Unreviewed, reduce # of iterations to avoid timing out after r242991
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         Unreviewed, reduce # of iterations to avoid timing out after r242991
4         https://bugs.webkit.org/show_bug.cgi?id=195791
5
6         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
7
8         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
9
10 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
11
12         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
13         https://bugs.webkit.org/show_bug.cgi?id=195950
14
15         Unreviewed, reducing the amount of memory used on this test to avoid
16         OOM on devices with memory restrictions.
17
18         * microbenchmarks/generate-multiple-llint-entrypoints.js:
19
20 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
21
22         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
23         https://bugs.webkit.org/show_bug.cgi?id=194648
24
25         Reviewed by Keith Miller.
26
27         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
28
29 2019-03-18  Mark Lam  <mark.lam@apple.com>
30
31         Missing a ThrowScope release in JSObject::toString().
32         https://bugs.webkit.org/show_bug.cgi?id=195893
33         <rdar://problem/48970986>
34
35         Reviewed by Michael Saboff.
36
37         * stress/to-string-exception-check-release.js: Added.
38
39 2019-03-18  Mark Lam  <mark.lam@apple.com>
40
41         Structure::flattenDictionary() should clear unused property slots.
42         https://bugs.webkit.org/show_bug.cgi?id=195871
43         <rdar://problem/48959497>
44
45         Reviewed by Michael Saboff.
46
47         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
48
49 2019-03-15  Mark Lam  <mark.lam@apple.com>
50
51         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
52         https://bugs.webkit.org/show_bug.cgi?id=195827
53         <rdar://problem/48845513>
54
55         Reviewed by Filip Pizlo.
56
57         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
58
59 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
60
61         [ARM,MIPS] Skip slow tests
62         https://bugs.webkit.org/show_bug.cgi?id=195799
63
64         Unreviewed, test does not finish on ARM and MIPS within the
65         timeout limit.
66
67         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
68
69 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
70
71         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
72         https://bugs.webkit.org/show_bug.cgi?id=195791
73         <rdar://problem/48806130>
74
75         Reviewed by Mark Lam.
76
77         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
78         (foo):
79
80 2019-03-14  Saam barati  <sbarati@apple.com>
81
82         We can't remove code after ForceOSRExit until after FixupPhase
83         https://bugs.webkit.org/show_bug.cgi?id=186916
84         <rdar://problem/41396612>
85
86         Reviewed by Yusuke Suzuki.
87
88         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
89         (foo):
90         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
91         (foo):
92
93 2019-03-13  Michael Saboff  <msaboff@apple.com>
94
95         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
96         https://bugs.webkit.org/show_bug.cgi?id=195735
97
98         Reviewed by Mark Lam.
99
100         New regression test.
101
102         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
103         (foo):
104         (bar):
105
106 2019-03-14  Saam barati  <sbarati@apple.com>
107
108         Fixup uses KnownInt32 incorrectly in some nodes
109         https://bugs.webkit.org/show_bug.cgi?id=195279
110         <rdar://problem/47915654>
111
112         Reviewed by Yusuke Suzuki.
113
114         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
115         (foo):
116
117 2019-03-14  Keith Miller  <keith_miller@apple.com>
118
119         DFG liveness can't skip tail caller inline frames
120         https://bugs.webkit.org/show_bug.cgi?id=195715
121
122         Reviewed by Saam Barati.
123
124         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
125         (i.foo):
126
127 2019-03-13  Mark Lam  <mark.lam@apple.com>
128
129         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
130         https://bugs.webkit.org/show_bug.cgi?id=195415
131
132         Not reviewed.
133
134         Changed these tests to only run the default configuration.
135         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
136         There's no strong need to run this test on that variant.
137
138         * stress/dfg-to-string-on-int-does-gc.js:
139         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
140
141 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
142
143         String overflow when using StringBuilder in JSC::createError
144         https://bugs.webkit.org/show_bug.cgi?id=194957
145
146         Reviewed by Mark Lam.
147
148         Add test string-overflow-createError-bulder.js that overflows
149         StringBuilder in notAFunctionSourceAppender. The second new test
150         string-overflow-createError-fit.js has an error message that doesn't
151         overflow, it still failed since the String's capacity can't be doubled.
152         Run test string-overflow-createError.js only in the default
153         configuration to reduce memory consumption when running the test
154         in all configurations on multiple CPUs in parallel.
155
156         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
157         (catch):
158         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
159         (catch):
160         * stress/string-overflow-createError.js:
161
162 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
163
164         [JSC] OSR entry should respect abstract values in addition to flush formats
165         https://bugs.webkit.org/show_bug.cgi?id=195653
166
167         Reviewed by Mark Lam.
168
169         * stress/osr-entry-locals-none.js: Added.
170
171 2019-03-12  Michael Saboff  <msaboff@apple.com>
172
173         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
174         https://bugs.webkit.org/show_bug.cgi?id=195613
175
176         Reviewed by Mark Lam.
177
178         New regression test.
179
180         * stress/regexp-backref-inbounds.js: Added.
181         (testRegExp):
182
183 2019-03-12  Mark Lam  <mark.lam@apple.com>
184
185         The HasIndexedProperty node does GC.
186         https://bugs.webkit.org/show_bug.cgi?id=195559
187         <rdar://problem/48767923>
188
189         Reviewed by Yusuke Suzuki.
190
191         * stress/HasIndexedProperty-does-gc.js: Added.
192
193 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
194
195         [ESNext][BigInt] Implement "~" unary operation
196         https://bugs.webkit.org/show_bug.cgi?id=182216
197
198         Reviewed by Keith Miller.
199
200         * stress/big-int-bit-not-general.js: Added.
201         * stress/big-int-bitwise-not-jit.js: Added.
202         * stress/big-int-bitwise-not-wrapped-value.js: Added.
203         * stress/bit-op-with-object-returning-int32.js:
204         * stress/bitwise-not-fixup-rules.js: Added.
205         * stress/value-bit-not-ai-rule.js: Added.
206
207 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
208
209         Invalid flags in a RegExp literal should be an early SyntaxError
210         https://bugs.webkit.org/show_bug.cgi?id=195514
211
212         Reviewed by Darin Adler.
213
214         * test262/expectations.yaml:
215         Mark 4 test cases as passing.
216
217         * stress/regexp-syntax-error-invalid-flags.js:
218         * stress/regress-161995.js: Removed.
219         Update existing test, merging in an older test for the same behavior.
220
221 2019-03-08  Mark Lam  <mark.lam@apple.com>
222
223         Stack overflow crash in JSC::JSObject::hasInstance.
224         https://bugs.webkit.org/show_bug.cgi?id=195458
225         <rdar://problem/48710195>
226
227         Reviewed by Yusuke Suzuki.
228
229         * stress/stack-overflow-in-custom-hasInstance.js: Added.
230
231 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
232
233         op_check_tdz does not def its argument
234         https://bugs.webkit.org/show_bug.cgi?id=192880
235         <rdar://problem/46221598>
236
237         Reviewed by Saam Barati.
238
239         * microbenchmarks/let-for-in.js: Added.
240         (foo):
241
242 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
243
244         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
245         https://bugs.webkit.org/show_bug.cgi?id=195429
246
247         Reviewed by Saam Barati.
248
249         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
250         (foo):
251         * stress/string-from-char-code-255.js: Added.
252
253 2019-03-06  Mark Lam  <mark.lam@apple.com>
254
255         Fix incorrect handling of try-finally completion values.
256         https://bugs.webkit.org/show_bug.cgi?id=195131
257         <rdar://problem/46222079>
258
259         Reviewed by Saam Barati and Yusuke Suzuki.
260
261         Added many permutations of new test case to test-finally.js.  test-finally.js has
262         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
263         tests passes there as well.
264
265         * stress/test-finally.js:
266
267 2019-03-06  Saam Barati  <sbarati@apple.com>
268
269         Air::reportUsedRegisters must padInterference
270         https://bugs.webkit.org/show_bug.cgi?id=195303
271         <rdar://problem/48270343>
272
273         Reviewed by Keith Miller.
274
275         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
276
277 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
278
279         [JSC] AI should not propagate AbstractValue relying on constant folding phase
280         https://bugs.webkit.org/show_bug.cgi?id=195375
281
282         Reviewed by Saam Barati.
283
284         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
285         (let.array):
286
287 2019-03-05  Saam barati  <sbarati@apple.com>
288
289         op_switch_char broken for rope strings after JSRopeString layout rewrite
290         https://bugs.webkit.org/show_bug.cgi?id=195339
291         <rdar://problem/48592545>
292
293         Reviewed by Yusuke Suzuki.
294
295         * stress/switch-on-char-llint-rope.js: Added.
296
297 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
298
299         [JSC] Store bits for JSRopeString in 3 stores
300         https://bugs.webkit.org/show_bug.cgi?id=195234
301
302         Reviewed by Saam Barati.
303
304         * stress/null-rope-and-collectors.js: Added.
305
306 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
307
308         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
309         https://bugs.webkit.org/show_bug.cgi?id=195207
310
311         Unreviewed. After test runtime was reduced in r242213, test can be
312         run again on ARM/MIPS.
313
314         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
315
316 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
317
318         [JSC] sizeof(JSString) should be 16
319         https://bugs.webkit.org/show_bug.cgi?id=194375
320
321         Reviewed by Saam Barati.
322
323         * microbenchmarks/make-rope.js: Added.
324         (makeRope):
325         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
326         (returnRope.helper): Deleted.
327         (returnRope): Deleted.
328
329 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
330
331         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
332         https://bugs.webkit.org/show_bug.cgi?id=195144
333
334         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
335         Change the number from 1e8 to 1e5.
336
337         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
338         (foo):
339
340 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
341
342         Test times out on ARM/MIPS
343         https://bugs.webkit.org/show_bug.cgi?id=195168
344
345         Unreviewed. Skip test on ARM/MIPS.
346
347         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
348
349 2019-02-27  Mark Lam  <mark.lam@apple.com>
350
351         The parser is failing to record the token location of new in new.target.
352         https://bugs.webkit.org/show_bug.cgi?id=195127
353         <rdar://problem/39645578>
354
355         Reviewed by Yusuke Suzuki.
356
357         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
358
359 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
360
361         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
362         https://bugs.webkit.org/show_bug.cgi?id=195144
363         <rdar://problem/47595961>
364
365         Reviewed by Mark Lam.
366
367         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
368         (bar):
369         (foo):
370         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
371         (bar):
372         (foo):
373
374 2019-02-27  Robin Morisset  <rmorisset@apple.com>
375
376         DFG: Loop-invariant code motion (LICM) should not hoist dead code
377         https://bugs.webkit.org/show_bug.cgi?id=194945
378         <rdar://problem/48311657>
379
380         Reviewed by Mark Lam.
381
382         * stress/licm-dead-code.js: Added.
383
384 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
385
386         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
387         https://bugs.webkit.org/show_bug.cgi?id=194677
388         <rdar://problem/48112492>
389
390         Reviewed by Mark Lam.
391
392         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
393         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
394         it immediately fails due the large size.
395
396         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
397         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
398         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
399         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
400
401         This patch changes the test to produce 16bit string from String.fromCharCode.
402
403         * stress/regress-178386.js:
404
405 2019-02-26  Mark Lam  <mark.lam@apple.com>
406
407         wasmToJS() should purify incoming NaNs.
408         https://bugs.webkit.org/show_bug.cgi?id=194807
409         <rdar://problem/48189132>
410
411         Reviewed by Saam Barati.
412
413         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
414
415 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
416
417         [JSC] Repeat string created from Array.prototype.join() take too much memory
418         https://bugs.webkit.org/show_bug.cgi?id=193912
419
420         Reviewed by Saam Barati.
421
422         Added a test and a microbenchmark for corner cases of
423         Array.prototype.join() with an uninitialized array.
424
425         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
426         * stress/array-prototype-join-uninitialized.js: Added.
427         (testArray):
428         (testABC):
429         (B):
430         (C):
431
432 2019-02-22  Robin Morisset  <rmorisset@apple.com>
433
434         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
435         https://bugs.webkit.org/show_bug.cgi?id=194953
436         <rdar://problem/47595253>
437
438         Reviewed by Saam Barati.
439
440         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
441
442         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
443
444 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
445
446         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
447         https://bugs.webkit.org/show_bug.cgi?id=172848
448         <rdar://problem/25709212>
449
450         Reviewed by Mark Lam.
451
452         * typeProfiler/inheritance.js:
453         Rewrite the test slightly for clarity. The hoisting was confusing.
454
455         * heapProfiler/class-names.js: Added.
456         (MyES5Class):
457         (MyES6Class):
458         (MyES6Subclass):
459         Test object types and improved class names.
460
461         * heapProfiler/driver/driver.js:
462         (CheapHeapSnapshotNode):
463         (CheapHeapSnapshot):
464         (createCheapHeapSnapshot):
465         (HeapSnapshot):
466         (createHeapSnapshot):
467         Update snapshot parsing from version 1 to version 2.
468
469 2019-02-19  Truitt Savell  <tsavell@apple.com>
470
471         Unreviewed, rolling out r241784.
472
473         Broke all OpenSource builds.
474
475         Reverted changeset:
476
477         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
478         instances view"
479         https://bugs.webkit.org/show_bug.cgi?id=172848
480         https://trac.webkit.org/changeset/241784
481
482 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
483
484         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
485         https://bugs.webkit.org/show_bug.cgi?id=172848
486         <rdar://problem/25709212>
487
488         Reviewed by Mark Lam.
489
490         * typeProfiler/inheritance.js:
491         Rewrite the test slightly for clarity. The hoisting was confusing.
492
493         * heapProfiler/class-names.js: Added.
494         (MyES5Class):
495         (MyES6Class):
496         (MyES6Subclass):
497         Test object types and improved class names.
498
499         * heapProfiler/driver/driver.js:
500         (CheapHeapSnapshotNode):
501         (CheapHeapSnapshot):
502         (createCheapHeapSnapshot):
503         (HeapSnapshot):
504         (createHeapSnapshot):
505         Update snapshot parsing from version 1 to version 2.
506
507 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
508
509         [ARM] Fix crash with sampling profiler
510         https://bugs.webkit.org/show_bug.cgi?id=194772
511
512         Reviewed by Mark Lam.
513
514         Do not skip test since crash with sampling profiler is now fixed.
515
516         * stress/sampling-profiler-richards.js:
517
518 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
519
520         [JSC] Add LazyClassStructure::getInitializedOnMainThread
521         https://bugs.webkit.org/show_bug.cgi?id=194784
522         <rdar://problem/48154820>
523
524         Reviewed by Mark Lam.
525
526         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
527         (getProperties):
528         (getRandomProperty):
529         (i.catch):
530
531 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
532
533         [ARM] Test gardening: Test running out of executable memory
534         https://bugs.webkit.org/show_bug.cgi?id=194771
535
536         Unreviewed. Do not run test without LLInt, test is running out of executable
537         memory on ARM otherwise.
538
539         * stress/tagged-template-object-collect.js:
540
541 2019-02-18  Tomas Popela  <tpopela@redhat.com>
542
543         Unreviewed, skip the test on platforms without sampling profiler
544
545         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
546         (platformSupportsSamplingProfiler.foo):
547         (platformSupportsSamplingProfiler.test):
548         (platformSupportsSamplingProfiler):
549         (foo): Deleted.
550         (test): Deleted.
551
552 2019-02-17  Saam Barati  <sbarati@apple.com>
553
554         Deadlock when adding a Structure property transition and then doing incremental marking
555         https://bugs.webkit.org/show_bug.cgi?id=194767
556
557         Reviewed by Mark Lam.
558
559         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
560
561 2019-02-15  Michael Saboff  <msaboff@apple.com>
562
563         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
564         https://bugs.webkit.org/show_bug.cgi?id=194558
565
566         Reviewed by Saam Barati.
567
568         New regression test.
569
570         * stress/regexp-unicode-within-string.js: Added.
571
572 2019-02-15  Mark Lam  <mark.lam@apple.com>
573
574         SamplingProfiler::stackTracesAsJSON() should escape strings.
575         https://bugs.webkit.org/show_bug.cgi?id=194649
576         <rdar://problem/48072386>
577
578         Reviewed by Saam Barati.
579
580         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
581         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
582         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
583         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
584
585 2019-02-15  Robin Morisset  <rmorisset@apple.com>
586         CodeBlock::jettison should clear related watchpoints
587         https://bugs.webkit.org/show_bug.cgi?id=194544
588
589         Reviewed by Mark Lam.
590
591         * stress/regexp-replace-double-watchpoint.js: Added.
592         (foo):
593
594 2019-02-15  Saam barati  <sbarati@apple.com>
595
596         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
597         https://bugs.webkit.org/show_bug.cgi?id=194036
598
599         Reviewed by Yusuke Suzuki.
600
601         * stress/tail-call-many-arguments.js: Added.
602         (foo):
603         (bar):
604
605 2019-02-14  Saam Barati  <sbarati@apple.com>
606
607         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
608         https://bugs.webkit.org/show_bug.cgi?id=194583
609         <rdar://problem/48028140>
610
611         Reviewed by Yusuke Suzuki.
612
613         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
614
615 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
616
617         [JSC] String.fromCharCode's slow path always generates 16bit string
618         https://bugs.webkit.org/show_bug.cgi?id=194466
619
620         Reviewed by Keith Miller.
621
622         * stress/string-from-char-code-slow-path.js: Added.
623         (shouldBe):
624         (testWithLength):
625
626 2019-02-08  Saam barati  <sbarati@apple.com>
627
628         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
629         https://bugs.webkit.org/show_bug.cgi?id=194334
630         <rdar://problem/47844327>
631
632         Reviewed by Mark Lam.
633
634         * stress/check-in-bounds-should-be-a-child-use.js: Added.
635         (func):
636
637 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
638
639         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
640         https://bugs.webkit.org/show_bug.cgi?id=194369
641         <rdar://problem/47813087>
642
643         Reviewed by Saam Barati.
644
645         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
646         (A):
647
648 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
649
650         [JSC] PrivateName to PublicName hash table is wasteful
651         https://bugs.webkit.org/show_bug.cgi?id=194277
652
653         Reviewed by Michael Saboff.
654
655         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
656
657         * ChakraCore.yaml:
658
659 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
660
661         [ARM] Test running out of executable memory
662         https://bugs.webkit.org/show_bug.cgi?id=194285
663
664         Unreviewed. Do no execute test with LLInt disabled, test runs out of
665         executable memory otherwise.
666
667         * stress/class-subclassing-function.js:
668
669 2019-02-04  Robin Morisset  <rmorisset@apple.com>
670
671         when lowering AssertNotEmpty, create the value before creating the patchpoint
672         https://bugs.webkit.org/show_bug.cgi?id=194231
673
674         Reviewed by Saam Barati.
675
676         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
677         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
678         So even tiny changes to this test can change the path code taken.
679
680         * stress/assert-not-empty.js: Added.
681         (foo):
682
683 2019-02-01  Mark Lam  <mark.lam@apple.com>
684
685         Remove invalid assertion in DFG's compileDoubleRep().
686         https://bugs.webkit.org/show_bug.cgi?id=194130
687         <rdar://problem/47699474>
688
689         Reviewed by Saam Barati.
690
691         * stress/constant-fold-double-rep-into-double-constant.js: Added.
692
693 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
694
695         Import latest Test262 updates.
696
697         Rubber-stamped by Keith Miller.
698
699         * test262.yaml: Deleted.
700         * test262/config.yaml:
701         * test262/expectations.yaml:
702         * test262/latest-changes-summary.txt:
703         * test262/test/:
704         * test262/test262-Revision.txt:
705
706 2019-01-30  Robin Morisset  <rmorisset@apple.com>
707
708         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
709         https://bugs.webkit.org/show_bug.cgi?id=194050
710         <rdar://problem/47595592>
711
712         Reviewed by Yusuke Suzuki.
713
714         * stress/object-keys-osr-exit.js: Added.
715         (foo):
716         (catch):
717
718 2019-01-29  Mark Lam  <mark.lam@apple.com>
719
720         ValueRecovery::recover() should purify NaN values it recovers.
721         https://bugs.webkit.org/show_bug.cgi?id=193978
722         <rdar://problem/47625488>
723
724         Reviewed by Saam Barati.
725
726         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
727
728 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
729
730         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
731         https://bugs.webkit.org/show_bug.cgi?id=193713
732
733         * stress/try-get-by-id-should-spill-registers-dfg.js:
734         (let.f.createBuiltin):
735
736 2019-01-28  Mark Lam  <mark.lam@apple.com>
737
738         ToString node actually does GC.
739         https://bugs.webkit.org/show_bug.cgi?id=193920
740         <rdar://problem/46695900>
741
742         Reviewed by Yusuke Suzuki.
743
744         * stress/dfg-to-string-on-int-does-gc.js: Added.
745         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
746         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
747
748 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
749
750         [JSC] NativeErrorConstructor should not have own IsoSubspace
751         https://bugs.webkit.org/show_bug.cgi?id=193713
752
753         Reviewed by Saam Barati.
754
755         Remove @Error use.
756
757         * stress/try-get-by-id-should-spill-registers-dfg.js:
758         (let.f.createBuiltin):
759
760 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
761
762         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
763         https://bugs.webkit.org/show_bug.cgi?id=190693
764
765         Reviewed by Michael Saboff.
766
767         * stress/regress-190693.js: Added.
768         (truth):
769         (assert):
770         (shouldThrowInvalidConstAssignment):
771         (taz):
772
773 2019-01-24  Saam Barati  <sbarati@apple.com>
774
775         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
776         https://bugs.webkit.org/show_bug.cgi?id=193751
777         <rdar://problem/47280215>
778
779         Reviewed by Michael Saboff.
780
781         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
782         (let.thing):
783         (foo.let.hello):
784         (foo):
785
786 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
787
788         [JSC] Reenable baseline JIT on mips
789         https://bugs.webkit.org/show_bug.cgi?id=192983
790
791         Reviewed by Mark Lam.
792
793         Added a new test for a case that was triggering a RELEASE_ASSERT when
794         testing.
795         Disable some slow tests that were already disabled for arm and x86.
796
797         * stress/json-parse-big-object.js: Added.
798         * stress/new-largeish-contiguous-array-with-size.js:
799         * stress/op_add.js:
800         * stress/op_bitand.js:
801         * stress/op_bitor.js:
802         * stress/op_bitxor.js:
803         * stress/op_lshift-ConstVar.js:
804         * stress/op_lshift-VarConst.js:
805         * stress/op_lshift-VarVar.js:
806         * stress/op_mod-ConstVar.js:
807         * stress/op_mod-VarConst.js:
808         * stress/op_mod-VarVar.js:
809         * stress/op_mul-ConstVar.js:
810         * stress/op_mul-VarConst.js:
811         * stress/op_mul-VarVar.js:
812         * stress/op_rshift-ConstVar.js:
813         * stress/op_rshift-VarConst.js:
814         * stress/op_rshift-VarVar.js:
815         * stress/op_sub-ConstVar.js:
816         * stress/op_sub-VarConst.js:
817         * stress/op_sub-VarVar.js:
818         * stress/op_urshift-ConstVar.js:
819         * stress/op_urshift-VarConst.js:
820         * stress/op_urshift-VarVar.js:
821         * stress/sampling-profiler-richards.js:
822         * stress/spread-forward-call-varargs-stack-overflow.js:
823
824 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
825
826         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
827         https://bugs.webkit.org/show_bug.cgi?id=193711
828         <rdar://problem/47250262>
829
830         Reviewed by Saam Barati.
831
832         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
833         (shouldBe):
834         (foo):
835         (bar):
836         (baz):
837
838 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
839
840         Unreviewed, fix initial global lexical binding epoch
841         https://bugs.webkit.org/show_bug.cgi?id=193603
842         <rdar://problem/47380869>
843
844         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
845         (f1.f2.f3.f4):
846         (f1.f2.f3):
847         (f1.f2):
848         (f1):
849
850 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
851
852         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
853         https://bugs.webkit.org/show_bug.cgi?id=193709
854         <rdar://problem/47363838>
855
856         Unreviewed, rollout to watch the tests.
857
858         * stress/object-tostring-changed-proto.js: Removed.
859         * stress/object-tostring-changed.js: Removed.
860         * stress/object-tostring-misc.js: Removed.
861         * stress/object-tostring-other.js: Removed.
862         * stress/object-tostring-untyped.js: Removed.
863
864 2019-01-22  Saam Barati  <sbarati@apple.com>
865
866         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
867
868         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
869         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
870         (testUncheckedLessThanZero):
871         (testUncheckedLessThanOrEqualZero):
872         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
873         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
874
875 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
876
877         [JSC] Invalidate old scope operations using global lexical binding epoch
878         https://bugs.webkit.org/show_bug.cgi?id=193603
879         <rdar://problem/47380869>
880
881         Reviewed by Saam Barati.
882
883         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
884         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
885         (shouldThrow):
886         (bar):
887         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
888         (shouldBe):
889         (get1):
890         (get2):
891         (get1If):
892         (get2If):
893         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
894         (shouldThrow):
895         (foo):
896
897 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
898
899         Unreviewed, roll out r240220 due to date-format-xparb regression
900         https://bugs.webkit.org/show_bug.cgi?id=193603
901
902         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
903         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
904         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
905         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
906
907 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
908
909         DoesGC rule is wrong for nodes with BigIntUse
910         https://bugs.webkit.org/show_bug.cgi?id=193652
911
912         Reviewed by Saam Barati.
913
914         * stress/big-int-value-op-update-gc-rules.js: Added.
915         (assert):
916         (doesGCAdd):
917         (doesGCSub):
918         (doesGCDiv):
919         (doesGCMul):
920         (doesGCBitAnd):
921         (doesGCBitOr):
922         (doesGCBitXor):
923
924 2019-01-20  Saam Barati  <sbarati@apple.com>
925
926         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
927         https://bugs.webkit.org/show_bug.cgi?id=193644
928         <rdar://problem/46209745>
929
930         Reviewed by Yusuke Suzuki.
931
932         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
933         (foo):
934         * stress/data-view-set-intrinsic-undefined-result.js: Added.
935         (foo):
936         (bar):
937
938 2019-01-20  Saam Barati  <sbarati@apple.com>
939
940         MovHint must merge NodeBytecodeUsesAsValue for its child
941         https://bugs.webkit.org/show_bug.cgi?id=186916
942         <rdar://problem/41396612>
943
944         Reviewed by Yusuke Suzuki.
945
946         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
947         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
948
949 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
950
951         [JSC] Invalidate old scope operations using global lexical binding epoch
952         https://bugs.webkit.org/show_bug.cgi?id=193603
953         <rdar://problem/47380869>
954
955         Reviewed by Saam Barati.
956
957         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
958         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
959         (shouldThrow):
960         (bar):
961         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
962         (shouldBe):
963         (get1):
964         (get2):
965         (get1If):
966         (get2If):
967         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
968         (shouldThrow):
969         (foo):
970
971 2019-01-17  Saam barati  <sbarati@apple.com>
972
973         StringObjectUse should not be a structure check for the original string object structure
974         https://bugs.webkit.org/show_bug.cgi?id=193483
975         <rdar://problem/47280522>
976
977         Reviewed by Yusuke Suzuki.
978
979         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
980         (foo):
981         (a.valueOf.0):
982
983 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
984
985         [JSC] ToThis omission in DFGByteCodeParser is wrong
986         https://bugs.webkit.org/show_bug.cgi?id=193513
987         <rdar://problem/45842236>
988
989         Reviewed by Saam Barati.
990
991         * stress/to-this-omission-with-different-strict-modes.js: Added.
992         (thisA):
993         (thisAStrictWrapper):
994
995 2019-01-15  Mark Lam  <mark.lam@apple.com>
996
997         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
998         https://bugs.webkit.org/show_bug.cgi?id=193423
999         <rdar://problem/46209355>
1000
1001         Reviewed by Saam Barati.
1002
1003         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1004         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1005         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1006         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1007
1008 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1009
1010         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1011         https://bugs.webkit.org/show_bug.cgi?id=193438
1012         <rdar://problem/45581249>
1013
1014         Reviewed by Saam Barati and Keith Miller.
1015
1016         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1017         Then, GetByVal(String) crashed.
1018
1019         * stress/string-get-by-val-lowering.js: Added.
1020         (shouldBe):
1021         (test):
1022         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1023         (Hello):
1024         (foo):
1025
1026 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1027
1028         Unreviewed, skip JIT tests if it's not enabled
1029
1030         * stress/bit-op-with-object-returning-int32.js:
1031
1032 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1033
1034         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1035         https://bugs.webkit.org/show_bug.cgi?id=192966
1036
1037         Reviewed by Yusuke Suzuki.
1038
1039         * stress/bit-op-with-object-returning-int32.js: Added.
1040
1041 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1042
1043         Skip a slow test and a flakey test on arm
1044
1045         Unreviewed gardening.
1046
1047         * typeProfiler/getter-richards.js:
1048         this test always times out, it used to be always skipped on arm and
1049         mips, but got accidentally enabled by r237919 now that we have DFG on
1050         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1051
1052 2019-01-14  Keith Miller  <keith_miller@apple.com>
1053
1054         Skip type-check-hoisting-phase-hoist... with no jit
1055         https://bugs.webkit.org/show_bug.cgi?id=193421
1056
1057         Reviewed by Mark Lam.
1058
1059         It's timing out the 32-bit bots and takes 330 seconds
1060         on my machine when run by itself.
1061
1062         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1063
1064 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1065
1066         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1067         https://bugs.webkit.org/show_bug.cgi?id=193413
1068         <rdar://problem/46092389>
1069
1070         Reviewed by Keith Miller.
1071
1072         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1073         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1074         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1075         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1076
1077         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1078         (compareArray):
1079
1080 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1081
1082         [BigInt] Literal parsing is crashing when used inside a Object Literal
1083         https://bugs.webkit.org/show_bug.cgi?id=193404
1084
1085         Reviewed by Yusuke Suzuki.
1086
1087         * stress/big-int-literal-inside-literal-object.js: Added.
1088
1089 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1090
1091         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1092         https://bugs.webkit.org/show_bug.cgi?id=193372
1093
1094         Reviewed by Saam Barati.
1095
1096         * stress/typed-array-array-modes-profile.js: Added.
1097         (foo):
1098
1099 2019-01-14  Mark Lam  <mark.lam@apple.com>
1100
1101         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1102         https://bugs.webkit.org/show_bug.cgi?id=193402
1103         <rdar://problem/46012309>
1104
1105         Reviewed by Keith Miller.
1106
1107         * stress/regexp-compile-oom.js:
1108         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1109           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1110
1111 2019-01-11  Saam barati  <sbarati@apple.com>
1112
1113         DFG combined liveness can be wrong for terminal basic blocks
1114         https://bugs.webkit.org/show_bug.cgi?id=193304
1115         <rdar://problem/45268632>
1116
1117         Reviewed by Yusuke Suzuki.
1118
1119         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1120
1121 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1122
1123         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1124         https://bugs.webkit.org/show_bug.cgi?id=193308
1125         <rdar://problem/45546542>
1126
1127         Reviewed by Saam Barati.
1128
1129         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1130         (shouldThrow):
1131         (shouldBe):
1132         (foo):
1133         (get shouldThrow):
1134         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1135         (shouldThrow):
1136         (shouldBe):
1137         (foo):
1138         (get shouldBe):
1139         (get shouldThrow):
1140         (get return):
1141         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1142         (shouldThrow):
1143         (shouldBe):
1144         (foo):
1145         (get shouldBe):
1146         (get shouldThrow):
1147         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1148         (shouldThrow):
1149         (shouldBe):
1150         (foo):
1151         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1152         (shouldThrow):
1153         (shouldBe):
1154         (foo):
1155         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1156         (shouldThrow):
1157         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1158         (shouldThrow):
1159         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1160         (shouldThrow):
1161         (shouldBe):
1162         (foo):
1163         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1164         (shouldThrow):
1165         (shouldBe):
1166         (foo):
1167         (get shouldBe):
1168         (get shouldThrow):
1169         (get return):
1170         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1171         (shouldThrow):
1172         (shouldBe):
1173         (foo):
1174         (get shouldBe):
1175         (get shouldThrow):
1176         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1177         (shouldThrow):
1178         (shouldBe):
1179         (foo):
1180         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1181         (shouldThrow):
1182         (shouldBe):
1183         (foo):
1184
1185 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1186
1187         Enable DFG on ARM/Linux again
1188         https://bugs.webkit.org/show_bug.cgi?id=192496
1189
1190         Reviewed by Yusuke Suzuki.
1191
1192         Test wasn't really skipped before moving the line with skip
1193         to the top.
1194
1195         * stress/regress-192717.js:
1196
1197 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1198
1199         Unreviewed, rolling out r239825.
1200         https://bugs.webkit.org/show_bug.cgi?id=193330
1201
1202         Broke tests on armv7/linux bots (Requested by guijemont on
1203         #webkit).
1204
1205         Reverted changeset:
1206
1207         "Enable DFG on ARM/Linux again"
1208         https://bugs.webkit.org/show_bug.cgi?id=192496
1209         https://trac.webkit.org/changeset/239825
1210
1211 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1212
1213         Enable DFG on ARM/Linux again
1214         https://bugs.webkit.org/show_bug.cgi?id=192496
1215
1216         Reviewed by Yusuke Suzuki.
1217
1218         Test wasn't really skipped before moving the line with skip
1219         to the top.
1220
1221         * stress/regress-192717.js:
1222
1223 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1224
1225         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1226         https://bugs.webkit.org/show_bug.cgi?id=193127
1227
1228         Reviewed by Saam Barati.
1229
1230         * stress/array-species-create-should-handle-masquerader.js: Added.
1231         (shouldThrow):
1232         * stress/is-undefined-or-null-builtin.js: Added.
1233         (shouldBe):
1234         (isUndefinedOrNull.vm.createBuiltin):
1235
1236 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1237
1238         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1239         https://bugs.webkit.org/show_bug.cgi?id=193221
1240
1241         Reviewed by Mark Lam.
1242
1243         * stress/put-by-id-flags.js: Added.
1244         (f):
1245         (g):
1246         (numberOfDFGCompiles):
1247
1248 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1249
1250         Baseline version of get_by_id may corrupt metadata
1251         https://bugs.webkit.org/show_bug.cgi?id=193085
1252         <rdar://problem/23453006>
1253
1254         Reviewed by Saam Barati.
1255
1256         * stress/get-by-id-change-mode.js: Added.
1257         (forEach):
1258
1259 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1260
1261         [JSC] Optimize Object.prototype.toString
1262         https://bugs.webkit.org/show_bug.cgi?id=193031
1263
1264         Reviewed by Saam Barati.
1265
1266         * stress/object-tostring-changed-proto.js: Added.
1267         (shouldBe):
1268         (test):
1269         * stress/object-tostring-changed.js: Added.
1270         (shouldBe):
1271         (test):
1272         * stress/object-tostring-misc.js: Added.
1273         (shouldBe):
1274         (test):
1275         (i.switch):
1276         * stress/object-tostring-other.js: Added.
1277         (shouldBe):
1278         (test):
1279         * stress/object-tostring-untyped.js: Added.
1280         (shouldBe):
1281         (test):
1282         (i.switch):
1283
1284 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1285
1286         test262-runner misbehaves when test file YAML has a trailing space
1287         https://bugs.webkit.org/show_bug.cgi?id=193053
1288
1289         Reviewed by Yusuke Suzuki.
1290
1291         * test262/expectations.yaml:
1292         Mark two dozen tests as passing (and correct the output of another).
1293
1294 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1295
1296         Unreviewed, JSTests gardening with memoryLimited
1297
1298         * stress/string-overflow-createError.js:
1299
1300 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1301
1302         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1303         https://bugs.webkit.org/show_bug.cgi?id=193050
1304
1305         Reviewed by Yusuke Suzuki.
1306
1307         * test262.yaml:
1308         * test262/expectations.yaml:
1309         Mark 16 tests as passing.
1310
1311 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1312
1313         [BigInt] Support BigInt in JSON.stringify
1314         https://bugs.webkit.org/show_bug.cgi?id=192624
1315
1316         Reviewed by Saam Barati.
1317
1318         * stress/big-int-json-stringify-to-json.js: Added.
1319         (shouldBe):
1320         (shouldThrow):
1321         (BigInt.prototype.toJSON):
1322         (shouldBe.JSON.stringify):
1323         * stress/big-int-json-stringify.js: Added.
1324         (shouldBe):
1325         (shouldThrow):
1326
1327 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1328
1329         [JSC] Implement "well-formed JSON.stringify" proposal
1330         https://bugs.webkit.org/show_bug.cgi?id=191677
1331
1332         Reviewed by Darin Adler.
1333
1334         * stress/json-surrogate-pair.js: Added.
1335         (shouldBe):
1336         * test262/expectations.yaml:
1337
1338 2018-12-20  Keith Miller  <keith_miller@apple.com>
1339
1340         Add support for globalThis
1341         https://bugs.webkit.org/show_bug.cgi?id=165171
1342
1343         Reviewed by Mark Lam.
1344
1345         * test262/config.yaml:
1346
1347 2018-12-19  Keith Miller  <keith_miller@apple.com>
1348
1349         Update test262 configuration to not run tests dependent on ICU version.
1350         https://bugs.webkit.org/show_bug.cgi?id=192920
1351
1352         Reviewed by Saam Barati.
1353
1354         * test262/expectations.yaml:
1355
1356 2018-12-20  Mark Lam  <mark.lam@apple.com>
1357
1358         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1359         https://bugs.webkit.org/show_bug.cgi?id=192939
1360         <rdar://problem/46869516>
1361
1362         Reviewed by Keith Miller.
1363
1364         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1365
1366 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1367
1368         WTF::String and StringImpl overflow MaxLength
1369         https://bugs.webkit.org/show_bug.cgi?id=192853
1370         <rdar://problem/45726906>
1371
1372         Reviewed by Mark Lam.
1373
1374         * stress/string-16bit-repeat-overflow.js: Added.
1375         (catch):
1376
1377 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1378
1379         Unreviewed follow-up to r192914.
1380
1381         * test262/expectations.yaml:
1382         Add the last 20 missing expectations.
1383
1384 2018-12-19  Keith Miller  <keith_miller@apple.com>
1385
1386         Fix test262 expectations
1387         https://bugs.webkit.org/show_bug.cgi?id=192914
1388
1389         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1390
1391         * test262/expectations.yaml:
1392
1393 2018-12-19  Keith Miller  <keith_miller@apple.com>
1394
1395         Update test262 tests.
1396         https://bugs.webkit.org/show_bug.cgi?id=192907
1397
1398         Rubber stamped by Mark Lam.
1399
1400         * test262/*: Omitted because prepare-changelog crashes.
1401
1402 2018-12-19  Mark Lam  <mark.lam@apple.com>
1403
1404         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1405         https://bugs.webkit.org/show_bug.cgi?id=192464
1406         <rdar://problem/46519455>
1407
1408         Reviewed by Saam Barati.
1409
1410         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1411         microbenchmark.
1412
1413         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1414         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1415
1416 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1417
1418         String overflow in JSC::createError results in ASSERT in WTF::makeString
1419         https://bugs.webkit.org/show_bug.cgi?id=192833
1420         <rdar://problem/45706868>
1421
1422         Reviewed by Mark Lam.
1423
1424         * stress/string-overflow-createError.js: Added.
1425
1426 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1427
1428         Error message for `-x ** y` contains a typo.
1429         https://bugs.webkit.org/show_bug.cgi?id=192832
1430
1431         Reviewed by Saam Barati.
1432
1433         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1434         (assert.assert.return.throws):
1435         * stress/pow-expects-update-expression-on-lhs.js:
1436         (throw.new.Error):
1437         Update test expectations which match against the exact error message.
1438
1439 2018-12-18  Mark Lam  <mark.lam@apple.com>
1440
1441         Gardening: test options fix.
1442         https://bugs.webkit.org/show_bug.cgi?id=192822
1443
1444         Unreviewed.
1445
1446         * stress/json-stringify-string-builder-overflow.js:
1447
1448 2018-12-18  Mark Lam  <mark.lam@apple.com>
1449
1450         JSON.stringify() should throw OOM on StringBuilder overflows.
1451         https://bugs.webkit.org/show_bug.cgi?id=192822
1452         <rdar://problem/46670577>
1453
1454         Reviewed by Saam Barati.
1455
1456         * stress/json-stringify-string-builder-overflow.js: Added.
1457
1458 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1459
1460         Redeclaration of var over let/const/class should be a syntax error.
1461         https://bugs.webkit.org/show_bug.cgi?id=192298
1462
1463         Reviewed by Keith Miller.
1464
1465         * test262.yaml:
1466         * test262/expectations.yaml:
1467         Mark 46 tests as passing.
1468
1469         * stress/block-scope-redeclarations.js:
1470         Add some new tests.
1471
1472         * stress/for-in-invalidate-context-weird-assignments.js:
1473         * stress/for-in-tests.js:
1474         Replace tests for outdated behavior with tests for SyntaxError.
1475
1476         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1477         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1478         Update expectations.
1479
1480 2018-12-18  Mark Lam  <mark.lam@apple.com>
1481
1482         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1483         https://bugs.webkit.org/show_bug.cgi?id=191374
1484         <rdar://problem/46525447>
1485
1486         Reviewed by Yusuke Suzuki.
1487
1488         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1489
1490         * stress/elidable-new-object-roflcopter-then-exit.js:
1491
1492 2018-12-17  Mark Lam  <mark.lam@apple.com>
1493
1494         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1495         https://bugs.webkit.org/show_bug.cgi?id=192019
1496         <rdar://problem/46525456>
1497
1498         Reviewed by Yusuke Suzuki.
1499
1500         The test runs too slow on 32-bit.
1501
1502         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1503
1504 2018-12-17  Mark Lam  <mark.lam@apple.com>
1505
1506         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1507         https://bugs.webkit.org/show_bug.cgi?id=191373
1508         <rdar://problem/46525458>
1509
1510         Reviewed by Yusuke Suzuki.
1511
1512         The test is already slow running with a JIT on 64-bit.  It will always timeout
1513         on 32-bit without a JIT.
1514
1515         * stress/materialize-regexp-cyclic-regexp.js:
1516
1517 2018-12-17  Mark Lam  <mark.lam@apple.com>
1518
1519         Array unshift/shift should not race against the AI in the compiler thread.
1520         https://bugs.webkit.org/show_bug.cgi?id=192795
1521         <rdar://problem/46724263>
1522
1523         Reviewed by Saam Barati.
1524
1525         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1526
1527 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1528
1529         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1530         https://bugs.webkit.org/show_bug.cgi?id=190047
1531
1532         Reviewed by Saam Barati.
1533
1534         * stress/object-keys-cached-zero.js: Added.
1535         (shouldBe):
1536         (test):
1537         * stress/object-keys-changed-attribute.js: Added.
1538         (shouldBe):
1539         (test):
1540         * stress/object-keys-changed-index.js: Added.
1541         (shouldBe):
1542         (test):
1543         * stress/object-keys-changed.js: Added.
1544         (shouldBe):
1545         (test):
1546         * stress/object-keys-indexed-non-cache.js: Added.
1547         (shouldBe):
1548         (test):
1549         * stress/object-keys-overrides-get-property-names.js: Added.
1550         (shouldBe):
1551         (test):
1552         (noInline):
1553
1554 2018-12-17  Mark Lam  <mark.lam@apple.com>
1555
1556         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1557         https://bugs.webkit.org/show_bug.cgi?id=192779
1558         <rdar://problem/46775869>
1559
1560         Reviewed by Saam Barati.
1561
1562         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1563
1564 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1565
1566         Unreviewed test gardening, address a syntax error in a new test.
1567
1568         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1569
1570 2018-12-17  Mark Lam  <mark.lam@apple.com>
1571
1572         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1573         https://bugs.webkit.org/show_bug.cgi?id=192776
1574         <rdar://problem/46772368>
1575
1576         Reviewed by Keith Miller.
1577
1578         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1579
1580 2018-12-17  Mark Lam  <mark.lam@apple.com>
1581
1582         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1583         https://bugs.webkit.org/show_bug.cgi?id=192770
1584         <rdar://problem/46449037>
1585
1586         Reviewed by Keith Miller.
1587
1588         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1589
1590 2018-12-14  Mark Lam  <mark.lam@apple.com>
1591
1592         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1593         https://bugs.webkit.org/show_bug.cgi?id=192717
1594         <rdar://problem/46660677>
1595
1596         Reviewed by Saam Barati.
1597
1598         * stress/regress-192717.js: Added.
1599
1600 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1601
1602         Unreviewed, rolling out r239153, r239154, and r239155.
1603         https://bugs.webkit.org/show_bug.cgi?id=192715
1604
1605         Caused flaky GC-related crashes seen with layout tests
1606         (Requested by ryanhaddad on #webkit).
1607
1608         Reverted changesets:
1609
1610         "[JSC] Optimize Object.keys by caching own keys results in
1611         StructureRareData"
1612         https://bugs.webkit.org/show_bug.cgi?id=190047
1613         https://trac.webkit.org/changeset/239153
1614
1615         "Unreviewed, build fix after r239153"
1616         https://bugs.webkit.org/show_bug.cgi?id=190047
1617         https://trac.webkit.org/changeset/239154
1618
1619         "Unreviewed, build fix after r239153, part 2"
1620         https://bugs.webkit.org/show_bug.cgi?id=190047
1621         https://trac.webkit.org/changeset/239155
1622
1623 2018-12-14  Keith Miller  <keith_miller@apple.com>
1624
1625         Callers of JSString::getIndex should check for OOM exceptions
1626         https://bugs.webkit.org/show_bug.cgi?id=192709
1627
1628         Reviewed by Mark Lam.
1629
1630         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1631
1632 2018-12-13  Mark Lam  <mark.lam@apple.com>
1633
1634         Add a missing exception check.
1635         https://bugs.webkit.org/show_bug.cgi?id=192626
1636         <rdar://problem/46662163>
1637
1638         Reviewed by Keith Miller.
1639
1640         * stress/regress-192626.js: Added.
1641
1642 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1643
1644         [BigInt] Add ValueDiv into DFG
1645         https://bugs.webkit.org/show_bug.cgi?id=186178
1646
1647         Reviewed by Yusuke Suzuki.
1648
1649         * stress/big-int-div-jit-osr.js: Added.
1650         * stress/big-int-div-jit-untyped.js: Added.
1651         * stress/value-div-fixup-int32-big-int.js: Added.
1652
1653 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1654
1655         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1656         https://bugs.webkit.org/show_bug.cgi?id=190047
1657
1658         Reviewed by Keith Miller.
1659
1660         * stress/object-keys-cached-zero.js: Added.
1661         (shouldBe):
1662         (test):
1663         * stress/object-keys-changed-attribute.js: Added.
1664         (shouldBe):
1665         (test):
1666         * stress/object-keys-changed-index.js: Added.
1667         (shouldBe):
1668         (test):
1669         * stress/object-keys-changed.js: Added.
1670         (shouldBe):
1671         (test):
1672         * stress/object-keys-indexed-non-cache.js: Added.
1673         (shouldBe):
1674         (test):
1675         * stress/object-keys-overrides-get-property-names.js: Added.
1676         (shouldBe):
1677         (test):
1678         (noInline):
1679
1680 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1681
1682         [DFG][FTL] Add NewSymbol
1683         https://bugs.webkit.org/show_bug.cgi?id=192620
1684
1685         Reviewed by Saam Barati.
1686
1687         * microbenchmarks/symbol-creation.js: Added.
1688         (test):
1689         * stress/symbol-description-identity.js: Added.
1690         (shouldBe):
1691         (test):
1692         * stress/symbol-identity.js: Added.
1693         (shouldBe):
1694         (test):
1695         * stress/symbol-with-description-throw-error.js: Added.
1696         (shouldBe):
1697         (shouldThrow):
1698         (test):
1699         (object.toString):
1700
1701 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1702
1703         [BigInt] Implement DFG/FTL typeof for BigInt
1704         https://bugs.webkit.org/show_bug.cgi?id=192619
1705
1706         Reviewed by Keith Miller.
1707
1708         * stress/big-int-boolean-proven-type.js: Added.
1709         (assert):
1710         (bool):
1711         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1712         (assert):
1713         (typeOf):
1714         (i.switch):
1715         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1716         (assert):
1717         (typeOf):
1718         * stress/big-int-type-of.js:
1719         (typeOf):
1720         (func):
1721
1722 2018-12-10  Mark Lam  <mark.lam@apple.com>
1723
1724         PropertyAttribute needs a CustomValue bit.
1725         https://bugs.webkit.org/show_bug.cgi?id=191993
1726         <rdar://problem/46264467>
1727
1728         Reviewed by Saam Barati.
1729
1730         * stress/regress-191993.js: Added.
1731
1732 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1733
1734         [BigInt] Add ValueMul into DFG
1735         https://bugs.webkit.org/show_bug.cgi?id=186175
1736
1737         Reviewed by Yusuke Suzuki.
1738
1739         * stress/big-int-mul-jit-osr.js: Added.
1740         * stress/big-int-mul-jit-untyped.js: Added.
1741         * stress/value-mul-fixup-int32-big-int.js: Added.
1742
1743 2018-12-06  Keith Miller  <keith_miller@apple.com>
1744
1745         stress/big-wasm-memory tests failing on 32-bit JSC bot
1746         https://bugs.webkit.org/show_bug.cgi?id=192020
1747
1748         Reviewed by Saam Barati.
1749
1750         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1751         the wasm stress tests if the WebAssembly object does not exist.
1752
1753         * stress/big-wasm-memory-grow-no-max.js:
1754         (test.foo):
1755         (test):
1756         (foo): Deleted.
1757         (catch): Deleted.
1758         * stress/big-wasm-memory-grow.js:
1759         (test.foo):
1760         (test):
1761         (foo): Deleted.
1762         (catch): Deleted.
1763         * stress/big-wasm-memory.js:
1764         (test.foo):
1765         (test):
1766         (foo): Deleted.
1767         (catch): Deleted.
1768
1769 2018-12-05  Mark Lam  <mark.lam@apple.com>
1770
1771         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1772         https://bugs.webkit.org/show_bug.cgi?id=192441
1773         <rdar://problem/46480355>
1774
1775         Reviewed by Saam Barati.
1776
1777         * stress/regress-192441.js: Added.
1778
1779 2018-12-04  Mark Lam  <mark.lam@apple.com>
1780
1781         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1782         https://bugs.webkit.org/show_bug.cgi?id=192386
1783         <rdar://problem/46445516>
1784
1785         Reviewed by Saam Barati.
1786
1787         * stress/regress-192386.js: Added.
1788
1789 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1790
1791         [ESNext][BigInt] Support logic operations
1792         https://bugs.webkit.org/show_bug.cgi?id=179903
1793
1794         Reviewed by Yusuke Suzuki.
1795
1796         * stress/big-int-branch-usage.js: Added.
1797         * stress/big-int-logical-and.js: Added.
1798         * stress/big-int-logical-not.js: Added.
1799         * stress/big-int-logical-or.js: Added.
1800
1801 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1802
1803         Unreviewed, rolling out r238833.
1804
1805         Breaks macOS and iOS debug builds.
1806
1807         Reverted changeset:
1808
1809         "[ESNext][BigInt] Support logic operations"
1810         https://bugs.webkit.org/show_bug.cgi?id=179903
1811         https://trac.webkit.org/changeset/238833
1812
1813 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1814
1815         [ESNext][BigInt] Support logic operations
1816         https://bugs.webkit.org/show_bug.cgi?id=179903
1817
1818         Reviewed by Yusuke Suzuki.
1819
1820         * stress/big-int-branch-usage.js: Added.
1821         * stress/big-int-logical-and.js: Added.
1822         * stress/big-int-logical-not.js: Added.
1823         * stress/big-int-logical-or.js: Added.
1824
1825 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1826
1827         [ESNext][BigInt] Implement support for "<<" and ">>"
1828         https://bugs.webkit.org/show_bug.cgi?id=186233
1829
1830         Reviewed by Yusuke Suzuki.
1831
1832         * stress/big-int-left-shift-general.js: Added.
1833         * stress/big-int-left-shift-range-error.js: Added.
1834         * stress/big-int-left-shift-type-error.js: Added.
1835         * stress/big-int-left-shift-wrapped-value.js: Added.
1836         * stress/big-int-right-shift-general.js: Added.
1837         * stress/big-int-right-shift-type-error.js: Added.
1838         * stress/big-int-right-shift-wrapped-value.js: Added.
1839         * stress/left-shift-to-primitive-precedence.js: Added.
1840         * stress/right-shift-to-primitive-precedence.js: Added.
1841
1842 2018-11-30  Dean Jackson  <dino@apple.com>
1843
1844         Add first-class support for .mjs files in jsc binary
1845         https://bugs.webkit.org/show_bug.cgi?id=192190
1846         <rdar://problem/46375715>
1847
1848         Reviewed by Keith Miller.
1849
1850         * stress/simple-module.mjs: Added.
1851         * stress/simple-script.js: Added.
1852
1853 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1854
1855         [BigInt] Implement ValueBitXor into DFG
1856         https://bugs.webkit.org/show_bug.cgi?id=190264
1857
1858         Reviewed by Yusuke Suzuki.
1859
1860         * stress/big-int-bitwise-xor-jit.js: Added.
1861         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1862         * stress/big-int-bitwise-xor-untyped.js: Added.
1863
1864 2018-11-27  Saam barati  <sbarati@apple.com>
1865
1866         r238510 broke scopes of size zero
1867         https://bugs.webkit.org/show_bug.cgi?id=192033
1868         <rdar://problem/46281734>
1869
1870         Reviewed by Keith Miller.
1871
1872         * stress/r238510-bad-loop.js: Added.
1873         (foo):
1874
1875 2018-11-27  Mark Lam  <mark.lam@apple.com>
1876
1877         [Re-landing] NaNs read from Wasm code needs to be be purified.
1878         https://bugs.webkit.org/show_bug.cgi?id=191056
1879         <rdar://problem/45660341>
1880
1881         Reviewed by Filip Pizlo.
1882
1883         * wasm/regress/regress-191056.js: Added.
1884
1885 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1886
1887         Unreviewed, rolling out r238509.
1888
1889         Causes JSC tests to fail on iOS.
1890
1891         Reverted changeset:
1892
1893         "NaNs read from Wasm code needs to be be purified."
1894         https://bugs.webkit.org/show_bug.cgi?id=191056
1895         https://trac.webkit.org/changeset/238509
1896
1897 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1898
1899         Re-introduce op_bitnot
1900         https://bugs.webkit.org/show_bug.cgi?id=190923
1901
1902         Reviewed by Yusuke Suzuki.
1903
1904         * stress/bit-not-must-generate.js: Added.
1905         * stress/bitwise-not-no-int32.js: Added.
1906
1907 2018-11-26  Saam barati  <sbarati@apple.com>
1908
1909         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1910         https://bugs.webkit.org/show_bug.cgi?id=191956
1911         <rdar://problem/45665806>
1912
1913         Reviewed by Yusuke Suzuki.
1914
1915         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1916         (bar):
1917         (foo):
1918
1919 2018-11-26  Saam barati  <sbarati@apple.com>
1920
1921         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1922         https://bugs.webkit.org/show_bug.cgi?id=191958
1923         <rdar://problem/46221877>
1924
1925         Reviewed by Yusuke Suzuki.
1926
1927         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1928         (x):
1929         (foo):
1930
1931 2018-11-26  Mark Lam  <mark.lam@apple.com>
1932
1933         NaNs read from Wasm code needs to be be purified.
1934         https://bugs.webkit.org/show_bug.cgi?id=191056
1935         <rdar://problem/45660341>
1936
1937         Reviewed by Filip Pizlo.
1938
1939         * wasm/regress/regress-191056.js: Added.
1940
1941 2018-11-26  Michael Saboff  <msaboff@apple.com>
1942
1943         32-bit JSC test failure: stress/regexp-compile-oom.js
1944         https://bugs.webkit.org/show_bug.cgi?id=191375
1945
1946         Reviewed by Mark Lam.
1947
1948         Disabled the test for 32 bit platforms.
1949
1950         * stress/regexp-compile-oom.js:
1951
1952 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1953
1954         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1955         https://bugs.webkit.org/show_bug.cgi?id=191716
1956         <rdar://problem/45723878>
1957
1958         Reviewed by Saam Barati.
1959
1960         * stress/regress-187373.js: Added.
1961         (async.fn):
1962
1963 2018-11-21  Saam barati  <sbarati@apple.com>
1964
1965         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1966         https://bugs.webkit.org/show_bug.cgi?id=191897
1967         <rdar://problem/45871998>
1968
1969         Reviewed by Mark Lam.
1970
1971         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1972         (bar):
1973         (foo):
1974
1975 2018-11-21  Saam barati  <sbarati@apple.com>
1976
1977         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1978         https://bugs.webkit.org/show_bug.cgi?id=191895
1979         <rdar://problem/46167406>
1980
1981         Reviewed by Mark Lam.
1982
1983         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1984         (foo):
1985         (bar):
1986
1987 2018-11-21  Mark Lam  <mark.lam@apple.com>
1988
1989         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1990         https://bugs.webkit.org/show_bug.cgi?id=191776
1991         <rdar://problem/46152851>
1992
1993         Reviewed by Saam Barati.
1994
1995         * stress/big-wasm-memory-grow-no-max.js:
1996         * stress/big-wasm-memory-grow.js:
1997         * stress/big-wasm-memory.js:
1998         - updated these to expect an OutOfMemoryError.
1999
2000         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2001         (Binary.prototype.emit_u8):
2002         (Binary.prototype.emit_u32v):
2003         (Binary.prototype.emit_header):
2004         (Binary.prototype.emit_section):
2005         (Binary):
2006         (WasmModuleBuilder):
2007         (WasmModuleBuilder.prototype.addMemory):
2008         (WasmModuleBuilder.prototype.toArray):
2009         (WasmModuleBuilder.prototype.toBuffer):
2010         (WasmModuleBuilder.prototype.instantiate):
2011         (catch):
2012         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2013         (catch):
2014
2015 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2016
2017         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2018         https://bugs.webkit.org/show_bug.cgi?id=190836
2019
2020         Reviewed by Saam Barati and Yusuke Suzuki.
2021
2022         * stress/big-int-out-of-memory-tests.js: Added.
2023
2024 2018-11-20  Mark Lam  <mark.lam@apple.com>
2025
2026         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2027         https://bugs.webkit.org/show_bug.cgi?id=191856
2028         <rdar://problem/46089992>
2029
2030         Reviewed by Yusuke Suzuki.
2031
2032         * stress/regress-191856.js: Added.
2033         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2034
2035 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2036
2037         Enable JIT on ARM/Linux
2038         https://bugs.webkit.org/show_bug.cgi?id=191548
2039
2040         Reviewed by Yusuke Suzuki.
2041
2042         Disable test on system with limited memory. Program was killed by
2043         the OS before the exception was thrown.
2044
2045         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2046
2047 2018-11-20  Saam barati  <sbarati@apple.com>
2048
2049         Merging an IC variant may lead to the IC status containing overlapping structure sets
2050         https://bugs.webkit.org/show_bug.cgi?id=191869
2051         <rdar://problem/45403453>
2052
2053         Reviewed by Mark Lam.
2054
2055         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2056
2057 2018-11-19  Mark Lam  <mark.lam@apple.com>
2058
2059         globalFuncImportModule() should return a promise when it clears exceptions.
2060         https://bugs.webkit.org/show_bug.cgi?id=191792
2061         <rdar://problem/46090763>
2062
2063         Reviewed by Michael Saboff.
2064
2065         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2066
2067 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2068
2069         Skip new memory-hungry tests on memory limited devices
2070
2071         Unreviewed gardening.
2072
2073         * stress/big-wasm-memory-grow-no-max.js:
2074         * stress/big-wasm-memory-grow.js:
2075         * stress/big-wasm-memory.js:
2076
2077 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2078
2079         Unreviewed, rolling in the rest of r237254
2080         https://bugs.webkit.org/show_bug.cgi?id=190340
2081
2082         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2083         * stress/function-cache-with-parameters-end-position.js: Added.
2084         (shouldBe):
2085         (shouldThrow):
2086         (i.anonymous):
2087         * stress/function-constructor-name.js: Added.
2088         (shouldBe):
2089         (GeneratorFunction):
2090         (AsyncFunction.async):
2091         (AsyncGeneratorFunction.async):
2092         (anonymous):
2093         (async.anonymous):
2094         * test262/expectations.yaml:
2095
2096 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2097
2098         All users of ArrayBuffer should agree on the same max size
2099         https://bugs.webkit.org/show_bug.cgi?id=191771
2100
2101         Reviewed by Mark Lam.
2102
2103         * stress/big-wasm-memory-grow-no-max.js: Added.
2104         (foo):
2105         (catch):
2106         * stress/big-wasm-memory-grow.js: Added.
2107         (foo):
2108         (catch):
2109         * stress/big-wasm-memory.js: Added.
2110         (foo):
2111         (catch):
2112
2113 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2114
2115         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2116         run for each JSC config since they're regression tests for runtime bugs.
2117
2118         * stress/json-stringified-overflow-2.js:
2119         * stress/json-stringified-overflow.js:
2120
2121 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2122
2123         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2124         config since they're regression tests for runtime bugs.
2125
2126         * stress/large-unshift-splice.js:
2127         * stress/regress-185888.js:
2128
2129 2018-11-16  Saam Barati  <sbarati@apple.com>
2130
2131         KnownCellUse should also have SpecCellCheck as its type filter
2132         https://bugs.webkit.org/show_bug.cgi?id=191729
2133         <rdar://problem/45872852>
2134
2135         Reviewed by Filip Pizlo.
2136
2137         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2138         (C):
2139
2140 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2141
2142         Fix assertion failure on BytecodeGenerator::recordOpcode
2143         https://bugs.webkit.org/show_bug.cgi?id=191724
2144         <rdar://problem/45724395>
2145
2146         Reviewed by Saam Barati.
2147
2148         * stress/regress-187373-2.js: Added.
2149         (foo):
2150
2151 2018-11-15  Mark Lam  <mark.lam@apple.com>
2152
2153         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2154         https://bugs.webkit.org/show_bug.cgi?id=191730
2155         <rdar://problem/46048517>
2156
2157         Reviewed by Saam Barati.
2158
2159         * stress/regress-187006.js: Removed.
2160           - this test is invalid because its sole purpose is to test for the non-spec
2161             compliant behavior that we just fixed.
2162
2163         * stress/regress-191730.js: Added.
2164
2165 2018-11-15  Mark Lam  <mark.lam@apple.com>
2166
2167         RegExp operations should not take fast patch if lastIndex is not numeric.
2168         https://bugs.webkit.org/show_bug.cgi?id=191731
2169         <rdar://problem/46017305>
2170
2171         Reviewed by Saam Barati.
2172
2173         * stress/regress-191731.js: Added.
2174
2175 2018-11-13  Saam Barati  <sbarati@apple.com>
2176
2177         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2178         https://bugs.webkit.org/show_bug.cgi?id=191600
2179
2180         Reviewed by Mark Lam.
2181
2182         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2183         (foo):
2184         (test):
2185         (bar):
2186
2187 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2188
2189         Unreviewed, rolling out r238132.
2190
2191         The test added with this change is timing out on Debug JSC
2192         bots.
2193
2194         Reverted changeset:
2195
2196         "[BigInt] JSBigInt::createWithLength should throw when length
2197         is greater than JSBigInt::maxLength"
2198         https://bugs.webkit.org/show_bug.cgi?id=190836
2199         https://trac.webkit.org/changeset/238132
2200
2201 2018-11-13  Mark Lam  <mark.lam@apple.com>
2202
2203         Add OOM detection to StringPrototype's substituteBackreferences().
2204         https://bugs.webkit.org/show_bug.cgi?id=191563
2205         <rdar://problem/45720428>
2206
2207         Reviewed by Saam Barati.
2208
2209         * stress/regress-191563.js: Added.
2210
2211 2018-11-13  Mark Lam  <mark.lam@apple.com>
2212
2213         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2214         https://bugs.webkit.org/show_bug.cgi?id=191579
2215         <rdar://problem/45942472>
2216
2217         Reviewed by Saam Barati.
2218
2219         * stress/regress-191579.js: Added.
2220
2221 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2222
2223         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2224         https://bugs.webkit.org/show_bug.cgi?id=190836
2225
2226         Reviewed by Saam Barati.
2227
2228         * stress/big-int-out-of-memory-tests.js: Added.
2229
2230 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2231
2232         U+180E is no longer a whitespace character
2233         https://bugs.webkit.org/show_bug.cgi?id=191415
2234
2235         Reviewed by Saam Barati.
2236
2237         * ChakraCore/test/es5/regexSpace.baseline:
2238         * ChakraCore/test/es6/unicode_whitespace.js:
2239         Update tests to latest version.
2240         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2241
2242         * test262.yaml:
2243         * test262/config.yaml:
2244         * test262/expectations.yaml:
2245         Update expectations.
2246
2247 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2248
2249         [BigInt] Add support to BigInt into ValueAdd
2250         https://bugs.webkit.org/show_bug.cgi?id=186177
2251
2252         Reviewed by Keith Miller.
2253
2254         * stress/big-int-negate-jit.js:
2255         * stress/value-add-big-int-and-string.js: Added.
2256         * stress/value-add-big-int-prediction-propagation.js: Added.
2257         * stress/value-add-big-int-untyped.js: Added.
2258
2259 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2260
2261         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2262         https://bugs.webkit.org/show_bug.cgi?id=191184
2263
2264         Reviewed by Saam Barati.
2265
2266         Most tests were failing due to timeouts, since they are too slow to
2267         run on CLoop. The exceptions are:
2268
2269         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2270         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2271         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2272         to change the stack size since CLoop requires it to be page aligned.
2273
2274         * microbenchmarks/array-push-1.js:
2275         * microbenchmarks/array-push-2.js:
2276         * microbenchmarks/elidable-new-object-dag.js:
2277         * microbenchmarks/elidable-new-object-roflcopter.js:
2278         * microbenchmarks/elidable-new-object-tree.js:
2279         * microbenchmarks/getter-richards.js:
2280         * microbenchmarks/sinkable-new-object-dag.js:
2281         * microbenchmarks/string-concat-long-convert.js:
2282         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2283         * slowMicrobenchmarks/array-push-3.js:
2284         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2285         * slowMicrobenchmarks/spread-small-array.js:
2286         * slowMicrobenchmarks/undefined-property-access.js:
2287         * stress/activation-sink-default-value-tdz-error.js:
2288         * stress/activation-sink-default-value.js:
2289         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2290         * stress/activation-sink-osrexit-default-value.js:
2291         * stress/activation-sink-osrexit.js:
2292         * stress/activation-sink.js:
2293         * stress/allow-math-ic-b3-code-duplication.js:
2294         * stress/array-push-multiple-int32.js:
2295         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2296         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2297         * stress/arrowfunction-lexical-this-activation-sink.js:
2298         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2299         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2300         * stress/elide-new-object-dag-then-exit.js:
2301         * stress/materialize-regexp-cyclic.js:
2302         * stress/new-regex-inline.js:
2303         * stress/op_add.js:
2304         * stress/op_bitand.js:
2305         * stress/op_bitor.js:
2306         * stress/op_bitxor.js:
2307         * stress/op_div-ConstVar.js:
2308         * stress/op_div-VarConst.js:
2309         * stress/op_div-VarVar.js:
2310         * stress/op_lshift-ConstVar.js:
2311         * stress/op_lshift-VarConst.js:
2312         * stress/op_lshift-VarVar.js:
2313         * stress/op_mod-ConstVar.js:
2314         * stress/op_mod-VarConst.js:
2315         * stress/op_mod-VarVar.js:
2316         * stress/op_mul-ConstVar.js:
2317         * stress/op_mul-VarConst.js:
2318         * stress/op_mul-VarVar.js:
2319         * stress/op_rshift-ConstVar.js:
2320         * stress/op_rshift-VarConst.js:
2321         * stress/op_rshift-VarVar.js:
2322         * stress/op_sub-ConstVar.js:
2323         * stress/op_sub-VarConst.js:
2324         * stress/op_sub-VarVar.js:
2325         * stress/op_urshift-ConstVar.js:
2326         * stress/op_urshift-VarConst.js:
2327         * stress/op_urshift-VarVar.js:
2328         * stress/proxy-get-set-correct-receiver.js:
2329         * stress/regress-179562.js:
2330         * stress/rest-parameter-many-arguments.js:
2331         * stress/sampling-profiler-richards.js:
2332         * stress/splay-flash-access-1ms.js:
2333         * stress/tailCallForwardArguments.js:
2334         * stress/typed-array-get-by-val-profiling.js:
2335         * typeProfiler/getter-richards.js:
2336
2337 2018-11-06  Michael Saboff  <msaboff@apple.com>
2338
2339         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2340         https://bugs.webkit.org/show_bug.cgi?id=191271
2341
2342         Reviewed by Saam Barati.
2343
2344         Added more test cases and made all test cases run with the same deeply recursive stack
2345         instead of finding that same point for each test case.
2346
2347         * stress/regexp-compile-oom.js:
2348         (prototype.runTest):
2349         (recurseAndTest):
2350         (testList.push.new.TestAndExpectedException):
2351
2352 2018-11-05  Michael Saboff  <msaboff@apple.com>
2353
2354         Unreviewed build fix for linux.
2355
2356         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2357
2358 2018-11-02  Michael Saboff  <msaboff@apple.com>
2359
2360         Rolling in r237753 with unreviewed build fix.
2361
2362         Fixed issues with DECLARE_THROW_SCOPE placement.
2363
2364 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2365
2366         Unreviewed, rolling out r237753.
2367
2368         Introduced JSC test failures
2369
2370         Reverted changeset:
2371
2372         "Running out of stack space not properly handled in
2373         RegExp::compile() and its callers"
2374         https://bugs.webkit.org/show_bug.cgi?id=191206
2375         https://trac.webkit.org/changeset/237753
2376
2377 2018-11-02  Michael Saboff  <msaboff@apple.com>
2378
2379         Running out of stack space not properly handled in RegExp::compile() and its callers
2380         https://bugs.webkit.org/show_bug.cgi?id=191206
2381
2382         Reviewed by Filip Pizlo.
2383
2384         New regression test.
2385
2386         * stress/regexp-compile-oom.js: Added.
2387         (recurseAndTest):
2388
2389 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2390
2391         Skip tests on arm/mips that time out now we're running on CLoop
2392
2393         Unreviewed gardening.
2394
2395         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2396         time out on the bots and need to be disabled. There's more tests
2397         disabled on arm because the timeout is longer on the mips bot (as the
2398         device is slower to start with), so many of the tests don't time out
2399         there.
2400
2401         * microbenchmarks/getter-richards.js: disable on arm and mips.
2402         * stress/op_add.js: disable on arm.
2403         * stress/op_bitand.js: disable on arm.
2404         * stress/op_bitor.js: disable on arm.
2405         * stress/op_bitxor.js: disable on arm.
2406         * stress/op_lshift-ConstVar.js: disable on arm.
2407         * stress/op_lshift-VarConst.js: disable on arm.
2408         * stress/op_lshift-VarVar.js: disable on arm.
2409         * stress/op_mod-ConstVar.js: disable on arm.
2410         * stress/op_mod-VarConst.js: disable on arm.
2411         * stress/op_mod-VarVar.js: disable on arm.
2412         * stress/op_mul-ConstVar.js: disable on arm.
2413         * stress/op_mul-VarConst.js: disable on arm.
2414         * stress/op_mul-VarVar.js: disable on arm.
2415         * stress/op_rshift-ConstVar.js: disable on arm.
2416         * stress/op_rshift-VarConst.js: disable on arm.
2417         * stress/op_rshift-VarVar.js: disable on arm.
2418         * stress/op_sub-ConstVar.js: disable on arm.
2419         * stress/op_sub-VarConst.js: disable on arm.
2420         * stress/op_sub-VarVar.js: disable on arm.
2421         * stress/op_urshift-ConstVar.js: disable on arm.
2422         * stress/op_urshift-VarConst.js: disable on arm.
2423         * stress/op_urshift-VarVar.js: disable on arm.
2424         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2425         * stress/value-to-boolean.js: disable on arm and mips.
2426
2427 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2428
2429         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2430         https://bugs.webkit.org/show_bug.cgi?id=191108
2431         <rdar://problem/45690700>
2432
2433         Reviewed by Saam Barati.
2434
2435         * stress/wide-op_catch.js: Added.
2436         (catch):
2437
2438 2018-10-29  Mark Lam  <mark.lam@apple.com>
2439
2440         Correctly detect string overflow when using the 'Function' constructor.
2441         https://bugs.webkit.org/show_bug.cgi?id=184883
2442         <rdar://problem/36320331>
2443
2444         Reviewed by Saam Barati.
2445
2446         I've verified that this passes on 32-bit as well.
2447
2448         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2449
2450 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2451
2452         Add support for GetStack FlushedDouble
2453         https://bugs.webkit.org/show_bug.cgi?id=191012
2454         <rdar://problem/45265141>
2455
2456         Reviewed by Saam Barati.
2457
2458         * stress/get-stack-double.js: Added.
2459         (bar):
2460         (noInline):
2461
2462 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2463
2464         New bytecode format for JSC
2465         https://bugs.webkit.org/show_bug.cgi?id=187373
2466         <rdar://problem/44186758>
2467
2468         Reviewed by Filip Pizlo.
2469
2470         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2471
2472         * stress/maximum-inline-capacity.js: Added.
2473         (test1):
2474         (test3.Foo):
2475         (test3):
2476
2477 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2478
2479         Unreviewed, rolling out r237479 and r237484.
2480         https://bugs.webkit.org/show_bug.cgi?id=190978
2481
2482         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2483
2484         Reverted changesets:
2485
2486         "New bytecode format for JSC"
2487         https://bugs.webkit.org/show_bug.cgi?id=187373
2488         https://trac.webkit.org/changeset/237479
2489
2490         "Gardening: Build fix after r237479."
2491         https://bugs.webkit.org/show_bug.cgi?id=187373
2492         https://trac.webkit.org/changeset/237484
2493
2494 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2495
2496         New bytecode format for JSC
2497         https://bugs.webkit.org/show_bug.cgi?id=187373
2498         <rdar://problem/44186758>
2499
2500         Reviewed by Filip Pizlo.
2501
2502         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2503
2504         * stress/maximum-inline-capacity.js: Added.
2505         (test1):
2506         (test3.Foo):
2507         (test3):
2508
2509 2018-10-26  Mark Lam  <mark.lam@apple.com>
2510
2511         Fix missing edge cases with JSGlobalObjects having a bad time.
2512         https://bugs.webkit.org/show_bug.cgi?id=189028
2513         <rdar://problem/45204939>
2514
2515         Reviewed by Saam Barati.
2516
2517         * stress/regress-189028.js: Added.
2518
2519 2018-10-22  Mark Lam  <mark.lam@apple.com>
2520
2521         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2522         https://bugs.webkit.org/show_bug.cgi?id=190515
2523         <rdar://problem/45222379>
2524
2525         Rubber-stamped by Saam Barati.
2526
2527         Adding another test.
2528
2529         * stress/regress-190515-2.js: Added.
2530
2531 2018-10-22  Mark Lam  <mark.lam@apple.com>
2532
2533         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2534         https://bugs.webkit.org/show_bug.cgi?id=190515
2535         <rdar://problem/45222379>
2536
2537         Reviewed by Saam Barati.
2538
2539         * stress/regress-190515.js: Added.
2540
2541 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2542
2543         Unreviewed, rolling out r237254.
2544         https://bugs.webkit.org/show_bug.cgi?id=190760
2545
2546         "It regresses JetStream 2 by 5% on some iOS devices"
2547         (Requested by saamyjoon on #webkit).
2548
2549         Reverted changeset:
2550
2551         "[JSC] JSC should have "parseFunction" to optimize Function
2552         constructor"
2553         https://bugs.webkit.org/show_bug.cgi?id=190340
2554         https://trac.webkit.org/changeset/237254
2555
2556 2018-10-19  Saam Barati  <sbarati@apple.com>
2557
2558         vmCall should check if we exit before emitting an OSR exit due to exceptions
2559         https://bugs.webkit.org/show_bug.cgi?id=190740
2560         <rdar://problem/45220139>
2561
2562         Reviewed by Mark Lam.
2563
2564         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2565         (foo):
2566
2567 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2568
2569         [ESNext][BigInt] Implement support for "^"
2570         https://bugs.webkit.org/show_bug.cgi?id=186235
2571
2572         Reviewed by Yusuke Suzuki.
2573
2574         * stress/big-int-bitwise-xor-general.js: Added.
2575         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2576         * stress/big-int-bitwise-xor-type-error.js: Added.
2577         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2578
2579 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2580
2581         [BigInt] Add ValueSub into DFG
2582         https://bugs.webkit.org/show_bug.cgi?id=186176
2583
2584         Reviewed by Yusuke Suzuki.
2585
2586         * stress/big-int-subtraction-jit.js:
2587         * stress/value-sub-big-int-prediction-propagation.js: Added.
2588         * stress/value-sub-big-int-untyped.js: Added.
2589         * stress/value-sub-spec-none-case.js: Added.
2590
2591 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2592
2593         [JSC] JSC should have "parseFunction" to optimize Function constructor
2594         https://bugs.webkit.org/show_bug.cgi?id=190340
2595
2596         Reviewed by Mark Lam.
2597
2598         This patch fixes the line number of syntax errors raised by the Function constructor,
2599         since we now parse the final code only once. And we no longer use block statement
2600         for Function constructor's parsing.
2601
2602         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2603         * stress/function-cache-with-parameters-end-position.js: Added.
2604         (shouldBe):
2605         (shouldThrow):
2606         (i.anonymous):
2607         * stress/function-constructor-name.js: Added.
2608         (shouldBe):
2609         (GeneratorFunction):
2610         (AsyncFunction.async):
2611         (AsyncGeneratorFunction.async):
2612         (anonymous):
2613         (async.anonymous):
2614         * test262/expectations.yaml:
2615
2616 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2617
2618         Unreviewed, rolling out r237242.
2619         https://bugs.webkit.org/show_bug.cgi?id=190701
2620
2621         it breaks "stress/sampling-profiler-basic.js" (Requested by
2622         caiolima on #webkit).
2623
2624         Reverted changeset:
2625
2626         "[BigInt] Add ValueSub into DFG"
2627         https://bugs.webkit.org/show_bug.cgi?id=186176
2628         https://trac.webkit.org/changeset/237242
2629
2630 2018-10-17  Keith Miller  <keith_miller@apple.com>
2631
2632         AI does not clear Phantom allocation nodes.
2633         https://bugs.webkit.org/show_bug.cgi?id=190694
2634
2635         Reviewed by Saam Barati.
2636
2637         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2638         (Day):
2639         (DaysInYear):
2640         (TimeInYear):
2641         (TimeFromYear):
2642         (DayFromYear):
2643         (InLeapYear):
2644         (YearFromTime):
2645         (WeekDay):
2646         (DaylightSavingTA):
2647         (GetSecondSundayInMarch):
2648         (TimeInMonth):
2649
2650 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2651
2652         [BigInt] Add ValueSub into DFG
2653         https://bugs.webkit.org/show_bug.cgi?id=186176
2654
2655         Reviewed by Yusuke Suzuki.
2656
2657         * stress/big-int-subtraction-jit.js:
2658         * stress/value-sub-big-int-prediction-propagation.js: Added.
2659         * stress/value-sub-big-int-untyped.js: Added.
2660
2661 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2662
2663         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2664         https://bugs.webkit.org/show_bug.cgi?id=190611
2665
2666         Reviewed by Saam Barati.
2667
2668         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2669         to improve test runtime. On ARM/MIPS this test even timed out when running all
2670         tests.
2671
2672         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2673         (test):
2674
2675 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2676
2677         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2678
2679         Unreviewed gardening.
2680
2681         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2682
2683 2018-10-15  Saam barati  <sbarati@apple.com>
2684
2685         Emit fjcvtzs on ARM64E on Darwin
2686         https://bugs.webkit.org/show_bug.cgi?id=184023
2687
2688         Reviewed by Yusuke Suzuki and Filip Pizlo.
2689
2690         * stress/double-to-int32-NaN.js: Added.
2691         (assert):
2692         (foo):
2693
2694 2018-10-15  Saam Barati  <sbarati@apple.com>
2695
2696         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2697         https://bugs.webkit.org/show_bug.cgi?id=190262
2698         <rdar://problem/44986241>
2699
2700         Reviewed by Mark Lam.
2701
2702         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2703         (test):
2704         * stress/slice-array-storage-with-holes.js: Added.
2705         (main):
2706
2707 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2708
2709         Unreviewed, rolling out r237054.
2710         https://bugs.webkit.org/show_bug.cgi?id=190593
2711
2712         "this regressed JetStream 2 by 6% on iOS" (Requested by
2713         saamyjoon on #webkit).
2714
2715         Reverted changeset:
2716
2717         "[JSC] JSC should have "parseFunction" to optimize Function
2718         constructor"
2719         https://bugs.webkit.org/show_bug.cgi?id=190340
2720         https://trac.webkit.org/changeset/237054
2721
2722 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2723
2724         [JSC] JSON.stringify can accept call-with-no-arguments
2725         https://bugs.webkit.org/show_bug.cgi?id=190343
2726
2727         Reviewed by Mark Lam.
2728
2729         * stress/json-stringify-no-arguments.js: Added.
2730         (shouldBe):
2731
2732 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2733
2734         [JSC] JSC should have "parseFunction" to optimize Function constructor
2735         https://bugs.webkit.org/show_bug.cgi?id=190340
2736
2737         Reviewed by Mark Lam.
2738
2739         This patch fixes the line number of syntax errors raised by the Function constructor,
2740         since we now parse the final code only once. And we no longer use block statement
2741         for Function constructor's parsing.
2742
2743         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2744         * stress/function-cache-with-parameters-end-position.js: Added.
2745         (shouldBe):
2746         (shouldThrow):
2747         (i.anonymous):
2748         * stress/function-constructor-name.js: Added.
2749         (shouldBe):
2750         (GeneratorFunction):
2751         (AsyncFunction.async):
2752         (AsyncGeneratorFunction.async):
2753         (anonymous):
2754         (async.anonymous):
2755         * test262/expectations.yaml:
2756
2757 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2758
2759         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2760         https://bugs.webkit.org/show_bug.cgi?id=190426
2761
2762         Unreviewed gardening.
2763
2764         * stress/sampling-profiler-richards.js:
2765
2766 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2767
2768         [ESNext][BigInt] Implement support for "|"
2769         https://bugs.webkit.org/show_bug.cgi?id=186229
2770
2771         Reviewed by Yusuke Suzuki.
2772
2773         * stress/big-int-bitwise-and-jit.js:
2774         * stress/big-int-bitwise-or-general.js: Added.
2775         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2776         * stress/big-int-bitwise-or-jit.js: Added.
2777         * stress/big-int-bitwise-or-memory-stress.js: Added.
2778         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2779         * stress/big-int-bitwise-or-type-error.js: Added.
2780         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2781
2782 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2783
2784         Skip test on systems with limited memory
2785         https://bugs.webkit.org/show_bug.cgi?id=190310
2786
2787         Invoking runDefault adds test to runlist, skipping the test in the next
2788         line does not prevent the test from executing. Change order of lines such
2789         that runDefault is only executed if test is not executed.
2790
2791         Reviewed by Mark Lam.
2792
2793         * stress/regress-190187.js:
2794
2795 2018-10-03  Saam barati  <sbarati@apple.com>
2796
2797         lowXYZ in FTLLower should always filter the type of the incoming edge
2798         https://bugs.webkit.org/show_bug.cgi?id=189939
2799         <rdar://problem/44407030>
2800
2801         Reviewed by Michael Saboff.
2802
2803         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2804         (foo):
2805         (test):
2806
2807 2018-10-03  Mark Lam  <mark.lam@apple.com>
2808
2809         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2810         https://bugs.webkit.org/show_bug.cgi?id=190187
2811         <rdar://problem/42512909>
2812
2813         Reviewed by Michael Saboff.
2814
2815         * stress/regress-190187.js: Added.
2816
2817 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2818
2819         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2820         https://bugs.webkit.org/show_bug.cgi?id=190033
2821
2822         Reviewed by Yusuke Suzuki.
2823
2824         * stress/big-int-to-string.js:
2825
2826 2018-10-01  Mark Lam  <mark.lam@apple.com>
2827
2828         Function.toString() should also copy the source code Functions that are class definitions.
2829         https://bugs.webkit.org/show_bug.cgi?id=190186
2830         <rdar://problem/44733360>
2831
2832         Reviewed by Saam Barati.
2833
2834         * stress/regress-190186.js: Added.
2835
2836 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2837
2838         Split NaN-check into separate test
2839         https://bugs.webkit.org/show_bug.cgi?id=190010
2840
2841         Reviewed by Saam Barati.
2842
2843         DataView exposes NaN-representation, which is not necessarily the same on each
2844         architecture. Therefore move the check of the NaN-representation into its own
2845         file such that we can disable this test on MIPS where NaN-representation can be
2846         different on older CPUs.
2847
2848         * stress/dataview-jit-set-nan.js: Added.
2849         (assert):
2850         (test.storeLittleEndian):
2851         (test.storeBigEndian):
2852         (test.store):
2853         (test):
2854         * stress/dataview-jit-set.js:
2855         (test5):
2856
2857 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2858
2859         Unreviewed, rolling out r236647.
2860         https://bugs.webkit.org/show_bug.cgi?id=190124
2861
2862         Breaking test stress/big-int-to-string.js (Requested by
2863         caiolima_ on #webkit).
2864
2865         Reverted changeset:
2866
2867         "[BigInt] BigInt.proptotype.toString is broken when radix is
2868         power of 2"
2869         https://bugs.webkit.org/show_bug.cgi?id=190033
2870         https://trac.webkit.org/changeset/236647
2871
2872 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2873
2874         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2875         https://bugs.webkit.org/show_bug.cgi?id=190033
2876
2877         Reviewed by Yusuke Suzuki.
2878
2879         * stress/big-int-to-string.js:
2880
2881 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2882
2883         [ESNext][BigInt] Implement support for "&"
2884         https://bugs.webkit.org/show_bug.cgi?id=186228
2885
2886         Reviewed by Yusuke Suzuki.
2887
2888         * stress/big-int-bitwise-and-general.js: Added.
2889         (assert):
2890         (assert.sameValue):
2891         * stress/big-int-bitwise-and-jit.js: Added.
2892         (let.assert.sameValue):
2893         (bigIntBitAnd):
2894         * stress/big-int-bitwise-and-memory-stress.js: Added.
2895         (assert):
2896         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2897         (assert.sameValue):
2898         (let.o.Symbol.toPrimitive):
2899         (catch):
2900         * stress/big-int-bitwise-and-type-error.js: Added.
2901         (assert):
2902         (assertThrowTypeError):
2903         (let.o.valueOf):
2904         (o.valueOf):
2905         (o.toString):
2906         (o.Symbol.toPrimitive):
2907         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2908         (assert.sameValue):
2909         (testBitAnd):
2910         (let.o.Symbol.toPrimitive):
2911         (o.valueOf):
2912         (o.toString):
2913
2914 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2915
2916         JSC test stress/jsc-read.js doesn't support CRLF
2917         https://bugs.webkit.org/show_bug.cgi?id=190063
2918
2919         Reviewed by Yusuke Suzuki.
2920
2921         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2922
2923         * stress/jsc-read.js:
2924         (test):
2925
2926 2018-09-27  Saam barati  <sbarati@apple.com>
2927
2928         Verify the contents of AssemblerBuffer on arm64e
2929         https://bugs.webkit.org/show_bug.cgi?id=190057
2930         <rdar://problem/38916630>
2931
2932         Reviewed by Mark Lam.
2933
2934         * stress/regress-189132.js:
2935
2936 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2937
2938         Disable test without LLInt on ARMv7
2939         https://bugs.webkit.org/show_bug.cgi?id=190037
2940
2941         Reviewed by Mark Lam.
2942
2943         Test runs out of executable memory on ARMv7, do not run
2944         this test without LLInt enabled.
2945
2946         * stress/regress-169445.js:
2947
2948 2018-09-26  Keith Miller  <keith_miller@apple.com>
2949
2950         We should zero unused property storage when rebalancing array storage.
2951         https://bugs.webkit.org/show_bug.cgi?id=188151
2952
2953         Reviewed by Michael Saboff.
2954
2955         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2956
2957 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2958
2959         [JSC] Optimize Array#lastIndexOf
2960         https://bugs.webkit.org/show_bug.cgi?id=189780
2961
2962         Reviewed by Saam Barati.
2963
2964         * stress/array-lastindexof-array-prototype-trap.js: Added.
2965         (shouldBe):
2966         (AncestorArray.prototype.get 2):
2967         (AncestorArray):
2968         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2969         (shouldBe):
2970         * stress/array-lastindexof-hole-nan.js: Added.
2971         (shouldBe):
2972         (throw.new.Error):
2973         * stress/array-lastindexof-infinity.js: Added.
2974         (shouldBe):
2975         (throw.new.Error):
2976         * stress/array-lastindexof-negative-zero.js: Added.
2977         (shouldBe):
2978         (throw.new.Error):
2979         * stress/array-lastindexof-own-getter.js: Added.
2980         (shouldBe):
2981         (throw.new.Error.get array):
2982         (get array):
2983         * stress/array-lastindexof-prototype-trap.js: Added.
2984         (shouldBe):
2985         (DerivedArray.prototype.get 2):
2986         (DerivedArray):
2987
2988 2018-09-25  Saam Barati  <sbarati@apple.com>
2989
2990         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2991         https://bugs.webkit.org/show_bug.cgi?id=189940
2992         <rdar://problem/43640987>
2993
2994         Reviewed by Mark Lam.
2995
2996         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2997
2998 2018-09-24  Saam Barati  <sbarati@apple.com>
2999
3000         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3001         https://bugs.webkit.org/show_bug.cgi?id=189922
3002         <rdar://problem/44651275>
3003
3004         Reviewed by Mark Lam.
3005
3006         * stress/array-indexof-fast-path-effects.js: Added.
3007         * stress/array-indexof-cached-length.js: Added.
3008
3009 2018-09-24  Saam barati  <sbarati@apple.com>
3010
3011         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3012         https://bugs.webkit.org/show_bug.cgi?id=189682
3013         <rdar://problem/43557315>
3014
3015         Reviewed by Mark Lam.
3016
3017         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3018         (foo):
3019
3020 2018-09-22  Saam barati  <sbarati@apple.com>
3021
3022         The sampling should not use Strong<CodeBlock> in its machineLocation field
3023         https://bugs.webkit.org/show_bug.cgi?id=189319
3024
3025         Reviewed by Filip Pizlo.
3026
3027         * stress/sampling-profiler-richards.js: Added.
3028
3029 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3030
3031         [JSC] Optimize Array#indexOf in C++ runtime
3032         https://bugs.webkit.org/show_bug.cgi?id=189507
3033
3034         Reviewed by Saam Barati.
3035
3036         * stress/array-indexof-array-prototype-trap.js: Added.
3037         (shouldBe):
3038         (AncestorArray.prototype.get 2):
3039         (AncestorArray):
3040         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3041         (shouldBe):
3042         * stress/array-indexof-hole-nan.js: Added.
3043         (shouldBe):
3044         (throw.new.Error):
3045         * stress/array-indexof-infinity.js: Added.
3046         (shouldBe):
3047         (throw.new.Error):
3048         * stress/array-indexof-negative-zero.js: Added.
3049         (shouldBe):
3050         (throw.new.Error):
3051         * stress/array-indexof-own-getter.js: Added.
3052         (shouldBe):
3053         (throw.new.Error.get array):
3054         (get array):
3055         * stress/array-indexof-prototype-trap.js: Added.
3056         (shouldBe):
3057         (DerivedArray.prototype.get 2):
3058         (DerivedArray):
3059
3060 2018-09-19  Saam barati  <sbarati@apple.com>
3061
3062         AI rule for MultiPutByOffset executes its effects in the wrong order
3063         https://bugs.webkit.org/show_bug.cgi?id=189757
3064         <rdar://problem/43535257>
3065
3066         Reviewed by Michael Saboff.
3067
3068         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3069         (foo):
3070         (Foo):
3071         (g):
3072
3073 2018-09-17  Mark Lam  <mark.lam@apple.com>
3074
3075         Ensure that ForInContexts are invalidated if their loop local is over-written.
3076         https://bugs.webkit.org/show_bug.cgi?id=189571
3077         <rdar://problem/44402277>
3078
3079         Reviewed by Saam Barati.
3080
3081         * stress/regress-189571.js: Added.
3082
3083 2018-09-17  Saam barati  <sbarati@apple.com>
3084
3085         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3086         https://bugs.webkit.org/show_bug.cgi?id=189676
3087         <rdar://problem/39682897>
3088
3089         Reviewed by Michael Saboff.
3090
3091         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3092         (A):
3093         (K):
3094         (i.catch):
3095
3096 2018-09-14  Saam barati  <sbarati@apple.com>
3097
3098         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3099         https://bugs.webkit.org/show_bug.cgi?id=189628
3100         <rdar://problem/39481690>
3101
3102         Reviewed by Mark Lam.
3103
3104         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3105         (foo):
3106
3107 2018-09-11  Mark Lam  <mark.lam@apple.com>
3108
3109         Test for array initialization in arrayProtoFuncSplice.
3110         https://bugs.webkit.org/show_bug.cgi?id=170253
3111         <rdar://problem/31328773>
3112
3113         Rubber-stamped by Saam Barati.
3114
3115         * stress/regress-170253.js: Added.
3116
3117 2018-09-11  Mark Lam  <mark.lam@apple.com>
3118
3119         Test for IntlObject initialization.
3120         https://bugs.webkit.org/show_bug.cgi?id=170251
3121         <rdar://problem/31328419>
3122
3123         Rubber-stamped by Saam Barati.
3124
3125         * stress/regress-170251.js: Added.
3126
3127 2018-09-11  Mark Lam  <mark.lam@apple.com>
3128
3129         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3130         https://bugs.webkit.org/show_bug.cgi?id=169889
3131         <rdar://problem/31155607>
3132
3133         Reviewed by Saam Barati.
3134
3135         * stress/regress-169889-array-concat.js: Added.
3136         * stress/regress-169889-array-concat1.js: Added.
3137         * stress/regress-169889-array-slice.js: Added.
3138
3139 2018-09-11  Mark Lam  <mark.lam@apple.com>
3140
3141         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3142         https://bugs.webkit.org/show_bug.cgi?id=169445
3143         <rdar://problem/30957435>
3144
3145         Reviewed by Saam Barati.
3146
3147         * stress/regress-169445.js: Added.
3148         (let.gun.eval.A):
3149         (let.gun.eval.B.C):
3150         (let.gun.eval.B.C.prototype.trigger):
3151         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3152         (let.gun.eval.B):
3153         (let.gun.eval):
3154
3155 == Rolled over to ChangeLog-2018-09-11 ==