op_check_tdz does not def its argument
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
2
3         op_check_tdz does not def its argument
4         https://bugs.webkit.org/show_bug.cgi?id=192880
5         <rdar://problem/46221598>
6
7         Reviewed by Saam Barati.
8
9         * microbenchmarks/let-for-in.js: Added.
10         (foo):
11
12 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
13
14         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
15         https://bugs.webkit.org/show_bug.cgi?id=195429
16
17         Reviewed by Saam Barati.
18
19         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
20         (foo):
21         * stress/string-from-char-code-255.js: Added.
22
23 2019-03-06  Mark Lam  <mark.lam@apple.com>
24
25         Fix incorrect handling of try-finally completion values.
26         https://bugs.webkit.org/show_bug.cgi?id=195131
27         <rdar://problem/46222079>
28
29         Reviewed by Saam Barati and Yusuke Suzuki.
30
31         Added many permutations of new test case to test-finally.js.  test-finally.js has
32         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
33         tests passes there as well.
34
35         * stress/test-finally.js:
36
37 2019-03-06  Saam Barati  <sbarati@apple.com>
38
39         Air::reportUsedRegisters must padInterference
40         https://bugs.webkit.org/show_bug.cgi?id=195303
41         <rdar://problem/48270343>
42
43         Reviewed by Keith Miller.
44
45         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
46
47 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
48
49         [JSC] AI should not propagate AbstractValue relying on constant folding phase
50         https://bugs.webkit.org/show_bug.cgi?id=195375
51
52         Reviewed by Saam Barati.
53
54         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
55         (let.array):
56
57 2019-03-05  Saam barati  <sbarati@apple.com>
58
59         op_switch_char broken for rope strings after JSRopeString layout rewrite
60         https://bugs.webkit.org/show_bug.cgi?id=195339
61         <rdar://problem/48592545>
62
63         Reviewed by Yusuke Suzuki.
64
65         * stress/switch-on-char-llint-rope.js: Added.
66
67 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
68
69         [JSC] Store bits for JSRopeString in 3 stores
70         https://bugs.webkit.org/show_bug.cgi?id=195234
71
72         Reviewed by Saam Barati.
73
74         * stress/null-rope-and-collectors.js: Added.
75
76 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
77
78         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
79         https://bugs.webkit.org/show_bug.cgi?id=195207
80
81         Unreviewed. After test runtime was reduced in r242213, test can be
82         run again on ARM/MIPS.
83
84         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
85
86 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
87
88         [JSC] sizeof(JSString) should be 16
89         https://bugs.webkit.org/show_bug.cgi?id=194375
90
91         Reviewed by Saam Barati.
92
93         * microbenchmarks/make-rope.js: Added.
94         (makeRope):
95         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
96         (returnRope.helper): Deleted.
97         (returnRope): Deleted.
98
99 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
100
101         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
102         https://bugs.webkit.org/show_bug.cgi?id=195144
103
104         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
105         Change the number from 1e8 to 1e5.
106
107         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
108         (foo):
109
110 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
111
112         Test times out on ARM/MIPS
113         https://bugs.webkit.org/show_bug.cgi?id=195168
114
115         Unreviewed. Skip test on ARM/MIPS.
116
117         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
118
119 2019-02-27  Mark Lam  <mark.lam@apple.com>
120
121         The parser is failing to record the token location of new in new.target.
122         https://bugs.webkit.org/show_bug.cgi?id=195127
123         <rdar://problem/39645578>
124
125         Reviewed by Yusuke Suzuki.
126
127         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
128
129 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
130
131         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
132         https://bugs.webkit.org/show_bug.cgi?id=195144
133         <rdar://problem/47595961>
134
135         Reviewed by Mark Lam.
136
137         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
138         (bar):
139         (foo):
140         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
141         (bar):
142         (foo):
143
144 2019-02-27  Robin Morisset  <rmorisset@apple.com>
145
146         DFG: Loop-invariant code motion (LICM) should not hoist dead code
147         https://bugs.webkit.org/show_bug.cgi?id=194945
148         <rdar://problem/48311657>
149
150         Reviewed by Mark Lam.
151
152         * stress/licm-dead-code.js: Added.
153
154 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
155
156         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
157         https://bugs.webkit.org/show_bug.cgi?id=194677
158         <rdar://problem/48112492>
159
160         Reviewed by Mark Lam.
161
162         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
163         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
164         it immediately fails due the large size.
165
166         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
167         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
168         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
169         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
170
171         This patch changes the test to produce 16bit string from String.fromCharCode.
172
173         * stress/regress-178386.js:
174
175 2019-02-26  Mark Lam  <mark.lam@apple.com>
176
177         wasmToJS() should purify incoming NaNs.
178         https://bugs.webkit.org/show_bug.cgi?id=194807
179         <rdar://problem/48189132>
180
181         Reviewed by Saam Barati.
182
183         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
184
185 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
186
187         [JSC] Repeat string created from Array.prototype.join() take too much memory
188         https://bugs.webkit.org/show_bug.cgi?id=193912
189
190         Reviewed by Saam Barati.
191
192         Added a test and a microbenchmark for corner cases of
193         Array.prototype.join() with an uninitialized array.
194
195         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
196         * stress/array-prototype-join-uninitialized.js: Added.
197         (testArray):
198         (testABC):
199         (B):
200         (C):
201
202 2019-02-22  Robin Morisset  <rmorisset@apple.com>
203
204         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
205         https://bugs.webkit.org/show_bug.cgi?id=194953
206         <rdar://problem/47595253>
207
208         Reviewed by Saam Barati.
209
210         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
211
212         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
213
214 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
215
216         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
217         https://bugs.webkit.org/show_bug.cgi?id=172848
218         <rdar://problem/25709212>
219
220         Reviewed by Mark Lam.
221
222         * typeProfiler/inheritance.js:
223         Rewrite the test slightly for clarity. The hoisting was confusing.
224
225         * heapProfiler/class-names.js: Added.
226         (MyES5Class):
227         (MyES6Class):
228         (MyES6Subclass):
229         Test object types and improved class names.
230
231         * heapProfiler/driver/driver.js:
232         (CheapHeapSnapshotNode):
233         (CheapHeapSnapshot):
234         (createCheapHeapSnapshot):
235         (HeapSnapshot):
236         (createHeapSnapshot):
237         Update snapshot parsing from version 1 to version 2.
238
239 2019-02-19  Truitt Savell  <tsavell@apple.com>
240
241         Unreviewed, rolling out r241784.
242
243         Broke all OpenSource builds.
244
245         Reverted changeset:
246
247         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
248         instances view"
249         https://bugs.webkit.org/show_bug.cgi?id=172848
250         https://trac.webkit.org/changeset/241784
251
252 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
253
254         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
255         https://bugs.webkit.org/show_bug.cgi?id=172848
256         <rdar://problem/25709212>
257
258         Reviewed by Mark Lam.
259
260         * typeProfiler/inheritance.js:
261         Rewrite the test slightly for clarity. The hoisting was confusing.
262
263         * heapProfiler/class-names.js: Added.
264         (MyES5Class):
265         (MyES6Class):
266         (MyES6Subclass):
267         Test object types and improved class names.
268
269         * heapProfiler/driver/driver.js:
270         (CheapHeapSnapshotNode):
271         (CheapHeapSnapshot):
272         (createCheapHeapSnapshot):
273         (HeapSnapshot):
274         (createHeapSnapshot):
275         Update snapshot parsing from version 1 to version 2.
276
277 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
278
279         [ARM] Fix crash with sampling profiler
280         https://bugs.webkit.org/show_bug.cgi?id=194772
281
282         Reviewed by Mark Lam.
283
284         Do not skip test since crash with sampling profiler is now fixed.
285
286         * stress/sampling-profiler-richards.js:
287
288 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
289
290         [JSC] Add LazyClassStructure::getInitializedOnMainThread
291         https://bugs.webkit.org/show_bug.cgi?id=194784
292         <rdar://problem/48154820>
293
294         Reviewed by Mark Lam.
295
296         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
297         (getProperties):
298         (getRandomProperty):
299         (i.catch):
300
301 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
302
303         [ARM] Test gardening: Test running out of executable memory
304         https://bugs.webkit.org/show_bug.cgi?id=194771
305
306         Unreviewed. Do not run test without LLInt, test is running out of executable
307         memory on ARM otherwise.
308
309         * stress/tagged-template-object-collect.js:
310
311 2019-02-18  Tomas Popela  <tpopela@redhat.com>
312
313         Unreviewed, skip the test on platforms without sampling profiler
314
315         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
316         (platformSupportsSamplingProfiler.foo):
317         (platformSupportsSamplingProfiler.test):
318         (platformSupportsSamplingProfiler):
319         (foo): Deleted.
320         (test): Deleted.
321
322 2019-02-17  Saam Barati  <sbarati@apple.com>
323
324         Deadlock when adding a Structure property transition and then doing incremental marking
325         https://bugs.webkit.org/show_bug.cgi?id=194767
326
327         Reviewed by Mark Lam.
328
329         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
330
331 2019-02-15  Michael Saboff  <msaboff@apple.com>
332
333         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
334         https://bugs.webkit.org/show_bug.cgi?id=194558
335
336         Reviewed by Saam Barati.
337
338         New regression test.
339
340         * stress/regexp-unicode-within-string.js: Added.
341
342 2019-02-15  Mark Lam  <mark.lam@apple.com>
343
344         SamplingProfiler::stackTracesAsJSON() should escape strings.
345         https://bugs.webkit.org/show_bug.cgi?id=194649
346         <rdar://problem/48072386>
347
348         Reviewed by Saam Barati.
349
350         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
351         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
352         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
353         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
354
355 2019-02-15  Robin Morisset  <rmorisset@apple.com>
356         CodeBlock::jettison should clear related watchpoints
357         https://bugs.webkit.org/show_bug.cgi?id=194544
358
359         Reviewed by Mark Lam.
360
361         * stress/regexp-replace-double-watchpoint.js: Added.
362         (foo):
363
364 2019-02-15  Saam barati  <sbarati@apple.com>
365
366         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
367         https://bugs.webkit.org/show_bug.cgi?id=194036
368
369         Reviewed by Yusuke Suzuki.
370
371         * stress/tail-call-many-arguments.js: Added.
372         (foo):
373         (bar):
374
375 2019-02-14  Saam Barati  <sbarati@apple.com>
376
377         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
378         https://bugs.webkit.org/show_bug.cgi?id=194583
379         <rdar://problem/48028140>
380
381         Reviewed by Yusuke Suzuki.
382
383         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
384
385 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
386
387         [JSC] String.fromCharCode's slow path always generates 16bit string
388         https://bugs.webkit.org/show_bug.cgi?id=194466
389
390         Reviewed by Keith Miller.
391
392         * stress/string-from-char-code-slow-path.js: Added.
393         (shouldBe):
394         (testWithLength):
395
396 2019-02-08  Saam barati  <sbarati@apple.com>
397
398         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
399         https://bugs.webkit.org/show_bug.cgi?id=194334
400         <rdar://problem/47844327>
401
402         Reviewed by Mark Lam.
403
404         * stress/check-in-bounds-should-be-a-child-use.js: Added.
405         (func):
406
407 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
408
409         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
410         https://bugs.webkit.org/show_bug.cgi?id=194369
411         <rdar://problem/47813087>
412
413         Reviewed by Saam Barati.
414
415         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
416         (A):
417
418 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
419
420         [JSC] PrivateName to PublicName hash table is wasteful
421         https://bugs.webkit.org/show_bug.cgi?id=194277
422
423         Reviewed by Michael Saboff.
424
425         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
426
427         * ChakraCore.yaml:
428
429 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
430
431         [ARM] Test running out of executable memory
432         https://bugs.webkit.org/show_bug.cgi?id=194285
433
434         Unreviewed. Do no execute test with LLInt disabled, test runs out of
435         executable memory otherwise.
436
437         * stress/class-subclassing-function.js:
438
439 2019-02-04  Robin Morisset  <rmorisset@apple.com>
440
441         when lowering AssertNotEmpty, create the value before creating the patchpoint
442         https://bugs.webkit.org/show_bug.cgi?id=194231
443
444         Reviewed by Saam Barati.
445
446         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
447         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
448         So even tiny changes to this test can change the path code taken.
449
450         * stress/assert-not-empty.js: Added.
451         (foo):
452
453 2019-02-01  Mark Lam  <mark.lam@apple.com>
454
455         Remove invalid assertion in DFG's compileDoubleRep().
456         https://bugs.webkit.org/show_bug.cgi?id=194130
457         <rdar://problem/47699474>
458
459         Reviewed by Saam Barati.
460
461         * stress/constant-fold-double-rep-into-double-constant.js: Added.
462
463 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
464
465         Import latest Test262 updates.
466
467         Rubber-stamped by Keith Miller.
468
469         * test262.yaml: Deleted.
470         * test262/config.yaml:
471         * test262/expectations.yaml:
472         * test262/latest-changes-summary.txt:
473         * test262/test/:
474         * test262/test262-Revision.txt:
475
476 2019-01-30  Robin Morisset  <rmorisset@apple.com>
477
478         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
479         https://bugs.webkit.org/show_bug.cgi?id=194050
480         <rdar://problem/47595592>
481
482         Reviewed by Yusuke Suzuki.
483
484         * stress/object-keys-osr-exit.js: Added.
485         (foo):
486         (catch):
487
488 2019-01-29  Mark Lam  <mark.lam@apple.com>
489
490         ValueRecovery::recover() should purify NaN values it recovers.
491         https://bugs.webkit.org/show_bug.cgi?id=193978
492         <rdar://problem/47625488>
493
494         Reviewed by Saam Barati.
495
496         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
497
498 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
499
500         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
501         https://bugs.webkit.org/show_bug.cgi?id=193713
502
503         * stress/try-get-by-id-should-spill-registers-dfg.js:
504         (let.f.createBuiltin):
505
506 2019-01-28  Mark Lam  <mark.lam@apple.com>
507
508         ToString node actually does GC.
509         https://bugs.webkit.org/show_bug.cgi?id=193920
510         <rdar://problem/46695900>
511
512         Reviewed by Yusuke Suzuki.
513
514         * stress/dfg-to-string-on-int-does-gc.js: Added.
515         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
516         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
517
518 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
519
520         [JSC] NativeErrorConstructor should not have own IsoSubspace
521         https://bugs.webkit.org/show_bug.cgi?id=193713
522
523         Reviewed by Saam Barati.
524
525         Remove @Error use.
526
527         * stress/try-get-by-id-should-spill-registers-dfg.js:
528         (let.f.createBuiltin):
529
530 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
531
532         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
533         https://bugs.webkit.org/show_bug.cgi?id=190693
534
535         Reviewed by Michael Saboff.
536
537         * stress/regress-190693.js: Added.
538         (truth):
539         (assert):
540         (shouldThrowInvalidConstAssignment):
541         (taz):
542
543 2019-01-24  Saam Barati  <sbarati@apple.com>
544
545         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
546         https://bugs.webkit.org/show_bug.cgi?id=193751
547         <rdar://problem/47280215>
548
549         Reviewed by Michael Saboff.
550
551         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
552         (let.thing):
553         (foo.let.hello):
554         (foo):
555
556 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
557
558         [JSC] Reenable baseline JIT on mips
559         https://bugs.webkit.org/show_bug.cgi?id=192983
560
561         Reviewed by Mark Lam.
562
563         Added a new test for a case that was triggering a RELEASE_ASSERT when
564         testing.
565         Disable some slow tests that were already disabled for arm and x86.
566
567         * stress/json-parse-big-object.js: Added.
568         * stress/new-largeish-contiguous-array-with-size.js:
569         * stress/op_add.js:
570         * stress/op_bitand.js:
571         * stress/op_bitor.js:
572         * stress/op_bitxor.js:
573         * stress/op_lshift-ConstVar.js:
574         * stress/op_lshift-VarConst.js:
575         * stress/op_lshift-VarVar.js:
576         * stress/op_mod-ConstVar.js:
577         * stress/op_mod-VarConst.js:
578         * stress/op_mod-VarVar.js:
579         * stress/op_mul-ConstVar.js:
580         * stress/op_mul-VarConst.js:
581         * stress/op_mul-VarVar.js:
582         * stress/op_rshift-ConstVar.js:
583         * stress/op_rshift-VarConst.js:
584         * stress/op_rshift-VarVar.js:
585         * stress/op_sub-ConstVar.js:
586         * stress/op_sub-VarConst.js:
587         * stress/op_sub-VarVar.js:
588         * stress/op_urshift-ConstVar.js:
589         * stress/op_urshift-VarConst.js:
590         * stress/op_urshift-VarVar.js:
591         * stress/sampling-profiler-richards.js:
592         * stress/spread-forward-call-varargs-stack-overflow.js:
593
594 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
595
596         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
597         https://bugs.webkit.org/show_bug.cgi?id=193711
598         <rdar://problem/47250262>
599
600         Reviewed by Saam Barati.
601
602         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
603         (shouldBe):
604         (foo):
605         (bar):
606         (baz):
607
608 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         Unreviewed, fix initial global lexical binding epoch
611         https://bugs.webkit.org/show_bug.cgi?id=193603
612         <rdar://problem/47380869>
613
614         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
615         (f1.f2.f3.f4):
616         (f1.f2.f3):
617         (f1.f2):
618         (f1):
619
620 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
621
622         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
623         https://bugs.webkit.org/show_bug.cgi?id=193709
624         <rdar://problem/47363838>
625
626         Unreviewed, rollout to watch the tests.
627
628         * stress/object-tostring-changed-proto.js: Removed.
629         * stress/object-tostring-changed.js: Removed.
630         * stress/object-tostring-misc.js: Removed.
631         * stress/object-tostring-other.js: Removed.
632         * stress/object-tostring-untyped.js: Removed.
633
634 2019-01-22  Saam Barati  <sbarati@apple.com>
635
636         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
637
638         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
639         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
640         (testUncheckedLessThanZero):
641         (testUncheckedLessThanOrEqualZero):
642         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
643         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
644
645 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
646
647         [JSC] Invalidate old scope operations using global lexical binding epoch
648         https://bugs.webkit.org/show_bug.cgi?id=193603
649         <rdar://problem/47380869>
650
651         Reviewed by Saam Barati.
652
653         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
654         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
655         (shouldThrow):
656         (bar):
657         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
658         (shouldBe):
659         (get1):
660         (get2):
661         (get1If):
662         (get2If):
663         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
664         (shouldThrow):
665         (foo):
666
667 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
668
669         Unreviewed, roll out r240220 due to date-format-xparb regression
670         https://bugs.webkit.org/show_bug.cgi?id=193603
671
672         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
673         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
674         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
675         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
676
677 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
678
679         DoesGC rule is wrong for nodes with BigIntUse
680         https://bugs.webkit.org/show_bug.cgi?id=193652
681
682         Reviewed by Saam Barati.
683
684         * stress/big-int-value-op-update-gc-rules.js: Added.
685         (assert):
686         (doesGCAdd):
687         (doesGCSub):
688         (doesGCDiv):
689         (doesGCMul):
690         (doesGCBitAnd):
691         (doesGCBitOr):
692         (doesGCBitXor):
693
694 2019-01-20  Saam Barati  <sbarati@apple.com>
695
696         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
697         https://bugs.webkit.org/show_bug.cgi?id=193644
698         <rdar://problem/46209745>
699
700         Reviewed by Yusuke Suzuki.
701
702         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
703         (foo):
704         * stress/data-view-set-intrinsic-undefined-result.js: Added.
705         (foo):
706         (bar):
707
708 2019-01-20  Saam Barati  <sbarati@apple.com>
709
710         MovHint must merge NodeBytecodeUsesAsValue for its child
711         https://bugs.webkit.org/show_bug.cgi?id=186916
712         <rdar://problem/41396612>
713
714         Reviewed by Yusuke Suzuki.
715
716         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
717         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
718
719 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
720
721         [JSC] Invalidate old scope operations using global lexical binding epoch
722         https://bugs.webkit.org/show_bug.cgi?id=193603
723         <rdar://problem/47380869>
724
725         Reviewed by Saam Barati.
726
727         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
728         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
729         (shouldThrow):
730         (bar):
731         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
732         (shouldBe):
733         (get1):
734         (get2):
735         (get1If):
736         (get2If):
737         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
738         (shouldThrow):
739         (foo):
740
741 2019-01-17  Saam barati  <sbarati@apple.com>
742
743         StringObjectUse should not be a structure check for the original string object structure
744         https://bugs.webkit.org/show_bug.cgi?id=193483
745         <rdar://problem/47280522>
746
747         Reviewed by Yusuke Suzuki.
748
749         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
750         (foo):
751         (a.valueOf.0):
752
753 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
754
755         [JSC] ToThis omission in DFGByteCodeParser is wrong
756         https://bugs.webkit.org/show_bug.cgi?id=193513
757         <rdar://problem/45842236>
758
759         Reviewed by Saam Barati.
760
761         * stress/to-this-omission-with-different-strict-modes.js: Added.
762         (thisA):
763         (thisAStrictWrapper):
764
765 2019-01-15  Mark Lam  <mark.lam@apple.com>
766
767         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
768         https://bugs.webkit.org/show_bug.cgi?id=193423
769         <rdar://problem/46209355>
770
771         Reviewed by Saam Barati.
772
773         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
774         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
775         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
776         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
777
778 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
779
780         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
781         https://bugs.webkit.org/show_bug.cgi?id=193438
782         <rdar://problem/45581249>
783
784         Reviewed by Saam Barati and Keith Miller.
785
786         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
787         Then, GetByVal(String) crashed.
788
789         * stress/string-get-by-val-lowering.js: Added.
790         (shouldBe):
791         (test):
792         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
793         (Hello):
794         (foo):
795
796 2019-01-15  Tomas Popela  <tpopela@redhat.com>
797
798         Unreviewed, skip JIT tests if it's not enabled
799
800         * stress/bit-op-with-object-returning-int32.js:
801
802 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
803
804         DFGByteCodeParser rules for bitwise operations should consider type of their operands
805         https://bugs.webkit.org/show_bug.cgi?id=192966
806
807         Reviewed by Yusuke Suzuki.
808
809         * stress/bit-op-with-object-returning-int32.js: Added.
810
811 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
812
813         Skip a slow test and a flakey test on arm
814
815         Unreviewed gardening.
816
817         * typeProfiler/getter-richards.js:
818         this test always times out, it used to be always skipped on arm and
819         mips, but got accidentally enabled by r237919 now that we have DFG on
820         arm. Also skipping on mips as we plan to soon enable DFG for it too.
821
822 2019-01-14  Keith Miller  <keith_miller@apple.com>
823
824         Skip type-check-hoisting-phase-hoist... with no jit
825         https://bugs.webkit.org/show_bug.cgi?id=193421
826
827         Reviewed by Mark Lam.
828
829         It's timing out the 32-bit bots and takes 330 seconds
830         on my machine when run by itself.
831
832         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
833
834 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
835
836         [JSC] AI should check the given constant's array type when folding GetByVal into constant
837         https://bugs.webkit.org/show_bug.cgi?id=193413
838         <rdar://problem/46092389>
839
840         Reviewed by Keith Miller.
841
842         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
843         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
844         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
845         but GetByVal does not have appropriate ArrayModes, JSC crashes.
846
847         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
848         (compareArray):
849
850 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
851
852         [BigInt] Literal parsing is crashing when used inside a Object Literal
853         https://bugs.webkit.org/show_bug.cgi?id=193404
854
855         Reviewed by Yusuke Suzuki.
856
857         * stress/big-int-literal-inside-literal-object.js: Added.
858
859 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
860
861         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
862         https://bugs.webkit.org/show_bug.cgi?id=193372
863
864         Reviewed by Saam Barati.
865
866         * stress/typed-array-array-modes-profile.js: Added.
867         (foo):
868
869 2019-01-14  Mark Lam  <mark.lam@apple.com>
870
871         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
872         https://bugs.webkit.org/show_bug.cgi?id=193402
873         <rdar://problem/46012309>
874
875         Reviewed by Keith Miller.
876
877         * stress/regexp-compile-oom.js:
878         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
879           is enabled.  As a result, it will fail on cloop builds though there is no bug.
880
881 2019-01-11  Saam barati  <sbarati@apple.com>
882
883         DFG combined liveness can be wrong for terminal basic blocks
884         https://bugs.webkit.org/show_bug.cgi?id=193304
885         <rdar://problem/45268632>
886
887         Reviewed by Yusuke Suzuki.
888
889         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
890
891 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
892
893         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
894         https://bugs.webkit.org/show_bug.cgi?id=193308
895         <rdar://problem/45546542>
896
897         Reviewed by Saam Barati.
898
899         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
900         (shouldThrow):
901         (shouldBe):
902         (foo):
903         (get shouldThrow):
904         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
905         (shouldThrow):
906         (shouldBe):
907         (foo):
908         (get shouldBe):
909         (get shouldThrow):
910         (get return):
911         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
912         (shouldThrow):
913         (shouldBe):
914         (foo):
915         (get shouldBe):
916         (get shouldThrow):
917         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
918         (shouldThrow):
919         (shouldBe):
920         (foo):
921         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
922         (shouldThrow):
923         (shouldBe):
924         (foo):
925         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
926         (shouldThrow):
927         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
928         (shouldThrow):
929         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
930         (shouldThrow):
931         (shouldBe):
932         (foo):
933         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
934         (shouldThrow):
935         (shouldBe):
936         (foo):
937         (get shouldBe):
938         (get shouldThrow):
939         (get return):
940         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
941         (shouldThrow):
942         (shouldBe):
943         (foo):
944         (get shouldBe):
945         (get shouldThrow):
946         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
947         (shouldThrow):
948         (shouldBe):
949         (foo):
950         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
951         (shouldThrow):
952         (shouldBe):
953         (foo):
954
955 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
956
957         Enable DFG on ARM/Linux again
958         https://bugs.webkit.org/show_bug.cgi?id=192496
959
960         Reviewed by Yusuke Suzuki.
961
962         Test wasn't really skipped before moving the line with skip
963         to the top.
964
965         * stress/regress-192717.js:
966
967 2019-01-10  Commit Queue  <commit-queue@webkit.org>
968
969         Unreviewed, rolling out r239825.
970         https://bugs.webkit.org/show_bug.cgi?id=193330
971
972         Broke tests on armv7/linux bots (Requested by guijemont on
973         #webkit).
974
975         Reverted changeset:
976
977         "Enable DFG on ARM/Linux again"
978         https://bugs.webkit.org/show_bug.cgi?id=192496
979         https://trac.webkit.org/changeset/239825
980
981 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
982
983         Enable DFG on ARM/Linux again
984         https://bugs.webkit.org/show_bug.cgi?id=192496
985
986         Reviewed by Yusuke Suzuki.
987
988         Test wasn't really skipped before moving the line with skip
989         to the top.
990
991         * stress/regress-192717.js:
992
993 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
994
995         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
996         https://bugs.webkit.org/show_bug.cgi?id=193127
997
998         Reviewed by Saam Barati.
999
1000         * stress/array-species-create-should-handle-masquerader.js: Added.
1001         (shouldThrow):
1002         * stress/is-undefined-or-null-builtin.js: Added.
1003         (shouldBe):
1004         (isUndefinedOrNull.vm.createBuiltin):
1005
1006 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1007
1008         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1009         https://bugs.webkit.org/show_bug.cgi?id=193221
1010
1011         Reviewed by Mark Lam.
1012
1013         * stress/put-by-id-flags.js: Added.
1014         (f):
1015         (g):
1016         (numberOfDFGCompiles):
1017
1018 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1019
1020         Baseline version of get_by_id may corrupt metadata
1021         https://bugs.webkit.org/show_bug.cgi?id=193085
1022         <rdar://problem/23453006>
1023
1024         Reviewed by Saam Barati.
1025
1026         * stress/get-by-id-change-mode.js: Added.
1027         (forEach):
1028
1029 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1030
1031         [JSC] Optimize Object.prototype.toString
1032         https://bugs.webkit.org/show_bug.cgi?id=193031
1033
1034         Reviewed by Saam Barati.
1035
1036         * stress/object-tostring-changed-proto.js: Added.
1037         (shouldBe):
1038         (test):
1039         * stress/object-tostring-changed.js: Added.
1040         (shouldBe):
1041         (test):
1042         * stress/object-tostring-misc.js: Added.
1043         (shouldBe):
1044         (test):
1045         (i.switch):
1046         * stress/object-tostring-other.js: Added.
1047         (shouldBe):
1048         (test):
1049         * stress/object-tostring-untyped.js: Added.
1050         (shouldBe):
1051         (test):
1052         (i.switch):
1053
1054 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1055
1056         test262-runner misbehaves when test file YAML has a trailing space
1057         https://bugs.webkit.org/show_bug.cgi?id=193053
1058
1059         Reviewed by Yusuke Suzuki.
1060
1061         * test262/expectations.yaml:
1062         Mark two dozen tests as passing (and correct the output of another).
1063
1064 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1065
1066         Unreviewed, JSTests gardening with memoryLimited
1067
1068         * stress/string-overflow-createError.js:
1069
1070 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1071
1072         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1073         https://bugs.webkit.org/show_bug.cgi?id=193050
1074
1075         Reviewed by Yusuke Suzuki.
1076
1077         * test262.yaml:
1078         * test262/expectations.yaml:
1079         Mark 16 tests as passing.
1080
1081 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1082
1083         [BigInt] Support BigInt in JSON.stringify
1084         https://bugs.webkit.org/show_bug.cgi?id=192624
1085
1086         Reviewed by Saam Barati.
1087
1088         * stress/big-int-json-stringify-to-json.js: Added.
1089         (shouldBe):
1090         (shouldThrow):
1091         (BigInt.prototype.toJSON):
1092         (shouldBe.JSON.stringify):
1093         * stress/big-int-json-stringify.js: Added.
1094         (shouldBe):
1095         (shouldThrow):
1096
1097 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1098
1099         [JSC] Implement "well-formed JSON.stringify" proposal
1100         https://bugs.webkit.org/show_bug.cgi?id=191677
1101
1102         Reviewed by Darin Adler.
1103
1104         * stress/json-surrogate-pair.js: Added.
1105         (shouldBe):
1106         * test262/expectations.yaml:
1107
1108 2018-12-20  Keith Miller  <keith_miller@apple.com>
1109
1110         Add support for globalThis
1111         https://bugs.webkit.org/show_bug.cgi?id=165171
1112
1113         Reviewed by Mark Lam.
1114
1115         * test262/config.yaml:
1116
1117 2018-12-19  Keith Miller  <keith_miller@apple.com>
1118
1119         Update test262 configuration to not run tests dependent on ICU version.
1120         https://bugs.webkit.org/show_bug.cgi?id=192920
1121
1122         Reviewed by Saam Barati.
1123
1124         * test262/expectations.yaml:
1125
1126 2018-12-20  Mark Lam  <mark.lam@apple.com>
1127
1128         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1129         https://bugs.webkit.org/show_bug.cgi?id=192939
1130         <rdar://problem/46869516>
1131
1132         Reviewed by Keith Miller.
1133
1134         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1135
1136 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1137
1138         WTF::String and StringImpl overflow MaxLength
1139         https://bugs.webkit.org/show_bug.cgi?id=192853
1140         <rdar://problem/45726906>
1141
1142         Reviewed by Mark Lam.
1143
1144         * stress/string-16bit-repeat-overflow.js: Added.
1145         (catch):
1146
1147 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1148
1149         Unreviewed follow-up to r192914.
1150
1151         * test262/expectations.yaml:
1152         Add the last 20 missing expectations.
1153
1154 2018-12-19  Keith Miller  <keith_miller@apple.com>
1155
1156         Fix test262 expectations
1157         https://bugs.webkit.org/show_bug.cgi?id=192914
1158
1159         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1160
1161         * test262/expectations.yaml:
1162
1163 2018-12-19  Keith Miller  <keith_miller@apple.com>
1164
1165         Update test262 tests.
1166         https://bugs.webkit.org/show_bug.cgi?id=192907
1167
1168         Rubber stamped by Mark Lam.
1169
1170         * test262/*: Omitted because prepare-changelog crashes.
1171
1172 2018-12-19  Mark Lam  <mark.lam@apple.com>
1173
1174         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1175         https://bugs.webkit.org/show_bug.cgi?id=192464
1176         <rdar://problem/46519455>
1177
1178         Reviewed by Saam Barati.
1179
1180         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1181         microbenchmark.
1182
1183         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1184         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1185
1186 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1187
1188         String overflow in JSC::createError results in ASSERT in WTF::makeString
1189         https://bugs.webkit.org/show_bug.cgi?id=192833
1190         <rdar://problem/45706868>
1191
1192         Reviewed by Mark Lam.
1193
1194         * stress/string-overflow-createError.js: Added.
1195
1196 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1197
1198         Error message for `-x ** y` contains a typo.
1199         https://bugs.webkit.org/show_bug.cgi?id=192832
1200
1201         Reviewed by Saam Barati.
1202
1203         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1204         (assert.assert.return.throws):
1205         * stress/pow-expects-update-expression-on-lhs.js:
1206         (throw.new.Error):
1207         Update test expectations which match against the exact error message.
1208
1209 2018-12-18  Mark Lam  <mark.lam@apple.com>
1210
1211         Gardening: test options fix.
1212         https://bugs.webkit.org/show_bug.cgi?id=192822
1213
1214         Unreviewed.
1215
1216         * stress/json-stringify-string-builder-overflow.js:
1217
1218 2018-12-18  Mark Lam  <mark.lam@apple.com>
1219
1220         JSON.stringify() should throw OOM on StringBuilder overflows.
1221         https://bugs.webkit.org/show_bug.cgi?id=192822
1222         <rdar://problem/46670577>
1223
1224         Reviewed by Saam Barati.
1225
1226         * stress/json-stringify-string-builder-overflow.js: Added.
1227
1228 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1229
1230         Redeclaration of var over let/const/class should be a syntax error.
1231         https://bugs.webkit.org/show_bug.cgi?id=192298
1232
1233         Reviewed by Keith Miller.
1234
1235         * test262.yaml:
1236         * test262/expectations.yaml:
1237         Mark 46 tests as passing.
1238
1239         * stress/block-scope-redeclarations.js:
1240         Add some new tests.
1241
1242         * stress/for-in-invalidate-context-weird-assignments.js:
1243         * stress/for-in-tests.js:
1244         Replace tests for outdated behavior with tests for SyntaxError.
1245
1246         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1247         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1248         Update expectations.
1249
1250 2018-12-18  Mark Lam  <mark.lam@apple.com>
1251
1252         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1253         https://bugs.webkit.org/show_bug.cgi?id=191374
1254         <rdar://problem/46525447>
1255
1256         Reviewed by Yusuke Suzuki.
1257
1258         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1259
1260         * stress/elidable-new-object-roflcopter-then-exit.js:
1261
1262 2018-12-17  Mark Lam  <mark.lam@apple.com>
1263
1264         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1265         https://bugs.webkit.org/show_bug.cgi?id=192019
1266         <rdar://problem/46525456>
1267
1268         Reviewed by Yusuke Suzuki.
1269
1270         The test runs too slow on 32-bit.
1271
1272         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1273
1274 2018-12-17  Mark Lam  <mark.lam@apple.com>
1275
1276         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1277         https://bugs.webkit.org/show_bug.cgi?id=191373
1278         <rdar://problem/46525458>
1279
1280         Reviewed by Yusuke Suzuki.
1281
1282         The test is already slow running with a JIT on 64-bit.  It will always timeout
1283         on 32-bit without a JIT.
1284
1285         * stress/materialize-regexp-cyclic-regexp.js:
1286
1287 2018-12-17  Mark Lam  <mark.lam@apple.com>
1288
1289         Array unshift/shift should not race against the AI in the compiler thread.
1290         https://bugs.webkit.org/show_bug.cgi?id=192795
1291         <rdar://problem/46724263>
1292
1293         Reviewed by Saam Barati.
1294
1295         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1296
1297 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1298
1299         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1300         https://bugs.webkit.org/show_bug.cgi?id=190047
1301
1302         Reviewed by Saam Barati.
1303
1304         * stress/object-keys-cached-zero.js: Added.
1305         (shouldBe):
1306         (test):
1307         * stress/object-keys-changed-attribute.js: Added.
1308         (shouldBe):
1309         (test):
1310         * stress/object-keys-changed-index.js: Added.
1311         (shouldBe):
1312         (test):
1313         * stress/object-keys-changed.js: Added.
1314         (shouldBe):
1315         (test):
1316         * stress/object-keys-indexed-non-cache.js: Added.
1317         (shouldBe):
1318         (test):
1319         * stress/object-keys-overrides-get-property-names.js: Added.
1320         (shouldBe):
1321         (test):
1322         (noInline):
1323
1324 2018-12-17  Mark Lam  <mark.lam@apple.com>
1325
1326         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1327         https://bugs.webkit.org/show_bug.cgi?id=192779
1328         <rdar://problem/46775869>
1329
1330         Reviewed by Saam Barati.
1331
1332         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1333
1334 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1335
1336         Unreviewed test gardening, address a syntax error in a new test.
1337
1338         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1339
1340 2018-12-17  Mark Lam  <mark.lam@apple.com>
1341
1342         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1343         https://bugs.webkit.org/show_bug.cgi?id=192776
1344         <rdar://problem/46772368>
1345
1346         Reviewed by Keith Miller.
1347
1348         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1349
1350 2018-12-17  Mark Lam  <mark.lam@apple.com>
1351
1352         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1353         https://bugs.webkit.org/show_bug.cgi?id=192770
1354         <rdar://problem/46449037>
1355
1356         Reviewed by Keith Miller.
1357
1358         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1359
1360 2018-12-14  Mark Lam  <mark.lam@apple.com>
1361
1362         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1363         https://bugs.webkit.org/show_bug.cgi?id=192717
1364         <rdar://problem/46660677>
1365
1366         Reviewed by Saam Barati.
1367
1368         * stress/regress-192717.js: Added.
1369
1370 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1371
1372         Unreviewed, rolling out r239153, r239154, and r239155.
1373         https://bugs.webkit.org/show_bug.cgi?id=192715
1374
1375         Caused flaky GC-related crashes seen with layout tests
1376         (Requested by ryanhaddad on #webkit).
1377
1378         Reverted changesets:
1379
1380         "[JSC] Optimize Object.keys by caching own keys results in
1381         StructureRareData"
1382         https://bugs.webkit.org/show_bug.cgi?id=190047
1383         https://trac.webkit.org/changeset/239153
1384
1385         "Unreviewed, build fix after r239153"
1386         https://bugs.webkit.org/show_bug.cgi?id=190047
1387         https://trac.webkit.org/changeset/239154
1388
1389         "Unreviewed, build fix after r239153, part 2"
1390         https://bugs.webkit.org/show_bug.cgi?id=190047
1391         https://trac.webkit.org/changeset/239155
1392
1393 2018-12-14  Keith Miller  <keith_miller@apple.com>
1394
1395         Callers of JSString::getIndex should check for OOM exceptions
1396         https://bugs.webkit.org/show_bug.cgi?id=192709
1397
1398         Reviewed by Mark Lam.
1399
1400         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1401
1402 2018-12-13  Mark Lam  <mark.lam@apple.com>
1403
1404         Add a missing exception check.
1405         https://bugs.webkit.org/show_bug.cgi?id=192626
1406         <rdar://problem/46662163>
1407
1408         Reviewed by Keith Miller.
1409
1410         * stress/regress-192626.js: Added.
1411
1412 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1413
1414         [BigInt] Add ValueDiv into DFG
1415         https://bugs.webkit.org/show_bug.cgi?id=186178
1416
1417         Reviewed by Yusuke Suzuki.
1418
1419         * stress/big-int-div-jit-osr.js: Added.
1420         * stress/big-int-div-jit-untyped.js: Added.
1421         * stress/value-div-fixup-int32-big-int.js: Added.
1422
1423 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1424
1425         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1426         https://bugs.webkit.org/show_bug.cgi?id=190047
1427
1428         Reviewed by Keith Miller.
1429
1430         * stress/object-keys-cached-zero.js: Added.
1431         (shouldBe):
1432         (test):
1433         * stress/object-keys-changed-attribute.js: Added.
1434         (shouldBe):
1435         (test):
1436         * stress/object-keys-changed-index.js: Added.
1437         (shouldBe):
1438         (test):
1439         * stress/object-keys-changed.js: Added.
1440         (shouldBe):
1441         (test):
1442         * stress/object-keys-indexed-non-cache.js: Added.
1443         (shouldBe):
1444         (test):
1445         * stress/object-keys-overrides-get-property-names.js: Added.
1446         (shouldBe):
1447         (test):
1448         (noInline):
1449
1450 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1451
1452         [DFG][FTL] Add NewSymbol
1453         https://bugs.webkit.org/show_bug.cgi?id=192620
1454
1455         Reviewed by Saam Barati.
1456
1457         * microbenchmarks/symbol-creation.js: Added.
1458         (test):
1459         * stress/symbol-description-identity.js: Added.
1460         (shouldBe):
1461         (test):
1462         * stress/symbol-identity.js: Added.
1463         (shouldBe):
1464         (test):
1465         * stress/symbol-with-description-throw-error.js: Added.
1466         (shouldBe):
1467         (shouldThrow):
1468         (test):
1469         (object.toString):
1470
1471 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1472
1473         [BigInt] Implement DFG/FTL typeof for BigInt
1474         https://bugs.webkit.org/show_bug.cgi?id=192619
1475
1476         Reviewed by Keith Miller.
1477
1478         * stress/big-int-boolean-proven-type.js: Added.
1479         (assert):
1480         (bool):
1481         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1482         (assert):
1483         (typeOf):
1484         (i.switch):
1485         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1486         (assert):
1487         (typeOf):
1488         * stress/big-int-type-of.js:
1489         (typeOf):
1490         (func):
1491
1492 2018-12-10  Mark Lam  <mark.lam@apple.com>
1493
1494         PropertyAttribute needs a CustomValue bit.
1495         https://bugs.webkit.org/show_bug.cgi?id=191993
1496         <rdar://problem/46264467>
1497
1498         Reviewed by Saam Barati.
1499
1500         * stress/regress-191993.js: Added.
1501
1502 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1503
1504         [BigInt] Add ValueMul into DFG
1505         https://bugs.webkit.org/show_bug.cgi?id=186175
1506
1507         Reviewed by Yusuke Suzuki.
1508
1509         * stress/big-int-mul-jit-osr.js: Added.
1510         * stress/big-int-mul-jit-untyped.js: Added.
1511         * stress/value-mul-fixup-int32-big-int.js: Added.
1512
1513 2018-12-06  Keith Miller  <keith_miller@apple.com>
1514
1515         stress/big-wasm-memory tests failing on 32-bit JSC bot
1516         https://bugs.webkit.org/show_bug.cgi?id=192020
1517
1518         Reviewed by Saam Barati.
1519
1520         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1521         the wasm stress tests if the WebAssembly object does not exist.
1522
1523         * stress/big-wasm-memory-grow-no-max.js:
1524         (test.foo):
1525         (test):
1526         (foo): Deleted.
1527         (catch): Deleted.
1528         * stress/big-wasm-memory-grow.js:
1529         (test.foo):
1530         (test):
1531         (foo): Deleted.
1532         (catch): Deleted.
1533         * stress/big-wasm-memory.js:
1534         (test.foo):
1535         (test):
1536         (foo): Deleted.
1537         (catch): Deleted.
1538
1539 2018-12-05  Mark Lam  <mark.lam@apple.com>
1540
1541         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1542         https://bugs.webkit.org/show_bug.cgi?id=192441
1543         <rdar://problem/46480355>
1544
1545         Reviewed by Saam Barati.
1546
1547         * stress/regress-192441.js: Added.
1548
1549 2018-12-04  Mark Lam  <mark.lam@apple.com>
1550
1551         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1552         https://bugs.webkit.org/show_bug.cgi?id=192386
1553         <rdar://problem/46445516>
1554
1555         Reviewed by Saam Barati.
1556
1557         * stress/regress-192386.js: Added.
1558
1559 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1560
1561         [ESNext][BigInt] Support logic operations
1562         https://bugs.webkit.org/show_bug.cgi?id=179903
1563
1564         Reviewed by Yusuke Suzuki.
1565
1566         * stress/big-int-branch-usage.js: Added.
1567         * stress/big-int-logical-and.js: Added.
1568         * stress/big-int-logical-not.js: Added.
1569         * stress/big-int-logical-or.js: Added.
1570
1571 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1572
1573         Unreviewed, rolling out r238833.
1574
1575         Breaks macOS and iOS debug builds.
1576
1577         Reverted changeset:
1578
1579         "[ESNext][BigInt] Support logic operations"
1580         https://bugs.webkit.org/show_bug.cgi?id=179903
1581         https://trac.webkit.org/changeset/238833
1582
1583 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1584
1585         [ESNext][BigInt] Support logic operations
1586         https://bugs.webkit.org/show_bug.cgi?id=179903
1587
1588         Reviewed by Yusuke Suzuki.
1589
1590         * stress/big-int-branch-usage.js: Added.
1591         * stress/big-int-logical-and.js: Added.
1592         * stress/big-int-logical-not.js: Added.
1593         * stress/big-int-logical-or.js: Added.
1594
1595 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1596
1597         [ESNext][BigInt] Implement support for "<<" and ">>"
1598         https://bugs.webkit.org/show_bug.cgi?id=186233
1599
1600         Reviewed by Yusuke Suzuki.
1601
1602         * stress/big-int-left-shift-general.js: Added.
1603         * stress/big-int-left-shift-range-error.js: Added.
1604         * stress/big-int-left-shift-type-error.js: Added.
1605         * stress/big-int-left-shift-wrapped-value.js: Added.
1606         * stress/big-int-right-shift-general.js: Added.
1607         * stress/big-int-right-shift-type-error.js: Added.
1608         * stress/big-int-right-shift-wrapped-value.js: Added.
1609         * stress/left-shift-to-primitive-precedence.js: Added.
1610         * stress/right-shift-to-primitive-precedence.js: Added.
1611
1612 2018-11-30  Dean Jackson  <dino@apple.com>
1613
1614         Add first-class support for .mjs files in jsc binary
1615         https://bugs.webkit.org/show_bug.cgi?id=192190
1616         <rdar://problem/46375715>
1617
1618         Reviewed by Keith Miller.
1619
1620         * stress/simple-module.mjs: Added.
1621         * stress/simple-script.js: Added.
1622
1623 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1624
1625         [BigInt] Implement ValueBitXor into DFG
1626         https://bugs.webkit.org/show_bug.cgi?id=190264
1627
1628         Reviewed by Yusuke Suzuki.
1629
1630         * stress/big-int-bitwise-xor-jit.js: Added.
1631         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1632         * stress/big-int-bitwise-xor-untyped.js: Added.
1633
1634 2018-11-27  Saam barati  <sbarati@apple.com>
1635
1636         r238510 broke scopes of size zero
1637         https://bugs.webkit.org/show_bug.cgi?id=192033
1638         <rdar://problem/46281734>
1639
1640         Reviewed by Keith Miller.
1641
1642         * stress/r238510-bad-loop.js: Added.
1643         (foo):
1644
1645 2018-11-27  Mark Lam  <mark.lam@apple.com>
1646
1647         [Re-landing] NaNs read from Wasm code needs to be be purified.
1648         https://bugs.webkit.org/show_bug.cgi?id=191056
1649         <rdar://problem/45660341>
1650
1651         Reviewed by Filip Pizlo.
1652
1653         * wasm/regress/regress-191056.js: Added.
1654
1655 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1656
1657         Unreviewed, rolling out r238509.
1658
1659         Causes JSC tests to fail on iOS.
1660
1661         Reverted changeset:
1662
1663         "NaNs read from Wasm code needs to be be purified."
1664         https://bugs.webkit.org/show_bug.cgi?id=191056
1665         https://trac.webkit.org/changeset/238509
1666
1667 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1668
1669         Re-introduce op_bitnot
1670         https://bugs.webkit.org/show_bug.cgi?id=190923
1671
1672         Reviewed by Yusuke Suzuki.
1673
1674         * stress/bit-not-must-generate.js: Added.
1675         * stress/bitwise-not-no-int32.js: Added.
1676
1677 2018-11-26  Saam barati  <sbarati@apple.com>
1678
1679         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1680         https://bugs.webkit.org/show_bug.cgi?id=191956
1681         <rdar://problem/45665806>
1682
1683         Reviewed by Yusuke Suzuki.
1684
1685         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1686         (bar):
1687         (foo):
1688
1689 2018-11-26  Saam barati  <sbarati@apple.com>
1690
1691         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1692         https://bugs.webkit.org/show_bug.cgi?id=191958
1693         <rdar://problem/46221877>
1694
1695         Reviewed by Yusuke Suzuki.
1696
1697         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1698         (x):
1699         (foo):
1700
1701 2018-11-26  Mark Lam  <mark.lam@apple.com>
1702
1703         NaNs read from Wasm code needs to be be purified.
1704         https://bugs.webkit.org/show_bug.cgi?id=191056
1705         <rdar://problem/45660341>
1706
1707         Reviewed by Filip Pizlo.
1708
1709         * wasm/regress/regress-191056.js: Added.
1710
1711 2018-11-26  Michael Saboff  <msaboff@apple.com>
1712
1713         32-bit JSC test failure: stress/regexp-compile-oom.js
1714         https://bugs.webkit.org/show_bug.cgi?id=191375
1715
1716         Reviewed by Mark Lam.
1717
1718         Disabled the test for 32 bit platforms.
1719
1720         * stress/regexp-compile-oom.js:
1721
1722 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1723
1724         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1725         https://bugs.webkit.org/show_bug.cgi?id=191716
1726         <rdar://problem/45723878>
1727
1728         Reviewed by Saam Barati.
1729
1730         * stress/regress-187373.js: Added.
1731         (async.fn):
1732
1733 2018-11-21  Saam barati  <sbarati@apple.com>
1734
1735         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1736         https://bugs.webkit.org/show_bug.cgi?id=191897
1737         <rdar://problem/45871998>
1738
1739         Reviewed by Mark Lam.
1740
1741         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1742         (bar):
1743         (foo):
1744
1745 2018-11-21  Saam barati  <sbarati@apple.com>
1746
1747         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1748         https://bugs.webkit.org/show_bug.cgi?id=191895
1749         <rdar://problem/46167406>
1750
1751         Reviewed by Mark Lam.
1752
1753         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1754         (foo):
1755         (bar):
1756
1757 2018-11-21  Mark Lam  <mark.lam@apple.com>
1758
1759         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1760         https://bugs.webkit.org/show_bug.cgi?id=191776
1761         <rdar://problem/46152851>
1762
1763         Reviewed by Saam Barati.
1764
1765         * stress/big-wasm-memory-grow-no-max.js:
1766         * stress/big-wasm-memory-grow.js:
1767         * stress/big-wasm-memory.js:
1768         - updated these to expect an OutOfMemoryError.
1769
1770         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1771         (Binary.prototype.emit_u8):
1772         (Binary.prototype.emit_u32v):
1773         (Binary.prototype.emit_header):
1774         (Binary.prototype.emit_section):
1775         (Binary):
1776         (WasmModuleBuilder):
1777         (WasmModuleBuilder.prototype.addMemory):
1778         (WasmModuleBuilder.prototype.toArray):
1779         (WasmModuleBuilder.prototype.toBuffer):
1780         (WasmModuleBuilder.prototype.instantiate):
1781         (catch):
1782         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1783         (catch):
1784
1785 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1786
1787         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1788         https://bugs.webkit.org/show_bug.cgi?id=190836
1789
1790         Reviewed by Saam Barati and Yusuke Suzuki.
1791
1792         * stress/big-int-out-of-memory-tests.js: Added.
1793
1794 2018-11-20  Mark Lam  <mark.lam@apple.com>
1795
1796         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1797         https://bugs.webkit.org/show_bug.cgi?id=191856
1798         <rdar://problem/46089992>
1799
1800         Reviewed by Yusuke Suzuki.
1801
1802         * stress/regress-191856.js: Added.
1803         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1804
1805 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1806
1807         Enable JIT on ARM/Linux
1808         https://bugs.webkit.org/show_bug.cgi?id=191548
1809
1810         Reviewed by Yusuke Suzuki.
1811
1812         Disable test on system with limited memory. Program was killed by
1813         the OS before the exception was thrown.
1814
1815         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1816
1817 2018-11-20  Saam barati  <sbarati@apple.com>
1818
1819         Merging an IC variant may lead to the IC status containing overlapping structure sets
1820         https://bugs.webkit.org/show_bug.cgi?id=191869
1821         <rdar://problem/45403453>
1822
1823         Reviewed by Mark Lam.
1824
1825         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1826
1827 2018-11-19  Mark Lam  <mark.lam@apple.com>
1828
1829         globalFuncImportModule() should return a promise when it clears exceptions.
1830         https://bugs.webkit.org/show_bug.cgi?id=191792
1831         <rdar://problem/46090763>
1832
1833         Reviewed by Michael Saboff.
1834
1835         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1836
1837 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1838
1839         Skip new memory-hungry tests on memory limited devices
1840
1841         Unreviewed gardening.
1842
1843         * stress/big-wasm-memory-grow-no-max.js:
1844         * stress/big-wasm-memory-grow.js:
1845         * stress/big-wasm-memory.js:
1846
1847 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1848
1849         Unreviewed, rolling in the rest of r237254
1850         https://bugs.webkit.org/show_bug.cgi?id=190340
1851
1852         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1853         * stress/function-cache-with-parameters-end-position.js: Added.
1854         (shouldBe):
1855         (shouldThrow):
1856         (i.anonymous):
1857         * stress/function-constructor-name.js: Added.
1858         (shouldBe):
1859         (GeneratorFunction):
1860         (AsyncFunction.async):
1861         (AsyncGeneratorFunction.async):
1862         (anonymous):
1863         (async.anonymous):
1864         * test262/expectations.yaml:
1865
1866 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1867
1868         All users of ArrayBuffer should agree on the same max size
1869         https://bugs.webkit.org/show_bug.cgi?id=191771
1870
1871         Reviewed by Mark Lam.
1872
1873         * stress/big-wasm-memory-grow-no-max.js: Added.
1874         (foo):
1875         (catch):
1876         * stress/big-wasm-memory-grow.js: Added.
1877         (foo):
1878         (catch):
1879         * stress/big-wasm-memory.js: Added.
1880         (foo):
1881         (catch):
1882
1883 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1884
1885         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1886         run for each JSC config since they're regression tests for runtime bugs.
1887
1888         * stress/json-stringified-overflow-2.js:
1889         * stress/json-stringified-overflow.js:
1890
1891 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1892
1893         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1894         config since they're regression tests for runtime bugs.
1895
1896         * stress/large-unshift-splice.js:
1897         * stress/regress-185888.js:
1898
1899 2018-11-16  Saam Barati  <sbarati@apple.com>
1900
1901         KnownCellUse should also have SpecCellCheck as its type filter
1902         https://bugs.webkit.org/show_bug.cgi?id=191729
1903         <rdar://problem/45872852>
1904
1905         Reviewed by Filip Pizlo.
1906
1907         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1908         (C):
1909
1910 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1911
1912         Fix assertion failure on BytecodeGenerator::recordOpcode
1913         https://bugs.webkit.org/show_bug.cgi?id=191724
1914         <rdar://problem/45724395>
1915
1916         Reviewed by Saam Barati.
1917
1918         * stress/regress-187373-2.js: Added.
1919         (foo):
1920
1921 2018-11-15  Mark Lam  <mark.lam@apple.com>
1922
1923         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1924         https://bugs.webkit.org/show_bug.cgi?id=191730
1925         <rdar://problem/46048517>
1926
1927         Reviewed by Saam Barati.
1928
1929         * stress/regress-187006.js: Removed.
1930           - this test is invalid because its sole purpose is to test for the non-spec
1931             compliant behavior that we just fixed.
1932
1933         * stress/regress-191730.js: Added.
1934
1935 2018-11-15  Mark Lam  <mark.lam@apple.com>
1936
1937         RegExp operations should not take fast patch if lastIndex is not numeric.
1938         https://bugs.webkit.org/show_bug.cgi?id=191731
1939         <rdar://problem/46017305>
1940
1941         Reviewed by Saam Barati.
1942
1943         * stress/regress-191731.js: Added.
1944
1945 2018-11-13  Saam Barati  <sbarati@apple.com>
1946
1947         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1948         https://bugs.webkit.org/show_bug.cgi?id=191600
1949
1950         Reviewed by Mark Lam.
1951
1952         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1953         (foo):
1954         (test):
1955         (bar):
1956
1957 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1958
1959         Unreviewed, rolling out r238132.
1960
1961         The test added with this change is timing out on Debug JSC
1962         bots.
1963
1964         Reverted changeset:
1965
1966         "[BigInt] JSBigInt::createWithLength should throw when length
1967         is greater than JSBigInt::maxLength"
1968         https://bugs.webkit.org/show_bug.cgi?id=190836
1969         https://trac.webkit.org/changeset/238132
1970
1971 2018-11-13  Mark Lam  <mark.lam@apple.com>
1972
1973         Add OOM detection to StringPrototype's substituteBackreferences().
1974         https://bugs.webkit.org/show_bug.cgi?id=191563
1975         <rdar://problem/45720428>
1976
1977         Reviewed by Saam Barati.
1978
1979         * stress/regress-191563.js: Added.
1980
1981 2018-11-13  Mark Lam  <mark.lam@apple.com>
1982
1983         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1984         https://bugs.webkit.org/show_bug.cgi?id=191579
1985         <rdar://problem/45942472>
1986
1987         Reviewed by Saam Barati.
1988
1989         * stress/regress-191579.js: Added.
1990
1991 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1992
1993         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1994         https://bugs.webkit.org/show_bug.cgi?id=190836
1995
1996         Reviewed by Saam Barati.
1997
1998         * stress/big-int-out-of-memory-tests.js: Added.
1999
2000 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2001
2002         U+180E is no longer a whitespace character
2003         https://bugs.webkit.org/show_bug.cgi?id=191415
2004
2005         Reviewed by Saam Barati.
2006
2007         * ChakraCore/test/es5/regexSpace.baseline:
2008         * ChakraCore/test/es6/unicode_whitespace.js:
2009         Update tests to latest version.
2010         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2011
2012         * test262.yaml:
2013         * test262/config.yaml:
2014         * test262/expectations.yaml:
2015         Update expectations.
2016
2017 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2018
2019         [BigInt] Add support to BigInt into ValueAdd
2020         https://bugs.webkit.org/show_bug.cgi?id=186177
2021
2022         Reviewed by Keith Miller.
2023
2024         * stress/big-int-negate-jit.js:
2025         * stress/value-add-big-int-and-string.js: Added.
2026         * stress/value-add-big-int-prediction-propagation.js: Added.
2027         * stress/value-add-big-int-untyped.js: Added.
2028
2029 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2030
2031         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2032         https://bugs.webkit.org/show_bug.cgi?id=191184
2033
2034         Reviewed by Saam Barati.
2035
2036         Most tests were failing due to timeouts, since they are too slow to
2037         run on CLoop. The exceptions are:
2038
2039         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2040         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2041         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2042         to change the stack size since CLoop requires it to be page aligned.
2043
2044         * microbenchmarks/array-push-1.js:
2045         * microbenchmarks/array-push-2.js:
2046         * microbenchmarks/elidable-new-object-dag.js:
2047         * microbenchmarks/elidable-new-object-roflcopter.js:
2048         * microbenchmarks/elidable-new-object-tree.js:
2049         * microbenchmarks/getter-richards.js:
2050         * microbenchmarks/sinkable-new-object-dag.js:
2051         * microbenchmarks/string-concat-long-convert.js:
2052         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2053         * slowMicrobenchmarks/array-push-3.js:
2054         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2055         * slowMicrobenchmarks/spread-small-array.js:
2056         * slowMicrobenchmarks/undefined-property-access.js:
2057         * stress/activation-sink-default-value-tdz-error.js:
2058         * stress/activation-sink-default-value.js:
2059         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2060         * stress/activation-sink-osrexit-default-value.js:
2061         * stress/activation-sink-osrexit.js:
2062         * stress/activation-sink.js:
2063         * stress/allow-math-ic-b3-code-duplication.js:
2064         * stress/array-push-multiple-int32.js:
2065         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2066         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2067         * stress/arrowfunction-lexical-this-activation-sink.js:
2068         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2069         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2070         * stress/elide-new-object-dag-then-exit.js:
2071         * stress/materialize-regexp-cyclic.js:
2072         * stress/new-regex-inline.js:
2073         * stress/op_add.js:
2074         * stress/op_bitand.js:
2075         * stress/op_bitor.js:
2076         * stress/op_bitxor.js:
2077         * stress/op_div-ConstVar.js:
2078         * stress/op_div-VarConst.js:
2079         * stress/op_div-VarVar.js:
2080         * stress/op_lshift-ConstVar.js:
2081         * stress/op_lshift-VarConst.js:
2082         * stress/op_lshift-VarVar.js:
2083         * stress/op_mod-ConstVar.js:
2084         * stress/op_mod-VarConst.js:
2085         * stress/op_mod-VarVar.js:
2086         * stress/op_mul-ConstVar.js:
2087         * stress/op_mul-VarConst.js:
2088         * stress/op_mul-VarVar.js:
2089         * stress/op_rshift-ConstVar.js:
2090         * stress/op_rshift-VarConst.js:
2091         * stress/op_rshift-VarVar.js:
2092         * stress/op_sub-ConstVar.js:
2093         * stress/op_sub-VarConst.js:
2094         * stress/op_sub-VarVar.js:
2095         * stress/op_urshift-ConstVar.js:
2096         * stress/op_urshift-VarConst.js:
2097         * stress/op_urshift-VarVar.js:
2098         * stress/proxy-get-set-correct-receiver.js:
2099         * stress/regress-179562.js:
2100         * stress/rest-parameter-many-arguments.js:
2101         * stress/sampling-profiler-richards.js:
2102         * stress/splay-flash-access-1ms.js:
2103         * stress/tailCallForwardArguments.js:
2104         * stress/typed-array-get-by-val-profiling.js:
2105         * typeProfiler/getter-richards.js:
2106
2107 2018-11-06  Michael Saboff  <msaboff@apple.com>
2108
2109         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2110         https://bugs.webkit.org/show_bug.cgi?id=191271
2111
2112         Reviewed by Saam Barati.
2113
2114         Added more test cases and made all test cases run with the same deeply recursive stack
2115         instead of finding that same point for each test case.
2116
2117         * stress/regexp-compile-oom.js:
2118         (prototype.runTest):
2119         (recurseAndTest):
2120         (testList.push.new.TestAndExpectedException):
2121
2122 2018-11-05  Michael Saboff  <msaboff@apple.com>
2123
2124         Unreviewed build fix for linux.
2125
2126         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2127
2128 2018-11-02  Michael Saboff  <msaboff@apple.com>
2129
2130         Rolling in r237753 with unreviewed build fix.
2131
2132         Fixed issues with DECLARE_THROW_SCOPE placement.
2133
2134 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2135
2136         Unreviewed, rolling out r237753.
2137
2138         Introduced JSC test failures
2139
2140         Reverted changeset:
2141
2142         "Running out of stack space not properly handled in
2143         RegExp::compile() and its callers"
2144         https://bugs.webkit.org/show_bug.cgi?id=191206
2145         https://trac.webkit.org/changeset/237753
2146
2147 2018-11-02  Michael Saboff  <msaboff@apple.com>
2148
2149         Running out of stack space not properly handled in RegExp::compile() and its callers
2150         https://bugs.webkit.org/show_bug.cgi?id=191206
2151
2152         Reviewed by Filip Pizlo.
2153
2154         New regression test.
2155
2156         * stress/regexp-compile-oom.js: Added.
2157         (recurseAndTest):
2158
2159 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2160
2161         Skip tests on arm/mips that time out now we're running on CLoop
2162
2163         Unreviewed gardening.
2164
2165         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2166         time out on the bots and need to be disabled. There's more tests
2167         disabled on arm because the timeout is longer on the mips bot (as the
2168         device is slower to start with), so many of the tests don't time out
2169         there.
2170
2171         * microbenchmarks/getter-richards.js: disable on arm and mips.
2172         * stress/op_add.js: disable on arm.
2173         * stress/op_bitand.js: disable on arm.
2174         * stress/op_bitor.js: disable on arm.
2175         * stress/op_bitxor.js: disable on arm.
2176         * stress/op_lshift-ConstVar.js: disable on arm.
2177         * stress/op_lshift-VarConst.js: disable on arm.
2178         * stress/op_lshift-VarVar.js: disable on arm.
2179         * stress/op_mod-ConstVar.js: disable on arm.
2180         * stress/op_mod-VarConst.js: disable on arm.
2181         * stress/op_mod-VarVar.js: disable on arm.
2182         * stress/op_mul-ConstVar.js: disable on arm.
2183         * stress/op_mul-VarConst.js: disable on arm.
2184         * stress/op_mul-VarVar.js: disable on arm.
2185         * stress/op_rshift-ConstVar.js: disable on arm.
2186         * stress/op_rshift-VarConst.js: disable on arm.
2187         * stress/op_rshift-VarVar.js: disable on arm.
2188         * stress/op_sub-ConstVar.js: disable on arm.
2189         * stress/op_sub-VarConst.js: disable on arm.
2190         * stress/op_sub-VarVar.js: disable on arm.
2191         * stress/op_urshift-ConstVar.js: disable on arm.
2192         * stress/op_urshift-VarConst.js: disable on arm.
2193         * stress/op_urshift-VarVar.js: disable on arm.
2194         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2195         * stress/value-to-boolean.js: disable on arm and mips.
2196
2197 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2198
2199         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2200         https://bugs.webkit.org/show_bug.cgi?id=191108
2201         <rdar://problem/45690700>
2202
2203         Reviewed by Saam Barati.
2204
2205         * stress/wide-op_catch.js: Added.
2206         (catch):
2207
2208 2018-10-29  Mark Lam  <mark.lam@apple.com>
2209
2210         Correctly detect string overflow when using the 'Function' constructor.
2211         https://bugs.webkit.org/show_bug.cgi?id=184883
2212         <rdar://problem/36320331>
2213
2214         Reviewed by Saam Barati.
2215
2216         I've verified that this passes on 32-bit as well.
2217
2218         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2219
2220 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2221
2222         Add support for GetStack FlushedDouble
2223         https://bugs.webkit.org/show_bug.cgi?id=191012
2224         <rdar://problem/45265141>
2225
2226         Reviewed by Saam Barati.
2227
2228         * stress/get-stack-double.js: Added.
2229         (bar):
2230         (noInline):
2231
2232 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2233
2234         New bytecode format for JSC
2235         https://bugs.webkit.org/show_bug.cgi?id=187373
2236         <rdar://problem/44186758>
2237
2238         Reviewed by Filip Pizlo.
2239
2240         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2241
2242         * stress/maximum-inline-capacity.js: Added.
2243         (test1):
2244         (test3.Foo):
2245         (test3):
2246
2247 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2248
2249         Unreviewed, rolling out r237479 and r237484.
2250         https://bugs.webkit.org/show_bug.cgi?id=190978
2251
2252         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2253
2254         Reverted changesets:
2255
2256         "New bytecode format for JSC"
2257         https://bugs.webkit.org/show_bug.cgi?id=187373
2258         https://trac.webkit.org/changeset/237479
2259
2260         "Gardening: Build fix after r237479."
2261         https://bugs.webkit.org/show_bug.cgi?id=187373
2262         https://trac.webkit.org/changeset/237484
2263
2264 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2265
2266         New bytecode format for JSC
2267         https://bugs.webkit.org/show_bug.cgi?id=187373
2268         <rdar://problem/44186758>
2269
2270         Reviewed by Filip Pizlo.
2271
2272         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2273
2274         * stress/maximum-inline-capacity.js: Added.
2275         (test1):
2276         (test3.Foo):
2277         (test3):
2278
2279 2018-10-26  Mark Lam  <mark.lam@apple.com>
2280
2281         Fix missing edge cases with JSGlobalObjects having a bad time.
2282         https://bugs.webkit.org/show_bug.cgi?id=189028
2283         <rdar://problem/45204939>
2284
2285         Reviewed by Saam Barati.
2286
2287         * stress/regress-189028.js: Added.
2288
2289 2018-10-22  Mark Lam  <mark.lam@apple.com>
2290
2291         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2292         https://bugs.webkit.org/show_bug.cgi?id=190515
2293         <rdar://problem/45222379>
2294
2295         Rubber-stamped by Saam Barati.
2296
2297         Adding another test.
2298
2299         * stress/regress-190515-2.js: Added.
2300
2301 2018-10-22  Mark Lam  <mark.lam@apple.com>
2302
2303         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2304         https://bugs.webkit.org/show_bug.cgi?id=190515
2305         <rdar://problem/45222379>
2306
2307         Reviewed by Saam Barati.
2308
2309         * stress/regress-190515.js: Added.
2310
2311 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2312
2313         Unreviewed, rolling out r237254.
2314         https://bugs.webkit.org/show_bug.cgi?id=190760
2315
2316         "It regresses JetStream 2 by 5% on some iOS devices"
2317         (Requested by saamyjoon on #webkit).
2318
2319         Reverted changeset:
2320
2321         "[JSC] JSC should have "parseFunction" to optimize Function
2322         constructor"
2323         https://bugs.webkit.org/show_bug.cgi?id=190340
2324         https://trac.webkit.org/changeset/237254
2325
2326 2018-10-19  Saam Barati  <sbarati@apple.com>
2327
2328         vmCall should check if we exit before emitting an OSR exit due to exceptions
2329         https://bugs.webkit.org/show_bug.cgi?id=190740
2330         <rdar://problem/45220139>
2331
2332         Reviewed by Mark Lam.
2333
2334         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2335         (foo):
2336
2337 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2338
2339         [ESNext][BigInt] Implement support for "^"
2340         https://bugs.webkit.org/show_bug.cgi?id=186235
2341
2342         Reviewed by Yusuke Suzuki.
2343
2344         * stress/big-int-bitwise-xor-general.js: Added.
2345         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2346         * stress/big-int-bitwise-xor-type-error.js: Added.
2347         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2348
2349 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2350
2351         [BigInt] Add ValueSub into DFG
2352         https://bugs.webkit.org/show_bug.cgi?id=186176
2353
2354         Reviewed by Yusuke Suzuki.
2355
2356         * stress/big-int-subtraction-jit.js:
2357         * stress/value-sub-big-int-prediction-propagation.js: Added.
2358         * stress/value-sub-big-int-untyped.js: Added.
2359         * stress/value-sub-spec-none-case.js: Added.
2360
2361 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2362
2363         [JSC] JSC should have "parseFunction" to optimize Function constructor
2364         https://bugs.webkit.org/show_bug.cgi?id=190340
2365
2366         Reviewed by Mark Lam.
2367
2368         This patch fixes the line number of syntax errors raised by the Function constructor,
2369         since we now parse the final code only once. And we no longer use block statement
2370         for Function constructor's parsing.
2371
2372         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2373         * stress/function-cache-with-parameters-end-position.js: Added.
2374         (shouldBe):
2375         (shouldThrow):
2376         (i.anonymous):
2377         * stress/function-constructor-name.js: Added.
2378         (shouldBe):
2379         (GeneratorFunction):
2380         (AsyncFunction.async):
2381         (AsyncGeneratorFunction.async):
2382         (anonymous):
2383         (async.anonymous):
2384         * test262/expectations.yaml:
2385
2386 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2387
2388         Unreviewed, rolling out r237242.
2389         https://bugs.webkit.org/show_bug.cgi?id=190701
2390
2391         it breaks "stress/sampling-profiler-basic.js" (Requested by
2392         caiolima on #webkit).
2393
2394         Reverted changeset:
2395
2396         "[BigInt] Add ValueSub into DFG"
2397         https://bugs.webkit.org/show_bug.cgi?id=186176
2398         https://trac.webkit.org/changeset/237242
2399
2400 2018-10-17  Keith Miller  <keith_miller@apple.com>
2401
2402         AI does not clear Phantom allocation nodes.
2403         https://bugs.webkit.org/show_bug.cgi?id=190694
2404
2405         Reviewed by Saam Barati.
2406
2407         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2408         (Day):
2409         (DaysInYear):
2410         (TimeInYear):
2411         (TimeFromYear):
2412         (DayFromYear):
2413         (InLeapYear):
2414         (YearFromTime):
2415         (WeekDay):
2416         (DaylightSavingTA):
2417         (GetSecondSundayInMarch):
2418         (TimeInMonth):
2419
2420 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2421
2422         [BigInt] Add ValueSub into DFG
2423         https://bugs.webkit.org/show_bug.cgi?id=186176
2424
2425         Reviewed by Yusuke Suzuki.
2426
2427         * stress/big-int-subtraction-jit.js:
2428         * stress/value-sub-big-int-prediction-propagation.js: Added.
2429         * stress/value-sub-big-int-untyped.js: Added.
2430
2431 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2432
2433         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2434         https://bugs.webkit.org/show_bug.cgi?id=190611
2435
2436         Reviewed by Saam Barati.
2437
2438         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2439         to improve test runtime. On ARM/MIPS this test even timed out when running all
2440         tests.
2441
2442         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2443         (test):
2444
2445 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2446
2447         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2448
2449         Unreviewed gardening.
2450
2451         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2452
2453 2018-10-15  Saam barati  <sbarati@apple.com>
2454
2455         Emit fjcvtzs on ARM64E on Darwin
2456         https://bugs.webkit.org/show_bug.cgi?id=184023
2457
2458         Reviewed by Yusuke Suzuki and Filip Pizlo.
2459
2460         * stress/double-to-int32-NaN.js: Added.
2461         (assert):
2462         (foo):
2463
2464 2018-10-15  Saam Barati  <sbarati@apple.com>
2465
2466         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2467         https://bugs.webkit.org/show_bug.cgi?id=190262
2468         <rdar://problem/44986241>
2469
2470         Reviewed by Mark Lam.
2471
2472         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2473         (test):
2474         * stress/slice-array-storage-with-holes.js: Added.
2475         (main):
2476
2477 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2478
2479         Unreviewed, rolling out r237054.
2480         https://bugs.webkit.org/show_bug.cgi?id=190593
2481
2482         "this regressed JetStream 2 by 6% on iOS" (Requested by
2483         saamyjoon on #webkit).
2484
2485         Reverted changeset:
2486
2487         "[JSC] JSC should have "parseFunction" to optimize Function
2488         constructor"
2489         https://bugs.webkit.org/show_bug.cgi?id=190340
2490         https://trac.webkit.org/changeset/237054
2491
2492 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2493
2494         [JSC] JSON.stringify can accept call-with-no-arguments
2495         https://bugs.webkit.org/show_bug.cgi?id=190343
2496
2497         Reviewed by Mark Lam.
2498
2499         * stress/json-stringify-no-arguments.js: Added.
2500         (shouldBe):
2501
2502 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2503
2504         [JSC] JSC should have "parseFunction" to optimize Function constructor
2505         https://bugs.webkit.org/show_bug.cgi?id=190340
2506
2507         Reviewed by Mark Lam.
2508
2509         This patch fixes the line number of syntax errors raised by the Function constructor,
2510         since we now parse the final code only once. And we no longer use block statement
2511         for Function constructor's parsing.
2512
2513         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2514         * stress/function-cache-with-parameters-end-position.js: Added.
2515         (shouldBe):
2516         (shouldThrow):
2517         (i.anonymous):
2518         * stress/function-constructor-name.js: Added.
2519         (shouldBe):
2520         (GeneratorFunction):
2521         (AsyncFunction.async):
2522         (AsyncGeneratorFunction.async):
2523         (anonymous):
2524         (async.anonymous):
2525         * test262/expectations.yaml:
2526
2527 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2528
2529         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2530         https://bugs.webkit.org/show_bug.cgi?id=190426
2531
2532         Unreviewed gardening.
2533
2534         * stress/sampling-profiler-richards.js:
2535
2536 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2537
2538         [ESNext][BigInt] Implement support for "|"
2539         https://bugs.webkit.org/show_bug.cgi?id=186229
2540
2541         Reviewed by Yusuke Suzuki.
2542
2543         * stress/big-int-bitwise-and-jit.js:
2544         * stress/big-int-bitwise-or-general.js: Added.
2545         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2546         * stress/big-int-bitwise-or-jit.js: Added.
2547         * stress/big-int-bitwise-or-memory-stress.js: Added.
2548         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2549         * stress/big-int-bitwise-or-type-error.js: Added.
2550         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2551
2552 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2553
2554         Skip test on systems with limited memory
2555         https://bugs.webkit.org/show_bug.cgi?id=190310
2556
2557         Invoking runDefault adds test to runlist, skipping the test in the next
2558         line does not prevent the test from executing. Change order of lines such
2559         that runDefault is only executed if test is not executed.
2560
2561         Reviewed by Mark Lam.
2562
2563         * stress/regress-190187.js:
2564
2565 2018-10-03  Saam barati  <sbarati@apple.com>
2566
2567         lowXYZ in FTLLower should always filter the type of the incoming edge
2568         https://bugs.webkit.org/show_bug.cgi?id=189939
2569         <rdar://problem/44407030>
2570
2571         Reviewed by Michael Saboff.
2572
2573         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2574         (foo):
2575         (test):
2576
2577 2018-10-03  Mark Lam  <mark.lam@apple.com>
2578
2579         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2580         https://bugs.webkit.org/show_bug.cgi?id=190187
2581         <rdar://problem/42512909>
2582
2583         Reviewed by Michael Saboff.
2584
2585         * stress/regress-190187.js: Added.
2586
2587 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2588
2589         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2590         https://bugs.webkit.org/show_bug.cgi?id=190033
2591
2592         Reviewed by Yusuke Suzuki.
2593
2594         * stress/big-int-to-string.js:
2595
2596 2018-10-01  Mark Lam  <mark.lam@apple.com>
2597
2598         Function.toString() should also copy the source code Functions that are class definitions.
2599         https://bugs.webkit.org/show_bug.cgi?id=190186
2600         <rdar://problem/44733360>
2601
2602         Reviewed by Saam Barati.
2603
2604         * stress/regress-190186.js: Added.
2605
2606 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2607
2608         Split NaN-check into separate test
2609         https://bugs.webkit.org/show_bug.cgi?id=190010
2610
2611         Reviewed by Saam Barati.
2612
2613         DataView exposes NaN-representation, which is not necessarily the same on each
2614         architecture. Therefore move the check of the NaN-representation into its own
2615         file such that we can disable this test on MIPS where NaN-representation can be
2616         different on older CPUs.
2617
2618         * stress/dataview-jit-set-nan.js: Added.
2619         (assert):
2620         (test.storeLittleEndian):
2621         (test.storeBigEndian):
2622         (test.store):
2623         (test):
2624         * stress/dataview-jit-set.js:
2625         (test5):
2626
2627 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2628
2629         Unreviewed, rolling out r236647.
2630         https://bugs.webkit.org/show_bug.cgi?id=190124
2631
2632         Breaking test stress/big-int-to-string.js (Requested by
2633         caiolima_ on #webkit).
2634
2635         Reverted changeset:
2636
2637         "[BigInt] BigInt.proptotype.toString is broken when radix is
2638         power of 2"
2639         https://bugs.webkit.org/show_bug.cgi?id=190033
2640         https://trac.webkit.org/changeset/236647
2641
2642 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2643
2644         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2645         https://bugs.webkit.org/show_bug.cgi?id=190033
2646
2647         Reviewed by Yusuke Suzuki.
2648
2649         * stress/big-int-to-string.js:
2650
2651 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2652
2653         [ESNext][BigInt] Implement support for "&"
2654         https://bugs.webkit.org/show_bug.cgi?id=186228
2655
2656         Reviewed by Yusuke Suzuki.
2657
2658         * stress/big-int-bitwise-and-general.js: Added.
2659         (assert):
2660         (assert.sameValue):
2661         * stress/big-int-bitwise-and-jit.js: Added.
2662         (let.assert.sameValue):
2663         (bigIntBitAnd):
2664         * stress/big-int-bitwise-and-memory-stress.js: Added.
2665         (assert):
2666         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2667         (assert.sameValue):
2668         (let.o.Symbol.toPrimitive):
2669         (catch):
2670         * stress/big-int-bitwise-and-type-error.js: Added.
2671         (assert):
2672         (assertThrowTypeError):
2673         (let.o.valueOf):
2674         (o.valueOf):
2675         (o.toString):
2676         (o.Symbol.toPrimitive):
2677         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2678         (assert.sameValue):
2679         (testBitAnd):
2680         (let.o.Symbol.toPrimitive):
2681         (o.valueOf):
2682         (o.toString):
2683
2684 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2685
2686         JSC test stress/jsc-read.js doesn't support CRLF
2687         https://bugs.webkit.org/show_bug.cgi?id=190063
2688
2689         Reviewed by Yusuke Suzuki.
2690
2691         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2692
2693         * stress/jsc-read.js:
2694         (test):
2695
2696 2018-09-27  Saam barati  <sbarati@apple.com>
2697
2698         Verify the contents of AssemblerBuffer on arm64e
2699         https://bugs.webkit.org/show_bug.cgi?id=190057
2700         <rdar://problem/38916630>
2701
2702         Reviewed by Mark Lam.
2703
2704         * stress/regress-189132.js:
2705
2706 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2707
2708         Disable test without LLInt on ARMv7
2709         https://bugs.webkit.org/show_bug.cgi?id=190037
2710
2711         Reviewed by Mark Lam.
2712
2713         Test runs out of executable memory on ARMv7, do not run
2714         this test without LLInt enabled.
2715
2716         * stress/regress-169445.js:
2717
2718 2018-09-26  Keith Miller  <keith_miller@apple.com>
2719
2720         We should zero unused property storage when rebalancing array storage.
2721         https://bugs.webkit.org/show_bug.cgi?id=188151
2722
2723         Reviewed by Michael Saboff.
2724
2725         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2726
2727 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2728
2729         [JSC] Optimize Array#lastIndexOf
2730         https://bugs.webkit.org/show_bug.cgi?id=189780
2731
2732         Reviewed by Saam Barati.
2733
2734         * stress/array-lastindexof-array-prototype-trap.js: Added.
2735         (shouldBe):
2736         (AncestorArray.prototype.get 2):
2737         (AncestorArray):
2738         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2739         (shouldBe):
2740         * stress/array-lastindexof-hole-nan.js: Added.
2741         (shouldBe):
2742         (throw.new.Error):
2743         * stress/array-lastindexof-infinity.js: Added.
2744         (shouldBe):
2745         (throw.new.Error):
2746         * stress/array-lastindexof-negative-zero.js: Added.
2747         (shouldBe):
2748         (throw.new.Error):
2749         * stress/array-lastindexof-own-getter.js: Added.
2750         (shouldBe):
2751         (throw.new.Error.get array):
2752         (get array):
2753         * stress/array-lastindexof-prototype-trap.js: Added.
2754         (shouldBe):
2755         (DerivedArray.prototype.get 2):
2756         (DerivedArray):
2757
2758 2018-09-25  Saam Barati  <sbarati@apple.com>
2759
2760         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2761         https://bugs.webkit.org/show_bug.cgi?id=189940
2762         <rdar://problem/43640987>
2763
2764         Reviewed by Mark Lam.
2765
2766         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2767
2768 2018-09-24  Saam Barati  <sbarati@apple.com>
2769
2770         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2771         https://bugs.webkit.org/show_bug.cgi?id=189922
2772         <rdar://problem/44651275>
2773
2774         Reviewed by Mark Lam.
2775
2776         * stress/array-indexof-fast-path-effects.js: Added.
2777         * stress/array-indexof-cached-length.js: Added.
2778
2779 2018-09-24  Saam barati  <sbarati@apple.com>
2780
2781         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2782         https://bugs.webkit.org/show_bug.cgi?id=189682
2783         <rdar://problem/43557315>
2784
2785         Reviewed by Mark Lam.
2786
2787         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2788         (foo):
2789
2790 2018-09-22  Saam barati  <sbarati@apple.com>
2791
2792         The sampling should not use Strong<CodeBlock> in its machineLocation field
2793         https://bugs.webkit.org/show_bug.cgi?id=189319
2794
2795         Reviewed by Filip Pizlo.
2796
2797         * stress/sampling-profiler-richards.js: Added.
2798
2799 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2800
2801         [JSC] Optimize Array#indexOf in C++ runtime
2802         https://bugs.webkit.org/show_bug.cgi?id=189507
2803
2804         Reviewed by Saam Barati.
2805
2806         * stress/array-indexof-array-prototype-trap.js: Added.
2807         (shouldBe):
2808         (AncestorArray.prototype.get 2):
2809         (AncestorArray):
2810         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2811         (shouldBe):
2812         * stress/array-indexof-hole-nan.js: Added.
2813         (shouldBe):
2814         (throw.new.Error):
2815         * stress/array-indexof-infinity.js: Added.
2816         (shouldBe):
2817         (throw.new.Error):
2818         * stress/array-indexof-negative-zero.js: Added.
2819         (shouldBe):
2820         (throw.new.Error):
2821         * stress/array-indexof-own-getter.js: Added.
2822         (shouldBe):
2823         (throw.new.Error.get array):
2824         (get array):
2825         * stress/array-indexof-prototype-trap.js: Added.
2826         (shouldBe):
2827         (DerivedArray.prototype.get 2):
2828         (DerivedArray):
2829
2830 2018-09-19  Saam barati  <sbarati@apple.com>
2831
2832         AI rule for MultiPutByOffset executes its effects in the wrong order
2833         https://bugs.webkit.org/show_bug.cgi?id=189757
2834         <rdar://problem/43535257>
2835
2836         Reviewed by Michael Saboff.
2837
2838         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2839         (foo):
2840         (Foo):
2841         (g):
2842
2843 2018-09-17  Mark Lam  <mark.lam@apple.com>
2844
2845         Ensure that ForInContexts are invalidated if their loop local is over-written.
2846         https://bugs.webkit.org/show_bug.cgi?id=189571
2847         <rdar://problem/44402277>
2848
2849         Reviewed by Saam Barati.
2850
2851         * stress/regress-189571.js: Added.
2852
2853 2018-09-17  Saam barati  <sbarati@apple.com>
2854
2855         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2856         https://bugs.webkit.org/show_bug.cgi?id=189676
2857         <rdar://problem/39682897>
2858
2859         Reviewed by Michael Saboff.
2860
2861         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2862         (A):
2863         (K):
2864         (i.catch):
2865
2866 2018-09-14  Saam barati  <sbarati@apple.com>
2867
2868         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2869         https://bugs.webkit.org/show_bug.cgi?id=189628
2870         <rdar://problem/39481690>
2871
2872         Reviewed by Mark Lam.
2873
2874         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2875         (foo):
2876
2877 2018-09-11  Mark Lam  <mark.lam@apple.com>
2878
2879         Test for array initialization in arrayProtoFuncSplice.
2880         https://bugs.webkit.org/show_bug.cgi?id=170253
2881         <rdar://problem/31328773>
2882
2883         Rubber-stamped by Saam Barati.
2884
2885         * stress/regress-170253.js: Added.
2886
2887 2018-09-11  Mark Lam  <mark.lam@apple.com>
2888
2889         Test for IntlObject initialization.
2890         https://bugs.webkit.org/show_bug.cgi?id=170251
2891         <rdar://problem/31328419>
2892
2893         Rubber-stamped by Saam Barati.
2894
2895         * stress/regress-170251.js: Added.
2896
2897 2018-09-11  Mark Lam  <mark.lam@apple.com>
2898
2899         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2900         https://bugs.webkit.org/show_bug.cgi?id=169889
2901         <rdar://problem/31155607>
2902
2903         Reviewed by Saam Barati.
2904
2905         * stress/regress-169889-array-concat.js: Added.
2906         * stress/regress-169889-array-concat1.js: Added.
2907         * stress/regress-169889-array-slice.js: Added.
2908
2909 2018-09-11  Mark Lam  <mark.lam@apple.com>
2910
2911         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2912         https://bugs.webkit.org/show_bug.cgi?id=169445
2913         <rdar://problem/30957435>
2914
2915         Reviewed by Saam Barati.
2916
2917         * stress/regress-169445.js: Added.
2918         (let.gun.eval.A):
2919         (let.gun.eval.B.C):
2920         (let.gun.eval.B.C.prototype.trigger):
2921         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2922         (let.gun.eval.B):
2923         (let.gun.eval):
2924
2925 == Rolled over to ChangeLog-2018-09-11 ==