[ESNext][BigInt] Implement "~" unary operation
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
2
3         [ESNext][BigInt] Implement "~" unary operation
4         https://bugs.webkit.org/show_bug.cgi?id=182216
5
6         Reviewed by Keith Miller.
7
8         * stress/big-int-bit-not-general.js: Added.
9         * stress/big-int-bitwise-not-jit.js: Added.
10         * stress/big-int-bitwise-not-wrapped-value.js: Added.
11         * stress/bit-op-with-object-returning-int32.js:
12         * stress/bitwise-not-fixup-rules.js: Added.
13         * stress/value-bit-not-ai-rule.js: Added.
14
15 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
16
17         Invalid flags in a RegExp literal should be an early SyntaxError
18         https://bugs.webkit.org/show_bug.cgi?id=195514
19
20         Reviewed by Darin Adler.
21
22         * test262/expectations.yaml:
23         Mark 4 test cases as passing.
24
25         * stress/regexp-syntax-error-invalid-flags.js:
26         * stress/regress-161995.js: Removed.
27         Update existing test, merging in an older test for the same behavior.
28
29 2019-03-08  Mark Lam  <mark.lam@apple.com>
30
31         Stack overflow crash in JSC::JSObject::hasInstance.
32         https://bugs.webkit.org/show_bug.cgi?id=195458
33         <rdar://problem/48710195>
34
35         Reviewed by Yusuke Suzuki.
36
37         * stress/stack-overflow-in-custom-hasInstance.js: Added.
38
39 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
40
41         op_check_tdz does not def its argument
42         https://bugs.webkit.org/show_bug.cgi?id=192880
43         <rdar://problem/46221598>
44
45         Reviewed by Saam Barati.
46
47         * microbenchmarks/let-for-in.js: Added.
48         (foo):
49
50 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
51
52         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
53         https://bugs.webkit.org/show_bug.cgi?id=195429
54
55         Reviewed by Saam Barati.
56
57         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
58         (foo):
59         * stress/string-from-char-code-255.js: Added.
60
61 2019-03-06  Mark Lam  <mark.lam@apple.com>
62
63         Fix incorrect handling of try-finally completion values.
64         https://bugs.webkit.org/show_bug.cgi?id=195131
65         <rdar://problem/46222079>
66
67         Reviewed by Saam Barati and Yusuke Suzuki.
68
69         Added many permutations of new test case to test-finally.js.  test-finally.js has
70         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
71         tests passes there as well.
72
73         * stress/test-finally.js:
74
75 2019-03-06  Saam Barati  <sbarati@apple.com>
76
77         Air::reportUsedRegisters must padInterference
78         https://bugs.webkit.org/show_bug.cgi?id=195303
79         <rdar://problem/48270343>
80
81         Reviewed by Keith Miller.
82
83         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
84
85 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
86
87         [JSC] AI should not propagate AbstractValue relying on constant folding phase
88         https://bugs.webkit.org/show_bug.cgi?id=195375
89
90         Reviewed by Saam Barati.
91
92         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
93         (let.array):
94
95 2019-03-05  Saam barati  <sbarati@apple.com>
96
97         op_switch_char broken for rope strings after JSRopeString layout rewrite
98         https://bugs.webkit.org/show_bug.cgi?id=195339
99         <rdar://problem/48592545>
100
101         Reviewed by Yusuke Suzuki.
102
103         * stress/switch-on-char-llint-rope.js: Added.
104
105 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
106
107         [JSC] Store bits for JSRopeString in 3 stores
108         https://bugs.webkit.org/show_bug.cgi?id=195234
109
110         Reviewed by Saam Barati.
111
112         * stress/null-rope-and-collectors.js: Added.
113
114 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
115
116         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
117         https://bugs.webkit.org/show_bug.cgi?id=195207
118
119         Unreviewed. After test runtime was reduced in r242213, test can be
120         run again on ARM/MIPS.
121
122         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
123
124 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
125
126         [JSC] sizeof(JSString) should be 16
127         https://bugs.webkit.org/show_bug.cgi?id=194375
128
129         Reviewed by Saam Barati.
130
131         * microbenchmarks/make-rope.js: Added.
132         (makeRope):
133         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
134         (returnRope.helper): Deleted.
135         (returnRope): Deleted.
136
137 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
138
139         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
140         https://bugs.webkit.org/show_bug.cgi?id=195144
141
142         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
143         Change the number from 1e8 to 1e5.
144
145         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
146         (foo):
147
148 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
149
150         Test times out on ARM/MIPS
151         https://bugs.webkit.org/show_bug.cgi?id=195168
152
153         Unreviewed. Skip test on ARM/MIPS.
154
155         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
156
157 2019-02-27  Mark Lam  <mark.lam@apple.com>
158
159         The parser is failing to record the token location of new in new.target.
160         https://bugs.webkit.org/show_bug.cgi?id=195127
161         <rdar://problem/39645578>
162
163         Reviewed by Yusuke Suzuki.
164
165         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
166
167 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
168
169         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
170         https://bugs.webkit.org/show_bug.cgi?id=195144
171         <rdar://problem/47595961>
172
173         Reviewed by Mark Lam.
174
175         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
176         (bar):
177         (foo):
178         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
179         (bar):
180         (foo):
181
182 2019-02-27  Robin Morisset  <rmorisset@apple.com>
183
184         DFG: Loop-invariant code motion (LICM) should not hoist dead code
185         https://bugs.webkit.org/show_bug.cgi?id=194945
186         <rdar://problem/48311657>
187
188         Reviewed by Mark Lam.
189
190         * stress/licm-dead-code.js: Added.
191
192 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
193
194         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
195         https://bugs.webkit.org/show_bug.cgi?id=194677
196         <rdar://problem/48112492>
197
198         Reviewed by Mark Lam.
199
200         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
201         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
202         it immediately fails due the large size.
203
204         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
205         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
206         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
207         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
208
209         This patch changes the test to produce 16bit string from String.fromCharCode.
210
211         * stress/regress-178386.js:
212
213 2019-02-26  Mark Lam  <mark.lam@apple.com>
214
215         wasmToJS() should purify incoming NaNs.
216         https://bugs.webkit.org/show_bug.cgi?id=194807
217         <rdar://problem/48189132>
218
219         Reviewed by Saam Barati.
220
221         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
222
223 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
224
225         [JSC] Repeat string created from Array.prototype.join() take too much memory
226         https://bugs.webkit.org/show_bug.cgi?id=193912
227
228         Reviewed by Saam Barati.
229
230         Added a test and a microbenchmark for corner cases of
231         Array.prototype.join() with an uninitialized array.
232
233         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
234         * stress/array-prototype-join-uninitialized.js: Added.
235         (testArray):
236         (testABC):
237         (B):
238         (C):
239
240 2019-02-22  Robin Morisset  <rmorisset@apple.com>
241
242         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
243         https://bugs.webkit.org/show_bug.cgi?id=194953
244         <rdar://problem/47595253>
245
246         Reviewed by Saam Barati.
247
248         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
249
250         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
251
252 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
253
254         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
255         https://bugs.webkit.org/show_bug.cgi?id=172848
256         <rdar://problem/25709212>
257
258         Reviewed by Mark Lam.
259
260         * typeProfiler/inheritance.js:
261         Rewrite the test slightly for clarity. The hoisting was confusing.
262
263         * heapProfiler/class-names.js: Added.
264         (MyES5Class):
265         (MyES6Class):
266         (MyES6Subclass):
267         Test object types and improved class names.
268
269         * heapProfiler/driver/driver.js:
270         (CheapHeapSnapshotNode):
271         (CheapHeapSnapshot):
272         (createCheapHeapSnapshot):
273         (HeapSnapshot):
274         (createHeapSnapshot):
275         Update snapshot parsing from version 1 to version 2.
276
277 2019-02-19  Truitt Savell  <tsavell@apple.com>
278
279         Unreviewed, rolling out r241784.
280
281         Broke all OpenSource builds.
282
283         Reverted changeset:
284
285         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
286         instances view"
287         https://bugs.webkit.org/show_bug.cgi?id=172848
288         https://trac.webkit.org/changeset/241784
289
290 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
291
292         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
293         https://bugs.webkit.org/show_bug.cgi?id=172848
294         <rdar://problem/25709212>
295
296         Reviewed by Mark Lam.
297
298         * typeProfiler/inheritance.js:
299         Rewrite the test slightly for clarity. The hoisting was confusing.
300
301         * heapProfiler/class-names.js: Added.
302         (MyES5Class):
303         (MyES6Class):
304         (MyES6Subclass):
305         Test object types and improved class names.
306
307         * heapProfiler/driver/driver.js:
308         (CheapHeapSnapshotNode):
309         (CheapHeapSnapshot):
310         (createCheapHeapSnapshot):
311         (HeapSnapshot):
312         (createHeapSnapshot):
313         Update snapshot parsing from version 1 to version 2.
314
315 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
316
317         [ARM] Fix crash with sampling profiler
318         https://bugs.webkit.org/show_bug.cgi?id=194772
319
320         Reviewed by Mark Lam.
321
322         Do not skip test since crash with sampling profiler is now fixed.
323
324         * stress/sampling-profiler-richards.js:
325
326 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
327
328         [JSC] Add LazyClassStructure::getInitializedOnMainThread
329         https://bugs.webkit.org/show_bug.cgi?id=194784
330         <rdar://problem/48154820>
331
332         Reviewed by Mark Lam.
333
334         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
335         (getProperties):
336         (getRandomProperty):
337         (i.catch):
338
339 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
340
341         [ARM] Test gardening: Test running out of executable memory
342         https://bugs.webkit.org/show_bug.cgi?id=194771
343
344         Unreviewed. Do not run test without LLInt, test is running out of executable
345         memory on ARM otherwise.
346
347         * stress/tagged-template-object-collect.js:
348
349 2019-02-18  Tomas Popela  <tpopela@redhat.com>
350
351         Unreviewed, skip the test on platforms without sampling profiler
352
353         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
354         (platformSupportsSamplingProfiler.foo):
355         (platformSupportsSamplingProfiler.test):
356         (platformSupportsSamplingProfiler):
357         (foo): Deleted.
358         (test): Deleted.
359
360 2019-02-17  Saam Barati  <sbarati@apple.com>
361
362         Deadlock when adding a Structure property transition and then doing incremental marking
363         https://bugs.webkit.org/show_bug.cgi?id=194767
364
365         Reviewed by Mark Lam.
366
367         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
368
369 2019-02-15  Michael Saboff  <msaboff@apple.com>
370
371         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
372         https://bugs.webkit.org/show_bug.cgi?id=194558
373
374         Reviewed by Saam Barati.
375
376         New regression test.
377
378         * stress/regexp-unicode-within-string.js: Added.
379
380 2019-02-15  Mark Lam  <mark.lam@apple.com>
381
382         SamplingProfiler::stackTracesAsJSON() should escape strings.
383         https://bugs.webkit.org/show_bug.cgi?id=194649
384         <rdar://problem/48072386>
385
386         Reviewed by Saam Barati.
387
388         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
389         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
390         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
391         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
392
393 2019-02-15  Robin Morisset  <rmorisset@apple.com>
394         CodeBlock::jettison should clear related watchpoints
395         https://bugs.webkit.org/show_bug.cgi?id=194544
396
397         Reviewed by Mark Lam.
398
399         * stress/regexp-replace-double-watchpoint.js: Added.
400         (foo):
401
402 2019-02-15  Saam barati  <sbarati@apple.com>
403
404         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
405         https://bugs.webkit.org/show_bug.cgi?id=194036
406
407         Reviewed by Yusuke Suzuki.
408
409         * stress/tail-call-many-arguments.js: Added.
410         (foo):
411         (bar):
412
413 2019-02-14  Saam Barati  <sbarati@apple.com>
414
415         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
416         https://bugs.webkit.org/show_bug.cgi?id=194583
417         <rdar://problem/48028140>
418
419         Reviewed by Yusuke Suzuki.
420
421         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
422
423 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
424
425         [JSC] String.fromCharCode's slow path always generates 16bit string
426         https://bugs.webkit.org/show_bug.cgi?id=194466
427
428         Reviewed by Keith Miller.
429
430         * stress/string-from-char-code-slow-path.js: Added.
431         (shouldBe):
432         (testWithLength):
433
434 2019-02-08  Saam barati  <sbarati@apple.com>
435
436         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
437         https://bugs.webkit.org/show_bug.cgi?id=194334
438         <rdar://problem/47844327>
439
440         Reviewed by Mark Lam.
441
442         * stress/check-in-bounds-should-be-a-child-use.js: Added.
443         (func):
444
445 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
446
447         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
448         https://bugs.webkit.org/show_bug.cgi?id=194369
449         <rdar://problem/47813087>
450
451         Reviewed by Saam Barati.
452
453         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
454         (A):
455
456 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
457
458         [JSC] PrivateName to PublicName hash table is wasteful
459         https://bugs.webkit.org/show_bug.cgi?id=194277
460
461         Reviewed by Michael Saboff.
462
463         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
464
465         * ChakraCore.yaml:
466
467 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
468
469         [ARM] Test running out of executable memory
470         https://bugs.webkit.org/show_bug.cgi?id=194285
471
472         Unreviewed. Do no execute test with LLInt disabled, test runs out of
473         executable memory otherwise.
474
475         * stress/class-subclassing-function.js:
476
477 2019-02-04  Robin Morisset  <rmorisset@apple.com>
478
479         when lowering AssertNotEmpty, create the value before creating the patchpoint
480         https://bugs.webkit.org/show_bug.cgi?id=194231
481
482         Reviewed by Saam Barati.
483
484         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
485         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
486         So even tiny changes to this test can change the path code taken.
487
488         * stress/assert-not-empty.js: Added.
489         (foo):
490
491 2019-02-01  Mark Lam  <mark.lam@apple.com>
492
493         Remove invalid assertion in DFG's compileDoubleRep().
494         https://bugs.webkit.org/show_bug.cgi?id=194130
495         <rdar://problem/47699474>
496
497         Reviewed by Saam Barati.
498
499         * stress/constant-fold-double-rep-into-double-constant.js: Added.
500
501 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
502
503         Import latest Test262 updates.
504
505         Rubber-stamped by Keith Miller.
506
507         * test262.yaml: Deleted.
508         * test262/config.yaml:
509         * test262/expectations.yaml:
510         * test262/latest-changes-summary.txt:
511         * test262/test/:
512         * test262/test262-Revision.txt:
513
514 2019-01-30  Robin Morisset  <rmorisset@apple.com>
515
516         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
517         https://bugs.webkit.org/show_bug.cgi?id=194050
518         <rdar://problem/47595592>
519
520         Reviewed by Yusuke Suzuki.
521
522         * stress/object-keys-osr-exit.js: Added.
523         (foo):
524         (catch):
525
526 2019-01-29  Mark Lam  <mark.lam@apple.com>
527
528         ValueRecovery::recover() should purify NaN values it recovers.
529         https://bugs.webkit.org/show_bug.cgi?id=193978
530         <rdar://problem/47625488>
531
532         Reviewed by Saam Barati.
533
534         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
535
536 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
537
538         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
539         https://bugs.webkit.org/show_bug.cgi?id=193713
540
541         * stress/try-get-by-id-should-spill-registers-dfg.js:
542         (let.f.createBuiltin):
543
544 2019-01-28  Mark Lam  <mark.lam@apple.com>
545
546         ToString node actually does GC.
547         https://bugs.webkit.org/show_bug.cgi?id=193920
548         <rdar://problem/46695900>
549
550         Reviewed by Yusuke Suzuki.
551
552         * stress/dfg-to-string-on-int-does-gc.js: Added.
553         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
554         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
555
556 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
557
558         [JSC] NativeErrorConstructor should not have own IsoSubspace
559         https://bugs.webkit.org/show_bug.cgi?id=193713
560
561         Reviewed by Saam Barati.
562
563         Remove @Error use.
564
565         * stress/try-get-by-id-should-spill-registers-dfg.js:
566         (let.f.createBuiltin):
567
568 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
569
570         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
571         https://bugs.webkit.org/show_bug.cgi?id=190693
572
573         Reviewed by Michael Saboff.
574
575         * stress/regress-190693.js: Added.
576         (truth):
577         (assert):
578         (shouldThrowInvalidConstAssignment):
579         (taz):
580
581 2019-01-24  Saam Barati  <sbarati@apple.com>
582
583         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
584         https://bugs.webkit.org/show_bug.cgi?id=193751
585         <rdar://problem/47280215>
586
587         Reviewed by Michael Saboff.
588
589         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
590         (let.thing):
591         (foo.let.hello):
592         (foo):
593
594 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
595
596         [JSC] Reenable baseline JIT on mips
597         https://bugs.webkit.org/show_bug.cgi?id=192983
598
599         Reviewed by Mark Lam.
600
601         Added a new test for a case that was triggering a RELEASE_ASSERT when
602         testing.
603         Disable some slow tests that were already disabled for arm and x86.
604
605         * stress/json-parse-big-object.js: Added.
606         * stress/new-largeish-contiguous-array-with-size.js:
607         * stress/op_add.js:
608         * stress/op_bitand.js:
609         * stress/op_bitor.js:
610         * stress/op_bitxor.js:
611         * stress/op_lshift-ConstVar.js:
612         * stress/op_lshift-VarConst.js:
613         * stress/op_lshift-VarVar.js:
614         * stress/op_mod-ConstVar.js:
615         * stress/op_mod-VarConst.js:
616         * stress/op_mod-VarVar.js:
617         * stress/op_mul-ConstVar.js:
618         * stress/op_mul-VarConst.js:
619         * stress/op_mul-VarVar.js:
620         * stress/op_rshift-ConstVar.js:
621         * stress/op_rshift-VarConst.js:
622         * stress/op_rshift-VarVar.js:
623         * stress/op_sub-ConstVar.js:
624         * stress/op_sub-VarConst.js:
625         * stress/op_sub-VarVar.js:
626         * stress/op_urshift-ConstVar.js:
627         * stress/op_urshift-VarConst.js:
628         * stress/op_urshift-VarVar.js:
629         * stress/sampling-profiler-richards.js:
630         * stress/spread-forward-call-varargs-stack-overflow.js:
631
632 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
633
634         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
635         https://bugs.webkit.org/show_bug.cgi?id=193711
636         <rdar://problem/47250262>
637
638         Reviewed by Saam Barati.
639
640         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
641         (shouldBe):
642         (foo):
643         (bar):
644         (baz):
645
646 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
647
648         Unreviewed, fix initial global lexical binding epoch
649         https://bugs.webkit.org/show_bug.cgi?id=193603
650         <rdar://problem/47380869>
651
652         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
653         (f1.f2.f3.f4):
654         (f1.f2.f3):
655         (f1.f2):
656         (f1):
657
658 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
659
660         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
661         https://bugs.webkit.org/show_bug.cgi?id=193709
662         <rdar://problem/47363838>
663
664         Unreviewed, rollout to watch the tests.
665
666         * stress/object-tostring-changed-proto.js: Removed.
667         * stress/object-tostring-changed.js: Removed.
668         * stress/object-tostring-misc.js: Removed.
669         * stress/object-tostring-other.js: Removed.
670         * stress/object-tostring-untyped.js: Removed.
671
672 2019-01-22  Saam Barati  <sbarati@apple.com>
673
674         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
675
676         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
677         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
678         (testUncheckedLessThanZero):
679         (testUncheckedLessThanOrEqualZero):
680         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
681         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
682
683 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
684
685         [JSC] Invalidate old scope operations using global lexical binding epoch
686         https://bugs.webkit.org/show_bug.cgi?id=193603
687         <rdar://problem/47380869>
688
689         Reviewed by Saam Barati.
690
691         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
692         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
693         (shouldThrow):
694         (bar):
695         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
696         (shouldBe):
697         (get1):
698         (get2):
699         (get1If):
700         (get2If):
701         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
702         (shouldThrow):
703         (foo):
704
705 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
706
707         Unreviewed, roll out r240220 due to date-format-xparb regression
708         https://bugs.webkit.org/show_bug.cgi?id=193603
709
710         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
711         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
712         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
713         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
714
715 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
716
717         DoesGC rule is wrong for nodes with BigIntUse
718         https://bugs.webkit.org/show_bug.cgi?id=193652
719
720         Reviewed by Saam Barati.
721
722         * stress/big-int-value-op-update-gc-rules.js: Added.
723         (assert):
724         (doesGCAdd):
725         (doesGCSub):
726         (doesGCDiv):
727         (doesGCMul):
728         (doesGCBitAnd):
729         (doesGCBitOr):
730         (doesGCBitXor):
731
732 2019-01-20  Saam Barati  <sbarati@apple.com>
733
734         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
735         https://bugs.webkit.org/show_bug.cgi?id=193644
736         <rdar://problem/46209745>
737
738         Reviewed by Yusuke Suzuki.
739
740         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
741         (foo):
742         * stress/data-view-set-intrinsic-undefined-result.js: Added.
743         (foo):
744         (bar):
745
746 2019-01-20  Saam Barati  <sbarati@apple.com>
747
748         MovHint must merge NodeBytecodeUsesAsValue for its child
749         https://bugs.webkit.org/show_bug.cgi?id=186916
750         <rdar://problem/41396612>
751
752         Reviewed by Yusuke Suzuki.
753
754         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
755         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
756
757 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
758
759         [JSC] Invalidate old scope operations using global lexical binding epoch
760         https://bugs.webkit.org/show_bug.cgi?id=193603
761         <rdar://problem/47380869>
762
763         Reviewed by Saam Barati.
764
765         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
766         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
767         (shouldThrow):
768         (bar):
769         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
770         (shouldBe):
771         (get1):
772         (get2):
773         (get1If):
774         (get2If):
775         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
776         (shouldThrow):
777         (foo):
778
779 2019-01-17  Saam barati  <sbarati@apple.com>
780
781         StringObjectUse should not be a structure check for the original string object structure
782         https://bugs.webkit.org/show_bug.cgi?id=193483
783         <rdar://problem/47280522>
784
785         Reviewed by Yusuke Suzuki.
786
787         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
788         (foo):
789         (a.valueOf.0):
790
791 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
792
793         [JSC] ToThis omission in DFGByteCodeParser is wrong
794         https://bugs.webkit.org/show_bug.cgi?id=193513
795         <rdar://problem/45842236>
796
797         Reviewed by Saam Barati.
798
799         * stress/to-this-omission-with-different-strict-modes.js: Added.
800         (thisA):
801         (thisAStrictWrapper):
802
803 2019-01-15  Mark Lam  <mark.lam@apple.com>
804
805         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
806         https://bugs.webkit.org/show_bug.cgi?id=193423
807         <rdar://problem/46209355>
808
809         Reviewed by Saam Barati.
810
811         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
812         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
813         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
814         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
815
816 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
817
818         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
819         https://bugs.webkit.org/show_bug.cgi?id=193438
820         <rdar://problem/45581249>
821
822         Reviewed by Saam Barati and Keith Miller.
823
824         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
825         Then, GetByVal(String) crashed.
826
827         * stress/string-get-by-val-lowering.js: Added.
828         (shouldBe):
829         (test):
830         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
831         (Hello):
832         (foo):
833
834 2019-01-15  Tomas Popela  <tpopela@redhat.com>
835
836         Unreviewed, skip JIT tests if it's not enabled
837
838         * stress/bit-op-with-object-returning-int32.js:
839
840 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
841
842         DFGByteCodeParser rules for bitwise operations should consider type of their operands
843         https://bugs.webkit.org/show_bug.cgi?id=192966
844
845         Reviewed by Yusuke Suzuki.
846
847         * stress/bit-op-with-object-returning-int32.js: Added.
848
849 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
850
851         Skip a slow test and a flakey test on arm
852
853         Unreviewed gardening.
854
855         * typeProfiler/getter-richards.js:
856         this test always times out, it used to be always skipped on arm and
857         mips, but got accidentally enabled by r237919 now that we have DFG on
858         arm. Also skipping on mips as we plan to soon enable DFG for it too.
859
860 2019-01-14  Keith Miller  <keith_miller@apple.com>
861
862         Skip type-check-hoisting-phase-hoist... with no jit
863         https://bugs.webkit.org/show_bug.cgi?id=193421
864
865         Reviewed by Mark Lam.
866
867         It's timing out the 32-bit bots and takes 330 seconds
868         on my machine when run by itself.
869
870         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
871
872 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
873
874         [JSC] AI should check the given constant's array type when folding GetByVal into constant
875         https://bugs.webkit.org/show_bug.cgi?id=193413
876         <rdar://problem/46092389>
877
878         Reviewed by Keith Miller.
879
880         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
881         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
882         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
883         but GetByVal does not have appropriate ArrayModes, JSC crashes.
884
885         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
886         (compareArray):
887
888 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
889
890         [BigInt] Literal parsing is crashing when used inside a Object Literal
891         https://bugs.webkit.org/show_bug.cgi?id=193404
892
893         Reviewed by Yusuke Suzuki.
894
895         * stress/big-int-literal-inside-literal-object.js: Added.
896
897 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
898
899         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
900         https://bugs.webkit.org/show_bug.cgi?id=193372
901
902         Reviewed by Saam Barati.
903
904         * stress/typed-array-array-modes-profile.js: Added.
905         (foo):
906
907 2019-01-14  Mark Lam  <mark.lam@apple.com>
908
909         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
910         https://bugs.webkit.org/show_bug.cgi?id=193402
911         <rdar://problem/46012309>
912
913         Reviewed by Keith Miller.
914
915         * stress/regexp-compile-oom.js:
916         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
917           is enabled.  As a result, it will fail on cloop builds though there is no bug.
918
919 2019-01-11  Saam barati  <sbarati@apple.com>
920
921         DFG combined liveness can be wrong for terminal basic blocks
922         https://bugs.webkit.org/show_bug.cgi?id=193304
923         <rdar://problem/45268632>
924
925         Reviewed by Yusuke Suzuki.
926
927         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
928
929 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
930
931         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
932         https://bugs.webkit.org/show_bug.cgi?id=193308
933         <rdar://problem/45546542>
934
935         Reviewed by Saam Barati.
936
937         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
938         (shouldThrow):
939         (shouldBe):
940         (foo):
941         (get shouldThrow):
942         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
943         (shouldThrow):
944         (shouldBe):
945         (foo):
946         (get shouldBe):
947         (get shouldThrow):
948         (get return):
949         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
950         (shouldThrow):
951         (shouldBe):
952         (foo):
953         (get shouldBe):
954         (get shouldThrow):
955         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
956         (shouldThrow):
957         (shouldBe):
958         (foo):
959         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
960         (shouldThrow):
961         (shouldBe):
962         (foo):
963         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
964         (shouldThrow):
965         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
966         (shouldThrow):
967         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
968         (shouldThrow):
969         (shouldBe):
970         (foo):
971         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
972         (shouldThrow):
973         (shouldBe):
974         (foo):
975         (get shouldBe):
976         (get shouldThrow):
977         (get return):
978         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
979         (shouldThrow):
980         (shouldBe):
981         (foo):
982         (get shouldBe):
983         (get shouldThrow):
984         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
985         (shouldThrow):
986         (shouldBe):
987         (foo):
988         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
989         (shouldThrow):
990         (shouldBe):
991         (foo):
992
993 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
994
995         Enable DFG on ARM/Linux again
996         https://bugs.webkit.org/show_bug.cgi?id=192496
997
998         Reviewed by Yusuke Suzuki.
999
1000         Test wasn't really skipped before moving the line with skip
1001         to the top.
1002
1003         * stress/regress-192717.js:
1004
1005 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1006
1007         Unreviewed, rolling out r239825.
1008         https://bugs.webkit.org/show_bug.cgi?id=193330
1009
1010         Broke tests on armv7/linux bots (Requested by guijemont on
1011         #webkit).
1012
1013         Reverted changeset:
1014
1015         "Enable DFG on ARM/Linux again"
1016         https://bugs.webkit.org/show_bug.cgi?id=192496
1017         https://trac.webkit.org/changeset/239825
1018
1019 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1020
1021         Enable DFG on ARM/Linux again
1022         https://bugs.webkit.org/show_bug.cgi?id=192496
1023
1024         Reviewed by Yusuke Suzuki.
1025
1026         Test wasn't really skipped before moving the line with skip
1027         to the top.
1028
1029         * stress/regress-192717.js:
1030
1031 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1032
1033         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1034         https://bugs.webkit.org/show_bug.cgi?id=193127
1035
1036         Reviewed by Saam Barati.
1037
1038         * stress/array-species-create-should-handle-masquerader.js: Added.
1039         (shouldThrow):
1040         * stress/is-undefined-or-null-builtin.js: Added.
1041         (shouldBe):
1042         (isUndefinedOrNull.vm.createBuiltin):
1043
1044 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1045
1046         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1047         https://bugs.webkit.org/show_bug.cgi?id=193221
1048
1049         Reviewed by Mark Lam.
1050
1051         * stress/put-by-id-flags.js: Added.
1052         (f):
1053         (g):
1054         (numberOfDFGCompiles):
1055
1056 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1057
1058         Baseline version of get_by_id may corrupt metadata
1059         https://bugs.webkit.org/show_bug.cgi?id=193085
1060         <rdar://problem/23453006>
1061
1062         Reviewed by Saam Barati.
1063
1064         * stress/get-by-id-change-mode.js: Added.
1065         (forEach):
1066
1067 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1068
1069         [JSC] Optimize Object.prototype.toString
1070         https://bugs.webkit.org/show_bug.cgi?id=193031
1071
1072         Reviewed by Saam Barati.
1073
1074         * stress/object-tostring-changed-proto.js: Added.
1075         (shouldBe):
1076         (test):
1077         * stress/object-tostring-changed.js: Added.
1078         (shouldBe):
1079         (test):
1080         * stress/object-tostring-misc.js: Added.
1081         (shouldBe):
1082         (test):
1083         (i.switch):
1084         * stress/object-tostring-other.js: Added.
1085         (shouldBe):
1086         (test):
1087         * stress/object-tostring-untyped.js: Added.
1088         (shouldBe):
1089         (test):
1090         (i.switch):
1091
1092 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1093
1094         test262-runner misbehaves when test file YAML has a trailing space
1095         https://bugs.webkit.org/show_bug.cgi?id=193053
1096
1097         Reviewed by Yusuke Suzuki.
1098
1099         * test262/expectations.yaml:
1100         Mark two dozen tests as passing (and correct the output of another).
1101
1102 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1103
1104         Unreviewed, JSTests gardening with memoryLimited
1105
1106         * stress/string-overflow-createError.js:
1107
1108 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1109
1110         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1111         https://bugs.webkit.org/show_bug.cgi?id=193050
1112
1113         Reviewed by Yusuke Suzuki.
1114
1115         * test262.yaml:
1116         * test262/expectations.yaml:
1117         Mark 16 tests as passing.
1118
1119 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1120
1121         [BigInt] Support BigInt in JSON.stringify
1122         https://bugs.webkit.org/show_bug.cgi?id=192624
1123
1124         Reviewed by Saam Barati.
1125
1126         * stress/big-int-json-stringify-to-json.js: Added.
1127         (shouldBe):
1128         (shouldThrow):
1129         (BigInt.prototype.toJSON):
1130         (shouldBe.JSON.stringify):
1131         * stress/big-int-json-stringify.js: Added.
1132         (shouldBe):
1133         (shouldThrow):
1134
1135 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1136
1137         [JSC] Implement "well-formed JSON.stringify" proposal
1138         https://bugs.webkit.org/show_bug.cgi?id=191677
1139
1140         Reviewed by Darin Adler.
1141
1142         * stress/json-surrogate-pair.js: Added.
1143         (shouldBe):
1144         * test262/expectations.yaml:
1145
1146 2018-12-20  Keith Miller  <keith_miller@apple.com>
1147
1148         Add support for globalThis
1149         https://bugs.webkit.org/show_bug.cgi?id=165171
1150
1151         Reviewed by Mark Lam.
1152
1153         * test262/config.yaml:
1154
1155 2018-12-19  Keith Miller  <keith_miller@apple.com>
1156
1157         Update test262 configuration to not run tests dependent on ICU version.
1158         https://bugs.webkit.org/show_bug.cgi?id=192920
1159
1160         Reviewed by Saam Barati.
1161
1162         * test262/expectations.yaml:
1163
1164 2018-12-20  Mark Lam  <mark.lam@apple.com>
1165
1166         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1167         https://bugs.webkit.org/show_bug.cgi?id=192939
1168         <rdar://problem/46869516>
1169
1170         Reviewed by Keith Miller.
1171
1172         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1173
1174 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1175
1176         WTF::String and StringImpl overflow MaxLength
1177         https://bugs.webkit.org/show_bug.cgi?id=192853
1178         <rdar://problem/45726906>
1179
1180         Reviewed by Mark Lam.
1181
1182         * stress/string-16bit-repeat-overflow.js: Added.
1183         (catch):
1184
1185 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1186
1187         Unreviewed follow-up to r192914.
1188
1189         * test262/expectations.yaml:
1190         Add the last 20 missing expectations.
1191
1192 2018-12-19  Keith Miller  <keith_miller@apple.com>
1193
1194         Fix test262 expectations
1195         https://bugs.webkit.org/show_bug.cgi?id=192914
1196
1197         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1198
1199         * test262/expectations.yaml:
1200
1201 2018-12-19  Keith Miller  <keith_miller@apple.com>
1202
1203         Update test262 tests.
1204         https://bugs.webkit.org/show_bug.cgi?id=192907
1205
1206         Rubber stamped by Mark Lam.
1207
1208         * test262/*: Omitted because prepare-changelog crashes.
1209
1210 2018-12-19  Mark Lam  <mark.lam@apple.com>
1211
1212         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1213         https://bugs.webkit.org/show_bug.cgi?id=192464
1214         <rdar://problem/46519455>
1215
1216         Reviewed by Saam Barati.
1217
1218         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1219         microbenchmark.
1220
1221         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1222         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1223
1224 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1225
1226         String overflow in JSC::createError results in ASSERT in WTF::makeString
1227         https://bugs.webkit.org/show_bug.cgi?id=192833
1228         <rdar://problem/45706868>
1229
1230         Reviewed by Mark Lam.
1231
1232         * stress/string-overflow-createError.js: Added.
1233
1234 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1235
1236         Error message for `-x ** y` contains a typo.
1237         https://bugs.webkit.org/show_bug.cgi?id=192832
1238
1239         Reviewed by Saam Barati.
1240
1241         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1242         (assert.assert.return.throws):
1243         * stress/pow-expects-update-expression-on-lhs.js:
1244         (throw.new.Error):
1245         Update test expectations which match against the exact error message.
1246
1247 2018-12-18  Mark Lam  <mark.lam@apple.com>
1248
1249         Gardening: test options fix.
1250         https://bugs.webkit.org/show_bug.cgi?id=192822
1251
1252         Unreviewed.
1253
1254         * stress/json-stringify-string-builder-overflow.js:
1255
1256 2018-12-18  Mark Lam  <mark.lam@apple.com>
1257
1258         JSON.stringify() should throw OOM on StringBuilder overflows.
1259         https://bugs.webkit.org/show_bug.cgi?id=192822
1260         <rdar://problem/46670577>
1261
1262         Reviewed by Saam Barati.
1263
1264         * stress/json-stringify-string-builder-overflow.js: Added.
1265
1266 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1267
1268         Redeclaration of var over let/const/class should be a syntax error.
1269         https://bugs.webkit.org/show_bug.cgi?id=192298
1270
1271         Reviewed by Keith Miller.
1272
1273         * test262.yaml:
1274         * test262/expectations.yaml:
1275         Mark 46 tests as passing.
1276
1277         * stress/block-scope-redeclarations.js:
1278         Add some new tests.
1279
1280         * stress/for-in-invalidate-context-weird-assignments.js:
1281         * stress/for-in-tests.js:
1282         Replace tests for outdated behavior with tests for SyntaxError.
1283
1284         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1285         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1286         Update expectations.
1287
1288 2018-12-18  Mark Lam  <mark.lam@apple.com>
1289
1290         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1291         https://bugs.webkit.org/show_bug.cgi?id=191374
1292         <rdar://problem/46525447>
1293
1294         Reviewed by Yusuke Suzuki.
1295
1296         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1297
1298         * stress/elidable-new-object-roflcopter-then-exit.js:
1299
1300 2018-12-17  Mark Lam  <mark.lam@apple.com>
1301
1302         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1303         https://bugs.webkit.org/show_bug.cgi?id=192019
1304         <rdar://problem/46525456>
1305
1306         Reviewed by Yusuke Suzuki.
1307
1308         The test runs too slow on 32-bit.
1309
1310         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1311
1312 2018-12-17  Mark Lam  <mark.lam@apple.com>
1313
1314         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1315         https://bugs.webkit.org/show_bug.cgi?id=191373
1316         <rdar://problem/46525458>
1317
1318         Reviewed by Yusuke Suzuki.
1319
1320         The test is already slow running with a JIT on 64-bit.  It will always timeout
1321         on 32-bit without a JIT.
1322
1323         * stress/materialize-regexp-cyclic-regexp.js:
1324
1325 2018-12-17  Mark Lam  <mark.lam@apple.com>
1326
1327         Array unshift/shift should not race against the AI in the compiler thread.
1328         https://bugs.webkit.org/show_bug.cgi?id=192795
1329         <rdar://problem/46724263>
1330
1331         Reviewed by Saam Barati.
1332
1333         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1334
1335 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1336
1337         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1338         https://bugs.webkit.org/show_bug.cgi?id=190047
1339
1340         Reviewed by Saam Barati.
1341
1342         * stress/object-keys-cached-zero.js: Added.
1343         (shouldBe):
1344         (test):
1345         * stress/object-keys-changed-attribute.js: Added.
1346         (shouldBe):
1347         (test):
1348         * stress/object-keys-changed-index.js: Added.
1349         (shouldBe):
1350         (test):
1351         * stress/object-keys-changed.js: Added.
1352         (shouldBe):
1353         (test):
1354         * stress/object-keys-indexed-non-cache.js: Added.
1355         (shouldBe):
1356         (test):
1357         * stress/object-keys-overrides-get-property-names.js: Added.
1358         (shouldBe):
1359         (test):
1360         (noInline):
1361
1362 2018-12-17  Mark Lam  <mark.lam@apple.com>
1363
1364         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1365         https://bugs.webkit.org/show_bug.cgi?id=192779
1366         <rdar://problem/46775869>
1367
1368         Reviewed by Saam Barati.
1369
1370         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1371
1372 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1373
1374         Unreviewed test gardening, address a syntax error in a new test.
1375
1376         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1377
1378 2018-12-17  Mark Lam  <mark.lam@apple.com>
1379
1380         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1381         https://bugs.webkit.org/show_bug.cgi?id=192776
1382         <rdar://problem/46772368>
1383
1384         Reviewed by Keith Miller.
1385
1386         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1387
1388 2018-12-17  Mark Lam  <mark.lam@apple.com>
1389
1390         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1391         https://bugs.webkit.org/show_bug.cgi?id=192770
1392         <rdar://problem/46449037>
1393
1394         Reviewed by Keith Miller.
1395
1396         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1397
1398 2018-12-14  Mark Lam  <mark.lam@apple.com>
1399
1400         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1401         https://bugs.webkit.org/show_bug.cgi?id=192717
1402         <rdar://problem/46660677>
1403
1404         Reviewed by Saam Barati.
1405
1406         * stress/regress-192717.js: Added.
1407
1408 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1409
1410         Unreviewed, rolling out r239153, r239154, and r239155.
1411         https://bugs.webkit.org/show_bug.cgi?id=192715
1412
1413         Caused flaky GC-related crashes seen with layout tests
1414         (Requested by ryanhaddad on #webkit).
1415
1416         Reverted changesets:
1417
1418         "[JSC] Optimize Object.keys by caching own keys results in
1419         StructureRareData"
1420         https://bugs.webkit.org/show_bug.cgi?id=190047
1421         https://trac.webkit.org/changeset/239153
1422
1423         "Unreviewed, build fix after r239153"
1424         https://bugs.webkit.org/show_bug.cgi?id=190047
1425         https://trac.webkit.org/changeset/239154
1426
1427         "Unreviewed, build fix after r239153, part 2"
1428         https://bugs.webkit.org/show_bug.cgi?id=190047
1429         https://trac.webkit.org/changeset/239155
1430
1431 2018-12-14  Keith Miller  <keith_miller@apple.com>
1432
1433         Callers of JSString::getIndex should check for OOM exceptions
1434         https://bugs.webkit.org/show_bug.cgi?id=192709
1435
1436         Reviewed by Mark Lam.
1437
1438         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1439
1440 2018-12-13  Mark Lam  <mark.lam@apple.com>
1441
1442         Add a missing exception check.
1443         https://bugs.webkit.org/show_bug.cgi?id=192626
1444         <rdar://problem/46662163>
1445
1446         Reviewed by Keith Miller.
1447
1448         * stress/regress-192626.js: Added.
1449
1450 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1451
1452         [BigInt] Add ValueDiv into DFG
1453         https://bugs.webkit.org/show_bug.cgi?id=186178
1454
1455         Reviewed by Yusuke Suzuki.
1456
1457         * stress/big-int-div-jit-osr.js: Added.
1458         * stress/big-int-div-jit-untyped.js: Added.
1459         * stress/value-div-fixup-int32-big-int.js: Added.
1460
1461 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1462
1463         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1464         https://bugs.webkit.org/show_bug.cgi?id=190047
1465
1466         Reviewed by Keith Miller.
1467
1468         * stress/object-keys-cached-zero.js: Added.
1469         (shouldBe):
1470         (test):
1471         * stress/object-keys-changed-attribute.js: Added.
1472         (shouldBe):
1473         (test):
1474         * stress/object-keys-changed-index.js: Added.
1475         (shouldBe):
1476         (test):
1477         * stress/object-keys-changed.js: Added.
1478         (shouldBe):
1479         (test):
1480         * stress/object-keys-indexed-non-cache.js: Added.
1481         (shouldBe):
1482         (test):
1483         * stress/object-keys-overrides-get-property-names.js: Added.
1484         (shouldBe):
1485         (test):
1486         (noInline):
1487
1488 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1489
1490         [DFG][FTL] Add NewSymbol
1491         https://bugs.webkit.org/show_bug.cgi?id=192620
1492
1493         Reviewed by Saam Barati.
1494
1495         * microbenchmarks/symbol-creation.js: Added.
1496         (test):
1497         * stress/symbol-description-identity.js: Added.
1498         (shouldBe):
1499         (test):
1500         * stress/symbol-identity.js: Added.
1501         (shouldBe):
1502         (test):
1503         * stress/symbol-with-description-throw-error.js: Added.
1504         (shouldBe):
1505         (shouldThrow):
1506         (test):
1507         (object.toString):
1508
1509 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1510
1511         [BigInt] Implement DFG/FTL typeof for BigInt
1512         https://bugs.webkit.org/show_bug.cgi?id=192619
1513
1514         Reviewed by Keith Miller.
1515
1516         * stress/big-int-boolean-proven-type.js: Added.
1517         (assert):
1518         (bool):
1519         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1520         (assert):
1521         (typeOf):
1522         (i.switch):
1523         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1524         (assert):
1525         (typeOf):
1526         * stress/big-int-type-of.js:
1527         (typeOf):
1528         (func):
1529
1530 2018-12-10  Mark Lam  <mark.lam@apple.com>
1531
1532         PropertyAttribute needs a CustomValue bit.
1533         https://bugs.webkit.org/show_bug.cgi?id=191993
1534         <rdar://problem/46264467>
1535
1536         Reviewed by Saam Barati.
1537
1538         * stress/regress-191993.js: Added.
1539
1540 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1541
1542         [BigInt] Add ValueMul into DFG
1543         https://bugs.webkit.org/show_bug.cgi?id=186175
1544
1545         Reviewed by Yusuke Suzuki.
1546
1547         * stress/big-int-mul-jit-osr.js: Added.
1548         * stress/big-int-mul-jit-untyped.js: Added.
1549         * stress/value-mul-fixup-int32-big-int.js: Added.
1550
1551 2018-12-06  Keith Miller  <keith_miller@apple.com>
1552
1553         stress/big-wasm-memory tests failing on 32-bit JSC bot
1554         https://bugs.webkit.org/show_bug.cgi?id=192020
1555
1556         Reviewed by Saam Barati.
1557
1558         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1559         the wasm stress tests if the WebAssembly object does not exist.
1560
1561         * stress/big-wasm-memory-grow-no-max.js:
1562         (test.foo):
1563         (test):
1564         (foo): Deleted.
1565         (catch): Deleted.
1566         * stress/big-wasm-memory-grow.js:
1567         (test.foo):
1568         (test):
1569         (foo): Deleted.
1570         (catch): Deleted.
1571         * stress/big-wasm-memory.js:
1572         (test.foo):
1573         (test):
1574         (foo): Deleted.
1575         (catch): Deleted.
1576
1577 2018-12-05  Mark Lam  <mark.lam@apple.com>
1578
1579         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1580         https://bugs.webkit.org/show_bug.cgi?id=192441
1581         <rdar://problem/46480355>
1582
1583         Reviewed by Saam Barati.
1584
1585         * stress/regress-192441.js: Added.
1586
1587 2018-12-04  Mark Lam  <mark.lam@apple.com>
1588
1589         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1590         https://bugs.webkit.org/show_bug.cgi?id=192386
1591         <rdar://problem/46445516>
1592
1593         Reviewed by Saam Barati.
1594
1595         * stress/regress-192386.js: Added.
1596
1597 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1598
1599         [ESNext][BigInt] Support logic operations
1600         https://bugs.webkit.org/show_bug.cgi?id=179903
1601
1602         Reviewed by Yusuke Suzuki.
1603
1604         * stress/big-int-branch-usage.js: Added.
1605         * stress/big-int-logical-and.js: Added.
1606         * stress/big-int-logical-not.js: Added.
1607         * stress/big-int-logical-or.js: Added.
1608
1609 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1610
1611         Unreviewed, rolling out r238833.
1612
1613         Breaks macOS and iOS debug builds.
1614
1615         Reverted changeset:
1616
1617         "[ESNext][BigInt] Support logic operations"
1618         https://bugs.webkit.org/show_bug.cgi?id=179903
1619         https://trac.webkit.org/changeset/238833
1620
1621 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1622
1623         [ESNext][BigInt] Support logic operations
1624         https://bugs.webkit.org/show_bug.cgi?id=179903
1625
1626         Reviewed by Yusuke Suzuki.
1627
1628         * stress/big-int-branch-usage.js: Added.
1629         * stress/big-int-logical-and.js: Added.
1630         * stress/big-int-logical-not.js: Added.
1631         * stress/big-int-logical-or.js: Added.
1632
1633 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1634
1635         [ESNext][BigInt] Implement support for "<<" and ">>"
1636         https://bugs.webkit.org/show_bug.cgi?id=186233
1637
1638         Reviewed by Yusuke Suzuki.
1639
1640         * stress/big-int-left-shift-general.js: Added.
1641         * stress/big-int-left-shift-range-error.js: Added.
1642         * stress/big-int-left-shift-type-error.js: Added.
1643         * stress/big-int-left-shift-wrapped-value.js: Added.
1644         * stress/big-int-right-shift-general.js: Added.
1645         * stress/big-int-right-shift-type-error.js: Added.
1646         * stress/big-int-right-shift-wrapped-value.js: Added.
1647         * stress/left-shift-to-primitive-precedence.js: Added.
1648         * stress/right-shift-to-primitive-precedence.js: Added.
1649
1650 2018-11-30  Dean Jackson  <dino@apple.com>
1651
1652         Add first-class support for .mjs files in jsc binary
1653         https://bugs.webkit.org/show_bug.cgi?id=192190
1654         <rdar://problem/46375715>
1655
1656         Reviewed by Keith Miller.
1657
1658         * stress/simple-module.mjs: Added.
1659         * stress/simple-script.js: Added.
1660
1661 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1662
1663         [BigInt] Implement ValueBitXor into DFG
1664         https://bugs.webkit.org/show_bug.cgi?id=190264
1665
1666         Reviewed by Yusuke Suzuki.
1667
1668         * stress/big-int-bitwise-xor-jit.js: Added.
1669         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1670         * stress/big-int-bitwise-xor-untyped.js: Added.
1671
1672 2018-11-27  Saam barati  <sbarati@apple.com>
1673
1674         r238510 broke scopes of size zero
1675         https://bugs.webkit.org/show_bug.cgi?id=192033
1676         <rdar://problem/46281734>
1677
1678         Reviewed by Keith Miller.
1679
1680         * stress/r238510-bad-loop.js: Added.
1681         (foo):
1682
1683 2018-11-27  Mark Lam  <mark.lam@apple.com>
1684
1685         [Re-landing] NaNs read from Wasm code needs to be be purified.
1686         https://bugs.webkit.org/show_bug.cgi?id=191056
1687         <rdar://problem/45660341>
1688
1689         Reviewed by Filip Pizlo.
1690
1691         * wasm/regress/regress-191056.js: Added.
1692
1693 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1694
1695         Unreviewed, rolling out r238509.
1696
1697         Causes JSC tests to fail on iOS.
1698
1699         Reverted changeset:
1700
1701         "NaNs read from Wasm code needs to be be purified."
1702         https://bugs.webkit.org/show_bug.cgi?id=191056
1703         https://trac.webkit.org/changeset/238509
1704
1705 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1706
1707         Re-introduce op_bitnot
1708         https://bugs.webkit.org/show_bug.cgi?id=190923
1709
1710         Reviewed by Yusuke Suzuki.
1711
1712         * stress/bit-not-must-generate.js: Added.
1713         * stress/bitwise-not-no-int32.js: Added.
1714
1715 2018-11-26  Saam barati  <sbarati@apple.com>
1716
1717         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1718         https://bugs.webkit.org/show_bug.cgi?id=191956
1719         <rdar://problem/45665806>
1720
1721         Reviewed by Yusuke Suzuki.
1722
1723         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1724         (bar):
1725         (foo):
1726
1727 2018-11-26  Saam barati  <sbarati@apple.com>
1728
1729         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1730         https://bugs.webkit.org/show_bug.cgi?id=191958
1731         <rdar://problem/46221877>
1732
1733         Reviewed by Yusuke Suzuki.
1734
1735         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1736         (x):
1737         (foo):
1738
1739 2018-11-26  Mark Lam  <mark.lam@apple.com>
1740
1741         NaNs read from Wasm code needs to be be purified.
1742         https://bugs.webkit.org/show_bug.cgi?id=191056
1743         <rdar://problem/45660341>
1744
1745         Reviewed by Filip Pizlo.
1746
1747         * wasm/regress/regress-191056.js: Added.
1748
1749 2018-11-26  Michael Saboff  <msaboff@apple.com>
1750
1751         32-bit JSC test failure: stress/regexp-compile-oom.js
1752         https://bugs.webkit.org/show_bug.cgi?id=191375
1753
1754         Reviewed by Mark Lam.
1755
1756         Disabled the test for 32 bit platforms.
1757
1758         * stress/regexp-compile-oom.js:
1759
1760 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1761
1762         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1763         https://bugs.webkit.org/show_bug.cgi?id=191716
1764         <rdar://problem/45723878>
1765
1766         Reviewed by Saam Barati.
1767
1768         * stress/regress-187373.js: Added.
1769         (async.fn):
1770
1771 2018-11-21  Saam barati  <sbarati@apple.com>
1772
1773         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1774         https://bugs.webkit.org/show_bug.cgi?id=191897
1775         <rdar://problem/45871998>
1776
1777         Reviewed by Mark Lam.
1778
1779         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1780         (bar):
1781         (foo):
1782
1783 2018-11-21  Saam barati  <sbarati@apple.com>
1784
1785         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1786         https://bugs.webkit.org/show_bug.cgi?id=191895
1787         <rdar://problem/46167406>
1788
1789         Reviewed by Mark Lam.
1790
1791         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1792         (foo):
1793         (bar):
1794
1795 2018-11-21  Mark Lam  <mark.lam@apple.com>
1796
1797         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1798         https://bugs.webkit.org/show_bug.cgi?id=191776
1799         <rdar://problem/46152851>
1800
1801         Reviewed by Saam Barati.
1802
1803         * stress/big-wasm-memory-grow-no-max.js:
1804         * stress/big-wasm-memory-grow.js:
1805         * stress/big-wasm-memory.js:
1806         - updated these to expect an OutOfMemoryError.
1807
1808         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1809         (Binary.prototype.emit_u8):
1810         (Binary.prototype.emit_u32v):
1811         (Binary.prototype.emit_header):
1812         (Binary.prototype.emit_section):
1813         (Binary):
1814         (WasmModuleBuilder):
1815         (WasmModuleBuilder.prototype.addMemory):
1816         (WasmModuleBuilder.prototype.toArray):
1817         (WasmModuleBuilder.prototype.toBuffer):
1818         (WasmModuleBuilder.prototype.instantiate):
1819         (catch):
1820         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1821         (catch):
1822
1823 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1824
1825         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1826         https://bugs.webkit.org/show_bug.cgi?id=190836
1827
1828         Reviewed by Saam Barati and Yusuke Suzuki.
1829
1830         * stress/big-int-out-of-memory-tests.js: Added.
1831
1832 2018-11-20  Mark Lam  <mark.lam@apple.com>
1833
1834         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1835         https://bugs.webkit.org/show_bug.cgi?id=191856
1836         <rdar://problem/46089992>
1837
1838         Reviewed by Yusuke Suzuki.
1839
1840         * stress/regress-191856.js: Added.
1841         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1842
1843 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1844
1845         Enable JIT on ARM/Linux
1846         https://bugs.webkit.org/show_bug.cgi?id=191548
1847
1848         Reviewed by Yusuke Suzuki.
1849
1850         Disable test on system with limited memory. Program was killed by
1851         the OS before the exception was thrown.
1852
1853         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1854
1855 2018-11-20  Saam barati  <sbarati@apple.com>
1856
1857         Merging an IC variant may lead to the IC status containing overlapping structure sets
1858         https://bugs.webkit.org/show_bug.cgi?id=191869
1859         <rdar://problem/45403453>
1860
1861         Reviewed by Mark Lam.
1862
1863         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1864
1865 2018-11-19  Mark Lam  <mark.lam@apple.com>
1866
1867         globalFuncImportModule() should return a promise when it clears exceptions.
1868         https://bugs.webkit.org/show_bug.cgi?id=191792
1869         <rdar://problem/46090763>
1870
1871         Reviewed by Michael Saboff.
1872
1873         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1874
1875 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1876
1877         Skip new memory-hungry tests on memory limited devices
1878
1879         Unreviewed gardening.
1880
1881         * stress/big-wasm-memory-grow-no-max.js:
1882         * stress/big-wasm-memory-grow.js:
1883         * stress/big-wasm-memory.js:
1884
1885 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1886
1887         Unreviewed, rolling in the rest of r237254
1888         https://bugs.webkit.org/show_bug.cgi?id=190340
1889
1890         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1891         * stress/function-cache-with-parameters-end-position.js: Added.
1892         (shouldBe):
1893         (shouldThrow):
1894         (i.anonymous):
1895         * stress/function-constructor-name.js: Added.
1896         (shouldBe):
1897         (GeneratorFunction):
1898         (AsyncFunction.async):
1899         (AsyncGeneratorFunction.async):
1900         (anonymous):
1901         (async.anonymous):
1902         * test262/expectations.yaml:
1903
1904 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1905
1906         All users of ArrayBuffer should agree on the same max size
1907         https://bugs.webkit.org/show_bug.cgi?id=191771
1908
1909         Reviewed by Mark Lam.
1910
1911         * stress/big-wasm-memory-grow-no-max.js: Added.
1912         (foo):
1913         (catch):
1914         * stress/big-wasm-memory-grow.js: Added.
1915         (foo):
1916         (catch):
1917         * stress/big-wasm-memory.js: Added.
1918         (foo):
1919         (catch):
1920
1921 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1922
1923         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1924         run for each JSC config since they're regression tests for runtime bugs.
1925
1926         * stress/json-stringified-overflow-2.js:
1927         * stress/json-stringified-overflow.js:
1928
1929 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1930
1931         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1932         config since they're regression tests for runtime bugs.
1933
1934         * stress/large-unshift-splice.js:
1935         * stress/regress-185888.js:
1936
1937 2018-11-16  Saam Barati  <sbarati@apple.com>
1938
1939         KnownCellUse should also have SpecCellCheck as its type filter
1940         https://bugs.webkit.org/show_bug.cgi?id=191729
1941         <rdar://problem/45872852>
1942
1943         Reviewed by Filip Pizlo.
1944
1945         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1946         (C):
1947
1948 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1949
1950         Fix assertion failure on BytecodeGenerator::recordOpcode
1951         https://bugs.webkit.org/show_bug.cgi?id=191724
1952         <rdar://problem/45724395>
1953
1954         Reviewed by Saam Barati.
1955
1956         * stress/regress-187373-2.js: Added.
1957         (foo):
1958
1959 2018-11-15  Mark Lam  <mark.lam@apple.com>
1960
1961         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1962         https://bugs.webkit.org/show_bug.cgi?id=191730
1963         <rdar://problem/46048517>
1964
1965         Reviewed by Saam Barati.
1966
1967         * stress/regress-187006.js: Removed.
1968           - this test is invalid because its sole purpose is to test for the non-spec
1969             compliant behavior that we just fixed.
1970
1971         * stress/regress-191730.js: Added.
1972
1973 2018-11-15  Mark Lam  <mark.lam@apple.com>
1974
1975         RegExp operations should not take fast patch if lastIndex is not numeric.
1976         https://bugs.webkit.org/show_bug.cgi?id=191731
1977         <rdar://problem/46017305>
1978
1979         Reviewed by Saam Barati.
1980
1981         * stress/regress-191731.js: Added.
1982
1983 2018-11-13  Saam Barati  <sbarati@apple.com>
1984
1985         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1986         https://bugs.webkit.org/show_bug.cgi?id=191600
1987
1988         Reviewed by Mark Lam.
1989
1990         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1991         (foo):
1992         (test):
1993         (bar):
1994
1995 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1996
1997         Unreviewed, rolling out r238132.
1998
1999         The test added with this change is timing out on Debug JSC
2000         bots.
2001
2002         Reverted changeset:
2003
2004         "[BigInt] JSBigInt::createWithLength should throw when length
2005         is greater than JSBigInt::maxLength"
2006         https://bugs.webkit.org/show_bug.cgi?id=190836
2007         https://trac.webkit.org/changeset/238132
2008
2009 2018-11-13  Mark Lam  <mark.lam@apple.com>
2010
2011         Add OOM detection to StringPrototype's substituteBackreferences().
2012         https://bugs.webkit.org/show_bug.cgi?id=191563
2013         <rdar://problem/45720428>
2014
2015         Reviewed by Saam Barati.
2016
2017         * stress/regress-191563.js: Added.
2018
2019 2018-11-13  Mark Lam  <mark.lam@apple.com>
2020
2021         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2022         https://bugs.webkit.org/show_bug.cgi?id=191579
2023         <rdar://problem/45942472>
2024
2025         Reviewed by Saam Barati.
2026
2027         * stress/regress-191579.js: Added.
2028
2029 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2030
2031         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2032         https://bugs.webkit.org/show_bug.cgi?id=190836
2033
2034         Reviewed by Saam Barati.
2035
2036         * stress/big-int-out-of-memory-tests.js: Added.
2037
2038 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2039
2040         U+180E is no longer a whitespace character
2041         https://bugs.webkit.org/show_bug.cgi?id=191415
2042
2043         Reviewed by Saam Barati.
2044
2045         * ChakraCore/test/es5/regexSpace.baseline:
2046         * ChakraCore/test/es6/unicode_whitespace.js:
2047         Update tests to latest version.
2048         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2049
2050         * test262.yaml:
2051         * test262/config.yaml:
2052         * test262/expectations.yaml:
2053         Update expectations.
2054
2055 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2056
2057         [BigInt] Add support to BigInt into ValueAdd
2058         https://bugs.webkit.org/show_bug.cgi?id=186177
2059
2060         Reviewed by Keith Miller.
2061
2062         * stress/big-int-negate-jit.js:
2063         * stress/value-add-big-int-and-string.js: Added.
2064         * stress/value-add-big-int-prediction-propagation.js: Added.
2065         * stress/value-add-big-int-untyped.js: Added.
2066
2067 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2068
2069         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2070         https://bugs.webkit.org/show_bug.cgi?id=191184
2071
2072         Reviewed by Saam Barati.
2073
2074         Most tests were failing due to timeouts, since they are too slow to
2075         run on CLoop. The exceptions are:
2076
2077         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2078         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2079         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2080         to change the stack size since CLoop requires it to be page aligned.
2081
2082         * microbenchmarks/array-push-1.js:
2083         * microbenchmarks/array-push-2.js:
2084         * microbenchmarks/elidable-new-object-dag.js:
2085         * microbenchmarks/elidable-new-object-roflcopter.js:
2086         * microbenchmarks/elidable-new-object-tree.js:
2087         * microbenchmarks/getter-richards.js:
2088         * microbenchmarks/sinkable-new-object-dag.js:
2089         * microbenchmarks/string-concat-long-convert.js:
2090         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2091         * slowMicrobenchmarks/array-push-3.js:
2092         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2093         * slowMicrobenchmarks/spread-small-array.js:
2094         * slowMicrobenchmarks/undefined-property-access.js:
2095         * stress/activation-sink-default-value-tdz-error.js:
2096         * stress/activation-sink-default-value.js:
2097         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2098         * stress/activation-sink-osrexit-default-value.js:
2099         * stress/activation-sink-osrexit.js:
2100         * stress/activation-sink.js:
2101         * stress/allow-math-ic-b3-code-duplication.js:
2102         * stress/array-push-multiple-int32.js:
2103         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2104         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2105         * stress/arrowfunction-lexical-this-activation-sink.js:
2106         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2107         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2108         * stress/elide-new-object-dag-then-exit.js:
2109         * stress/materialize-regexp-cyclic.js:
2110         * stress/new-regex-inline.js:
2111         * stress/op_add.js:
2112         * stress/op_bitand.js:
2113         * stress/op_bitor.js:
2114         * stress/op_bitxor.js:
2115         * stress/op_div-ConstVar.js:
2116         * stress/op_div-VarConst.js:
2117         * stress/op_div-VarVar.js:
2118         * stress/op_lshift-ConstVar.js:
2119         * stress/op_lshift-VarConst.js:
2120         * stress/op_lshift-VarVar.js:
2121         * stress/op_mod-ConstVar.js:
2122         * stress/op_mod-VarConst.js:
2123         * stress/op_mod-VarVar.js:
2124         * stress/op_mul-ConstVar.js:
2125         * stress/op_mul-VarConst.js:
2126         * stress/op_mul-VarVar.js:
2127         * stress/op_rshift-ConstVar.js:
2128         * stress/op_rshift-VarConst.js:
2129         * stress/op_rshift-VarVar.js:
2130         * stress/op_sub-ConstVar.js:
2131         * stress/op_sub-VarConst.js:
2132         * stress/op_sub-VarVar.js:
2133         * stress/op_urshift-ConstVar.js:
2134         * stress/op_urshift-VarConst.js:
2135         * stress/op_urshift-VarVar.js:
2136         * stress/proxy-get-set-correct-receiver.js:
2137         * stress/regress-179562.js:
2138         * stress/rest-parameter-many-arguments.js:
2139         * stress/sampling-profiler-richards.js:
2140         * stress/splay-flash-access-1ms.js:
2141         * stress/tailCallForwardArguments.js:
2142         * stress/typed-array-get-by-val-profiling.js:
2143         * typeProfiler/getter-richards.js:
2144
2145 2018-11-06  Michael Saboff  <msaboff@apple.com>
2146
2147         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2148         https://bugs.webkit.org/show_bug.cgi?id=191271
2149
2150         Reviewed by Saam Barati.
2151
2152         Added more test cases and made all test cases run with the same deeply recursive stack
2153         instead of finding that same point for each test case.
2154
2155         * stress/regexp-compile-oom.js:
2156         (prototype.runTest):
2157         (recurseAndTest):
2158         (testList.push.new.TestAndExpectedException):
2159
2160 2018-11-05  Michael Saboff  <msaboff@apple.com>
2161
2162         Unreviewed build fix for linux.
2163
2164         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2165
2166 2018-11-02  Michael Saboff  <msaboff@apple.com>
2167
2168         Rolling in r237753 with unreviewed build fix.
2169
2170         Fixed issues with DECLARE_THROW_SCOPE placement.
2171
2172 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2173
2174         Unreviewed, rolling out r237753.
2175
2176         Introduced JSC test failures
2177
2178         Reverted changeset:
2179
2180         "Running out of stack space not properly handled in
2181         RegExp::compile() and its callers"
2182         https://bugs.webkit.org/show_bug.cgi?id=191206
2183         https://trac.webkit.org/changeset/237753
2184
2185 2018-11-02  Michael Saboff  <msaboff@apple.com>
2186
2187         Running out of stack space not properly handled in RegExp::compile() and its callers
2188         https://bugs.webkit.org/show_bug.cgi?id=191206
2189
2190         Reviewed by Filip Pizlo.
2191
2192         New regression test.
2193
2194         * stress/regexp-compile-oom.js: Added.
2195         (recurseAndTest):
2196
2197 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2198
2199         Skip tests on arm/mips that time out now we're running on CLoop
2200
2201         Unreviewed gardening.
2202
2203         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2204         time out on the bots and need to be disabled. There's more tests
2205         disabled on arm because the timeout is longer on the mips bot (as the
2206         device is slower to start with), so many of the tests don't time out
2207         there.
2208
2209         * microbenchmarks/getter-richards.js: disable on arm and mips.
2210         * stress/op_add.js: disable on arm.
2211         * stress/op_bitand.js: disable on arm.
2212         * stress/op_bitor.js: disable on arm.
2213         * stress/op_bitxor.js: disable on arm.
2214         * stress/op_lshift-ConstVar.js: disable on arm.
2215         * stress/op_lshift-VarConst.js: disable on arm.
2216         * stress/op_lshift-VarVar.js: disable on arm.
2217         * stress/op_mod-ConstVar.js: disable on arm.
2218         * stress/op_mod-VarConst.js: disable on arm.
2219         * stress/op_mod-VarVar.js: disable on arm.
2220         * stress/op_mul-ConstVar.js: disable on arm.
2221         * stress/op_mul-VarConst.js: disable on arm.
2222         * stress/op_mul-VarVar.js: disable on arm.
2223         * stress/op_rshift-ConstVar.js: disable on arm.
2224         * stress/op_rshift-VarConst.js: disable on arm.
2225         * stress/op_rshift-VarVar.js: disable on arm.
2226         * stress/op_sub-ConstVar.js: disable on arm.
2227         * stress/op_sub-VarConst.js: disable on arm.
2228         * stress/op_sub-VarVar.js: disable on arm.
2229         * stress/op_urshift-ConstVar.js: disable on arm.
2230         * stress/op_urshift-VarConst.js: disable on arm.
2231         * stress/op_urshift-VarVar.js: disable on arm.
2232         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2233         * stress/value-to-boolean.js: disable on arm and mips.
2234
2235 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2236
2237         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2238         https://bugs.webkit.org/show_bug.cgi?id=191108
2239         <rdar://problem/45690700>
2240
2241         Reviewed by Saam Barati.
2242
2243         * stress/wide-op_catch.js: Added.
2244         (catch):
2245
2246 2018-10-29  Mark Lam  <mark.lam@apple.com>
2247
2248         Correctly detect string overflow when using the 'Function' constructor.
2249         https://bugs.webkit.org/show_bug.cgi?id=184883
2250         <rdar://problem/36320331>
2251
2252         Reviewed by Saam Barati.
2253
2254         I've verified that this passes on 32-bit as well.
2255
2256         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2257
2258 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2259
2260         Add support for GetStack FlushedDouble
2261         https://bugs.webkit.org/show_bug.cgi?id=191012
2262         <rdar://problem/45265141>
2263
2264         Reviewed by Saam Barati.
2265
2266         * stress/get-stack-double.js: Added.
2267         (bar):
2268         (noInline):
2269
2270 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2271
2272         New bytecode format for JSC
2273         https://bugs.webkit.org/show_bug.cgi?id=187373
2274         <rdar://problem/44186758>
2275
2276         Reviewed by Filip Pizlo.
2277
2278         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2279
2280         * stress/maximum-inline-capacity.js: Added.
2281         (test1):
2282         (test3.Foo):
2283         (test3):
2284
2285 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2286
2287         Unreviewed, rolling out r237479 and r237484.
2288         https://bugs.webkit.org/show_bug.cgi?id=190978
2289
2290         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2291
2292         Reverted changesets:
2293
2294         "New bytecode format for JSC"
2295         https://bugs.webkit.org/show_bug.cgi?id=187373
2296         https://trac.webkit.org/changeset/237479
2297
2298         "Gardening: Build fix after r237479."
2299         https://bugs.webkit.org/show_bug.cgi?id=187373
2300         https://trac.webkit.org/changeset/237484
2301
2302 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2303
2304         New bytecode format for JSC
2305         https://bugs.webkit.org/show_bug.cgi?id=187373
2306         <rdar://problem/44186758>
2307
2308         Reviewed by Filip Pizlo.
2309
2310         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2311
2312         * stress/maximum-inline-capacity.js: Added.
2313         (test1):
2314         (test3.Foo):
2315         (test3):
2316
2317 2018-10-26  Mark Lam  <mark.lam@apple.com>
2318
2319         Fix missing edge cases with JSGlobalObjects having a bad time.
2320         https://bugs.webkit.org/show_bug.cgi?id=189028
2321         <rdar://problem/45204939>
2322
2323         Reviewed by Saam Barati.
2324
2325         * stress/regress-189028.js: Added.
2326
2327 2018-10-22  Mark Lam  <mark.lam@apple.com>
2328
2329         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2330         https://bugs.webkit.org/show_bug.cgi?id=190515
2331         <rdar://problem/45222379>
2332
2333         Rubber-stamped by Saam Barati.
2334
2335         Adding another test.
2336
2337         * stress/regress-190515-2.js: Added.
2338
2339 2018-10-22  Mark Lam  <mark.lam@apple.com>
2340
2341         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2342         https://bugs.webkit.org/show_bug.cgi?id=190515
2343         <rdar://problem/45222379>
2344
2345         Reviewed by Saam Barati.
2346
2347         * stress/regress-190515.js: Added.
2348
2349 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2350
2351         Unreviewed, rolling out r237254.
2352         https://bugs.webkit.org/show_bug.cgi?id=190760
2353
2354         "It regresses JetStream 2 by 5% on some iOS devices"
2355         (Requested by saamyjoon on #webkit).
2356
2357         Reverted changeset:
2358
2359         "[JSC] JSC should have "parseFunction" to optimize Function
2360         constructor"
2361         https://bugs.webkit.org/show_bug.cgi?id=190340
2362         https://trac.webkit.org/changeset/237254
2363
2364 2018-10-19  Saam Barati  <sbarati@apple.com>
2365
2366         vmCall should check if we exit before emitting an OSR exit due to exceptions
2367         https://bugs.webkit.org/show_bug.cgi?id=190740
2368         <rdar://problem/45220139>
2369
2370         Reviewed by Mark Lam.
2371
2372         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2373         (foo):
2374
2375 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2376
2377         [ESNext][BigInt] Implement support for "^"
2378         https://bugs.webkit.org/show_bug.cgi?id=186235
2379
2380         Reviewed by Yusuke Suzuki.
2381
2382         * stress/big-int-bitwise-xor-general.js: Added.
2383         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2384         * stress/big-int-bitwise-xor-type-error.js: Added.
2385         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2386
2387 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2388
2389         [BigInt] Add ValueSub into DFG
2390         https://bugs.webkit.org/show_bug.cgi?id=186176
2391
2392         Reviewed by Yusuke Suzuki.
2393
2394         * stress/big-int-subtraction-jit.js:
2395         * stress/value-sub-big-int-prediction-propagation.js: Added.
2396         * stress/value-sub-big-int-untyped.js: Added.
2397         * stress/value-sub-spec-none-case.js: Added.
2398
2399 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2400
2401         [JSC] JSC should have "parseFunction" to optimize Function constructor
2402         https://bugs.webkit.org/show_bug.cgi?id=190340
2403
2404         Reviewed by Mark Lam.
2405
2406         This patch fixes the line number of syntax errors raised by the Function constructor,
2407         since we now parse the final code only once. And we no longer use block statement
2408         for Function constructor's parsing.
2409
2410         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2411         * stress/function-cache-with-parameters-end-position.js: Added.
2412         (shouldBe):
2413         (shouldThrow):
2414         (i.anonymous):
2415         * stress/function-constructor-name.js: Added.
2416         (shouldBe):
2417         (GeneratorFunction):
2418         (AsyncFunction.async):
2419         (AsyncGeneratorFunction.async):
2420         (anonymous):
2421         (async.anonymous):
2422         * test262/expectations.yaml:
2423
2424 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2425
2426         Unreviewed, rolling out r237242.
2427         https://bugs.webkit.org/show_bug.cgi?id=190701
2428
2429         it breaks "stress/sampling-profiler-basic.js" (Requested by
2430         caiolima on #webkit).
2431
2432         Reverted changeset:
2433
2434         "[BigInt] Add ValueSub into DFG"
2435         https://bugs.webkit.org/show_bug.cgi?id=186176
2436         https://trac.webkit.org/changeset/237242
2437
2438 2018-10-17  Keith Miller  <keith_miller@apple.com>
2439
2440         AI does not clear Phantom allocation nodes.
2441         https://bugs.webkit.org/show_bug.cgi?id=190694
2442
2443         Reviewed by Saam Barati.
2444
2445         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2446         (Day):
2447         (DaysInYear):
2448         (TimeInYear):
2449         (TimeFromYear):
2450         (DayFromYear):
2451         (InLeapYear):
2452         (YearFromTime):
2453         (WeekDay):
2454         (DaylightSavingTA):
2455         (GetSecondSundayInMarch):
2456         (TimeInMonth):
2457
2458 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2459
2460         [BigInt] Add ValueSub into DFG
2461         https://bugs.webkit.org/show_bug.cgi?id=186176
2462
2463         Reviewed by Yusuke Suzuki.
2464
2465         * stress/big-int-subtraction-jit.js:
2466         * stress/value-sub-big-int-prediction-propagation.js: Added.
2467         * stress/value-sub-big-int-untyped.js: Added.
2468
2469 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2470
2471         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2472         https://bugs.webkit.org/show_bug.cgi?id=190611
2473
2474         Reviewed by Saam Barati.
2475
2476         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2477         to improve test runtime. On ARM/MIPS this test even timed out when running all
2478         tests.
2479
2480         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2481         (test):
2482
2483 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2484
2485         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2486
2487         Unreviewed gardening.
2488
2489         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2490
2491 2018-10-15  Saam barati  <sbarati@apple.com>
2492
2493         Emit fjcvtzs on ARM64E on Darwin
2494         https://bugs.webkit.org/show_bug.cgi?id=184023
2495
2496         Reviewed by Yusuke Suzuki and Filip Pizlo.
2497
2498         * stress/double-to-int32-NaN.js: Added.
2499         (assert):
2500         (foo):
2501
2502 2018-10-15  Saam Barati  <sbarati@apple.com>
2503
2504         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2505         https://bugs.webkit.org/show_bug.cgi?id=190262
2506         <rdar://problem/44986241>
2507
2508         Reviewed by Mark Lam.
2509
2510         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2511         (test):
2512         * stress/slice-array-storage-with-holes.js: Added.
2513         (main):
2514
2515 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2516
2517         Unreviewed, rolling out r237054.
2518         https://bugs.webkit.org/show_bug.cgi?id=190593
2519
2520         "this regressed JetStream 2 by 6% on iOS" (Requested by
2521         saamyjoon on #webkit).
2522
2523         Reverted changeset:
2524
2525         "[JSC] JSC should have "parseFunction" to optimize Function
2526         constructor"
2527         https://bugs.webkit.org/show_bug.cgi?id=190340
2528         https://trac.webkit.org/changeset/237054
2529
2530 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2531
2532         [JSC] JSON.stringify can accept call-with-no-arguments
2533         https://bugs.webkit.org/show_bug.cgi?id=190343
2534
2535         Reviewed by Mark Lam.
2536
2537         * stress/json-stringify-no-arguments.js: Added.
2538         (shouldBe):
2539
2540 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2541
2542         [JSC] JSC should have "parseFunction" to optimize Function constructor
2543         https://bugs.webkit.org/show_bug.cgi?id=190340
2544
2545         Reviewed by Mark Lam.
2546
2547         This patch fixes the line number of syntax errors raised by the Function constructor,
2548         since we now parse the final code only once. And we no longer use block statement
2549         for Function constructor's parsing.
2550
2551         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2552         * stress/function-cache-with-parameters-end-position.js: Added.
2553         (shouldBe):
2554         (shouldThrow):
2555         (i.anonymous):
2556         * stress/function-constructor-name.js: Added.
2557         (shouldBe):
2558         (GeneratorFunction):
2559         (AsyncFunction.async):
2560         (AsyncGeneratorFunction.async):
2561         (anonymous):
2562         (async.anonymous):
2563         * test262/expectations.yaml:
2564
2565 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2566
2567         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2568         https://bugs.webkit.org/show_bug.cgi?id=190426
2569
2570         Unreviewed gardening.
2571
2572         * stress/sampling-profiler-richards.js:
2573
2574 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2575
2576         [ESNext][BigInt] Implement support for "|"
2577         https://bugs.webkit.org/show_bug.cgi?id=186229
2578
2579         Reviewed by Yusuke Suzuki.
2580
2581         * stress/big-int-bitwise-and-jit.js:
2582         * stress/big-int-bitwise-or-general.js: Added.
2583         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2584         * stress/big-int-bitwise-or-jit.js: Added.
2585         * stress/big-int-bitwise-or-memory-stress.js: Added.
2586         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2587         * stress/big-int-bitwise-or-type-error.js: Added.
2588         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2589
2590 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2591
2592         Skip test on systems with limited memory
2593         https://bugs.webkit.org/show_bug.cgi?id=190310
2594
2595         Invoking runDefault adds test to runlist, skipping the test in the next
2596         line does not prevent the test from executing. Change order of lines such
2597         that runDefault is only executed if test is not executed.
2598
2599         Reviewed by Mark Lam.
2600
2601         * stress/regress-190187.js:
2602
2603 2018-10-03  Saam barati  <sbarati@apple.com>
2604
2605         lowXYZ in FTLLower should always filter the type of the incoming edge
2606         https://bugs.webkit.org/show_bug.cgi?id=189939
2607         <rdar://problem/44407030>
2608
2609         Reviewed by Michael Saboff.
2610
2611         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2612         (foo):
2613         (test):
2614
2615 2018-10-03  Mark Lam  <mark.lam@apple.com>
2616
2617         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2618         https://bugs.webkit.org/show_bug.cgi?id=190187
2619         <rdar://problem/42512909>
2620
2621         Reviewed by Michael Saboff.
2622
2623         * stress/regress-190187.js: Added.
2624
2625 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2626
2627         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2628         https://bugs.webkit.org/show_bug.cgi?id=190033
2629
2630         Reviewed by Yusuke Suzuki.
2631
2632         * stress/big-int-to-string.js:
2633
2634 2018-10-01  Mark Lam  <mark.lam@apple.com>
2635
2636         Function.toString() should also copy the source code Functions that are class definitions.
2637         https://bugs.webkit.org/show_bug.cgi?id=190186
2638         <rdar://problem/44733360>
2639
2640         Reviewed by Saam Barati.
2641
2642         * stress/regress-190186.js: Added.
2643
2644 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2645
2646         Split NaN-check into separate test
2647         https://bugs.webkit.org/show_bug.cgi?id=190010
2648
2649         Reviewed by Saam Barati.
2650
2651         DataView exposes NaN-representation, which is not necessarily the same on each
2652         architecture. Therefore move the check of the NaN-representation into its own
2653         file such that we can disable this test on MIPS where NaN-representation can be
2654         different on older CPUs.
2655
2656         * stress/dataview-jit-set-nan.js: Added.
2657         (assert):
2658         (test.storeLittleEndian):
2659         (test.storeBigEndian):
2660         (test.store):
2661         (test):
2662         * stress/dataview-jit-set.js:
2663         (test5):
2664
2665 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2666
2667         Unreviewed, rolling out r236647.
2668         https://bugs.webkit.org/show_bug.cgi?id=190124
2669
2670         Breaking test stress/big-int-to-string.js (Requested by
2671         caiolima_ on #webkit).
2672
2673         Reverted changeset:
2674
2675         "[BigInt] BigInt.proptotype.toString is broken when radix is
2676         power of 2"
2677         https://bugs.webkit.org/show_bug.cgi?id=190033
2678         https://trac.webkit.org/changeset/236647
2679
2680 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2681
2682         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2683         https://bugs.webkit.org/show_bug.cgi?id=190033
2684
2685         Reviewed by Yusuke Suzuki.
2686
2687         * stress/big-int-to-string.js:
2688
2689 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2690
2691         [ESNext][BigInt] Implement support for "&"
2692         https://bugs.webkit.org/show_bug.cgi?id=186228
2693
2694         Reviewed by Yusuke Suzuki.
2695
2696         * stress/big-int-bitwise-and-general.js: Added.
2697         (assert):
2698         (assert.sameValue):
2699         * stress/big-int-bitwise-and-jit.js: Added.
2700         (let.assert.sameValue):
2701         (bigIntBitAnd):
2702         * stress/big-int-bitwise-and-memory-stress.js: Added.
2703         (assert):
2704         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2705         (assert.sameValue):
2706         (let.o.Symbol.toPrimitive):
2707         (catch):
2708         * stress/big-int-bitwise-and-type-error.js: Added.
2709         (assert):
2710         (assertThrowTypeError):
2711         (let.o.valueOf):
2712         (o.valueOf):
2713         (o.toString):
2714         (o.Symbol.toPrimitive):
2715         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2716         (assert.sameValue):
2717         (testBitAnd):
2718         (let.o.Symbol.toPrimitive):
2719         (o.valueOf):
2720         (o.toString):
2721
2722 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2723
2724         JSC test stress/jsc-read.js doesn't support CRLF
2725         https://bugs.webkit.org/show_bug.cgi?id=190063
2726
2727         Reviewed by Yusuke Suzuki.
2728
2729         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2730
2731         * stress/jsc-read.js:
2732         (test):
2733
2734 2018-09-27  Saam barati  <sbarati@apple.com>
2735
2736         Verify the contents of AssemblerBuffer on arm64e
2737         https://bugs.webkit.org/show_bug.cgi?id=190057
2738         <rdar://problem/38916630>
2739
2740         Reviewed by Mark Lam.
2741
2742         * stress/regress-189132.js:
2743
2744 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2745
2746         Disable test without LLInt on ARMv7
2747         https://bugs.webkit.org/show_bug.cgi?id=190037
2748
2749         Reviewed by Mark Lam.
2750
2751         Test runs out of executable memory on ARMv7, do not run
2752         this test without LLInt enabled.
2753
2754         * stress/regress-169445.js:
2755
2756 2018-09-26  Keith Miller  <keith_miller@apple.com>
2757
2758         We should zero unused property storage when rebalancing array storage.
2759         https://bugs.webkit.org/show_bug.cgi?id=188151
2760
2761         Reviewed by Michael Saboff.
2762
2763         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2764
2765 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2766
2767         [JSC] Optimize Array#lastIndexOf
2768         https://bugs.webkit.org/show_bug.cgi?id=189780
2769
2770         Reviewed by Saam Barati.
2771
2772         * stress/array-lastindexof-array-prototype-trap.js: Added.
2773         (shouldBe):
2774         (AncestorArray.prototype.get 2):
2775         (AncestorArray):
2776         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2777         (shouldBe):
2778         * stress/array-lastindexof-hole-nan.js: Added.
2779         (shouldBe):
2780         (throw.new.Error):
2781         * stress/array-lastindexof-infinity.js: Added.
2782         (shouldBe):
2783         (throw.new.Error):
2784         * stress/array-lastindexof-negative-zero.js: Added.
2785         (shouldBe):
2786         (throw.new.Error):
2787         * stress/array-lastindexof-own-getter.js: Added.
2788         (shouldBe):
2789         (throw.new.Error.get array):
2790         (get array):
2791         * stress/array-lastindexof-prototype-trap.js: Added.
2792         (shouldBe):
2793         (DerivedArray.prototype.get 2):
2794         (DerivedArray):
2795
2796 2018-09-25  Saam Barati  <sbarati@apple.com>
2797
2798         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2799         https://bugs.webkit.org/show_bug.cgi?id=189940
2800         <rdar://problem/43640987>
2801
2802         Reviewed by Mark Lam.
2803
2804         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2805
2806 2018-09-24  Saam Barati  <sbarati@apple.com>
2807
2808         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2809         https://bugs.webkit.org/show_bug.cgi?id=189922
2810         <rdar://problem/44651275>
2811
2812         Reviewed by Mark Lam.
2813
2814         * stress/array-indexof-fast-path-effects.js: Added.
2815         * stress/array-indexof-cached-length.js: Added.
2816
2817 2018-09-24  Saam barati  <sbarati@apple.com>
2818
2819         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2820         https://bugs.webkit.org/show_bug.cgi?id=189682
2821         <rdar://problem/43557315>
2822
2823         Reviewed by Mark Lam.
2824
2825         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2826         (foo):
2827
2828 2018-09-22  Saam barati  <sbarati@apple.com>
2829
2830         The sampling should not use Strong<CodeBlock> in its machineLocation field
2831         https://bugs.webkit.org/show_bug.cgi?id=189319
2832
2833         Reviewed by Filip Pizlo.
2834
2835         * stress/sampling-profiler-richards.js: Added.
2836
2837 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2838
2839         [JSC] Optimize Array#indexOf in C++ runtime
2840         https://bugs.webkit.org/show_bug.cgi?id=189507
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/array-indexof-array-prototype-trap.js: Added.
2845         (shouldBe):
2846         (AncestorArray.prototype.get 2):
2847         (AncestorArray):
2848         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2849         (shouldBe):
2850         * stress/array-indexof-hole-nan.js: Added.
2851         (shouldBe):
2852         (throw.new.Error):
2853         * stress/array-indexof-infinity.js: Added.
2854         (shouldBe):
2855         (throw.new.Error):
2856         * stress/array-indexof-negative-zero.js: Added.
2857         (shouldBe):
2858         (throw.new.Error):
2859         * stress/array-indexof-own-getter.js: Added.
2860         (shouldBe):
2861         (throw.new.Error.get array):
2862         (get array):
2863         * stress/array-indexof-prototype-trap.js: Added.
2864         (shouldBe):
2865         (DerivedArray.prototype.get 2):
2866         (DerivedArray):
2867
2868 2018-09-19  Saam barati  <sbarati@apple.com>
2869
2870         AI rule for MultiPutByOffset executes its effects in the wrong order
2871         https://bugs.webkit.org/show_bug.cgi?id=189757
2872         <rdar://problem/43535257>
2873
2874         Reviewed by Michael Saboff.
2875
2876         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2877         (foo):
2878         (Foo):
2879         (g):
2880
2881 2018-09-17  Mark Lam  <mark.lam@apple.com>
2882
2883         Ensure that ForInContexts are invalidated if their loop local is over-written.
2884         https://bugs.webkit.org/show_bug.cgi?id=189571
2885         <rdar://problem/44402277>
2886
2887         Reviewed by Saam Barati.
2888
2889         * stress/regress-189571.js: Added.
2890
2891 2018-09-17  Saam barati  <sbarati@apple.com>
2892
2893         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2894         https://bugs.webkit.org/show_bug.cgi?id=189676
2895         <rdar://problem/39682897>
2896
2897         Reviewed by Michael Saboff.
2898
2899         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2900         (A):
2901         (K):
2902         (i.catch):
2903
2904 2018-09-14  Saam barati  <sbarati@apple.com>
2905
2906         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2907         https://bugs.webkit.org/show_bug.cgi?id=189628
2908         <rdar://problem/39481690>
2909
2910         Reviewed by Mark Lam.
2911
2912         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2913         (foo):
2914
2915 2018-09-11  Mark Lam  <mark.lam@apple.com>
2916
2917         Test for array initialization in arrayProtoFuncSplice.
2918         https://bugs.webkit.org/show_bug.cgi?id=170253
2919         <rdar://problem/31328773>
2920
2921         Rubber-stamped by Saam Barati.
2922
2923         * stress/regress-170253.js: Added.
2924
2925 2018-09-11  Mark Lam  <mark.lam@apple.com>
2926
2927         Test for IntlObject initialization.
2928         https://bugs.webkit.org/show_bug.cgi?id=170251
2929         <rdar://problem/31328419>
2930
2931         Rubber-stamped by Saam Barati.
2932
2933         * stress/regress-170251.js: Added.
2934
2935 2018-09-11  Mark Lam  <mark.lam@apple.com>
2936
2937         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2938         https://bugs.webkit.org/show_bug.cgi?id=169889
2939         <rdar://problem/31155607>
2940
2941         Reviewed by Saam Barati.
2942
2943         * stress/regress-169889-array-concat.js: Added.
2944         * stress/regress-169889-array-concat1.js: Added.
2945         * stress/regress-169889-array-slice.js: Added.
2946
2947 2018-09-11  Mark Lam  <mark.lam@apple.com>
2948
2949         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2950         https://bugs.webkit.org/show_bug.cgi?id=169445
2951         <rdar://problem/30957435>
2952
2953         Reviewed by Saam Barati.
2954
2955         * stress/regress-169445.js: Added.
2956         (let.gun.eval.A):
2957         (let.gun.eval.B.C):
2958         (let.gun.eval.B.C.prototype.trigger):
2959         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2960         (let.gun.eval.B):
2961         (let.gun.eval):
2962
2963 == Rolled over to ChangeLog-2018-09-11 ==