SIGSEGV in JSC::BytecodeGenerator::addStringConstant
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
4         https://bugs.webkit.org/show_bug.cgi?id=196486
5
6         Reviewed by Saam Barati.
7
8         * stress/arrow-function-and-use-strict-directive.js: Added.
9         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
10         (checkSyntax):
11         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
12
13 2019-04-05  Caitlin Potter  <caitp@igalia.com>
14
15         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
16         https://bugs.webkit.org/show_bug.cgi?id=176810
17
18         Reviewed by Saam Barati.
19
20         Add tests for the DontEnum filtering, and variations of other tests
21         take the DontEnum-filtering path.
22
23         * stress/proxy-own-keys.js:
24         (i.catch):
25         (set assert):
26         (set add):
27         (let.set new):
28         (get let):
29
30 2019-04-05  Caitlin Potter  <caitp@igalia.com>
31
32         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
33         https://bugs.webkit.org/show_bug.cgi?id=185211
34
35         Reviewed by Saam Barati.
36
37         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
38
39         This changes several assertions to expect a TypeError to be thrown (in some cases,
40         changing the expected message).
41
42         * es6/Proxy_ownKeys_duplicates.js:
43         (handler):
44         (shouldThrow):
45         (test):
46         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
47         (shouldThrow):
48         * stress/proxy-own-keys.js:
49         (i.catch):
50         (assert):
51
52 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
53
54         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
55         https://bugs.webkit.org/show_bug.cgi?id=196631
56
57         Reviewed by Saam Barati.
58
59         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
60         (assert):
61         (test):
62         (foo):
63
64 2019-04-04  Saam Barati  <sbarati@apple.com>
65
66         Unreviewed. Make the test from r243906 catch the thrown exceptions.
67
68         * stress/inferred-types-regex-matches-array.js:
69
70 2019-04-04  Saam Barati  <sbarati@apple.com>
71
72         createRegExpMatchesArray does not respect inferred types
73         https://bugs.webkit.org/show_bug.cgi?id=193287
74
75         Reviewed by Yusuke Suzuki.
76
77         This checks in the test case for 193287. This issue was discovered by
78         Samuel Groß of Google Project Zero.
79
80         * stress/inferred-types-regex-matches-array.js: Added.
81
82 2019-04-04  Saam barati  <sbarati@apple.com>
83
84         Teach Call ICs how to call Wasm
85         https://bugs.webkit.org/show_bug.cgi?id=196387
86
87         Reviewed by Filip Pizlo.
88
89         * wasm/function-tests/stack-trace.js:
90
91 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
92
93         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
94         https://bugs.webkit.org/show_bug.cgi?id=194944
95
96         Reviewed by Keith Miller.
97
98         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
99
100 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
101
102         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
103         https://bugs.webkit.org/show_bug.cgi?id=196409
104
105         Reviewed by Saam Barati.
106
107         * stress/bytecode-cache-cached-string-impl.js: Added.
108         (f):
109         (g):
110         * stress/bytecode-cache-run-string.js: Added.
111
112 2019-04-03  Robin Morisset  <rmorisset@apple.com>
113
114         B3 should use associativity to optimize expression trees
115         https://bugs.webkit.org/show_bug.cgi?id=194081
116
117         Reviewed by Filip Pizlo.
118
119         Added three microbenchmarks:
120         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
121         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
122           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
123         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
124
125         * microbenchmarks/add-tree.js: Added.
126         * microbenchmarks/bit-or-tree.js: Added.
127         * microbenchmarks/bit-xor-tree.js: Added.
128
129 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
130
131         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
132         https://bugs.webkit.org/show_bug.cgi?id=196574
133
134         Reviewed by Saam Barati.
135
136         * stress/string-index-of-exception-check.js: Added.
137         (blurType):
138         (1.forEach):
139
140 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
141
142         Assertion failed in JSC::createError
143         https://bugs.webkit.org/show_bug.cgi?id=196305
144         <rdar://problem/49387382>
145
146         Reviewed by Saam Barati.
147
148         * stress/create-error-out-of-memory-rope-string-2.js: Added.
149         (assert):
150         (catch):
151
152 2019-03-28  Saam Barati  <sbarati@apple.com>
153
154         BackwardsGraph needs to consider back edges as the backward's root successor
155         https://bugs.webkit.org/show_bug.cgi?id=195991
156
157         Reviewed by Filip Pizlo.
158
159         * stress/map-b3-licm-infinite-loop.js: Added.
160
161 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
162
163         CodeBlock::jettison() should disallow repatching its own calls
164         https://bugs.webkit.org/show_bug.cgi?id=196359
165         <rdar://problem/48973663>
166
167         Reviewed by Saam Barati.
168
169         * stress/call-link-info-osrexit-repatch.js: Added.
170         (foo):
171
172 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
173
174         [JSC] imports-oom.js intermittently fails
175         https://bugs.webkit.org/show_bug.cgi?id=196373
176
177         Reviewed by Saam Barati.
178
179         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
180         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
181         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
182         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
183         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
184
185         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
186         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
187
188         * wasm/lowExecutableMemory/imports-oom.js:
189
190 2019-03-27  Saam Barati  <sbarati@apple.com>
191
192         validateOSREntryValue with Int52 should box the value being checked into double format
193         https://bugs.webkit.org/show_bug.cgi?id=196313
194         <rdar://problem/49306703>
195
196         Reviewed by Yusuke Suzuki.
197
198         * stress/validate-int-52-ai-state.js: Added.
199
200 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
201
202         [JSC] Owner of watchpoints should validate at GC finalizing phase
203         https://bugs.webkit.org/show_bug.cgi?id=195827
204
205         Reviewed by Filip Pizlo.
206
207         * stress/gc-should-reap-dead-watchpoints.js: Added.
208         (foo):
209         (A.prototype.y):
210         (A):
211
212 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
213
214         Skip WebAssembly test on 32-bit systems
215         https://bugs.webkit.org/show_bug.cgi?id=196206
216
217         Reviewed by Saam Barati.
218
219         Invoking runDefault executes test immediately even though
220         that test should be skipped due to missing WASM support.
221         Therefore remove runDefault.
222
223         * wasm/regress/web-assembly-link-error-exception-check.js:
224
225 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
226
227         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
228         https://bugs.webkit.org/show_bug.cgi?id=196217
229
230         Reviewed by Saam Barati.
231
232         Re-enable all NaN tests for f32.min, f64.min and f64.max.
233
234         * wasm/spec-tests/f32.wast.js:
235         * wasm/spec-tests/f64.wast.js:
236         * wasm/wasm.json:
237
238 2019-03-25  Keith Miller  <keith_miller@apple.com>
239
240         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
241         https://bugs.webkit.org/show_bug.cgi?id=196176
242
243         Reviewed by Saam Barati.
244
245         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
246         (main.v10):
247         (main):
248
249 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
250
251         WebAssembly: f32.max with NaN generates incorrect result
252         https://bugs.webkit.org/show_bug.cgi?id=175691
253         <rdar://problem/33952228>
254
255         Reviewed by Saam Barati.
256
257         Enable all f32.max NaN tests
258
259         * wasm/spec-tests/f32.wast.js:
260         * wasm/wasm.json:
261
262 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
263
264         [JSC] Move test into directory for WASM tests
265         https://bugs.webkit.org/show_bug.cgi?id=196187
266
267         Reviewed by Mark Lam.
268
269         Move Test into wasm-directory. Otherwise this test
270         is also executed on systems without WASM support.
271
272         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
273
274 2019-03-23  Mark Lam  <mark.lam@apple.com>
275
276         Rolling out r243032 and r243071 because the fix is incorrect.
277         https://bugs.webkit.org/show_bug.cgi?id=195892
278         <rdar://problem/48981239>
279
280         Not reviewed.
281
282         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
283
284 2019-03-22  Mark Lam  <mark.lam@apple.com>
285
286         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
287         https://bugs.webkit.org/show_bug.cgi?id=196154
288         <rdar://problem/49145307>
289
290         Reviewed by Filip Pizlo.
291
292         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
293         There's no need to run this test on more than 1 test configuration.
294
295         * stress/typed-array-lastIndexOf-exception-check.js: Added.
296         * stress/web-assembly-link-error-exception-check.js:
297
298 2019-03-22  Mark Lam  <mark.lam@apple.com>
299
300         Placate exception check validation in constructJSWebAssemblyLinkError().
301         https://bugs.webkit.org/show_bug.cgi?id=196152
302         <rdar://problem/49145257>
303
304         Reviewed by Michael Saboff.
305
306         * stress/web-assembly-link-error-exception-check.js: Added.
307
308 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
309
310         Skip tests running out of memory on ARM/MIPS
311         https://bugs.webkit.org/show_bug.cgi?id=196131
312
313         Unreviewed. Skip test if memory is limited.
314
315         * microbenchmarks/put-by-val-direct-large-index.js:
316
317 2019-03-21  Mark Lam  <mark.lam@apple.com>
318
319         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
320         https://bugs.webkit.org/show_bug.cgi?id=196116
321         <rdar://problem/48976951>
322
323         Reviewed by Filip Pizlo.
324
325         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
326
327 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
328
329         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
330         https://bugs.webkit.org/show_bug.cgi?id=196078
331         <rdar://problem/35925380>
332
333         Reviewed by Mark Lam.
334
335         Add a new benchmark that allocates several objects and invokes put_by_val_direct
336         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
337
338         * microbenchmarks/put-by-val-direct-large-index.js: Added.
339
340 2019-03-21  Mark Lam  <mark.lam@apple.com>
341
342         Placate exception check validation in operationArrayIndexOfString().
343         https://bugs.webkit.org/show_bug.cgi?id=196067
344         <rdar://problem/49056572>
345
346         Reviewed by Michael Saboff.
347
348         * stress/string-equal-exception-check.js: Added.
349
350 2019-03-21  Mark Lam  <mark.lam@apple.com>
351
352         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
353         https://bugs.webkit.org/show_bug.cgi?id=196055
354         <rdar://problem/49067448>
355
356         Reviewed by Yusuke Suzuki.
357
358         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
359
360 2019-03-20  Saam Barati  <sbarati@apple.com>
361
362         typeOfDoubleSum is wrong for when NaN can be produced
363         https://bugs.webkit.org/show_bug.cgi?id=196030
364
365         Reviewed by Filip Pizlo.
366
367         * stress/double-add-sub-mul-can-produce-nan.js: Added.
368         (assert):
369         (noInline.sub):
370         (noInline):
371         (assert.mul):
372         (assert.add):
373
374 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
375
376         Update the test to ensure OutOfMemoryError is thrown as intended
377         https://bugs.webkit.org/show_bug.cgi?id=196032
378         <rdar://problem/46842740>
379
380         Rubber stamped by Saam Barati.
381
382         * stress/create-error-out-of-memory-rope-string.js:
383         (assert):
384         (catch):
385
386 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
387
388         JSC::createError needs to check for OOM in errorDescriptionForValue
389         https://bugs.webkit.org/show_bug.cgi?id=196032
390         <rdar://problem/46842740>
391
392         Reviewed by Mark Lam.
393
394         * stress/create-error-out-of-memory-rope-string.js: Added.
395
396 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
397
398         Unreviewed, reduce # of iterations to avoid timing out after r242991
399         https://bugs.webkit.org/show_bug.cgi?id=195791
400
401         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
402
403         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
404
405 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
406
407         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
408         https://bugs.webkit.org/show_bug.cgi?id=195950
409
410         Unreviewed, reducing the amount of memory used on this test to avoid
411         OOM on devices with memory restrictions.
412
413         * microbenchmarks/generate-multiple-llint-entrypoints.js:
414
415 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
416
417         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
418         https://bugs.webkit.org/show_bug.cgi?id=194648
419
420         Reviewed by Keith Miller.
421
422         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
423
424 2019-03-18  Mark Lam  <mark.lam@apple.com>
425
426         Missing a ThrowScope release in JSObject::toString().
427         https://bugs.webkit.org/show_bug.cgi?id=195893
428         <rdar://problem/48970986>
429
430         Reviewed by Michael Saboff.
431
432         * stress/to-string-exception-check-release.js: Added.
433
434 2019-03-18  Mark Lam  <mark.lam@apple.com>
435
436         Structure::flattenDictionary() should clear unused property slots.
437         https://bugs.webkit.org/show_bug.cgi?id=195871
438         <rdar://problem/48959497>
439
440         Reviewed by Michael Saboff.
441
442         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
443
444 2019-03-15  Mark Lam  <mark.lam@apple.com>
445
446         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
447         https://bugs.webkit.org/show_bug.cgi?id=195827
448         <rdar://problem/48845513>
449
450         Reviewed by Filip Pizlo.
451
452         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
453
454 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
455
456         [ARM,MIPS] Skip slow tests
457         https://bugs.webkit.org/show_bug.cgi?id=195799
458
459         Unreviewed, test does not finish on ARM and MIPS within the
460         timeout limit.
461
462         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
463
464 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
465
466         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
467         https://bugs.webkit.org/show_bug.cgi?id=195791
468         <rdar://problem/48806130>
469
470         Reviewed by Mark Lam.
471
472         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
473         (foo):
474
475 2019-03-14  Saam barati  <sbarati@apple.com>
476
477         We can't remove code after ForceOSRExit until after FixupPhase
478         https://bugs.webkit.org/show_bug.cgi?id=186916
479         <rdar://problem/41396612>
480
481         Reviewed by Yusuke Suzuki.
482
483         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
484         (foo):
485         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
486         (foo):
487
488 2019-03-13  Michael Saboff  <msaboff@apple.com>
489
490         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
491         https://bugs.webkit.org/show_bug.cgi?id=195735
492
493         Reviewed by Mark Lam.
494
495         New regression test.
496
497         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
498         (foo):
499         (bar):
500
501 2019-03-14  Saam barati  <sbarati@apple.com>
502
503         Fixup uses KnownInt32 incorrectly in some nodes
504         https://bugs.webkit.org/show_bug.cgi?id=195279
505         <rdar://problem/47915654>
506
507         Reviewed by Yusuke Suzuki.
508
509         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
510         (foo):
511
512 2019-03-14  Keith Miller  <keith_miller@apple.com>
513
514         DFG liveness can't skip tail caller inline frames
515         https://bugs.webkit.org/show_bug.cgi?id=195715
516
517         Reviewed by Saam Barati.
518
519         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
520         (i.foo):
521
522 2019-03-13  Mark Lam  <mark.lam@apple.com>
523
524         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
525         https://bugs.webkit.org/show_bug.cgi?id=195415
526
527         Not reviewed.
528
529         Changed these tests to only run the default configuration.
530         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
531         There's no strong need to run this test on that variant.
532
533         * stress/dfg-to-string-on-int-does-gc.js:
534         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
535
536 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
537
538         String overflow when using StringBuilder in JSC::createError
539         https://bugs.webkit.org/show_bug.cgi?id=194957
540
541         Reviewed by Mark Lam.
542
543         Add test string-overflow-createError-builder.js that overflows
544         StringBuilder in notAFunctionSourceAppender. The second new test
545         string-overflow-createError-fit.js has an error message that doesn't
546         overflow, it still failed since the String's capacity can't be doubled.
547         Run test string-overflow-createError.js only in the default
548         configuration to reduce memory consumption when running the test
549         in all configurations on multiple CPUs in parallel.
550
551         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
552         (catch):
553         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
554         (catch):
555         * stress/string-overflow-createError.js:
556
557 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
558
559         [JSC] OSR entry should respect abstract values in addition to flush formats
560         https://bugs.webkit.org/show_bug.cgi?id=195653
561
562         Reviewed by Mark Lam.
563
564         * stress/osr-entry-locals-none.js: Added.
565
566 2019-03-12  Michael Saboff  <msaboff@apple.com>
567
568         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
569         https://bugs.webkit.org/show_bug.cgi?id=195613
570
571         Reviewed by Mark Lam.
572
573         New regression test.
574
575         * stress/regexp-backref-inbounds.js: Added.
576         (testRegExp):
577
578 2019-03-12  Mark Lam  <mark.lam@apple.com>
579
580         The HasIndexedProperty node does GC.
581         https://bugs.webkit.org/show_bug.cgi?id=195559
582         <rdar://problem/48767923>
583
584         Reviewed by Yusuke Suzuki.
585
586         * stress/HasIndexedProperty-does-gc.js: Added.
587
588 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
589
590         [ESNext][BigInt] Implement "~" unary operation
591         https://bugs.webkit.org/show_bug.cgi?id=182216
592
593         Reviewed by Keith Miller.
594
595         * stress/big-int-bit-not-general.js: Added.
596         * stress/big-int-bitwise-not-jit.js: Added.
597         * stress/big-int-bitwise-not-wrapped-value.js: Added.
598         * stress/bit-op-with-object-returning-int32.js:
599         * stress/bitwise-not-fixup-rules.js: Added.
600         * stress/value-bit-not-ai-rule.js: Added.
601
602 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
603
604         Invalid flags in a RegExp literal should be an early SyntaxError
605         https://bugs.webkit.org/show_bug.cgi?id=195514
606
607         Reviewed by Darin Adler.
608
609         * test262/expectations.yaml:
610         Mark 4 test cases as passing.
611
612         * stress/regexp-syntax-error-invalid-flags.js:
613         * stress/regress-161995.js: Removed.
614         Update existing test, merging in an older test for the same behavior.
615
616 2019-03-08  Mark Lam  <mark.lam@apple.com>
617
618         Stack overflow crash in JSC::JSObject::hasInstance.
619         https://bugs.webkit.org/show_bug.cgi?id=195458
620         <rdar://problem/48710195>
621
622         Reviewed by Yusuke Suzuki.
623
624         * stress/stack-overflow-in-custom-hasInstance.js: Added.
625
626 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
627
628         op_check_tdz does not def its argument
629         https://bugs.webkit.org/show_bug.cgi?id=192880
630         <rdar://problem/46221598>
631
632         Reviewed by Saam Barati.
633
634         * microbenchmarks/let-for-in.js: Added.
635         (foo):
636
637 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
638
639         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
640         https://bugs.webkit.org/show_bug.cgi?id=195429
641
642         Reviewed by Saam Barati.
643
644         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
645         (foo):
646         * stress/string-from-char-code-255.js: Added.
647
648 2019-03-06  Mark Lam  <mark.lam@apple.com>
649
650         Fix incorrect handling of try-finally completion values.
651         https://bugs.webkit.org/show_bug.cgi?id=195131
652         <rdar://problem/46222079>
653
654         Reviewed by Saam Barati and Yusuke Suzuki.
655
656         Added many permutations of new test case to test-finally.js.  test-finally.js has
657         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
658         tests pass there as well.
659
660         * stress/test-finally.js:
661
662 2019-03-06  Saam Barati  <sbarati@apple.com>
663
664         Air::reportUsedRegisters must padInterference
665         https://bugs.webkit.org/show_bug.cgi?id=195303
666         <rdar://problem/48270343>
667
668         Reviewed by Keith Miller.
669
670         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
671
672 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
673
674         [JSC] AI should not propagate AbstractValue relying on constant folding phase
675         https://bugs.webkit.org/show_bug.cgi?id=195375
676
677         Reviewed by Saam Barati.
678
679         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
680         (let.array):
681
682 2019-03-05  Saam barati  <sbarati@apple.com>
683
684         op_switch_char broken for rope strings after JSRopeString layout rewrite
685         https://bugs.webkit.org/show_bug.cgi?id=195339
686         <rdar://problem/48592545>
687
688         Reviewed by Yusuke Suzuki.
689
690         * stress/switch-on-char-llint-rope.js: Added.
691
692 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
693
694         [JSC] Store bits for JSRopeString in 3 stores
695         https://bugs.webkit.org/show_bug.cgi?id=195234
696
697         Reviewed by Saam Barati.
698
699         * stress/null-rope-and-collectors.js: Added.
700
701 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
702
703         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
704         https://bugs.webkit.org/show_bug.cgi?id=195207
705
706         Unreviewed. After test runtime was reduced in r242213, test can be
707         run again on ARM/MIPS.
708
709         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
710
711 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
712
713         [JSC] sizeof(JSString) should be 16
714         https://bugs.webkit.org/show_bug.cgi?id=194375
715
716         Reviewed by Saam Barati.
717
718         * microbenchmarks/make-rope.js: Added.
719         (makeRope):
720         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
721         (returnRope.helper): Deleted.
722         (returnRope): Deleted.
723
724 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
725
726         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
727         https://bugs.webkit.org/show_bug.cgi?id=195144
728
729         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
730         Change the number from 1e8 to 1e5.
731
732         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
733         (foo):
734
735 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
736
737         Test times out on ARM/MIPS
738         https://bugs.webkit.org/show_bug.cgi?id=195168
739
740         Unreviewed. Skip test on ARM/MIPS.
741
742         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
743
744 2019-02-27  Mark Lam  <mark.lam@apple.com>
745
746         The parser is failing to record the token location of new in new.target.
747         https://bugs.webkit.org/show_bug.cgi?id=195127
748         <rdar://problem/39645578>
749
750         Reviewed by Yusuke Suzuki.
751
752         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
753
754 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
755
756         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
757         https://bugs.webkit.org/show_bug.cgi?id=195144
758         <rdar://problem/47595961>
759
760         Reviewed by Mark Lam.
761
762         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
763         (bar):
764         (foo):
765         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
766         (bar):
767         (foo):
768
769 2019-02-27  Robin Morisset  <rmorisset@apple.com>
770
771         DFG: Loop-invariant code motion (LICM) should not hoist dead code
772         https://bugs.webkit.org/show_bug.cgi?id=194945
773         <rdar://problem/48311657>
774
775         Reviewed by Mark Lam.
776
777         * stress/licm-dead-code.js: Added.
778
779 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
780
781         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
782         https://bugs.webkit.org/show_bug.cgi?id=194677
783         <rdar://problem/48112492>
784
785         Reviewed by Mark Lam.
786
787         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
788         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
789         it immediately fails due to the large size.
790
791         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
792         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
793         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
794         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
795
796         This patch changes the test to produce 16bit string from String.fromCharCode.
797
798         * stress/regress-178386.js:
799
800 2019-02-26  Mark Lam  <mark.lam@apple.com>
801
802         wasmToJS() should purify incoming NaNs.
803         https://bugs.webkit.org/show_bug.cgi?id=194807
804         <rdar://problem/48189132>
805
806         Reviewed by Saam Barati.
807
808         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
809
810 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
811
812         [JSC] Repeat string created from Array.prototype.join() take too much memory
813         https://bugs.webkit.org/show_bug.cgi?id=193912
814
815         Reviewed by Saam Barati.
816
817         Added a test and a microbenchmark for corner cases of
818         Array.prototype.join() with an uninitialized array.
819
820         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
821         * stress/array-prototype-join-uninitialized.js: Added.
822         (testArray):
823         (testABC):
824         (B):
825         (C):
826
827 2019-02-22  Robin Morisset  <rmorisset@apple.com>
828
829         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
830         https://bugs.webkit.org/show_bug.cgi?id=194953
831         <rdar://problem/47595253>
832
833         Reviewed by Saam Barati.
834
835         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
836
837         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
838
839 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
840
841         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
842         https://bugs.webkit.org/show_bug.cgi?id=172848
843         <rdar://problem/25709212>
844
845         Reviewed by Mark Lam.
846
847         * typeProfiler/inheritance.js:
848         Rewrite the test slightly for clarity. The hoisting was confusing.
849
850         * heapProfiler/class-names.js: Added.
851         (MyES5Class):
852         (MyES6Class):
853         (MyES6Subclass):
854         Test object types and improved class names.
855
856         * heapProfiler/driver/driver.js:
857         (CheapHeapSnapshotNode):
858         (CheapHeapSnapshot):
859         (createCheapHeapSnapshot):
860         (HeapSnapshot):
861         (createHeapSnapshot):
862         Update snapshot parsing from version 1 to version 2.
863
864 2019-02-19  Truitt Savell  <tsavell@apple.com>
865
866         Unreviewed, rolling out r241784.
867
868         Broke all OpenSource builds.
869
870         Reverted changeset:
871
872         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
873         instances view"
874         https://bugs.webkit.org/show_bug.cgi?id=172848
875         https://trac.webkit.org/changeset/241784
876
877 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
878
879         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
880         https://bugs.webkit.org/show_bug.cgi?id=172848
881         <rdar://problem/25709212>
882
883         Reviewed by Mark Lam.
884
885         * typeProfiler/inheritance.js:
886         Rewrite the test slightly for clarity. The hoisting was confusing.
887
888         * heapProfiler/class-names.js: Added.
889         (MyES5Class):
890         (MyES6Class):
891         (MyES6Subclass):
892         Test object types and improved class names.
893
894         * heapProfiler/driver/driver.js:
895         (CheapHeapSnapshotNode):
896         (CheapHeapSnapshot):
897         (createCheapHeapSnapshot):
898         (HeapSnapshot):
899         (createHeapSnapshot):
900         Update snapshot parsing from version 1 to version 2.
901
902 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
903
904         [ARM] Fix crash with sampling profiler
905         https://bugs.webkit.org/show_bug.cgi?id=194772
906
907         Reviewed by Mark Lam.
908
909         Do not skip test since crash with sampling profiler is now fixed.
910
911         * stress/sampling-profiler-richards.js:
912
913 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         [JSC] Add LazyClassStructure::getInitializedOnMainThread
916         https://bugs.webkit.org/show_bug.cgi?id=194784
917         <rdar://problem/48154820>
918
919         Reviewed by Mark Lam.
920
921         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
922         (getProperties):
923         (getRandomProperty):
924         (i.catch):
925
926 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
927
928         [ARM] Test gardening: Test running out of executable memory
929         https://bugs.webkit.org/show_bug.cgi?id=194771
930
931         Unreviewed. Do not run test without LLInt, test is running out of executable
932         memory on ARM otherwise.
933
934         * stress/tagged-template-object-collect.js:
935
936 2019-02-18  Tomas Popela  <tpopela@redhat.com>
937
938         Unreviewed, skip the test on platforms without sampling profiler
939
940         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
941         (platformSupportsSamplingProfiler.foo):
942         (platformSupportsSamplingProfiler.test):
943         (platformSupportsSamplingProfiler):
944         (foo): Deleted.
945         (test): Deleted.
946
947 2019-02-17  Saam Barati  <sbarati@apple.com>
948
949         Deadlock when adding a Structure property transition and then doing incremental marking
950         https://bugs.webkit.org/show_bug.cgi?id=194767
951
952         Reviewed by Mark Lam.
953
954         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
955
956 2019-02-15  Michael Saboff  <msaboff@apple.com>
957
958         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
959         https://bugs.webkit.org/show_bug.cgi?id=194558
960
961         Reviewed by Saam Barati.
962
963         New regression test.
964
965         * stress/regexp-unicode-within-string.js: Added.
966
967 2019-02-15  Mark Lam  <mark.lam@apple.com>
968
969         SamplingProfiler::stackTracesAsJSON() should escape strings.
970         https://bugs.webkit.org/show_bug.cgi?id=194649
971         <rdar://problem/48072386>
972
973         Reviewed by Saam Barati.
974
975         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
976         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
977         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
978         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
979
980 2019-02-15  Robin Morisset  <rmorisset@apple.com>
981         CodeBlock::jettison should clear related watchpoints
982         https://bugs.webkit.org/show_bug.cgi?id=194544
983
984         Reviewed by Mark Lam.
985
986         * stress/regexp-replace-double-watchpoint.js: Added.
987         (foo):
988
989 2019-02-15  Saam barati  <sbarati@apple.com>
990
991         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
992         https://bugs.webkit.org/show_bug.cgi?id=194036
993
994         Reviewed by Yusuke Suzuki.
995
996         * stress/tail-call-many-arguments.js: Added.
997         (foo):
998         (bar):
999
1000 2019-02-14  Saam Barati  <sbarati@apple.com>
1001
1002         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1003         https://bugs.webkit.org/show_bug.cgi?id=194583
1004         <rdar://problem/48028140>
1005
1006         Reviewed by Yusuke Suzuki.
1007
1008         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1009
1010 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1011
1012         [JSC] String.fromCharCode's slow path always generates 16bit string
1013         https://bugs.webkit.org/show_bug.cgi?id=194466
1014
1015         Reviewed by Keith Miller.
1016
1017         * stress/string-from-char-code-slow-path.js: Added.
1018         (shouldBe):
1019         (testWithLength):
1020
1021 2019-02-08  Saam barati  <sbarati@apple.com>
1022
1023         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1024         https://bugs.webkit.org/show_bug.cgi?id=194334
1025         <rdar://problem/47844327>
1026
1027         Reviewed by Mark Lam.
1028
1029         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1030         (func):
1031
1032 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1033
1034         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1035         https://bugs.webkit.org/show_bug.cgi?id=194369
1036         <rdar://problem/47813087>
1037
1038         Reviewed by Saam Barati.
1039
1040         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1041         (A):
1042
1043 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1044
1045         [JSC] PrivateName to PublicName hash table is wasteful
1046         https://bugs.webkit.org/show_bug.cgi?id=194277
1047
1048         Reviewed by Michael Saboff.
1049
1050         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1051
1052         * ChakraCore.yaml:
1053
1054 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1055
1056         [ARM] Test running out of executable memory
1057         https://bugs.webkit.org/show_bug.cgi?id=194285
1058
1059         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1060         executable memory otherwise.
1061
1062         * stress/class-subclassing-function.js:
1063
1064 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1065
1066         when lowering AssertNotEmpty, create the value before creating the patchpoint
1067         https://bugs.webkit.org/show_bug.cgi?id=194231
1068
1069         Reviewed by Saam Barati.
1070
1071         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1072         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1073         So even tiny changes to this test can change the path code taken.
1074
1075         * stress/assert-not-empty.js: Added.
1076         (foo):
1077
1078 2019-02-01  Mark Lam  <mark.lam@apple.com>
1079
1080         Remove invalid assertion in DFG's compileDoubleRep().
1081         https://bugs.webkit.org/show_bug.cgi?id=194130
1082         <rdar://problem/47699474>
1083
1084         Reviewed by Saam Barati.
1085
1086         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1087
1088 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1089
1090         Import latest Test262 updates.
1091
1092         Rubber-stamped by Keith Miller.
1093
1094         * test262.yaml: Deleted.
1095         * test262/config.yaml:
1096         * test262/expectations.yaml:
1097         * test262/latest-changes-summary.txt:
1098         * test262/test/:
1099         * test262/test262-Revision.txt:
1100
1101 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1102
1103         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1104         https://bugs.webkit.org/show_bug.cgi?id=194050
1105         <rdar://problem/47595592>
1106
1107         Reviewed by Yusuke Suzuki.
1108
1109         * stress/object-keys-osr-exit.js: Added.
1110         (foo):
1111         (catch):
1112
1113 2019-01-29  Mark Lam  <mark.lam@apple.com>
1114
1115         ValueRecovery::recover() should purify NaN values it recovers.
1116         https://bugs.webkit.org/show_bug.cgi?id=193978
1117         <rdar://problem/47625488>
1118
1119         Reviewed by Saam Barati.
1120
1121         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1122
1123 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1124
1125         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1126         https://bugs.webkit.org/show_bug.cgi?id=193713
1127
1128         * stress/try-get-by-id-should-spill-registers-dfg.js:
1129         (let.f.createBuiltin):
1130
1131 2019-01-28  Mark Lam  <mark.lam@apple.com>
1132
1133         ToString node actually does GC.
1134         https://bugs.webkit.org/show_bug.cgi?id=193920
1135         <rdar://problem/46695900>
1136
1137         Reviewed by Yusuke Suzuki.
1138
1139         * stress/dfg-to-string-on-int-does-gc.js: Added.
1140         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1141         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1142
1143 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1144
1145         [JSC] NativeErrorConstructor should not have own IsoSubspace
1146         https://bugs.webkit.org/show_bug.cgi?id=193713
1147
1148         Reviewed by Saam Barati.
1149
1150         Remove @Error use.
1151
1152         * stress/try-get-by-id-should-spill-registers-dfg.js:
1153         (let.f.createBuiltin):
1154
1155 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1156
1157         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1158         https://bugs.webkit.org/show_bug.cgi?id=190693
1159
1160         Reviewed by Michael Saboff.
1161
1162         * stress/regress-190693.js: Added.
1163         (truth):
1164         (assert):
1165         (shouldThrowInvalidConstAssignment):
1166         (taz):
1167
1168 2019-01-24  Saam Barati  <sbarati@apple.com>
1169
1170         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1171         https://bugs.webkit.org/show_bug.cgi?id=193751
1172         <rdar://problem/47280215>
1173
1174         Reviewed by Michael Saboff.
1175
1176         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1177         (let.thing):
1178         (foo.let.hello):
1179         (foo):
1180
1181 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1182
1183         [JSC] Reenable baseline JIT on mips
1184         https://bugs.webkit.org/show_bug.cgi?id=192983
1185
1186         Reviewed by Mark Lam.
1187
1188         Added a new test for a case that was triggering a RELEASE_ASSERT when
1189         testing.
1190         Disable some slow tests that were already disabled for arm and x86.
1191
1192         * stress/json-parse-big-object.js: Added.
1193         * stress/new-largeish-contiguous-array-with-size.js:
1194         * stress/op_add.js:
1195         * stress/op_bitand.js:
1196         * stress/op_bitor.js:
1197         * stress/op_bitxor.js:
1198         * stress/op_lshift-ConstVar.js:
1199         * stress/op_lshift-VarConst.js:
1200         * stress/op_lshift-VarVar.js:
1201         * stress/op_mod-ConstVar.js:
1202         * stress/op_mod-VarConst.js:
1203         * stress/op_mod-VarVar.js:
1204         * stress/op_mul-ConstVar.js:
1205         * stress/op_mul-VarConst.js:
1206         * stress/op_mul-VarVar.js:
1207         * stress/op_rshift-ConstVar.js:
1208         * stress/op_rshift-VarConst.js:
1209         * stress/op_rshift-VarVar.js:
1210         * stress/op_sub-ConstVar.js:
1211         * stress/op_sub-VarConst.js:
1212         * stress/op_sub-VarVar.js:
1213         * stress/op_urshift-ConstVar.js:
1214         * stress/op_urshift-VarConst.js:
1215         * stress/op_urshift-VarVar.js:
1216         * stress/sampling-profiler-richards.js:
1217         * stress/spread-forward-call-varargs-stack-overflow.js:
1218
1219 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1220
1221         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1222         https://bugs.webkit.org/show_bug.cgi?id=193711
1223         <rdar://problem/47250262>
1224
1225         Reviewed by Saam Barati.
1226
1227         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1228         (shouldBe):
1229         (foo):
1230         (bar):
1231         (baz):
1232
1233 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1234
1235         Unreviewed, fix initial global lexical binding epoch
1236         https://bugs.webkit.org/show_bug.cgi?id=193603
1237         <rdar://problem/47380869>
1238
1239         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1240         (f1.f2.f3.f4):
1241         (f1.f2.f3):
1242         (f1.f2):
1243         (f1):
1244
1245 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1246
1247         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1248         https://bugs.webkit.org/show_bug.cgi?id=193709
1249         <rdar://problem/47363838>
1250
1251         Unreviewed, rollout to watch the tests.
1252
1253         * stress/object-tostring-changed-proto.js: Removed.
1254         * stress/object-tostring-changed.js: Removed.
1255         * stress/object-tostring-misc.js: Removed.
1256         * stress/object-tostring-other.js: Removed.
1257         * stress/object-tostring-untyped.js: Removed.
1258
1259 2019-01-22  Saam Barati  <sbarati@apple.com>
1260
1261         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1262
1263         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1264         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1265         (testUncheckedLessThanZero):
1266         (testUncheckedLessThanOrEqualZero):
1267         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1268         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1269
1270 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1271
1272         [JSC] Invalidate old scope operations using global lexical binding epoch
1273         https://bugs.webkit.org/show_bug.cgi?id=193603
1274         <rdar://problem/47380869>
1275
1276         Reviewed by Saam Barati.
1277
1278         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1279         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1280         (shouldThrow):
1281         (bar):
1282         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1283         (shouldBe):
1284         (get1):
1285         (get2):
1286         (get1If):
1287         (get2If):
1288         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1289         (shouldThrow):
1290         (foo):
1291
1292 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1293
1294         Unreviewed, roll out r240220 due to date-format-xparb regression
1295         https://bugs.webkit.org/show_bug.cgi?id=193603
1296
1297         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1298         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1299         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1300         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1301
1302 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1303
1304         DoesGC rule is wrong for nodes with BigIntUse
1305         https://bugs.webkit.org/show_bug.cgi?id=193652
1306
1307         Reviewed by Saam Barati.
1308
1309         * stress/big-int-value-op-update-gc-rules.js: Added.
1310         (assert):
1311         (doesGCAdd):
1312         (doesGCSub):
1313         (doesGCDiv):
1314         (doesGCMul):
1315         (doesGCBitAnd):
1316         (doesGCBitOr):
1317         (doesGCBitXor):
1318
1319 2019-01-20  Saam Barati  <sbarati@apple.com>
1320
1321         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1322         https://bugs.webkit.org/show_bug.cgi?id=193644
1323         <rdar://problem/46209745>
1324
1325         Reviewed by Yusuke Suzuki.
1326
1327         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1328         (foo):
1329         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1330         (foo):
1331         (bar):
1332
1333 2019-01-20  Saam Barati  <sbarati@apple.com>
1334
1335         MovHint must merge NodeBytecodeUsesAsValue for its child
1336         https://bugs.webkit.org/show_bug.cgi?id=186916
1337         <rdar://problem/41396612>
1338
1339         Reviewed by Yusuke Suzuki.
1340
1341         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1342         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1343
1344 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1345
1346         [JSC] Invalidate old scope operations using global lexical binding epoch
1347         https://bugs.webkit.org/show_bug.cgi?id=193603
1348         <rdar://problem/47380869>
1349
1350         Reviewed by Saam Barati.
1351
1352         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1353         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1354         (shouldThrow):
1355         (bar):
1356         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1357         (shouldBe):
1358         (get1):
1359         (get2):
1360         (get1If):
1361         (get2If):
1362         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1363         (shouldThrow):
1364         (foo):
1365
1366 2019-01-17  Saam barati  <sbarati@apple.com>
1367
1368         StringObjectUse should not be a structure check for the original string object structure
1369         https://bugs.webkit.org/show_bug.cgi?id=193483
1370         <rdar://problem/47280522>
1371
1372         Reviewed by Yusuke Suzuki.
1373
1374         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1375         (foo):
1376         (a.valueOf.0):
1377
1378 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1379
1380         [JSC] ToThis omission in DFGByteCodeParser is wrong
1381         https://bugs.webkit.org/show_bug.cgi?id=193513
1382         <rdar://problem/45842236>
1383
1384         Reviewed by Saam Barati.
1385
1386         * stress/to-this-omission-with-different-strict-modes.js: Added.
1387         (thisA):
1388         (thisAStrictWrapper):
1389
1390 2019-01-15  Mark Lam  <mark.lam@apple.com>
1391
1392         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1393         https://bugs.webkit.org/show_bug.cgi?id=193423
1394         <rdar://problem/46209355>
1395
1396         Reviewed by Saam Barati.
1397
1398         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1399         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1400         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1401         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1402
1403 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1404
1405         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1406         https://bugs.webkit.org/show_bug.cgi?id=193438
1407         <rdar://problem/45581249>
1408
1409         Reviewed by Saam Barati and Keith Miller.
1410
1411         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1412         Then, GetByVal(String) crashed.
1413
1414         * stress/string-get-by-val-lowering.js: Added.
1415         (shouldBe):
1416         (test):
1417         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1418         (Hello):
1419         (foo):
1420
1421 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1422
1423         Unreviewed, skip JIT tests if it's not enabled
1424
1425         * stress/bit-op-with-object-returning-int32.js:
1426
1427 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1428
1429         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1430         https://bugs.webkit.org/show_bug.cgi?id=192966
1431
1432         Reviewed by Yusuke Suzuki.
1433
1434         * stress/bit-op-with-object-returning-int32.js: Added.
1435
1436 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1437
1438         Skip a slow test and a flakey test on arm
1439
1440         Unreviewed gardening.
1441
1442         * typeProfiler/getter-richards.js:
1443         this test always times out, it used to be always skipped on arm and
1444         mips, but got accidentally enabled by r237919 now that we have DFG on
1445         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1446
1447 2019-01-14  Keith Miller  <keith_miller@apple.com>
1448
1449         Skip type-check-hoisting-phase-hoist... with no jit
1450         https://bugs.webkit.org/show_bug.cgi?id=193421
1451
1452         Reviewed by Mark Lam.
1453
1454         It's timing out the 32-bit bots and takes 330 seconds
1455         on my machine when run by itself.
1456
1457         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1458
1459 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1460
1461         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1462         https://bugs.webkit.org/show_bug.cgi?id=193413
1463         <rdar://problem/46092389>
1464
1465         Reviewed by Keith Miller.
1466
1467         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1468         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1469         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1470         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1471
1472         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1473         (compareArray):
1474
1475 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1476
1477         [BigInt] Literal parsing is crashing when used inside a Object Literal
1478         https://bugs.webkit.org/show_bug.cgi?id=193404
1479
1480         Reviewed by Yusuke Suzuki.
1481
1482         * stress/big-int-literal-inside-literal-object.js: Added.
1483
1484 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1485
1486         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1487         https://bugs.webkit.org/show_bug.cgi?id=193372
1488
1489         Reviewed by Saam Barati.
1490
1491         * stress/typed-array-array-modes-profile.js: Added.
1492         (foo):
1493
1494 2019-01-14  Mark Lam  <mark.lam@apple.com>
1495
1496         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1497         https://bugs.webkit.org/show_bug.cgi?id=193402
1498         <rdar://problem/46012309>
1499
1500         Reviewed by Keith Miller.
1501
1502         * stress/regexp-compile-oom.js:
1503         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1504           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1505
1506 2019-01-11  Saam barati  <sbarati@apple.com>
1507
1508         DFG combined liveness can be wrong for terminal basic blocks
1509         https://bugs.webkit.org/show_bug.cgi?id=193304
1510         <rdar://problem/45268632>
1511
1512         Reviewed by Yusuke Suzuki.
1513
1514         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1515
1516 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1517
1518         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1519         https://bugs.webkit.org/show_bug.cgi?id=193308
1520         <rdar://problem/45546542>
1521
1522         Reviewed by Saam Barati.
1523
1524         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1525         (shouldThrow):
1526         (shouldBe):
1527         (foo):
1528         (get shouldThrow):
1529         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1530         (shouldThrow):
1531         (shouldBe):
1532         (foo):
1533         (get shouldBe):
1534         (get shouldThrow):
1535         (get return):
1536         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1537         (shouldThrow):
1538         (shouldBe):
1539         (foo):
1540         (get shouldBe):
1541         (get shouldThrow):
1542         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1543         (shouldThrow):
1544         (shouldBe):
1545         (foo):
1546         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1547         (shouldThrow):
1548         (shouldBe):
1549         (foo):
1550         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1551         (shouldThrow):
1552         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1553         (shouldThrow):
1554         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1555         (shouldThrow):
1556         (shouldBe):
1557         (foo):
1558         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1559         (shouldThrow):
1560         (shouldBe):
1561         (foo):
1562         (get shouldBe):
1563         (get shouldThrow):
1564         (get return):
1565         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1566         (shouldThrow):
1567         (shouldBe):
1568         (foo):
1569         (get shouldBe):
1570         (get shouldThrow):
1571         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1572         (shouldThrow):
1573         (shouldBe):
1574         (foo):
1575         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1576         (shouldThrow):
1577         (shouldBe):
1578         (foo):
1579
1580 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1581
1582         Enable DFG on ARM/Linux again
1583         https://bugs.webkit.org/show_bug.cgi?id=192496
1584
1585         Reviewed by Yusuke Suzuki.
1586
1587         Test wasn't really skipped before moving the line with skip
1588         to the top.
1589
1590         * stress/regress-192717.js:
1591
1592 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1593
1594         Unreviewed, rolling out r239825.
1595         https://bugs.webkit.org/show_bug.cgi?id=193330
1596
1597         Broke tests on armv7/linux bots (Requested by guijemont on
1598         #webkit).
1599
1600         Reverted changeset:
1601
1602         "Enable DFG on ARM/Linux again"
1603         https://bugs.webkit.org/show_bug.cgi?id=192496
1604         https://trac.webkit.org/changeset/239825
1605
1606 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1607
1608         Enable DFG on ARM/Linux again
1609         https://bugs.webkit.org/show_bug.cgi?id=192496
1610
1611         Reviewed by Yusuke Suzuki.
1612
1613         Test wasn't really skipped before moving the line with skip
1614         to the top.
1615
1616         * stress/regress-192717.js:
1617
1618 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1619
1620         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1621         https://bugs.webkit.org/show_bug.cgi?id=193127
1622
1623         Reviewed by Saam Barati.
1624
1625         * stress/array-species-create-should-handle-masquerader.js: Added.
1626         (shouldThrow):
1627         * stress/is-undefined-or-null-builtin.js: Added.
1628         (shouldBe):
1629         (isUndefinedOrNull.vm.createBuiltin):
1630
1631 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1632
1633         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1634         https://bugs.webkit.org/show_bug.cgi?id=193221
1635
1636         Reviewed by Mark Lam.
1637
1638         * stress/put-by-id-flags.js: Added.
1639         (f):
1640         (g):
1641         (numberOfDFGCompiles):
1642
1643 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1644
1645         Baseline version of get_by_id may corrupt metadata
1646         https://bugs.webkit.org/show_bug.cgi?id=193085
1647         <rdar://problem/23453006>
1648
1649         Reviewed by Saam Barati.
1650
1651         * stress/get-by-id-change-mode.js: Added.
1652         (forEach):
1653
1654 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1655
1656         [JSC] Optimize Object.prototype.toString
1657         https://bugs.webkit.org/show_bug.cgi?id=193031
1658
1659         Reviewed by Saam Barati.
1660
1661         * stress/object-tostring-changed-proto.js: Added.
1662         (shouldBe):
1663         (test):
1664         * stress/object-tostring-changed.js: Added.
1665         (shouldBe):
1666         (test):
1667         * stress/object-tostring-misc.js: Added.
1668         (shouldBe):
1669         (test):
1670         (i.switch):
1671         * stress/object-tostring-other.js: Added.
1672         (shouldBe):
1673         (test):
1674         * stress/object-tostring-untyped.js: Added.
1675         (shouldBe):
1676         (test):
1677         (i.switch):
1678
1679 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1680
1681         test262-runner misbehaves when test file YAML has a trailing space
1682         https://bugs.webkit.org/show_bug.cgi?id=193053
1683
1684         Reviewed by Yusuke Suzuki.
1685
1686         * test262/expectations.yaml:
1687         Mark two dozen tests as passing (and correct the output of another).
1688
1689 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1690
1691         Unreviewed, JSTests gardening with memoryLimited
1692
1693         * stress/string-overflow-createError.js:
1694
1695 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1696
1697         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1698         https://bugs.webkit.org/show_bug.cgi?id=193050
1699
1700         Reviewed by Yusuke Suzuki.
1701
1702         * test262.yaml:
1703         * test262/expectations.yaml:
1704         Mark 16 tests as passing.
1705
1706 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1707
1708         [BigInt] Support BigInt in JSON.stringify
1709         https://bugs.webkit.org/show_bug.cgi?id=192624
1710
1711         Reviewed by Saam Barati.
1712
1713         * stress/big-int-json-stringify-to-json.js: Added.
1714         (shouldBe):
1715         (shouldThrow):
1716         (BigInt.prototype.toJSON):
1717         (shouldBe.JSON.stringify):
1718         * stress/big-int-json-stringify.js: Added.
1719         (shouldBe):
1720         (shouldThrow):
1721
1722 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1723
1724         [JSC] Implement "well-formed JSON.stringify" proposal
1725         https://bugs.webkit.org/show_bug.cgi?id=191677
1726
1727         Reviewed by Darin Adler.
1728
1729         * stress/json-surrogate-pair.js: Added.
1730         (shouldBe):
1731         * test262/expectations.yaml:
1732
1733 2018-12-20  Keith Miller  <keith_miller@apple.com>
1734
1735         Add support for globalThis
1736         https://bugs.webkit.org/show_bug.cgi?id=165171
1737
1738         Reviewed by Mark Lam.
1739
1740         * test262/config.yaml:
1741
1742 2018-12-19  Keith Miller  <keith_miller@apple.com>
1743
1744         Update test262 configuration to not run tests dependent on ICU version.
1745         https://bugs.webkit.org/show_bug.cgi?id=192920
1746
1747         Reviewed by Saam Barati.
1748
1749         * test262/expectations.yaml:
1750
1751 2018-12-20  Mark Lam  <mark.lam@apple.com>
1752
1753         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1754         https://bugs.webkit.org/show_bug.cgi?id=192939
1755         <rdar://problem/46869516>
1756
1757         Reviewed by Keith Miller.
1758
1759         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1760
1761 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1762
1763         WTF::String and StringImpl overflow MaxLength
1764         https://bugs.webkit.org/show_bug.cgi?id=192853
1765         <rdar://problem/45726906>
1766
1767         Reviewed by Mark Lam.
1768
1769         * stress/string-16bit-repeat-overflow.js: Added.
1770         (catch):
1771
1772 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1773
1774         Unreviewed follow-up to r192914.
1775
1776         * test262/expectations.yaml:
1777         Add the last 20 missing expectations.
1778
1779 2018-12-19  Keith Miller  <keith_miller@apple.com>
1780
1781         Fix test262 expectations
1782         https://bugs.webkit.org/show_bug.cgi?id=192914
1783
1784         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1785
1786         * test262/expectations.yaml:
1787
1788 2018-12-19  Keith Miller  <keith_miller@apple.com>
1789
1790         Update test262 tests.
1791         https://bugs.webkit.org/show_bug.cgi?id=192907
1792
1793         Rubber stamped by Mark Lam.
1794
1795         * test262/*: Omitted because prepare-changelog crashes.
1796
1797 2018-12-19  Mark Lam  <mark.lam@apple.com>
1798
1799         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1800         https://bugs.webkit.org/show_bug.cgi?id=192464
1801         <rdar://problem/46519455>
1802
1803         Reviewed by Saam Barati.
1804
1805         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1806         microbenchmark.
1807
1808         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1809         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1810
1811 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1812
1813         String overflow in JSC::createError results in ASSERT in WTF::makeString
1814         https://bugs.webkit.org/show_bug.cgi?id=192833
1815         <rdar://problem/45706868>
1816
1817         Reviewed by Mark Lam.
1818
1819         * stress/string-overflow-createError.js: Added.
1820
1821 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1822
1823         Error message for `-x ** y` contains a typo.
1824         https://bugs.webkit.org/show_bug.cgi?id=192832
1825
1826         Reviewed by Saam Barati.
1827
1828         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1829         (assert.assert.return.throws):
1830         * stress/pow-expects-update-expression-on-lhs.js:
1831         (throw.new.Error):
1832         Update test expectations which match against the exact error message.
1833
1834 2018-12-18  Mark Lam  <mark.lam@apple.com>
1835
1836         Gardening: test options fix.
1837         https://bugs.webkit.org/show_bug.cgi?id=192822
1838
1839         Unreviewed.
1840
1841         * stress/json-stringify-string-builder-overflow.js:
1842
1843 2018-12-18  Mark Lam  <mark.lam@apple.com>
1844
1845         JSON.stringify() should throw OOM on StringBuilder overflows.
1846         https://bugs.webkit.org/show_bug.cgi?id=192822
1847         <rdar://problem/46670577>
1848
1849         Reviewed by Saam Barati.
1850
1851         * stress/json-stringify-string-builder-overflow.js: Added.
1852
1853 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1854
1855         Redeclaration of var over let/const/class should be a syntax error.
1856         https://bugs.webkit.org/show_bug.cgi?id=192298
1857
1858         Reviewed by Keith Miller.
1859
1860         * test262.yaml:
1861         * test262/expectations.yaml:
1862         Mark 46 tests as passing.
1863
1864         * stress/block-scope-redeclarations.js:
1865         Add some new tests.
1866
1867         * stress/for-in-invalidate-context-weird-assignments.js:
1868         * stress/for-in-tests.js:
1869         Replace tests for outdated behavior with tests for SyntaxError.
1870
1871         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1872         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1873         Update expectations.
1874
1875 2018-12-18  Mark Lam  <mark.lam@apple.com>
1876
1877         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1878         https://bugs.webkit.org/show_bug.cgi?id=191374
1879         <rdar://problem/46525447>
1880
1881         Reviewed by Yusuke Suzuki.
1882
1883         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1884
1885         * stress/elidable-new-object-roflcopter-then-exit.js:
1886
1887 2018-12-17  Mark Lam  <mark.lam@apple.com>
1888
1889         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1890         https://bugs.webkit.org/show_bug.cgi?id=192019
1891         <rdar://problem/46525456>
1892
1893         Reviewed by Yusuke Suzuki.
1894
1895         The test runs too slow on 32-bit.
1896
1897         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1898
1899 2018-12-17  Mark Lam  <mark.lam@apple.com>
1900
1901         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1902         https://bugs.webkit.org/show_bug.cgi?id=191373
1903         <rdar://problem/46525458>
1904
1905         Reviewed by Yusuke Suzuki.
1906
1907         The test is already slow running with a JIT on 64-bit.  It will always time out
1908         on 32-bit without a JIT.
1909
1910         * stress/materialize-regexp-cyclic-regexp.js:
1911
1912 2018-12-17  Mark Lam  <mark.lam@apple.com>
1913
1914         Array unshift/shift should not race against the AI in the compiler thread.
1915         https://bugs.webkit.org/show_bug.cgi?id=192795
1916         <rdar://problem/46724263>
1917
1918         Reviewed by Saam Barati.
1919
1920         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1921
1922 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1923
1924         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1925         https://bugs.webkit.org/show_bug.cgi?id=190047
1926
1927         Reviewed by Saam Barati.
1928
1929         * stress/object-keys-cached-zero.js: Added.
1930         (shouldBe):
1931         (test):
1932         * stress/object-keys-changed-attribute.js: Added.
1933         (shouldBe):
1934         (test):
1935         * stress/object-keys-changed-index.js: Added.
1936         (shouldBe):
1937         (test):
1938         * stress/object-keys-changed.js: Added.
1939         (shouldBe):
1940         (test):
1941         * stress/object-keys-indexed-non-cache.js: Added.
1942         (shouldBe):
1943         (test):
1944         * stress/object-keys-overrides-get-property-names.js: Added.
1945         (shouldBe):
1946         (test):
1947         (noInline):
1948
1949 2018-12-17  Mark Lam  <mark.lam@apple.com>
1950
1951         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1952         https://bugs.webkit.org/show_bug.cgi?id=192779
1953         <rdar://problem/46775869>
1954
1955         Reviewed by Saam Barati.
1956
1957         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1958
1959 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1960
1961         Unreviewed test gardening, address a syntax error in a new test.
1962
1963         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1964
1965 2018-12-17  Mark Lam  <mark.lam@apple.com>
1966
1967         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1968         https://bugs.webkit.org/show_bug.cgi?id=192776
1969         <rdar://problem/46772368>
1970
1971         Reviewed by Keith Miller.
1972
1973         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1974
1975 2018-12-17  Mark Lam  <mark.lam@apple.com>
1976
1977         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1978         https://bugs.webkit.org/show_bug.cgi?id=192770
1979         <rdar://problem/46449037>
1980
1981         Reviewed by Keith Miller.
1982
1983         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1984
1985 2018-12-14  Mark Lam  <mark.lam@apple.com>
1986
1987         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1988         https://bugs.webkit.org/show_bug.cgi?id=192717
1989         <rdar://problem/46660677>
1990
1991         Reviewed by Saam Barati.
1992
1993         * stress/regress-192717.js: Added.
1994
1995 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1996
1997         Unreviewed, rolling out r239153, r239154, and r239155.
1998         https://bugs.webkit.org/show_bug.cgi?id=192715
1999
2000         Caused flaky GC-related crashes seen with layout tests
2001         (Requested by ryanhaddad on #webkit).
2002
2003         Reverted changesets:
2004
2005         "[JSC] Optimize Object.keys by caching own keys results in
2006         StructureRareData"
2007         https://bugs.webkit.org/show_bug.cgi?id=190047
2008         https://trac.webkit.org/changeset/239153
2009
2010         "Unreviewed, build fix after r239153"
2011         https://bugs.webkit.org/show_bug.cgi?id=190047
2012         https://trac.webkit.org/changeset/239154
2013
2014         "Unreviewed, build fix after r239153, part 2"
2015         https://bugs.webkit.org/show_bug.cgi?id=190047
2016         https://trac.webkit.org/changeset/239155
2017
2018 2018-12-14  Keith Miller  <keith_miller@apple.com>
2019
2020         Callers of JSString::getIndex should check for OOM exceptions
2021         https://bugs.webkit.org/show_bug.cgi?id=192709
2022
2023         Reviewed by Mark Lam.
2024
2025         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2026
2027 2018-12-13  Mark Lam  <mark.lam@apple.com>
2028
2029         Add a missing exception check.
2030         https://bugs.webkit.org/show_bug.cgi?id=192626
2031         <rdar://problem/46662163>
2032
2033         Reviewed by Keith Miller.
2034
2035         * stress/regress-192626.js: Added.
2036
2037 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2038
2039         [BigInt] Add ValueDiv into DFG
2040         https://bugs.webkit.org/show_bug.cgi?id=186178
2041
2042         Reviewed by Yusuke Suzuki.
2043
2044         * stress/big-int-div-jit-osr.js: Added.
2045         * stress/big-int-div-jit-untyped.js: Added.
2046         * stress/value-div-fixup-int32-big-int.js: Added.
2047
2048 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2049
2050         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2051         https://bugs.webkit.org/show_bug.cgi?id=190047
2052
2053         Reviewed by Keith Miller.
2054
2055         * stress/object-keys-cached-zero.js: Added.
2056         (shouldBe):
2057         (test):
2058         * stress/object-keys-changed-attribute.js: Added.
2059         (shouldBe):
2060         (test):
2061         * stress/object-keys-changed-index.js: Added.
2062         (shouldBe):
2063         (test):
2064         * stress/object-keys-changed.js: Added.
2065         (shouldBe):
2066         (test):
2067         * stress/object-keys-indexed-non-cache.js: Added.
2068         (shouldBe):
2069         (test):
2070         * stress/object-keys-overrides-get-property-names.js: Added.
2071         (shouldBe):
2072         (test):
2073         (noInline):
2074
2075 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2076
2077         [DFG][FTL] Add NewSymbol
2078         https://bugs.webkit.org/show_bug.cgi?id=192620
2079
2080         Reviewed by Saam Barati.
2081
2082         * microbenchmarks/symbol-creation.js: Added.
2083         (test):
2084         * stress/symbol-description-identity.js: Added.
2085         (shouldBe):
2086         (test):
2087         * stress/symbol-identity.js: Added.
2088         (shouldBe):
2089         (test):
2090         * stress/symbol-with-description-throw-error.js: Added.
2091         (shouldBe):
2092         (shouldThrow):
2093         (test):
2094         (object.toString):
2095
2096 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2097
2098         [BigInt] Implement DFG/FTL typeof for BigInt
2099         https://bugs.webkit.org/show_bug.cgi?id=192619
2100
2101         Reviewed by Keith Miller.
2102
2103         * stress/big-int-boolean-proven-type.js: Added.
2104         (assert):
2105         (bool):
2106         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2107         (assert):
2108         (typeOf):
2109         (i.switch):
2110         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2111         (assert):
2112         (typeOf):
2113         * stress/big-int-type-of.js:
2114         (typeOf):
2115         (func):
2116
2117 2018-12-10  Mark Lam  <mark.lam@apple.com>
2118
2119         PropertyAttribute needs a CustomValue bit.
2120         https://bugs.webkit.org/show_bug.cgi?id=191993
2121         <rdar://problem/46264467>
2122
2123         Reviewed by Saam Barati.
2124
2125         * stress/regress-191993.js: Added.
2126
2127 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2128
2129         [BigInt] Add ValueMul into DFG
2130         https://bugs.webkit.org/show_bug.cgi?id=186175
2131
2132         Reviewed by Yusuke Suzuki.
2133
2134         * stress/big-int-mul-jit-osr.js: Added.
2135         * stress/big-int-mul-jit-untyped.js: Added.
2136         * stress/value-mul-fixup-int32-big-int.js: Added.
2137
2138 2018-12-06  Keith Miller  <keith_miller@apple.com>
2139
2140         stress/big-wasm-memory tests failing on 32-bit JSC bot
2141         https://bugs.webkit.org/show_bug.cgi?id=192020
2142
2143         Reviewed by Saam Barati.
2144
2145         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2146         the wasm stress tests if the WebAssembly object does not exist.
2147
2148         * stress/big-wasm-memory-grow-no-max.js:
2149         (test.foo):
2150         (test):
2151         (foo): Deleted.
2152         (catch): Deleted.
2153         * stress/big-wasm-memory-grow.js:
2154         (test.foo):
2155         (test):
2156         (foo): Deleted.
2157         (catch): Deleted.
2158         * stress/big-wasm-memory.js:
2159         (test.foo):
2160         (test):
2161         (foo): Deleted.
2162         (catch): Deleted.
2163
2164 2018-12-05  Mark Lam  <mark.lam@apple.com>
2165
2166         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2167         https://bugs.webkit.org/show_bug.cgi?id=192441
2168         <rdar://problem/46480355>
2169
2170         Reviewed by Saam Barati.
2171
2172         * stress/regress-192441.js: Added.
2173
2174 2018-12-04  Mark Lam  <mark.lam@apple.com>
2175
2176         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2177         https://bugs.webkit.org/show_bug.cgi?id=192386
2178         <rdar://problem/46445516>
2179
2180         Reviewed by Saam Barati.
2181
2182         * stress/regress-192386.js: Added.
2183
2184 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2185
2186         [ESNext][BigInt] Support logic operations
2187         https://bugs.webkit.org/show_bug.cgi?id=179903
2188
2189         Reviewed by Yusuke Suzuki.
2190
2191         * stress/big-int-branch-usage.js: Added.
2192         * stress/big-int-logical-and.js: Added.
2193         * stress/big-int-logical-not.js: Added.
2194         * stress/big-int-logical-or.js: Added.
2195
2196 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2197
2198         Unreviewed, rolling out r238833.
2199
2200         Breaks macOS and iOS debug builds.
2201
2202         Reverted changeset:
2203
2204         "[ESNext][BigInt] Support logic operations"
2205         https://bugs.webkit.org/show_bug.cgi?id=179903
2206         https://trac.webkit.org/changeset/238833
2207
2208 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2209
2210         [ESNext][BigInt] Support logic operations
2211         https://bugs.webkit.org/show_bug.cgi?id=179903
2212
2213         Reviewed by Yusuke Suzuki.
2214
2215         * stress/big-int-branch-usage.js: Added.
2216         * stress/big-int-logical-and.js: Added.
2217         * stress/big-int-logical-not.js: Added.
2218         * stress/big-int-logical-or.js: Added.
2219
2220 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2221
2222         [ESNext][BigInt] Implement support for "<<" and ">>"
2223         https://bugs.webkit.org/show_bug.cgi?id=186233
2224
2225         Reviewed by Yusuke Suzuki.
2226
2227         * stress/big-int-left-shift-general.js: Added.
2228         * stress/big-int-left-shift-range-error.js: Added.
2229         * stress/big-int-left-shift-type-error.js: Added.
2230         * stress/big-int-left-shift-wrapped-value.js: Added.
2231         * stress/big-int-right-shift-general.js: Added.
2232         * stress/big-int-right-shift-type-error.js: Added.
2233         * stress/big-int-right-shift-wrapped-value.js: Added.
2234         * stress/left-shift-to-primitive-precedence.js: Added.
2235         * stress/right-shift-to-primitive-precedence.js: Added.
2236
2237 2018-11-30  Dean Jackson  <dino@apple.com>
2238
2239         Add first-class support for .mjs files in jsc binary
2240         https://bugs.webkit.org/show_bug.cgi?id=192190
2241         <rdar://problem/46375715>
2242
2243         Reviewed by Keith Miller.
2244
2245         * stress/simple-module.mjs: Added.
2246         * stress/simple-script.js: Added.
2247
2248 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2249
2250         [BigInt] Implement ValueBitXor into DFG
2251         https://bugs.webkit.org/show_bug.cgi?id=190264
2252
2253         Reviewed by Yusuke Suzuki.
2254
2255         * stress/big-int-bitwise-xor-jit.js: Added.
2256         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2257         * stress/big-int-bitwise-xor-untyped.js: Added.
2258
2259 2018-11-27  Saam barati  <sbarati@apple.com>
2260
2261         r238510 broke scopes of size zero
2262         https://bugs.webkit.org/show_bug.cgi?id=192033
2263         <rdar://problem/46281734>
2264
2265         Reviewed by Keith Miller.
2266
2267         * stress/r238510-bad-loop.js: Added.
2268         (foo):
2269
2270 2018-11-27  Mark Lam  <mark.lam@apple.com>
2271
2272         [Re-landing] NaNs read from Wasm code needs to be purified.
2273         https://bugs.webkit.org/show_bug.cgi?id=191056
2274         <rdar://problem/45660341>
2275
2276         Reviewed by Filip Pizlo.
2277
2278         * wasm/regress/regress-191056.js: Added.
2279
2280 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2281
2282         Unreviewed, rolling out r238509.
2283
2284         Causes JSC tests to fail on iOS.
2285
2286         Reverted changeset:
2287
2288         "NaNs read from Wasm code needs to be purified."
2289         https://bugs.webkit.org/show_bug.cgi?id=191056
2290         https://trac.webkit.org/changeset/238509
2291
2292 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2293
2294         Re-introduce op_bitnot
2295         https://bugs.webkit.org/show_bug.cgi?id=190923
2296
2297         Reviewed by Yusuke Suzuki.
2298
2299         * stress/bit-not-must-generate.js: Added.
2300         * stress/bitwise-not-no-int32.js: Added.
2301
2302 2018-11-26  Saam barati  <sbarati@apple.com>
2303
2304         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2305         https://bugs.webkit.org/show_bug.cgi?id=191956
2306         <rdar://problem/45665806>
2307
2308         Reviewed by Yusuke Suzuki.
2309
2310         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2311         (bar):
2312         (foo):
2313
2314 2018-11-26  Saam barati  <sbarati@apple.com>
2315
2316         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2317         https://bugs.webkit.org/show_bug.cgi?id=191958
2318         <rdar://problem/46221877>
2319
2320         Reviewed by Yusuke Suzuki.
2321
2322         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2323         (x):
2324         (foo):
2325
2326 2018-11-26  Mark Lam  <mark.lam@apple.com>
2327
2328         NaNs read from Wasm code needs to be purified.
2329         https://bugs.webkit.org/show_bug.cgi?id=191056
2330         <rdar://problem/45660341>
2331
2332         Reviewed by Filip Pizlo.
2333
2334         * wasm/regress/regress-191056.js: Added.
2335
2336 2018-11-26  Michael Saboff  <msaboff@apple.com>
2337
2338         32-bit JSC test failure: stress/regexp-compile-oom.js
2339         https://bugs.webkit.org/show_bug.cgi?id=191375
2340
2341         Reviewed by Mark Lam.
2342
2343         Disabled the test for 32 bit platforms.
2344
2345         * stress/regexp-compile-oom.js:
2346
2347 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2348
2349         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2350         https://bugs.webkit.org/show_bug.cgi?id=191716
2351         <rdar://problem/45723878>
2352
2353         Reviewed by Saam Barati.
2354
2355         * stress/regress-187373.js: Added.
2356         (async.fn):
2357
2358 2018-11-21  Saam barati  <sbarati@apple.com>
2359
2360         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2361         https://bugs.webkit.org/show_bug.cgi?id=191897
2362         <rdar://problem/45871998>
2363
2364         Reviewed by Mark Lam.
2365
2366         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2367         (bar):
2368         (foo):
2369
2370 2018-11-21  Saam barati  <sbarati@apple.com>
2371
2372         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2373         https://bugs.webkit.org/show_bug.cgi?id=191895
2374         <rdar://problem/46167406>
2375
2376         Reviewed by Mark Lam.
2377
2378         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2379         (foo):
2380         (bar):
2381
2382 2018-11-21  Mark Lam  <mark.lam@apple.com>
2383
2384         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2385         https://bugs.webkit.org/show_bug.cgi?id=191776
2386         <rdar://problem/46152851>
2387
2388         Reviewed by Saam Barati.
2389
2390         * stress/big-wasm-memory-grow-no-max.js:
2391         * stress/big-wasm-memory-grow.js:
2392         * stress/big-wasm-memory.js:
2393         - updated these to expect an OutOfMemoryError.
2394
2395         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2396         (Binary.prototype.emit_u8):
2397         (Binary.prototype.emit_u32v):
2398         (Binary.prototype.emit_header):
2399         (Binary.prototype.emit_section):
2400         (Binary):
2401         (WasmModuleBuilder):
2402         (WasmModuleBuilder.prototype.addMemory):
2403         (WasmModuleBuilder.prototype.toArray):
2404         (WasmModuleBuilder.prototype.toBuffer):
2405         (WasmModuleBuilder.prototype.instantiate):
2406         (catch):
2407         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2408         (catch):
2409
2410 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2411
2412         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2413         https://bugs.webkit.org/show_bug.cgi?id=190836
2414
2415         Reviewed by Saam Barati and Yusuke Suzuki.
2416
2417         * stress/big-int-out-of-memory-tests.js: Added.
2418
2419 2018-11-20  Mark Lam  <mark.lam@apple.com>
2420
2421         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2422         https://bugs.webkit.org/show_bug.cgi?id=191856
2423         <rdar://problem/46089992>
2424
2425         Reviewed by Yusuke Suzuki.
2426
2427         * stress/regress-191856.js: Added.
2428         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2429
2430 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2431
2432         Enable JIT on ARM/Linux
2433         https://bugs.webkit.org/show_bug.cgi?id=191548
2434
2435         Reviewed by Yusuke Suzuki.
2436
2437         Disable test on system with limited memory. Program was killed by
2438         the OS before the exception was thrown.
2439
2440         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2441
2442 2018-11-20  Saam barati  <sbarati@apple.com>
2443
2444         Merging an IC variant may lead to the IC status containing overlapping structure sets
2445         https://bugs.webkit.org/show_bug.cgi?id=191869
2446         <rdar://problem/45403453>
2447
2448         Reviewed by Mark Lam.
2449
2450         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2451
2452 2018-11-19  Mark Lam  <mark.lam@apple.com>
2453
2454         globalFuncImportModule() should return a promise when it clears exceptions.
2455         https://bugs.webkit.org/show_bug.cgi?id=191792
2456         <rdar://problem/46090763>
2457
2458         Reviewed by Michael Saboff.
2459
2460         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2461
2462 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2463
2464         Skip new memory-hungry tests on memory limited devices
2465
2466         Unreviewed gardening.
2467
2468         * stress/big-wasm-memory-grow-no-max.js:
2469         * stress/big-wasm-memory-grow.js:
2470         * stress/big-wasm-memory.js:
2471
2472 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2473
2474         Unreviewed, rolling in the rest of r237254
2475         https://bugs.webkit.org/show_bug.cgi?id=190340
2476
2477         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2478         * stress/function-cache-with-parameters-end-position.js: Added.
2479         (shouldBe):
2480         (shouldThrow):
2481         (i.anonymous):
2482         * stress/function-constructor-name.js: Added.
2483         (shouldBe):
2484         (GeneratorFunction):
2485         (AsyncFunction.async):
2486         (AsyncGeneratorFunction.async):
2487         (anonymous):
2488         (async.anonymous):
2489         * test262/expectations.yaml:
2490
2491 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2492
2493         All users of ArrayBuffer should agree on the same max size
2494         https://bugs.webkit.org/show_bug.cgi?id=191771
2495
2496         Reviewed by Mark Lam.
2497
2498         * stress/big-wasm-memory-grow-no-max.js: Added.
2499         (foo):
2500         (catch):
2501         * stress/big-wasm-memory-grow.js: Added.
2502         (foo):
2503         (catch):
2504         * stress/big-wasm-memory.js: Added.
2505         (foo):
2506         (catch):
2507
2508 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2509
2510         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2511         run for each JSC config since they're regression tests for runtime bugs.
2512
2513         * stress/json-stringified-overflow-2.js:
2514         * stress/json-stringified-overflow.js:
2515
2516 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2517
2518         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2519         config since they're regression tests for runtime bugs.
2520
2521         * stress/large-unshift-splice.js:
2522         * stress/regress-185888.js:
2523
2524 2018-11-16  Saam Barati  <sbarati@apple.com>
2525
2526         KnownCellUse should also have SpecCellCheck as its type filter
2527         https://bugs.webkit.org/show_bug.cgi?id=191729
2528         <rdar://problem/45872852>
2529
2530         Reviewed by Filip Pizlo.
2531
2532         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2533         (C):
2534
2535 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2536
2537         Fix assertion failure on BytecodeGenerator::recordOpcode
2538         https://bugs.webkit.org/show_bug.cgi?id=191724
2539         <rdar://problem/45724395>
2540
2541         Reviewed by Saam Barati.
2542
2543         * stress/regress-187373-2.js: Added.
2544         (foo):
2545
2546 2018-11-15  Mark Lam  <mark.lam@apple.com>
2547
2548         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2549         https://bugs.webkit.org/show_bug.cgi?id=191730
2550         <rdar://problem/46048517>
2551
2552         Reviewed by Saam Barati.
2553
2554         * stress/regress-187006.js: Removed.
2555           - this test is invalid because its sole purpose is to test for the non-spec
2556             compliant behavior that we just fixed.
2557
2558         * stress/regress-191730.js: Added.
2559
2560 2018-11-15  Mark Lam  <mark.lam@apple.com>
2561
2562         RegExp operations should not take fast path if lastIndex is not numeric.
2563         https://bugs.webkit.org/show_bug.cgi?id=191731
2564         <rdar://problem/46017305>
2565
2566         Reviewed by Saam Barati.
2567
2568         * stress/regress-191731.js: Added.
2569
2570 2018-11-13  Saam Barati  <sbarati@apple.com>
2571
2572         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2573         https://bugs.webkit.org/show_bug.cgi?id=191600
2574
2575         Reviewed by Mark Lam.
2576
2577         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2578         (foo):
2579         (test):
2580         (bar):
2581
2582 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2583
2584         Unreviewed, rolling out r238132.
2585
2586         The test added with this change is timing out on Debug JSC
2587         bots.
2588
2589         Reverted changeset:
2590
2591         "[BigInt] JSBigInt::createWithLength should throw when length
2592         is greater than JSBigInt::maxLength"
2593         https://bugs.webkit.org/show_bug.cgi?id=190836
2594         https://trac.webkit.org/changeset/238132
2595
2596 2018-11-13  Mark Lam  <mark.lam@apple.com>
2597
2598         Add OOM detection to StringPrototype's substituteBackreferences().
2599         https://bugs.webkit.org/show_bug.cgi?id=191563
2600         <rdar://problem/45720428>
2601
2602         Reviewed by Saam Barati.
2603
2604         * stress/regress-191563.js: Added.
2605
2606 2018-11-13  Mark Lam  <mark.lam@apple.com>
2607
2608         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2609         https://bugs.webkit.org/show_bug.cgi?id=191579
2610         <rdar://problem/45942472>
2611
2612         Reviewed by Saam Barati.
2613
2614         * stress/regress-191579.js: Added.
2615
2616 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2617
2618         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2619         https://bugs.webkit.org/show_bug.cgi?id=190836
2620
2621         Reviewed by Saam Barati.
2622
2623         * stress/big-int-out-of-memory-tests.js: Added.
2624
2625 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2626
2627         U+180E is no longer a whitespace character
2628         https://bugs.webkit.org/show_bug.cgi?id=191415
2629
2630         Reviewed by Saam Barati.
2631
2632         * ChakraCore/test/es5/regexSpace.baseline:
2633         * ChakraCore/test/es6/unicode_whitespace.js:
2634         Update tests to latest version.
2635         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2636
2637         * test262.yaml:
2638         * test262/config.yaml:
2639         * test262/expectations.yaml:
2640         Update expectations.
2641
2642 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2643
2644         [BigInt] Add support to BigInt into ValueAdd
2645         https://bugs.webkit.org/show_bug.cgi?id=186177
2646
2647         Reviewed by Keith Miller.
2648
2649         * stress/big-int-negate-jit.js:
2650         * stress/value-add-big-int-and-string.js: Added.
2651         * stress/value-add-big-int-prediction-propagation.js: Added.
2652         * stress/value-add-big-int-untyped.js: Added.
2653
2654 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2655
2656         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2657         https://bugs.webkit.org/show_bug.cgi?id=191184
2658
2659         Reviewed by Saam Barati.
2660
2661         Most tests were failing due to timeouts, since they are too slow to
2662         run on CLoop. The exceptions are:
2663
2664         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2665         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2666         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2667         to change the stack size since CLoop requires it to be page aligned.
2668
2669         * microbenchmarks/array-push-1.js:
2670         * microbenchmarks/array-push-2.js:
2671         * microbenchmarks/elidable-new-object-dag.js:
2672         * microbenchmarks/elidable-new-object-roflcopter.js:
2673         * microbenchmarks/elidable-new-object-tree.js:
2674         * microbenchmarks/getter-richards.js:
2675         * microbenchmarks/sinkable-new-object-dag.js:
2676         * microbenchmarks/string-concat-long-convert.js:
2677         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2678         * slowMicrobenchmarks/array-push-3.js:
2679         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2680         * slowMicrobenchmarks/spread-small-array.js:
2681         * slowMicrobenchmarks/undefined-property-access.js:
2682         * stress/activation-sink-default-value-tdz-error.js:
2683         * stress/activation-sink-default-value.js:
2684         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2685         * stress/activation-sink-osrexit-default-value.js:
2686         * stress/activation-sink-osrexit.js:
2687         * stress/activation-sink.js:
2688         * stress/allow-math-ic-b3-code-duplication.js:
2689         * stress/array-push-multiple-int32.js:
2690         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2691         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2692         * stress/arrowfunction-lexical-this-activation-sink.js:
2693         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2694         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2695         * stress/elide-new-object-dag-then-exit.js:
2696         * stress/materialize-regexp-cyclic.js:
2697         * stress/new-regex-inline.js:
2698         * stress/op_add.js:
2699         * stress/op_bitand.js:
2700         * stress/op_bitor.js:
2701         * stress/op_bitxor.js:
2702         * stress/op_div-ConstVar.js:
2703         * stress/op_div-VarConst.js:
2704         * stress/op_div-VarVar.js:
2705         * stress/op_lshift-ConstVar.js:
2706         * stress/op_lshift-VarConst.js:
2707         * stress/op_lshift-VarVar.js:
2708         * stress/op_mod-ConstVar.js:
2709         * stress/op_mod-VarConst.js:
2710         * stress/op_mod-VarVar.js:
2711         * stress/op_mul-ConstVar.js:
2712         * stress/op_mul-VarConst.js:
2713         * stress/op_mul-VarVar.js:
2714         * stress/op_rshift-ConstVar.js:
2715         * stress/op_rshift-VarConst.js:
2716         * stress/op_rshift-VarVar.js:
2717         * stress/op_sub-ConstVar.js:
2718         * stress/op_sub-VarConst.js:
2719         * stress/op_sub-VarVar.js:
2720         * stress/op_urshift-ConstVar.js:
2721         * stress/op_urshift-VarConst.js:
2722         * stress/op_urshift-VarVar.js:
2723         * stress/proxy-get-set-correct-receiver.js:
2724         * stress/regress-179562.js:
2725         * stress/rest-parameter-many-arguments.js:
2726         * stress/sampling-profiler-richards.js:
2727         * stress/splay-flash-access-1ms.js:
2728         * stress/tailCallForwardArguments.js:
2729         * stress/typed-array-get-by-val-profiling.js:
2730         * typeProfiler/getter-richards.js:
2731
2732 2018-11-06  Michael Saboff  <msaboff@apple.com>
2733
2734         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2735         https://bugs.webkit.org/show_bug.cgi?id=191271
2736
2737         Reviewed by Saam Barati.
2738
2739         Added more test cases and made all test cases run with the same deeply recursive stack
2740         instead of finding that same point for each test case.
2741
2742         * stress/regexp-compile-oom.js:
2743         (prototype.runTest):
2744         (recurseAndTest):
2745         (testList.push.new.TestAndExpectedException):
2746
2747 2018-11-05  Michael Saboff  <msaboff@apple.com>
2748
2749         Unreviewed build fix for linux.
2750
2751         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2752
2753 2018-11-02  Michael Saboff  <msaboff@apple.com>
2754
2755         Rolling in r237753 with unreviewed build fix.
2756
2757         Fixed issues with DECLARE_THROW_SCOPE placement.
2758
2759 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2760
2761         Unreviewed, rolling out r237753.
2762
2763         Introduced JSC test failures
2764
2765         Reverted changeset:
2766
2767         "Running out of stack space not properly handled in
2768         RegExp::compile() and its callers"
2769         https://bugs.webkit.org/show_bug.cgi?id=191206
2770         https://trac.webkit.org/changeset/237753
2771
2772 2018-11-02  Michael Saboff  <msaboff@apple.com>
2773
2774         Running out of stack space not properly handled in RegExp::compile() and its callers
2775         https://bugs.webkit.org/show_bug.cgi?id=191206
2776
2777         Reviewed by Filip Pizlo.
2778
2779         New regression test.
2780
2781         * stress/regexp-compile-oom.js: Added.
2782         (recurseAndTest):
2783
2784 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2785
2786         Skip tests on arm/mips that time out now we're running on CLoop
2787
2788         Unreviewed gardening.
2789
2790         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2791         time out on the bots and need to be disabled. There's more tests
2792         disabled on arm because the timeout is longer on the mips bot (as the
2793         device is slower to start with), so many of the tests don't time out
2794         there.
2795
2796         * microbenchmarks/getter-richards.js: disable on arm and mips.
2797         * stress/op_add.js: disable on arm.
2798         * stress/op_bitand.js: disable on arm.
2799         * stress/op_bitor.js: disable on arm.
2800         * stress/op_bitxor.js: disable on arm.
2801         * stress/op_lshift-ConstVar.js: disable on arm.
2802         * stress/op_lshift-VarConst.js: disable on arm.
2803         * stress/op_lshift-VarVar.js: disable on arm.
2804         * stress/op_mod-ConstVar.js: disable on arm.
2805         * stress/op_mod-VarConst.js: disable on arm.
2806         * stress/op_mod-VarVar.js: disable on arm.
2807         * stress/op_mul-ConstVar.js: disable on arm.
2808         * stress/op_mul-VarConst.js: disable on arm.
2809         * stress/op_mul-VarVar.js: disable on arm.
2810         * stress/op_rshift-ConstVar.js: disable on arm.
2811         * stress/op_rshift-VarConst.js: disable on arm.
2812         * stress/op_rshift-VarVar.js: disable on arm.
2813         * stress/op_sub-ConstVar.js: disable on arm.
2814         * stress/op_sub-VarConst.js: disable on arm.
2815         * stress/op_sub-VarVar.js: disable on arm.
2816         * stress/op_urshift-ConstVar.js: disable on arm.
2817         * stress/op_urshift-VarConst.js: disable on arm.
2818         * stress/op_urshift-VarVar.js: disable on arm.
2819         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2820         * stress/value-to-boolean.js: disable on arm and mips.
2821
2822 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2823
2824         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2825         https://bugs.webkit.org/show_bug.cgi?id=191108
2826         <rdar://problem/45690700>
2827
2828         Reviewed by Saam Barati.
2829
2830         * stress/wide-op_catch.js: Added.
2831         (catch):
2832
2833 2018-10-29  Mark Lam  <mark.lam@apple.com>
2834
2835         Correctly detect string overflow when using the 'Function' constructor.
2836         https://bugs.webkit.org/show_bug.cgi?id=184883
2837         <rdar://problem/36320331>
2838
2839         Reviewed by Saam Barati.
2840
2841         I've verified that this passes on 32-bit as well.
2842
2843         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2844
2845 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2846
2847         Add support for GetStack FlushedDouble
2848         https://bugs.webkit.org/show_bug.cgi?id=191012
2849         <rdar://problem/45265141>
2850
2851         Reviewed by Saam Barati.
2852
2853         * stress/get-stack-double.js: Added.
2854         (bar):
2855         (noInline):
2856
2857 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2858
2859         New bytecode format for JSC
2860         https://bugs.webkit.org/show_bug.cgi?id=187373
2861         <rdar://problem/44186758>
2862
2863         Reviewed by Filip Pizlo.
2864
2865         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2866
2867         * stress/maximum-inline-capacity.js: Added.
2868         (test1):
2869         (test3.Foo):
2870         (test3):
2871
2872 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2873
2874         Unreviewed, rolling out r237479 and r237484.
2875         https://bugs.webkit.org/show_bug.cgi?id=190978
2876
2877         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2878
2879         Reverted changesets:
2880
2881         "New bytecode format for JSC"
2882         https://bugs.webkit.org/show_bug.cgi?id=187373
2883         https://trac.webkit.org/changeset/237479
2884
2885         "Gardening: Build fix after r237479."
2886         https://bugs.webkit.org/show_bug.cgi?id=187373
2887         https://trac.webkit.org/changeset/237484
2888
2889 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2890
2891         New bytecode format for JSC
2892         https://bugs.webkit.org/show_bug.cgi?id=187373
2893         <rdar://problem/44186758>
2894
2895         Reviewed by Filip Pizlo.
2896
2897         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2898
2899         * stress/maximum-inline-capacity.js: Added.
2900         (test1):
2901         (test3.Foo):
2902         (test3):
2903
2904 2018-10-26  Mark Lam  <mark.lam@apple.com>
2905
2906         Fix missing edge cases with JSGlobalObjects having a bad time.
2907         https://bugs.webkit.org/show_bug.cgi?id=189028
2908         <rdar://problem/45204939>
2909
2910         Reviewed by Saam Barati.
2911
2912         * stress/regress-189028.js: Added.
2913
2914 2018-10-22  Mark Lam  <mark.lam@apple.com>
2915
2916         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2917         https://bugs.webkit.org/show_bug.cgi?id=190515
2918         <rdar://problem/45222379>
2919
2920         Rubber-stamped by Saam Barati.
2921
2922         Adding another test.
2923
2924         * stress/regress-190515-2.js: Added.
2925
2926 2018-10-22  Mark Lam  <mark.lam@apple.com>
2927
2928         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2929         https://bugs.webkit.org/show_bug.cgi?id=190515
2930         <rdar://problem/45222379>
2931
2932         Reviewed by Saam Barati.
2933
2934         * stress/regress-190515.js: Added.
2935
2936 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2937
2938         Unreviewed, rolling out r237254.
2939         https://bugs.webkit.org/show_bug.cgi?id=190760
2940
2941         "It regresses JetStream 2 by 5% on some iOS devices"
2942         (Requested by saamyjoon on #webkit).
2943
2944         Reverted changeset:
2945
2946         "[JSC] JSC should have "parseFunction" to optimize Function
2947         constructor"
2948         https://bugs.webkit.org/show_bug.cgi?id=190340
2949         https://trac.webkit.org/changeset/237254
2950
2951 2018-10-19  Saam Barati  <sbarati@apple.com>
2952
2953         vmCall should check if we exit before emitting an OSR exit due to exceptions
2954         https://bugs.webkit.org/show_bug.cgi?id=190740
2955         <rdar://problem/45220139>
2956
2957         Reviewed by Mark Lam.
2958
2959         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2960         (foo):
2961
2962 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2963
2964         [ESNext][BigInt] Implement support for "^"
2965         https://bugs.webkit.org/show_bug.cgi?id=186235
2966
2967         Reviewed by Yusuke Suzuki.
2968
2969         * stress/big-int-bitwise-xor-general.js: Added.
2970         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2971         * stress/big-int-bitwise-xor-type-error.js: Added.
2972         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2973
2974 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2975
2976         [BigInt] Add ValueSub into DFG
2977         https://bugs.webkit.org/show_bug.cgi?id=186176
2978
2979         Reviewed by Yusuke Suzuki.
2980
2981         * stress/big-int-subtraction-jit.js:
2982         * stress/value-sub-big-int-prediction-propagation.js: Added.
2983         * stress/value-sub-big-int-untyped.js: Added.
2984         * stress/value-sub-spec-none-case.js: Added.
2985
2986 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2987
2988         [JSC] JSC should have "parseFunction" to optimize Function constructor
2989         https://bugs.webkit.org/show_bug.cgi?id=190340
2990
2991         Reviewed by Mark Lam.
2992
2993         This patch fixes the line number of syntax errors raised by the Function constructor,
2994         since we now parse the final code only once. And we no longer use block statement
2995         for Function constructor's parsing.
2996
2997         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2998         * stress/function-cache-with-parameters-end-position.js: Added.
2999         (shouldBe):
3000         (shouldThrow):
3001         (i.anonymous):
3002         * stress/function-constructor-name.js: Added.
3003         (shouldBe):
3004         (GeneratorFunction):
3005         (AsyncFunction.async):
3006         (AsyncGeneratorFunction.async):
3007         (anonymous):
3008         (async.anonymous):
3009         * test262/expectations.yaml:
3010
3011 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3012
3013         Unreviewed, rolling out r237242.
3014         https://bugs.webkit.org/show_bug.cgi?id=190701
3015
3016         it breaks "stress/sampling-profiler-basic.js" (Requested by
3017         caiolima on #webkit).
3018
3019         Reverted changeset:
3020
3021         "[BigInt] Add ValueSub into DFG"
3022         https://bugs.webkit.org/show_bug.cgi?id=186176
3023         https://trac.webkit.org/changeset/237242
3024
3025 2018-10-17  Keith Miller  <keith_miller@apple.com>
3026
3027         AI does not clear Phantom allocation nodes.
3028         https://bugs.webkit.org/show_bug.cgi?id=190694
3029
3030         Reviewed by Saam Barati.
3031
3032         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3033         (Day):
3034         (DaysInYear):
3035         (TimeInYear):
3036         (TimeFromYear):
3037         (DayFromYear):
3038         (InLeapYear):
3039         (YearFromTime):
3040         (WeekDay):
3041         (DaylightSavingTA):
3042         (GetSecondSundayInMarch):
3043         (TimeInMonth):
3044
3045 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3046
3047         [BigInt] Add ValueSub into DFG
3048         https://bugs.webkit.org/show_bug.cgi?id=186176
3049
3050         Reviewed by Yusuke Suzuki.
3051
3052         * stress/big-int-subtraction-jit.js:
3053         * stress/value-sub-big-int-prediction-propagation.js: Added.
3054         * stress/value-sub-big-int-untyped.js: Added.
3055
3056 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3057
3058         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3059         https://bugs.webkit.org/show_bug.cgi?id=190611
3060
3061         Reviewed by Saam Barati.
3062
3063         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3064         to improve test runtime. On ARM/MIPS this test even timed out when running all
3065         tests.
3066
3067         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3068         (test):
3069
3070 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3071
3072         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3073
3074         Unreviewed gardening.
3075
3076         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3077
3078 2018-10-15  Saam barati  <sbarati@apple.com>
3079
3080         Emit fjcvtzs on ARM64E on Darwin
3081         https://bugs.webkit.org/show_bug.cgi?id=184023
3082
3083         Reviewed by Yusuke Suzuki and Filip Pizlo.
3084
3085         * stress/double-to-int32-NaN.js: Added.
3086         (assert):
3087         (foo):
3088
3089 2018-10-15  Saam Barati  <sbarati@apple.com>
3090
3091         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3092         https://bugs.webkit.org/show_bug.cgi?id=190262
3093         <rdar://problem/44986241>
3094
3095         Reviewed by Mark Lam.
3096
3097         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3098         (test):
3099         * stress/slice-array-storage-with-holes.js: Added.
3100         (main):
3101
3102 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3103
3104         Unreviewed, rolling out r237054.
3105         https://bugs.webkit.org/show_bug.cgi?id=190593
3106
3107         "this regressed JetStream 2 by 6% on iOS" (Requested by
3108         saamyjoon on #webkit).
3109
3110         Reverted changeset:
3111
3112         "[JSC] JSC should have "parseFunction" to optimize Function
3113         constructor"
3114         https://bugs.webkit.org/show_bug.cgi?id=190340
3115         https://trac.webkit.org/changeset/237054
3116
3117 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3118
3119         [JSC] JSON.stringify can accept call-with-no-arguments
3120         https://bugs.webkit.org/show_bug.cgi?id=190343
3121
3122         Reviewed by Mark Lam.
3123
3124         * stress/json-stringify-no-arguments.js: Added.
3125         (shouldBe):
3126
3127 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3128
3129         [JSC] JSC should have "parseFunction" to optimize Function constructor
3130         https://bugs.webkit.org/show_bug.cgi?id=190340
3131
3132         Reviewed by Mark Lam.
3133
3134         This patch fixes the line number of syntax errors raised by the Function constructor,
3135         since we now parse the final code only once. And we no longer use block statement
3136         for Function constructor's parsing.
3137
3138         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3139         * stress/function-cache-with-parameters-end-position.js: Added.
3140         (shouldBe):
3141         (shouldThrow):
3142         (i.anonymous):
3143         * stress/function-constructor-name.js: Added.
3144         (shouldBe):
3145         (GeneratorFunction):
3146         (AsyncFunction.async):
3147         (AsyncGeneratorFunction.async):
3148         (anonymous):
3149         (async.anonymous):
3150         * test262/expectations.yaml:
3151
3152 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3153
3154         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3155         https://bugs.webkit.org/show_bug.cgi?id=190426
3156
3157         Unreviewed gardening.
3158
3159         * stress/sampling-profiler-richards.js:
3160
3161 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3162
3163         [ESNext][BigInt] Implement support for "|"
3164         https://bugs.webkit.org/show_bug.cgi?id=186229
3165
3166         Reviewed by Yusuke Suzuki.
3167
3168         * stress/big-int-bitwise-and-jit.js:
3169         * stress/big-int-bitwise-or-general.js: Added.
3170         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3171         * stress/big-int-bitwise-or-jit.js: Added.
3172         * stress/big-int-bitwise-or-memory-stress.js: Added.
3173         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3174         * stress/big-int-bitwise-or-type-error.js: Added.
3175         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3176
3177 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3178
3179         Skip test on systems with limited memory
3180         https://bugs.webkit.org/show_bug.cgi?id=190310
3181
3182         Invoking runDefault adds test to runlist, skipping the test in the next
3183         line does not prevent the test from executing. Change order of lines such
3184         that runDefault is only executed if test is not executed.
3185
3186         Reviewed by Mark Lam.
3187
3188         * stress/regress-190187.js:
3189
3190 2018-10-03  Saam barati  <sbarati@apple.com>
3191
3192         lowXYZ in FTLLower should always filter the type of the incoming edge
3193         https://bugs.webkit.org/show_bug.cgi?id=189939
3194         <rdar://problem/44407030>
3195
3196         Reviewed by Michael Saboff.
3197
3198         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3199         (foo):
3200         (test):
3201
3202 2018-10-03  Mark Lam  <mark.lam@apple.com>
3203
3204         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3205         https://bugs.webkit.org/show_bug.cgi?id=190187
3206         <rdar://problem/42512909>
3207
3208         Reviewed by Michael Saboff.
3209
3210         * stress/regress-190187.js: Added.
3211
3212 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3213
3214         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3215         https://bugs.webkit.org/show_bug.cgi?id=190033
3216
3217         Reviewed by Yusuke Suzuki.
3218
3219         * stress/big-int-to-string.js:
3220
3221 2018-10-01  Mark Lam  <mark.lam@apple.com>
3222
3223         Function.toString() should also copy the source code Functions that are class definitions.
3224         https://bugs.webkit.org/show_bug.cgi?id=190186
3225         <rdar://problem/44733360>
3226
3227         Reviewed by Saam Barati.
3228
3229         * stress/regress-190186.js: Added.
3230
3231 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3232
3233         Split NaN-check into separate test
3234         https://bugs.webkit.org/show_bug.cgi?id=190010
3235
3236         Reviewed by Saam Barati.
3237
3238         DataView exposes NaN-representation, which is not necessarily the same on each
3239         architecture. Therefore move the check of the NaN-representation into its own
3240         file such that we can disable this test on MIPS where NaN-representation can be
3241         different on older CPUs.
3242
3243         * stress/dataview-jit-set-nan.js: Added.
3244         (assert):
3245         (test.storeLittleEndian):
3246         (test.storeBigEndian):
3247         (test.store):
3248         (test):
3249         * stress/dataview-jit-set.js:
3250         (test5):
3251
3252 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3253
3254         Unreviewed, rolling out r236647.
3255         https://bugs.webkit.org/show_bug.cgi?id=190124
3256
3257         Breaking test stress/big-int-to-string.js (Requested by
3258         caiolima_ on #webkit).
3259
3260         Reverted changeset:
3261
3262         "[BigInt] BigInt.prototype.toString is broken when radix is
3263         power of 2"
3264         https://bugs.webkit.org/show_bug.cgi?id=190033
3265         https://trac.webkit.org/changeset/236647
3266
3267 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3268
3269         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3270         https://bugs.webkit.org/show_bug.cgi?id=190033
3271
3272         Reviewed by Yusuke Suzuki.
3273
3274         * stress/big-int-to-string.js:
3275
3276 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3277
3278         [ESNext][BigInt] Implement support for "&"
3279         https://bugs.webkit.org/show_bug.cgi?id=186228
3280
3281         Reviewed by Yusuke Suzuki.
3282
3283         * stress/big-int-bitwise-and-general.js: Added.
3284         (assert):
3285         (assert.sameValue):
3286         * stress/big-int-bitwise-and-jit.js: Added.
3287         (let.assert.sameValue):
3288         (bigIntBitAnd):
3289         * stress/big-int-bitwise-and-memory-stress.js: Added.
3290         (assert):
3291         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3292         (assert.sameValue):
3293         (let.o.Symbol.toPrimitive):
3294         (catch):
3295         * stress/big-int-bitwise-and-type-error.js: Added.
3296         (assert):
3297         (assertThrowTypeError):
3298         (let.o.valueOf):
3299         (o.valueOf):
3300         (o.toString):
3301         (o.Symbol.toPrimitive):
3302         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3303         (assert.sameValue):
3304         (testBitAnd):
3305         (let.o.Symbol.toPrimitive):
3306         (o.valueOf):
3307         (o.toString):
3308
3309 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3310
3311         JSC test stress/jsc-read.js doesn't support CRLF
3312         https://bugs.webkit.org/show_bug.cgi?id=190063
3313
3314         Reviewed by Yusuke Suzuki.
3315
3316         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3317
3318         * stress/jsc-read.js:
3319         (test):
3320
3321 2018-09-27  Saam barati  <sbarati@apple.com>
3322
3323         Verify the contents of AssemblerBuffer on arm64e
3324         https://bugs.webkit.org/show_bug.cgi?id=190057
3325         <rdar://problem/38916630>
3326
3327         Reviewed by Mark Lam.
3328
3329         * stress/regress-189132.js:
3330
3331 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3332
3333         Disable test without LLInt on ARMv7
3334         https://bugs.webkit.org/show_bug.cgi?id=190037
3335
3336         Reviewed by Mark Lam.
3337
3338         Test runs out of executable memory on ARMv7, do not run
3339         this test without LLInt enabled.
3340
3341         * stress/regress-169445.js:
3342
3343 2018-09-26  Keith Miller  <keith_miller@apple.com>
3344
3345         We should zero unused property storage when rebalancing array storage.
3346         https://bugs.webkit.org/show_bug.cgi?id=188151
3347
3348         Reviewed by Michael Saboff.
3349
3350         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3351
3352 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3353
3354         [JSC] Optimize Array#lastIndexOf
3355         https://bugs.webkit.org/show_bug.cgi?id=189780
3356
3357         Reviewed by Saam Barati.
3358
3359         * stress/array-lastindexof-array-prototype-trap.js: Added.
3360         (shouldBe):
3361         (AncestorArray.prototype.get 2):
3362         (AncestorArray):
3363         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3364         (shouldBe):
3365         * stress/array-lastindexof-hole-nan.js: Added.
3366         (shouldBe):
3367         (throw.new.Error):
3368         * stress/array-lastindexof-infinity.js: Added.
3369         (shouldBe):
3370         (throw.new.Error):
3371         * stress/array-lastindexof-negative-zero.js: Added.
3372         (shouldBe):
3373         (throw.new.Error):
3374         * stress/array-lastindexof-own-getter.js: Added.
3375         (shouldBe):
3376         (throw.new.Error.get array):
3377         (get array):
3378         * stress/array-lastindexof-prototype-trap.js: Added.
3379         (shouldBe):
3380         (DerivedArray.prototype.get 2):
3381         (DerivedArray):
3382
3383 2018-09-25  Saam Barati  <sbarati@apple.com>
3384
3385         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3386         https://bugs.webkit.org/show_bug.cgi?id=189940
3387         <rdar://problem/43640987>
3388
3389         Reviewed by Mark Lam.
3390
3391         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3392
3393 2018-09-24  Saam Barati  <sbarati@apple.com>
3394
3395         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3396         https://bugs.webkit.org/show_bug.cgi?id=189922
3397         <rdar://problem/44651275>
3398
3399         Reviewed by Mark Lam.
3400
3401         * stress/array-indexof-fast-path-effects.js: Added.
3402         * stress/array-indexof-cached-length.js: Added.
3403
3404 2018-09-24  Saam Barati  <sbarati@apple.com>
3405
3406         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3407         https://bugs.webkit.org/show_bug.cgi?id=189682
3408         <rdar://problem/43557315>
3409
3410         Reviewed by Mark Lam.
3411
3412         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3413         (foo):
3414
3415 2018-09-22  Saam Barati  <sbarati@apple.com>
3416
3417         The sampling should not use Strong<CodeBlock> in its machineLocation field
3418         https://bugs.webkit.org/show_bug.cgi?id=189319
3419
3420         Reviewed by Filip Pizlo.
3421
3422         * stress/sampling-profiler-richards.js: Added.
3423
3424 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3425
3426         [JSC] Optimize Array#indexOf in C++ runtime
3427         https://bugs.webkit.org/show_bug.cgi?id=189507
3428
3429         Reviewed by Saam Barati.
3430
3431         * stress/array-indexof-array-prototype-trap.js: Added.
3432         (shouldBe):
3433         (AncestorArray.prototype.get 2):
3434         (AncestorArray):
3435         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3436         (shouldBe):
3437         * stress/array-indexof-hole-nan.js: Added.
3438         (shouldBe):
3439         (throw.new.Error):
3440         * stress/array-indexof-infinity.js: Added.
3441         (shouldBe):
3442         (throw.new.Error):
3443         * stress/array-indexof-negative-zero.js: Added.
3444         (shouldBe):
3445         (throw.new.Error):
3446         * stress/array-indexof-own-getter.js: Added.
3447         (shouldBe):
3448         (throw.new.Error.get array):
3449         (get array):
3450         * stress/array-indexof-prototype-trap.js: Added.
3451         (shouldBe):
3452         (DerivedArray.prototype.get 2):
3453         (DerivedArray):
3454
3455 2018-09-19  Saam Barati  <sbarati@apple.com>
3456
3457         AI rule for MultiPutByOffset executes its effects in the wrong order
3458         https://bugs.webkit.org/show_bug.cgi?id=189757
3459         <rdar://problem/43535257>
3460
3461         Reviewed by Michael Saboff.
3462
3463         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3464         (foo):
3465         (Foo):
3466         (g):
3467
3468 2018-09-17  Mark Lam  <mark.lam@apple.com>
3469
3470         Ensure that ForInContexts are invalidated if their loop local is over-written.
3471         https://bugs.webkit.org/show_bug.cgi?id=189571
3472         <rdar://problem/44402277>
3473
3474         Reviewed by Saam Barati.
3475
3476         * stress/regress-189571.js: Added.
3477
3478 2018-09-17  Saam Barati  <sbarati@apple.com>
3479
3480         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3481         https://bugs.webkit.org/show_bug.cgi?id=189676
3482         <rdar://problem/39682897>
3483
3484         Reviewed by Michael Saboff.
3485
3486         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3487         (A):
3488         (K):
3489         (i.catch):
3490
3491 2018-09-14  Saam Barati  <sbarati@apple.com>
3492
3493         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3494         https://bugs.webkit.org/show_bug.cgi?id=189628
3495         <rdar://problem/39481690>
3496
3497         Reviewed by Mark Lam.
3498
3499         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3500         (foo):
3501
3502 2018-09-11  Mark Lam  <mark.lam@apple.com>
3503
3504         Test for array initialization in arrayProtoFuncSplice.
3505         https://bugs.webkit.org/show_bug.cgi?id=170253
3506         <rdar://problem/31328773>
3507
3508         Rubber-stamped by Saam Barati.
3509
3510         * stress/regress-170253.js: Added.
3511
3512 2018-09-11  Mark Lam  <mark.lam@apple.com>
3513
3514         Test for IntlObject initialization.
3515         https://bugs.webkit.org/show_bug.cgi?id=170251
3516         <rdar://problem/31328419>
3517
3518         Rubber-stamped by Saam Barati.
3519
3520         * stress/regress-170251.js: Added.
3521
3522 2018-09-11  Mark Lam  <mark.lam@apple.com>
3523
3524         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3525         https://bugs.webkit.org/show_bug.cgi?id=169889
3526         <rdar://problem/31155607>
3527
3528         Reviewed by Saam Barati.
3529
3530         * stress/regress-169889-array-concat.js: Added.
3531         * stress/regress-169889-array-concat1.js: Added.
3532         * stress/regress-169889-array-slice.js: Added.
3533
3534 2018-09-11  Mark Lam  <mark.lam@apple.com>
3535
3536         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3537         https://bugs.webkit.org/show_bug.cgi?id=169445
3538         <rdar://problem/30957435>
3539
3540         Reviewed by Saam Barati.
3541
3542         * stress/regress-169445.js: Added.
3543         (let.gun.eval.A):
3544         (let.gun.eval.B.C):
3545         (let.gun.eval.B.C.prototype.trigger):
3546         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3547         (let.gun.eval.B):
3548         (let.gun.eval):
3549
3550 == Rolled over to ChangeLog-2018-09-11 ==