[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-15  Saam barati  <sbarati@apple.com>
2
3         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
4         https://bugs.webkit.org/show_bug.cgi?id=196945
5         <rdar://problem/49802750>
6
7         Reviewed by Filip Pizlo.
8
9         * stress/get-by-offset-should-use-correct-child.js: Added.
10         (foo.bar):
11         (foo):
12
13 2019-04-15  Robin Morisset  <rmorisset@apple.com>
14
15         DFG should be able to constant fold Object.create() with a constant prototype operand
16         https://bugs.webkit.org/show_bug.cgi?id=196886
17
18         Reviewed by Yusuke Suzuki.
19
20         Note that this new benchmark does not currently see a speedup with inlining removed.
21         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
22
23         * microbenchmarks/object-create-constant-prototype.js: Added.
24         (test):
25
26 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
27
28         Incremental bytecode cache should not append function updates when loaded from memory
29         https://bugs.webkit.org/show_bug.cgi?id=196865
30
31         Reviewed by Filip Pizlo.
32
33         * stress/bytecode-cache-shared-code-block.js: Added.
34         (b):
35         (program):
36
37 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
38
39         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
40         https://bugs.webkit.org/show_bug.cgi?id=196880
41
42         Reviewed by Yusuke Suzuki.
43
44         * stress/bytecode-cache-syntax-error.js: Added.
45         (catch):
46
47 2019-04-12  Saam barati  <sbarati@apple.com>
48
49         r244079 logically broke shouldSpeculateInt52
50         https://bugs.webkit.org/show_bug.cgi?id=196884
51
52         Reviewed by Yusuke Suzuki.
53
54         * microbenchmarks/int52-rand-function.js: Added.
55         (Math.random):
56
57 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
58
59         [JSC] op_has_indexed_property should not assume subscript part is Uint32
60         https://bugs.webkit.org/show_bug.cgi?id=196850
61
62         Reviewed by Saam Barati.
63
64         * stress/has-indexed-property-should-accept-non-int32.js: Added.
65         (foo):
66
67 2019-04-11  Saam barati  <sbarati@apple.com>
68
69         Remove invalid assertion in operationInstanceOfCustom
70         https://bugs.webkit.org/show_bug.cgi?id=196842
71         <rdar://problem/49725493>
72
73         Reviewed by Michael Saboff.
74
75         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
76
77 2019-04-10  Saam Barati  <sbarati@apple.com>
78
79         AbstractValue::validateOSREntryValue is wrong for Int52 constants
80         https://bugs.webkit.org/show_bug.cgi?id=196801
81         <rdar://problem/49771122>
82
83         Reviewed by Yusuke Suzuki.
84
85         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
86
87 2019-04-10  Robin Morisset  <rmorisset@apple.com>
88
89         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
90         https://bugs.webkit.org/show_bug.cgi?id=196746
91
92         Reviewed by Yusuke Suzuki.
93
94         * stress/cyclic-define-properties.js: Added.
95         (foo):
96
97 2019-04-09  Saam barati  <sbarati@apple.com>
98
99         Clean up Int52 code and some bugs in it
100         https://bugs.webkit.org/show_bug.cgi?id=196639
101         <rdar://problem/49515757>
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
106
107 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
108
109         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
110         https://bugs.webkit.org/show_bug.cgi?id=196708
111         <rdar://problem/49556803>
112
113         Reviewed by Yusuke Suzuki.
114
115         * stress/proxy-getter-stack-overflow.js: Added.
116         (const.handler.get target):
117         (const.handler.has):
118         (try.with):
119         (catch):
120
121 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
122
123         [JSC] DFG should respect node's strict flag
124         https://bugs.webkit.org/show_bug.cgi?id=196617
125
126         Reviewed by Saam Barati.
127
128         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
129         (shouldEqual):
130         (makeUnwriteableUnconfigurableObject):
131         (runTest):
132         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
133         (shouldBe):
134         (shouldThrow):
135         (with.result):
136         (with.putValueStrict):
137         (with.putValueSloppy):
138
139 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
140
141         [JSC] isRope jump in StringSlice should not jump over register allocations
142         https://bugs.webkit.org/show_bug.cgi?id=196716
143
144         Reviewed by Saam Barati.
145
146         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
147         (foo.bar):
148         (foo):
149
150 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
151
152         [JSC] to_index_string should not assume incoming value is Uint32
153         https://bugs.webkit.org/show_bug.cgi?id=196713
154
155         Reviewed by Saam Barati.
156
157         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
158         (foo):
159
160 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
161
162         [JSC] Add more tests for r243966
163         https://bugs.webkit.org/show_bug.cgi?id=196711
164
165         Reviewed by Saam Barati.
166
167         Adding one more test for r243966 fix. The added test will not crash after r243966.
168
169         * stress/stress-cleared-calllinkinfo.js: Added.
170         (runNearStackLimit.t):
171         (runNearStackLimit):
172         (repeat):
173         (cls):
174         (let.item.of.array.runNearStackLimit):
175
176 2019-04-08  Saam Barati  <sbarati@apple.com>
177
178         WebAssembly.RuntimeError missing exception check
179         https://bugs.webkit.org/show_bug.cgi?id=196700
180         <rdar://problem/49693932>
181
182         Reviewed by Yusuke Suzuki.
183
184         * wasm/js-api/runtime-error-should-exception-check.js: Added.
185
186 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
187
188         Unreviewed, rolling in r243948 with test fix
189         https://bugs.webkit.org/show_bug.cgi?id=196486
190
191         * stress/arrow-function-and-use-strict-directive.js: Added.
192         * stress/arrow-function-syntax.js: Added.
193         (checkSyntax):
194         (checkSyntaxError):
195
196 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
197
198         Unreviewed, rolling out r243948.
199
200         Caused inspector/runtime/parse.html to fail
201
202         Reverted changeset:
203
204         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
205         https://bugs.webkit.org/show_bug.cgi?id=196486
206         https://trac.webkit.org/changeset/243948
207
208 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
209
210         Unreviewed, rolling out r243943.
211
212         Caused test262 failures.
213
214         Reverted changeset:
215
216         "[JSC] Filter DontEnum properties in
217         ProxyObject::getOwnPropertyNames()"
218         https://bugs.webkit.org/show_bug.cgi?id=176810
219         https://trac.webkit.org/changeset/243943
220
221 2019-04-07  Michael Saboff  <msaboff@apple.com>
222
223         REGRESSION (r243642): Crash in reddit.com page
224         https://bugs.webkit.org/show_bug.cgi?id=196684
225
226         Reviewed by Geoffrey Garen.
227
228         New regression test.
229
230         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
231
232 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
233
234         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
235         https://bugs.webkit.org/show_bug.cgi?id=196683
236
237         Reviewed by Saam Barati.
238
239         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
240         (foo):
241
242 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
243
244         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
245         https://bugs.webkit.org/show_bug.cgi?id=196582
246
247         Reviewed by Saam Barati.
248
249         * stress/add-overflow-check-with-three-same-registers.js: Added.
250         (foo):
251         (Number.prototype.valueOf):
252         (runWithNumber):
253
254 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
255
256         Unreviewed, rolling out r243665.
257
258         Caused iOS JSC tests to exit with an exception.
259
260         Reverted changeset:
261
262         "Assertion failed in JSC::createError"
263         https://bugs.webkit.org/show_bug.cgi?id=196305
264         https://trac.webkit.org/changeset/243665
265
266 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
267
268         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
269         https://bugs.webkit.org/show_bug.cgi?id=196486
270
271         Reviewed by Saam Barati.
272
273         * stress/arrow-function-and-use-strict-directive.js: Added.
274         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
275         (checkSyntax):
276         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
277
278 2019-04-05  Caitlin Potter  <caitp@igalia.com>
279
280         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
281         https://bugs.webkit.org/show_bug.cgi?id=176810
282
283         Reviewed by Saam Barati.
284
285         Add tests for the DontEnum filtering, and variations of other tests
286         take the DontEnum-filtering path.
287
288         * stress/proxy-own-keys.js:
289         (i.catch):
290         (set assert):
291         (set add):
292         (let.set new):
293         (get let):
294
295 2019-04-05  Caitlin Potter  <caitp@igalia.com>
296
297         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
298         https://bugs.webkit.org/show_bug.cgi?id=185211
299
300         Reviewed by Saam Barati.
301
302         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
303
304         This changes several assertions to expect a TypeError to be thrown (in some cases,
305         changing the expected message).
306
307         * es6/Proxy_ownKeys_duplicates.js:
308         (handler):
309         (shouldThrow):
310         (test):
311         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
312         (shouldThrow):
313         * stress/proxy-own-keys.js:
314         (i.catch):
315         (assert):
316
317 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
318
319         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
320         https://bugs.webkit.org/show_bug.cgi?id=196631
321
322         Reviewed by Saam Barati.
323
324         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
325         (assert):
326         (test):
327         (foo):
328
329 2019-04-04  Saam Barati  <sbarati@apple.com>
330
331         Unreviewed. Make the test from r243906 catch the thrown exceptions.
332
333         * stress/inferred-types-regex-matches-array.js:
334
335 2019-04-04  Saam Barati  <sbarati@apple.com>
336
337         createRegExpMatchesArray does not respect inferred types
338         https://bugs.webkit.org/show_bug.cgi?id=193287
339
340         Reviewed by Yusuke Suzuki.
341
342         This checks in the test case for 193287. This issue was discovered by
343         Samuel Groß of Google Project Zero.
344
345         * stress/inferred-types-regex-matches-array.js: Added.
346
347 2019-04-04  Saam barati  <sbarati@apple.com>
348
349         Teach Call ICs how to call Wasm
350         https://bugs.webkit.org/show_bug.cgi?id=196387
351
352         Reviewed by Filip Pizlo.
353
354         * wasm/function-tests/stack-trace.js:
355
356 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
357
358         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
359         https://bugs.webkit.org/show_bug.cgi?id=194944
360
361         Reviewed by Keith Miller.
362
363         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
364
365 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
366
367         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
368         https://bugs.webkit.org/show_bug.cgi?id=196409
369
370         Reviewed by Saam Barati.
371
372         * stress/bytecode-cache-cached-string-impl.js: Added.
373         (f):
374         (g):
375         * stress/bytecode-cache-run-string.js: Added.
376
377 2019-04-03  Robin Morisset  <rmorisset@apple.com>
378
379         B3 should use associativity to optimize expression trees
380         https://bugs.webkit.org/show_bug.cgi?id=194081
381
382         Reviewed by Filip Pizlo.
383
384         Added three microbenchmarks:
385         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
386         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
387           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
388         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
389
390         * microbenchmarks/add-tree.js: Added.
391         * microbenchmarks/bit-or-tree.js: Added.
392         * microbenchmarks/bit-xor-tree.js: Added.
393
394 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
395
396         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
397         https://bugs.webkit.org/show_bug.cgi?id=196574
398
399         Reviewed by Saam Barati.
400
401         * stress/string-index-of-exception-check.js: Added.
402         (blurType):
403         (1.forEach):
404
405 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
406
407         Assertion failed in JSC::createError
408         https://bugs.webkit.org/show_bug.cgi?id=196305
409         <rdar://problem/49387382>
410
411         Reviewed by Saam Barati.
412
413         * stress/create-error-out-of-memory-rope-string-2.js: Added.
414         (assert):
415         (catch):
416
417 2019-03-28  Saam Barati  <sbarati@apple.com>
418
419         BackwardsGraph needs to consider back edges as the backward's root successor
420         https://bugs.webkit.org/show_bug.cgi?id=195991
421
422         Reviewed by Filip Pizlo.
423
424         * stress/map-b3-licm-infinite-loop.js: Added.
425
426 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
427
428         CodeBlock::jettison() should disallow repatching its own calls
429         https://bugs.webkit.org/show_bug.cgi?id=196359
430         <rdar://problem/48973663>
431
432         Reviewed by Saam Barati.
433
434         * stress/call-link-info-osrexit-repatch.js: Added.
435         (foo):
436
437 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
438
439         [JSC] imports-oom.js intermittently fails
440         https://bugs.webkit.org/show_bug.cgi?id=196373
441
442         Reviewed by Saam Barati.
443
444         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
445         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
446         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
447         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
448         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
449
450         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
451         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
452
453         * wasm/lowExecutableMemory/imports-oom.js:
454
455 2019-03-27  Saam Barati  <sbarati@apple.com>
456
457         validateOSREntryValue with Int52 should box the value being checked into double format
458         https://bugs.webkit.org/show_bug.cgi?id=196313
459         <rdar://problem/49306703>
460
461         Reviewed by Yusuke Suzuki.
462
463         * stress/validate-int-52-ai-state.js: Added.
464
465 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
466
467         [JSC] Owner of watchpoints should validate at GC finalizing phase
468         https://bugs.webkit.org/show_bug.cgi?id=195827
469
470         Reviewed by Filip Pizlo.
471
472         * stress/gc-should-reap-dead-watchpoints.js: Added.
473         (foo):
474         (A.prototype.y):
475         (A):
476
477 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
478
479         Skip WebAssembly test on 32-bit systems
480         https://bugs.webkit.org/show_bug.cgi?id=196206
481
482         Reviewed by Saam Barati.
483
484         Invoking runDefault executes test immediately even though
485         that test should be skipped due to missing WASM support.
486         Therefore remove runDefault.
487
488         * wasm/regress/web-assembly-link-error-exception-check.js:
489
490 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
491
492         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
493         https://bugs.webkit.org/show_bug.cgi?id=196217
494
495         Reviewed by Saam Barati.
496
497         Re-enable all NaN tests for f32.min, f64.min and f64.max.
498
499         * wasm/spec-tests/f32.wast.js:
500         * wasm/spec-tests/f64.wast.js:
501         * wasm/wasm.json:
502
503 2019-03-25  Keith Miller  <keith_miller@apple.com>
504
505         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
506         https://bugs.webkit.org/show_bug.cgi?id=196176
507
508         Reviewed by Saam Barati.
509
510         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
511         (main.v10):
512         (main):
513
514 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
515
516         WebAssembly: f32.max with NaN generates incorrect result
517         https://bugs.webkit.org/show_bug.cgi?id=175691
518         <rdar://problem/33952228>
519
520         Reviewed by Saam Barati.
521
522         Enable all f32.max NaN tests
523
524         * wasm/spec-tests/f32.wast.js:
525         * wasm/wasm.json:
526
527 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
528
529         [JSC] Move test into directory for WASM tests
530         https://bugs.webkit.org/show_bug.cgi?id=196187
531
532         Reviewed by Mark Lam.
533
534         Move Test into wasm-directory. Otherwise this test
535         is also executed on systems without WASM support.
536
537         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
538
539 2019-03-23  Mark Lam  <mark.lam@apple.com>
540
541         Rolling out r243032 and r243071 because the fix is incorrect.
542         https://bugs.webkit.org/show_bug.cgi?id=195892
543         <rdar://problem/48981239>
544
545         Not reviewed.
546
547         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
548
549 2019-03-22  Mark Lam  <mark.lam@apple.com>
550
551         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
552         https://bugs.webkit.org/show_bug.cgi?id=196154
553         <rdar://problem/49145307>
554
555         Reviewed by Filip Pizlo.
556
557         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
558         There's no need to run this test on more than 1 test configuration.
559
560         * stress/typed-array-lastIndexOf-exception-check.js: Added.
561         * stress/web-assembly-link-error-exception-check.js:
562
563 2019-03-22  Mark Lam  <mark.lam@apple.com>
564
565         Placate exception check validation in constructJSWebAssemblyLinkError().
566         https://bugs.webkit.org/show_bug.cgi?id=196152
567         <rdar://problem/49145257>
568
569         Reviewed by Michael Saboff.
570
571         * stress/web-assembly-link-error-exception-check.js: Added.
572
573 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
574
575         Skip tests running out of memory on ARM/MIPS
576         https://bugs.webkit.org/show_bug.cgi?id=196131
577
578         Unreviewed. Skip test if memory is limited.
579
580         * microbenchmarks/put-by-val-direct-large-index.js:
581
582 2019-03-21  Mark Lam  <mark.lam@apple.com>
583
584         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
585         https://bugs.webkit.org/show_bug.cgi?id=196116
586         <rdar://problem/48976951>
587
588         Reviewed by Filip Pizlo.
589
590         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
591
592 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
593
594         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
595         https://bugs.webkit.org/show_bug.cgi?id=196078
596         <rdar://problem/35925380>
597
598         Reviewed by Mark Lam.
599
600         Add a new benchmark that allocates several objects and invokes put_by_val_direct
601         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
602
603         * microbenchmarks/put-by-val-direct-large-index.js: Added.
604
605 2019-03-21  Mark Lam  <mark.lam@apple.com>
606
607         Placate exception check validation in operationArrayIndexOfString().
608         https://bugs.webkit.org/show_bug.cgi?id=196067
609         <rdar://problem/49056572>
610
611         Reviewed by Michael Saboff.
612
613         * stress/string-equal-exception-check.js: Added.
614
615 2019-03-21  Mark Lam  <mark.lam@apple.com>
616
617         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
618         https://bugs.webkit.org/show_bug.cgi?id=196055
619         <rdar://problem/49067448>
620
621         Reviewed by Yusuke Suzuki.
622
623         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
624
625 2019-03-20  Saam Barati  <sbarati@apple.com>
626
627         typeOfDoubleSum is wrong for when NaN can be produced
628         https://bugs.webkit.org/show_bug.cgi?id=196030
629
630         Reviewed by Filip Pizlo.
631
632         * stress/double-add-sub-mul-can-produce-nan.js: Added.
633         (assert):
634         (noInline.sub):
635         (noInline):
636         (assert.mul):
637         (assert.add):
638
639 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
640
641         Update the test to ensure OutOfMemoryError is thrown as intended
642         https://bugs.webkit.org/show_bug.cgi?id=196032
643         <rdar://problem/46842740>
644
645         Rubber stamped by Saam Barati.
646
647         * stress/create-error-out-of-memory-rope-string.js:
648         (assert):
649         (catch):
650
651 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
652
653         JSC::createError needs to check for OOM in errorDescriptionForValue
654         https://bugs.webkit.org/show_bug.cgi?id=196032
655         <rdar://problem/46842740>
656
657         Reviewed by Mark Lam.
658
659         * stress/create-error-out-of-memory-rope-string.js: Added.
660
661 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
662
663         Unreviewed, reduce # of iterations to avoid timing out after r242991
664         https://bugs.webkit.org/show_bug.cgi?id=195791
665
666         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
667
668         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
669
670 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
671
672         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
673         https://bugs.webkit.org/show_bug.cgi?id=195950
674
675         Unreviewed, reducing the amount of memory used on this test to avoid
676         OOM on devices with memory restrictions.
677
678         * microbenchmarks/generate-multiple-llint-entrypoints.js:
679
680 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
681
682         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
683         https://bugs.webkit.org/show_bug.cgi?id=194648
684
685         Reviewed by Keith Miller.
686
687         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
688
689 2019-03-18  Mark Lam  <mark.lam@apple.com>
690
691         Missing a ThrowScope release in JSObject::toString().
692         https://bugs.webkit.org/show_bug.cgi?id=195893
693         <rdar://problem/48970986>
694
695         Reviewed by Michael Saboff.
696
697         * stress/to-string-exception-check-release.js: Added.
698
699 2019-03-18  Mark Lam  <mark.lam@apple.com>
700
701         Structure::flattenDictionary() should clear unused property slots.
702         https://bugs.webkit.org/show_bug.cgi?id=195871
703         <rdar://problem/48959497>
704
705         Reviewed by Michael Saboff.
706
707         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
708
709 2019-03-15  Mark Lam  <mark.lam@apple.com>
710
711         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
712         https://bugs.webkit.org/show_bug.cgi?id=195827
713         <rdar://problem/48845513>
714
715         Reviewed by Filip Pizlo.
716
717         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
718
719 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
720
721         [ARM,MIPS] Skip slow tests
722         https://bugs.webkit.org/show_bug.cgi?id=195799
723
724         Unreviewed, test does not finish on ARM and MIPS within the
725         timeout limit.
726
727         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
728
729 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
730
731         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
732         https://bugs.webkit.org/show_bug.cgi?id=195791
733         <rdar://problem/48806130>
734
735         Reviewed by Mark Lam.
736
737         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
738         (foo):
739
740 2019-03-14  Saam barati  <sbarati@apple.com>
741
742         We can't remove code after ForceOSRExit until after FixupPhase
743         https://bugs.webkit.org/show_bug.cgi?id=186916
744         <rdar://problem/41396612>
745
746         Reviewed by Yusuke Suzuki.
747
748         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
749         (foo):
750         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
751         (foo):
752
753 2019-03-13  Michael Saboff  <msaboff@apple.com>
754
755         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
756         https://bugs.webkit.org/show_bug.cgi?id=195735
757
758         Reviewed by Mark Lam.
759
760         New regression test.
761
762         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
763         (foo):
764         (bar):
765
766 2019-03-14  Saam barati  <sbarati@apple.com>
767
768         Fixup uses KnownInt32 incorrectly in some nodes
769         https://bugs.webkit.org/show_bug.cgi?id=195279
770         <rdar://problem/47915654>
771
772         Reviewed by Yusuke Suzuki.
773
774         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
775         (foo):
776
777 2019-03-14  Keith Miller  <keith_miller@apple.com>
778
779         DFG liveness can't skip tail caller inline frames
780         https://bugs.webkit.org/show_bug.cgi?id=195715
781
782         Reviewed by Saam Barati.
783
784         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
785         (i.foo):
786
787 2019-03-13  Mark Lam  <mark.lam@apple.com>
788
789         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
790         https://bugs.webkit.org/show_bug.cgi?id=195415
791
792         Not reviewed.
793
794         Changed these tests to only run the default configuration.
795         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
796         There's no strong need to run this test on that variant.
797
798         * stress/dfg-to-string-on-int-does-gc.js:
799         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
800
801 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
802
803         String overflow when using StringBuilder in JSC::createError
804         https://bugs.webkit.org/show_bug.cgi?id=194957
805
806         Reviewed by Mark Lam.
807
808         Add test string-overflow-createError-builder.js that overflows
809         StringBuilder in notAFunctionSourceAppender. The second new test
810         string-overflow-createError-fit.js has an error message that doesn't
811         overflow, it still failed since the String's capacity can't be doubled.
812         Run test string-overflow-createError.js only in the default
813         configuration to reduce memory consumption when running the test
814         in all configurations on multiple CPUs in parallel.
815
816         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
817         (catch):
818         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
819         (catch):
820         * stress/string-overflow-createError.js:
821
822 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
823
824         [JSC] OSR entry should respect abstract values in addition to flush formats
825         https://bugs.webkit.org/show_bug.cgi?id=195653
826
827         Reviewed by Mark Lam.
828
829         * stress/osr-entry-locals-none.js: Added.
830
831 2019-03-12  Michael Saboff  <msaboff@apple.com>
832
833         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
834         https://bugs.webkit.org/show_bug.cgi?id=195613
835
836         Reviewed by Mark Lam.
837
838         New regression test.
839
840         * stress/regexp-backref-inbounds.js: Added.
841         (testRegExp):
842
843 2019-03-12  Mark Lam  <mark.lam@apple.com>
844
845         The HasIndexedProperty node does GC.
846         https://bugs.webkit.org/show_bug.cgi?id=195559
847         <rdar://problem/48767923>
848
849         Reviewed by Yusuke Suzuki.
850
851         * stress/HasIndexedProperty-does-gc.js: Added.
852
853 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
854
855         [ESNext][BigInt] Implement "~" unary operation
856         https://bugs.webkit.org/show_bug.cgi?id=182216
857
858         Reviewed by Keith Miller.
859
860         * stress/big-int-bit-not-general.js: Added.
861         * stress/big-int-bitwise-not-jit.js: Added.
862         * stress/big-int-bitwise-not-wrapped-value.js: Added.
863         * stress/bit-op-with-object-returning-int32.js:
864         * stress/bitwise-not-fixup-rules.js: Added.
865         * stress/value-bit-not-ai-rule.js: Added.
866
867 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
868
869         Invalid flags in a RegExp literal should be an early SyntaxError
870         https://bugs.webkit.org/show_bug.cgi?id=195514
871
872         Reviewed by Darin Adler.
873
874         * test262/expectations.yaml:
875         Mark 4 test cases as passing.
876
877         * stress/regexp-syntax-error-invalid-flags.js:
878         * stress/regress-161995.js: Removed.
879         Update existing test, merging in an older test for the same behavior.
880
881 2019-03-08  Mark Lam  <mark.lam@apple.com>
882
883         Stack overflow crash in JSC::JSObject::hasInstance.
884         https://bugs.webkit.org/show_bug.cgi?id=195458
885         <rdar://problem/48710195>
886
887         Reviewed by Yusuke Suzuki.
888
889         * stress/stack-overflow-in-custom-hasInstance.js: Added.
890
891 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
892
893         op_check_tdz does not def its argument
894         https://bugs.webkit.org/show_bug.cgi?id=192880
895         <rdar://problem/46221598>
896
897         Reviewed by Saam Barati.
898
899         * microbenchmarks/let-for-in.js: Added.
900         (foo):
901
902 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
903
904         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
905         https://bugs.webkit.org/show_bug.cgi?id=195429
906
907         Reviewed by Saam Barati.
908
909         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
910         (foo):
911         * stress/string-from-char-code-255.js: Added.
912
913 2019-03-06  Mark Lam  <mark.lam@apple.com>
914
915         Fix incorrect handling of try-finally completion values.
916         https://bugs.webkit.org/show_bug.cgi?id=195131
917         <rdar://problem/46222079>
918
919         Reviewed by Saam Barati and Yusuke Suzuki.
920
921         Added many permutations of new test case to test-finally.js.  test-finally.js has
922         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
923         tests pass there as well.
924
925         * stress/test-finally.js:
926
927 2019-03-06  Saam Barati  <sbarati@apple.com>
928
929         Air::reportUsedRegisters must padInterference
930         https://bugs.webkit.org/show_bug.cgi?id=195303
931         <rdar://problem/48270343>
932
933         Reviewed by Keith Miller.
934
935         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
936
937 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
938
939         [JSC] AI should not propagate AbstractValue relying on constant folding phase
940         https://bugs.webkit.org/show_bug.cgi?id=195375
941
942         Reviewed by Saam Barati.
943
944         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
945         (let.array):
946
947 2019-03-05  Saam barati  <sbarati@apple.com>
948
949         op_switch_char broken for rope strings after JSRopeString layout rewrite
950         https://bugs.webkit.org/show_bug.cgi?id=195339
951         <rdar://problem/48592545>
952
953         Reviewed by Yusuke Suzuki.
954
955         * stress/switch-on-char-llint-rope.js: Added.
956
957 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
958
959         [JSC] Store bits for JSRopeString in 3 stores
960         https://bugs.webkit.org/show_bug.cgi?id=195234
961
962         Reviewed by Saam Barati.
963
964         * stress/null-rope-and-collectors.js: Added.
965
966 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
967
968         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
969         https://bugs.webkit.org/show_bug.cgi?id=195207
970
971         Unreviewed. After test runtime was reduced in r242213, test can be
972         run again on ARM/MIPS.
973
974         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
975
976 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
977
978         [JSC] sizeof(JSString) should be 16
979         https://bugs.webkit.org/show_bug.cgi?id=194375
980
981         Reviewed by Saam Barati.
982
983         * microbenchmarks/make-rope.js: Added.
984         (makeRope):
985         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
986         (returnRope.helper): Deleted.
987         (returnRope): Deleted.
988
989 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
990
991         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
992         https://bugs.webkit.org/show_bug.cgi?id=195144
993
994         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
995         Change the number from 1e8 to 1e5.
996
997         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
998         (foo):
999
1000 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1001
1002         Test times out on ARM/MIPS
1003         https://bugs.webkit.org/show_bug.cgi?id=195168
1004
1005         Unreviewed. Skip test on ARM/MIPS.
1006
1007         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1008
1009 2019-02-27  Mark Lam  <mark.lam@apple.com>
1010
1011         The parser is failing to record the token location of new in new.target.
1012         https://bugs.webkit.org/show_bug.cgi?id=195127
1013         <rdar://problem/39645578>
1014
1015         Reviewed by Yusuke Suzuki.
1016
1017         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1018
1019 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1020
1021         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1022         https://bugs.webkit.org/show_bug.cgi?id=195144
1023         <rdar://problem/47595961>
1024
1025         Reviewed by Mark Lam.
1026
1027         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1028         (bar):
1029         (foo):
1030         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1031         (bar):
1032         (foo):
1033
1034 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1035
1036         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1037         https://bugs.webkit.org/show_bug.cgi?id=194945
1038         <rdar://problem/48311657>
1039
1040         Reviewed by Mark Lam.
1041
1042         * stress/licm-dead-code.js: Added.
1043
1044 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1045
1046         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1047         https://bugs.webkit.org/show_bug.cgi?id=194677
1048         <rdar://problem/48112492>
1049
1050         Reviewed by Mark Lam.
1051
1052         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1053         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1054         it immediately fails due to the large size.
1055
1056         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1057         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1058         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1059         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1060
1061         This patch changes the test to produce 16bit string from String.fromCharCode.
1062
1063         * stress/regress-178386.js:
1064
1065 2019-02-26  Mark Lam  <mark.lam@apple.com>
1066
1067         wasmToJS() should purify incoming NaNs.
1068         https://bugs.webkit.org/show_bug.cgi?id=194807
1069         <rdar://problem/48189132>
1070
1071         Reviewed by Saam Barati.
1072
1073         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1074
1075 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1076
1077         [JSC] Repeat string created from Array.prototype.join() take too much memory
1078         https://bugs.webkit.org/show_bug.cgi?id=193912
1079
1080         Reviewed by Saam Barati.
1081
1082         Added a test and a microbenchmark for corner cases of
1083         Array.prototype.join() with an uninitialized array.
1084
1085         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1086         * stress/array-prototype-join-uninitialized.js: Added.
1087         (testArray):
1088         (testABC):
1089         (B):
1090         (C):
1091
1092 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1093
1094         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1095         https://bugs.webkit.org/show_bug.cgi?id=194953
1096         <rdar://problem/47595253>
1097
1098         Reviewed by Saam Barati.
1099
1100         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1101
1102         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1103
1104 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1105
1106         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1107         https://bugs.webkit.org/show_bug.cgi?id=172848
1108         <rdar://problem/25709212>
1109
1110         Reviewed by Mark Lam.
1111
1112         * typeProfiler/inheritance.js:
1113         Rewrite the test slightly for clarity. The hoisting was confusing.
1114
1115         * heapProfiler/class-names.js: Added.
1116         (MyES5Class):
1117         (MyES6Class):
1118         (MyES6Subclass):
1119         Test object types and improved class names.
1120
1121         * heapProfiler/driver/driver.js:
1122         (CheapHeapSnapshotNode):
1123         (CheapHeapSnapshot):
1124         (createCheapHeapSnapshot):
1125         (HeapSnapshot):
1126         (createHeapSnapshot):
1127         Update snapshot parsing from version 1 to version 2.
1128
1129 2019-02-19  Truitt Savell  <tsavell@apple.com>
1130
1131         Unreviewed, rolling out r241784.
1132
1133         Broke all OpenSource builds.
1134
1135         Reverted changeset:
1136
1137         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1138         instances view"
1139         https://bugs.webkit.org/show_bug.cgi?id=172848
1140         https://trac.webkit.org/changeset/241784
1141
1142 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1143
1144         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1145         https://bugs.webkit.org/show_bug.cgi?id=172848
1146         <rdar://problem/25709212>
1147
1148         Reviewed by Mark Lam.
1149
1150         * typeProfiler/inheritance.js:
1151         Rewrite the test slightly for clarity. The hoisting was confusing.
1152
1153         * heapProfiler/class-names.js: Added.
1154         (MyES5Class):
1155         (MyES6Class):
1156         (MyES6Subclass):
1157         Test object types and improved class names.
1158
1159         * heapProfiler/driver/driver.js:
1160         (CheapHeapSnapshotNode):
1161         (CheapHeapSnapshot):
1162         (createCheapHeapSnapshot):
1163         (HeapSnapshot):
1164         (createHeapSnapshot):
1165         Update snapshot parsing from version 1 to version 2.
1166
1167 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1168
1169         [ARM] Fix crash with sampling profiler
1170         https://bugs.webkit.org/show_bug.cgi?id=194772
1171
1172         Reviewed by Mark Lam.
1173
1174         Do not skip test since crash with sampling profiler is now fixed.
1175
1176         * stress/sampling-profiler-richards.js:
1177
1178 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1179
1180         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1181         https://bugs.webkit.org/show_bug.cgi?id=194784
1182         <rdar://problem/48154820>
1183
1184         Reviewed by Mark Lam.
1185
1186         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1187         (getProperties):
1188         (getRandomProperty):
1189         (i.catch):
1190
1191 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1192
1193         [ARM] Test gardening: Test running out of executable memory
1194         https://bugs.webkit.org/show_bug.cgi?id=194771
1195
1196         Unreviewed. Do not run test without LLInt, test is running out of executable
1197         memory on ARM otherwise.
1198
1199         * stress/tagged-template-object-collect.js:
1200
1201 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1202
1203         Unreviewed, skip the test on platforms without sampling profiler
1204
1205         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1206         (platformSupportsSamplingProfiler.foo):
1207         (platformSupportsSamplingProfiler.test):
1208         (platformSupportsSamplingProfiler):
1209         (foo): Deleted.
1210         (test): Deleted.
1211
1212 2019-02-17  Saam Barati  <sbarati@apple.com>
1213
1214         Deadlock when adding a Structure property transition and then doing incremental marking
1215         https://bugs.webkit.org/show_bug.cgi?id=194767
1216
1217         Reviewed by Mark Lam.
1218
1219         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1220
1221 2019-02-15  Michael Saboff  <msaboff@apple.com>
1222
1223         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1224         https://bugs.webkit.org/show_bug.cgi?id=194558
1225
1226         Reviewed by Saam Barati.
1227
1228         New regression test.
1229
1230         * stress/regexp-unicode-within-string.js: Added.
1231
1232 2019-02-15  Mark Lam  <mark.lam@apple.com>
1233
1234         SamplingProfiler::stackTracesAsJSON() should escape strings.
1235         https://bugs.webkit.org/show_bug.cgi?id=194649
1236         <rdar://problem/48072386>
1237
1238         Reviewed by Saam Barati.
1239
1240         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1241         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1242         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1243         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1244
1245 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1246         CodeBlock::jettison should clear related watchpoints
1247         https://bugs.webkit.org/show_bug.cgi?id=194544
1248
1249         Reviewed by Mark Lam.
1250
1251         * stress/regexp-replace-double-watchpoint.js: Added.
1252         (foo):
1253
1254 2019-02-15  Saam barati  <sbarati@apple.com>
1255
1256         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1257         https://bugs.webkit.org/show_bug.cgi?id=194036
1258
1259         Reviewed by Yusuke Suzuki.
1260
1261         * stress/tail-call-many-arguments.js: Added.
1262         (foo):
1263         (bar):
1264
1265 2019-02-14  Saam Barati  <sbarati@apple.com>
1266
1267         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1268         https://bugs.webkit.org/show_bug.cgi?id=194583
1269         <rdar://problem/48028140>
1270
1271         Reviewed by Yusuke Suzuki.
1272
1273         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1274
1275 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1276
1277         [JSC] String.fromCharCode's slow path always generates 16bit string
1278         https://bugs.webkit.org/show_bug.cgi?id=194466
1279
1280         Reviewed by Keith Miller.
1281
1282         * stress/string-from-char-code-slow-path.js: Added.
1283         (shouldBe):
1284         (testWithLength):
1285
1286 2019-02-08  Saam barati  <sbarati@apple.com>
1287
1288         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1289         https://bugs.webkit.org/show_bug.cgi?id=194334
1290         <rdar://problem/47844327>
1291
1292         Reviewed by Mark Lam.
1293
1294         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1295         (func):
1296
1297 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1298
1299         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1300         https://bugs.webkit.org/show_bug.cgi?id=194369
1301         <rdar://problem/47813087>
1302
1303         Reviewed by Saam Barati.
1304
1305         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1306         (A):
1307
1308 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1309
1310         [JSC] PrivateName to PublicName hash table is wasteful
1311         https://bugs.webkit.org/show_bug.cgi?id=194277
1312
1313         Reviewed by Michael Saboff.
1314
1315         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1316
1317         * ChakraCore.yaml:
1318
1319 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1320
1321         [ARM] Test running out of executable memory
1322         https://bugs.webkit.org/show_bug.cgi?id=194285
1323
1324         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1325         executable memory otherwise.
1326
1327         * stress/class-subclassing-function.js:
1328
1329 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1330
1331         when lowering AssertNotEmpty, create the value before creating the patchpoint
1332         https://bugs.webkit.org/show_bug.cgi?id=194231
1333
1334         Reviewed by Saam Barati.
1335
1336         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1337         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1338         So even tiny changes to this test can change the path code taken.
1339
1340         * stress/assert-not-empty.js: Added.
1341         (foo):
1342
1343 2019-02-01  Mark Lam  <mark.lam@apple.com>
1344
1345         Remove invalid assertion in DFG's compileDoubleRep().
1346         https://bugs.webkit.org/show_bug.cgi?id=194130
1347         <rdar://problem/47699474>
1348
1349         Reviewed by Saam Barati.
1350
1351         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1352
1353 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1354
1355         Import latest Test262 updates.
1356
1357         Rubber-stamped by Keith Miller.
1358
1359         * test262.yaml: Deleted.
1360         * test262/config.yaml:
1361         * test262/expectations.yaml:
1362         * test262/latest-changes-summary.txt:
1363         * test262/test/:
1364         * test262/test262-Revision.txt:
1365
1366 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1367
1368         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1369         https://bugs.webkit.org/show_bug.cgi?id=194050
1370         <rdar://problem/47595592>
1371
1372         Reviewed by Yusuke Suzuki.
1373
1374         * stress/object-keys-osr-exit.js: Added.
1375         (foo):
1376         (catch):
1377
1378 2019-01-29  Mark Lam  <mark.lam@apple.com>
1379
1380         ValueRecovery::recover() should purify NaN values it recovers.
1381         https://bugs.webkit.org/show_bug.cgi?id=193978
1382         <rdar://problem/47625488>
1383
1384         Reviewed by Saam Barati.
1385
1386         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1387
1388 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1389
1390         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1391         https://bugs.webkit.org/show_bug.cgi?id=193713
1392
1393         * stress/try-get-by-id-should-spill-registers-dfg.js:
1394         (let.f.createBuiltin):
1395
1396 2019-01-28  Mark Lam  <mark.lam@apple.com>
1397
1398         ToString node actually does GC.
1399         https://bugs.webkit.org/show_bug.cgi?id=193920
1400         <rdar://problem/46695900>
1401
1402         Reviewed by Yusuke Suzuki.
1403
1404         * stress/dfg-to-string-on-int-does-gc.js: Added.
1405         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1406         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1407
1408 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1409
1410         [JSC] NativeErrorConstructor should not have own IsoSubspace
1411         https://bugs.webkit.org/show_bug.cgi?id=193713
1412
1413         Reviewed by Saam Barati.
1414
1415         Remove @Error use.
1416
1417         * stress/try-get-by-id-should-spill-registers-dfg.js:
1418         (let.f.createBuiltin):
1419
1420 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1421
1422         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1423         https://bugs.webkit.org/show_bug.cgi?id=190693
1424
1425         Reviewed by Michael Saboff.
1426
1427         * stress/regress-190693.js: Added.
1428         (truth):
1429         (assert):
1430         (shouldThrowInvalidConstAssignment):
1431         (taz):
1432
1433 2019-01-24  Saam Barati  <sbarati@apple.com>
1434
1435         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1436         https://bugs.webkit.org/show_bug.cgi?id=193751
1437         <rdar://problem/47280215>
1438
1439         Reviewed by Michael Saboff.
1440
1441         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1442         (let.thing):
1443         (foo.let.hello):
1444         (foo):
1445
1446 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1447
1448         [JSC] Reenable baseline JIT on mips
1449         https://bugs.webkit.org/show_bug.cgi?id=192983
1450
1451         Reviewed by Mark Lam.
1452
1453         Added a new test for a case that was triggering a RELEASE_ASSERT when
1454         testing.
1455         Disable some slow tests that were already disabled for arm and x86.
1456
1457         * stress/json-parse-big-object.js: Added.
1458         * stress/new-largeish-contiguous-array-with-size.js:
1459         * stress/op_add.js:
1460         * stress/op_bitand.js:
1461         * stress/op_bitor.js:
1462         * stress/op_bitxor.js:
1463         * stress/op_lshift-ConstVar.js:
1464         * stress/op_lshift-VarConst.js:
1465         * stress/op_lshift-VarVar.js:
1466         * stress/op_mod-ConstVar.js:
1467         * stress/op_mod-VarConst.js:
1468         * stress/op_mod-VarVar.js:
1469         * stress/op_mul-ConstVar.js:
1470         * stress/op_mul-VarConst.js:
1471         * stress/op_mul-VarVar.js:
1472         * stress/op_rshift-ConstVar.js:
1473         * stress/op_rshift-VarConst.js:
1474         * stress/op_rshift-VarVar.js:
1475         * stress/op_sub-ConstVar.js:
1476         * stress/op_sub-VarConst.js:
1477         * stress/op_sub-VarVar.js:
1478         * stress/op_urshift-ConstVar.js:
1479         * stress/op_urshift-VarConst.js:
1480         * stress/op_urshift-VarVar.js:
1481         * stress/sampling-profiler-richards.js:
1482         * stress/spread-forward-call-varargs-stack-overflow.js:
1483
1484 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1485
1486         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1487         https://bugs.webkit.org/show_bug.cgi?id=193711
1488         <rdar://problem/47250262>
1489
1490         Reviewed by Saam Barati.
1491
1492         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1493         (shouldBe):
1494         (foo):
1495         (bar):
1496         (baz):
1497
1498 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1499
1500         Unreviewed, fix initial global lexical binding epoch
1501         https://bugs.webkit.org/show_bug.cgi?id=193603
1502         <rdar://problem/47380869>
1503
1504         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1505         (f1.f2.f3.f4):
1506         (f1.f2.f3):
1507         (f1.f2):
1508         (f1):
1509
1510 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1511
1512         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1513         https://bugs.webkit.org/show_bug.cgi?id=193709
1514         <rdar://problem/47363838>
1515
1516         Unreviewed, rollout to watch the tests.
1517
1518         * stress/object-tostring-changed-proto.js: Removed.
1519         * stress/object-tostring-changed.js: Removed.
1520         * stress/object-tostring-misc.js: Removed.
1521         * stress/object-tostring-other.js: Removed.
1522         * stress/object-tostring-untyped.js: Removed.
1523
1524 2019-01-22  Saam Barati  <sbarati@apple.com>
1525
1526         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1527
1528         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1529         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1530         (testUncheckedLessThanZero):
1531         (testUncheckedLessThanOrEqualZero):
1532         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1533         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1534
1535 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1536
1537         [JSC] Invalidate old scope operations using global lexical binding epoch
1538         https://bugs.webkit.org/show_bug.cgi?id=193603
1539         <rdar://problem/47380869>
1540
1541         Reviewed by Saam Barati.
1542
1543         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1544         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1545         (shouldThrow):
1546         (bar):
1547         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1548         (shouldBe):
1549         (get1):
1550         (get2):
1551         (get1If):
1552         (get2If):
1553         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1554         (shouldThrow):
1555         (foo):
1556
1557 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1558
1559         Unreviewed, roll out r240220 due to date-format-xparb regression
1560         https://bugs.webkit.org/show_bug.cgi?id=193603
1561
1562         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1563         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1564         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1565         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1566
1567 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1568
1569         DoesGC rule is wrong for nodes with BigIntUse
1570         https://bugs.webkit.org/show_bug.cgi?id=193652
1571
1572         Reviewed by Saam Barati.
1573
1574         * stress/big-int-value-op-update-gc-rules.js: Added.
1575         (assert):
1576         (doesGCAdd):
1577         (doesGCSub):
1578         (doesGCDiv):
1579         (doesGCMul):
1580         (doesGCBitAnd):
1581         (doesGCBitOr):
1582         (doesGCBitXor):
1583
1584 2019-01-20  Saam Barati  <sbarati@apple.com>
1585
1586         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1587         https://bugs.webkit.org/show_bug.cgi?id=193644
1588         <rdar://problem/46209745>
1589
1590         Reviewed by Yusuke Suzuki.
1591
1592         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1593         (foo):
1594         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1595         (foo):
1596         (bar):
1597
1598 2019-01-20  Saam Barati  <sbarati@apple.com>
1599
1600         MovHint must merge NodeBytecodeUsesAsValue for its child
1601         https://bugs.webkit.org/show_bug.cgi?id=186916
1602         <rdar://problem/41396612>
1603
1604         Reviewed by Yusuke Suzuki.
1605
1606         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1607         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1608
1609 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1610
1611         [JSC] Invalidate old scope operations using global lexical binding epoch
1612         https://bugs.webkit.org/show_bug.cgi?id=193603
1613         <rdar://problem/47380869>
1614
1615         Reviewed by Saam Barati.
1616
1617         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1618         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1619         (shouldThrow):
1620         (bar):
1621         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1622         (shouldBe):
1623         (get1):
1624         (get2):
1625         (get1If):
1626         (get2If):
1627         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1628         (shouldThrow):
1629         (foo):
1630
1631 2019-01-17  Saam barati  <sbarati@apple.com>
1632
1633         StringObjectUse should not be a structure check for the original string object structure
1634         https://bugs.webkit.org/show_bug.cgi?id=193483
1635         <rdar://problem/47280522>
1636
1637         Reviewed by Yusuke Suzuki.
1638
1639         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1640         (foo):
1641         (a.valueOf.0):
1642
1643 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [JSC] ToThis omission in DFGByteCodeParser is wrong
1646         https://bugs.webkit.org/show_bug.cgi?id=193513
1647         <rdar://problem/45842236>
1648
1649         Reviewed by Saam Barati.
1650
1651         * stress/to-this-omission-with-different-strict-modes.js: Added.
1652         (thisA):
1653         (thisAStrictWrapper):
1654
1655 2019-01-15  Mark Lam  <mark.lam@apple.com>
1656
1657         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1658         https://bugs.webkit.org/show_bug.cgi?id=193423
1659         <rdar://problem/46209355>
1660
1661         Reviewed by Saam Barati.
1662
1663         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1664         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1665         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1666         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1667
1668 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1669
1670         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1671         https://bugs.webkit.org/show_bug.cgi?id=193438
1672         <rdar://problem/45581249>
1673
1674         Reviewed by Saam Barati and Keith Miller.
1675
1676         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1677         Then, GetByVal(String) crashed.
1678
1679         * stress/string-get-by-val-lowering.js: Added.
1680         (shouldBe):
1681         (test):
1682         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1683         (Hello):
1684         (foo):
1685
1686 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1687
1688         Unreviewed, skip JIT tests if it's not enabled
1689
1690         * stress/bit-op-with-object-returning-int32.js:
1691
1692 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1693
1694         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1695         https://bugs.webkit.org/show_bug.cgi?id=192966
1696
1697         Reviewed by Yusuke Suzuki.
1698
1699         * stress/bit-op-with-object-returning-int32.js: Added.
1700
1701 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1702
1703         Skip a slow test and a flakey test on arm
1704
1705         Unreviewed gardening.
1706
1707         * typeProfiler/getter-richards.js:
1708         this test always times out, it used to be always skipped on arm and
1709         mips, but got accidentally enabled by r237919 now that we have DFG on
1710         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1711
1712 2019-01-14  Keith Miller  <keith_miller@apple.com>
1713
1714         Skip type-check-hoisting-phase-hoist... with no jit
1715         https://bugs.webkit.org/show_bug.cgi?id=193421
1716
1717         Reviewed by Mark Lam.
1718
1719         It's timing out the 32-bit bots and takes 330 seconds
1720         on my machine when run by itself.
1721
1722         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1723
1724 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1725
1726         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1727         https://bugs.webkit.org/show_bug.cgi?id=193413
1728         <rdar://problem/46092389>
1729
1730         Reviewed by Keith Miller.
1731
1732         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1733         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1734         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1735         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1736
1737         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1738         (compareArray):
1739
1740 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1741
1742         [BigInt] Literal parsing is crashing when used inside an Object Literal
1743         https://bugs.webkit.org/show_bug.cgi?id=193404
1744
1745         Reviewed by Yusuke Suzuki.
1746
1747         * stress/big-int-literal-inside-literal-object.js: Added.
1748
1749 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1750
1751         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1752         https://bugs.webkit.org/show_bug.cgi?id=193372
1753
1754         Reviewed by Saam Barati.
1755
1756         * stress/typed-array-array-modes-profile.js: Added.
1757         (foo):
1758
1759 2019-01-14  Mark Lam  <mark.lam@apple.com>
1760
1761         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1762         https://bugs.webkit.org/show_bug.cgi?id=193402
1763         <rdar://problem/46012309>
1764
1765         Reviewed by Keith Miller.
1766
1767         * stress/regexp-compile-oom.js:
1768         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1769           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1770
1771 2019-01-11  Saam barati  <sbarati@apple.com>
1772
1773         DFG combined liveness can be wrong for terminal basic blocks
1774         https://bugs.webkit.org/show_bug.cgi?id=193304
1775         <rdar://problem/45268632>
1776
1777         Reviewed by Yusuke Suzuki.
1778
1779         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1780
1781 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1782
1783         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1784         https://bugs.webkit.org/show_bug.cgi?id=193308
1785         <rdar://problem/45546542>
1786
1787         Reviewed by Saam Barati.
1788
1789         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1790         (shouldThrow):
1791         (shouldBe):
1792         (foo):
1793         (get shouldThrow):
1794         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1795         (shouldThrow):
1796         (shouldBe):
1797         (foo):
1798         (get shouldBe):
1799         (get shouldThrow):
1800         (get return):
1801         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1802         (shouldThrow):
1803         (shouldBe):
1804         (foo):
1805         (get shouldBe):
1806         (get shouldThrow):
1807         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1808         (shouldThrow):
1809         (shouldBe):
1810         (foo):
1811         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1812         (shouldThrow):
1813         (shouldBe):
1814         (foo):
1815         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1816         (shouldThrow):
1817         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1818         (shouldThrow):
1819         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1820         (shouldThrow):
1821         (shouldBe):
1822         (foo):
1823         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1824         (shouldThrow):
1825         (shouldBe):
1826         (foo):
1827         (get shouldBe):
1828         (get shouldThrow):
1829         (get return):
1830         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1831         (shouldThrow):
1832         (shouldBe):
1833         (foo):
1834         (get shouldBe):
1835         (get shouldThrow):
1836         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1837         (shouldThrow):
1838         (shouldBe):
1839         (foo):
1840         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1841         (shouldThrow):
1842         (shouldBe):
1843         (foo):
1844
1845 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1846
1847         Enable DFG on ARM/Linux again
1848         https://bugs.webkit.org/show_bug.cgi?id=192496
1849
1850         Reviewed by Yusuke Suzuki.
1851
1852         Test wasn't really skipped before moving the line with skip
1853         to the top.
1854
1855         * stress/regress-192717.js:
1856
1857 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1858
1859         Unreviewed, rolling out r239825.
1860         https://bugs.webkit.org/show_bug.cgi?id=193330
1861
1862         Broke tests on armv7/linux bots (Requested by guijemont on
1863         #webkit).
1864
1865         Reverted changeset:
1866
1867         "Enable DFG on ARM/Linux again"
1868         https://bugs.webkit.org/show_bug.cgi?id=192496
1869         https://trac.webkit.org/changeset/239825
1870
1871 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1872
1873         Enable DFG on ARM/Linux again
1874         https://bugs.webkit.org/show_bug.cgi?id=192496
1875
1876         Reviewed by Yusuke Suzuki.
1877
1878         Test wasn't really skipped before moving the line with skip
1879         to the top.
1880
1881         * stress/regress-192717.js:
1882
1883 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1884
1885         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1886         https://bugs.webkit.org/show_bug.cgi?id=193127
1887
1888         Reviewed by Saam Barati.
1889
1890         * stress/array-species-create-should-handle-masquerader.js: Added.
1891         (shouldThrow):
1892         * stress/is-undefined-or-null-builtin.js: Added.
1893         (shouldBe):
1894         (isUndefinedOrNull.vm.createBuiltin):
1895
1896 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1897
1898         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1899         https://bugs.webkit.org/show_bug.cgi?id=193221
1900
1901         Reviewed by Mark Lam.
1902
1903         * stress/put-by-id-flags.js: Added.
1904         (f):
1905         (g):
1906         (numberOfDFGCompiles):
1907
1908 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1909
1910         Baseline version of get_by_id may corrupt metadata
1911         https://bugs.webkit.org/show_bug.cgi?id=193085
1912         <rdar://problem/23453006>
1913
1914         Reviewed by Saam Barati.
1915
1916         * stress/get-by-id-change-mode.js: Added.
1917         (forEach):
1918
1919 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1920
1921         [JSC] Optimize Object.prototype.toString
1922         https://bugs.webkit.org/show_bug.cgi?id=193031
1923
1924         Reviewed by Saam Barati.
1925
1926         * stress/object-tostring-changed-proto.js: Added.
1927         (shouldBe):
1928         (test):
1929         * stress/object-tostring-changed.js: Added.
1930         (shouldBe):
1931         (test):
1932         * stress/object-tostring-misc.js: Added.
1933         (shouldBe):
1934         (test):
1935         (i.switch):
1936         * stress/object-tostring-other.js: Added.
1937         (shouldBe):
1938         (test):
1939         * stress/object-tostring-untyped.js: Added.
1940         (shouldBe):
1941         (test):
1942         (i.switch):
1943
1944 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1945
1946         test262-runner misbehaves when test file YAML has a trailing space
1947         https://bugs.webkit.org/show_bug.cgi?id=193053
1948
1949         Reviewed by Yusuke Suzuki.
1950
1951         * test262/expectations.yaml:
1952         Mark two dozen tests as passing (and correct the output of another).
1953
1954 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1955
1956         Unreviewed, JSTests gardening with memoryLimited
1957
1958         * stress/string-overflow-createError.js:
1959
1960 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1961
1962         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1963         https://bugs.webkit.org/show_bug.cgi?id=193050
1964
1965         Reviewed by Yusuke Suzuki.
1966
1967         * test262.yaml:
1968         * test262/expectations.yaml:
1969         Mark 16 tests as passing.
1970
1971 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1972
1973         [BigInt] Support BigInt in JSON.stringify
1974         https://bugs.webkit.org/show_bug.cgi?id=192624
1975
1976         Reviewed by Saam Barati.
1977
1978         * stress/big-int-json-stringify-to-json.js: Added.
1979         (shouldBe):
1980         (shouldThrow):
1981         (BigInt.prototype.toJSON):
1982         (shouldBe.JSON.stringify):
1983         * stress/big-int-json-stringify.js: Added.
1984         (shouldBe):
1985         (shouldThrow):
1986
1987 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1988
1989         [JSC] Implement "well-formed JSON.stringify" proposal
1990         https://bugs.webkit.org/show_bug.cgi?id=191677
1991
1992         Reviewed by Darin Adler.
1993
1994         * stress/json-surrogate-pair.js: Added.
1995         (shouldBe):
1996         * test262/expectations.yaml:
1997
1998 2018-12-20  Keith Miller  <keith_miller@apple.com>
1999
2000         Add support for globalThis
2001         https://bugs.webkit.org/show_bug.cgi?id=165171
2002
2003         Reviewed by Mark Lam.
2004
2005         * test262/config.yaml:
2006
2007 2018-12-19  Keith Miller  <keith_miller@apple.com>
2008
2009         Update test262 configuration to not run tests dependent on ICU version.
2010         https://bugs.webkit.org/show_bug.cgi?id=192920
2011
2012         Reviewed by Saam Barati.
2013
2014         * test262/expectations.yaml:
2015
2016 2018-12-20  Mark Lam  <mark.lam@apple.com>
2017
2018         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2019         https://bugs.webkit.org/show_bug.cgi?id=192939
2020         <rdar://problem/46869516>
2021
2022         Reviewed by Keith Miller.
2023
2024         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2025
2026 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2027
2028         WTF::String and StringImpl overflow MaxLength
2029         https://bugs.webkit.org/show_bug.cgi?id=192853
2030         <rdar://problem/45726906>
2031
2032         Reviewed by Mark Lam.
2033
2034         * stress/string-16bit-repeat-overflow.js: Added.
2035         (catch):
2036
2037 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2038
2039         Unreviewed follow-up to r192914.
2040
2041         * test262/expectations.yaml:
2042         Add the last 20 missing expectations.
2043
2044 2018-12-19  Keith Miller  <keith_miller@apple.com>
2045
2046         Fix test262 expectations
2047         https://bugs.webkit.org/show_bug.cgi?id=192914
2048
2049         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2050
2051         * test262/expectations.yaml:
2052
2053 2018-12-19  Keith Miller  <keith_miller@apple.com>
2054
2055         Update test262 tests.
2056         https://bugs.webkit.org/show_bug.cgi?id=192907
2057
2058         Rubber stamped by Mark Lam.
2059
2060         * test262/*: Omitted because prepare-changelog crashes.
2061
2062 2018-12-19  Mark Lam  <mark.lam@apple.com>
2063
2064         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2065         https://bugs.webkit.org/show_bug.cgi?id=192464
2066         <rdar://problem/46519455>
2067
2068         Reviewed by Saam Barati.
2069
2070         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2071         microbenchmark.
2072
2073         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2074         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2075
2076 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2077
2078         String overflow in JSC::createError results in ASSERT in WTF::makeString
2079         https://bugs.webkit.org/show_bug.cgi?id=192833
2080         <rdar://problem/45706868>
2081
2082         Reviewed by Mark Lam.
2083
2084         * stress/string-overflow-createError.js: Added.
2085
2086 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2087
2088         Error message for `-x ** y` contains a typo.
2089         https://bugs.webkit.org/show_bug.cgi?id=192832
2090
2091         Reviewed by Saam Barati.
2092
2093         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2094         (assert.assert.return.throws):
2095         * stress/pow-expects-update-expression-on-lhs.js:
2096         (throw.new.Error):
2097         Update test expectations which match against the exact error message.
2098
2099 2018-12-18  Mark Lam  <mark.lam@apple.com>
2100
2101         Gardening: test options fix.
2102         https://bugs.webkit.org/show_bug.cgi?id=192822
2103
2104         Unreviewed.
2105
2106         * stress/json-stringify-string-builder-overflow.js:
2107
2108 2018-12-18  Mark Lam  <mark.lam@apple.com>
2109
2110         JSON.stringify() should throw OOM on StringBuilder overflows.
2111         https://bugs.webkit.org/show_bug.cgi?id=192822
2112         <rdar://problem/46670577>
2113
2114         Reviewed by Saam Barati.
2115
2116         * stress/json-stringify-string-builder-overflow.js: Added.
2117
2118 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2119
2120         Redeclaration of var over let/const/class should be a syntax error.
2121         https://bugs.webkit.org/show_bug.cgi?id=192298
2122
2123         Reviewed by Keith Miller.
2124
2125         * test262.yaml:
2126         * test262/expectations.yaml:
2127         Mark 46 tests as passing.
2128
2129         * stress/block-scope-redeclarations.js:
2130         Add some new tests.
2131
2132         * stress/for-in-invalidate-context-weird-assignments.js:
2133         * stress/for-in-tests.js:
2134         Replace tests for outdated behavior with tests for SyntaxError.
2135
2136         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2137         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2138         Update expectations.
2139
2140 2018-12-18  Mark Lam  <mark.lam@apple.com>
2141
2142         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2143         https://bugs.webkit.org/show_bug.cgi?id=191374
2144         <rdar://problem/46525447>
2145
2146         Reviewed by Yusuke Suzuki.
2147
2148         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2149
2150         * stress/elidable-new-object-roflcopter-then-exit.js:
2151
2152 2018-12-17  Mark Lam  <mark.lam@apple.com>
2153
2154         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2155         https://bugs.webkit.org/show_bug.cgi?id=192019
2156         <rdar://problem/46525456>
2157
2158         Reviewed by Yusuke Suzuki.
2159
2160         The test runs too slow on 32-bit.
2161
2162         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2163
2164 2018-12-17  Mark Lam  <mark.lam@apple.com>
2165
2166         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2167         https://bugs.webkit.org/show_bug.cgi?id=191373
2168         <rdar://problem/46525458>
2169
2170         Reviewed by Yusuke Suzuki.
2171
2172         The test is already slow running with a JIT on 64-bit.  It will always time out
2173         on 32-bit without a JIT.
2174
2175         * stress/materialize-regexp-cyclic-regexp.js:
2176
2177 2018-12-17  Mark Lam  <mark.lam@apple.com>
2178
2179         Array unshift/shift should not race against the AI in the compiler thread.
2180         https://bugs.webkit.org/show_bug.cgi?id=192795
2181         <rdar://problem/46724263>
2182
2183         Reviewed by Saam Barati.
2184
2185         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2186
2187 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2188
2189         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2190         https://bugs.webkit.org/show_bug.cgi?id=190047
2191
2192         Reviewed by Saam Barati.
2193
2194         * stress/object-keys-cached-zero.js: Added.
2195         (shouldBe):
2196         (test):
2197         * stress/object-keys-changed-attribute.js: Added.
2198         (shouldBe):
2199         (test):
2200         * stress/object-keys-changed-index.js: Added.
2201         (shouldBe):
2202         (test):
2203         * stress/object-keys-changed.js: Added.
2204         (shouldBe):
2205         (test):
2206         * stress/object-keys-indexed-non-cache.js: Added.
2207         (shouldBe):
2208         (test):
2209         * stress/object-keys-overrides-get-property-names.js: Added.
2210         (shouldBe):
2211         (test):
2212         (noInline):
2213
2214 2018-12-17  Mark Lam  <mark.lam@apple.com>
2215
2216         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2217         https://bugs.webkit.org/show_bug.cgi?id=192779
2218         <rdar://problem/46775869>
2219
2220         Reviewed by Saam Barati.
2221
2222         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2223
2224 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2225
2226         Unreviewed test gardening, address a syntax error in a new test.
2227
2228         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2229
2230 2018-12-17  Mark Lam  <mark.lam@apple.com>
2231
2232         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2233         https://bugs.webkit.org/show_bug.cgi?id=192776
2234         <rdar://problem/46772368>
2235
2236         Reviewed by Keith Miller.
2237
2238         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2239
2240 2018-12-17  Mark Lam  <mark.lam@apple.com>
2241
2242         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2243         https://bugs.webkit.org/show_bug.cgi?id=192770
2244         <rdar://problem/46449037>
2245
2246         Reviewed by Keith Miller.
2247
2248         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2249
2250 2018-12-14  Mark Lam  <mark.lam@apple.com>
2251
2252         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2253         https://bugs.webkit.org/show_bug.cgi?id=192717
2254         <rdar://problem/46660677>
2255
2256         Reviewed by Saam Barati.
2257
2258         * stress/regress-192717.js: Added.
2259
2260 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2261
2262         Unreviewed, rolling out r239153, r239154, and r239155.
2263         https://bugs.webkit.org/show_bug.cgi?id=192715
2264
2265         Caused flaky GC-related crashes seen with layout tests
2266         (Requested by ryanhaddad on #webkit).
2267
2268         Reverted changesets:
2269
2270         "[JSC] Optimize Object.keys by caching own keys results in
2271         StructureRareData"
2272         https://bugs.webkit.org/show_bug.cgi?id=190047
2273         https://trac.webkit.org/changeset/239153
2274
2275         "Unreviewed, build fix after r239153"
2276         https://bugs.webkit.org/show_bug.cgi?id=190047
2277         https://trac.webkit.org/changeset/239154
2278
2279         "Unreviewed, build fix after r239153, part 2"
2280         https://bugs.webkit.org/show_bug.cgi?id=190047
2281         https://trac.webkit.org/changeset/239155
2282
2283 2018-12-14  Keith Miller  <keith_miller@apple.com>
2284
2285         Callers of JSString::getIndex should check for OOM exceptions
2286         https://bugs.webkit.org/show_bug.cgi?id=192709
2287
2288         Reviewed by Mark Lam.
2289
2290         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2291
2292 2018-12-13  Mark Lam  <mark.lam@apple.com>
2293
2294         Add a missing exception check.
2295         https://bugs.webkit.org/show_bug.cgi?id=192626
2296         <rdar://problem/46662163>
2297
2298         Reviewed by Keith Miller.
2299
2300         * stress/regress-192626.js: Added.
2301
2302 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2303
2304         [BigInt] Add ValueDiv into DFG
2305         https://bugs.webkit.org/show_bug.cgi?id=186178
2306
2307         Reviewed by Yusuke Suzuki.
2308
2309         * stress/big-int-div-jit-osr.js: Added.
2310         * stress/big-int-div-jit-untyped.js: Added.
2311         * stress/value-div-fixup-int32-big-int.js: Added.
2312
2313 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2314
2315         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2316         https://bugs.webkit.org/show_bug.cgi?id=190047
2317
2318         Reviewed by Keith Miller.
2319
2320         * stress/object-keys-cached-zero.js: Added.
2321         (shouldBe):
2322         (test):
2323         * stress/object-keys-changed-attribute.js: Added.
2324         (shouldBe):
2325         (test):
2326         * stress/object-keys-changed-index.js: Added.
2327         (shouldBe):
2328         (test):
2329         * stress/object-keys-changed.js: Added.
2330         (shouldBe):
2331         (test):
2332         * stress/object-keys-indexed-non-cache.js: Added.
2333         (shouldBe):
2334         (test):
2335         * stress/object-keys-overrides-get-property-names.js: Added.
2336         (shouldBe):
2337         (test):
2338         (noInline):
2339
2340 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2341
2342         [DFG][FTL] Add NewSymbol
2343         https://bugs.webkit.org/show_bug.cgi?id=192620
2344
2345         Reviewed by Saam Barati.
2346
2347         * microbenchmarks/symbol-creation.js: Added.
2348         (test):
2349         * stress/symbol-description-identity.js: Added.
2350         (shouldBe):
2351         (test):
2352         * stress/symbol-identity.js: Added.
2353         (shouldBe):
2354         (test):
2355         * stress/symbol-with-description-throw-error.js: Added.
2356         (shouldBe):
2357         (shouldThrow):
2358         (test):
2359         (object.toString):
2360
2361 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2362
2363         [BigInt] Implement DFG/FTL typeof for BigInt
2364         https://bugs.webkit.org/show_bug.cgi?id=192619
2365
2366         Reviewed by Keith Miller.
2367
2368         * stress/big-int-boolean-proven-type.js: Added.
2369         (assert):
2370         (bool):
2371         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2372         (assert):
2373         (typeOf):
2374         (i.switch):
2375         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2376         (assert):
2377         (typeOf):
2378         * stress/big-int-type-of.js:
2379         (typeOf):
2380         (func):
2381
2382 2018-12-10  Mark Lam  <mark.lam@apple.com>
2383
2384         PropertyAttribute needs a CustomValue bit.
2385         https://bugs.webkit.org/show_bug.cgi?id=191993
2386         <rdar://problem/46264467>
2387
2388         Reviewed by Saam Barati.
2389
2390         * stress/regress-191993.js: Added.
2391
2392 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2393
2394         [BigInt] Add ValueMul into DFG
2395         https://bugs.webkit.org/show_bug.cgi?id=186175
2396
2397         Reviewed by Yusuke Suzuki.
2398
2399         * stress/big-int-mul-jit-osr.js: Added.
2400         * stress/big-int-mul-jit-untyped.js: Added.
2401         * stress/value-mul-fixup-int32-big-int.js: Added.
2402
2403 2018-12-06  Keith Miller  <keith_miller@apple.com>
2404
2405         stress/big-wasm-memory tests failing on 32-bit JSC bot
2406         https://bugs.webkit.org/show_bug.cgi?id=192020
2407
2408         Reviewed by Saam Barati.
2409
2410         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2411         the wasm stress tests if the WebAssembly object does not exist.
2412
2413         * stress/big-wasm-memory-grow-no-max.js:
2414         (test.foo):
2415         (test):
2416         (foo): Deleted.
2417         (catch): Deleted.
2418         * stress/big-wasm-memory-grow.js:
2419         (test.foo):
2420         (test):
2421         (foo): Deleted.
2422         (catch): Deleted.
2423         * stress/big-wasm-memory.js:
2424         (test.foo):
2425         (test):
2426         (foo): Deleted.
2427         (catch): Deleted.
2428
2429 2018-12-05  Mark Lam  <mark.lam@apple.com>
2430
2431         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2432         https://bugs.webkit.org/show_bug.cgi?id=192441
2433         <rdar://problem/46480355>
2434
2435         Reviewed by Saam Barati.
2436
2437         * stress/regress-192441.js: Added.
2438
2439 2018-12-04  Mark Lam  <mark.lam@apple.com>
2440
2441         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2442         https://bugs.webkit.org/show_bug.cgi?id=192386
2443         <rdar://problem/46445516>
2444
2445         Reviewed by Saam Barati.
2446
2447         * stress/regress-192386.js: Added.
2448
2449 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2450
2451         [ESNext][BigInt] Support logic operations
2452         https://bugs.webkit.org/show_bug.cgi?id=179903
2453
2454         Reviewed by Yusuke Suzuki.
2455
2456         * stress/big-int-branch-usage.js: Added.
2457         * stress/big-int-logical-and.js: Added.
2458         * stress/big-int-logical-not.js: Added.
2459         * stress/big-int-logical-or.js: Added.
2460
2461 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2462
2463         Unreviewed, rolling out r238833.
2464
2465         Breaks macOS and iOS debug builds.
2466
2467         Reverted changeset:
2468
2469         "[ESNext][BigInt] Support logic operations"
2470         https://bugs.webkit.org/show_bug.cgi?id=179903
2471         https://trac.webkit.org/changeset/238833
2472
2473 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2474
2475         [ESNext][BigInt] Support logic operations
2476         https://bugs.webkit.org/show_bug.cgi?id=179903
2477
2478         Reviewed by Yusuke Suzuki.
2479
2480         * stress/big-int-branch-usage.js: Added.
2481         * stress/big-int-logical-and.js: Added.
2482         * stress/big-int-logical-not.js: Added.
2483         * stress/big-int-logical-or.js: Added.
2484
2485 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2486
2487         [ESNext][BigInt] Implement support for "<<" and ">>"
2488         https://bugs.webkit.org/show_bug.cgi?id=186233
2489
2490         Reviewed by Yusuke Suzuki.
2491
2492         * stress/big-int-left-shift-general.js: Added.
2493         * stress/big-int-left-shift-range-error.js: Added.
2494         * stress/big-int-left-shift-type-error.js: Added.
2495         * stress/big-int-left-shift-wrapped-value.js: Added.
2496         * stress/big-int-right-shift-general.js: Added.
2497         * stress/big-int-right-shift-type-error.js: Added.
2498         * stress/big-int-right-shift-wrapped-value.js: Added.
2499         * stress/left-shift-to-primitive-precedence.js: Added.
2500         * stress/right-shift-to-primitive-precedence.js: Added.
2501
2502 2018-11-30  Dean Jackson  <dino@apple.com>
2503
2504         Add first-class support for .mjs files in jsc binary
2505         https://bugs.webkit.org/show_bug.cgi?id=192190
2506         <rdar://problem/46375715>
2507
2508         Reviewed by Keith Miller.
2509
2510         * stress/simple-module.mjs: Added.
2511         * stress/simple-script.js: Added.
2512
2513 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2514
2515         [BigInt] Implement ValueBitXor into DFG
2516         https://bugs.webkit.org/show_bug.cgi?id=190264
2517
2518         Reviewed by Yusuke Suzuki.
2519
2520         * stress/big-int-bitwise-xor-jit.js: Added.
2521         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2522         * stress/big-int-bitwise-xor-untyped.js: Added.
2523
2524 2018-11-27  Saam barati  <sbarati@apple.com>
2525
2526         r238510 broke scopes of size zero
2527         https://bugs.webkit.org/show_bug.cgi?id=192033
2528         <rdar://problem/46281734>
2529
2530         Reviewed by Keith Miller.
2531
2532         * stress/r238510-bad-loop.js: Added.
2533         (foo):
2534
2535 2018-11-27  Mark Lam  <mark.lam@apple.com>
2536
2537         [Re-landing] NaNs read from Wasm code need to be purified.
2538         https://bugs.webkit.org/show_bug.cgi?id=191056
2539         <rdar://problem/45660341>
2540
2541         Reviewed by Filip Pizlo.
2542
2543         * wasm/regress/regress-191056.js: Added.
2544
2545 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2546
2547         Unreviewed, rolling out r238509.
2548
2549         Causes JSC tests to fail on iOS.
2550
2551         Reverted changeset:
2552
2553         "NaNs read from Wasm code need to be purified."
2554         https://bugs.webkit.org/show_bug.cgi?id=191056
2555         https://trac.webkit.org/changeset/238509
2556
2557 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2558
2559         Re-introduce op_bitnot
2560         https://bugs.webkit.org/show_bug.cgi?id=190923
2561
2562         Reviewed by Yusuke Suzuki.
2563
2564         * stress/bit-not-must-generate.js: Added.
2565         * stress/bitwise-not-no-int32.js: Added.
2566
2567 2018-11-26  Saam barati  <sbarati@apple.com>
2568
2569         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2570         https://bugs.webkit.org/show_bug.cgi?id=191956
2571         <rdar://problem/45665806>
2572
2573         Reviewed by Yusuke Suzuki.
2574
2575         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2576         (bar):
2577         (foo):
2578
2579 2018-11-26  Saam barati  <sbarati@apple.com>
2580
2581         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2582         https://bugs.webkit.org/show_bug.cgi?id=191958
2583         <rdar://problem/46221877>
2584
2585         Reviewed by Yusuke Suzuki.
2586
2587         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2588         (x):
2589         (foo):
2590
2591 2018-11-26  Mark Lam  <mark.lam@apple.com>
2592
2593         NaNs read from Wasm code needs to be purified.
2594         https://bugs.webkit.org/show_bug.cgi?id=191056
2595         <rdar://problem/45660341>
2596
2597         Reviewed by Filip Pizlo.
2598
2599         * wasm/regress/regress-191056.js: Added.
2600
2601 2018-11-26  Michael Saboff  <msaboff@apple.com>
2602
2603         32-bit JSC test failure: stress/regexp-compile-oom.js
2604         https://bugs.webkit.org/show_bug.cgi?id=191375
2605
2606         Reviewed by Mark Lam.
2607
2608         Disabled the test for 32 bit platforms.
2609
2610         * stress/regexp-compile-oom.js:
2611
2612 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2613
2614         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2615         https://bugs.webkit.org/show_bug.cgi?id=191716
2616         <rdar://problem/45723878>
2617
2618         Reviewed by Saam Barati.
2619
2620         * stress/regress-187373.js: Added.
2621         (async.fn):
2622
2623 2018-11-21  Saam barati  <sbarati@apple.com>
2624
2625         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2626         https://bugs.webkit.org/show_bug.cgi?id=191897
2627         <rdar://problem/45871998>
2628
2629         Reviewed by Mark Lam.
2630
2631         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2632         (bar):
2633         (foo):
2634
2635 2018-11-21  Saam barati  <sbarati@apple.com>
2636
2637         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2638         https://bugs.webkit.org/show_bug.cgi?id=191895
2639         <rdar://problem/46167406>
2640
2641         Reviewed by Mark Lam.
2642
2643         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2644         (foo):
2645         (bar):
2646
2647 2018-11-21  Mark Lam  <mark.lam@apple.com>
2648
2649         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2650         https://bugs.webkit.org/show_bug.cgi?id=191776
2651         <rdar://problem/46152851>
2652
2653         Reviewed by Saam Barati.
2654
2655         * stress/big-wasm-memory-grow-no-max.js:
2656         * stress/big-wasm-memory-grow.js:
2657         * stress/big-wasm-memory.js:
2658         - updated these to expect an OutOfMemoryError.
2659
2660         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2661         (Binary.prototype.emit_u8):
2662         (Binary.prototype.emit_u32v):
2663         (Binary.prototype.emit_header):
2664         (Binary.prototype.emit_section):
2665         (Binary):
2666         (WasmModuleBuilder):
2667         (WasmModuleBuilder.prototype.addMemory):
2668         (WasmModuleBuilder.prototype.toArray):
2669         (WasmModuleBuilder.prototype.toBuffer):
2670         (WasmModuleBuilder.prototype.instantiate):
2671         (catch):
2672         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2673         (catch):
2674
2675 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2676
2677         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2678         https://bugs.webkit.org/show_bug.cgi?id=190836
2679
2680         Reviewed by Saam Barati and Yusuke Suzuki.
2681
2682         * stress/big-int-out-of-memory-tests.js: Added.
2683
2684 2018-11-20  Mark Lam  <mark.lam@apple.com>
2685
2686         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2687         https://bugs.webkit.org/show_bug.cgi?id=191856
2688         <rdar://problem/46089992>
2689
2690         Reviewed by Yusuke Suzuki.
2691
2692         * stress/regress-191856.js: Added.
2693         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2694
2695 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2696
2697         Enable JIT on ARM/Linux
2698         https://bugs.webkit.org/show_bug.cgi?id=191548
2699
2700         Reviewed by Yusuke Suzuki.
2701
2702         Disable test on system with limited memory. Program was killed by
2703         the OS before the exception was thrown.
2704
2705         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2706
2707 2018-11-20  Saam barati  <sbarati@apple.com>
2708
2709         Merging an IC variant may lead to the IC status containing overlapping structure sets
2710         https://bugs.webkit.org/show_bug.cgi?id=191869
2711         <rdar://problem/45403453>
2712
2713         Reviewed by Mark Lam.
2714
2715         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2716
2717 2018-11-19  Mark Lam  <mark.lam@apple.com>
2718
2719         globalFuncImportModule() should return a promise when it clears exceptions.
2720         https://bugs.webkit.org/show_bug.cgi?id=191792
2721         <rdar://problem/46090763>
2722
2723         Reviewed by Michael Saboff.
2724
2725         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2726
2727 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2728
2729         Skip new memory-hungry tests on memory limited devices
2730
2731         Unreviewed gardening.
2732
2733         * stress/big-wasm-memory-grow-no-max.js:
2734         * stress/big-wasm-memory-grow.js:
2735         * stress/big-wasm-memory.js:
2736
2737 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2738
2739         Unreviewed, rolling in the rest of r237254
2740         https://bugs.webkit.org/show_bug.cgi?id=190340
2741
2742         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2743         * stress/function-cache-with-parameters-end-position.js: Added.
2744         (shouldBe):
2745         (shouldThrow):
2746         (i.anonymous):
2747         * stress/function-constructor-name.js: Added.
2748         (shouldBe):
2749         (GeneratorFunction):
2750         (AsyncFunction.async):
2751         (AsyncGeneratorFunction.async):
2752         (anonymous):
2753         (async.anonymous):
2754         * test262/expectations.yaml:
2755
2756 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2757
2758         All users of ArrayBuffer should agree on the same max size
2759         https://bugs.webkit.org/show_bug.cgi?id=191771
2760
2761         Reviewed by Mark Lam.
2762
2763         * stress/big-wasm-memory-grow-no-max.js: Added.
2764         (foo):
2765         (catch):
2766         * stress/big-wasm-memory-grow.js: Added.
2767         (foo):
2768         (catch):
2769         * stress/big-wasm-memory.js: Added.
2770         (foo):
2771         (catch):
2772
2773 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2774
2775         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2776         run for each JSC config since they're regression tests for runtime bugs.
2777
2778         * stress/json-stringified-overflow-2.js:
2779         * stress/json-stringified-overflow.js:
2780
2781 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2782
2783         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2784         config since they're regression tests for runtime bugs.
2785
2786         * stress/large-unshift-splice.js:
2787         * stress/regress-185888.js:
2788
2789 2018-11-16  Saam Barati  <sbarati@apple.com>
2790
2791         KnownCellUse should also have SpecCellCheck as its type filter
2792         https://bugs.webkit.org/show_bug.cgi?id=191729
2793         <rdar://problem/45872852>
2794
2795         Reviewed by Filip Pizlo.
2796
2797         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2798         (C):
2799
2800 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2801
2802         Fix assertion failure on BytecodeGenerator::recordOpcode
2803         https://bugs.webkit.org/show_bug.cgi?id=191724
2804         <rdar://problem/45724395>
2805
2806         Reviewed by Saam Barati.
2807
2808         * stress/regress-187373-2.js: Added.
2809         (foo):
2810
2811 2018-11-15  Mark Lam  <mark.lam@apple.com>
2812
2813         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2814         https://bugs.webkit.org/show_bug.cgi?id=191730
2815         <rdar://problem/46048517>
2816
2817         Reviewed by Saam Barati.
2818
2819         * stress/regress-187006.js: Removed.
2820           - this test is invalid because its sole purpose is to test for the non-spec
2821             compliant behavior that we just fixed.
2822
2823         * stress/regress-191730.js: Added.
2824
2825 2018-11-15  Mark Lam  <mark.lam@apple.com>
2826
2827         RegExp operations should not take fast path if lastIndex is not numeric.
2828         https://bugs.webkit.org/show_bug.cgi?id=191731
2829         <rdar://problem/46017305>
2830
2831         Reviewed by Saam Barati.
2832
2833         * stress/regress-191731.js: Added.
2834
2835 2018-11-13  Saam Barati  <sbarati@apple.com>
2836
2837         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2838         https://bugs.webkit.org/show_bug.cgi?id=191600
2839
2840         Reviewed by Mark Lam.
2841
2842         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2843         (foo):
2844         (test):
2845         (bar):
2846
2847 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2848
2849         Unreviewed, rolling out r238132.
2850
2851         The test added with this change is timing out on Debug JSC
2852         bots.
2853
2854         Reverted changeset:
2855
2856         "[BigInt] JSBigInt::createWithLength should throw when length
2857         is greater than JSBigInt::maxLength"
2858         https://bugs.webkit.org/show_bug.cgi?id=190836
2859         https://trac.webkit.org/changeset/238132
2860
2861 2018-11-13  Mark Lam  <mark.lam@apple.com>
2862
2863         Add OOM detection to StringPrototype's substituteBackreferences().
2864         https://bugs.webkit.org/show_bug.cgi?id=191563
2865         <rdar://problem/45720428>
2866
2867         Reviewed by Saam Barati.
2868
2869         * stress/regress-191563.js: Added.
2870
2871 2018-11-13  Mark Lam  <mark.lam@apple.com>
2872
2873         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2874         https://bugs.webkit.org/show_bug.cgi?id=191579
2875         <rdar://problem/45942472>
2876
2877         Reviewed by Saam Barati.
2878
2879         * stress/regress-191579.js: Added.
2880
2881 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2882
2883         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2884         https://bugs.webkit.org/show_bug.cgi?id=190836
2885
2886         Reviewed by Saam Barati.
2887
2888         * stress/big-int-out-of-memory-tests.js: Added.
2889
2890 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2891
2892         U+180E is no longer a whitespace character
2893         https://bugs.webkit.org/show_bug.cgi?id=191415
2894
2895         Reviewed by Saam Barati.
2896
2897         * ChakraCore/test/es5/regexSpace.baseline:
2898         * ChakraCore/test/es6/unicode_whitespace.js:
2899         Update tests to latest version.
2900         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2901
2902         * test262.yaml:
2903         * test262/config.yaml:
2904         * test262/expectations.yaml:
2905         Update expectations.
2906
2907 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2908
2909         [BigInt] Add support to BigInt into ValueAdd
2910         https://bugs.webkit.org/show_bug.cgi?id=186177
2911
2912         Reviewed by Keith Miller.
2913
2914         * stress/big-int-negate-jit.js:
2915         * stress/value-add-big-int-and-string.js: Added.
2916         * stress/value-add-big-int-prediction-propagation.js: Added.
2917         * stress/value-add-big-int-untyped.js: Added.
2918
2919 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2920
2921         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2922         https://bugs.webkit.org/show_bug.cgi?id=191184
2923
2924         Reviewed by Saam Barati.
2925
2926         Most tests were failing due to timeouts, since they are too slow to
2927         run on CLoop. The exceptions are:
2928
2929         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2930         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2931         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2932         to change the stack size since CLoop requires it to be page aligned.
2933
2934         * microbenchmarks/array-push-1.js:
2935         * microbenchmarks/array-push-2.js:
2936         * microbenchmarks/elidable-new-object-dag.js:
2937         * microbenchmarks/elidable-new-object-roflcopter.js:
2938         * microbenchmarks/elidable-new-object-tree.js:
2939         * microbenchmarks/getter-richards.js:
2940         * microbenchmarks/sinkable-new-object-dag.js:
2941         * microbenchmarks/string-concat-long-convert.js:
2942         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2943         * slowMicrobenchmarks/array-push-3.js:
2944         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2945         * slowMicrobenchmarks/spread-small-array.js:
2946         * slowMicrobenchmarks/undefined-property-access.js:
2947         * stress/activation-sink-default-value-tdz-error.js:
2948         * stress/activation-sink-default-value.js:
2949         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2950         * stress/activation-sink-osrexit-default-value.js:
2951         * stress/activation-sink-osrexit.js:
2952         * stress/activation-sink.js:
2953         * stress/allow-math-ic-b3-code-duplication.js:
2954         * stress/array-push-multiple-int32.js:
2955         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2956         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2957         * stress/arrowfunction-lexical-this-activation-sink.js:
2958         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2959         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2960         * stress/elide-new-object-dag-then-exit.js:
2961         * stress/materialize-regexp-cyclic.js:
2962         * stress/new-regex-inline.js:
2963         * stress/op_add.js:
2964         * stress/op_bitand.js:
2965         * stress/op_bitor.js:
2966         * stress/op_bitxor.js:
2967         * stress/op_div-ConstVar.js:
2968         * stress/op_div-VarConst.js:
2969         * stress/op_div-VarVar.js:
2970         * stress/op_lshift-ConstVar.js:
2971         * stress/op_lshift-VarConst.js:
2972         * stress/op_lshift-VarVar.js:
2973         * stress/op_mod-ConstVar.js:
2974         * stress/op_mod-VarConst.js:
2975         * stress/op_mod-VarVar.js:
2976         * stress/op_mul-ConstVar.js:
2977         * stress/op_mul-VarConst.js:
2978         * stress/op_mul-VarVar.js:
2979         * stress/op_rshift-ConstVar.js:
2980         * stress/op_rshift-VarConst.js:
2981         * stress/op_rshift-VarVar.js:
2982         * stress/op_sub-ConstVar.js:
2983         * stress/op_sub-VarConst.js:
2984         * stress/op_sub-VarVar.js:
2985         * stress/op_urshift-ConstVar.js:
2986         * stress/op_urshift-VarConst.js:
2987         * stress/op_urshift-VarVar.js:
2988         * stress/proxy-get-set-correct-receiver.js:
2989         * stress/regress-179562.js:
2990         * stress/rest-parameter-many-arguments.js:
2991         * stress/sampling-profiler-richards.js:
2992         * stress/splay-flash-access-1ms.js:
2993         * stress/tailCallForwardArguments.js:
2994         * stress/typed-array-get-by-val-profiling.js:
2995         * typeProfiler/getter-richards.js:
2996
2997 2018-11-06  Michael Saboff  <msaboff@apple.com>
2998
2999         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3000         https://bugs.webkit.org/show_bug.cgi?id=191271
3001
3002         Reviewed by Saam Barati.
3003
3004         Added more test cases and made all test cases run with the same deeply recursive stack
3005         instead of finding that same point for each test case.
3006
3007         * stress/regexp-compile-oom.js:
3008         (prototype.runTest):
3009         (recurseAndTest):
3010         (testList.push.new.TestAndExpectedException):
3011
3012 2018-11-05  Michael Saboff  <msaboff@apple.com>
3013
3014         Unreviewed build fix for linux.
3015
3016         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3017
3018 2018-11-02  Michael Saboff  <msaboff@apple.com>
3019
3020         Rolling in r237753 with unreviewed build fix.
3021
3022         Fixed issues with DECLARE_THROW_SCOPE placement.
3023
3024 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3025
3026         Unreviewed, rolling out r237753.
3027
3028         Introduced JSC test failures
3029
3030         Reverted changeset:
3031
3032         "Running out of stack space not properly handled in
3033         RegExp::compile() and its callers"
3034         https://bugs.webkit.org/show_bug.cgi?id=191206
3035         https://trac.webkit.org/changeset/237753
3036
3037 2018-11-02  Michael Saboff  <msaboff@apple.com>
3038
3039         Running out of stack space not properly handled in RegExp::compile() and its callers
3040         https://bugs.webkit.org/show_bug.cgi?id=191206
3041
3042         Reviewed by Filip Pizlo.
3043
3044         New regression test.
3045
3046         * stress/regexp-compile-oom.js: Added.
3047         (recurseAndTest):
3048
3049 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3050
3051         Skip tests on arm/mips that time out now we're running on CLoop
3052
3053         Unreviewed gardening.
3054
3055         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3056         time out on the bots and need to be disabled. There's more tests
3057         disabled on arm because the timeout is longer on the mips bot (as the
3058         device is slower to start with), so many of the tests don't time out
3059         there.
3060
3061         * microbenchmarks/getter-richards.js: disable on arm and mips.
3062         * stress/op_add.js: disable on arm.
3063         * stress/op_bitand.js: disable on arm.
3064         * stress/op_bitor.js: disable on arm.
3065         * stress/op_bitxor.js: disable on arm.
3066         * stress/op_lshift-ConstVar.js: disable on arm.
3067         * stress/op_lshift-VarConst.js: disable on arm.
3068         * stress/op_lshift-VarVar.js: disable on arm.
3069         * stress/op_mod-ConstVar.js: disable on arm.
3070         * stress/op_mod-VarConst.js: disable on arm.
3071         * stress/op_mod-VarVar.js: disable on arm.
3072         * stress/op_mul-ConstVar.js: disable on arm.
3073         * stress/op_mul-VarConst.js: disable on arm.
3074         * stress/op_mul-VarVar.js: disable on arm.
3075         * stress/op_rshift-ConstVar.js: disable on arm.
3076         * stress/op_rshift-VarConst.js: disable on arm.
3077         * stress/op_rshift-VarVar.js: disable on arm.
3078         * stress/op_sub-ConstVar.js: disable on arm.
3079         * stress/op_sub-VarConst.js: disable on arm.
3080         * stress/op_sub-VarVar.js: disable on arm.
3081         * stress/op_urshift-ConstVar.js: disable on arm.
3082         * stress/op_urshift-VarConst.js: disable on arm.
3083         * stress/op_urshift-VarVar.js: disable on arm.
3084         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3085         * stress/value-to-boolean.js: disable on arm and mips.
3086
3087 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3088
3089         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3090         https://bugs.webkit.org/show_bug.cgi?id=191108
3091         <rdar://problem/45690700>
3092
3093         Reviewed by Saam Barati.
3094
3095         * stress/wide-op_catch.js: Added.
3096         (catch):
3097
3098 2018-10-29  Mark Lam  <mark.lam@apple.com>
3099
3100         Correctly detect string overflow when using the 'Function' constructor.
3101         https://bugs.webkit.org/show_bug.cgi?id=184883
3102         <rdar://problem/36320331>
3103
3104         Reviewed by Saam Barati.
3105
3106         I've verified that this passes on 32-bit as well.
3107
3108         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3109
3110 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3111
3112         Add support for GetStack FlushedDouble
3113         https://bugs.webkit.org/show_bug.cgi?id=191012
3114         <rdar://problem/45265141>
3115
3116         Reviewed by Saam Barati.
3117
3118         * stress/get-stack-double.js: Added.
3119         (bar):
3120         (noInline):
3121
3122 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3123
3124         New bytecode format for JSC
3125         https://bugs.webkit.org/show_bug.cgi?id=187373
3126         <rdar://problem/44186758>
3127
3128         Reviewed by Filip Pizlo.
3129
3130         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3131
3132         * stress/maximum-inline-capacity.js: Added.
3133         (test1):
3134         (test3.Foo):
3135         (test3):
3136
3137 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3138
3139         Unreviewed, rolling out r237479 and r237484.
3140         https://bugs.webkit.org/show_bug.cgi?id=190978
3141
3142         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3143
3144         Reverted changesets:
3145
3146         "New bytecode format for JSC"
3147         https://bugs.webkit.org/show_bug.cgi?id=187373
3148         https://trac.webkit.org/changeset/237479
3149
3150         "Gardening: Build fix after r237479."
3151         https://bugs.webkit.org/show_bug.cgi?id=187373
3152         https://trac.webkit.org/changeset/237484
3153
3154 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3155
3156         New bytecode format for JSC
3157         https://bugs.webkit.org/show_bug.cgi?id=187373
3158         <rdar://problem/44186758>
3159
3160         Reviewed by Filip Pizlo.
3161
3162         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3163
3164         * stress/maximum-inline-capacity.js: Added.
3165         (test1):
3166         (test3.Foo):
3167         (test3):
3168
3169 2018-10-26  Mark Lam  <mark.lam@apple.com>
3170
3171         Fix missing edge cases with JSGlobalObjects having a bad time.
3172         https://bugs.webkit.org/show_bug.cgi?id=189028
3173         <rdar://problem/45204939>
3174
3175         Reviewed by Saam Barati.
3176
3177         * stress/regress-189028.js: Added.
3178
3179 2018-10-22  Mark Lam  <mark.lam@apple.com>
3180
3181         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3182         https://bugs.webkit.org/show_bug.cgi?id=190515
3183         <rdar://problem/45222379>
3184
3185         Rubber-stamped by Saam Barati.
3186
3187         Adding another test.
3188
3189         * stress/regress-190515-2.js: Added.
3190
3191 2018-10-22  Mark Lam  <mark.lam@apple.com>
3192
3193         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3194         https://bugs.webkit.org/show_bug.cgi?id=190515
3195         <rdar://problem/45222379>
3196
3197         Reviewed by Saam Barati.
3198
3199         * stress/regress-190515.js: Added.
3200
3201 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3202
3203         Unreviewed, rolling out r237254.
3204         https://bugs.webkit.org/show_bug.cgi?id=190760
3205
3206         "It regresses JetStream 2 by 5% on some iOS devices"
3207         (Requested by saamyjoon on #webkit).
3208
3209         Reverted changeset:
3210
3211         "[JSC] JSC should have "parseFunction" to optimize Function
3212         constructor"
3213         https://bugs.webkit.org/show_bug.cgi?id=190340
3214         https://trac.webkit.org/changeset/237254
3215
3216 2018-10-19  Saam Barati  <sbarati@apple.com>
3217
3218         vmCall should check if we exit before emitting an OSR exit due to exceptions
3219         https://bugs.webkit.org/show_bug.cgi?id=190740
3220         <rdar://problem/45220139>
3221
3222         Reviewed by Mark Lam.
3223
3224         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3225         (foo):
3226
3227 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3228
3229         [ESNext][BigInt] Implement support for "^"
3230         https://bugs.webkit.org/show_bug.cgi?id=186235
3231
3232         Reviewed by Yusuke Suzuki.
3233
3234         * stress/big-int-bitwise-xor-general.js: Added.
3235         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3236         * stress/big-int-bitwise-xor-type-error.js: Added.
3237         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3238
3239 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3240
3241         [BigInt] Add ValueSub into DFG
3242         https://bugs.webkit.org/show_bug.cgi?id=186176
3243
3244         Reviewed by Yusuke Suzuki.
3245
3246         * stress/big-int-subtraction-jit.js:
3247         * stress/value-sub-big-int-prediction-propagation.js: Added.
3248         * stress/value-sub-big-int-untyped.js: Added.
3249         * stress/value-sub-spec-none-case.js: Added.
3250
3251 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3252
3253         [JSC] JSC should have "parseFunction" to optimize Function constructor
3254         https://bugs.webkit.org/show_bug.cgi?id=190340
3255
3256         Reviewed by Mark Lam.
3257
3258         This patch fixes the line number of syntax errors raised by the Function constructor,
3259         since we now parse the final code only once. And we no longer use block statement
3260         for Function constructor's parsing.
3261
3262         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3263         * stress/function-cache-with-parameters-end-position.js: Added.
3264         (shouldBe):
3265         (shouldThrow):
3266         (i.anonymous):
3267         * stress/function-constructor-name.js: Added.
3268         (shouldBe):
3269         (GeneratorFunction):
3270         (AsyncFunction.async):
3271         (AsyncGeneratorFunction.async):
3272         (anonymous):
3273         (async.anonymous):
3274         * test262/expectations.yaml:
3275
3276 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3277
3278         Unreviewed, rolling out r237242.
3279         https://bugs.webkit.org/show_bug.cgi?id=190701
3280
3281         it breaks "stress/sampling-profiler-basic.js" (Requested by
3282         caiolima on #webkit).
3283
3284         Reverted changeset:
3285
3286         "[BigInt] Add ValueSub into DFG"
3287         https://bugs.webkit.org/show_bug.cgi?id=186176
3288         https://trac.webkit.org/changeset/237242
3289
3290 2018-10-17  Keith Miller  <keith_miller@apple.com>
3291
3292         AI does not clear Phantom allocation nodes.
3293         https://bugs.webkit.org/show_bug.cgi?id=190694
3294
3295         Reviewed by Saam Barati.
3296
3297         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3298         (Day):
3299         (DaysInYear):
3300         (TimeInYear):
3301         (TimeFromYear):
3302         (DayFromYear):
3303         (InLeapYear):
3304         (YearFromTime):
3305         (WeekDay):
3306         (DaylightSavingTA):
3307         (GetSecondSundayInMarch):
3308         (TimeInMonth):
3309
3310 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3311
3312         [BigInt] Add ValueSub into DFG
3313         https://bugs.webkit.org/show_bug.cgi?id=186176
3314
3315         Reviewed by Yusuke Suzuki.
3316
3317         * stress/big-int-subtraction-jit.js:
3318         * stress/value-sub-big-int-prediction-propagation.js: Added.
3319         * stress/value-sub-big-int-untyped.js: Added.
3320
3321 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3322
3323         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3324         https://bugs.webkit.org/show_bug.cgi?id=190611
3325
3326         Reviewed by Saam Barati.
3327
3328         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3329         to improve test runtime. On ARM/MIPS this test even timed out when running all
3330         tests.
3331
3332         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3333         (test):
3334
3335 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3336
3337         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3338
3339         Unreviewed gardening.
3340
3341         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3342
3343 2018-10-15  Saam barati  <sbarati@apple.com>
3344
3345         Emit fjcvtzs on ARM64E on Darwin
3346         https://bugs.webkit.org/show_bug.cgi?id=184023
3347
3348         Reviewed by Yusuke Suzuki and Filip Pizlo.
3349
3350         * stress/double-to-int32-NaN.js: Added.
3351         (assert):
3352         (foo):
3353
3354 2018-10-15  Saam Barati  <sbarati@apple.com>
3355
3356         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3357         https://bugs.webkit.org/show_bug.cgi?id=190262
3358         <rdar://problem/44986241>
3359
3360         Reviewed by Mark Lam.
3361
3362         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3363         (test):
3364         * stress/slice-array-storage-with-holes.js: Added.
3365         (main):
3366
3367 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3368
3369         Unreviewed, rolling out r237054.
3370         https://bugs.webkit.org/show_bug.cgi?id=190593
3371
3372         "this regressed JetStream 2 by 6% on iOS" (Requested by
3373         saamyjoon on #webkit).
3374
3375         Reverted changeset:
3376
3377         "[JSC] JSC should have "parseFunction" to optimize Function
3378         constructor"
3379         https://bugs.webkit.org/show_bug.cgi?id=190340
3380         https://trac.webkit.org/changeset/237054
3381
3382 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3383
3384         [JSC] JSON.stringify can accept call-with-no-arguments
3385         https://bugs.webkit.org/show_bug.cgi?id=190343
3386
3387         Reviewed by Mark Lam.
3388
3389         * stress/json-stringify-no-arguments.js: Added.
3390         (shouldBe):
3391
3392 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3393
3394         [JSC] JSC should have "parseFunction" to optimize Function constructor
3395         https://bugs.webkit.org/show_bug.cgi?id=190340
3396
3397         Reviewed by Mark Lam.
3398
3399         This patch fixes the line number of syntax errors raised by the Function constructor,
3400         since we now parse the final code only once. And we no longer use block statement
3401         for Function constructor's parsing.
3402
3403         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3404         * stress/function-cache-with-parameters-end-position.js: Added.
3405         (shouldBe):
3406         (shouldThrow):
3407         (i.anonymous):
3408         * stress/function-constructor-name.js: Added.
3409         (shouldBe):
3410         (GeneratorFunction):
3411         (AsyncFunction.async):
3412         (AsyncGeneratorFunction.async):
3413         (anonymous):
3414         (async.anonymous):
3415         * test262/expectations.yaml:
3416
3417 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3418
3419         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3420         https://bugs.webkit.org/show_bug.cgi?id=190426
3421
3422         Unreviewed gardening.
3423
3424         * stress/sampling-profiler-richards.js:
3425
3426 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3427
3428         [ESNext][BigInt] Implement support for "|"
3429         https://bugs.webkit.org/show_bug.cgi?id=186229
3430
3431         Reviewed by Yusuke Suzuki.
3432
3433         * stress/big-int-bitwise-and-jit.js:
3434         * stress/big-int-bitwise-or-general.js: Added.
3435         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3436         * stress/big-int-bitwise-or-jit.js: Added.
3437         * stress/big-int-bitwise-or-memory-stress.js: Added.
3438         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3439         * stress/big-int-bitwise-or-type-error.js: Added.
3440         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3441
3442 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3443
3444         Skip test on systems with limited memory
3445         https://bugs.webkit.org/show_bug.cgi?id=190310
3446
3447         Invoking runDefault adds test to runlist, skipping the test in the next
3448         line does not prevent the test from executing. Change order of lines such
3449         that runDefault is only executed if test is not executed.
3450
3451         Reviewed by Mark Lam.
3452
3453         * stress/regress-190187.js:
3454
3455 2018-10-03  Saam barati  <sbarati@apple.com>
3456
3457         lowXYZ in FTLLower should always filter the type of the incoming edge
3458         https://bugs.webkit.org/show_bug.cgi?id=189939
3459         <rdar://problem/44407030>
3460
3461         Reviewed by Michael Saboff.
3462
3463         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3464         (foo):
3465         (test):
3466
3467 2018-10-03  Mark Lam  <mark.lam@apple.com>
3468
3469         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3470         https://bugs.webkit.org/show_bug.cgi?id=190187
3471         <rdar://problem/42512909>
3472
3473         Reviewed by Michael Saboff.
3474
3475         * stress/regress-190187.js: Added.
3476
3477 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3478
3479         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3480         https://bugs.webkit.org/show_bug.cgi?id=190033
3481
3482         Reviewed by Yusuke Suzuki.
3483
3484         * stress/big-int-to-string.js:
3485
3486 2018-10-01  Mark Lam  <mark.lam@apple.com>
3487
3488         Function.toString() should also copy the source code Functions that are class definitions.
3489         https://bugs.webkit.org/show_bug.cgi?id=190186
3490         <rdar://problem/44733360>
3491
3492         Reviewed by Saam Barati.
3493
3494         * stress/regress-190186.js: Added.
3495
3496 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3497
3498         Split NaN-check into separate test
3499         https://bugs.webkit.org/show_bug.cgi?id=190010
3500
3501         Reviewed by Saam Barati.
3502
3503         DataView exposes NaN-representation, which is not necessarily the same on each
3504         architecture. Therefore move the check of the NaN-representation into its own
3505         file such that we can disable this test on MIPS where NaN-representation can be
3506         different on older CPUs.
3507
3508         * stress/dataview-jit-set-nan.js: Added.
3509         (assert):
3510         (test.storeLittleEndian):
3511         (test.storeBigEndian):
3512         (test.store):
3513         (test):
3514         * stress/dataview-jit-set.js:
3515         (test5):
3516
3517 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3518
3519         Unreviewed, rolling out r236647.
3520         https://bugs.webkit.org/show_bug.cgi?id=190124
3521
3522         Breaking test stress/big-int-to-string.js (Requested by
3523         caiolima_ on #webkit).
3524
3525         Reverted changeset:
3526
3527         "[BigInt] BigInt.prototype.toString is broken when radix is
3528         power of 2"
3529         https://bugs.webkit.org/show_bug.cgi?id=190033
3530         https://trac.webkit.org/changeset/236647
3531
3532 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3533
3534         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3535         https://bugs.webkit.org/show_bug.cgi?id=190033
3536
3537         Reviewed by Yusuke Suzuki.
3538
3539         * stress/big-int-to-string.js:
3540
3541 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3542
3543         [ESNext][BigInt] Implement support for "&"
3544         https://bugs.webkit.org/show_bug.cgi?id=186228
3545
3546         Reviewed by Yusuke Suzuki.
3547
3548         * stress/big-int-bitwise-and-general.js: Added.
3549         (assert):
3550         (assert.sameValue):
3551         * stress/big-int-bitwise-and-jit.js: Added.
3552         (let.assert.sameValue):
3553         (bigIntBitAnd):
3554         * stress/big-int-bitwise-and-memory-stress.js: Added.
3555         (assert):
3556         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3557         (assert.sameValue):
3558         (let.o.Symbol.toPrimitive):
3559         (catch):
3560         * stress/big-int-bitwise-and-type-error.js: Added.
3561         (assert):
3562         (assertThrowTypeError):
3563         (let.o.valueOf):
3564         (o.valueOf):
3565         (o.toString):
3566         (o.Symbol.toPrimitive):
3567         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3568         (assert.sameValue):
3569         (testBitAnd):
3570         (let.o.Symbol.toPrimitive):
3571         (o.valueOf):
3572         (o.toString):
3573
3574 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3575
3576         JSC test stress/jsc-read.js doesn't support CRLF
3577         https://bugs.webkit.org/show_bug.cgi?id=190063
3578
3579         Reviewed by Yusuke Suzuki.
3580
3581         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3582
3583         * stress/jsc-read.js:
3584         (test):
3585
3586 2018-09-27  Saam barati  <sbarati@apple.com>
3587
3588         Verify the contents of AssemblerBuffer on arm64e
3589         https://bugs.webkit.org/show_bug.cgi?id=190057
3590         <rdar://problem/38916630>
3591
3592         Reviewed by Mark Lam.
3593
3594         * stress/regress-189132.js:
3595
3596 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3597
3598         Disable test without LLInt on ARMv7
3599         https://bugs.webkit.org/show_bug.cgi?id=190037
3600
3601         Reviewed by Mark Lam.
3602
3603         Test runs out of executable memory on ARMv7, do not run
3604         this test without LLInt enabled.
3605
3606         * stress/regress-169445.js:
3607
3608 2018-09-26  Keith Miller  <keith_miller@apple.com>
3609
3610         We should zero unused property storage when rebalancing array storage.
3611         https://bugs.webkit.org/show_bug.cgi?id=188151
3612
3613         Reviewed by Michael Saboff.
3614
3615         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3616
3617 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3618
3619         [JSC] Optimize Array#lastIndexOf
3620         https://bugs.webkit.org/show_bug.cgi?id=189780
3621
3622         Reviewed by Saam Barati.
3623
3624         * stress/array-lastindexof-array-prototype-trap.js: Added.
3625         (shouldBe):
3626         (AncestorArray.prototype.get 2):
3627         (AncestorArray):
3628         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3629         (shouldBe):
3630         * stress/array-lastindexof-hole-nan.js: Added.
3631         (shouldBe):
3632         (throw.new.Error):
3633         * stress/array-lastindexof-infinity.js: Added.
3634         (shouldBe):
3635         (throw.new.Error):
3636         * stress/array-lastindexof-negative-zero.js: Added.
3637         (shouldBe):
3638         (throw.new.Error):
3639         * stress/array-lastindexof-own-getter.js: Added.
3640         (shouldBe):
3641         (throw.new.Error.get array):
3642         (get array):
3643         * stress/array-lastindexof-prototype-trap.js: Added.
3644         (shouldBe):
3645         (DerivedArray.prototype.get 2):
3646         (DerivedArray):
3647
3648 2018-09-25  Saam Barati  <sbarati@apple.com>
3649
3650         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3651         https://bugs.webkit.org/show_bug.cgi?id=189940
3652         <rdar://problem/43640987>
3653
3654         Reviewed by Mark Lam.
3655
3656         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3657
3658 2018-09-24  Saam Barati  <sbarati@apple.com>
3659
3660         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3661         https://bugs.webkit.org/show_bug.cgi?id=189922
3662         <rdar://problem/44651275>
3663
3664         Reviewed by Mark Lam.
3665
3666         * stress/array-indexof-fast-path-effects.js: Added.
3667         * stress/array-indexof-cached-length.js: Added.
3668
3669 2018-09-24  Saam barati  <sbarati@apple.com>
3670
3671         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3672         https://bugs.webkit.org/show_bug.cgi?id=189682
3673         <rdar://problem/43557315>
3674
3675         Reviewed by Mark Lam.
3676
3677         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3678         (foo):
3679
3680 2018-09-22  Saam barati  <sbarati@apple.com>
3681
3682         The sampling should not use Strong<CodeBlock> in its machineLocation field
3683         https://bugs.webkit.org/show_bug.cgi?id=189319
3684
3685         Reviewed by Filip Pizlo.
3686
3687         * stress/sampling-profiler-richards.js: Added.
3688
3689 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3690
3691         [JSC] Optimize Array#indexOf in C++ runtime
3692         https://bugs.webkit.org/show_bug.cgi?id=189507
3693
3694         Reviewed by Saam Barati.
3695
3696         * stress/array-indexof-array-prototype-trap.js: Added.
3697         (shouldBe):
3698         (AncestorArray.prototype.get 2):
3699         (AncestorArray):
3700         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3701         (shouldBe):
3702         * stress/array-indexof-hole-nan.js: Added.
3703         (shouldBe):
3704         (throw.new.Error):
3705         * stress/array-indexof-infinity.js: Added.
3706         (shouldBe):
3707         (throw.new.Error):
3708         * stress/array-indexof-negative-zero.js: Added.
3709         (shouldBe):
3710         (throw.new.Error):
3711         * stress/array-indexof-own-getter.js: Added.
3712         (shouldBe):
3713         (throw.new.Error.get array):
3714         (get array):
3715         * stress/array-indexof-prototype-trap.js: Added.
3716         (shouldBe):
3717         (DerivedArray.prototype.get 2):
3718         (DerivedArray):
3719
3720 2018-09-19  Saam barati  <sbarati@apple.com>
3721
3722         AI rule for MultiPutByOffset executes its effects in the wrong order
3723         https://bugs.webkit.org/show_bug.cgi?id=189757
3724         <rdar://problem/43535257>
3725
3726         Reviewed by Michael Saboff.
3727
3728         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3729         (foo):
3730         (Foo):
3731         (g):
3732
3733 2018-09-17  Mark Lam  <mark.lam@apple.com>
3734
3735         Ensure that ForInContexts are invalidated if their loop local is over-written.
3736         https://bugs.webkit.org/show_bug.cgi?id=189571
3737         <rdar://problem/44402277>
3738
3739         Reviewed by Saam Barati.
3740
3741         * stress/regress-189571.js: Added.
3742
3743 2018-09-17  Saam barati  <sbarati@apple.com>
3744
3745         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3746         https://bugs.webkit.org/show_bug.cgi?id=189676
3747         <rdar://problem/39682897>
3748
3749         Reviewed by Michael Saboff.
3750
3751         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3752         (A):
3753         (K):
3754         (i.catch):
3755
3756 2018-09-14  Saam barati  <sbarati@apple.com>
3757
3758         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3759         https://bugs.webkit.org/show_bug.cgi?id=189628
3760         <rdar://problem/39481690>
3761
3762         Reviewed by Mark Lam.
3763
3764         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3765         (foo):
3766
3767 2018-09-11  Mark Lam  <mark.lam@apple.com>
3768
3769         Test for array initialization in arrayProtoFuncSplice.
3770         https://bugs.webkit.org/show_bug.cgi?id=170253
3771         <rdar://problem/31328773>
3772
3773         Rubber-stamped by Saam Barati.
3774
3775         * stress/regress-170253.js: Added.
3776
3777 2018-09-11  Mark Lam  <mark.lam@apple.com>
3778
3779         Test for IntlObject initialization.
3780         https://bugs.webkit.org/show_bug.cgi?id=170251
3781         <rdar://problem/31328419>
3782
3783         Rubber-stamped by Saam Barati.
3784
3785         * stress/regress-170251.js: Added.
3786
3787 2018-09-11  Mark Lam  <mark.lam@apple.com>
3788
3789         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3790         https://bugs.webkit.org/show_bug.cgi?id=169889
3791         <rdar://problem/31155607>
3792
3793         Reviewed by Saam Barati.
3794
3795         * stress/regress-169889-array-concat.js: Added.
3796         * stress/regress-169889-array-concat1.js: Added.
3797         * stress/regress-169889-array-slice.js: Added.
3798
3799 2018-09-11  Mark Lam  <mark.lam@apple.com>
3800
3801         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3802         https://bugs.webkit.org/show_bug.cgi?id=169445
3803         <rdar://problem/30957435>
3804
3805         Reviewed by Saam Barati.
3806
3807         * stress/regress-169445.js: Added.
3808         (let.gun.eval.A):
3809         (let.gun.eval.B.C):
3810         (let.gun.eval.B.C.prototype.trigger):
3811         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3812         (let.gun.eval.B):
3813         (let.gun.eval):
3814
3815 == Rolled over to ChangeLog-2018-09-11 ==