Incremental bytecode cache should not append function updates when loaded from memory
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
2
3         Incremental bytecode cache should not append function updates when loaded from memory
4         https://bugs.webkit.org/show_bug.cgi?id=196865
5
6         Reviewed by Filip Pizlo.
7
8         * stress/bytecode-cache-shared-code-block.js: Added.
9         (b):
10         (program):
11
12 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
13
14         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
15         https://bugs.webkit.org/show_bug.cgi?id=196880
16
17         Reviewed by Yusuke Suzuki.
18
19         * stress/bytecode-cache-syntax-error.js: Added.
20         (catch):
21
22 2019-04-12  Saam barati  <sbarati@apple.com>
23
24         r244079 logically broke shouldSpeculateInt52
25         https://bugs.webkit.org/show_bug.cgi?id=196884
26
27         Reviewed by Yusuke Suzuki.
28
29         * microbenchmarks/int52-rand-function.js: Added.
30         (Math.random):
31
32 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
33
34         [JSC] op_has_indexed_property should not assume subscript part is Uint32
35         https://bugs.webkit.org/show_bug.cgi?id=196850
36
37         Reviewed by Saam Barati.
38
39         * stress/has-indexed-property-should-accept-non-int32.js: Added.
40         (foo):
41
42 2019-04-11  Saam barati  <sbarati@apple.com>
43
44         Remove invalid assertion in operationInstanceOfCustom
45         https://bugs.webkit.org/show_bug.cgi?id=196842
46         <rdar://problem/49725493>
47
48         Reviewed by Michael Saboff.
49
50         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
51
52 2019-04-10  Saam Barati  <sbarati@apple.com>
53
54         AbstractValue::validateOSREntryValue is wrong for Int52 constants
55         https://bugs.webkit.org/show_bug.cgi?id=196801
56         <rdar://problem/49771122>
57
58         Reviewed by Yusuke Suzuki.
59
60         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
61
62 2019-04-10  Robin Morisset  <rmorisset@apple.com>
63
64         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
65         https://bugs.webkit.org/show_bug.cgi?id=196746
66
67         Reviewed by Yusuke Suzuki.
68
69         * stress/cyclic-define-properties.js: Added.
70         (foo):
71
72 2019-04-09  Saam barati  <sbarati@apple.com>
73
74         Clean up Int52 code and some bugs in it
75         https://bugs.webkit.org/show_bug.cgi?id=196639
76         <rdar://problem/49515757>
77
78         Reviewed by Yusuke Suzuki.
79
80         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
81
82 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
83
84         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
85         https://bugs.webkit.org/show_bug.cgi?id=196708
86         <rdar://problem/49556803>
87
88         Reviewed by Yusuke Suzuki.
89
90         * stress/proxy-getter-stack-overflow.js: Added.
91         (const.handler.get target):
92         (const.handler.has):
93         (try.with):
94         (catch):
95
96 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
97
98         [JSC] DFG should respect node's strict flag
99         https://bugs.webkit.org/show_bug.cgi?id=196617
100
101         Reviewed by Saam Barati.
102
103         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
104         (shouldEqual):
105         (makeUnwriteableUnconfigurableObject):
106         (runTest):
107         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
108         (shouldBe):
109         (shouldThrow):
110         (with.result):
111         (with.putValueStrict):
112         (with.putValueSloppy):
113
114 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
115
116         [JSC] isRope jump in StringSlice should not jump over register allocations
117         https://bugs.webkit.org/show_bug.cgi?id=196716
118
119         Reviewed by Saam Barati.
120
121         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
122         (foo.bar):
123         (foo):
124
125 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
126
127         [JSC] to_index_string should not assume incoming value is Uint32
128         https://bugs.webkit.org/show_bug.cgi?id=196713
129
130         Reviewed by Saam Barati.
131
132         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
133         (foo):
134
135 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
136
137         [JSC] Add more tests for r243966
138         https://bugs.webkit.org/show_bug.cgi?id=196711
139
140         Reviewed by Saam Barati.
141
142         Adding one more test for r243966 fix. The added test will not crash after r243966.
143
144         * stress/stress-cleared-calllinkinfo.js: Added.
145         (runNearStackLimit.t):
146         (runNearStackLimit):
147         (repeat):
148         (cls):
149         (let.item.of.array.runNearStackLimit):
150
151 2019-04-08  Saam Barati  <sbarati@apple.com>
152
153         WebAssembly.RuntimeError missing exception check
154         https://bugs.webkit.org/show_bug.cgi?id=196700
155         <rdar://problem/49693932>
156
157         Reviewed by Yusuke Suzuki.
158
159         * wasm/js-api/runtime-error-should-exception-check.js: Added.
160
161 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
162
163         Unreviewed, rolling in r243948 with test fix
164         https://bugs.webkit.org/show_bug.cgi?id=196486
165
166         * stress/arrow-function-and-use-strict-directive.js: Added.
167         * stress/arrow-function-syntax.js: Added.
168         (checkSyntax):
169         (checkSyntaxError):
170
171 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
172
173         Unreviewed, rolling out r243948.
174
175         Caused inspector/runtime/parse.html to fail
176
177         Reverted changeset:
178
179         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
180         https://bugs.webkit.org/show_bug.cgi?id=196486
181         https://trac.webkit.org/changeset/243948
182
183 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
184
185         Unreviewed, rolling out r243943.
186
187         Caused test262 failures.
188
189         Reverted changeset:
190
191         "[JSC] Filter DontEnum properties in
192         ProxyObject::getOwnPropertyNames()"
193         https://bugs.webkit.org/show_bug.cgi?id=176810
194         https://trac.webkit.org/changeset/243943
195
196 2019-04-07  Michael Saboff  <msaboff@apple.com>
197
198         REGRESSION (r243642): Crash in reddit.com page
199         https://bugs.webkit.org/show_bug.cgi?id=196684
200
201         Reviewed by Geoffrey Garen.
202
203         New regression test.
204
205         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
206
207 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
208
209         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
210         https://bugs.webkit.org/show_bug.cgi?id=196683
211
212         Reviewed by Saam Barati.
213
214         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
215         (foo):
216
217 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
218
219         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
220         https://bugs.webkit.org/show_bug.cgi?id=196582
221
222         Reviewed by Saam Barati.
223
224         * stress/add-overflow-check-with-three-same-registers.js: Added.
225         (foo):
226         (Number.prototype.valueOf):
227         (runWithNumber):
228
229 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
230
231         Unreviewed, rolling out r243665.
232
233         Caused iOS JSC tests to exit with an exception.
234
235         Reverted changeset:
236
237         "Assertion failed in JSC::createError"
238         https://bugs.webkit.org/show_bug.cgi?id=196305
239         https://trac.webkit.org/changeset/243665
240
241 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
242
243         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
244         https://bugs.webkit.org/show_bug.cgi?id=196486
245
246         Reviewed by Saam Barati.
247
248         * stress/arrow-function-and-use-strict-directive.js: Added.
249         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
250         (checkSyntax):
251         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
252
253 2019-04-05  Caitlin Potter  <caitp@igalia.com>
254
255         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
256         https://bugs.webkit.org/show_bug.cgi?id=176810
257
258         Reviewed by Saam Barati.
259
260         Add tests for the DontEnum filtering, and variations of other tests
261         take the DontEnum-filtering path.
262
263         * stress/proxy-own-keys.js:
264         (i.catch):
265         (set assert):
266         (set add):
267         (let.set new):
268         (get let):
269
270 2019-04-05  Caitlin Potter  <caitp@igalia.com>
271
272         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
273         https://bugs.webkit.org/show_bug.cgi?id=185211
274
275         Reviewed by Saam Barati.
276
277         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
278
279         This changes several assertions to expect a TypeError to be thrown (in some cases,
280         changing the expected message).
281
282         * es6/Proxy_ownKeys_duplicates.js:
283         (handler):
284         (shouldThrow):
285         (test):
286         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
287         (shouldThrow):
288         * stress/proxy-own-keys.js:
289         (i.catch):
290         (assert):
291
292 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
293
294         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
295         https://bugs.webkit.org/show_bug.cgi?id=196631
296
297         Reviewed by Saam Barati.
298
299         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
300         (assert):
301         (test):
302         (foo):
303
304 2019-04-04  Saam Barati  <sbarati@apple.com>
305
306         Unreviewed. Make the test from r243906 catch the thrown exceptions.
307
308         * stress/inferred-types-regex-matches-array.js:
309
310 2019-04-04  Saam Barati  <sbarati@apple.com>
311
312         createRegExpMatchesArray does not respect inferred types
313         https://bugs.webkit.org/show_bug.cgi?id=193287
314
315         Reviewed by Yusuke Suzuki.
316
317         This checks in the test case for 193287. This issue was discovered by
318         Samuel Groß of Google Project Zero.
319
320         * stress/inferred-types-regex-matches-array.js: Added.
321
322 2019-04-04  Saam barati  <sbarati@apple.com>
323
324         Teach Call ICs how to call Wasm
325         https://bugs.webkit.org/show_bug.cgi?id=196387
326
327         Reviewed by Filip Pizlo.
328
329         * wasm/function-tests/stack-trace.js:
330
331 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
332
333         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
334         https://bugs.webkit.org/show_bug.cgi?id=194944
335
336         Reviewed by Keith Miller.
337
338         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
339
340 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
341
342         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
343         https://bugs.webkit.org/show_bug.cgi?id=196409
344
345         Reviewed by Saam Barati.
346
347         * stress/bytecode-cache-cached-string-impl.js: Added.
348         (f):
349         (g):
350         * stress/bytecode-cache-run-string.js: Added.
351
352 2019-04-03  Robin Morisset  <rmorisset@apple.com>
353
354         B3 should use associativity to optimize expression trees
355         https://bugs.webkit.org/show_bug.cgi?id=194081
356
357         Reviewed by Filip Pizlo.
358
359         Added three microbenchmarks:
360         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
361         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
362           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
363         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
364
365         * microbenchmarks/add-tree.js: Added.
366         * microbenchmarks/bit-or-tree.js: Added.
367         * microbenchmarks/bit-xor-tree.js: Added.
368
369 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
370
371         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
372         https://bugs.webkit.org/show_bug.cgi?id=196574
373
374         Reviewed by Saam Barati.
375
376         * stress/string-index-of-exception-check.js: Added.
377         (blurType):
378         (1.forEach):
379
380 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
381
382         Assertion failed in JSC::createError
383         https://bugs.webkit.org/show_bug.cgi?id=196305
384         <rdar://problem/49387382>
385
386         Reviewed by Saam Barati.
387
388         * stress/create-error-out-of-memory-rope-string-2.js: Added.
389         (assert):
390         (catch):
391
392 2019-03-28  Saam Barati  <sbarati@apple.com>
393
394         BackwardsGraph needs to consider back edges as the backward's root successor
395         https://bugs.webkit.org/show_bug.cgi?id=195991
396
397         Reviewed by Filip Pizlo.
398
399         * stress/map-b3-licm-infinite-loop.js: Added.
400
401 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
402
403         CodeBlock::jettison() should disallow repatching its own calls
404         https://bugs.webkit.org/show_bug.cgi?id=196359
405         <rdar://problem/48973663>
406
407         Reviewed by Saam Barati.
408
409         * stress/call-link-info-osrexit-repatch.js: Added.
410         (foo):
411
412 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
413
414         [JSC] imports-oom.js intermittently fails
415         https://bugs.webkit.org/show_bug.cgi?id=196373
416
417         Reviewed by Saam Barati.
418
419         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
420         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
421         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
422         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
423         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
424
425         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
426         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
427
428         * wasm/lowExecutableMemory/imports-oom.js:
429
430 2019-03-27  Saam Barati  <sbarati@apple.com>
431
432         validateOSREntryValue with Int52 should box the value being checked into double format
433         https://bugs.webkit.org/show_bug.cgi?id=196313
434         <rdar://problem/49306703>
435
436         Reviewed by Yusuke Suzuki.
437
438         * stress/validate-int-52-ai-state.js: Added.
439
440 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
441
442         [JSC] Owner of watchpoints should validate at GC finalizing phase
443         https://bugs.webkit.org/show_bug.cgi?id=195827
444
445         Reviewed by Filip Pizlo.
446
447         * stress/gc-should-reap-dead-watchpoints.js: Added.
448         (foo):
449         (A.prototype.y):
450         (A):
451
452 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
453
454         Skip WebAssembly test on 32-bit systems
455         https://bugs.webkit.org/show_bug.cgi?id=196206
456
457         Reviewed by Saam Barati.
458
459         Invoking runDefault executes test immediately even though
460         that test should be skipped due to missing WASM support.
461         Therefore remove runDefault.
462
463         * wasm/regress/web-assembly-link-error-exception-check.js:
464
465 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
466
467         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
468         https://bugs.webkit.org/show_bug.cgi?id=196217
469
470         Reviewed by Saam Barati.
471
472         Re-enable all NaN tests for f32.min, f64.min and f64.max.
473
474         * wasm/spec-tests/f32.wast.js:
475         * wasm/spec-tests/f64.wast.js:
476         * wasm/wasm.json:
477
478 2019-03-25  Keith Miller  <keith_miller@apple.com>
479
480         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
481         https://bugs.webkit.org/show_bug.cgi?id=196176
482
483         Reviewed by Saam Barati.
484
485         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
486         (main.v10):
487         (main):
488
489 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
490
491         WebAssembly: f32.max with NaN generates incorrect result
492         https://bugs.webkit.org/show_bug.cgi?id=175691
493         <rdar://problem/33952228>
494
495         Reviewed by Saam Barati.
496
497         Enable all f32.max NaN tests
498
499         * wasm/spec-tests/f32.wast.js:
500         * wasm/wasm.json:
501
502 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
503
504         [JSC] Move test into directory for WASM tests
505         https://bugs.webkit.org/show_bug.cgi?id=196187
506
507         Reviewed by Mark Lam.
508
509         Move Test into wasm-directory. Otherwise this test
510         is also executed on systems without WASM support.
511
512         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
513
514 2019-03-23  Mark Lam  <mark.lam@apple.com>
515
516         Rolling out r243032 and r243071 because the fix is incorrect.
517         https://bugs.webkit.org/show_bug.cgi?id=195892
518         <rdar://problem/48981239>
519
520         Not reviewed.
521
522         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
523
524 2019-03-22  Mark Lam  <mark.lam@apple.com>
525
526         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
527         https://bugs.webkit.org/show_bug.cgi?id=196154
528         <rdar://problem/49145307>
529
530         Reviewed by Filip Pizlo.
531
532         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
533         There's no need to run this test on more than 1 test configuration.
534
535         * stress/typed-array-lastIndexOf-exception-check.js: Added.
536         * stress/web-assembly-link-error-exception-check.js:
537
538 2019-03-22  Mark Lam  <mark.lam@apple.com>
539
540         Placate exception check validation in constructJSWebAssemblyLinkError().
541         https://bugs.webkit.org/show_bug.cgi?id=196152
542         <rdar://problem/49145257>
543
544         Reviewed by Michael Saboff.
545
546         * stress/web-assembly-link-error-exception-check.js: Added.
547
548 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
549
550         Skip tests running out of memory on ARM/MIPS
551         https://bugs.webkit.org/show_bug.cgi?id=196131
552
553         Unreviewed. Skip test if memory is limited.
554
555         * microbenchmarks/put-by-val-direct-large-index.js:
556
557 2019-03-21  Mark Lam  <mark.lam@apple.com>
558
559         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
560         https://bugs.webkit.org/show_bug.cgi?id=196116
561         <rdar://problem/48976951>
562
563         Reviewed by Filip Pizlo.
564
565         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
566
567 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
568
569         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
570         https://bugs.webkit.org/show_bug.cgi?id=196078
571         <rdar://problem/35925380>
572
573         Reviewed by Mark Lam.
574
575         Add a new benchmark that allocates several objects and invokes put_by_val_direct
576         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
577
578         * microbenchmarks/put-by-val-direct-large-index.js: Added.
579
580 2019-03-21  Mark Lam  <mark.lam@apple.com>
581
582         Placate exception check validation in operationArrayIndexOfString().
583         https://bugs.webkit.org/show_bug.cgi?id=196067
584         <rdar://problem/49056572>
585
586         Reviewed by Michael Saboff.
587
588         * stress/string-equal-exception-check.js: Added.
589
590 2019-03-21  Mark Lam  <mark.lam@apple.com>
591
592         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
593         https://bugs.webkit.org/show_bug.cgi?id=196055
594         <rdar://problem/49067448>
595
596         Reviewed by Yusuke Suzuki.
597
598         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
599
600 2019-03-20  Saam Barati  <sbarati@apple.com>
601
602         typeOfDoubleSum is wrong for when NaN can be produced
603         https://bugs.webkit.org/show_bug.cgi?id=196030
604
605         Reviewed by Filip Pizlo.
606
607         * stress/double-add-sub-mul-can-produce-nan.js: Added.
608         (assert):
609         (noInline.sub):
610         (noInline):
611         (assert.mul):
612         (assert.add):
613
614 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
615
616         Update the test to ensure OutOfMemoryError is thrown as intended
617         https://bugs.webkit.org/show_bug.cgi?id=196032
618         <rdar://problem/46842740>
619
620         Rubber stamped by Saam Barati.
621
622         * stress/create-error-out-of-memory-rope-string.js:
623         (assert):
624         (catch):
625
626 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
627
628         JSC::createError needs to check for OOM in errorDescriptionForValue
629         https://bugs.webkit.org/show_bug.cgi?id=196032
630         <rdar://problem/46842740>
631
632         Reviewed by Mark Lam.
633
634         * stress/create-error-out-of-memory-rope-string.js: Added.
635
636 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
637
638         Unreviewed, reduce # of iterations to avoid timing out after r242991
639         https://bugs.webkit.org/show_bug.cgi?id=195791
640
641         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
642
643         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
644
645 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
646
647         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
648         https://bugs.webkit.org/show_bug.cgi?id=195950
649
650         Unreviewed, reducing the amount of memory used on this test to avoid
651         OOM on devices with memory restrictions.
652
653         * microbenchmarks/generate-multiple-llint-entrypoints.js:
654
655 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
656
657         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
658         https://bugs.webkit.org/show_bug.cgi?id=194648
659
660         Reviewed by Keith Miller.
661
662         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
663
664 2019-03-18  Mark Lam  <mark.lam@apple.com>
665
666         Missing a ThrowScope release in JSObject::toString().
667         https://bugs.webkit.org/show_bug.cgi?id=195893
668         <rdar://problem/48970986>
669
670         Reviewed by Michael Saboff.
671
672         * stress/to-string-exception-check-release.js: Added.
673
674 2019-03-18  Mark Lam  <mark.lam@apple.com>
675
676         Structure::flattenDictionary() should clear unused property slots.
677         https://bugs.webkit.org/show_bug.cgi?id=195871
678         <rdar://problem/48959497>
679
680         Reviewed by Michael Saboff.
681
682         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
683
684 2019-03-15  Mark Lam  <mark.lam@apple.com>
685
686         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
687         https://bugs.webkit.org/show_bug.cgi?id=195827
688         <rdar://problem/48845513>
689
690         Reviewed by Filip Pizlo.
691
692         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
693
694 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
695
696         [ARM,MIPS] Skip slow tests
697         https://bugs.webkit.org/show_bug.cgi?id=195799
698
699         Unreviewed, test does not finish on ARM and MIPS within the
700         timeout limit.
701
702         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
703
704 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
705
706         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
707         https://bugs.webkit.org/show_bug.cgi?id=195791
708         <rdar://problem/48806130>
709
710         Reviewed by Mark Lam.
711
712         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
713         (foo):
714
715 2019-03-14  Saam barati  <sbarati@apple.com>
716
717         We can't remove code after ForceOSRExit until after FixupPhase
718         https://bugs.webkit.org/show_bug.cgi?id=186916
719         <rdar://problem/41396612>
720
721         Reviewed by Yusuke Suzuki.
722
723         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
724         (foo):
725         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
726         (foo):
727
728 2019-03-13  Michael Saboff  <msaboff@apple.com>
729
730         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
731         https://bugs.webkit.org/show_bug.cgi?id=195735
732
733         Reviewed by Mark Lam.
734
735         New regression test.
736
737         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
738         (foo):
739         (bar):
740
741 2019-03-14  Saam barati  <sbarati@apple.com>
742
743         Fixup uses KnownInt32 incorrectly in some nodes
744         https://bugs.webkit.org/show_bug.cgi?id=195279
745         <rdar://problem/47915654>
746
747         Reviewed by Yusuke Suzuki.
748
749         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
750         (foo):
751
752 2019-03-14  Keith Miller  <keith_miller@apple.com>
753
754         DFG liveness can't skip tail caller inline frames
755         https://bugs.webkit.org/show_bug.cgi?id=195715
756
757         Reviewed by Saam Barati.
758
759         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
760         (i.foo):
761
762 2019-03-13  Mark Lam  <mark.lam@apple.com>
763
764         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
765         https://bugs.webkit.org/show_bug.cgi?id=195415
766
767         Not reviewed.
768
769         Changed these tests to only run the default configuration.
770         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
771         There's no strong need to run this test on that variant.
772
773         * stress/dfg-to-string-on-int-does-gc.js:
774         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
775
776 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
777
778         String overflow when using StringBuilder in JSC::createError
779         https://bugs.webkit.org/show_bug.cgi?id=194957
780
781         Reviewed by Mark Lam.
782
783         Add test string-overflow-createError-builder.js that overflows
784         StringBuilder in notAFunctionSourceAppender. The second new test
785         string-overflow-createError-fit.js has an error message that doesn't
786         overflow, it still failed since the String's capacity can't be doubled.
787         Run test string-overflow-createError.js only in the default
788         configuration to reduce memory consumption when running the test
789         in all configurations on multiple CPUs in parallel.
790
791         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
792         (catch):
793         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
794         (catch):
795         * stress/string-overflow-createError.js:
796
797 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
798
799         [JSC] OSR entry should respect abstract values in addition to flush formats
800         https://bugs.webkit.org/show_bug.cgi?id=195653
801
802         Reviewed by Mark Lam.
803
804         * stress/osr-entry-locals-none.js: Added.
805
806 2019-03-12  Michael Saboff  <msaboff@apple.com>
807
808         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
809         https://bugs.webkit.org/show_bug.cgi?id=195613
810
811         Reviewed by Mark Lam.
812
813         New regression test.
814
815         * stress/regexp-backref-inbounds.js: Added.
816         (testRegExp):
817
818 2019-03-12  Mark Lam  <mark.lam@apple.com>
819
820         The HasIndexedProperty node does GC.
821         https://bugs.webkit.org/show_bug.cgi?id=195559
822         <rdar://problem/48767923>
823
824         Reviewed by Yusuke Suzuki.
825
826         * stress/HasIndexedProperty-does-gc.js: Added.
827
828 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
829
830         [ESNext][BigInt] Implement "~" unary operation
831         https://bugs.webkit.org/show_bug.cgi?id=182216
832
833         Reviewed by Keith Miller.
834
835         * stress/big-int-bit-not-general.js: Added.
836         * stress/big-int-bitwise-not-jit.js: Added.
837         * stress/big-int-bitwise-not-wrapped-value.js: Added.
838         * stress/bit-op-with-object-returning-int32.js:
839         * stress/bitwise-not-fixup-rules.js: Added.
840         * stress/value-bit-not-ai-rule.js: Added.
841
842 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
843
844         Invalid flags in a RegExp literal should be an early SyntaxError
845         https://bugs.webkit.org/show_bug.cgi?id=195514
846
847         Reviewed by Darin Adler.
848
849         * test262/expectations.yaml:
850         Mark 4 test cases as passing.
851
852         * stress/regexp-syntax-error-invalid-flags.js:
853         * stress/regress-161995.js: Removed.
854         Update existing test, merging in an older test for the same behavior.
855
856 2019-03-08  Mark Lam  <mark.lam@apple.com>
857
858         Stack overflow crash in JSC::JSObject::hasInstance.
859         https://bugs.webkit.org/show_bug.cgi?id=195458
860         <rdar://problem/48710195>
861
862         Reviewed by Yusuke Suzuki.
863
864         * stress/stack-overflow-in-custom-hasInstance.js: Added.
865
866 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
867
868         op_check_tdz does not def its argument
869         https://bugs.webkit.org/show_bug.cgi?id=192880
870         <rdar://problem/46221598>
871
872         Reviewed by Saam Barati.
873
874         * microbenchmarks/let-for-in.js: Added.
875         (foo):
876
877 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
878
879         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
880         https://bugs.webkit.org/show_bug.cgi?id=195429
881
882         Reviewed by Saam Barati.
883
884         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
885         (foo):
886         * stress/string-from-char-code-255.js: Added.
887
888 2019-03-06  Mark Lam  <mark.lam@apple.com>
889
890         Fix incorrect handling of try-finally completion values.
891         https://bugs.webkit.org/show_bug.cgi?id=195131
892         <rdar://problem/46222079>
893
894         Reviewed by Saam Barati and Yusuke Suzuki.
895
896         Added many permutations of new test case to test-finally.js.  test-finally.js has
897         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
898         tests pass there as well.
899
900         * stress/test-finally.js:
901
902 2019-03-06  Saam Barati  <sbarati@apple.com>
903
904         Air::reportUsedRegisters must padInterference
905         https://bugs.webkit.org/show_bug.cgi?id=195303
906         <rdar://problem/48270343>
907
908         Reviewed by Keith Miller.
909
910         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
911
912 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
913
914         [JSC] AI should not propagate AbstractValue relying on constant folding phase
915         https://bugs.webkit.org/show_bug.cgi?id=195375
916
917         Reviewed by Saam Barati.
918
919         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
920         (let.array):
921
922 2019-03-05  Saam barati  <sbarati@apple.com>
923
924         op_switch_char broken for rope strings after JSRopeString layout rewrite
925         https://bugs.webkit.org/show_bug.cgi?id=195339
926         <rdar://problem/48592545>
927
928         Reviewed by Yusuke Suzuki.
929
930         * stress/switch-on-char-llint-rope.js: Added.
931
932 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
933
934         [JSC] Store bits for JSRopeString in 3 stores
935         https://bugs.webkit.org/show_bug.cgi?id=195234
936
937         Reviewed by Saam Barati.
938
939         * stress/null-rope-and-collectors.js: Added.
940
941 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
942
943         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
944         https://bugs.webkit.org/show_bug.cgi?id=195207
945
946         Unreviewed. After test runtime was reduced in r242213, test can be
947         run again on ARM/MIPS.
948
949         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
950
951 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
952
953         [JSC] sizeof(JSString) should be 16
954         https://bugs.webkit.org/show_bug.cgi?id=194375
955
956         Reviewed by Saam Barati.
957
958         * microbenchmarks/make-rope.js: Added.
959         (makeRope):
960         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
961         (returnRope.helper): Deleted.
962         (returnRope): Deleted.
963
964 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
965
966         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
967         https://bugs.webkit.org/show_bug.cgi?id=195144
968
969         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
970         Change the number from 1e8 to 1e5.
971
972         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
973         (foo):
974
975 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
976
977         Test times out on ARM/MIPS
978         https://bugs.webkit.org/show_bug.cgi?id=195168
979
980         Unreviewed. Skip test on ARM/MIPS.
981
982         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
983
984 2019-02-27  Mark Lam  <mark.lam@apple.com>
985
986         The parser is failing to record the token location of new in new.target.
987         https://bugs.webkit.org/show_bug.cgi?id=195127
988         <rdar://problem/39645578>
989
990         Reviewed by Yusuke Suzuki.
991
992         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
993
994 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
995
996         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
997         https://bugs.webkit.org/show_bug.cgi?id=195144
998         <rdar://problem/47595961>
999
1000         Reviewed by Mark Lam.
1001
1002         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1003         (bar):
1004         (foo):
1005         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1006         (bar):
1007         (foo):
1008
1009 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1010
1011         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1012         https://bugs.webkit.org/show_bug.cgi?id=194945
1013         <rdar://problem/48311657>
1014
1015         Reviewed by Mark Lam.
1016
1017         * stress/licm-dead-code.js: Added.
1018
1019 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1020
1021         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1022         https://bugs.webkit.org/show_bug.cgi?id=194677
1023         <rdar://problem/48112492>
1024
1025         Reviewed by Mark Lam.
1026
1027         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1028         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1029         it immediately fails due to the large size.
1030
1031         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1032         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1033         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1034         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1035
1036         This patch changes the test to produce 16bit string from String.fromCharCode.
1037
1038         * stress/regress-178386.js:
1039
1040 2019-02-26  Mark Lam  <mark.lam@apple.com>
1041
1042         wasmToJS() should purify incoming NaNs.
1043         https://bugs.webkit.org/show_bug.cgi?id=194807
1044         <rdar://problem/48189132>
1045
1046         Reviewed by Saam Barati.
1047
1048         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1049
1050 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1051
1052         [JSC] Repeat string created from Array.prototype.join() take too much memory
1053         https://bugs.webkit.org/show_bug.cgi?id=193912
1054
1055         Reviewed by Saam Barati.
1056
1057         Added a test and a microbenchmark for corner cases of
1058         Array.prototype.join() with an uninitialized array.
1059
1060         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1061         * stress/array-prototype-join-uninitialized.js: Added.
1062         (testArray):
1063         (testABC):
1064         (B):
1065         (C):
1066
1067 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1068
1069         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1070         https://bugs.webkit.org/show_bug.cgi?id=194953
1071         <rdar://problem/47595253>
1072
1073         Reviewed by Saam Barati.
1074
1075         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1076
1077         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1078
1079 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1080
1081         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1082         https://bugs.webkit.org/show_bug.cgi?id=172848
1083         <rdar://problem/25709212>
1084
1085         Reviewed by Mark Lam.
1086
1087         * typeProfiler/inheritance.js:
1088         Rewrite the test slightly for clarity. The hoisting was confusing.
1089
1090         * heapProfiler/class-names.js: Added.
1091         (MyES5Class):
1092         (MyES6Class):
1093         (MyES6Subclass):
1094         Test object types and improved class names.
1095
1096         * heapProfiler/driver/driver.js:
1097         (CheapHeapSnapshotNode):
1098         (CheapHeapSnapshot):
1099         (createCheapHeapSnapshot):
1100         (HeapSnapshot):
1101         (createHeapSnapshot):
1102         Update snapshot parsing from version 1 to version 2.
1103
1104 2019-02-19  Truitt Savell  <tsavell@apple.com>
1105
1106         Unreviewed, rolling out r241784.
1107
1108         Broke all OpenSource builds.
1109
1110         Reverted changeset:
1111
1112         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1113         instances view"
1114         https://bugs.webkit.org/show_bug.cgi?id=172848
1115         https://trac.webkit.org/changeset/241784
1116
1117 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1118
1119         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1120         https://bugs.webkit.org/show_bug.cgi?id=172848
1121         <rdar://problem/25709212>
1122
1123         Reviewed by Mark Lam.
1124
1125         * typeProfiler/inheritance.js:
1126         Rewrite the test slightly for clarity. The hoisting was confusing.
1127
1128         * heapProfiler/class-names.js: Added.
1129         (MyES5Class):
1130         (MyES6Class):
1131         (MyES6Subclass):
1132         Test object types and improved class names.
1133
1134         * heapProfiler/driver/driver.js:
1135         (CheapHeapSnapshotNode):
1136         (CheapHeapSnapshot):
1137         (createCheapHeapSnapshot):
1138         (HeapSnapshot):
1139         (createHeapSnapshot):
1140         Update snapshot parsing from version 1 to version 2.
1141
1142 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1143
1144         [ARM] Fix crash with sampling profiler
1145         https://bugs.webkit.org/show_bug.cgi?id=194772
1146
1147         Reviewed by Mark Lam.
1148
1149         Do not skip test since crash with sampling profiler is now fixed.
1150
1151         * stress/sampling-profiler-richards.js:
1152
1153 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1154
1155         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1156         https://bugs.webkit.org/show_bug.cgi?id=194784
1157         <rdar://problem/48154820>
1158
1159         Reviewed by Mark Lam.
1160
1161         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1162         (getProperties):
1163         (getRandomProperty):
1164         (i.catch):
1165
1166 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1167
1168         [ARM] Test gardening: Test running out of executable memory
1169         https://bugs.webkit.org/show_bug.cgi?id=194771
1170
1171         Unreviewed. Do not run test without LLInt, test is running out of executable
1172         memory on ARM otherwise.
1173
1174         * stress/tagged-template-object-collect.js:
1175
1176 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1177
1178         Unreviewed, skip the test on platforms without sampling profiler
1179
1180         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1181         (platformSupportsSamplingProfiler.foo):
1182         (platformSupportsSamplingProfiler.test):
1183         (platformSupportsSamplingProfiler):
1184         (foo): Deleted.
1185         (test): Deleted.
1186
1187 2019-02-17  Saam Barati  <sbarati@apple.com>
1188
1189         Deadlock when adding a Structure property transition and then doing incremental marking
1190         https://bugs.webkit.org/show_bug.cgi?id=194767
1191
1192         Reviewed by Mark Lam.
1193
1194         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1195
1196 2019-02-15  Michael Saboff  <msaboff@apple.com>
1197
1198         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1199         https://bugs.webkit.org/show_bug.cgi?id=194558
1200
1201         Reviewed by Saam Barati.
1202
1203         New regression test.
1204
1205         * stress/regexp-unicode-within-string.js: Added.
1206
1207 2019-02-15  Mark Lam  <mark.lam@apple.com>
1208
1209         SamplingProfiler::stackTracesAsJSON() should escape strings.
1210         https://bugs.webkit.org/show_bug.cgi?id=194649
1211         <rdar://problem/48072386>
1212
1213         Reviewed by Saam Barati.
1214
1215         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1216         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1217         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1218         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1219
1220 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1221         CodeBlock::jettison should clear related watchpoints
1222         https://bugs.webkit.org/show_bug.cgi?id=194544
1223
1224         Reviewed by Mark Lam.
1225
1226         * stress/regexp-replace-double-watchpoint.js: Added.
1227         (foo):
1228
1229 2019-02-15  Saam barati  <sbarati@apple.com>
1230
1231         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1232         https://bugs.webkit.org/show_bug.cgi?id=194036
1233
1234         Reviewed by Yusuke Suzuki.
1235
1236         * stress/tail-call-many-arguments.js: Added.
1237         (foo):
1238         (bar):
1239
1240 2019-02-14  Saam Barati  <sbarati@apple.com>
1241
1242         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1243         https://bugs.webkit.org/show_bug.cgi?id=194583
1244         <rdar://problem/48028140>
1245
1246         Reviewed by Yusuke Suzuki.
1247
1248         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1249
1250 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1251
1252         [JSC] String.fromCharCode's slow path always generates 16bit string
1253         https://bugs.webkit.org/show_bug.cgi?id=194466
1254
1255         Reviewed by Keith Miller.
1256
1257         * stress/string-from-char-code-slow-path.js: Added.
1258         (shouldBe):
1259         (testWithLength):
1260
1261 2019-02-08  Saam barati  <sbarati@apple.com>
1262
1263         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1264         https://bugs.webkit.org/show_bug.cgi?id=194334
1265         <rdar://problem/47844327>
1266
1267         Reviewed by Mark Lam.
1268
1269         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1270         (func):
1271
1272 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1273
1274         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1275         https://bugs.webkit.org/show_bug.cgi?id=194369
1276         <rdar://problem/47813087>
1277
1278         Reviewed by Saam Barati.
1279
1280         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1281         (A):
1282
1283 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1284
1285         [JSC] PrivateName to PublicName hash table is wasteful
1286         https://bugs.webkit.org/show_bug.cgi?id=194277
1287
1288         Reviewed by Michael Saboff.
1289
1290         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1291
1292         * ChakraCore.yaml:
1293
1294 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1295
1296         [ARM] Test running out of executable memory
1297         https://bugs.webkit.org/show_bug.cgi?id=194285
1298
1299         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1300         executable memory otherwise.
1301
1302         * stress/class-subclassing-function.js:
1303
1304 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1305
1306         when lowering AssertNotEmpty, create the value before creating the patchpoint
1307         https://bugs.webkit.org/show_bug.cgi?id=194231
1308
1309         Reviewed by Saam Barati.
1310
1311         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1312         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1313         So even tiny changes to this test can change the path code taken.
1314
1315         * stress/assert-not-empty.js: Added.
1316         (foo):
1317
1318 2019-02-01  Mark Lam  <mark.lam@apple.com>
1319
1320         Remove invalid assertion in DFG's compileDoubleRep().
1321         https://bugs.webkit.org/show_bug.cgi?id=194130
1322         <rdar://problem/47699474>
1323
1324         Reviewed by Saam Barati.
1325
1326         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1327
1328 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1329
1330         Import latest Test262 updates.
1331
1332         Rubber-stamped by Keith Miller.
1333
1334         * test262.yaml: Deleted.
1335         * test262/config.yaml:
1336         * test262/expectations.yaml:
1337         * test262/latest-changes-summary.txt:
1338         * test262/test/:
1339         * test262/test262-Revision.txt:
1340
1341 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1342
1343         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1344         https://bugs.webkit.org/show_bug.cgi?id=194050
1345         <rdar://problem/47595592>
1346
1347         Reviewed by Yusuke Suzuki.
1348
1349         * stress/object-keys-osr-exit.js: Added.
1350         (foo):
1351         (catch):
1352
1353 2019-01-29  Mark Lam  <mark.lam@apple.com>
1354
1355         ValueRecovery::recover() should purify NaN values it recovers.
1356         https://bugs.webkit.org/show_bug.cgi?id=193978
1357         <rdar://problem/47625488>
1358
1359         Reviewed by Saam Barati.
1360
1361         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1362
1363 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1364
1365         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1366         https://bugs.webkit.org/show_bug.cgi?id=193713
1367
1368         * stress/try-get-by-id-should-spill-registers-dfg.js:
1369         (let.f.createBuiltin):
1370
1371 2019-01-28  Mark Lam  <mark.lam@apple.com>
1372
1373         ToString node actually does GC.
1374         https://bugs.webkit.org/show_bug.cgi?id=193920
1375         <rdar://problem/46695900>
1376
1377         Reviewed by Yusuke Suzuki.
1378
1379         * stress/dfg-to-string-on-int-does-gc.js: Added.
1380         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1381         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1382
1383 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1384
1385         [JSC] NativeErrorConstructor should not have own IsoSubspace
1386         https://bugs.webkit.org/show_bug.cgi?id=193713
1387
1388         Reviewed by Saam Barati.
1389
1390         Remove @Error use.
1391
1392         * stress/try-get-by-id-should-spill-registers-dfg.js:
1393         (let.f.createBuiltin):
1394
1395 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1396
1397         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1398         https://bugs.webkit.org/show_bug.cgi?id=190693
1399
1400         Reviewed by Michael Saboff.
1401
1402         * stress/regress-190693.js: Added.
1403         (truth):
1404         (assert):
1405         (shouldThrowInvalidConstAssignment):
1406         (taz):
1407
1408 2019-01-24  Saam Barati  <sbarati@apple.com>
1409
1410         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1411         https://bugs.webkit.org/show_bug.cgi?id=193751
1412         <rdar://problem/47280215>
1413
1414         Reviewed by Michael Saboff.
1415
1416         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1417         (let.thing):
1418         (foo.let.hello):
1419         (foo):
1420
1421 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1422
1423         [JSC] Reenable baseline JIT on mips
1424         https://bugs.webkit.org/show_bug.cgi?id=192983
1425
1426         Reviewed by Mark Lam.
1427
1428         Added a new test for a case that was triggering a RELEASE_ASSERT when
1429         testing.
1430         Disable some slow tests that were already disabled for arm and x86.
1431
1432         * stress/json-parse-big-object.js: Added.
1433         * stress/new-largeish-contiguous-array-with-size.js:
1434         * stress/op_add.js:
1435         * stress/op_bitand.js:
1436         * stress/op_bitor.js:
1437         * stress/op_bitxor.js:
1438         * stress/op_lshift-ConstVar.js:
1439         * stress/op_lshift-VarConst.js:
1440         * stress/op_lshift-VarVar.js:
1441         * stress/op_mod-ConstVar.js:
1442         * stress/op_mod-VarConst.js:
1443         * stress/op_mod-VarVar.js:
1444         * stress/op_mul-ConstVar.js:
1445         * stress/op_mul-VarConst.js:
1446         * stress/op_mul-VarVar.js:
1447         * stress/op_rshift-ConstVar.js:
1448         * stress/op_rshift-VarConst.js:
1449         * stress/op_rshift-VarVar.js:
1450         * stress/op_sub-ConstVar.js:
1451         * stress/op_sub-VarConst.js:
1452         * stress/op_sub-VarVar.js:
1453         * stress/op_urshift-ConstVar.js:
1454         * stress/op_urshift-VarConst.js:
1455         * stress/op_urshift-VarVar.js:
1456         * stress/sampling-profiler-richards.js:
1457         * stress/spread-forward-call-varargs-stack-overflow.js:
1458
1459 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1460
1461         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1462         https://bugs.webkit.org/show_bug.cgi?id=193711
1463         <rdar://problem/47250262>
1464
1465         Reviewed by Saam Barati.
1466
1467         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1468         (shouldBe):
1469         (foo):
1470         (bar):
1471         (baz):
1472
1473 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1474
1475         Unreviewed, fix initial global lexical binding epoch
1476         https://bugs.webkit.org/show_bug.cgi?id=193603
1477         <rdar://problem/47380869>
1478
1479         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1480         (f1.f2.f3.f4):
1481         (f1.f2.f3):
1482         (f1.f2):
1483         (f1):
1484
1485 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1486
1487         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1488         https://bugs.webkit.org/show_bug.cgi?id=193709
1489         <rdar://problem/47363838>
1490
1491         Unreviewed, rollout to watch the tests.
1492
1493         * stress/object-tostring-changed-proto.js: Removed.
1494         * stress/object-tostring-changed.js: Removed.
1495         * stress/object-tostring-misc.js: Removed.
1496         * stress/object-tostring-other.js: Removed.
1497         * stress/object-tostring-untyped.js: Removed.
1498
1499 2019-01-22  Saam Barati  <sbarati@apple.com>
1500
1501         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1502
1503         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1504         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1505         (testUncheckedLessThanZero):
1506         (testUncheckedLessThanOrEqualZero):
1507         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1508         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1509
1510 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1511
1512         [JSC] Invalidate old scope operations using global lexical binding epoch
1513         https://bugs.webkit.org/show_bug.cgi?id=193603
1514         <rdar://problem/47380869>
1515
1516         Reviewed by Saam Barati.
1517
1518         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1519         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1520         (shouldThrow):
1521         (bar):
1522         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1523         (shouldBe):
1524         (get1):
1525         (get2):
1526         (get1If):
1527         (get2If):
1528         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1529         (shouldThrow):
1530         (foo):
1531
1532 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1533
1534         Unreviewed, roll out r240220 due to date-format-xparb regression
1535         https://bugs.webkit.org/show_bug.cgi?id=193603
1536
1537         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1538         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1539         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1540         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1541
1542 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1543
1544         DoesGC rule is wrong for nodes with BigIntUse
1545         https://bugs.webkit.org/show_bug.cgi?id=193652
1546
1547         Reviewed by Saam Barati.
1548
1549         * stress/big-int-value-op-update-gc-rules.js: Added.
1550         (assert):
1551         (doesGCAdd):
1552         (doesGCSub):
1553         (doesGCDiv):
1554         (doesGCMul):
1555         (doesGCBitAnd):
1556         (doesGCBitOr):
1557         (doesGCBitXor):
1558
1559 2019-01-20  Saam Barati  <sbarati@apple.com>
1560
1561         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1562         https://bugs.webkit.org/show_bug.cgi?id=193644
1563         <rdar://problem/46209745>
1564
1565         Reviewed by Yusuke Suzuki.
1566
1567         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1568         (foo):
1569         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1570         (foo):
1571         (bar):
1572
1573 2019-01-20  Saam Barati  <sbarati@apple.com>
1574
1575         MovHint must merge NodeBytecodeUsesAsValue for its child
1576         https://bugs.webkit.org/show_bug.cgi?id=186916
1577         <rdar://problem/41396612>
1578
1579         Reviewed by Yusuke Suzuki.
1580
1581         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1582         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1583
1584 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1585
1586         [JSC] Invalidate old scope operations using global lexical binding epoch
1587         https://bugs.webkit.org/show_bug.cgi?id=193603
1588         <rdar://problem/47380869>
1589
1590         Reviewed by Saam Barati.
1591
1592         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1593         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1594         (shouldThrow):
1595         (bar):
1596         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1597         (shouldBe):
1598         (get1):
1599         (get2):
1600         (get1If):
1601         (get2If):
1602         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1603         (shouldThrow):
1604         (foo):
1605
1606 2019-01-17  Saam barati  <sbarati@apple.com>
1607
1608         StringObjectUse should not be a structure check for the original string object structure
1609         https://bugs.webkit.org/show_bug.cgi?id=193483
1610         <rdar://problem/47280522>
1611
1612         Reviewed by Yusuke Suzuki.
1613
1614         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1615         (foo):
1616         (a.valueOf.0):
1617
1618 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1619
1620         [JSC] ToThis omission in DFGByteCodeParser is wrong
1621         https://bugs.webkit.org/show_bug.cgi?id=193513
1622         <rdar://problem/45842236>
1623
1624         Reviewed by Saam Barati.
1625
1626         * stress/to-this-omission-with-different-strict-modes.js: Added.
1627         (thisA):
1628         (thisAStrictWrapper):
1629
1630 2019-01-15  Mark Lam  <mark.lam@apple.com>
1631
1632         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1633         https://bugs.webkit.org/show_bug.cgi?id=193423
1634         <rdar://problem/46209355>
1635
1636         Reviewed by Saam Barati.
1637
1638         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1639         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1640         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1641         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1642
1643 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1646         https://bugs.webkit.org/show_bug.cgi?id=193438
1647         <rdar://problem/45581249>
1648
1649         Reviewed by Saam Barati and Keith Miller.
1650
1651         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1652         Then, GetByVal(String) crashed.
1653
1654         * stress/string-get-by-val-lowering.js: Added.
1655         (shouldBe):
1656         (test):
1657         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1658         (Hello):
1659         (foo):
1660
1661 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1662
1663         Unreviewed, skip JIT tests if it's not enabled
1664
1665         * stress/bit-op-with-object-returning-int32.js:
1666
1667 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1668
1669         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1670         https://bugs.webkit.org/show_bug.cgi?id=192966
1671
1672         Reviewed by Yusuke Suzuki.
1673
1674         * stress/bit-op-with-object-returning-int32.js: Added.
1675
1676 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1677
1678         Skip a slow test and a flakey test on arm
1679
1680         Unreviewed gardening.
1681
1682         * typeProfiler/getter-richards.js:
1683         this test always times out, it used to be always skipped on arm and
1684         mips, but got accidentally enabled by r237919 now that we have DFG on
1685         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1686
1687 2019-01-14  Keith Miller  <keith_miller@apple.com>
1688
1689         Skip type-check-hoisting-phase-hoist... with no jit
1690         https://bugs.webkit.org/show_bug.cgi?id=193421
1691
1692         Reviewed by Mark Lam.
1693
1694         It's timing out the 32-bit bots and takes 330 seconds
1695         on my machine when run by itself.
1696
1697         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1698
1699 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1700
1701         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1702         https://bugs.webkit.org/show_bug.cgi?id=193413
1703         <rdar://problem/46092389>
1704
1705         Reviewed by Keith Miller.
1706
1707         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1708         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1709         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1710         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1711
1712         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1713         (compareArray):
1714
1715 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1716
1717         [BigInt] Literal parsing is crashing when used inside a Object Literal
1718         https://bugs.webkit.org/show_bug.cgi?id=193404
1719
1720         Reviewed by Yusuke Suzuki.
1721
1722         * stress/big-int-literal-inside-literal-object.js: Added.
1723
1724 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1725
1726         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1727         https://bugs.webkit.org/show_bug.cgi?id=193372
1728
1729         Reviewed by Saam Barati.
1730
1731         * stress/typed-array-array-modes-profile.js: Added.
1732         (foo):
1733
1734 2019-01-14  Mark Lam  <mark.lam@apple.com>
1735
1736         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1737         https://bugs.webkit.org/show_bug.cgi?id=193402
1738         <rdar://problem/46012309>
1739
1740         Reviewed by Keith Miller.
1741
1742         * stress/regexp-compile-oom.js:
1743         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1744           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1745
1746 2019-01-11  Saam barati  <sbarati@apple.com>
1747
1748         DFG combined liveness can be wrong for terminal basic blocks
1749         https://bugs.webkit.org/show_bug.cgi?id=193304
1750         <rdar://problem/45268632>
1751
1752         Reviewed by Yusuke Suzuki.
1753
1754         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1755
1756 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1757
1758         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1759         https://bugs.webkit.org/show_bug.cgi?id=193308
1760         <rdar://problem/45546542>
1761
1762         Reviewed by Saam Barati.
1763
1764         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1765         (shouldThrow):
1766         (shouldBe):
1767         (foo):
1768         (get shouldThrow):
1769         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1770         (shouldThrow):
1771         (shouldBe):
1772         (foo):
1773         (get shouldBe):
1774         (get shouldThrow):
1775         (get return):
1776         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1777         (shouldThrow):
1778         (shouldBe):
1779         (foo):
1780         (get shouldBe):
1781         (get shouldThrow):
1782         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1783         (shouldThrow):
1784         (shouldBe):
1785         (foo):
1786         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1787         (shouldThrow):
1788         (shouldBe):
1789         (foo):
1790         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1791         (shouldThrow):
1792         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1793         (shouldThrow):
1794         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1795         (shouldThrow):
1796         (shouldBe):
1797         (foo):
1798         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1799         (shouldThrow):
1800         (shouldBe):
1801         (foo):
1802         (get shouldBe):
1803         (get shouldThrow):
1804         (get return):
1805         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1806         (shouldThrow):
1807         (shouldBe):
1808         (foo):
1809         (get shouldBe):
1810         (get shouldThrow):
1811         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1812         (shouldThrow):
1813         (shouldBe):
1814         (foo):
1815         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1816         (shouldThrow):
1817         (shouldBe):
1818         (foo):
1819
1820 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1821
1822         Enable DFG on ARM/Linux again
1823         https://bugs.webkit.org/show_bug.cgi?id=192496
1824
1825         Reviewed by Yusuke Suzuki.
1826
1827         Test wasn't really skipped before moving the line with skip
1828         to the top.
1829
1830         * stress/regress-192717.js:
1831
1832 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1833
1834         Unreviewed, rolling out r239825.
1835         https://bugs.webkit.org/show_bug.cgi?id=193330
1836
1837         Broke tests on armv7/linux bots (Requested by guijemont on
1838         #webkit).
1839
1840         Reverted changeset:
1841
1842         "Enable DFG on ARM/Linux again"
1843         https://bugs.webkit.org/show_bug.cgi?id=192496
1844         https://trac.webkit.org/changeset/239825
1845
1846 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1847
1848         Enable DFG on ARM/Linux again
1849         https://bugs.webkit.org/show_bug.cgi?id=192496
1850
1851         Reviewed by Yusuke Suzuki.
1852
1853         Test wasn't really skipped before moving the line with skip
1854         to the top.
1855
1856         * stress/regress-192717.js:
1857
1858 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1859
1860         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1861         https://bugs.webkit.org/show_bug.cgi?id=193127
1862
1863         Reviewed by Saam Barati.
1864
1865         * stress/array-species-create-should-handle-masquerader.js: Added.
1866         (shouldThrow):
1867         * stress/is-undefined-or-null-builtin.js: Added.
1868         (shouldBe):
1869         (isUndefinedOrNull.vm.createBuiltin):
1870
1871 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1872
1873         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1874         https://bugs.webkit.org/show_bug.cgi?id=193221
1875
1876         Reviewed by Mark Lam.
1877
1878         * stress/put-by-id-flags.js: Added.
1879         (f):
1880         (g):
1881         (numberOfDFGCompiles):
1882
1883 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1884
1885         Baseline version of get_by_id may corrupt metadata
1886         https://bugs.webkit.org/show_bug.cgi?id=193085
1887         <rdar://problem/23453006>
1888
1889         Reviewed by Saam Barati.
1890
1891         * stress/get-by-id-change-mode.js: Added.
1892         (forEach):
1893
1894 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1895
1896         [JSC] Optimize Object.prototype.toString
1897         https://bugs.webkit.org/show_bug.cgi?id=193031
1898
1899         Reviewed by Saam Barati.
1900
1901         * stress/object-tostring-changed-proto.js: Added.
1902         (shouldBe):
1903         (test):
1904         * stress/object-tostring-changed.js: Added.
1905         (shouldBe):
1906         (test):
1907         * stress/object-tostring-misc.js: Added.
1908         (shouldBe):
1909         (test):
1910         (i.switch):
1911         * stress/object-tostring-other.js: Added.
1912         (shouldBe):
1913         (test):
1914         * stress/object-tostring-untyped.js: Added.
1915         (shouldBe):
1916         (test):
1917         (i.switch):
1918
1919 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1920
1921         test262-runner misbehaves when test file YAML has a trailing space
1922         https://bugs.webkit.org/show_bug.cgi?id=193053
1923
1924         Reviewed by Yusuke Suzuki.
1925
1926         * test262/expectations.yaml:
1927         Mark two dozen tests as passing (and correct the output of another).
1928
1929 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1930
1931         Unreviewed, JSTests gardening with memoryLimited
1932
1933         * stress/string-overflow-createError.js:
1934
1935 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1936
1937         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1938         https://bugs.webkit.org/show_bug.cgi?id=193050
1939
1940         Reviewed by Yusuke Suzuki.
1941
1942         * test262.yaml:
1943         * test262/expectations.yaml:
1944         Mark 16 tests as passing.
1945
1946 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1947
1948         [BigInt] Support BigInt in JSON.stringify
1949         https://bugs.webkit.org/show_bug.cgi?id=192624
1950
1951         Reviewed by Saam Barati.
1952
1953         * stress/big-int-json-stringify-to-json.js: Added.
1954         (shouldBe):
1955         (shouldThrow):
1956         (BigInt.prototype.toJSON):
1957         (shouldBe.JSON.stringify):
1958         * stress/big-int-json-stringify.js: Added.
1959         (shouldBe):
1960         (shouldThrow):
1961
1962 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1963
1964         [JSC] Implement "well-formed JSON.stringify" proposal
1965         https://bugs.webkit.org/show_bug.cgi?id=191677
1966
1967         Reviewed by Darin Adler.
1968
1969         * stress/json-surrogate-pair.js: Added.
1970         (shouldBe):
1971         * test262/expectations.yaml:
1972
1973 2018-12-20  Keith Miller  <keith_miller@apple.com>
1974
1975         Add support for globalThis
1976         https://bugs.webkit.org/show_bug.cgi?id=165171
1977
1978         Reviewed by Mark Lam.
1979
1980         * test262/config.yaml:
1981
1982 2018-12-19  Keith Miller  <keith_miller@apple.com>
1983
1984         Update test262 configuration to not run tests dependent on ICU version.
1985         https://bugs.webkit.org/show_bug.cgi?id=192920
1986
1987         Reviewed by Saam Barati.
1988
1989         * test262/expectations.yaml:
1990
1991 2018-12-20  Mark Lam  <mark.lam@apple.com>
1992
1993         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1994         https://bugs.webkit.org/show_bug.cgi?id=192939
1995         <rdar://problem/46869516>
1996
1997         Reviewed by Keith Miller.
1998
1999         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2000
2001 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2002
2003         WTF::String and StringImpl overflow MaxLength
2004         https://bugs.webkit.org/show_bug.cgi?id=192853
2005         <rdar://problem/45726906>
2006
2007         Reviewed by Mark Lam.
2008
2009         * stress/string-16bit-repeat-overflow.js: Added.
2010         (catch):
2011
2012 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2013
2014         Unreviewed follow-up to r192914.
2015
2016         * test262/expectations.yaml:
2017         Add the last 20 missing expectations.
2018
2019 2018-12-19  Keith Miller  <keith_miller@apple.com>
2020
2021         Fix test262 expectations
2022         https://bugs.webkit.org/show_bug.cgi?id=192914
2023
2024         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2025
2026         * test262/expectations.yaml:
2027
2028 2018-12-19  Keith Miller  <keith_miller@apple.com>
2029
2030         Update test262 tests.
2031         https://bugs.webkit.org/show_bug.cgi?id=192907
2032
2033         Rubber stamped by Mark Lam.
2034
2035         * test262/*: Omitted because prepare-changelog crashes.
2036
2037 2018-12-19  Mark Lam  <mark.lam@apple.com>
2038
2039         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2040         https://bugs.webkit.org/show_bug.cgi?id=192464
2041         <rdar://problem/46519455>
2042
2043         Reviewed by Saam Barati.
2044
2045         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2046         microbenchmark.
2047
2048         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2049         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2050
2051 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2052
2053         String overflow in JSC::createError results in ASSERT in WTF::makeString
2054         https://bugs.webkit.org/show_bug.cgi?id=192833
2055         <rdar://problem/45706868>
2056
2057         Reviewed by Mark Lam.
2058
2059         * stress/string-overflow-createError.js: Added.
2060
2061 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2062
2063         Error message for `-x ** y` contains a typo.
2064         https://bugs.webkit.org/show_bug.cgi?id=192832
2065
2066         Reviewed by Saam Barati.
2067
2068         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2069         (assert.assert.return.throws):
2070         * stress/pow-expects-update-expression-on-lhs.js:
2071         (throw.new.Error):
2072         Update test expectations which match against the exact error message.
2073
2074 2018-12-18  Mark Lam  <mark.lam@apple.com>
2075
2076         Gardening: test options fix.
2077         https://bugs.webkit.org/show_bug.cgi?id=192822
2078
2079         Unreviewed.
2080
2081         * stress/json-stringify-string-builder-overflow.js:
2082
2083 2018-12-18  Mark Lam  <mark.lam@apple.com>
2084
2085         JSON.stringify() should throw OOM on StringBuilder overflows.
2086         https://bugs.webkit.org/show_bug.cgi?id=192822
2087         <rdar://problem/46670577>
2088
2089         Reviewed by Saam Barati.
2090
2091         * stress/json-stringify-string-builder-overflow.js: Added.
2092
2093 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2094
2095         Redeclaration of var over let/const/class should be a syntax error.
2096         https://bugs.webkit.org/show_bug.cgi?id=192298
2097
2098         Reviewed by Keith Miller.
2099
2100         * test262.yaml:
2101         * test262/expectations.yaml:
2102         Mark 46 tests as passing.
2103
2104         * stress/block-scope-redeclarations.js:
2105         Add some new tests.
2106
2107         * stress/for-in-invalidate-context-weird-assignments.js:
2108         * stress/for-in-tests.js:
2109         Replace tests for outdated behavior with tests for SyntaxError.
2110
2111         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2112         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2113         Update expectations.
2114
2115 2018-12-18  Mark Lam  <mark.lam@apple.com>
2116
2117         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2118         https://bugs.webkit.org/show_bug.cgi?id=191374
2119         <rdar://problem/46525447>
2120
2121         Reviewed by Yusuke Suzuki.
2122
2123         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2124
2125         * stress/elidable-new-object-roflcopter-then-exit.js:
2126
2127 2018-12-17  Mark Lam  <mark.lam@apple.com>
2128
2129         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2130         https://bugs.webkit.org/show_bug.cgi?id=192019
2131         <rdar://problem/46525456>
2132
2133         Reviewed by Yusuke Suzuki.
2134
2135         The test runs too slow on 32-bit.
2136
2137         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2138
2139 2018-12-17  Mark Lam  <mark.lam@apple.com>
2140
2141         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2142         https://bugs.webkit.org/show_bug.cgi?id=191373
2143         <rdar://problem/46525458>
2144
2145         Reviewed by Yusuke Suzuki.
2146
2147         The test is already slow running with a JIT on 64-bit.  It will always time out
2148         on 32-bit without a JIT.
2149
2150         * stress/materialize-regexp-cyclic-regexp.js:
2151
2152 2018-12-17  Mark Lam  <mark.lam@apple.com>
2153
2154         Array unshift/shift should not race against the AI in the compiler thread.
2155         https://bugs.webkit.org/show_bug.cgi?id=192795
2156         <rdar://problem/46724263>
2157
2158         Reviewed by Saam Barati.
2159
2160         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2161
2162 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2163
2164         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2165         https://bugs.webkit.org/show_bug.cgi?id=190047
2166
2167         Reviewed by Saam Barati.
2168
2169         * stress/object-keys-cached-zero.js: Added.
2170         (shouldBe):
2171         (test):
2172         * stress/object-keys-changed-attribute.js: Added.
2173         (shouldBe):
2174         (test):
2175         * stress/object-keys-changed-index.js: Added.
2176         (shouldBe):
2177         (test):
2178         * stress/object-keys-changed.js: Added.
2179         (shouldBe):
2180         (test):
2181         * stress/object-keys-indexed-non-cache.js: Added.
2182         (shouldBe):
2183         (test):
2184         * stress/object-keys-overrides-get-property-names.js: Added.
2185         (shouldBe):
2186         (test):
2187         (noInline):
2188
2189 2018-12-17  Mark Lam  <mark.lam@apple.com>
2190
2191         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2192         https://bugs.webkit.org/show_bug.cgi?id=192779
2193         <rdar://problem/46775869>
2194
2195         Reviewed by Saam Barati.
2196
2197         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2198
2199 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2200
2201         Unreviewed test gardening, address a syntax error in a new test.
2202
2203         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2204
2205 2018-12-17  Mark Lam  <mark.lam@apple.com>
2206
2207         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2208         https://bugs.webkit.org/show_bug.cgi?id=192776
2209         <rdar://problem/46772368>
2210
2211         Reviewed by Keith Miller.
2212
2213         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2214
2215 2018-12-17  Mark Lam  <mark.lam@apple.com>
2216
2217         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2218         https://bugs.webkit.org/show_bug.cgi?id=192770
2219         <rdar://problem/46449037>
2220
2221         Reviewed by Keith Miller.
2222
2223         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2224
2225 2018-12-14  Mark Lam  <mark.lam@apple.com>
2226
2227         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2228         https://bugs.webkit.org/show_bug.cgi?id=192717
2229         <rdar://problem/46660677>
2230
2231         Reviewed by Saam Barati.
2232
2233         * stress/regress-192717.js: Added.
2234
2235 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2236
2237         Unreviewed, rolling out r239153, r239154, and r239155.
2238         https://bugs.webkit.org/show_bug.cgi?id=192715
2239
2240         Caused flaky GC-related crashes seen with layout tests
2241         (Requested by ryanhaddad on #webkit).
2242
2243         Reverted changesets:
2244
2245         "[JSC] Optimize Object.keys by caching own keys results in
2246         StructureRareData"
2247         https://bugs.webkit.org/show_bug.cgi?id=190047
2248         https://trac.webkit.org/changeset/239153
2249
2250         "Unreviewed, build fix after r239153"
2251         https://bugs.webkit.org/show_bug.cgi?id=190047
2252         https://trac.webkit.org/changeset/239154
2253
2254         "Unreviewed, build fix after r239153, part 2"
2255         https://bugs.webkit.org/show_bug.cgi?id=190047
2256         https://trac.webkit.org/changeset/239155
2257
2258 2018-12-14  Keith Miller  <keith_miller@apple.com>
2259
2260         Callers of JSString::getIndex should check for OOM exceptions
2261         https://bugs.webkit.org/show_bug.cgi?id=192709
2262
2263         Reviewed by Mark Lam.
2264
2265         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2266
2267 2018-12-13  Mark Lam  <mark.lam@apple.com>
2268
2269         Add a missing exception check.
2270         https://bugs.webkit.org/show_bug.cgi?id=192626
2271         <rdar://problem/46662163>
2272
2273         Reviewed by Keith Miller.
2274
2275         * stress/regress-192626.js: Added.
2276
2277 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2278
2279         [BigInt] Add ValueDiv into DFG
2280         https://bugs.webkit.org/show_bug.cgi?id=186178
2281
2282         Reviewed by Yusuke Suzuki.
2283
2284         * stress/big-int-div-jit-osr.js: Added.
2285         * stress/big-int-div-jit-untyped.js: Added.
2286         * stress/value-div-fixup-int32-big-int.js: Added.
2287
2288 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2289
2290         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2291         https://bugs.webkit.org/show_bug.cgi?id=190047
2292
2293         Reviewed by Keith Miller.
2294
2295         * stress/object-keys-cached-zero.js: Added.
2296         (shouldBe):
2297         (test):
2298         * stress/object-keys-changed-attribute.js: Added.
2299         (shouldBe):
2300         (test):
2301         * stress/object-keys-changed-index.js: Added.
2302         (shouldBe):
2303         (test):
2304         * stress/object-keys-changed.js: Added.
2305         (shouldBe):
2306         (test):
2307         * stress/object-keys-indexed-non-cache.js: Added.
2308         (shouldBe):
2309         (test):
2310         * stress/object-keys-overrides-get-property-names.js: Added.
2311         (shouldBe):
2312         (test):
2313         (noInline):
2314
2315 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2316
2317         [DFG][FTL] Add NewSymbol
2318         https://bugs.webkit.org/show_bug.cgi?id=192620
2319
2320         Reviewed by Saam Barati.
2321
2322         * microbenchmarks/symbol-creation.js: Added.
2323         (test):
2324         * stress/symbol-description-identity.js: Added.
2325         (shouldBe):
2326         (test):
2327         * stress/symbol-identity.js: Added.
2328         (shouldBe):
2329         (test):
2330         * stress/symbol-with-description-throw-error.js: Added.
2331         (shouldBe):
2332         (shouldThrow):
2333         (test):
2334         (object.toString):
2335
2336 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2337
2338         [BigInt] Implement DFG/FTL typeof for BigInt
2339         https://bugs.webkit.org/show_bug.cgi?id=192619
2340
2341         Reviewed by Keith Miller.
2342
2343         * stress/big-int-boolean-proven-type.js: Added.
2344         (assert):
2345         (bool):
2346         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2347         (assert):
2348         (typeOf):
2349         (i.switch):
2350         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2351         (assert):
2352         (typeOf):
2353         * stress/big-int-type-of.js:
2354         (typeOf):
2355         (func):
2356
2357 2018-12-10  Mark Lam  <mark.lam@apple.com>
2358
2359         PropertyAttribute needs a CustomValue bit.
2360         https://bugs.webkit.org/show_bug.cgi?id=191993
2361         <rdar://problem/46264467>
2362
2363         Reviewed by Saam Barati.
2364
2365         * stress/regress-191993.js: Added.
2366
2367 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2368
2369         [BigInt] Add ValueMul into DFG
2370         https://bugs.webkit.org/show_bug.cgi?id=186175
2371
2372         Reviewed by Yusuke Suzuki.
2373
2374         * stress/big-int-mul-jit-osr.js: Added.
2375         * stress/big-int-mul-jit-untyped.js: Added.
2376         * stress/value-mul-fixup-int32-big-int.js: Added.
2377
2378 2018-12-06  Keith Miller  <keith_miller@apple.com>
2379
2380         stress/big-wasm-memory tests failing on 32-bit JSC bot
2381         https://bugs.webkit.org/show_bug.cgi?id=192020
2382
2383         Reviewed by Saam Barati.
2384
2385         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2386         the wasm stress tests if the WebAssembly object does not exist.
2387
2388         * stress/big-wasm-memory-grow-no-max.js:
2389         (test.foo):
2390         (test):
2391         (foo): Deleted.
2392         (catch): Deleted.
2393         * stress/big-wasm-memory-grow.js:
2394         (test.foo):
2395         (test):
2396         (foo): Deleted.
2397         (catch): Deleted.
2398         * stress/big-wasm-memory.js:
2399         (test.foo):
2400         (test):
2401         (foo): Deleted.
2402         (catch): Deleted.
2403
2404 2018-12-05  Mark Lam  <mark.lam@apple.com>
2405
2406         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2407         https://bugs.webkit.org/show_bug.cgi?id=192441
2408         <rdar://problem/46480355>
2409
2410         Reviewed by Saam Barati.
2411
2412         * stress/regress-192441.js: Added.
2413
2414 2018-12-04  Mark Lam  <mark.lam@apple.com>
2415
2416         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2417         https://bugs.webkit.org/show_bug.cgi?id=192386
2418         <rdar://problem/46445516>
2419
2420         Reviewed by Saam Barati.
2421
2422         * stress/regress-192386.js: Added.
2423
2424 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2425
2426         [ESNext][BigInt] Support logic operations
2427         https://bugs.webkit.org/show_bug.cgi?id=179903
2428
2429         Reviewed by Yusuke Suzuki.
2430
2431         * stress/big-int-branch-usage.js: Added.
2432         * stress/big-int-logical-and.js: Added.
2433         * stress/big-int-logical-not.js: Added.
2434         * stress/big-int-logical-or.js: Added.
2435
2436 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2437
2438         Unreviewed, rolling out r238833.
2439
2440         Breaks macOS and iOS debug builds.
2441
2442         Reverted changeset:
2443
2444         "[ESNext][BigInt] Support logic operations"
2445         https://bugs.webkit.org/show_bug.cgi?id=179903
2446         https://trac.webkit.org/changeset/238833
2447
2448 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2449
2450         [ESNext][BigInt] Support logic operations
2451         https://bugs.webkit.org/show_bug.cgi?id=179903
2452
2453         Reviewed by Yusuke Suzuki.
2454
2455         * stress/big-int-branch-usage.js: Added.
2456         * stress/big-int-logical-and.js: Added.
2457         * stress/big-int-logical-not.js: Added.
2458         * stress/big-int-logical-or.js: Added.
2459
2460 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2461
2462         [ESNext][BigInt] Implement support for "<<" and ">>"
2463         https://bugs.webkit.org/show_bug.cgi?id=186233
2464
2465         Reviewed by Yusuke Suzuki.
2466
2467         * stress/big-int-left-shift-general.js: Added.
2468         * stress/big-int-left-shift-range-error.js: Added.
2469         * stress/big-int-left-shift-type-error.js: Added.
2470         * stress/big-int-left-shift-wrapped-value.js: Added.
2471         * stress/big-int-right-shift-general.js: Added.
2472         * stress/big-int-right-shift-type-error.js: Added.
2473         * stress/big-int-right-shift-wrapped-value.js: Added.
2474         * stress/left-shift-to-primitive-precedence.js: Added.
2475         * stress/right-shift-to-primitive-precedence.js: Added.
2476
2477 2018-11-30  Dean Jackson  <dino@apple.com>
2478
2479         Add first-class support for .mjs files in jsc binary
2480         https://bugs.webkit.org/show_bug.cgi?id=192190
2481         <rdar://problem/46375715>
2482
2483         Reviewed by Keith Miller.
2484
2485         * stress/simple-module.mjs: Added.
2486         * stress/simple-script.js: Added.
2487
2488 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2489
2490         [BigInt] Implement ValueBitXor into DFG
2491         https://bugs.webkit.org/show_bug.cgi?id=190264
2492
2493         Reviewed by Yusuke Suzuki.
2494
2495         * stress/big-int-bitwise-xor-jit.js: Added.
2496         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2497         * stress/big-int-bitwise-xor-untyped.js: Added.
2498
2499 2018-11-27  Saam barati  <sbarati@apple.com>
2500
2501         r238510 broke scopes of size zero
2502         https://bugs.webkit.org/show_bug.cgi?id=192033
2503         <rdar://problem/46281734>
2504
2505         Reviewed by Keith Miller.
2506
2507         * stress/r238510-bad-loop.js: Added.
2508         (foo):
2509
2510 2018-11-27  Mark Lam  <mark.lam@apple.com>
2511
2512         [Re-landing] NaNs read from Wasm code needs to be be purified.
2513         https://bugs.webkit.org/show_bug.cgi?id=191056
2514         <rdar://problem/45660341>
2515
2516         Reviewed by Filip Pizlo.
2517
2518         * wasm/regress/regress-191056.js: Added.
2519
2520 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2521
2522         Unreviewed, rolling out r238509.
2523
2524         Causes JSC tests to fail on iOS.
2525
2526         Reverted changeset:
2527
2528         "NaNs read from Wasm code needs to be be purified."
2529         https://bugs.webkit.org/show_bug.cgi?id=191056
2530         https://trac.webkit.org/changeset/238509
2531
2532 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2533
2534         Re-introduce op_bitnot
2535         https://bugs.webkit.org/show_bug.cgi?id=190923
2536
2537         Reviewed by Yusuke Suzuki.
2538
2539         * stress/bit-not-must-generate.js: Added.
2540         * stress/bitwise-not-no-int32.js: Added.
2541
2542 2018-11-26  Saam barati  <sbarati@apple.com>
2543
2544         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2545         https://bugs.webkit.org/show_bug.cgi?id=191956
2546         <rdar://problem/45665806>
2547
2548         Reviewed by Yusuke Suzuki.
2549
2550         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2551         (bar):
2552         (foo):
2553
2554 2018-11-26  Saam barati  <sbarati@apple.com>
2555
2556         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2557         https://bugs.webkit.org/show_bug.cgi?id=191958
2558         <rdar://problem/46221877>
2559
2560         Reviewed by Yusuke Suzuki.
2561
2562         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2563         (x):
2564         (foo):
2565
2566 2018-11-26  Mark Lam  <mark.lam@apple.com>
2567
2568         NaNs read from Wasm code needs to be be purified.
2569         https://bugs.webkit.org/show_bug.cgi?id=191056
2570         <rdar://problem/45660341>
2571
2572         Reviewed by Filip Pizlo.
2573
2574         * wasm/regress/regress-191056.js: Added.
2575
2576 2018-11-26  Michael Saboff  <msaboff@apple.com>
2577
2578         32-bit JSC test failure: stress/regexp-compile-oom.js
2579         https://bugs.webkit.org/show_bug.cgi?id=191375
2580
2581         Reviewed by Mark Lam.
2582
2583         Disabled the test for 32 bit platforms.
2584
2585         * stress/regexp-compile-oom.js:
2586
2587 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2588
2589         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2590         https://bugs.webkit.org/show_bug.cgi?id=191716
2591         <rdar://problem/45723878>
2592
2593         Reviewed by Saam Barati.
2594
2595         * stress/regress-187373.js: Added.
2596         (async.fn):
2597
2598 2018-11-21  Saam barati  <sbarati@apple.com>
2599
2600         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2601         https://bugs.webkit.org/show_bug.cgi?id=191897
2602         <rdar://problem/45871998>
2603
2604         Reviewed by Mark Lam.
2605
2606         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2607         (bar):
2608         (foo):
2609
2610 2018-11-21  Saam barati  <sbarati@apple.com>
2611
2612         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2613         https://bugs.webkit.org/show_bug.cgi?id=191895
2614         <rdar://problem/46167406>
2615
2616         Reviewed by Mark Lam.
2617
2618         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2619         (foo):
2620         (bar):
2621
2622 2018-11-21  Mark Lam  <mark.lam@apple.com>
2623
2624         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2625         https://bugs.webkit.org/show_bug.cgi?id=191776
2626         <rdar://problem/46152851>
2627
2628         Reviewed by Saam Barati.
2629
2630         * stress/big-wasm-memory-grow-no-max.js:
2631         * stress/big-wasm-memory-grow.js:
2632         * stress/big-wasm-memory.js:
2633         - updated these to expect an OutOfMemoryError.
2634
2635         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2636         (Binary.prototype.emit_u8):
2637         (Binary.prototype.emit_u32v):
2638         (Binary.prototype.emit_header):
2639         (Binary.prototype.emit_section):
2640         (Binary):
2641         (WasmModuleBuilder):
2642         (WasmModuleBuilder.prototype.addMemory):
2643         (WasmModuleBuilder.prototype.toArray):
2644         (WasmModuleBuilder.prototype.toBuffer):
2645         (WasmModuleBuilder.prototype.instantiate):
2646         (catch):
2647         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2648         (catch):
2649
2650 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2651
2652         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2653         https://bugs.webkit.org/show_bug.cgi?id=190836
2654
2655         Reviewed by Saam Barati and Yusuke Suzuki.
2656
2657         * stress/big-int-out-of-memory-tests.js: Added.
2658
2659 2018-11-20  Mark Lam  <mark.lam@apple.com>
2660
2661         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2662         https://bugs.webkit.org/show_bug.cgi?id=191856
2663         <rdar://problem/46089992>
2664
2665         Reviewed by Yusuke Suzuki.
2666
2667         * stress/regress-191856.js: Added.
2668         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2669
2670 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2671
2672         Enable JIT on ARM/Linux
2673         https://bugs.webkit.org/show_bug.cgi?id=191548
2674
2675         Reviewed by Yusuke Suzuki.
2676
2677         Disable test on system with limited memory. Program was killed by
2678         the OS before the exception was thrown.
2679
2680         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2681
2682 2018-11-20  Saam barati  <sbarati@apple.com>
2683
2684         Merging an IC variant may lead to the IC status containing overlapping structure sets
2685         https://bugs.webkit.org/show_bug.cgi?id=191869
2686         <rdar://problem/45403453>
2687
2688         Reviewed by Mark Lam.
2689
2690         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2691
2692 2018-11-19  Mark Lam  <mark.lam@apple.com>
2693
2694         globalFuncImportModule() should return a promise when it clears exceptions.
2695         https://bugs.webkit.org/show_bug.cgi?id=191792
2696         <rdar://problem/46090763>
2697
2698         Reviewed by Michael Saboff.
2699
2700         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2701
2702 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2703
2704         Skip new memory-hungry tests on memory limited devices
2705
2706         Unreviewed gardening.
2707
2708         * stress/big-wasm-memory-grow-no-max.js:
2709         * stress/big-wasm-memory-grow.js:
2710         * stress/big-wasm-memory.js:
2711
2712 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2713
2714         Unreviewed, rolling in the rest of r237254
2715         https://bugs.webkit.org/show_bug.cgi?id=190340
2716
2717         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2718         * stress/function-cache-with-parameters-end-position.js: Added.
2719         (shouldBe):
2720         (shouldThrow):
2721         (i.anonymous):
2722         * stress/function-constructor-name.js: Added.
2723         (shouldBe):
2724         (GeneratorFunction):
2725         (AsyncFunction.async):
2726         (AsyncGeneratorFunction.async):
2727         (anonymous):
2728         (async.anonymous):
2729         * test262/expectations.yaml:
2730
2731 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2732
2733         All users of ArrayBuffer should agree on the same max size
2734         https://bugs.webkit.org/show_bug.cgi?id=191771
2735
2736         Reviewed by Mark Lam.
2737
2738         * stress/big-wasm-memory-grow-no-max.js: Added.
2739         (foo):
2740         (catch):
2741         * stress/big-wasm-memory-grow.js: Added.
2742         (foo):
2743         (catch):
2744         * stress/big-wasm-memory.js: Added.
2745         (foo):
2746         (catch):
2747
2748 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2749
2750         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2751         run for each JSC config since they're regression tests for runtime bugs.
2752
2753         * stress/json-stringified-overflow-2.js:
2754         * stress/json-stringified-overflow.js:
2755
2756 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2757
2758         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2759         config since they're regression tests for runtime bugs.
2760
2761         * stress/large-unshift-splice.js:
2762         * stress/regress-185888.js:
2763
2764 2018-11-16  Saam Barati  <sbarati@apple.com>
2765
2766         KnownCellUse should also have SpecCellCheck as its type filter
2767         https://bugs.webkit.org/show_bug.cgi?id=191729
2768         <rdar://problem/45872852>
2769
2770         Reviewed by Filip Pizlo.
2771
2772         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2773         (C):
2774
2775 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2776
2777         Fix assertion failure on BytecodeGenerator::recordOpcode
2778         https://bugs.webkit.org/show_bug.cgi?id=191724
2779         <rdar://problem/45724395>
2780
2781         Reviewed by Saam Barati.
2782
2783         * stress/regress-187373-2.js: Added.
2784         (foo):
2785
2786 2018-11-15  Mark Lam  <mark.lam@apple.com>
2787
2788         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2789         https://bugs.webkit.org/show_bug.cgi?id=191730
2790         <rdar://problem/46048517>
2791
2792         Reviewed by Saam Barati.
2793
2794         * stress/regress-187006.js: Removed.
2795           - this test is invalid because its sole purpose is to test for the non-spec
2796             compliant behavior that we just fixed.
2797
2798         * stress/regress-191730.js: Added.
2799
2800 2018-11-15  Mark Lam  <mark.lam@apple.com>
2801
2802         RegExp operations should not take fast path if lastIndex is not numeric.
2803         https://bugs.webkit.org/show_bug.cgi?id=191731
2804         <rdar://problem/46017305>
2805
2806         Reviewed by Saam Barati.
2807
2808         * stress/regress-191731.js: Added.
2809
2810 2018-11-13  Saam Barati  <sbarati@apple.com>
2811
2812         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2813         https://bugs.webkit.org/show_bug.cgi?id=191600
2814
2815         Reviewed by Mark Lam.
2816
2817         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2818         (foo):
2819         (test):
2820         (bar):
2821
2822 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2823
2824         Unreviewed, rolling out r238132.
2825
2826         The test added with this change is timing out on Debug JSC
2827         bots.
2828
2829         Reverted changeset:
2830
2831         "[BigInt] JSBigInt::createWithLength should throw when length
2832         is greater than JSBigInt::maxLength"
2833         https://bugs.webkit.org/show_bug.cgi?id=190836
2834         https://trac.webkit.org/changeset/238132
2835
2836 2018-11-13  Mark Lam  <mark.lam@apple.com>
2837
2838         Add OOM detection to StringPrototype's substituteBackreferences().
2839         https://bugs.webkit.org/show_bug.cgi?id=191563
2840         <rdar://problem/45720428>
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/regress-191563.js: Added.
2845
2846 2018-11-13  Mark Lam  <mark.lam@apple.com>
2847
2848         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2849         https://bugs.webkit.org/show_bug.cgi?id=191579
2850         <rdar://problem/45942472>
2851
2852         Reviewed by Saam Barati.
2853
2854         * stress/regress-191579.js: Added.
2855
2856 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2857
2858         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2859         https://bugs.webkit.org/show_bug.cgi?id=190836
2860
2861         Reviewed by Saam Barati.
2862
2863         * stress/big-int-out-of-memory-tests.js: Added.
2864
2865 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2866
2867         U+180E is no longer a whitespace character
2868         https://bugs.webkit.org/show_bug.cgi?id=191415
2869
2870         Reviewed by Saam Barati.
2871
2872         * ChakraCore/test/es5/regexSpace.baseline:
2873         * ChakraCore/test/es6/unicode_whitespace.js:
2874         Update tests to latest version.
2875         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2876
2877         * test262.yaml:
2878         * test262/config.yaml:
2879         * test262/expectations.yaml:
2880         Update expectations.
2881
2882 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2883
2884         [BigInt] Add support to BigInt into ValueAdd
2885         https://bugs.webkit.org/show_bug.cgi?id=186177
2886
2887         Reviewed by Keith Miller.
2888
2889         * stress/big-int-negate-jit.js:
2890         * stress/value-add-big-int-and-string.js: Added.
2891         * stress/value-add-big-int-prediction-propagation.js: Added.
2892         * stress/value-add-big-int-untyped.js: Added.
2893
2894 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2895
2896         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2897         https://bugs.webkit.org/show_bug.cgi?id=191184
2898
2899         Reviewed by Saam Barati.
2900
2901         Most tests were failing due to timeouts, since they are too slow to
2902         run on CLoop. The exceptions are:
2903
2904         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2905         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2906         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2907         to change the stack size since CLoop requires it to be page aligned.
2908
2909         * microbenchmarks/array-push-1.js:
2910         * microbenchmarks/array-push-2.js:
2911         * microbenchmarks/elidable-new-object-dag.js:
2912         * microbenchmarks/elidable-new-object-roflcopter.js:
2913         * microbenchmarks/elidable-new-object-tree.js:
2914         * microbenchmarks/getter-richards.js:
2915         * microbenchmarks/sinkable-new-object-dag.js:
2916         * microbenchmarks/string-concat-long-convert.js:
2917         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2918         * slowMicrobenchmarks/array-push-3.js:
2919         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2920         * slowMicrobenchmarks/spread-small-array.js:
2921         * slowMicrobenchmarks/undefined-property-access.js:
2922         * stress/activation-sink-default-value-tdz-error.js:
2923         * stress/activation-sink-default-value.js:
2924         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2925         * stress/activation-sink-osrexit-default-value.js:
2926         * stress/activation-sink-osrexit.js:
2927         * stress/activation-sink.js:
2928         * stress/allow-math-ic-b3-code-duplication.js:
2929         * stress/array-push-multiple-int32.js:
2930         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2931         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2932         * stress/arrowfunction-lexical-this-activation-sink.js:
2933         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2934         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2935         * stress/elide-new-object-dag-then-exit.js:
2936         * stress/materialize-regexp-cyclic.js:
2937         * stress/new-regex-inline.js:
2938         * stress/op_add.js:
2939         * stress/op_bitand.js:
2940         * stress/op_bitor.js:
2941         * stress/op_bitxor.js:
2942         * stress/op_div-ConstVar.js:
2943         * stress/op_div-VarConst.js:
2944         * stress/op_div-VarVar.js:
2945         * stress/op_lshift-ConstVar.js:
2946         * stress/op_lshift-VarConst.js:
2947         * stress/op_lshift-VarVar.js:
2948         * stress/op_mod-ConstVar.js:
2949         * stress/op_mod-VarConst.js:
2950         * stress/op_mod-VarVar.js:
2951         * stress/op_mul-ConstVar.js:
2952         * stress/op_mul-VarConst.js:
2953         * stress/op_mul-VarVar.js:
2954         * stress/op_rshift-ConstVar.js:
2955         * stress/op_rshift-VarConst.js:
2956         * stress/op_rshift-VarVar.js:
2957         * stress/op_sub-ConstVar.js:
2958         * stress/op_sub-VarConst.js:
2959         * stress/op_sub-VarVar.js:
2960         * stress/op_urshift-ConstVar.js:
2961         * stress/op_urshift-VarConst.js:
2962         * stress/op_urshift-VarVar.js:
2963         * stress/proxy-get-set-correct-receiver.js:
2964         * stress/regress-179562.js:
2965         * stress/rest-parameter-many-arguments.js:
2966         * stress/sampling-profiler-richards.js:
2967         * stress/splay-flash-access-1ms.js:
2968         * stress/tailCallForwardArguments.js:
2969         * stress/typed-array-get-by-val-profiling.js:
2970         * typeProfiler/getter-richards.js:
2971
2972 2018-11-06  Michael Saboff  <msaboff@apple.com>
2973
2974         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2975         https://bugs.webkit.org/show_bug.cgi?id=191271
2976
2977         Reviewed by Saam Barati.
2978
2979         Added more test cases and made all test cases run with the same deeply recursive stack
2980         instead of finding that same point for each test case.
2981
2982         * stress/regexp-compile-oom.js:
2983         (prototype.runTest):
2984         (recurseAndTest):
2985         (testList.push.new.TestAndExpectedException):
2986
2987 2018-11-05  Michael Saboff  <msaboff@apple.com>
2988
2989         Unreviewed build fix for linux.
2990
2991         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2992
2993 2018-11-02  Michael Saboff  <msaboff@apple.com>
2994
2995         Rolling in r237753 with unreviewed build fix.
2996
2997         Fixed issues with DECLARE_THROW_SCOPE placement.
2998
2999 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3000
3001         Unreviewed, rolling out r237753.
3002
3003         Introduced JSC test failures
3004
3005         Reverted changeset:
3006
3007         "Running out of stack space not properly handled in
3008         RegExp::compile() and its callers"
3009         https://bugs.webkit.org/show_bug.cgi?id=191206
3010         https://trac.webkit.org/changeset/237753
3011
3012 2018-11-02  Michael Saboff  <msaboff@apple.com>
3013
3014         Running out of stack space not properly handled in RegExp::compile() and its callers
3015         https://bugs.webkit.org/show_bug.cgi?id=191206
3016
3017         Reviewed by Filip Pizlo.
3018
3019         New regression test.
3020
3021         * stress/regexp-compile-oom.js: Added.
3022         (recurseAndTest):
3023
3024 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3025
3026         Skip tests on arm/mips that time out now we're running on CLoop
3027
3028         Unreviewed gardening.
3029
3030         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3031         time out on the bots and need to be disabled. There's more tests
3032         disabled on arm because the timeout is longer on the mips bot (as the
3033         device is slower to start with), so many of the tests don't time out
3034         there.
3035
3036         * microbenchmarks/getter-richards.js: disable on arm and mips.
3037         * stress/op_add.js: disable on arm.
3038         * stress/op_bitand.js: disable on arm.
3039         * stress/op_bitor.js: disable on arm.
3040         * stress/op_bitxor.js: disable on arm.
3041         * stress/op_lshift-ConstVar.js: disable on arm.
3042         * stress/op_lshift-VarConst.js: disable on arm.
3043         * stress/op_lshift-VarVar.js: disable on arm.
3044         * stress/op_mod-ConstVar.js: disable on arm.
3045         * stress/op_mod-VarConst.js: disable on arm.
3046         * stress/op_mod-VarVar.js: disable on arm.
3047         * stress/op_mul-ConstVar.js: disable on arm.
3048         * stress/op_mul-VarConst.js: disable on arm.
3049         * stress/op_mul-VarVar.js: disable on arm.
3050         * stress/op_rshift-ConstVar.js: disable on arm.
3051         * stress/op_rshift-VarConst.js: disable on arm.
3052         * stress/op_rshift-VarVar.js: disable on arm.
3053         * stress/op_sub-ConstVar.js: disable on arm.
3054         * stress/op_sub-VarConst.js: disable on arm.
3055         * stress/op_sub-VarVar.js: disable on arm.
3056         * stress/op_urshift-ConstVar.js: disable on arm.
3057         * stress/op_urshift-VarConst.js: disable on arm.
3058         * stress/op_urshift-VarVar.js: disable on arm.
3059         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3060         * stress/value-to-boolean.js: disable on arm and mips.
3061
3062 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3063
3064         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3065         https://bugs.webkit.org/show_bug.cgi?id=191108
3066         <rdar://problem/45690700>
3067
3068         Reviewed by Saam Barati.
3069
3070         * stress/wide-op_catch.js: Added.
3071         (catch):
3072
3073 2018-10-29  Mark Lam  <mark.lam@apple.com>
3074
3075         Correctly detect string overflow when using the 'Function' constructor.
3076         https://bugs.webkit.org/show_bug.cgi?id=184883
3077         <rdar://problem/36320331>
3078
3079         Reviewed by Saam Barati.
3080
3081         I've verified that this passes on 32-bit as well.
3082
3083         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3084
3085 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3086
3087         Add support for GetStack FlushedDouble
3088         https://bugs.webkit.org/show_bug.cgi?id=191012
3089         <rdar://problem/45265141>
3090
3091         Reviewed by Saam Barati.
3092
3093         * stress/get-stack-double.js: Added.
3094         (bar):
3095         (noInline):
3096
3097 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3098
3099         New bytecode format for JSC
3100         https://bugs.webkit.org/show_bug.cgi?id=187373
3101         <rdar://problem/44186758>
3102
3103         Reviewed by Filip Pizlo.
3104
3105         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3106
3107         * stress/maximum-inline-capacity.js: Added.
3108         (test1):
3109         (test3.Foo):
3110         (test3):
3111
3112 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3113
3114         Unreviewed, rolling out r237479 and r237484.
3115         https://bugs.webkit.org/show_bug.cgi?id=190978
3116
3117         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3118
3119         Reverted changesets:
3120
3121         "New bytecode format for JSC"
3122         https://bugs.webkit.org/show_bug.cgi?id=187373
3123         https://trac.webkit.org/changeset/237479
3124
3125         "Gardening: Build fix after r237479."
3126         https://bugs.webkit.org/show_bug.cgi?id=187373
3127         https://trac.webkit.org/changeset/237484
3128
3129 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3130
3131         New bytecode format for JSC
3132         https://bugs.webkit.org/show_bug.cgi?id=187373
3133         <rdar://problem/44186758>
3134
3135         Reviewed by Filip Pizlo.
3136
3137         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3138
3139         * stress/maximum-inline-capacity.js: Added.
3140         (test1):
3141         (test3.Foo):
3142         (test3):
3143
3144 2018-10-26  Mark Lam  <mark.lam@apple.com>
3145
3146         Fix missing edge cases with JSGlobalObjects having a bad time.
3147         https://bugs.webkit.org/show_bug.cgi?id=189028
3148         <rdar://problem/45204939>
3149
3150         Reviewed by Saam Barati.
3151
3152         * stress/regress-189028.js: Added.
3153
3154 2018-10-22  Mark Lam  <mark.lam@apple.com>
3155
3156         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3157         https://bugs.webkit.org/show_bug.cgi?id=190515
3158         <rdar://problem/45222379>
3159
3160         Rubber-stamped by Saam Barati.
3161
3162         Adding another test.
3163
3164         * stress/regress-190515-2.js: Added.
3165
3166 2018-10-22  Mark Lam  <mark.lam@apple.com>
3167
3168         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3169         https://bugs.webkit.org/show_bug.cgi?id=190515
3170         <rdar://problem/45222379>
3171
3172         Reviewed by Saam Barati.
3173
3174         * stress/regress-190515.js: Added.
3175
3176 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3177
3178         Unreviewed, rolling out r237254.
3179         https://bugs.webkit.org/show_bug.cgi?id=190760
3180
3181         "It regresses JetStream 2 by 5% on some iOS devices"
3182         (Requested by saamyjoon on #webkit).
3183
3184         Reverted changeset:
3185
3186         "[JSC] JSC should have "parseFunction" to optimize Function
3187         constructor"
3188         https://bugs.webkit.org/show_bug.cgi?id=190340
3189         https://trac.webkit.org/changeset/237254
3190
3191 2018-10-19  Saam Barati  <sbarati@apple.com>
3192
3193         vmCall should check if we exit before emitting an OSR exit due to exceptions
3194         https://bugs.webkit.org/show_bug.cgi?id=190740
3195         <rdar://problem/45220139>
3196
3197         Reviewed by Mark Lam.
3198
3199         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3200         (foo):
3201
3202 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3203
3204         [ESNext][BigInt] Implement support for "^"
3205         https://bugs.webkit.org/show_bug.cgi?id=186235
3206
3207         Reviewed by Yusuke Suzuki.
3208
3209         * stress/big-int-bitwise-xor-general.js: Added.
3210         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3211         * stress/big-int-bitwise-xor-type-error.js: Added.
3212         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3213
3214 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3215
3216         [BigInt] Add ValueSub into DFG
3217         https://bugs.webkit.org/show_bug.cgi?id=186176
3218
3219         Reviewed by Yusuke Suzuki.
3220
3221         * stress/big-int-subtraction-jit.js:
3222         * stress/value-sub-big-int-prediction-propagation.js: Added.
3223         * stress/value-sub-big-int-untyped.js: Added.
3224         * stress/value-sub-spec-none-case.js: Added.
3225
3226 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3227
3228         [JSC] JSC should have "parseFunction" to optimize Function constructor
3229         https://bugs.webkit.org/show_bug.cgi?id=190340
3230
3231         Reviewed by Mark Lam.
3232
3233         This patch fixes the line number of syntax errors raised by the Function constructor,
3234         since we now parse the final code only once. And we no longer use block statement
3235         for Function constructor's parsing.
3236
3237         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3238         * stress/function-cache-with-parameters-end-position.js: Added.
3239         (shouldBe):
3240         (shouldThrow):
3241         (i.anonymous):
3242         * stress/function-constructor-name.js: Added.
3243         (shouldBe):
3244         (GeneratorFunction):
3245         (AsyncFunction.async):
3246         (AsyncGeneratorFunction.async):
3247         (anonymous):
3248         (async.anonymous):
3249         * test262/expectations.yaml:
3250
3251 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3252
3253         Unreviewed, rolling out r237242.
3254         https://bugs.webkit.org/show_bug.cgi?id=190701
3255
3256         it breaks "stress/sampling-profiler-basic.js" (Requested by
3257         caiolima on #webkit).
3258
3259         Reverted changeset:
3260
3261         "[BigInt] Add ValueSub into DFG"
3262         https://bugs.webkit.org/show_bug.cgi?id=186176
3263         https://trac.webkit.org/changeset/237242
3264
3265 2018-10-17  Keith Miller  <keith_miller@apple.com>
3266
3267         AI does not clear Phantom allocation nodes.
3268         https://bugs.webkit.org/show_bug.cgi?id=190694
3269
3270         Reviewed by Saam Barati.
3271
3272         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3273         (Day):
3274         (DaysInYear):
3275         (TimeInYear):
3276         (TimeFromYear):
3277         (DayFromYear):
3278         (InLeapYear):
3279         (YearFromTime):
3280         (WeekDay):
3281         (DaylightSavingTA):
3282         (GetSecondSundayInMarch):
3283         (TimeInMonth):
3284
3285 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3286
3287         [BigInt] Add ValueSub into DFG
3288         https://bugs.webkit.org/show_bug.cgi?id=186176
3289
3290         Reviewed by Yusuke Suzuki.
3291
3292         * stress/big-int-subtraction-jit.js:
3293         * stress/value-sub-big-int-prediction-propagation.js: Added.
3294         * stress/value-sub-big-int-untyped.js: Added.
3295
3296 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3297
3298         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3299         https://bugs.webkit.org/show_bug.cgi?id=190611
3300
3301         Reviewed by Saam Barati.
3302
3303         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3304         to improve test runtime. On ARM/MIPS this test even timed out when running all
3305         tests.
3306
3307         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3308         (test):
3309
3310 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3311
3312         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3313
3314         Unreviewed gardening.
3315
3316         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3317
3318 2018-10-15  Saam barati  <sbarati@apple.com>
3319
3320         Emit fjcvtzs on ARM64E on Darwin
3321         https://bugs.webkit.org/show_bug.cgi?id=184023
3322
3323         Reviewed by Yusuke Suzuki and Filip Pizlo.
3324
3325         * stress/double-to-int32-NaN.js: Added.
3326         (assert):
3327         (foo):
3328
3329 2018-10-15  Saam Barati  <sbarati@apple.com>
3330
3331         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3332         https://bugs.webkit.org/show_bug.cgi?id=190262
3333         <rdar://problem/44986241>
3334
3335         Reviewed by Mark Lam.
3336
3337         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3338         (test):
3339         * stress/slice-array-storage-with-holes.js: Added.
3340         (main):
3341
3342 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3343
3344         Unreviewed, rolling out r237054.
3345         https://bugs.webkit.org/show_bug.cgi?id=190593
3346
3347         "this regressed JetStream 2 by 6% on iOS" (Requested by
3348         saamyjoon on #webkit).
3349
3350         Reverted changeset:
3351
3352         "[JSC] JSC should have "parseFunction" to optimize Function
3353         constructor"
3354         https://bugs.webkit.org/show_bug.cgi?id=190340
3355         https://trac.webkit.org/changeset/237054
3356
3357 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3358
3359         [JSC] JSON.stringify can accept call-with-no-arguments
3360         https://bugs.webkit.org/show_bug.cgi?id=190343
3361
3362         Reviewed by Mark Lam.
3363
3364         * stress/json-stringify-no-arguments.js: Added.
3365         (shouldBe):
3366
3367 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3368
3369         [JSC] JSC should have "parseFunction" to optimize Function constructor
3370         https://bugs.webkit.org/show_bug.cgi?id=190340
3371
3372         Reviewed by Mark Lam.
3373
3374         This patch fixes the line number of syntax errors raised by the Function constructor,
3375         since we now parse the final code only once. And we no longer use block statement
3376         for Function constructor's parsing.
3377
3378         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3379         * stress/function-cache-with-parameters-end-position.js: Added.
3380         (shouldBe):
3381         (shouldThrow):
3382         (i.anonymous):
3383         * stress/function-constructor-name.js: Added.
3384         (shouldBe):
3385         (GeneratorFunction):
3386         (AsyncFunction.async):
3387         (AsyncGeneratorFunction.async):
3388         (anonymous):
3389         (async.anonymous):
3390         * test262/expectations.yaml:
3391
3392 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3393
3394         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3395         https://bugs.webkit.org/show_bug.cgi?id=190426
3396
3397         Unreviewed gardening.
3398
3399         * stress/sampling-profiler-richards.js:
3400
3401 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3402
3403         [ESNext][BigInt] Implement support for "|"
3404         https://bugs.webkit.org/show_bug.cgi?id=186229
3405
3406         Reviewed by Yusuke Suzuki.
3407
3408         * stress/big-int-bitwise-and-jit.js:
3409         * stress/big-int-bitwise-or-general.js: Added.
3410         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3411         * stress/big-int-bitwise-or-jit.js: Added.
3412         * stress/big-int-bitwise-or-memory-stress.js: Added.
3413         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3414         * stress/big-int-bitwise-or-type-error.js: Added.
3415         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3416
3417 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3418
3419         Skip test on systems with limited memory
3420         https://bugs.webkit.org/show_bug.cgi?id=190310
3421
3422         Invoking runDefault adds test to runlist; skipping the test in the next
3423         line does not prevent the test from executing. Change order of lines such
3424         that runDefault is only executed if test is not executed.
3425
3426         Reviewed by Mark Lam.
3427
3428         * stress/regress-190187.js:
3429
3430 2018-10-03  Saam barati  <sbarati@apple.com>
3431
3432         lowXYZ in FTLLower should always filter the type of the incoming edge
3433         https://bugs.webkit.org/show_bug.cgi?id=189939
3434         <rdar://problem/44407030>
3435
3436         Reviewed by Michael Saboff.
3437
3438         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3439         (foo):
3440         (test):
3441
3442 2018-10-03  Mark Lam  <mark.lam@apple.com>
3443
3444         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3445         https://bugs.webkit.org/show_bug.cgi?id=190187
3446         <rdar://problem/42512909>
3447
3448         Reviewed by Michael Saboff.
3449
3450         * stress/regress-190187.js: Added.
3451
3452 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3453
3454         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3455         https://bugs.webkit.org/show_bug.cgi?id=190033
3456
3457         Reviewed by Yusuke Suzuki.
3458
3459         * stress/big-int-to-string.js:
3460
3461 2018-10-01  Mark Lam  <mark.lam@apple.com>
3462
3463         Function.toString() should also copy the source code of Functions that are class definitions.
3464         https://bugs.webkit.org/show_bug.cgi?id=190186
3465         <rdar://problem/44733360>
3466
3467         Reviewed by Saam Barati.
3468
3469         * stress/regress-190186.js: Added.
3470
3471 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3472
3473         Split NaN-check into separate test
3474         https://bugs.webkit.org/show_bug.cgi?id=190010
3475
3476         Reviewed by Saam Barati.
3477
3478         DataView exposes NaN-representation, which is not necessarily the same on each
3479         architecture. Therefore move the check of the NaN-representation into its own
3480         file such that we can disable this test on MIPS where NaN-representation can be
3481         different on older CPUs.
3482
3483         * stress/dataview-jit-set-nan.js: Added.
3484         (assert):
3485         (test.storeLittleEndian):
3486         (test.storeBigEndian):
3487         (test.store):
3488         (test):
3489         * stress/dataview-jit-set.js:
3490         (test5):
3491
3492 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3493
3494         Unreviewed, rolling out r236647.
3495         https://bugs.webkit.org/show_bug.cgi?id=190124
3496
3497         Breaking test stress/big-int-to-string.js (Requested by
3498         caiolima_ on #webkit).
3499
3500         Reverted changeset:
3501
3502         "[BigInt] BigInt.prototype.toString is broken when radix is
3503         power of 2"
3504         https://bugs.webkit.org/show_bug.cgi?id=190033
3505         https://trac.webkit.org/changeset/236647
3506
3507 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3508
3509         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3510         https://bugs.webkit.org/show_bug.cgi?id=190033
3511
3512         Reviewed by Yusuke Suzuki.
3513
3514         * stress/big-int-to-string.js:
3515
3516 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3517
3518         [ESNext][BigInt] Implement support for "&"
3519         https://bugs.webkit.org/show_bug.cgi?id=186228
3520
3521         Reviewed by Yusuke Suzuki.
3522
3523         * stress/big-int-bitwise-and-general.js: Added.
3524         (assert):
3525         (assert.sameValue):
3526         * stress/big-int-bitwise-and-jit.js: Added.
3527         (let.assert.sameValue):
3528         (bigIntBitAnd):
3529         * stress/big-int-bitwise-and-memory-stress.js: Added.
3530         (assert):
3531         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3532         (assert.sameValue):
3533         (let.o.Symbol.toPrimitive):
3534         (catch):
3535         * stress/big-int-bitwise-and-type-error.js: Added.
3536         (assert):
3537         (assertThrowTypeError):
3538         (let.o.valueOf):
3539         (o.valueOf):
3540         (o.toString):
3541         (o.Symbol.toPrimitive):
3542         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3543         (assert.sameValue):
3544         (testBitAnd):
3545         (let.o.Symbol.toPrimitive):
3546         (o.valueOf):
3547         (o.toString):
3548
3549 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3550
3551         JSC test stress/jsc-read.js doesn't support CRLF
3552         https://bugs.webkit.org/show_bug.cgi?id=190063
3553
3554         Reviewed by Yusuke Suzuki.
3555
3556         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3557
3558         * stress/jsc-read.js:
3559         (test):
3560
3561 2018-09-27  Saam barati  <sbarati@apple.com>
3562
3563         Verify the contents of AssemblerBuffer on arm64e
3564         https://bugs.webkit.org/show_bug.cgi?id=190057
3565         <rdar://problem/38916630>
3566
3567         Reviewed by Mark Lam.
3568
3569         * stress/regress-189132.js:
3570
3571 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3572
3573         Disable test without LLInt on ARMv7
3574         https://bugs.webkit.org/show_bug.cgi?id=190037
3575
3576         Reviewed by Mark Lam.
3577
3578         Test runs out of executable memory on ARMv7; do not run
3579         this test without LLInt enabled.
3580
3581         * stress/regress-169445.js:
3582
3583 2018-09-26  Keith Miller  <keith_miller@apple.com>
3584
3585         We should zero unused property storage when rebalancing array storage.
3586         https://bugs.webkit.org/show_bug.cgi?id=188151
3587
3588         Reviewed by Michael Saboff.
3589
3590         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3591
3592 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3593
3594         [JSC] Optimize Array#lastIndexOf
3595         https://bugs.webkit.org/show_bug.cgi?id=189780
3596
3597         Reviewed by Saam Barati.
3598
3599         * stress/array-lastindexof-array-prototype-trap.js: Added.
3600         (shouldBe):
3601         (AncestorArray.prototype.get 2):
3602         (AncestorArray):
3603         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3604         (shouldBe):
3605         * stress/array-lastindexof-hole-nan.js: Added.
3606         (shouldBe):
3607         (throw.new.Error):
3608         * stress/array-lastindexof-infinity.js: Added.
3609         (shouldBe):
3610         (throw.new.Error):
3611         * stress/array-lastindexof-negative-zero.js: Added.
3612         (shouldBe):
3613         (throw.new.Error):
3614         * stress/array-lastindexof-own-getter.js: Added.
3615         (shouldBe):
3616         (throw.new.Error.get array):
3617         (get array):
3618         * stress/array-lastindexof-prototype-trap.js: Added.
3619         (shouldBe):
3620         (DerivedArray.prototype.get 2):
3621         (DerivedArray):
3622
3623 2018-09-25  Saam Barati  <sbarati@apple.com>
3624
3625         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3626         https://bugs.webkit.org/show_bug.cgi?id=189940
3627         <rdar://problem/43640987>
3628
3629         Reviewed by Mark Lam.
3630
3631         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3632
3633 2018-09-24  Saam Barati  <sbarati@apple.com>
3634
3635         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3636         https://bugs.webkit.org/show_bug.cgi?id=189922
3637         <rdar://problem/44651275>
3638
3639         Reviewed by Mark Lam.
3640
3641         * stress/array-indexof-fast-path-effects.js: Added.
3642         * stress/array-indexof-cached-length.js: Added.
3643
3644 2018-09-24  Saam barati  <sbarati@apple.com>
3645
3646         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3647         https://bugs.webkit.org/show_bug.cgi?id=189682
3648         <rdar://problem/43557315>
3649
3650         Reviewed by Mark Lam.
3651
3652         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3653         (foo):
3654
3655 2018-09-22  Saam barati  <sbarati@apple.com>
3656
3657         The sampling should not use Strong<CodeBlock> in its machineLocation field
3658         https://bugs.webkit.org/show_bug.cgi?id=189319
3659
3660         Reviewed by Filip Pizlo.
3661
3662         * stress/sampling-profiler-richards.js: Added.
3663
3664 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3665
3666         [JSC] Optimize Array#indexOf in C++ runtime
3667         https://bugs.webkit.org/show_bug.cgi?id=189507
3668
3669         Reviewed by Saam Barati.
3670
3671         * stress/array-indexof-array-prototype-trap.js: Added.
3672         (shouldBe):
3673         (AncestorArray.prototype.get 2):
3674         (AncestorArray):
3675         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3676         (shouldBe):
3677         * stress/array-indexof-hole-nan.js: Added.
3678         (shouldBe):
3679         (throw.new.Error):
3680         * stress/array-indexof-infinity.js: Added.
3681         (shouldBe):
3682         (throw.new.Error):
3683         * stress/array-indexof-negative-zero.js: Added.
3684         (shouldBe):
3685         (throw.new.Error):
3686         * stress/array-indexof-own-getter.js: Added.
3687         (shouldBe):
3688         (throw.new.Error.get array):
3689         (get array):
3690         * stress/array-indexof-prototype-trap.js: Added.
3691         (shouldBe):
3692         (DerivedArray.prototype.get 2):
3693         (DerivedArray):
3694
3695 2018-09-19  Saam barati  <sbarati@apple.com>
3696
3697         AI rule for MultiPutByOffset executes its effects in the wrong order
3698         https://bugs.webkit.org/show_bug.cgi?id=189757
3699         <rdar://problem/43535257>
3700
3701         Reviewed by Michael Saboff.
3702
3703         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3704         (foo):
3705         (Foo):
3706         (g):
3707
3708 2018-09-17  Mark Lam  <mark.lam@apple.com>
3709
3710         Ensure that ForInContexts are invalidated if their loop local is over-written.
3711         https://bugs.webkit.org/show_bug.cgi?id=189571
3712         <rdar://problem/44402277>
3713
3714         Reviewed by Saam Barati.
3715
3716         * stress/regress-189571.js: Added.
3717
3718 2018-09-17  Saam barati  <sbarati@apple.com>
3719
3720         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3721         https://bugs.webkit.org/show_bug.cgi?id=189676
3722         <rdar://problem/39682897>
3723
3724         Reviewed by Michael Saboff.
3725
3726         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3727         (A):
3728         (K):
3729         (i.catch):
3730
3731 2018-09-14  Saam barati  <sbarati@apple.com>
3732
3733         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3734         https://bugs.webkit.org/show_bug.cgi?id=189628
3735         <rdar://problem/39481690>
3736
3737         Reviewed by Mark Lam.
3738
3739         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3740         (foo):
3741
3742 2018-09-11  Mark Lam  <mark.lam@apple.com>
3743
3744         Test for array initialization in arrayProtoFuncSplice.
3745         https://bugs.webkit.org/show_bug.cgi?id=170253
3746         <rdar://problem/31328773>
3747
3748         Rubber-stamped by Saam Barati.
3749
3750         * stress/regress-170253.js: Added.
3751
3752 2018-09-11  Mark Lam  <mark.lam@apple.com>
3753
3754         Test for IntlObject initialization.
3755         https://bugs.webkit.org/show_bug.cgi?id=170251
3756         <rdar://problem/31328419>
3757
3758         Rubber-stamped by Saam Barati.
3759
3760         * stress/regress-170251.js: Added.
3761
3762 2018-09-11  Mark Lam  <mark.lam@apple.com>
3763
3764         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3765         https://bugs.webkit.org/show_bug.cgi?id=169889
3766         <rdar://problem/31155607>
3767
3768         Reviewed by Saam Barati.
3769
3770         * stress/regress-169889-array-concat.js: Added.
3771         * stress/regress-169889-array-concat1.js: Added.
3772         * stress/regress-169889-array-slice.js: Added.
3773
3774 2018-09-11  Mark Lam  <mark.lam@apple.com>
3775
3776         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3777         https://bugs.webkit.org/show_bug.cgi?id=169445
3778         <rdar://problem/30957435>
3779
3780         Reviewed by Saam Barati.
3781
3782         * stress/regress-169445.js: Added.
3783         (let.gun.eval.A):
3784         (let.gun.eval.B.C):
3785         (let.gun.eval.B.C.prototype.trigger):
3786         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3787         (let.gun.eval.B):
3788         (let.gun.eval):
3789
3790 == Rolled over to ChangeLog-2018-09-11 ==