platformSupportsSamplingProfiler):
32         (foo): Deleted.
33         (test): Deleted.
34
35 2019-02-17  Saam Barati  <sbarati@apple.com>
36
37         Deadlock when adding a Structure property transition and then doing incremental marking
38         https://bugs.webkit.org/show_bug.cgi?id=194767
39
40         Reviewed by Mark Lam.
41
42         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
43
44 2019-02-15  Michael Saboff  <msaboff@apple.com>
45
46         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
47         https://bugs.webkit.org/show_bug.cgi?id=194558
48
49         Reviewed by Saam Barati.
50
51         New regression test.
52
53         * stress/regexp-unicode-within-string.js: Added.
54
55 2019-02-15  Mark Lam  <mark.lam@apple.com>
56
57         SamplingProfiler::stackTracesAsJSON() should escape strings.
58         https://bugs.webkit.org/show_bug.cgi?id=194649
59         <rdar://problem/48072386>
60
61         Reviewed by Saam Barati.
62
63         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
64         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
65         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
66         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
67
68 2019-02-15  Robin Morisset  <rmorisset@apple.com>
69         CodeBlock::jettison should clear related watchpoints
70         https://bugs.webkit.org/show_bug.cgi?id=194544
71
72         Reviewed by Mark Lam.
73
74         * stress/regexp-replace-double-watchpoint.js: Added.
75         (foo):
76
77 2019-02-15  Saam barati  <sbarati@apple.com>
78
79         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
80         https://bugs.webkit.org/show_bug.cgi?id=194036
81
82         Reviewed by Yusuke Suzuki.
83
84         * stress/tail-call-many-arguments.js: Added.
85         (foo):
86         (bar):
87
88 2019-02-14  Saam Barati  <sbarati@apple.com>
89
90         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
91         https://bugs.webkit.org/show_bug.cgi?id=194583
92         <rdar://problem/48028140>
93
94         Reviewed by Yusuke Suzuki.
95
96         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
97
98 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
99
100         [JSC] String.fromCharCode's slow path always generates 16bit string
101         https://bugs.webkit.org/show_bug.cgi?id=194466
102
103         Reviewed by Keith Miller.
104
105         * stress/string-from-char-code-slow-path.js: Added.
106         (shouldBe):
107         (testWithLength):
108
109 2019-02-08  Saam barati  <sbarati@apple.com>
110
111         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
112         https://bugs.webkit.org/show_bug.cgi?id=194334
113         <rdar://problem/47844327>
114
115         Reviewed by Mark Lam.
116
117         * stress/check-in-bounds-should-be-a-child-use.js: Added.
118         (func):
119
120 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
121
122         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
123         https://bugs.webkit.org/show_bug.cgi?id=194369
124         <rdar://problem/47813087>
125
126         Reviewed by Saam Barati.
127
128         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
129         (A):
130
131 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
132
133         [JSC] PrivateName to PublicName hash table is wasteful
134         https://bugs.webkit.org/show_bug.cgi?id=194277
135
136         Reviewed by Michael Saboff.
137
138         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
139
140         * ChakraCore.yaml:
141
142 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
143
144         [ARM] Test running out of executable memory
145         https://bugs.webkit.org/show_bug.cgi?id=194285
146
147         Unreviewed. Do no execute test with LLInt disabled, test runs out of
148         executable memory otherwise.
149
150         * stress/class-subclassing-function.js:
151
152 2019-02-04  Robin Morisset  <rmorisset@apple.com>
153
154         when lowering AssertNotEmpty, create the value before creating the patchpoint
155         https://bugs.webkit.org/show_bug.cgi?id=194231
156
157         Reviewed by Saam Barati.
158
159         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
160         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
161         So even tiny changes to this test can change the path code taken.
162
163         * stress/assert-not-empty.js: Added.
164         (foo):
165
166 2019-02-01  Mark Lam  <mark.lam@apple.com>
167
168         Remove invalid assertion in DFG's compileDoubleRep().
169         https://bugs.webkit.org/show_bug.cgi?id=194130
170         <rdar://problem/47699474>
171
172         Reviewed by Saam Barati.
173
174         * stress/constant-fold-double-rep-into-double-constant.js: Added.
175
176 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
177
178         Import latest Test262 updates.
179
180         Rubber-stamped by Keith Miller.
181
182         * test262.yaml: Deleted.
183         * test262/config.yaml:
184         * test262/expectations.yaml:
185         * test262/latest-changes-summary.txt:
186         * test262/test/:
187         * test262/test262-Revision.txt:
188
189 2019-01-30  Robin Morisset  <rmorisset@apple.com>
190
191         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
192         https://bugs.webkit.org/show_bug.cgi?id=194050
193         <rdar://problem/47595592>
194
195         Reviewed by Yusuke Suzuki.
196
197         * stress/object-keys-osr-exit.js: Added.
198         (foo):
199         (catch):
200
201 2019-01-29  Mark Lam  <mark.lam@apple.com>
202
203         ValueRecovery::recover() should purify NaN values it recovers.
204         https://bugs.webkit.org/show_bug.cgi?id=193978
205         <rdar://problem/47625488>
206
207         Reviewed by Saam Barati.
208
209         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
210
211 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
212
213         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
214         https://bugs.webkit.org/show_bug.cgi?id=193713
215
216         * stress/try-get-by-id-should-spill-registers-dfg.js:
217         (let.f.createBuiltin):
218
219 2019-01-28  Mark Lam  <mark.lam@apple.com>
220
221         ToString node actually does GC.
222         https://bugs.webkit.org/show_bug.cgi?id=193920
223         <rdar://problem/46695900>
224
225         Reviewed by Yusuke Suzuki.
226
227         * stress/dfg-to-string-on-int-does-gc.js: Added.
228         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
229         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
230
231 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
232
233         [JSC] NativeErrorConstructor should not have own IsoSubspace
234         https://bugs.webkit.org/show_bug.cgi?id=193713
235
236         Reviewed by Saam Barati.
237
238         Remove @Error use.
239
240         * stress/try-get-by-id-should-spill-registers-dfg.js:
241         (let.f.createBuiltin):
242
243 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
244
245         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
246         https://bugs.webkit.org/show_bug.cgi?id=190693
247
248         Reviewed by Michael Saboff.
249
250         * stress/regress-190693.js: Added.
251         (truth):
252         (assert):
253         (shouldThrowInvalidConstAssignment):
254         (taz):
255
256 2019-01-24  Saam Barati  <sbarati@apple.com>
257
258         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
259         https://bugs.webkit.org/show_bug.cgi?id=193751
260         <rdar://problem/47280215>
261
262         Reviewed by Michael Saboff.
263
264         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
265         (let.thing):
266         (foo.let.hello):
267         (foo):
268
269 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
270
271         [JSC] Reenable baseline JIT on mips
272         https://bugs.webkit.org/show_bug.cgi?id=192983
273
274         Reviewed by Mark Lam.
275
276         Added a new test for a case that was triggering a RELEASE_ASSERT when
277         testing.
278         Disable some slow tests that were already disabled for arm and x86.
279
280         * stress/json-parse-big-object.js: Added.
281         * stress/new-largeish-contiguous-array-with-size.js:
282         * stress/op_add.js:
283         * stress/op_bitand.js:
284         * stress/op_bitor.js:
285         * stress/op_bitxor.js:
286         * stress/op_lshift-ConstVar.js:
287         * stress/op_lshift-VarConst.js:
288         * stress/op_lshift-VarVar.js:
289         * stress/op_mod-ConstVar.js:
290         * stress/op_mod-VarConst.js:
291         * stress/op_mod-VarVar.js:
292         * stress/op_mul-ConstVar.js:
293         * stress/op_mul-VarConst.js:
294         * stress/op_mul-VarVar.js:
295         * stress/op_rshift-ConstVar.js:
296         * stress/op_rshift-VarConst.js:
297         * stress/op_rshift-VarVar.js:
298         * stress/op_sub-ConstVar.js:
299         * stress/op_sub-VarConst.js:
300         * stress/op_sub-VarVar.js:
301         * stress/op_urshift-ConstVar.js:
302         * stress/op_urshift-VarConst.js:
303         * stress/op_urshift-VarVar.js:
304         * stress/sampling-profiler-richards.js:
305         * stress/spread-forward-call-varargs-stack-overflow.js:
306
307 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
308
309         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
310         https://bugs.webkit.org/show_bug.cgi?id=193711
311         <rdar://problem/47250262>
312
313         Reviewed by Saam Barati.
314
315         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
316         (shouldBe):
317         (foo):
318         (bar):
319         (baz):
320
321 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
322
323         Unreviewed, fix initial global lexical binding epoch
324         https://bugs.webkit.org/show_bug.cgi?id=193603
325         <rdar://problem/47380869>
326
327         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
328         (f1.f2.f3.f4):
329         (f1.f2.f3):
330         (f1.f2):
331         (f1):
332
333 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
334
335         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
336         https://bugs.webkit.org/show_bug.cgi?id=193709
337         <rdar://problem/47363838>
338
339         Unreviewed, rollout to watch the tests.
340
341         * stress/object-tostring-changed-proto.js: Removed.
342         * stress/object-tostring-changed.js: Removed.
343         * stress/object-tostring-misc.js: Removed.
344         * stress/object-tostring-other.js: Removed.
345         * stress/object-tostring-untyped.js: Removed.
346
347 2019-01-22  Saam Barati  <sbarati@apple.com>
348
349         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
350
351         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
352         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
353         (testUncheckedLessThanZero):
354         (testUncheckedLessThanOrEqualZero):
355         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
356         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
357
358 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
359
360         [JSC] Invalidate old scope operations using global lexical binding epoch
361         https://bugs.webkit.org/show_bug.cgi?id=193603
362         <rdar://problem/47380869>
363
364         Reviewed by Saam Barati.
365
366         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
367         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
368         (shouldThrow):
369         (bar):
370         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
371         (shouldBe):
372         (get1):
373         (get2):
374         (get1If):
375         (get2If):
376         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
377         (shouldThrow):
378         (foo):
379
380 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
381
382         Unreviewed, roll out r240220 due to date-format-xparb regression
383         https://bugs.webkit.org/show_bug.cgi?id=193603
384
385         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
386         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
387         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
388         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
389
390 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
391
392         DoesGC rule is wrong for nodes with BigIntUse
393         https://bugs.webkit.org/show_bug.cgi?id=193652
394
395         Reviewed by Saam Barati.
396
397         * stress/big-int-value-op-update-gc-rules.js: Added.
398         (assert):
399         (doesGCAdd):
400         (doesGCSub):
401         (doesGCDiv):
402         (doesGCMul):
403         (doesGCBitAnd):
404         (doesGCBitOr):
405         (doesGCBitXor):
406
407 2019-01-20  Saam Barati  <sbarati@apple.com>
408
409         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
410         https://bugs.webkit.org/show_bug.cgi?id=193644
411         <rdar://problem/46209745>
412
413         Reviewed by Yusuke Suzuki.
414
415         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
416         (foo):
417         * stress/data-view-set-intrinsic-undefined-result.js: Added.
418         (foo):
419         (bar):
420
421 2019-01-20  Saam Barati  <sbarati@apple.com>
422
423         MovHint must merge NodeBytecodeUsesAsValue for its child
424         https://bugs.webkit.org/show_bug.cgi?id=186916
425         <rdar://problem/41396612>
426
427         Reviewed by Yusuke Suzuki.
428
429         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
430         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
431
432 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
433
434         [JSC] Invalidate old scope operations using global lexical binding epoch
435         https://bugs.webkit.org/show_bug.cgi?id=193603
436         <rdar://problem/47380869>
437
438         Reviewed by Saam Barati.
439
440         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
441         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
442         (shouldThrow):
443         (bar):
444         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
445         (shouldBe):
446         (get1):
447         (get2):
448         (get1If):
449         (get2If):
450         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
451         (shouldThrow):
452         (foo):
453
454 2019-01-17  Saam barati  <sbarati@apple.com>
455
456         StringObjectUse should not be a structure check for the original string object structure
457         https://bugs.webkit.org/show_bug.cgi?id=193483
458         <rdar://problem/47280522>
459
460         Reviewed by Yusuke Suzuki.
461
462         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
463         (foo):
464         (a.valueOf.0):
465
466 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
467
468         [JSC] ToThis omission in DFGByteCodeParser is wrong
469         https://bugs.webkit.org/show_bug.cgi?id=193513
470         <rdar://problem/45842236>
471
472         Reviewed by Saam Barati.
473
474         * stress/to-this-omission-with-different-strict-modes.js: Added.
475         (thisA):
476         (thisAStrictWrapper):
477
478 2019-01-15  Mark Lam  <mark.lam@apple.com>
479
480         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
481         https://bugs.webkit.org/show_bug.cgi?id=193423
482         <rdar://problem/46209355>
483
484         Reviewed by Saam Barati.
485
486         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
487         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
488         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
489         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
490
491 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
492
493         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
494         https://bugs.webkit.org/show_bug.cgi?id=193438
495         <rdar://problem/45581249>
496
497         Reviewed by Saam Barati and Keith Miller.
498
499         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
500         Then, GetByVal(String) crashed.
501
502         * stress/string-get-by-val-lowering.js: Added.
503         (shouldBe):
504         (test):
505         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
506         (Hello):
507         (foo):
508
509 2019-01-15  Tomas Popela  <tpopela@redhat.com>
510
511         Unreviewed, skip JIT tests if it's not enabled
512
513         * stress/bit-op-with-object-returning-int32.js:
514
515 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
516
517         DFGByteCodeParser rules for bitwise operations should consider type of their operands
518         https://bugs.webkit.org/show_bug.cgi?id=192966
519
520         Reviewed by Yusuke Suzuki.
521
522         * stress/bit-op-with-object-returning-int32.js: Added.
523
524 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
525
526         Skip a slow test and a flakey test on arm
527
528         Unreviewed gardening.
529
530         * typeProfiler/getter-richards.js:
531         this test always times out, it used to be always skipped on arm and
532         mips, but got accidentally enabled by r237919 now that we have DFG on
533         arm. Also skipping on mips as we plan to soon enable DFG for it too.
534
535 2019-01-14  Keith Miller  <keith_miller@apple.com>
536
537         Skip type-check-hoisting-phase-hoist... with no jit
538         https://bugs.webkit.org/show_bug.cgi?id=193421
539
540         Reviewed by Mark Lam.
541
542         It's timing out the 32-bit bots and takes 330 seconds
543         on my machine when run by itself.
544
545         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
546
547 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
548
549         [JSC] AI should check the given constant's array type when folding GetByVal into constant
550         https://bugs.webkit.org/show_bug.cgi?id=193413
551         <rdar://problem/46092389>
552
553         Reviewed by Keith Miller.
554
555         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
556         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
557         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
558         but GetByVal does not have appropriate ArrayModes, JSC crashes.
559
560         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
561         (compareArray):
562
563 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
564
565         [BigInt] Literal parsing is crashing when used inside a Object Literal
566         https://bugs.webkit.org/show_bug.cgi?id=193404
567
568         Reviewed by Yusuke Suzuki.
569
570         * stress/big-int-literal-inside-literal-object.js: Added.
571
572 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
573
574         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
575         https://bugs.webkit.org/show_bug.cgi?id=193372
576
577         Reviewed by Saam Barati.
578
579         * stress/typed-array-array-modes-profile.js: Added.
580         (foo):
581
582 2019-01-14  Mark Lam  <mark.lam@apple.com>
583
584         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
585         https://bugs.webkit.org/show_bug.cgi?id=193402
586         <rdar://problem/46012309>
587
588         Reviewed by Keith Miller.
589
590         * stress/regexp-compile-oom.js:
591         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
592           is enabled.  As a result, it will fail on cloop builds though there is no bug.
593
594 2019-01-11  Saam barati  <sbarati@apple.com>
595
596         DFG combined liveness can be wrong for terminal basic blocks
597         https://bugs.webkit.org/show_bug.cgi?id=193304
598         <rdar://problem/45268632>
599
600         Reviewed by Yusuke Suzuki.
601
602         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
603
604 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
605
606         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
607         https://bugs.webkit.org/show_bug.cgi?id=193308
608         <rdar://problem/45546542>
609
610         Reviewed by Saam Barati.
611
612         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
613         (shouldThrow):
614         (shouldBe):
615         (foo):
616         (get shouldThrow):
617         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
618         (shouldThrow):
619         (shouldBe):
620         (foo):
621         (get shouldBe):
622         (get shouldThrow):
623         (get return):
624         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
625         (shouldThrow):
626         (shouldBe):
627         (foo):
628         (get shouldBe):
629         (get shouldThrow):
630         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
631         (shouldThrow):
632         (shouldBe):
633         (foo):
634         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
635         (shouldThrow):
636         (shouldBe):
637         (foo):
638         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
639         (shouldThrow):
640         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
641         (shouldThrow):
642         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
643         (shouldThrow):
644         (shouldBe):
645         (foo):
646         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
647         (shouldThrow):
648         (shouldBe):
649         (foo):
650         (get shouldBe):
651         (get shouldThrow):
652         (get return):
653         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
654         (shouldThrow):
655         (shouldBe):
656         (foo):
657         (get shouldBe):
658         (get shouldThrow):
659         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
660         (shouldThrow):
661         (shouldBe):
662         (foo):
663         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
664         (shouldThrow):
665         (shouldBe):
666         (foo):
667
668 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
669
670         Enable DFG on ARM/Linux again
671         https://bugs.webkit.org/show_bug.cgi?id=192496
672
673         Reviewed by Yusuke Suzuki.
674
675         Test wasn't really skipped before moving the line with skip
676         to the top.
677
678         * stress/regress-192717.js:
679
680 2019-01-10  Commit Queue  <commit-queue@webkit.org>
681
682         Unreviewed, rolling out r239825.
683         https://bugs.webkit.org/show_bug.cgi?id=193330
684
685         Broke tests on armv7/linux bots (Requested by guijemont on
686         #webkit).
687
688         Reverted changeset:
689
690         "Enable DFG on ARM/Linux again"
691         https://bugs.webkit.org/show_bug.cgi?id=192496
692         https://trac.webkit.org/changeset/239825
693
694 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
695
696         Enable DFG on ARM/Linux again
697         https://bugs.webkit.org/show_bug.cgi?id=192496
698
699         Reviewed by Yusuke Suzuki.
700
701         Test wasn't really skipped before moving the line with skip
702         to the top.
703
704         * stress/regress-192717.js:
705
706 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
707
708         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
709         https://bugs.webkit.org/show_bug.cgi?id=193127
710
711         Reviewed by Saam Barati.
712
713         * stress/array-species-create-should-handle-masquerader.js: Added.
714         (shouldThrow):
715         * stress/is-undefined-or-null-builtin.js: Added.
716         (shouldBe):
717         (isUndefinedOrNull.vm.createBuiltin):
718
719 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
720
721         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
722         https://bugs.webkit.org/show_bug.cgi?id=193221
723
724         Reviewed by Mark Lam.
725
726         * stress/put-by-id-flags.js: Added.
727         (f):
728         (g):
729         (numberOfDFGCompiles):
730
731 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
732
733         Baseline version of get_by_id may corrupt metadata
734         https://bugs.webkit.org/show_bug.cgi?id=193085
735         <rdar://problem/23453006>
736
737         Reviewed by Saam Barati.
738
739         * stress/get-by-id-change-mode.js: Added.
740         (forEach):
741
742 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
743
744         [JSC] Optimize Object.prototype.toString
745         https://bugs.webkit.org/show_bug.cgi?id=193031
746
747         Reviewed by Saam Barati.
748
749         * stress/object-tostring-changed-proto.js: Added.
750         (shouldBe):
751         (test):
752         * stress/object-tostring-changed.js: Added.
753         (shouldBe):
754         (test):
755         * stress/object-tostring-misc.js: Added.
756         (shouldBe):
757         (test):
758         (i.switch):
759         * stress/object-tostring-other.js: Added.
760         (shouldBe):
761         (test):
762         * stress/object-tostring-untyped.js: Added.
763         (shouldBe):
764         (test):
765         (i.switch):
766
767 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
768
769         test262-runner misbehaves when test file YAML has a trailing space
770         https://bugs.webkit.org/show_bug.cgi?id=193053
771
772         Reviewed by Yusuke Suzuki.
773
774         * test262/expectations.yaml:
775         Mark two dozen tests as passing (and correct the output of another).
776
777 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
778
779         Unreviewed, JSTests gardening with memoryLimited
780
781         * stress/string-overflow-createError.js:
782
783 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
784
785         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
786         https://bugs.webkit.org/show_bug.cgi?id=193050
787
788         Reviewed by Yusuke Suzuki.
789
790         * test262.yaml:
791         * test262/expectations.yaml:
792         Mark 16 tests as passing.
793
794 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
795
796         [BigInt] Support BigInt in JSON.stringify
797         https://bugs.webkit.org/show_bug.cgi?id=192624
798
799         Reviewed by Saam Barati.
800
801         * stress/big-int-json-stringify-to-json.js: Added.
802         (shouldBe):
803         (shouldThrow):
804         (BigInt.prototype.toJSON):
805         (shouldBe.JSON.stringify):
806         * stress/big-int-json-stringify.js: Added.
807         (shouldBe):
808         (shouldThrow):
809
810 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
811
812         [JSC] Implement "well-formed JSON.stringify" proposal
813         https://bugs.webkit.org/show_bug.cgi?id=191677
814
815         Reviewed by Darin Adler.
816
817         * stress/json-surrogate-pair.js: Added.
818         (shouldBe):
819         * test262/expectations.yaml:
820
821 2018-12-20  Keith Miller  <keith_miller@apple.com>
822
823         Add support for globalThis
824         https://bugs.webkit.org/show_bug.cgi?id=165171
825
826         Reviewed by Mark Lam.
827
828         * test262/config.yaml:
829
830 2018-12-19  Keith Miller  <keith_miller@apple.com>
831
832         Update test262 configuration to not run tests dependent on ICU version.
833         https://bugs.webkit.org/show_bug.cgi?id=192920
834
835         Reviewed by Saam Barati.
836
837         * test262/expectations.yaml:
838
839 2018-12-20  Mark Lam  <mark.lam@apple.com>
840
841         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
842         https://bugs.webkit.org/show_bug.cgi?id=192939
843         <rdar://problem/46869516>
844
845         Reviewed by Keith Miller.
846
847         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
848
849 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
850
851         WTF::String and StringImpl overflow MaxLength
852         https://bugs.webkit.org/show_bug.cgi?id=192853
853         <rdar://problem/45726906>
854
855         Reviewed by Mark Lam.
856
857         * stress/string-16bit-repeat-overflow.js: Added.
858         (catch):
859
860 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
861
862         Unreviewed follow-up to r192914.
863
864         * test262/expectations.yaml:
865         Add the last 20 missing expectations.
866
867 2018-12-19  Keith Miller  <keith_miller@apple.com>
868
869         Fix test262 expectations
870         https://bugs.webkit.org/show_bug.cgi?id=192914
871
872         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
873
874         * test262/expectations.yaml:
875
876 2018-12-19  Keith Miller  <keith_miller@apple.com>
877
878         Update test262 tests.
879         https://bugs.webkit.org/show_bug.cgi?id=192907
880
881         Rubber stamped by Mark Lam.
882
883         * test262/*: Omitted because prepare-changelog crashes.
884
885 2018-12-19  Mark Lam  <mark.lam@apple.com>
886
887         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
888         https://bugs.webkit.org/show_bug.cgi?id=192464
889         <rdar://problem/46519455>
890
891         Reviewed by Saam Barati.
892
893         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
894         microbenchmark.
895
896         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
897         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
898
899 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
900
901         String overflow in JSC::createError results in ASSERT in WTF::makeString
902         https://bugs.webkit.org/show_bug.cgi?id=192833
903         <rdar://problem/45706868>
904
905         Reviewed by Mark Lam.
906
907         * stress/string-overflow-createError.js: Added.
908
909 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
910
911         Error message for `-x ** y` contains a typo.
912         https://bugs.webkit.org/show_bug.cgi?id=192832
913
914         Reviewed by Saam Barati.
915
916         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
917         (assert.assert.return.throws):
918         * stress/pow-expects-update-expression-on-lhs.js:
919         (throw.new.Error):
920         Update test expectations which match against the exact error message.
921
922 2018-12-18  Mark Lam  <mark.lam@apple.com>
923
924         Gardening: test options fix.
925         https://bugs.webkit.org/show_bug.cgi?id=192822
926
927         Unreviewed.
928
929         * stress/json-stringify-string-builder-overflow.js:
930
931 2018-12-18  Mark Lam  <mark.lam@apple.com>
932
933         JSON.stringify() should throw OOM on StringBuilder overflows.
934         https://bugs.webkit.org/show_bug.cgi?id=192822
935         <rdar://problem/46670577>
936
937         Reviewed by Saam Barati.
938
939         * stress/json-stringify-string-builder-overflow.js: Added.
940
941 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
942
943         Redeclaration of var over let/const/class should be a syntax error.
944         https://bugs.webkit.org/show_bug.cgi?id=192298
945
946         Reviewed by Keith Miller.
947
948         * test262.yaml:
949         * test262/expectations.yaml:
950         Mark 46 tests as passing.
951
952         * stress/block-scope-redeclarations.js:
953         Add some new tests.
954
955         * stress/for-in-invalidate-context-weird-assignments.js:
956         * stress/for-in-tests.js:
957         Replace tests for outdated behavior with tests for SyntaxError.
958
959         * ChakraCore/test/LetConst/defer3.baseline-jsc:
960         * ChakraCore/test/LetConst/letvar.baseline-jsc:
961         Update expectations.
962
963 2018-12-18  Mark Lam  <mark.lam@apple.com>
964
965         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
966         https://bugs.webkit.org/show_bug.cgi?id=191374
967         <rdar://problem/46525447>
968
969         Reviewed by Yusuke Suzuki.
970
971         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
972
973         * stress/elidable-new-object-roflcopter-then-exit.js:
974
975 2018-12-17  Mark Lam  <mark.lam@apple.com>
976
977         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
978         https://bugs.webkit.org/show_bug.cgi?id=192019
979         <rdar://problem/46525456>
980
981         Reviewed by Yusuke Suzuki.
982
983         The test runs too slow on 32-bit.
984
985         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
986
987 2018-12-17  Mark Lam  <mark.lam@apple.com>
988
989         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
990         https://bugs.webkit.org/show_bug.cgi?id=191373
991         <rdar://problem/46525458>
992
993         Reviewed by Yusuke Suzuki.
994
995         The test is already slow running with a JIT on 64-bit.  It will always timeout
996         on 32-bit without a JIT.
997
998         * stress/materialize-regexp-cyclic-regexp.js:
999
1000 2018-12-17  Mark Lam  <mark.lam@apple.com>
1001
1002         Array unshift/shift should not race against the AI in the compiler thread.
1003         https://bugs.webkit.org/show_bug.cgi?id=192795
1004         <rdar://problem/46724263>
1005
1006         Reviewed by Saam Barati.
1007
1008         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1009
1010 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1011
1012         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1013         https://bugs.webkit.org/show_bug.cgi?id=190047
1014
1015         Reviewed by Saam Barati.
1016
1017         * stress/object-keys-cached-zero.js: Added.
1018         (shouldBe):
1019         (test):
1020         * stress/object-keys-changed-attribute.js: Added.
1021         (shouldBe):
1022         (test):
1023         * stress/object-keys-changed-index.js: Added.
1024         (shouldBe):
1025         (test):
1026         * stress/object-keys-changed.js: Added.
1027         (shouldBe):
1028         (test):
1029         * stress/object-keys-indexed-non-cache.js: Added.
1030         (shouldBe):
1031         (test):
1032         * stress/object-keys-overrides-get-property-names.js: Added.
1033         (shouldBe):
1034         (test):
1035         (noInline):
1036
1037 2018-12-17  Mark Lam  <mark.lam@apple.com>
1038
1039         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1040         https://bugs.webkit.org/show_bug.cgi?id=192779
1041         <rdar://problem/46775869>
1042
1043         Reviewed by Saam Barati.
1044
1045         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1046
1047 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1048
1049         Unreviewed test gardening, address a syntax error in a new test.
1050
1051         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1052
1053 2018-12-17  Mark Lam  <mark.lam@apple.com>
1054
1055         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1056         https://bugs.webkit.org/show_bug.cgi?id=192776
1057         <rdar://problem/46772368>
1058
1059         Reviewed by Keith Miller.
1060
1061         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1062
1063 2018-12-17  Mark Lam  <mark.lam@apple.com>
1064
1065         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1066         https://bugs.webkit.org/show_bug.cgi?id=192770
1067         <rdar://problem/46449037>
1068
1069         Reviewed by Keith Miller.
1070
1071         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1072
1073 2018-12-14  Mark Lam  <mark.lam@apple.com>
1074
1075         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1076         https://bugs.webkit.org/show_bug.cgi?id=192717
1077         <rdar://problem/46660677>
1078
1079         Reviewed by Saam Barati.
1080
1081         * stress/regress-192717.js: Added.
1082
1083 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1084
1085         Unreviewed, rolling out r239153, r239154, and r239155.
1086         https://bugs.webkit.org/show_bug.cgi?id=192715
1087
1088         Caused flaky GC-related crashes seen with layout tests
1089         (Requested by ryanhaddad on #webkit).
1090
1091         Reverted changesets:
1092
1093         "[JSC] Optimize Object.keys by caching own keys results in
1094         StructureRareData"
1095         https://bugs.webkit.org/show_bug.cgi?id=190047
1096         https://trac.webkit.org/changeset/239153
1097
1098         "Unreviewed, build fix after r239153"
1099         https://bugs.webkit.org/show_bug.cgi?id=190047
1100         https://trac.webkit.org/changeset/239154
1101
1102         "Unreviewed, build fix after r239153, part 2"
1103         https://bugs.webkit.org/show_bug.cgi?id=190047
1104         https://trac.webkit.org/changeset/239155
1105
1106 2018-12-14  Keith Miller  <keith_miller@apple.com>
1107
1108         Callers of JSString::getIndex should check for OOM exceptions
1109         https://bugs.webkit.org/show_bug.cgi?id=192709
1110
1111         Reviewed by Mark Lam.
1112
1113         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1114
1115 2018-12-13  Mark Lam  <mark.lam@apple.com>
1116
1117         Add a missing exception check.
1118         https://bugs.webkit.org/show_bug.cgi?id=192626
1119         <rdar://problem/46662163>
1120
1121         Reviewed by Keith Miller.
1122
1123         * stress/regress-192626.js: Added.
1124
1125 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1126
1127         [BigInt] Add ValueDiv into DFG
1128         https://bugs.webkit.org/show_bug.cgi?id=186178
1129
1130         Reviewed by Yusuke Suzuki.
1131
1132         * stress/big-int-div-jit-osr.js: Added.
1133         * stress/big-int-div-jit-untyped.js: Added.
1134         * stress/value-div-fixup-int32-big-int.js: Added.
1135
1136 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1137
1138         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1139         https://bugs.webkit.org/show_bug.cgi?id=190047
1140
1141         Reviewed by Keith Miller.
1142
1143         * stress/object-keys-cached-zero.js: Added.
1144         (shouldBe):
1145         (test):
1146         * stress/object-keys-changed-attribute.js: Added.
1147         (shouldBe):
1148         (test):
1149         * stress/object-keys-changed-index.js: Added.
1150         (shouldBe):
1151         (test):
1152         * stress/object-keys-changed.js: Added.
1153         (shouldBe):
1154         (test):
1155         * stress/object-keys-indexed-non-cache.js: Added.
1156         (shouldBe):
1157         (test):
1158         * stress/object-keys-overrides-get-property-names.js: Added.
1159         (shouldBe):
1160         (test):
1161         (noInline):
1162
1163 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1164
1165         [DFG][FTL] Add NewSymbol
1166         https://bugs.webkit.org/show_bug.cgi?id=192620
1167
1168         Reviewed by Saam Barati.
1169
1170         * microbenchmarks/symbol-creation.js: Added.
1171         (test):
1172         * stress/symbol-description-identity.js: Added.
1173         (shouldBe):
1174         (test):
1175         * stress/symbol-identity.js: Added.
1176         (shouldBe):
1177         (test):
1178         * stress/symbol-with-description-throw-error.js: Added.
1179         (shouldBe):
1180         (shouldThrow):
1181         (test):
1182         (object.toString):
1183
1184 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1185
1186         [BigInt] Implement DFG/FTL typeof for BigInt
1187         https://bugs.webkit.org/show_bug.cgi?id=192619
1188
1189         Reviewed by Keith Miller.
1190
1191         * stress/big-int-boolean-proven-type.js: Added.
1192         (assert):
1193         (bool):
1194         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1195         (assert):
1196         (typeOf):
1197         (i.switch):
1198         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1199         (assert):
1200         (typeOf):
1201         * stress/big-int-type-of.js:
1202         (typeOf):
1203         (func):
1204
1205 2018-12-10  Mark Lam  <mark.lam@apple.com>
1206
1207         PropertyAttribute needs a CustomValue bit.
1208         https://bugs.webkit.org/show_bug.cgi?id=191993
1209         <rdar://problem/46264467>
1210
1211         Reviewed by Saam Barati.
1212
1213         * stress/regress-191993.js: Added.
1214
1215 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1216
1217         [BigInt] Add ValueMul into DFG
1218         https://bugs.webkit.org/show_bug.cgi?id=186175
1219
1220         Reviewed by Yusuke Suzuki.
1221
1222         * stress/big-int-mul-jit-osr.js: Added.
1223         * stress/big-int-mul-jit-untyped.js: Added.
1224         * stress/value-mul-fixup-int32-big-int.js: Added.
1225
1226 2018-12-06  Keith Miller  <keith_miller@apple.com>
1227
1228         stress/big-wasm-memory tests failing on 32-bit JSC bot
1229         https://bugs.webkit.org/show_bug.cgi?id=192020
1230
1231         Reviewed by Saam Barati.
1232
1233         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1234         the wasm stress tests if the WebAssembly object does not exist.
1235
1236         * stress/big-wasm-memory-grow-no-max.js:
1237         (test.foo):
1238         (test):
1239         (foo): Deleted.
1240         (catch): Deleted.
1241         * stress/big-wasm-memory-grow.js:
1242         (test.foo):
1243         (test):
1244         (foo): Deleted.
1245         (catch): Deleted.
1246         * stress/big-wasm-memory.js:
1247         (test.foo):
1248         (test):
1249         (foo): Deleted.
1250         (catch): Deleted.
1251
1252 2018-12-05  Mark Lam  <mark.lam@apple.com>
1253
1254         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1255         https://bugs.webkit.org/show_bug.cgi?id=192441
1256         <rdar://problem/46480355>
1257
1258         Reviewed by Saam Barati.
1259
1260         * stress/regress-192441.js: Added.
1261
1262 2018-12-04  Mark Lam  <mark.lam@apple.com>
1263
1264         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1265         https://bugs.webkit.org/show_bug.cgi?id=192386
1266         <rdar://problem/46445516>
1267
1268         Reviewed by Saam Barati.
1269
1270         * stress/regress-192386.js: Added.
1271
1272 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1273
1274         [ESNext][BigInt] Support logic operations
1275         https://bugs.webkit.org/show_bug.cgi?id=179903
1276
1277         Reviewed by Yusuke Suzuki.
1278
1279         * stress/big-int-branch-usage.js: Added.
1280         * stress/big-int-logical-and.js: Added.
1281         * stress/big-int-logical-not.js: Added.
1282         * stress/big-int-logical-or.js: Added.
1283
1284 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1285
1286         Unreviewed, rolling out r238833.
1287
1288         Breaks macOS and iOS debug builds.
1289
1290         Reverted changeset:
1291
1292         "[ESNext][BigInt] Support logic operations"
1293         https://bugs.webkit.org/show_bug.cgi?id=179903
1294         https://trac.webkit.org/changeset/238833
1295
1296 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1297
1298         [ESNext][BigInt] Support logic operations
1299         https://bugs.webkit.org/show_bug.cgi?id=179903
1300
1301         Reviewed by Yusuke Suzuki.
1302
1303         * stress/big-int-branch-usage.js: Added.
1304         * stress/big-int-logical-and.js: Added.
1305         * stress/big-int-logical-not.js: Added.
1306         * stress/big-int-logical-or.js: Added.
1307
1308 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1309
1310         [ESNext][BigInt] Implement support for "<<" and ">>"
1311         https://bugs.webkit.org/show_bug.cgi?id=186233
1312
1313         Reviewed by Yusuke Suzuki.
1314
1315         * stress/big-int-left-shift-general.js: Added.
1316         * stress/big-int-left-shift-range-error.js: Added.
1317         * stress/big-int-left-shift-type-error.js: Added.
1318         * stress/big-int-left-shift-wrapped-value.js: Added.
1319         * stress/big-int-right-shift-general.js: Added.
1320         * stress/big-int-right-shift-type-error.js: Added.
1321         * stress/big-int-right-shift-wrapped-value.js: Added.
1322         * stress/left-shift-to-primitive-precedence.js: Added.
1323         * stress/right-shift-to-primitive-precedence.js: Added.
1324
1325 2018-11-30  Dean Jackson  <dino@apple.com>
1326
1327         Add first-class support for .mjs files in jsc binary
1328         https://bugs.webkit.org/show_bug.cgi?id=192190
1329         <rdar://problem/46375715>
1330
1331         Reviewed by Keith Miller.
1332
1333         * stress/simple-module.mjs: Added.
1334         * stress/simple-script.js: Added.
1335
1336 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1337
1338         [BigInt] Implement ValueBitXor into DFG
1339         https://bugs.webkit.org/show_bug.cgi?id=190264
1340
1341         Reviewed by Yusuke Suzuki.
1342
1343         * stress/big-int-bitwise-xor-jit.js: Added.
1344         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1345         * stress/big-int-bitwise-xor-untyped.js: Added.
1346
1347 2018-11-27  Saam barati  <sbarati@apple.com>
1348
1349         r238510 broke scopes of size zero
1350         https://bugs.webkit.org/show_bug.cgi?id=192033
1351         <rdar://problem/46281734>
1352
1353         Reviewed by Keith Miller.
1354
1355         * stress/r238510-bad-loop.js: Added.
1356         (foo):
1357
1358 2018-11-27  Mark Lam  <mark.lam@apple.com>
1359
1360         [Re-landing] NaNs read from Wasm code needs to be be purified.
1361         https://bugs.webkit.org/show_bug.cgi?id=191056
1362         <rdar://problem/45660341>
1363
1364         Reviewed by Filip Pizlo.
1365
1366         * wasm/regress/regress-191056.js: Added.
1367
1368 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1369
1370         Unreviewed, rolling out r238509.
1371
1372         Causes JSC tests to fail on iOS.
1373
1374         Reverted changeset:
1375
1376         "NaNs read from Wasm code needs to be be purified."
1377         https://bugs.webkit.org/show_bug.cgi?id=191056
1378         https://trac.webkit.org/changeset/238509
1379
1380 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1381
1382         Re-introduce op_bitnot
1383         https://bugs.webkit.org/show_bug.cgi?id=190923
1384
1385         Reviewed by Yusuke Suzuki.
1386
1387         * stress/bit-not-must-generate.js: Added.
1388         * stress/bitwise-not-no-int32.js: Added.
1389
1390 2018-11-26  Saam barati  <sbarati@apple.com>
1391
1392         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1393         https://bugs.webkit.org/show_bug.cgi?id=191956
1394         <rdar://problem/45665806>
1395
1396         Reviewed by Yusuke Suzuki.
1397
1398         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1399         (bar):
1400         (foo):
1401
1402 2018-11-26  Saam barati  <sbarati@apple.com>
1403
1404         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1405         https://bugs.webkit.org/show_bug.cgi?id=191958
1406         <rdar://problem/46221877>
1407
1408         Reviewed by Yusuke Suzuki.
1409
1410         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1411         (x):
1412         (foo):
1413
1414 2018-11-26  Mark Lam  <mark.lam@apple.com>
1415
1416         NaNs read from Wasm code needs to be be purified.
1417         https://bugs.webkit.org/show_bug.cgi?id=191056
1418         <rdar://problem/45660341>
1419
1420         Reviewed by Filip Pizlo.
1421
1422         * wasm/regress/regress-191056.js: Added.
1423
1424 2018-11-26  Michael Saboff  <msaboff@apple.com>
1425
1426         32-bit JSC test failure: stress/regexp-compile-oom.js
1427         https://bugs.webkit.org/show_bug.cgi?id=191375
1428
1429         Reviewed by Mark Lam.
1430
1431         Disabled the test for 32 bit platforms.
1432
1433         * stress/regexp-compile-oom.js:
1434
1435 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1436
1437         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1438         https://bugs.webkit.org/show_bug.cgi?id=191716
1439         <rdar://problem/45723878>
1440
1441         Reviewed by Saam Barati.
1442
1443         * stress/regress-187373.js: Added.
1444         (async.fn):
1445
1446 2018-11-21  Saam barati  <sbarati@apple.com>
1447
1448         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1449         https://bugs.webkit.org/show_bug.cgi?id=191897
1450         <rdar://problem/45871998>
1451
1452         Reviewed by Mark Lam.
1453
1454         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1455         (bar):
1456         (foo):
1457
1458 2018-11-21  Saam barati  <sbarati@apple.com>
1459
1460         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1461         https://bugs.webkit.org/show_bug.cgi?id=191895
1462         <rdar://problem/46167406>
1463
1464         Reviewed by Mark Lam.
1465
1466         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1467         (foo):
1468         (bar):
1469
1470 2018-11-21  Mark Lam  <mark.lam@apple.com>
1471
1472         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1473         https://bugs.webkit.org/show_bug.cgi?id=191776
1474         <rdar://problem/46152851>
1475
1476         Reviewed by Saam Barati.
1477
1478         * stress/big-wasm-memory-grow-no-max.js:
1479         * stress/big-wasm-memory-grow.js:
1480         * stress/big-wasm-memory.js:
1481         - updated these to expect an OutOfMemoryError.
1482
1483         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1484         (Binary.prototype.emit_u8):
1485         (Binary.prototype.emit_u32v):
1486         (Binary.prototype.emit_header):
1487         (Binary.prototype.emit_section):
1488         (Binary):
1489         (WasmModuleBuilder):
1490         (WasmModuleBuilder.prototype.addMemory):
1491         (WasmModuleBuilder.prototype.toArray):
1492         (WasmModuleBuilder.prototype.toBuffer):
1493         (WasmModuleBuilder.prototype.instantiate):
1494         (catch):
1495         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1496         (catch):
1497
1498 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1499
1500         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1501         https://bugs.webkit.org/show_bug.cgi?id=190836
1502
1503         Reviewed by Saam Barati and Yusuke Suzuki.
1504
1505         * stress/big-int-out-of-memory-tests.js: Added.
1506
1507 2018-11-20  Mark Lam  <mark.lam@apple.com>
1508
1509         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1510         https://bugs.webkit.org/show_bug.cgi?id=191856
1511         <rdar://problem/46089992>
1512
1513         Reviewed by Yusuke Suzuki.
1514
1515         * stress/regress-191856.js: Added.
1516         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1517
1518 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1519
1520         Enable JIT on ARM/Linux
1521         https://bugs.webkit.org/show_bug.cgi?id=191548
1522
1523         Reviewed by Yusuke Suzuki.
1524
1525         Disable test on system with limited memory. Program was killed by
1526         the OS before the exception was thrown.
1527
1528         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1529
1530 2018-11-20  Saam barati  <sbarati@apple.com>
1531
1532         Merging an IC variant may lead to the IC status containing overlapping structure sets
1533         https://bugs.webkit.org/show_bug.cgi?id=191869
1534         <rdar://problem/45403453>
1535
1536         Reviewed by Mark Lam.
1537
1538         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1539
1540 2018-11-19  Mark Lam  <mark.lam@apple.com>
1541
1542         globalFuncImportModule() should return a promise when it clears exceptions.
1543         https://bugs.webkit.org/show_bug.cgi?id=191792
1544         <rdar://problem/46090763>
1545
1546         Reviewed by Michael Saboff.
1547
1548         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1549
1550 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1551
1552         Skip new memory-hungry tests on memory limited devices
1553
1554         Unreviewed gardening.
1555
1556         * stress/big-wasm-memory-grow-no-max.js:
1557         * stress/big-wasm-memory-grow.js:
1558         * stress/big-wasm-memory.js:
1559
1560 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1561
1562         Unreviewed, rolling in the rest of r237254
1563         https://bugs.webkit.org/show_bug.cgi?id=190340
1564
1565         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1566         * stress/function-cache-with-parameters-end-position.js: Added.
1567         (shouldBe):
1568         (shouldThrow):
1569         (i.anonymous):
1570         * stress/function-constructor-name.js: Added.
1571         (shouldBe):
1572         (GeneratorFunction):
1573         (AsyncFunction.async):
1574         (AsyncGeneratorFunction.async):
1575         (anonymous):
1576         (async.anonymous):
1577         * test262/expectations.yaml:
1578
1579 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1580
1581         All users of ArrayBuffer should agree on the same max size
1582         https://bugs.webkit.org/show_bug.cgi?id=191771
1583
1584         Reviewed by Mark Lam.
1585
1586         * stress/big-wasm-memory-grow-no-max.js: Added.
1587         (foo):
1588         (catch):
1589         * stress/big-wasm-memory-grow.js: Added.
1590         (foo):
1591         (catch):
1592         * stress/big-wasm-memory.js: Added.
1593         (foo):
1594         (catch):
1595
1596 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1597
1598         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1599         run for each JSC config since they're regression tests for runtime bugs.
1600
1601         * stress/json-stringified-overflow-2.js:
1602         * stress/json-stringified-overflow.js:
1603
1604 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1605
1606         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1607         config since they're regression tests for runtime bugs.
1608
1609         * stress/large-unshift-splice.js:
1610         * stress/regress-185888.js:
1611
1612 2018-11-16  Saam Barati  <sbarati@apple.com>
1613
1614         KnownCellUse should also have SpecCellCheck as its type filter
1615         https://bugs.webkit.org/show_bug.cgi?id=191729
1616         <rdar://problem/45872852>
1617
1618         Reviewed by Filip Pizlo.
1619
1620         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1621         (C):
1622
1623 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1624
1625         Fix assertion failure on BytecodeGenerator::recordOpcode
1626         https://bugs.webkit.org/show_bug.cgi?id=191724
1627         <rdar://problem/45724395>
1628
1629         Reviewed by Saam Barati.
1630
1631         * stress/regress-187373-2.js: Added.
1632         (foo):
1633
1634 2018-11-15  Mark Lam  <mark.lam@apple.com>
1635
1636         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1637         https://bugs.webkit.org/show_bug.cgi?id=191730
1638         <rdar://problem/46048517>
1639
1640         Reviewed by Saam Barati.
1641
1642         * stress/regress-187006.js: Removed.
1643           - this test is invalid because its sole purpose is to test for the non-spec
1644             compliant behavior that we just fixed.
1645
1646         * stress/regress-191730.js: Added.
1647
1648 2018-11-15  Mark Lam  <mark.lam@apple.com>
1649
1650         RegExp operations should not take fast patch if lastIndex is not numeric.
1651         https://bugs.webkit.org/show_bug.cgi?id=191731
1652         <rdar://problem/46017305>
1653
1654         Reviewed by Saam Barati.
1655
1656         * stress/regress-191731.js: Added.
1657
1658 2018-11-13  Saam Barati  <sbarati@apple.com>
1659
1660         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1661         https://bugs.webkit.org/show_bug.cgi?id=191600
1662
1663         Reviewed by Mark Lam.
1664
1665         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1666         (foo):
1667         (test):
1668         (bar):
1669
1670 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1671
1672         Unreviewed, rolling out r238132.
1673
1674         The test added with this change is timing out on Debug JSC
1675         bots.
1676
1677         Reverted changeset:
1678
1679         "[BigInt] JSBigInt::createWithLength should throw when length
1680         is greater than JSBigInt::maxLength"
1681         https://bugs.webkit.org/show_bug.cgi?id=190836
1682         https://trac.webkit.org/changeset/238132
1683
1684 2018-11-13  Mark Lam  <mark.lam@apple.com>
1685
1686         Add OOM detection to StringPrototype's substituteBackreferences().
1687         https://bugs.webkit.org/show_bug.cgi?id=191563
1688         <rdar://problem/45720428>
1689
1690         Reviewed by Saam Barati.
1691
1692         * stress/regress-191563.js: Added.
1693
1694 2018-11-13  Mark Lam  <mark.lam@apple.com>
1695
1696         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1697         https://bugs.webkit.org/show_bug.cgi?id=191579
1698         <rdar://problem/45942472>
1699
1700         Reviewed by Saam Barati.
1701
1702         * stress/regress-191579.js: Added.
1703
1704 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1705
1706         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1707         https://bugs.webkit.org/show_bug.cgi?id=190836
1708
1709         Reviewed by Saam Barati.
1710
1711         * stress/big-int-out-of-memory-tests.js: Added.
1712
1713 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1714
1715         U+180E is no longer a whitespace character
1716         https://bugs.webkit.org/show_bug.cgi?id=191415
1717
1718         Reviewed by Saam Barati.
1719
1720         * ChakraCore/test/es5/regexSpace.baseline:
1721         * ChakraCore/test/es6/unicode_whitespace.js:
1722         Update tests to latest version.
1723         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1724
1725         * test262.yaml:
1726         * test262/config.yaml:
1727         * test262/expectations.yaml:
1728         Update expectations.
1729
1730 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1731
1732         [BigInt] Add support to BigInt into ValueAdd
1733         https://bugs.webkit.org/show_bug.cgi?id=186177
1734
1735         Reviewed by Keith Miller.
1736
1737         * stress/big-int-negate-jit.js:
1738         * stress/value-add-big-int-and-string.js: Added.
1739         * stress/value-add-big-int-prediction-propagation.js: Added.
1740         * stress/value-add-big-int-untyped.js: Added.
1741
1742 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1743
1744         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1745         https://bugs.webkit.org/show_bug.cgi?id=191184
1746
1747         Reviewed by Saam Barati.
1748
1749         Most tests were failing due to timeouts, since they are too slow to
1750         run on CLoop. The exceptions are:
1751
1752         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1753         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1754         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1755         to change the stack size since CLoop requires it to be page aligned.
1756
1757         * microbenchmarks/array-push-1.js:
1758         * microbenchmarks/array-push-2.js:
1759         * microbenchmarks/elidable-new-object-dag.js:
1760         * microbenchmarks/elidable-new-object-roflcopter.js:
1761         * microbenchmarks/elidable-new-object-tree.js:
1762         * microbenchmarks/getter-richards.js:
1763         * microbenchmarks/sinkable-new-object-dag.js:
1764         * microbenchmarks/string-concat-long-convert.js:
1765         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1766         * slowMicrobenchmarks/array-push-3.js:
1767         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1768         * slowMicrobenchmarks/spread-small-array.js:
1769         * slowMicrobenchmarks/undefined-property-access.js:
1770         * stress/activation-sink-default-value-tdz-error.js:
1771         * stress/activation-sink-default-value.js:
1772         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1773         * stress/activation-sink-osrexit-default-value.js:
1774         * stress/activation-sink-osrexit.js:
1775         * stress/activation-sink.js:
1776         * stress/allow-math-ic-b3-code-duplication.js:
1777         * stress/array-push-multiple-int32.js:
1778         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1779         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1780         * stress/arrowfunction-lexical-this-activation-sink.js:
1781         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1782         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1783         * stress/elide-new-object-dag-then-exit.js:
1784         * stress/materialize-regexp-cyclic.js:
1785         * stress/new-regex-inline.js:
1786         * stress/op_add.js:
1787         * stress/op_bitand.js:
1788         * stress/op_bitor.js:
1789         * stress/op_bitxor.js:
1790         * stress/op_div-ConstVar.js:
1791         * stress/op_div-VarConst.js:
1792         * stress/op_div-VarVar.js:
1793         * stress/op_lshift-ConstVar.js:
1794         * stress/op_lshift-VarConst.js:
1795         * stress/op_lshift-VarVar.js:
1796         * stress/op_mod-ConstVar.js:
1797         * stress/op_mod-VarConst.js:
1798         * stress/op_mod-VarVar.js:
1799         * stress/op_mul-ConstVar.js:
1800         * stress/op_mul-VarConst.js:
1801         * stress/op_mul-VarVar.js:
1802         * stress/op_rshift-ConstVar.js:
1803         * stress/op_rshift-VarConst.js:
1804         * stress/op_rshift-VarVar.js:
1805         * stress/op_sub-ConstVar.js:
1806         * stress/op_sub-VarConst.js:
1807         * stress/op_sub-VarVar.js:
1808         * stress/op_urshift-ConstVar.js:
1809         * stress/op_urshift-VarConst.js:
1810         * stress/op_urshift-VarVar.js:
1811         * stress/proxy-get-set-correct-receiver.js:
1812         * stress/regress-179562.js:
1813         * stress/rest-parameter-many-arguments.js:
1814         * stress/sampling-profiler-richards.js:
1815         * stress/splay-flash-access-1ms.js:
1816         * stress/tailCallForwardArguments.js:
1817         * stress/typed-array-get-by-val-profiling.js:
1818         * typeProfiler/getter-richards.js:
1819
1820 2018-11-06  Michael Saboff  <msaboff@apple.com>
1821
1822         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1823         https://bugs.webkit.org/show_bug.cgi?id=191271
1824
1825         Reviewed by Saam Barati.
1826
1827         Added more test cases and made all test cases run with the same deeply recursive stack
1828         instead of finding that same point for each test case.
1829
1830         * stress/regexp-compile-oom.js:
1831         (prototype.runTest):
1832         (recurseAndTest):
1833         (testList.push.new.TestAndExpectedException):
1834
1835 2018-11-05  Michael Saboff  <msaboff@apple.com>
1836
1837         Unreviewed build fix for linux.
1838
1839         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1840
1841 2018-11-02  Michael Saboff  <msaboff@apple.com>
1842
1843         Rolling in r237753 with unreviewed build fix.
1844
1845         Fixed issues with DECLARE_THROW_SCOPE placement.
1846
1847 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1848
1849         Unreviewed, rolling out r237753.
1850
1851         Introduced JSC test failures
1852
1853         Reverted changeset:
1854
1855         "Running out of stack space not properly handled in
1856         RegExp::compile() and its callers"
1857         https://bugs.webkit.org/show_bug.cgi?id=191206
1858         https://trac.webkit.org/changeset/237753
1859
1860 2018-11-02  Michael Saboff  <msaboff@apple.com>
1861
1862         Running out of stack space not properly handled in RegExp::compile() and its callers
1863         https://bugs.webkit.org/show_bug.cgi?id=191206
1864
1865         Reviewed by Filip Pizlo.
1866
1867         New regression test.
1868
1869         * stress/regexp-compile-oom.js: Added.
1870         (recurseAndTest):
1871
1872 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1873
1874         Skip tests on arm/mips that time out now we're running on CLoop
1875
1876         Unreviewed gardening.
1877
1878         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1879         time out on the bots and need to be disabled. There's more tests
1880         disabled on arm because the timeout is longer on the mips bot (as the
1881         device is slower to start with), so many of the tests don't time out
1882         there.
1883
1884         * microbenchmarks/getter-richards.js: disable on arm and mips.
1885         * stress/op_add.js: disable on arm.
1886         * stress/op_bitand.js: disable on arm.
1887         * stress/op_bitor.js: disable on arm.
1888         * stress/op_bitxor.js: disable on arm.
1889         * stress/op_lshift-ConstVar.js: disable on arm.
1890         * stress/op_lshift-VarConst.js: disable on arm.
1891         * stress/op_lshift-VarVar.js: disable on arm.
1892         * stress/op_mod-ConstVar.js: disable on arm.
1893         * stress/op_mod-VarConst.js: disable on arm.
1894         * stress/op_mod-VarVar.js: disable on arm.
1895         * stress/op_mul-ConstVar.js: disable on arm.
1896         * stress/op_mul-VarConst.js: disable on arm.
1897         * stress/op_mul-VarVar.js: disable on arm.
1898         * stress/op_rshift-ConstVar.js: disable on arm.
1899         * stress/op_rshift-VarConst.js: disable on arm.
1900         * stress/op_rshift-VarVar.js: disable on arm.
1901         * stress/op_sub-ConstVar.js: disable on arm.
1902         * stress/op_sub-VarConst.js: disable on arm.
1903         * stress/op_sub-VarVar.js: disable on arm.
1904         * stress/op_urshift-ConstVar.js: disable on arm.
1905         * stress/op_urshift-VarConst.js: disable on arm.
1906         * stress/op_urshift-VarVar.js: disable on arm.
1907         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1908         * stress/value-to-boolean.js: disable on arm and mips.
1909
1910 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1911
1912         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1913         https://bugs.webkit.org/show_bug.cgi?id=191108
1914         <rdar://problem/45690700>
1915
1916         Reviewed by Saam Barati.
1917
1918         * stress/wide-op_catch.js: Added.
1919         (catch):
1920
1921 2018-10-29  Mark Lam  <mark.lam@apple.com>
1922
1923         Correctly detect string overflow when using the 'Function' constructor.
1924         https://bugs.webkit.org/show_bug.cgi?id=184883
1925         <rdar://problem/36320331>
1926
1927         Reviewed by Saam Barati.
1928
1929         I've verified that this passes on 32-bit as well.
1930
1931         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1932
1933 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1934
1935         Add support for GetStack FlushedDouble
1936         https://bugs.webkit.org/show_bug.cgi?id=191012
1937         <rdar://problem/45265141>
1938
1939         Reviewed by Saam Barati.
1940
1941         * stress/get-stack-double.js: Added.
1942         (bar):
1943         (noInline):
1944
1945 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1946
1947         New bytecode format for JSC
1948         https://bugs.webkit.org/show_bug.cgi?id=187373
1949         <rdar://problem/44186758>
1950
1951         Reviewed by Filip Pizlo.
1952
1953         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1954
1955         * stress/maximum-inline-capacity.js: Added.
1956         (test1):
1957         (test3.Foo):
1958         (test3):
1959
1960 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1961
1962         Unreviewed, rolling out r237479 and r237484.
1963         https://bugs.webkit.org/show_bug.cgi?id=190978
1964
1965         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1966
1967         Reverted changesets:
1968
1969         "New bytecode format for JSC"
1970         https://bugs.webkit.org/show_bug.cgi?id=187373
1971         https://trac.webkit.org/changeset/237479
1972
1973         "Gardening: Build fix after r237479."
1974         https://bugs.webkit.org/show_bug.cgi?id=187373
1975         https://trac.webkit.org/changeset/237484
1976
1977 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1978
1979         New bytecode format for JSC
1980         https://bugs.webkit.org/show_bug.cgi?id=187373
1981         <rdar://problem/44186758>
1982
1983         Reviewed by Filip Pizlo.
1984
1985         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1986
1987         * stress/maximum-inline-capacity.js: Added.
1988         (test1):
1989         (test3.Foo):
1990         (test3):
1991
1992 2018-10-26  Mark Lam  <mark.lam@apple.com>
1993
1994         Fix missing edge cases with JSGlobalObjects having a bad time.
1995         https://bugs.webkit.org/show_bug.cgi?id=189028
1996         <rdar://problem/45204939>
1997
1998         Reviewed by Saam Barati.
1999
2000         * stress/regress-189028.js: Added.
2001
2002 2018-10-22  Mark Lam  <mark.lam@apple.com>
2003
2004         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2005         https://bugs.webkit.org/show_bug.cgi?id=190515
2006         <rdar://problem/45222379>
2007
2008         Rubber-stamped by Saam Barati.
2009
2010         Adding another test.
2011
2012         * stress/regress-190515-2.js: Added.
2013
2014 2018-10-22  Mark Lam  <mark.lam@apple.com>
2015
2016         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2017         https://bugs.webkit.org/show_bug.cgi?id=190515
2018         <rdar://problem/45222379>
2019
2020         Reviewed by Saam Barati.
2021
2022         * stress/regress-190515.js: Added.
2023
2024 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2025
2026         Unreviewed, rolling out r237254.
2027         https://bugs.webkit.org/show_bug.cgi?id=190760
2028
2029         "It regresses JetStream 2 by 5% on some iOS devices"
2030         (Requested by saamyjoon on #webkit).
2031
2032         Reverted changeset:
2033
2034         "[JSC] JSC should have "parseFunction" to optimize Function
2035         constructor"
2036         https://bugs.webkit.org/show_bug.cgi?id=190340
2037         https://trac.webkit.org/changeset/237254
2038
2039 2018-10-19  Saam Barati  <sbarati@apple.com>
2040
2041         vmCall should check if we exit before emitting an OSR exit due to exceptions
2042         https://bugs.webkit.org/show_bug.cgi?id=190740
2043         <rdar://problem/45220139>
2044
2045         Reviewed by Mark Lam.
2046
2047         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2048         (foo):
2049
2050 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2051
2052         [ESNext][BigInt] Implement support for "^"
2053         https://bugs.webkit.org/show_bug.cgi?id=186235
2054
2055         Reviewed by Yusuke Suzuki.
2056
2057         * stress/big-int-bitwise-xor-general.js: Added.
2058         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2059         * stress/big-int-bitwise-xor-type-error.js: Added.
2060         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2061
2062 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2063
2064         [BigInt] Add ValueSub into DFG
2065         https://bugs.webkit.org/show_bug.cgi?id=186176
2066
2067         Reviewed by Yusuke Suzuki.
2068
2069         * stress/big-int-subtraction-jit.js:
2070         * stress/value-sub-big-int-prediction-propagation.js: Added.
2071         * stress/value-sub-big-int-untyped.js: Added.
2072         * stress/value-sub-spec-none-case.js: Added.
2073
2074 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2075
2076         [JSC] JSC should have "parseFunction" to optimize Function constructor
2077         https://bugs.webkit.org/show_bug.cgi?id=190340
2078
2079         Reviewed by Mark Lam.
2080
2081         This patch fixes the line number of syntax errors raised by the Function constructor,
2082         since we now parse the final code only once. And we no longer use block statement
2083         for Function constructor's parsing.
2084
2085         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2086         * stress/function-cache-with-parameters-end-position.js: Added.
2087         (shouldBe):
2088         (shouldThrow):
2089         (i.anonymous):
2090         * stress/function-constructor-name.js: Added.
2091         (shouldBe):
2092         (GeneratorFunction):
2093         (AsyncFunction.async):
2094         (AsyncGeneratorFunction.async):
2095         (anonymous):
2096         (async.anonymous):
2097         * test262/expectations.yaml:
2098
2099 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2100
2101         Unreviewed, rolling out r237242.
2102         https://bugs.webkit.org/show_bug.cgi?id=190701
2103
2104         it breaks "stress/sampling-profiler-basic.js" (Requested by
2105         caiolima on #webkit).
2106
2107         Reverted changeset:
2108
2109         "[BigInt] Add ValueSub into DFG"
2110         https://bugs.webkit.org/show_bug.cgi?id=186176
2111         https://trac.webkit.org/changeset/237242
2112
2113 2018-10-17  Keith Miller  <keith_miller@apple.com>
2114
2115         AI does not clear Phantom allocation nodes.
2116         https://bugs.webkit.org/show_bug.cgi?id=190694
2117
2118         Reviewed by Saam Barati.
2119
2120         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2121         (Day):
2122         (DaysInYear):
2123         (TimeInYear):
2124         (TimeFromYear):
2125         (DayFromYear):
2126         (InLeapYear):
2127         (YearFromTime):
2128         (WeekDay):
2129         (DaylightSavingTA):
2130         (GetSecondSundayInMarch):
2131         (TimeInMonth):
2132
2133 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2134
2135         [BigInt] Add ValueSub into DFG
2136         https://bugs.webkit.org/show_bug.cgi?id=186176
2137
2138         Reviewed by Yusuke Suzuki.
2139
2140         * stress/big-int-subtraction-jit.js:
2141         * stress/value-sub-big-int-prediction-propagation.js: Added.
2142         * stress/value-sub-big-int-untyped.js: Added.
2143
2144 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2145
2146         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2147         https://bugs.webkit.org/show_bug.cgi?id=190611
2148
2149         Reviewed by Saam Barati.
2150
2151         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2152         to improve test runtime. On ARM/MIPS this test even timed out when running all
2153         tests.
2154
2155         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2156         (test):
2157
2158 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2159
2160         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2161
2162         Unreviewed gardening.
2163
2164         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2165
2166 2018-10-15  Saam barati  <sbarati@apple.com>
2167
2168         Emit fjcvtzs on ARM64E on Darwin
2169         https://bugs.webkit.org/show_bug.cgi?id=184023
2170
2171         Reviewed by Yusuke Suzuki and Filip Pizlo.
2172
2173         * stress/double-to-int32-NaN.js: Added.
2174         (assert):
2175         (foo):
2176
2177 2018-10-15  Saam Barati  <sbarati@apple.com>
2178
2179         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2180         https://bugs.webkit.org/show_bug.cgi?id=190262
2181         <rdar://problem/44986241>
2182
2183         Reviewed by Mark Lam.
2184
2185         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2186         (test):
2187         * stress/slice-array-storage-with-holes.js: Added.
2188         (main):
2189
2190 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2191
2192         Unreviewed, rolling out r237054.
2193         https://bugs.webkit.org/show_bug.cgi?id=190593
2194
2195         "this regressed JetStream 2 by 6% on iOS" (Requested by
2196         saamyjoon on #webkit).
2197
2198         Reverted changeset:
2199
2200         "[JSC] JSC should have "parseFunction" to optimize Function
2201         constructor"
2202         https://bugs.webkit.org/show_bug.cgi?id=190340
2203         https://trac.webkit.org/changeset/237054
2204
2205 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2206
2207         [JSC] JSON.stringify can accept call-with-no-arguments
2208         https://bugs.webkit.org/show_bug.cgi?id=190343
2209
2210         Reviewed by Mark Lam.
2211
2212         * stress/json-stringify-no-arguments.js: Added.
2213         (shouldBe):
2214
2215 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2216
2217         [JSC] JSC should have "parseFunction" to optimize Function constructor
2218         https://bugs.webkit.org/show_bug.cgi?id=190340
2219
2220         Reviewed by Mark Lam.
2221
2222         This patch fixes the line number of syntax errors raised by the Function constructor,
2223         since we now parse the final code only once. And we no longer use block statement
2224         for Function constructor's parsing.
2225
2226         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2227         * stress/function-cache-with-parameters-end-position.js: Added.
2228         (shouldBe):
2229         (shouldThrow):
2230         (i.anonymous):
2231         * stress/function-constructor-name.js: Added.
2232         (shouldBe):
2233         (GeneratorFunction):
2234         (AsyncFunction.async):
2235         (AsyncGeneratorFunction.async):
2236         (anonymous):
2237         (async.anonymous):
2238         * test262/expectations.yaml:
2239
2240 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2241
2242         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2243         https://bugs.webkit.org/show_bug.cgi?id=190426
2244
2245         Unreviewed gardening.
2246
2247         * stress/sampling-profiler-richards.js:
2248
2249 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2250
2251         [ESNext][BigInt] Implement support for "|"
2252         https://bugs.webkit.org/show_bug.cgi?id=186229
2253
2254         Reviewed by Yusuke Suzuki.
2255
2256         * stress/big-int-bitwise-and-jit.js:
2257         * stress/big-int-bitwise-or-general.js: Added.
2258         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2259         * stress/big-int-bitwise-or-jit.js: Added.
2260         * stress/big-int-bitwise-or-memory-stress.js: Added.
2261         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2262         * stress/big-int-bitwise-or-type-error.js: Added.
2263         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2264
2265 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2266
2267         Skip test on systems with limited memory
2268         https://bugs.webkit.org/show_bug.cgi?id=190310
2269
2270         Invoking runDefault adds test to runlist, skipping the test in the next
2271         line does not prevent the test from executing. Change order of lines such
2272         that runDefault is only executed if test is not executed.
2273
2274         Reviewed by Mark Lam.
2275
2276         * stress/regress-190187.js:
2277
2278 2018-10-03  Saam barati  <sbarati@apple.com>
2279
2280         lowXYZ in FTLLower should always filter the type of the incoming edge
2281         https://bugs.webkit.org/show_bug.cgi?id=189939
2282         <rdar://problem/44407030>
2283
2284         Reviewed by Michael Saboff.
2285
2286         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2287         (foo):
2288         (test):
2289
2290 2018-10-03  Mark Lam  <mark.lam@apple.com>
2291
2292         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2293         https://bugs.webkit.org/show_bug.cgi?id=190187
2294         <rdar://problem/42512909>
2295
2296         Reviewed by Michael Saboff.
2297
2298         * stress/regress-190187.js: Added.
2299
2300 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2301
2302         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2303         https://bugs.webkit.org/show_bug.cgi?id=190033
2304
2305         Reviewed by Yusuke Suzuki.
2306
2307         * stress/big-int-to-string.js:
2308
2309 2018-10-01  Mark Lam  <mark.lam@apple.com>
2310
2311         Function.toString() should also copy the source code Functions that are class definitions.
2312         https://bugs.webkit.org/show_bug.cgi?id=190186
2313         <rdar://problem/44733360>
2314
2315         Reviewed by Saam Barati.
2316
2317         * stress/regress-190186.js: Added.
2318
2319 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2320
2321         Split NaN-check into separate test
2322         https://bugs.webkit.org/show_bug.cgi?id=190010
2323
2324         Reviewed by Saam Barati.
2325
2326         DataView exposes NaN-representation, which is not necessarily the same on each
2327         architecture. Therefore move the check of the NaN-representation into its own
2328         file such that we can disable this test on MIPS where NaN-representation can be
2329         different on older CPUs.
2330
2331         * stress/dataview-jit-set-nan.js: Added.
2332         (assert):
2333         (test.storeLittleEndian):
2334         (test.storeBigEndian):
2335         (test.store):
2336         (test):
2337         * stress/dataview-jit-set.js:
2338         (test5):
2339
2340 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2341
2342         Unreviewed, rolling out r236647.
2343         https://bugs.webkit.org/show_bug.cgi?id=190124
2344
2345         Breaking test stress/big-int-to-string.js (Requested by
2346         caiolima_ on #webkit).
2347
2348         Reverted changeset:
2349
2350         "[BigInt] BigInt.proptotype.toString is broken when radix is
2351         power of 2"
2352         https://bugs.webkit.org/show_bug.cgi?id=190033
2353         https://trac.webkit.org/changeset/236647
2354
2355 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2356
2357         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2358         https://bugs.webkit.org/show_bug.cgi?id=190033
2359
2360         Reviewed by Yusuke Suzuki.
2361
2362         * stress/big-int-to-string.js:
2363
2364 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2365
2366         [ESNext][BigInt] Implement support for "&"
2367         https://bugs.webkit.org/show_bug.cgi?id=186228
2368
2369         Reviewed by Yusuke Suzuki.
2370
2371         * stress/big-int-bitwise-and-general.js: Added.
2372         (assert):
2373         (assert.sameValue):
2374         * stress/big-int-bitwise-and-jit.js: Added.
2375         (let.assert.sameValue):
2376         (bigIntBitAnd):
2377         * stress/big-int-bitwise-and-memory-stress.js: Added.
2378         (assert):
2379         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2380         (assert.sameValue):
2381         (let.o.Symbol.toPrimitive):
2382         (catch):
2383         * stress/big-int-bitwise-and-type-error.js: Added.
2384         (assert):
2385         (assertThrowTypeError):
2386         (let.o.valueOf):
2387         (o.valueOf):
2388         (o.toString):
2389         (o.Symbol.toPrimitive):
2390         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2391         (assert.sameValue):
2392         (testBitAnd):
2393         (let.o.Symbol.toPrimitive):
2394         (o.valueOf):
2395         (o.toString):
2396
2397 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2398
2399         JSC test stress/jsc-read.js doesn't support CRLF
2400         https://bugs.webkit.org/show_bug.cgi?id=190063
2401
2402         Reviewed by Yusuke Suzuki.
2403
2404         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2405
2406         * stress/jsc-read.js:
2407         (test):
2408
2409 2018-09-27  Saam barati  <sbarati@apple.com>
2410
2411         Verify the contents of AssemblerBuffer on arm64e
2412         https://bugs.webkit.org/show_bug.cgi?id=190057
2413         <rdar://problem/38916630>
2414
2415         Reviewed by Mark Lam.
2416
2417         * stress/regress-189132.js:
2418
2419 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2420
2421         Disable test without LLInt on ARMv7
2422         https://bugs.webkit.org/show_bug.cgi?id=190037
2423
2424         Reviewed by Mark Lam.
2425
2426         Test runs out of executable memory on ARMv7, do not run
2427         this test without LLInt enabled.
2428
2429         * stress/regress-169445.js:
2430
2431 2018-09-26  Keith Miller  <keith_miller@apple.com>
2432
2433         We should zero unused property storage when rebalancing array storage.
2434         https://bugs.webkit.org/show_bug.cgi?id=188151
2435
2436         Reviewed by Michael Saboff.
2437
2438         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2439
2440 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2441
2442         [JSC] Optimize Array#lastIndexOf
2443         https://bugs.webkit.org/show_bug.cgi?id=189780
2444
2445         Reviewed by Saam Barati.
2446
2447         * stress/array-lastindexof-array-prototype-trap.js: Added.
2448         (shouldBe):
2449         (AncestorArray.prototype.get 2):
2450         (AncestorArray):
2451         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2452         (shouldBe):
2453         * stress/array-lastindexof-hole-nan.js: Added.
2454         (shouldBe):
2455         (throw.new.Error):
2456         * stress/array-lastindexof-infinity.js: Added.
2457         (shouldBe):
2458         (throw.new.Error):
2459         * stress/array-lastindexof-negative-zero.js: Added.
2460         (shouldBe):
2461         (throw.new.Error):
2462         * stress/array-lastindexof-own-getter.js: Added.
2463         (shouldBe):
2464         (throw.new.Error.get array):
2465         (get array):
2466         * stress/array-lastindexof-prototype-trap.js: Added.
2467         (shouldBe):
2468         (DerivedArray.prototype.get 2):
2469         (DerivedArray):
2470
2471 2018-09-25  Saam Barati  <sbarati@apple.com>
2472
2473         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2474         https://bugs.webkit.org/show_bug.cgi?id=189940
2475         <rdar://problem/43640987>
2476
2477         Reviewed by Mark Lam.
2478
2479         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2480
2481 2018-09-24  Saam Barati  <sbarati@apple.com>
2482
2483         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2484         https://bugs.webkit.org/show_bug.cgi?id=189922
2485         <rdar://problem/44651275>
2486
2487         Reviewed by Mark Lam.
2488
2489         * stress/array-indexof-fast-path-effects.js: Added.
2490         * stress/array-indexof-cached-length.js: Added.
2491
2492 2018-09-24  Saam barati  <sbarati@apple.com>
2493
2494         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2495         https://bugs.webkit.org/show_bug.cgi?id=189682
2496         <rdar://problem/43557315>
2497
2498         Reviewed by Mark Lam.
2499
2500         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2501         (foo):
2502
2503 2018-09-22  Saam barati  <sbarati@apple.com>
2504
2505         The sampling should not use Strong<CodeBlock> in its machineLocation field
2506         https://bugs.webkit.org/show_bug.cgi?id=189319
2507
2508         Reviewed by Filip Pizlo.
2509
2510         * stress/sampling-profiler-richards.js: Added.
2511
2512 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2513
2514         [JSC] Optimize Array#indexOf in C++ runtime
2515         https://bugs.webkit.org/show_bug.cgi?id=189507
2516
2517         Reviewed by Saam Barati.
2518
2519         * stress/array-indexof-array-prototype-trap.js: Added.
2520         (shouldBe):
2521         (AncestorArray.prototype.get 2):
2522         (AncestorArray):
2523         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2524         (shouldBe):
2525         * stress/array-indexof-hole-nan.js: Added.
2526         (shouldBe):
2527         (throw.new.Error):
2528         * stress/array-indexof-infinity.js: Added.
2529         (shouldBe):
2530         (throw.new.Error):
2531         * stress/array-indexof-negative-zero.js: Added.
2532         (shouldBe):
2533         (throw.new.Error):
2534         * stress/array-indexof-own-getter.js: Added.
2535         (shouldBe):
2536         (throw.new.Error.get array):
2537         (get array):
2538         * stress/array-indexof-prototype-trap.js: Added.
2539         (shouldBe):
2540         (DerivedArray.prototype.get 2):
2541         (DerivedArray):
2542
2543 2018-09-19  Saam barati  <sbarati@apple.com>
2544
2545         AI rule for MultiPutByOffset executes its effects in the wrong order
2546         https://bugs.webkit.org/show_bug.cgi?id=189757
2547         <rdar://problem/43535257>
2548
2549         Reviewed by Michael Saboff.
2550
2551         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2552         (foo):
2553         (Foo):
2554         (g):
2555
2556 2018-09-17  Mark Lam  <mark.lam@apple.com>
2557
2558         Ensure that ForInContexts are invalidated if their loop local is over-written.
2559         https://bugs.webkit.org/show_bug.cgi?id=189571
2560         <rdar://problem/44402277>
2561
2562         Reviewed by Saam Barati.
2563
2564         * stress/regress-189571.js: Added.
2565
2566 2018-09-17  Saam barati  <sbarati@apple.com>
2567
2568         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2569         https://bugs.webkit.org/show_bug.cgi?id=189676
2570         <rdar://problem/39682897>
2571
2572         Reviewed by Michael Saboff.
2573
2574         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2575         (A):
2576         (K):
2577         (i.catch):
2578
2579 2018-09-14  Saam barati  <sbarati@apple.com>
2580
2581         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2582         https://bugs.webkit.org/show_bug.cgi?id=189628
2583         <rdar://problem/39481690>
2584
2585         Reviewed by Mark Lam.
2586
2587         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2588         (foo):
2589
2590 2018-09-11  Mark Lam  <mark.lam@apple.com>
2591
2592         Test for array initialization in arrayProtoFuncSplice.
2593         https://bugs.webkit.org/show_bug.cgi?id=170253
2594         <rdar://problem/31328773>
2595
2596         Rubber-stamped by Saam Barati.
2597
2598         * stress/regress-170253.js: Added.
2599
2600 2018-09-11  Mark Lam  <mark.lam@apple.com>
2601
2602         Test for IntlObject initialization.
2603         https://bugs.webkit.org/show_bug.cgi?id=170251
2604         <rdar://problem/31328419>
2605
2606         Rubber-stamped by Saam Barati.
2607
2608         * stress/regress-170251.js: Added.
2609
2610 2018-09-11  Mark Lam  <mark.lam@apple.com>
2611
2612         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2613         https://bugs.webkit.org/show_bug.cgi?id=169889
2614         <rdar://problem/31155607>
2615
2616         Reviewed by Saam Barati.
2617
2618         * stress/regress-169889-array-concat.js: Added.
2619         * stress/regress-169889-array-concat1.js: Added.
2620         * stress/regress-169889-array-slice.js: Added.
2621
2622 2018-09-11  Mark Lam  <mark.lam@apple.com>
2623
2624         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2625         https://bugs.webkit.org/show_bug.cgi?id=169445
2626         <rdar://problem/30957435>
2627
2628         Reviewed by Saam Barati.
2629
2630         * stress/regress-169445.js: Added.
2631         (let.gun.eval.A):
2632         (let.gun.eval.B.C):
2633         (let.gun.eval.B.C.prototype.trigger):
2634         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2635         (let.gun.eval.B):
2636         (let.gun.eval):
2637
2638 == Rolled over to ChangeLog-2018-09-11 ==