[JSC] to_index_string should not assume incoming value is Uint32
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] to_index_string should not assume incoming value is Uint32
4         https://bugs.webkit.org/show_bug.cgi?id=196713
5
6         Reviewed by Saam Barati.
7
8         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
9         (foo):
10
11 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] Add more tests for r243966
14         https://bugs.webkit.org/show_bug.cgi?id=196711
15
16         Reviewed by Saam Barati.
17
18         Adding one more test for r243966 fix. The added test will not crash after r243966.
19
20         * stress/stress-cleared-calllinkinfo.js: Added.
21         (runNearStackLimit.t):
22         (runNearStackLimit):
23         (repeat):
24         (cls):
25         (let.item.of.array.runNearStackLimit):
26
27 2019-04-08  Saam Barati  <sbarati@apple.com>
28
29         WebAssembly.RuntimeError missing exception check
30         https://bugs.webkit.org/show_bug.cgi?id=196700
31         <rdar://problem/49693932>
32
33         Reviewed by Yusuke Suzuki.
34
35         * wasm/js-api/runtime-error-should-exception-check.js: Added.
36
37 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
38
39         Unreviewed, rolling in r243948 with test fix
40         https://bugs.webkit.org/show_bug.cgi?id=196486
41
42         * stress/arrow-function-and-use-strict-directive.js: Added.
43         * stress/arrow-function-syntax.js: Added.
44         (checkSyntax):
45         (checkSyntaxError):
46
47 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
48
49         Unreviewed, rolling out r243948.
50
51         Caused inspector/runtime/parse.html to fail
52
53         Reverted changeset:
54
55         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
56         https://bugs.webkit.org/show_bug.cgi?id=196486
57         https://trac.webkit.org/changeset/243948
58
59 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
60
61         Unreviewed, rolling out r243943.
62
63         Caused test262 failures.
64
65         Reverted changeset:
66
67         "[JSC] Filter DontEnum properties in
68         ProxyObject::getOwnPropertyNames()"
69         https://bugs.webkit.org/show_bug.cgi?id=176810
70         https://trac.webkit.org/changeset/243943
71
72 2019-04-07  Michael Saboff  <msaboff@apple.com>
73
74         REGRESSION (r243642): Crash in reddit.com page
75         https://bugs.webkit.org/show_bug.cgi?id=196684
76
77         Reviewed by Geoffrey Garen.
78
79         New regression test.
80
81         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
82
83 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
84
85         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
86         https://bugs.webkit.org/show_bug.cgi?id=196683
87
88         Reviewed by Saam Barati.
89
90         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
91         (foo):
92
93 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
94
95         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
96         https://bugs.webkit.org/show_bug.cgi?id=196582
97
98         Reviewed by Saam Barati.
99
100         * stress/add-overflow-check-with-three-same-registers.js: Added.
101         (foo):
102         (Number.prototype.valueOf):
103         (runWithNumber):
104
105 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
106
107         Unreviewed, rolling out r243665.
108
109         Caused iOS JSC tests to exit with an exception.
110
111         Reverted changeset:
112
113         "Assertion failed in JSC::createError"
114         https://bugs.webkit.org/show_bug.cgi?id=196305
115         https://trac.webkit.org/changeset/243665
116
117 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
118
119         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
120         https://bugs.webkit.org/show_bug.cgi?id=196486
121
122         Reviewed by Saam Barati.
123
124         * stress/arrow-function-and-use-strict-directive.js: Added.
125         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
126         (checkSyntax):
127         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
128
129 2019-04-05  Caitlin Potter  <caitp@igalia.com>
130
131         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
132         https://bugs.webkit.org/show_bug.cgi?id=176810
133
134         Reviewed by Saam Barati.
135
136         Add tests for the DontEnum filtering, and variations of other tests
137         take the DontEnum-filtering path.
138
139         * stress/proxy-own-keys.js:
140         (i.catch):
141         (set assert):
142         (set add):
143         (let.set new):
144         (get let):
145
146 2019-04-05  Caitlin Potter  <caitp@igalia.com>
147
148         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
149         https://bugs.webkit.org/show_bug.cgi?id=185211
150
151         Reviewed by Saam Barati.
152
153         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
154
155         This changes several assertions to expect a TypeError to be thrown (in some cases,
156         changing the expected message).
157
158         * es6/Proxy_ownKeys_duplicates.js:
159         (handler):
160         (shouldThrow):
161         (test):
162         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
163         (shouldThrow):
164         * stress/proxy-own-keys.js:
165         (i.catch):
166         (assert):
167
168 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
169
170         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
171         https://bugs.webkit.org/show_bug.cgi?id=196631
172
173         Reviewed by Saam Barati.
174
175         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
176         (assert):
177         (test):
178         (foo):
179
180 2019-04-04  Saam Barati  <sbarati@apple.com>
181
182         Unreviewed. Make the test from r243906 catch the thrown exceptions.
183
184         * stress/inferred-types-regex-matches-array.js:
185
186 2019-04-04  Saam Barati  <sbarati@apple.com>
187
188         createRegExpMatchesArray does not respect inferred types
189         https://bugs.webkit.org/show_bug.cgi?id=193287
190
191         Reviewed by Yusuke Suzuki.
192
193         This checks in the test case for 193287. This issue was discovered by
194         Samuel Groß of Google Project Zero.
195
196         * stress/inferred-types-regex-matches-array.js: Added.
197
198 2019-04-04  Saam barati  <sbarati@apple.com>
199
200         Teach Call ICs how to call Wasm
201         https://bugs.webkit.org/show_bug.cgi?id=196387
202
203         Reviewed by Filip Pizlo.
204
205         * wasm/function-tests/stack-trace.js:
206
207 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
208
209         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
210         https://bugs.webkit.org/show_bug.cgi?id=194944
211
212         Reviewed by Keith Miller.
213
214         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
215
216 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
217
218         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
219         https://bugs.webkit.org/show_bug.cgi?id=196409
220
221         Reviewed by Saam Barati.
222
223         * stress/bytecode-cache-cached-string-impl.js: Added.
224         (f):
225         (g):
226         * stress/bytecode-cache-run-string.js: Added.
227
228 2019-04-03  Robin Morisset  <rmorisset@apple.com>
229
230         B3 should use associativity to optimize expression trees
231         https://bugs.webkit.org/show_bug.cgi?id=194081
232
233         Reviewed by Filip Pizlo.
234
235         Added three microbenchmarks:
236         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
237         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
238           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
239         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
240
241         * microbenchmarks/add-tree.js: Added.
242         * microbenchmarks/bit-or-tree.js: Added.
243         * microbenchmarks/bit-xor-tree.js: Added.
244
245 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
246
247         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
248         https://bugs.webkit.org/show_bug.cgi?id=196574
249
250         Reviewed by Saam Barati.
251
252         * stress/string-index-of-exception-check.js: Added.
253         (blurType):
254         (1.forEach):
255
256 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
257
258         Assertion failed in JSC::createError
259         https://bugs.webkit.org/show_bug.cgi?id=196305
260         <rdar://problem/49387382>
261
262         Reviewed by Saam Barati.
263
264         * stress/create-error-out-of-memory-rope-string-2.js: Added.
265         (assert):
266         (catch):
267
268 2019-03-28  Saam Barati  <sbarati@apple.com>
269
270         BackwardsGraph needs to consider back edges as the backward's root successor
271         https://bugs.webkit.org/show_bug.cgi?id=195991
272
273         Reviewed by Filip Pizlo.
274
275         * stress/map-b3-licm-infinite-loop.js: Added.
276
277 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
278
279         CodeBlock::jettison() should disallow repatching its own calls
280         https://bugs.webkit.org/show_bug.cgi?id=196359
281         <rdar://problem/48973663>
282
283         Reviewed by Saam Barati.
284
285         * stress/call-link-info-osrexit-repatch.js: Added.
286         (foo):
287
288 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
289
290         [JSC] imports-oom.js intermittently fails
291         https://bugs.webkit.org/show_bug.cgi?id=196373
292
293         Reviewed by Saam Barati.
294
295         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
296         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
297         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
298         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
299         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
300
301         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
302         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
303
304         * wasm/lowExecutableMemory/imports-oom.js:
305
306 2019-03-27  Saam Barati  <sbarati@apple.com>
307
308         validateOSREntryValue with Int52 should box the value being checked into double format
309         https://bugs.webkit.org/show_bug.cgi?id=196313
310         <rdar://problem/49306703>
311
312         Reviewed by Yusuke Suzuki.
313
314         * stress/validate-int-52-ai-state.js: Added.
315
316 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
317
318         [JSC] Owner of watchpoints should validate at GC finalizing phase
319         https://bugs.webkit.org/show_bug.cgi?id=195827
320
321         Reviewed by Filip Pizlo.
322
323         * stress/gc-should-reap-dead-watchpoints.js: Added.
324         (foo):
325         (A.prototype.y):
326         (A):
327
328 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
329
330         Skip WebAssembly test on 32-bit systems
331         https://bugs.webkit.org/show_bug.cgi?id=196206
332
333         Reviewed by Saam Barati.
334
335         Invoking runDefault executes test immediately even though
336         that test should be skipped due to missing WASM support.
337         Therefore remove runDefault.
338
339         * wasm/regress/web-assembly-link-error-exception-check.js:
340
341 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
342
343         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
344         https://bugs.webkit.org/show_bug.cgi?id=196217
345
346         Reviewed by Saam Barati.
347
348         Re-enable all NaN tests for f32.min, f64.min and f64.max.
349
350         * wasm/spec-tests/f32.wast.js:
351         * wasm/spec-tests/f64.wast.js:
352         * wasm/wasm.json:
353
354 2019-03-25  Keith Miller  <keith_miller@apple.com>
355
356         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
357         https://bugs.webkit.org/show_bug.cgi?id=196176
358
359         Reviewed by Saam Barati.
360
361         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
362         (main.v10):
363         (main):
364
365 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
366
367         WebAssembly: f32.max with NaN generates incorrect result
368         https://bugs.webkit.org/show_bug.cgi?id=175691
369         <rdar://problem/33952228>
370
371         Reviewed by Saam Barati.
372
373         Enable all f32.max NaN tests
374
375         * wasm/spec-tests/f32.wast.js:
376         * wasm/wasm.json:
377
378 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
379
380         [JSC] Move test into directory for WASM tests
381         https://bugs.webkit.org/show_bug.cgi?id=196187
382
383         Reviewed by Mark Lam.
384
385         Move Test into wasm-directory. Otherwise this test
386         is also executed on systems without WASM support.
387
388         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
389
390 2019-03-23  Mark Lam  <mark.lam@apple.com>
391
392         Rolling out r243032 and r243071 because the fix is incorrect.
393         https://bugs.webkit.org/show_bug.cgi?id=195892
394         <rdar://problem/48981239>
395
396         Not reviewed.
397
398         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
399
400 2019-03-22  Mark Lam  <mark.lam@apple.com>
401
402         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
403         https://bugs.webkit.org/show_bug.cgi?id=196154
404         <rdar://problem/49145307>
405
406         Reviewed by Filip Pizlo.
407
408         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
409         There's no need to run this test on more than 1 test configuration.
410
411         * stress/typed-array-lastIndexOf-exception-check.js: Added.
412         * stress/web-assembly-link-error-exception-check.js:
413
414 2019-03-22  Mark Lam  <mark.lam@apple.com>
415
416         Placate exception check validation in constructJSWebAssemblyLinkError().
417         https://bugs.webkit.org/show_bug.cgi?id=196152
418         <rdar://problem/49145257>
419
420         Reviewed by Michael Saboff.
421
422         * stress/web-assembly-link-error-exception-check.js: Added.
423
424 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
425
426         Skip tests running out of memory on ARM/MIPS
427         https://bugs.webkit.org/show_bug.cgi?id=196131
428
429         Unreviewed. Skip test if memory is limited.
430
431         * microbenchmarks/put-by-val-direct-large-index.js:
432
433 2019-03-21  Mark Lam  <mark.lam@apple.com>
434
435         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
436         https://bugs.webkit.org/show_bug.cgi?id=196116
437         <rdar://problem/48976951>
438
439         Reviewed by Filip Pizlo.
440
441         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
442
443 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
444
445         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
446         https://bugs.webkit.org/show_bug.cgi?id=196078
447         <rdar://problem/35925380>
448
449         Reviewed by Mark Lam.
450
451         Add a new benchmark that allocates several objects and invokes put_by_val_direct
452         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
453
454         * microbenchmarks/put-by-val-direct-large-index.js: Added.
455
456 2019-03-21  Mark Lam  <mark.lam@apple.com>
457
458         Placate exception check validation in operationArrayIndexOfString().
459         https://bugs.webkit.org/show_bug.cgi?id=196067
460         <rdar://problem/49056572>
461
462         Reviewed by Michael Saboff.
463
464         * stress/string-equal-exception-check.js: Added.
465
466 2019-03-21  Mark Lam  <mark.lam@apple.com>
467
468         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
469         https://bugs.webkit.org/show_bug.cgi?id=196055
470         <rdar://problem/49067448>
471
472         Reviewed by Yusuke Suzuki.
473
474         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
475
476 2019-03-20  Saam Barati  <sbarati@apple.com>
477
478         typeOfDoubleSum is wrong for when NaN can be produced
479         https://bugs.webkit.org/show_bug.cgi?id=196030
480
481         Reviewed by Filip Pizlo.
482
483         * stress/double-add-sub-mul-can-produce-nan.js: Added.
484         (assert):
485         (noInline.sub):
486         (noInline):
487         (assert.mul):
488         (assert.add):
489
490 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
491
492         Update the test to ensure OutOfMemoryError is thrown as intended
493         https://bugs.webkit.org/show_bug.cgi?id=196032
494         <rdar://problem/46842740>
495
496         Rubber stamped by Saam Barati.
497
498         * stress/create-error-out-of-memory-rope-string.js:
499         (assert):
500         (catch):
501
502 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
503
504         JSC::createError needs to check for OOM in errorDescriptionForValue
505         https://bugs.webkit.org/show_bug.cgi?id=196032
506         <rdar://problem/46842740>
507
508         Reviewed by Mark Lam.
509
510         * stress/create-error-out-of-memory-rope-string.js: Added.
511
512 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
513
514         Unreviewed, reduce # of iterations to avoid timing out after r242991
515         https://bugs.webkit.org/show_bug.cgi?id=195791
516
517         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
518
519         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
520
521 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
522
523         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
524         https://bugs.webkit.org/show_bug.cgi?id=195950
525
526         Unreviewed, reducing the amount of memory used on this test to avoid
527         OOM on devices with memory restrictions.
528
529         * microbenchmarks/generate-multiple-llint-entrypoints.js:
530
531 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
532
533         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
534         https://bugs.webkit.org/show_bug.cgi?id=194648
535
536         Reviewed by Keith Miller.
537
538         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
539
540 2019-03-18  Mark Lam  <mark.lam@apple.com>
541
542         Missing a ThrowScope release in JSObject::toString().
543         https://bugs.webkit.org/show_bug.cgi?id=195893
544         <rdar://problem/48970986>
545
546         Reviewed by Michael Saboff.
547
548         * stress/to-string-exception-check-release.js: Added.
549
550 2019-03-18  Mark Lam  <mark.lam@apple.com>
551
552         Structure::flattenDictionary() should clear unused property slots.
553         https://bugs.webkit.org/show_bug.cgi?id=195871
554         <rdar://problem/48959497>
555
556         Reviewed by Michael Saboff.
557
558         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
559
560 2019-03-15  Mark Lam  <mark.lam@apple.com>
561
562         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
563         https://bugs.webkit.org/show_bug.cgi?id=195827
564         <rdar://problem/48845513>
565
566         Reviewed by Filip Pizlo.
567
568         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
569
570 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
571
572         [ARM,MIPS] Skip slow tests
573         https://bugs.webkit.org/show_bug.cgi?id=195799
574
575         Unreviewed, test does not finish on ARM and MIPS within the
576         timeout limit.
577
578         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
579
580 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
581
582         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
583         https://bugs.webkit.org/show_bug.cgi?id=195791
584         <rdar://problem/48806130>
585
586         Reviewed by Mark Lam.
587
588         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
589         (foo):
590
591 2019-03-14  Saam barati  <sbarati@apple.com>
592
593         We can't remove code after ForceOSRExit until after FixupPhase
594         https://bugs.webkit.org/show_bug.cgi?id=186916
595         <rdar://problem/41396612>
596
597         Reviewed by Yusuke Suzuki.
598
599         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
600         (foo):
601         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
602         (foo):
603
604 2019-03-13  Michael Saboff  <msaboff@apple.com>
605
606         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
607         https://bugs.webkit.org/show_bug.cgi?id=195735
608
609         Reviewed by Mark Lam.
610
611         New regression test.
612
613         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
614         (foo):
615         (bar):
616
617 2019-03-14  Saam barati  <sbarati@apple.com>
618
619         Fixup uses KnownInt32 incorrectly in some nodes
620         https://bugs.webkit.org/show_bug.cgi?id=195279
621         <rdar://problem/47915654>
622
623         Reviewed by Yusuke Suzuki.
624
625         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
626         (foo):
627
628 2019-03-14  Keith Miller  <keith_miller@apple.com>
629
630         DFG liveness can't skip tail caller inline frames
631         https://bugs.webkit.org/show_bug.cgi?id=195715
632
633         Reviewed by Saam Barati.
634
635         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
636         (i.foo):
637
638 2019-03-13  Mark Lam  <mark.lam@apple.com>
639
640         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
641         https://bugs.webkit.org/show_bug.cgi?id=195415
642
643         Not reviewed.
644
645         Changed these tests to only run the default configuration.
646         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
647         There's no strong need to run this test on that variant.
648
649         * stress/dfg-to-string-on-int-does-gc.js:
650         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
651
652 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
653
654         String overflow when using StringBuilder in JSC::createError
655         https://bugs.webkit.org/show_bug.cgi?id=194957
656
657         Reviewed by Mark Lam.
658
659         Add test string-overflow-createError-builder.js that overflows
660         StringBuilder in notAFunctionSourceAppender. The second new test
661         string-overflow-createError-fit.js has an error message that doesn't
662         overflow, it still failed since the String's capacity can't be doubled.
663         Run test string-overflow-createError.js only in the default
664         configuration to reduce memory consumption when running the test
665         in all configurations on multiple CPUs in parallel.
666
667         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
668         (catch):
669         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
670         (catch):
671         * stress/string-overflow-createError.js:
672
673 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
674
675         [JSC] OSR entry should respect abstract values in addition to flush formats
676         https://bugs.webkit.org/show_bug.cgi?id=195653
677
678         Reviewed by Mark Lam.
679
680         * stress/osr-entry-locals-none.js: Added.
681
682 2019-03-12  Michael Saboff  <msaboff@apple.com>
683
684         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
685         https://bugs.webkit.org/show_bug.cgi?id=195613
686
687         Reviewed by Mark Lam.
688
689         New regression test.
690
691         * stress/regexp-backref-inbounds.js: Added.
692         (testRegExp):
693
694 2019-03-12  Mark Lam  <mark.lam@apple.com>
695
696         The HasIndexedProperty node does GC.
697         https://bugs.webkit.org/show_bug.cgi?id=195559
698         <rdar://problem/48767923>
699
700         Reviewed by Yusuke Suzuki.
701
702         * stress/HasIndexedProperty-does-gc.js: Added.
703
704 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
705
706         [ESNext][BigInt] Implement "~" unary operation
707         https://bugs.webkit.org/show_bug.cgi?id=182216
708
709         Reviewed by Keith Miller.
710
711         * stress/big-int-bit-not-general.js: Added.
712         * stress/big-int-bitwise-not-jit.js: Added.
713         * stress/big-int-bitwise-not-wrapped-value.js: Added.
714         * stress/bit-op-with-object-returning-int32.js:
715         * stress/bitwise-not-fixup-rules.js: Added.
716         * stress/value-bit-not-ai-rule.js: Added.
717
718 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
719
720         Invalid flags in a RegExp literal should be an early SyntaxError
721         https://bugs.webkit.org/show_bug.cgi?id=195514
722
723         Reviewed by Darin Adler.
724
725         * test262/expectations.yaml:
726         Mark 4 test cases as passing.
727
728         * stress/regexp-syntax-error-invalid-flags.js:
729         * stress/regress-161995.js: Removed.
730         Update existing test, merging in an older test for the same behavior.
731
732 2019-03-08  Mark Lam  <mark.lam@apple.com>
733
734         Stack overflow crash in JSC::JSObject::hasInstance.
735         https://bugs.webkit.org/show_bug.cgi?id=195458
736         <rdar://problem/48710195>
737
738         Reviewed by Yusuke Suzuki.
739
740         * stress/stack-overflow-in-custom-hasInstance.js: Added.
741
742 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
743
744         op_check_tdz does not def its argument
745         https://bugs.webkit.org/show_bug.cgi?id=192880
746         <rdar://problem/46221598>
747
748         Reviewed by Saam Barati.
749
750         * microbenchmarks/let-for-in.js: Added.
751         (foo):
752
753 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
754
755         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
756         https://bugs.webkit.org/show_bug.cgi?id=195429
757
758         Reviewed by Saam Barati.
759
760         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
761         (foo):
762         * stress/string-from-char-code-255.js: Added.
763
764 2019-03-06  Mark Lam  <mark.lam@apple.com>
765
766         Fix incorrect handling of try-finally completion values.
767         https://bugs.webkit.org/show_bug.cgi?id=195131
768         <rdar://problem/46222079>
769
770         Reviewed by Saam Barati and Yusuke Suzuki.
771
772         Added many permutations of new test case to test-finally.js.  test-finally.js has
773         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
774         tests pass there as well.
775
776         * stress/test-finally.js:
777
778 2019-03-06  Saam Barati  <sbarati@apple.com>
779
780         Air::reportUsedRegisters must padInterference
781         https://bugs.webkit.org/show_bug.cgi?id=195303
782         <rdar://problem/48270343>
783
784         Reviewed by Keith Miller.
785
786         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
787
788 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
789
790         [JSC] AI should not propagate AbstractValue relying on constant folding phase
791         https://bugs.webkit.org/show_bug.cgi?id=195375
792
793         Reviewed by Saam Barati.
794
795         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
796         (let.array):
797
798 2019-03-05  Saam barati  <sbarati@apple.com>
799
800         op_switch_char broken for rope strings after JSRopeString layout rewrite
801         https://bugs.webkit.org/show_bug.cgi?id=195339
802         <rdar://problem/48592545>
803
804         Reviewed by Yusuke Suzuki.
805
806         * stress/switch-on-char-llint-rope.js: Added.
807
808 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
809
810         [JSC] Store bits for JSRopeString in 3 stores
811         https://bugs.webkit.org/show_bug.cgi?id=195234
812
813         Reviewed by Saam Barati.
814
815         * stress/null-rope-and-collectors.js: Added.
816
817 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
818
819         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
820         https://bugs.webkit.org/show_bug.cgi?id=195207
821
822         Unreviewed. After test runtime was reduced in r242213, test can be
823         run again on ARM/MIPS.
824
825         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
826
827 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
828
829         [JSC] sizeof(JSString) should be 16
830         https://bugs.webkit.org/show_bug.cgi?id=194375
831
832         Reviewed by Saam Barati.
833
834         * microbenchmarks/make-rope.js: Added.
835         (makeRope):
836         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
837         (returnRope.helper): Deleted.
838         (returnRope): Deleted.
839
840 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
841
842         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
843         https://bugs.webkit.org/show_bug.cgi?id=195144
844
845         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
846         Change the number from 1e8 to 1e5.
847
848         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
849         (foo):
850
851 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
852
853         Test times out on ARM/MIPS
854         https://bugs.webkit.org/show_bug.cgi?id=195168
855
856         Unreviewed. Skip test on ARM/MIPS.
857
858         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
859
860 2019-02-27  Mark Lam  <mark.lam@apple.com>
861
862         The parser is failing to record the token location of new in new.target.
863         https://bugs.webkit.org/show_bug.cgi?id=195127
864         <rdar://problem/39645578>
865
866         Reviewed by Yusuke Suzuki.
867
868         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
869
870 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
871
872         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
873         https://bugs.webkit.org/show_bug.cgi?id=195144
874         <rdar://problem/47595961>
875
876         Reviewed by Mark Lam.
877
878         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
879         (bar):
880         (foo):
881         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
882         (bar):
883         (foo):
884
885 2019-02-27  Robin Morisset  <rmorisset@apple.com>
886
887         DFG: Loop-invariant code motion (LICM) should not hoist dead code
888         https://bugs.webkit.org/show_bug.cgi?id=194945
889         <rdar://problem/48311657>
890
891         Reviewed by Mark Lam.
892
893         * stress/licm-dead-code.js: Added.
894
895 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
896
897         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
898         https://bugs.webkit.org/show_bug.cgi?id=194677
899         <rdar://problem/48112492>
900
901         Reviewed by Mark Lam.
902
903         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
904         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
905         it immediately fails due to the large size.
906
907         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
908         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
909         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
910         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
911
912         This patch changes the test to produce 16bit string from String.fromCharCode.
913
914         * stress/regress-178386.js:
915
916 2019-02-26  Mark Lam  <mark.lam@apple.com>
917
918         wasmToJS() should purify incoming NaNs.
919         https://bugs.webkit.org/show_bug.cgi?id=194807
920         <rdar://problem/48189132>
921
922         Reviewed by Saam Barati.
923
924         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
925
926 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
927
928         [JSC] Repeat string created from Array.prototype.join() take too much memory
929         https://bugs.webkit.org/show_bug.cgi?id=193912
930
931         Reviewed by Saam Barati.
932
933         Added a test and a microbenchmark for corner cases of
934         Array.prototype.join() with an uninitialized array.
935
936         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
937         * stress/array-prototype-join-uninitialized.js: Added.
938         (testArray):
939         (testABC):
940         (B):
941         (C):
942
943 2019-02-22  Robin Morisset  <rmorisset@apple.com>
944
945         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
946         https://bugs.webkit.org/show_bug.cgi?id=194953
947         <rdar://problem/47595253>
948
949         Reviewed by Saam Barati.
950
951         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
952
953         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
954
955 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
956
957         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
958         https://bugs.webkit.org/show_bug.cgi?id=172848
959         <rdar://problem/25709212>
960
961         Reviewed by Mark Lam.
962
963         * typeProfiler/inheritance.js:
964         Rewrite the test slightly for clarity. The hoisting was confusing.
965
966         * heapProfiler/class-names.js: Added.
967         (MyES5Class):
968         (MyES6Class):
969         (MyES6Subclass):
970         Test object types and improved class names.
971
972         * heapProfiler/driver/driver.js:
973         (CheapHeapSnapshotNode):
974         (CheapHeapSnapshot):
975         (createCheapHeapSnapshot):
976         (HeapSnapshot):
977         (createHeapSnapshot):
978         Update snapshot parsing from version 1 to version 2.
979
980 2019-02-19  Truitt Savell  <tsavell@apple.com>
981
982         Unreviewed, rolling out r241784.
983
984         Broke all OpenSource builds.
985
986         Reverted changeset:
987
988         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
989         instances view"
990         https://bugs.webkit.org/show_bug.cgi?id=172848
991         https://trac.webkit.org/changeset/241784
992
993 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
994
995         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
996         https://bugs.webkit.org/show_bug.cgi?id=172848
997         <rdar://problem/25709212>
998
999         Reviewed by Mark Lam.
1000
1001         * typeProfiler/inheritance.js:
1002         Rewrite the test slightly for clarity. The hoisting was confusing.
1003
1004         * heapProfiler/class-names.js: Added.
1005         (MyES5Class):
1006         (MyES6Class):
1007         (MyES6Subclass):
1008         Test object types and improved class names.
1009
1010         * heapProfiler/driver/driver.js:
1011         (CheapHeapSnapshotNode):
1012         (CheapHeapSnapshot):
1013         (createCheapHeapSnapshot):
1014         (HeapSnapshot):
1015         (createHeapSnapshot):
1016         Update snapshot parsing from version 1 to version 2.
1017
1018 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1019
1020         [ARM] Fix crash with sampling profiler
1021         https://bugs.webkit.org/show_bug.cgi?id=194772
1022
1023         Reviewed by Mark Lam.
1024
1025         Do not skip test since crash with sampling profiler is now fixed.
1026
1027         * stress/sampling-profiler-richards.js:
1028
1029 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1030
1031         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1032         https://bugs.webkit.org/show_bug.cgi?id=194784
1033         <rdar://problem/48154820>
1034
1035         Reviewed by Mark Lam.
1036
1037         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1038         (getProperties):
1039         (getRandomProperty):
1040         (i.catch):
1041
1042 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1043
1044         [ARM] Test gardening: Test running out of executable memory
1045         https://bugs.webkit.org/show_bug.cgi?id=194771
1046
1047         Unreviewed. Do not run test without LLInt, test is running out of executable
1048         memory on ARM otherwise.
1049
1050         * stress/tagged-template-object-collect.js:
1051
1052 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1053
1054         Unreviewed, skip the test on platforms without sampling profiler
1055
1056         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1057         (platformSupportsSamplingProfiler.foo):
1058         (platformSupportsSamplingProfiler.test):
1059         (platformSupportsSamplingProfiler):
1060         (foo): Deleted.
1061         (test): Deleted.
1062
1063 2019-02-17  Saam Barati  <sbarati@apple.com>
1064
1065         Deadlock when adding a Structure property transition and then doing incremental marking
1066         https://bugs.webkit.org/show_bug.cgi?id=194767
1067
1068         Reviewed by Mark Lam.
1069
1070         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1071
1072 2019-02-15  Michael Saboff  <msaboff@apple.com>
1073
1074         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1075         https://bugs.webkit.org/show_bug.cgi?id=194558
1076
1077         Reviewed by Saam Barati.
1078
1079         New regression test.
1080
1081         * stress/regexp-unicode-within-string.js: Added.
1082
1083 2019-02-15  Mark Lam  <mark.lam@apple.com>
1084
1085         SamplingProfiler::stackTracesAsJSON() should escape strings.
1086         https://bugs.webkit.org/show_bug.cgi?id=194649
1087         <rdar://problem/48072386>
1088
1089         Reviewed by Saam Barati.
1090
1091         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1092         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1093         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1094         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1095
1096 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1097         CodeBlock::jettison should clear related watchpoints
1098         https://bugs.webkit.org/show_bug.cgi?id=194544
1099
1100         Reviewed by Mark Lam.
1101
1102         * stress/regexp-replace-double-watchpoint.js: Added.
1103         (foo):
1104
1105 2019-02-15  Saam barati  <sbarati@apple.com>
1106
1107         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1108         https://bugs.webkit.org/show_bug.cgi?id=194036
1109
1110         Reviewed by Yusuke Suzuki.
1111
1112         * stress/tail-call-many-arguments.js: Added.
1113         (foo):
1114         (bar):
1115
1116 2019-02-14  Saam Barati  <sbarati@apple.com>
1117
1118         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1119         https://bugs.webkit.org/show_bug.cgi?id=194583
1120         <rdar://problem/48028140>
1121
1122         Reviewed by Yusuke Suzuki.
1123
1124         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1125
1126 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1127
1128         [JSC] String.fromCharCode's slow path always generates 16bit string
1129         https://bugs.webkit.org/show_bug.cgi?id=194466
1130
1131         Reviewed by Keith Miller.
1132
1133         * stress/string-from-char-code-slow-path.js: Added.
1134         (shouldBe):
1135         (testWithLength):
1136
1137 2019-02-08  Saam barati  <sbarati@apple.com>
1138
1139         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1140         https://bugs.webkit.org/show_bug.cgi?id=194334
1141         <rdar://problem/47844327>
1142
1143         Reviewed by Mark Lam.
1144
1145         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1146         (func):
1147
1148 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1149
1150         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1151         https://bugs.webkit.org/show_bug.cgi?id=194369
1152         <rdar://problem/47813087>
1153
1154         Reviewed by Saam Barati.
1155
1156         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1157         (A):
1158
1159 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1160
1161         [JSC] PrivateName to PublicName hash table is wasteful
1162         https://bugs.webkit.org/show_bug.cgi?id=194277
1163
1164         Reviewed by Michael Saboff.
1165
1166         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1167
1168         * ChakraCore.yaml:
1169
1170 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1171
1172         [ARM] Test running out of executable memory
1173         https://bugs.webkit.org/show_bug.cgi?id=194285
1174
1175         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1176         executable memory otherwise.
1177
1178         * stress/class-subclassing-function.js:
1179
1180 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1181
1182         when lowering AssertNotEmpty, create the value before creating the patchpoint
1183         https://bugs.webkit.org/show_bug.cgi?id=194231
1184
1185         Reviewed by Saam Barati.
1186
1187         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1188         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1189         So even tiny changes to this test can change the path code taken.
1190
1191         * stress/assert-not-empty.js: Added.
1192         (foo):
1193
1194 2019-02-01  Mark Lam  <mark.lam@apple.com>
1195
1196         Remove invalid assertion in DFG's compileDoubleRep().
1197         https://bugs.webkit.org/show_bug.cgi?id=194130
1198         <rdar://problem/47699474>
1199
1200         Reviewed by Saam Barati.
1201
1202         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1203
1204 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1205
1206         Import latest Test262 updates.
1207
1208         Rubber-stamped by Keith Miller.
1209
1210         * test262.yaml: Deleted.
1211         * test262/config.yaml:
1212         * test262/expectations.yaml:
1213         * test262/latest-changes-summary.txt:
1214         * test262/test/:
1215         * test262/test262-Revision.txt:
1216
1217 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1218
1219         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1220         https://bugs.webkit.org/show_bug.cgi?id=194050
1221         <rdar://problem/47595592>
1222
1223         Reviewed by Yusuke Suzuki.
1224
1225         * stress/object-keys-osr-exit.js: Added.
1226         (foo):
1227         (catch):
1228
1229 2019-01-29  Mark Lam  <mark.lam@apple.com>
1230
1231         ValueRecovery::recover() should purify NaN values it recovers.
1232         https://bugs.webkit.org/show_bug.cgi?id=193978
1233         <rdar://problem/47625488>
1234
1235         Reviewed by Saam Barati.
1236
1237         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1238
1239 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1240
1241         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1242         https://bugs.webkit.org/show_bug.cgi?id=193713
1243
1244         * stress/try-get-by-id-should-spill-registers-dfg.js:
1245         (let.f.createBuiltin):
1246
1247 2019-01-28  Mark Lam  <mark.lam@apple.com>
1248
1249         ToString node actually does GC.
1250         https://bugs.webkit.org/show_bug.cgi?id=193920
1251         <rdar://problem/46695900>
1252
1253         Reviewed by Yusuke Suzuki.
1254
1255         * stress/dfg-to-string-on-int-does-gc.js: Added.
1256         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1257         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1258
1259 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1260
1261         [JSC] NativeErrorConstructor should not have own IsoSubspace
1262         https://bugs.webkit.org/show_bug.cgi?id=193713
1263
1264         Reviewed by Saam Barati.
1265
1266         Remove @Error use.
1267
1268         * stress/try-get-by-id-should-spill-registers-dfg.js:
1269         (let.f.createBuiltin):
1270
1271 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1272
1273         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1274         https://bugs.webkit.org/show_bug.cgi?id=190693
1275
1276         Reviewed by Michael Saboff.
1277
1278         * stress/regress-190693.js: Added.
1279         (truth):
1280         (assert):
1281         (shouldThrowInvalidConstAssignment):
1282         (taz):
1283
1284 2019-01-24  Saam Barati  <sbarati@apple.com>
1285
1286         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1287         https://bugs.webkit.org/show_bug.cgi?id=193751
1288         <rdar://problem/47280215>
1289
1290         Reviewed by Michael Saboff.
1291
1292         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1293         (let.thing):
1294         (foo.let.hello):
1295         (foo):
1296
1297 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1298
1299         [JSC] Reenable baseline JIT on mips
1300         https://bugs.webkit.org/show_bug.cgi?id=192983
1301
1302         Reviewed by Mark Lam.
1303
1304         Added a new test for a case that was triggering a RELEASE_ASSERT when
1305         testing.
1306         Disable some slow tests that were already disabled for arm and x86.
1307
1308         * stress/json-parse-big-object.js: Added.
1309         * stress/new-largeish-contiguous-array-with-size.js:
1310         * stress/op_add.js:
1311         * stress/op_bitand.js:
1312         * stress/op_bitor.js:
1313         * stress/op_bitxor.js:
1314         * stress/op_lshift-ConstVar.js:
1315         * stress/op_lshift-VarConst.js:
1316         * stress/op_lshift-VarVar.js:
1317         * stress/op_mod-ConstVar.js:
1318         * stress/op_mod-VarConst.js:
1319         * stress/op_mod-VarVar.js:
1320         * stress/op_mul-ConstVar.js:
1321         * stress/op_mul-VarConst.js:
1322         * stress/op_mul-VarVar.js:
1323         * stress/op_rshift-ConstVar.js:
1324         * stress/op_rshift-VarConst.js:
1325         * stress/op_rshift-VarVar.js:
1326         * stress/op_sub-ConstVar.js:
1327         * stress/op_sub-VarConst.js:
1328         * stress/op_sub-VarVar.js:
1329         * stress/op_urshift-ConstVar.js:
1330         * stress/op_urshift-VarConst.js:
1331         * stress/op_urshift-VarVar.js:
1332         * stress/sampling-profiler-richards.js:
1333         * stress/spread-forward-call-varargs-stack-overflow.js:
1334
1335 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1336
1337         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1338         https://bugs.webkit.org/show_bug.cgi?id=193711
1339         <rdar://problem/47250262>
1340
1341         Reviewed by Saam Barati.
1342
1343         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1344         (shouldBe):
1345         (foo):
1346         (bar):
1347         (baz):
1348
1349 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1350
1351         Unreviewed, fix initial global lexical binding epoch
1352         https://bugs.webkit.org/show_bug.cgi?id=193603
1353         <rdar://problem/47380869>
1354
1355         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1356         (f1.f2.f3.f4):
1357         (f1.f2.f3):
1358         (f1.f2):
1359         (f1):
1360
1361 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1362
1363         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1364         https://bugs.webkit.org/show_bug.cgi?id=193709
1365         <rdar://problem/47363838>
1366
1367         Unreviewed, rollout to watch the tests.
1368
1369         * stress/object-tostring-changed-proto.js: Removed.
1370         * stress/object-tostring-changed.js: Removed.
1371         * stress/object-tostring-misc.js: Removed.
1372         * stress/object-tostring-other.js: Removed.
1373         * stress/object-tostring-untyped.js: Removed.
1374
1375 2019-01-22  Saam Barati  <sbarati@apple.com>
1376
1377         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1378
1379         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1380         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1381         (testUncheckedLessThanZero):
1382         (testUncheckedLessThanOrEqualZero):
1383         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1384         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1385
1386 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1387
1388         [JSC] Invalidate old scope operations using global lexical binding epoch
1389         https://bugs.webkit.org/show_bug.cgi?id=193603
1390         <rdar://problem/47380869>
1391
1392         Reviewed by Saam Barati.
1393
1394         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1395         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1396         (shouldThrow):
1397         (bar):
1398         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1399         (shouldBe):
1400         (get1):
1401         (get2):
1402         (get1If):
1403         (get2If):
1404         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1405         (shouldThrow):
1406         (foo):
1407
1408 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1409
1410         Unreviewed, roll out r240220 due to date-format-xparb regression
1411         https://bugs.webkit.org/show_bug.cgi?id=193603
1412
1413         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1414         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1415         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1416         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1417
1418 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1419
1420         DoesGC rule is wrong for nodes with BigIntUse
1421         https://bugs.webkit.org/show_bug.cgi?id=193652
1422
1423         Reviewed by Saam Barati.
1424
1425         * stress/big-int-value-op-update-gc-rules.js: Added.
1426         (assert):
1427         (doesGCAdd):
1428         (doesGCSub):
1429         (doesGCDiv):
1430         (doesGCMul):
1431         (doesGCBitAnd):
1432         (doesGCBitOr):
1433         (doesGCBitXor):
1434
1435 2019-01-20  Saam Barati  <sbarati@apple.com>
1436
1437         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1438         https://bugs.webkit.org/show_bug.cgi?id=193644
1439         <rdar://problem/46209745>
1440
1441         Reviewed by Yusuke Suzuki.
1442
1443         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1444         (foo):
1445         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1446         (foo):
1447         (bar):
1448
1449 2019-01-20  Saam Barati  <sbarati@apple.com>
1450
1451         MovHint must merge NodeBytecodeUsesAsValue for its child
1452         https://bugs.webkit.org/show_bug.cgi?id=186916
1453         <rdar://problem/41396612>
1454
1455         Reviewed by Yusuke Suzuki.
1456
1457         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1458         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1459
1460 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1461
1462         [JSC] Invalidate old scope operations using global lexical binding epoch
1463         https://bugs.webkit.org/show_bug.cgi?id=193603
1464         <rdar://problem/47380869>
1465
1466         Reviewed by Saam Barati.
1467
1468         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1469         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1470         (shouldThrow):
1471         (bar):
1472         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1473         (shouldBe):
1474         (get1):
1475         (get2):
1476         (get1If):
1477         (get2If):
1478         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1479         (shouldThrow):
1480         (foo):
1481
1482 2019-01-17  Saam barati  <sbarati@apple.com>
1483
1484         StringObjectUse should not be a structure check for the original string object structure
1485         https://bugs.webkit.org/show_bug.cgi?id=193483
1486         <rdar://problem/47280522>
1487
1488         Reviewed by Yusuke Suzuki.
1489
1490         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1491         (foo):
1492         (a.valueOf.0):
1493
1494 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1495
1496         [JSC] ToThis omission in DFGByteCodeParser is wrong
1497         https://bugs.webkit.org/show_bug.cgi?id=193513
1498         <rdar://problem/45842236>
1499
1500         Reviewed by Saam Barati.
1501
1502         * stress/to-this-omission-with-different-strict-modes.js: Added.
1503         (thisA):
1504         (thisAStrictWrapper):
1505
1506 2019-01-15  Mark Lam  <mark.lam@apple.com>
1507
1508         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1509         https://bugs.webkit.org/show_bug.cgi?id=193423
1510         <rdar://problem/46209355>
1511
1512         Reviewed by Saam Barati.
1513
1514         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1515         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1516         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1517         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1518
1519 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1520
1521         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1522         https://bugs.webkit.org/show_bug.cgi?id=193438
1523         <rdar://problem/45581249>
1524
1525         Reviewed by Saam Barati and Keith Miller.
1526
1527         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1528         Then, GetByVal(String) crashed.
1529
1530         * stress/string-get-by-val-lowering.js: Added.
1531         (shouldBe):
1532         (test):
1533         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1534         (Hello):
1535         (foo):
1536
1537 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1538
1539         Unreviewed, skip JIT tests if it's not enabled
1540
1541         * stress/bit-op-with-object-returning-int32.js:
1542
1543 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1544
1545         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1546         https://bugs.webkit.org/show_bug.cgi?id=192966
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         * stress/bit-op-with-object-returning-int32.js: Added.
1551
1552 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1553
1554         Skip a slow test and a flakey test on arm
1555
1556         Unreviewed gardening.
1557
1558         * typeProfiler/getter-richards.js:
1559         this test always times out, it used to be always skipped on arm and
1560         mips, but got accidentally enabled by r237919 now that we have DFG on
1561         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1562
1563 2019-01-14  Keith Miller  <keith_miller@apple.com>
1564
1565         Skip type-check-hoisting-phase-hoist... with no jit
1566         https://bugs.webkit.org/show_bug.cgi?id=193421
1567
1568         Reviewed by Mark Lam.
1569
1570         It's timing out the 32-bit bots and takes 330 seconds
1571         on my machine when run by itself.
1572
1573         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1574
1575 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1576
1577         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1578         https://bugs.webkit.org/show_bug.cgi?id=193413
1579         <rdar://problem/46092389>
1580
1581         Reviewed by Keith Miller.
1582
1583         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1584         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1585         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1586         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1587
1588         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1589         (compareArray):
1590
1591 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1592
1593         [BigInt] Literal parsing is crashing when used inside a Object Literal
1594         https://bugs.webkit.org/show_bug.cgi?id=193404
1595
1596         Reviewed by Yusuke Suzuki.
1597
1598         * stress/big-int-literal-inside-literal-object.js: Added.
1599
1600 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1601
1602         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1603         https://bugs.webkit.org/show_bug.cgi?id=193372
1604
1605         Reviewed by Saam Barati.
1606
1607         * stress/typed-array-array-modes-profile.js: Added.
1608         (foo):
1609
1610 2019-01-14  Mark Lam  <mark.lam@apple.com>
1611
1612         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1613         https://bugs.webkit.org/show_bug.cgi?id=193402
1614         <rdar://problem/46012309>
1615
1616         Reviewed by Keith Miller.
1617
1618         * stress/regexp-compile-oom.js:
1619         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1620           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1621
1622 2019-01-11  Saam barati  <sbarati@apple.com>
1623
1624         DFG combined liveness can be wrong for terminal basic blocks
1625         https://bugs.webkit.org/show_bug.cgi?id=193304
1626         <rdar://problem/45268632>
1627
1628         Reviewed by Yusuke Suzuki.
1629
1630         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1631
1632 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1633
1634         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1635         https://bugs.webkit.org/show_bug.cgi?id=193308
1636         <rdar://problem/45546542>
1637
1638         Reviewed by Saam Barati.
1639
1640         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1641         (shouldThrow):
1642         (shouldBe):
1643         (foo):
1644         (get shouldThrow):
1645         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1646         (shouldThrow):
1647         (shouldBe):
1648         (foo):
1649         (get shouldBe):
1650         (get shouldThrow):
1651         (get return):
1652         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1653         (shouldThrow):
1654         (shouldBe):
1655         (foo):
1656         (get shouldBe):
1657         (get shouldThrow):
1658         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1659         (shouldThrow):
1660         (shouldBe):
1661         (foo):
1662         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1663         (shouldThrow):
1664         (shouldBe):
1665         (foo):
1666         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1667         (shouldThrow):
1668         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1669         (shouldThrow):
1670         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1671         (shouldThrow):
1672         (shouldBe):
1673         (foo):
1674         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1675         (shouldThrow):
1676         (shouldBe):
1677         (foo):
1678         (get shouldBe):
1679         (get shouldThrow):
1680         (get return):
1681         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1682         (shouldThrow):
1683         (shouldBe):
1684         (foo):
1685         (get shouldBe):
1686         (get shouldThrow):
1687         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1688         (shouldThrow):
1689         (shouldBe):
1690         (foo):
1691         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1692         (shouldThrow):
1693         (shouldBe):
1694         (foo):
1695
1696 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1697
1698         Enable DFG on ARM/Linux again
1699         https://bugs.webkit.org/show_bug.cgi?id=192496
1700
1701         Reviewed by Yusuke Suzuki.
1702
1703         Test wasn't really skipped before moving the line with skip
1704         to the top.
1705
1706         * stress/regress-192717.js:
1707
1708 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1709
1710         Unreviewed, rolling out r239825.
1711         https://bugs.webkit.org/show_bug.cgi?id=193330
1712
1713         Broke tests on armv7/linux bots (Requested by guijemont on
1714         #webkit).
1715
1716         Reverted changeset:
1717
1718         "Enable DFG on ARM/Linux again"
1719         https://bugs.webkit.org/show_bug.cgi?id=192496
1720         https://trac.webkit.org/changeset/239825
1721
1722 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1723
1724         Enable DFG on ARM/Linux again
1725         https://bugs.webkit.org/show_bug.cgi?id=192496
1726
1727         Reviewed by Yusuke Suzuki.
1728
1729         Test wasn't really skipped before moving the line with skip
1730         to the top.
1731
1732         * stress/regress-192717.js:
1733
1734 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1735
1736         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1737         https://bugs.webkit.org/show_bug.cgi?id=193127
1738
1739         Reviewed by Saam Barati.
1740
1741         * stress/array-species-create-should-handle-masquerader.js: Added.
1742         (shouldThrow):
1743         * stress/is-undefined-or-null-builtin.js: Added.
1744         (shouldBe):
1745         (isUndefinedOrNull.vm.createBuiltin):
1746
1747 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1748
1749         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1750         https://bugs.webkit.org/show_bug.cgi?id=193221
1751
1752         Reviewed by Mark Lam.
1753
1754         * stress/put-by-id-flags.js: Added.
1755         (f):
1756         (g):
1757         (numberOfDFGCompiles):
1758
1759 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1760
1761         Baseline version of get_by_id may corrupt metadata
1762         https://bugs.webkit.org/show_bug.cgi?id=193085
1763         <rdar://problem/23453006>
1764
1765         Reviewed by Saam Barati.
1766
1767         * stress/get-by-id-change-mode.js: Added.
1768         (forEach):
1769
1770 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1771
1772         [JSC] Optimize Object.prototype.toString
1773         https://bugs.webkit.org/show_bug.cgi?id=193031
1774
1775         Reviewed by Saam Barati.
1776
1777         * stress/object-tostring-changed-proto.js: Added.
1778         (shouldBe):
1779         (test):
1780         * stress/object-tostring-changed.js: Added.
1781         (shouldBe):
1782         (test):
1783         * stress/object-tostring-misc.js: Added.
1784         (shouldBe):
1785         (test):
1786         (i.switch):
1787         * stress/object-tostring-other.js: Added.
1788         (shouldBe):
1789         (test):
1790         * stress/object-tostring-untyped.js: Added.
1791         (shouldBe):
1792         (test):
1793         (i.switch):
1794
1795 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1796
1797         test262-runner misbehaves when test file YAML has a trailing space
1798         https://bugs.webkit.org/show_bug.cgi?id=193053
1799
1800         Reviewed by Yusuke Suzuki.
1801
1802         * test262/expectations.yaml:
1803         Mark two dozen tests as passing (and correct the output of another).
1804
1805 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1806
1807         Unreviewed, JSTests gardening with memoryLimited
1808
1809         * stress/string-overflow-createError.js:
1810
1811 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1812
1813         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1814         https://bugs.webkit.org/show_bug.cgi?id=193050
1815
1816         Reviewed by Yusuke Suzuki.
1817
1818         * test262.yaml:
1819         * test262/expectations.yaml:
1820         Mark 16 tests as passing.
1821
1822 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1823
1824         [BigInt] Support BigInt in JSON.stringify
1825         https://bugs.webkit.org/show_bug.cgi?id=192624
1826
1827         Reviewed by Saam Barati.
1828
1829         * stress/big-int-json-stringify-to-json.js: Added.
1830         (shouldBe):
1831         (shouldThrow):
1832         (BigInt.prototype.toJSON):
1833         (shouldBe.JSON.stringify):
1834         * stress/big-int-json-stringify.js: Added.
1835         (shouldBe):
1836         (shouldThrow):
1837
1838 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1839
1840         [JSC] Implement "well-formed JSON.stringify" proposal
1841         https://bugs.webkit.org/show_bug.cgi?id=191677
1842
1843         Reviewed by Darin Adler.
1844
1845         * stress/json-surrogate-pair.js: Added.
1846         (shouldBe):
1847         * test262/expectations.yaml:
1848
1849 2018-12-20  Keith Miller  <keith_miller@apple.com>
1850
1851         Add support for globalThis
1852         https://bugs.webkit.org/show_bug.cgi?id=165171
1853
1854         Reviewed by Mark Lam.
1855
1856         * test262/config.yaml:
1857
1858 2018-12-19  Keith Miller  <keith_miller@apple.com>
1859
1860         Update test262 configuration to not run tests dependent on ICU version.
1861         https://bugs.webkit.org/show_bug.cgi?id=192920
1862
1863         Reviewed by Saam Barati.
1864
1865         * test262/expectations.yaml:
1866
1867 2018-12-20  Mark Lam  <mark.lam@apple.com>
1868
1869         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1870         https://bugs.webkit.org/show_bug.cgi?id=192939
1871         <rdar://problem/46869516>
1872
1873         Reviewed by Keith Miller.
1874
1875         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1876
1877 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1878
1879         WTF::String and StringImpl overflow MaxLength
1880         https://bugs.webkit.org/show_bug.cgi?id=192853
1881         <rdar://problem/45726906>
1882
1883         Reviewed by Mark Lam.
1884
1885         * stress/string-16bit-repeat-overflow.js: Added.
1886         (catch):
1887
1888 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1889
1890         Unreviewed follow-up to r192914.
1891
1892         * test262/expectations.yaml:
1893         Add the last 20 missing expectations.
1894
1895 2018-12-19  Keith Miller  <keith_miller@apple.com>
1896
1897         Fix test262 expectations
1898         https://bugs.webkit.org/show_bug.cgi?id=192914
1899
1900         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1901
1902         * test262/expectations.yaml:
1903
1904 2018-12-19  Keith Miller  <keith_miller@apple.com>
1905
1906         Update test262 tests.
1907         https://bugs.webkit.org/show_bug.cgi?id=192907
1908
1909         Rubber stamped by Mark Lam.
1910
1911         * test262/*: Omitted because prepare-changelog crashes.
1912
1913 2018-12-19  Mark Lam  <mark.lam@apple.com>
1914
1915         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1916         https://bugs.webkit.org/show_bug.cgi?id=192464
1917         <rdar://problem/46519455>
1918
1919         Reviewed by Saam Barati.
1920
1921         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1922         microbenchmark.
1923
1924         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1925         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1926
1927 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1928
1929         String overflow in JSC::createError results in ASSERT in WTF::makeString
1930         https://bugs.webkit.org/show_bug.cgi?id=192833
1931         <rdar://problem/45706868>
1932
1933         Reviewed by Mark Lam.
1934
1935         * stress/string-overflow-createError.js: Added.
1936
1937 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1938
1939         Error message for `-x ** y` contains a typo.
1940         https://bugs.webkit.org/show_bug.cgi?id=192832
1941
1942         Reviewed by Saam Barati.
1943
1944         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1945         (assert.assert.return.throws):
1946         * stress/pow-expects-update-expression-on-lhs.js:
1947         (throw.new.Error):
1948         Update test expectations which match against the exact error message.
1949
1950 2018-12-18  Mark Lam  <mark.lam@apple.com>
1951
1952         Gardening: test options fix.
1953         https://bugs.webkit.org/show_bug.cgi?id=192822
1954
1955         Unreviewed.
1956
1957         * stress/json-stringify-string-builder-overflow.js:
1958
1959 2018-12-18  Mark Lam  <mark.lam@apple.com>
1960
1961         JSON.stringify() should throw OOM on StringBuilder overflows.
1962         https://bugs.webkit.org/show_bug.cgi?id=192822
1963         <rdar://problem/46670577>
1964
1965         Reviewed by Saam Barati.
1966
1967         * stress/json-stringify-string-builder-overflow.js: Added.
1968
1969 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1970
1971         Redeclaration of var over let/const/class should be a syntax error.
1972         https://bugs.webkit.org/show_bug.cgi?id=192298
1973
1974         Reviewed by Keith Miller.
1975
1976         * test262.yaml:
1977         * test262/expectations.yaml:
1978         Mark 46 tests as passing.
1979
1980         * stress/block-scope-redeclarations.js:
1981         Add some new tests.
1982
1983         * stress/for-in-invalidate-context-weird-assignments.js:
1984         * stress/for-in-tests.js:
1985         Replace tests for outdated behavior with tests for SyntaxError.
1986
1987         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1988         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1989         Update expectations.
1990
1991 2018-12-18  Mark Lam  <mark.lam@apple.com>
1992
1993         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1994         https://bugs.webkit.org/show_bug.cgi?id=191374
1995         <rdar://problem/46525447>
1996
1997         Reviewed by Yusuke Suzuki.
1998
1999         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2000
2001         * stress/elidable-new-object-roflcopter-then-exit.js:
2002
2003 2018-12-17  Mark Lam  <mark.lam@apple.com>
2004
2005         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2006         https://bugs.webkit.org/show_bug.cgi?id=192019
2007         <rdar://problem/46525456>
2008
2009         Reviewed by Yusuke Suzuki.
2010
2011         The test runs too slow on 32-bit.
2012
2013         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2014
2015 2018-12-17  Mark Lam  <mark.lam@apple.com>
2016
2017         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2018         https://bugs.webkit.org/show_bug.cgi?id=191373
2019         <rdar://problem/46525458>
2020
2021         Reviewed by Yusuke Suzuki.
2022
2023         The test is already slow running with a JIT on 64-bit.  It will always time out
2024         on 32-bit without a JIT.
2025
2026         * stress/materialize-regexp-cyclic-regexp.js:
2027
2028 2018-12-17  Mark Lam  <mark.lam@apple.com>
2029
2030         Array unshift/shift should not race against the AI in the compiler thread.
2031         https://bugs.webkit.org/show_bug.cgi?id=192795
2032         <rdar://problem/46724263>
2033
2034         Reviewed by Saam Barati.
2035
2036         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2037
2038 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2039
2040         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2041         https://bugs.webkit.org/show_bug.cgi?id=190047
2042
2043         Reviewed by Saam Barati.
2044
2045         * stress/object-keys-cached-zero.js: Added.
2046         (shouldBe):
2047         (test):
2048         * stress/object-keys-changed-attribute.js: Added.
2049         (shouldBe):
2050         (test):
2051         * stress/object-keys-changed-index.js: Added.
2052         (shouldBe):
2053         (test):
2054         * stress/object-keys-changed.js: Added.
2055         (shouldBe):
2056         (test):
2057         * stress/object-keys-indexed-non-cache.js: Added.
2058         (shouldBe):
2059         (test):
2060         * stress/object-keys-overrides-get-property-names.js: Added.
2061         (shouldBe):
2062         (test):
2063         (noInline):
2064
2065 2018-12-17  Mark Lam  <mark.lam@apple.com>
2066
2067         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2068         https://bugs.webkit.org/show_bug.cgi?id=192779
2069         <rdar://problem/46775869>
2070
2071         Reviewed by Saam Barati.
2072
2073         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2074
2075 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2076
2077         Unreviewed test gardening, address a syntax error in a new test.
2078
2079         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2080
2081 2018-12-17  Mark Lam  <mark.lam@apple.com>
2082
2083         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2084         https://bugs.webkit.org/show_bug.cgi?id=192776
2085         <rdar://problem/46772368>
2086
2087         Reviewed by Keith Miller.
2088
2089         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2090
2091 2018-12-17  Mark Lam  <mark.lam@apple.com>
2092
2093         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2094         https://bugs.webkit.org/show_bug.cgi?id=192770
2095         <rdar://problem/46449037>
2096
2097         Reviewed by Keith Miller.
2098
2099         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2100
2101 2018-12-14  Mark Lam  <mark.lam@apple.com>
2102
2103         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2104         https://bugs.webkit.org/show_bug.cgi?id=192717
2105         <rdar://problem/46660677>
2106
2107         Reviewed by Saam Barati.
2108
2109         * stress/regress-192717.js: Added.
2110
2111 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2112
2113         Unreviewed, rolling out r239153, r239154, and r239155.
2114         https://bugs.webkit.org/show_bug.cgi?id=192715
2115
2116         Caused flaky GC-related crashes seen with layout tests
2117         (Requested by ryanhaddad on #webkit).
2118
2119         Reverted changesets:
2120
2121         "[JSC] Optimize Object.keys by caching own keys results in
2122         StructureRareData"
2123         https://bugs.webkit.org/show_bug.cgi?id=190047
2124         https://trac.webkit.org/changeset/239153
2125
2126         "Unreviewed, build fix after r239153"
2127         https://bugs.webkit.org/show_bug.cgi?id=190047
2128         https://trac.webkit.org/changeset/239154
2129
2130         "Unreviewed, build fix after r239153, part 2"
2131         https://bugs.webkit.org/show_bug.cgi?id=190047
2132         https://trac.webkit.org/changeset/239155
2133
2134 2018-12-14  Keith Miller  <keith_miller@apple.com>
2135
2136         Callers of JSString::getIndex should check for OOM exceptions
2137         https://bugs.webkit.org/show_bug.cgi?id=192709
2138
2139         Reviewed by Mark Lam.
2140
2141         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2142
2143 2018-12-13  Mark Lam  <mark.lam@apple.com>
2144
2145         Add a missing exception check.
2146         https://bugs.webkit.org/show_bug.cgi?id=192626
2147         <rdar://problem/46662163>
2148
2149         Reviewed by Keith Miller.
2150
2151         * stress/regress-192626.js: Added.
2152
2153 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2154
2155         [BigInt] Add ValueDiv into DFG
2156         https://bugs.webkit.org/show_bug.cgi?id=186178
2157
2158         Reviewed by Yusuke Suzuki.
2159
2160         * stress/big-int-div-jit-osr.js: Added.
2161         * stress/big-int-div-jit-untyped.js: Added.
2162         * stress/value-div-fixup-int32-big-int.js: Added.
2163
2164 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2165
2166         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2167         https://bugs.webkit.org/show_bug.cgi?id=190047
2168
2169         Reviewed by Keith Miller.
2170
2171         * stress/object-keys-cached-zero.js: Added.
2172         (shouldBe):
2173         (test):
2174         * stress/object-keys-changed-attribute.js: Added.
2175         (shouldBe):
2176         (test):
2177         * stress/object-keys-changed-index.js: Added.
2178         (shouldBe):
2179         (test):
2180         * stress/object-keys-changed.js: Added.
2181         (shouldBe):
2182         (test):
2183         * stress/object-keys-indexed-non-cache.js: Added.
2184         (shouldBe):
2185         (test):
2186         * stress/object-keys-overrides-get-property-names.js: Added.
2187         (shouldBe):
2188         (test):
2189         (noInline):
2190
2191 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2192
2193         [DFG][FTL] Add NewSymbol
2194         https://bugs.webkit.org/show_bug.cgi?id=192620
2195
2196         Reviewed by Saam Barati.
2197
2198         * microbenchmarks/symbol-creation.js: Added.
2199         (test):
2200         * stress/symbol-description-identity.js: Added.
2201         (shouldBe):
2202         (test):
2203         * stress/symbol-identity.js: Added.
2204         (shouldBe):
2205         (test):
2206         * stress/symbol-with-description-throw-error.js: Added.
2207         (shouldBe):
2208         (shouldThrow):
2209         (test):
2210         (object.toString):
2211
2212 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2213
2214         [BigInt] Implement DFG/FTL typeof for BigInt
2215         https://bugs.webkit.org/show_bug.cgi?id=192619
2216
2217         Reviewed by Keith Miller.
2218
2219         * stress/big-int-boolean-proven-type.js: Added.
2220         (assert):
2221         (bool):
2222         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2223         (assert):
2224         (typeOf):
2225         (i.switch):
2226         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2227         (assert):
2228         (typeOf):
2229         * stress/big-int-type-of.js:
2230         (typeOf):
2231         (func):
2232
2233 2018-12-10  Mark Lam  <mark.lam@apple.com>
2234
2235         PropertyAttribute needs a CustomValue bit.
2236         https://bugs.webkit.org/show_bug.cgi?id=191993
2237         <rdar://problem/46264467>
2238
2239         Reviewed by Saam Barati.
2240
2241         * stress/regress-191993.js: Added.
2242
2243 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2244
2245         [BigInt] Add ValueMul into DFG
2246         https://bugs.webkit.org/show_bug.cgi?id=186175
2247
2248         Reviewed by Yusuke Suzuki.
2249
2250         * stress/big-int-mul-jit-osr.js: Added.
2251         * stress/big-int-mul-jit-untyped.js: Added.
2252         * stress/value-mul-fixup-int32-big-int.js: Added.
2253
2254 2018-12-06  Keith Miller  <keith_miller@apple.com>
2255
2256         stress/big-wasm-memory tests failing on 32-bit JSC bot
2257         https://bugs.webkit.org/show_bug.cgi?id=192020
2258
2259         Reviewed by Saam Barati.
2260
2261         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2262         the wasm stress tests if the WebAssembly object does not exist.
2263
2264         * stress/big-wasm-memory-grow-no-max.js:
2265         (test.foo):
2266         (test):
2267         (foo): Deleted.
2268         (catch): Deleted.
2269         * stress/big-wasm-memory-grow.js:
2270         (test.foo):
2271         (test):
2272         (foo): Deleted.
2273         (catch): Deleted.
2274         * stress/big-wasm-memory.js:
2275         (test.foo):
2276         (test):
2277         (foo): Deleted.
2278         (catch): Deleted.
2279
2280 2018-12-05  Mark Lam  <mark.lam@apple.com>
2281
2282         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2283         https://bugs.webkit.org/show_bug.cgi?id=192441
2284         <rdar://problem/46480355>
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/regress-192441.js: Added.
2289
2290 2018-12-04  Mark Lam  <mark.lam@apple.com>
2291
2292         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2293         https://bugs.webkit.org/show_bug.cgi?id=192386
2294         <rdar://problem/46445516>
2295
2296         Reviewed by Saam Barati.
2297
2298         * stress/regress-192386.js: Added.
2299
2300 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2301
2302         [ESNext][BigInt] Support logic operations
2303         https://bugs.webkit.org/show_bug.cgi?id=179903
2304
2305         Reviewed by Yusuke Suzuki.
2306
2307         * stress/big-int-branch-usage.js: Added.
2308         * stress/big-int-logical-and.js: Added.
2309         * stress/big-int-logical-not.js: Added.
2310         * stress/big-int-logical-or.js: Added.
2311
2312 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2313
2314         Unreviewed, rolling out r238833.
2315
2316         Breaks macOS and iOS debug builds.
2317
2318         Reverted changeset:
2319
2320         "[ESNext][BigInt] Support logic operations"
2321         https://bugs.webkit.org/show_bug.cgi?id=179903
2322         https://trac.webkit.org/changeset/238833
2323
2324 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2325
2326         [ESNext][BigInt] Support logic operations
2327         https://bugs.webkit.org/show_bug.cgi?id=179903
2328
2329         Reviewed by Yusuke Suzuki.
2330
2331         * stress/big-int-branch-usage.js: Added.
2332         * stress/big-int-logical-and.js: Added.
2333         * stress/big-int-logical-not.js: Added.
2334         * stress/big-int-logical-or.js: Added.
2335
2336 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2337
2338         [ESNext][BigInt] Implement support for "<<" and ">>"
2339         https://bugs.webkit.org/show_bug.cgi?id=186233
2340
2341         Reviewed by Yusuke Suzuki.
2342
2343         * stress/big-int-left-shift-general.js: Added.
2344         * stress/big-int-left-shift-range-error.js: Added.
2345         * stress/big-int-left-shift-type-error.js: Added.
2346         * stress/big-int-left-shift-wrapped-value.js: Added.
2347         * stress/big-int-right-shift-general.js: Added.
2348         * stress/big-int-right-shift-type-error.js: Added.
2349         * stress/big-int-right-shift-wrapped-value.js: Added.
2350         * stress/left-shift-to-primitive-precedence.js: Added.
2351         * stress/right-shift-to-primitive-precedence.js: Added.
2352
2353 2018-11-30  Dean Jackson  <dino@apple.com>
2354
2355         Add first-class support for .mjs files in jsc binary
2356         https://bugs.webkit.org/show_bug.cgi?id=192190
2357         <rdar://problem/46375715>
2358
2359         Reviewed by Keith Miller.
2360
2361         * stress/simple-module.mjs: Added.
2362         * stress/simple-script.js: Added.
2363
2364 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2365
2366         [BigInt] Implement ValueBitXor into DFG
2367         https://bugs.webkit.org/show_bug.cgi?id=190264
2368
2369         Reviewed by Yusuke Suzuki.
2370
2371         * stress/big-int-bitwise-xor-jit.js: Added.
2372         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2373         * stress/big-int-bitwise-xor-untyped.js: Added.
2374
2375 2018-11-27  Saam barati  <sbarati@apple.com>
2376
2377         r238510 broke scopes of size zero
2378         https://bugs.webkit.org/show_bug.cgi?id=192033
2379         <rdar://problem/46281734>
2380
2381         Reviewed by Keith Miller.
2382
2383         * stress/r238510-bad-loop.js: Added.
2384         (foo):
2385
2386 2018-11-27  Mark Lam  <mark.lam@apple.com>
2387
2388         [Re-landing] NaNs read from Wasm code needs to be purified.
2389         https://bugs.webkit.org/show_bug.cgi?id=191056
2390         <rdar://problem/45660341>
2391
2392         Reviewed by Filip Pizlo.
2393
2394         * wasm/regress/regress-191056.js: Added.
2395
2396 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2397
2398         Unreviewed, rolling out r238509.
2399
2400         Causes JSC tests to fail on iOS.
2401
2402         Reverted changeset:
2403
2404         "NaNs read from Wasm code needs to be purified."
2405         https://bugs.webkit.org/show_bug.cgi?id=191056
2406         https://trac.webkit.org/changeset/238509
2407
2408 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2409
2410         Re-introduce op_bitnot
2411         https://bugs.webkit.org/show_bug.cgi?id=190923
2412
2413         Reviewed by Yusuke Suzuki.
2414
2415         * stress/bit-not-must-generate.js: Added.
2416         * stress/bitwise-not-no-int32.js: Added.
2417
2418 2018-11-26  Saam barati  <sbarati@apple.com>
2419
2420         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2421         https://bugs.webkit.org/show_bug.cgi?id=191956
2422         <rdar://problem/45665806>
2423
2424         Reviewed by Yusuke Suzuki.
2425
2426         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2427         (bar):
2428         (foo):
2429
2430 2018-11-26  Saam barati  <sbarati@apple.com>
2431
2432         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2433         https://bugs.webkit.org/show_bug.cgi?id=191958
2434         <rdar://problem/46221877>
2435
2436         Reviewed by Yusuke Suzuki.
2437
2438         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2439         (x):
2440         (foo):
2441
2442 2018-11-26  Mark Lam  <mark.lam@apple.com>
2443
2444         NaNs read from Wasm code needs to be purified.
2445         https://bugs.webkit.org/show_bug.cgi?id=191056
2446         <rdar://problem/45660341>
2447
2448         Reviewed by Filip Pizlo.
2449
2450         * wasm/regress/regress-191056.js: Added.
2451
2452 2018-11-26  Michael Saboff  <msaboff@apple.com>
2453
2454         32-bit JSC test failure: stress/regexp-compile-oom.js
2455         https://bugs.webkit.org/show_bug.cgi?id=191375
2456
2457         Reviewed by Mark Lam.
2458
2459         Disabled the test for 32 bit platforms.
2460
2461         * stress/regexp-compile-oom.js:
2462
2463 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2464
2465         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2466         https://bugs.webkit.org/show_bug.cgi?id=191716
2467         <rdar://problem/45723878>
2468
2469         Reviewed by Saam Barati.
2470
2471         * stress/regress-187373.js: Added.
2472         (async.fn):
2473
2474 2018-11-21  Saam barati  <sbarati@apple.com>
2475
2476         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2477         https://bugs.webkit.org/show_bug.cgi?id=191897
2478         <rdar://problem/45871998>
2479
2480         Reviewed by Mark Lam.
2481
2482         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2483         (bar):
2484         (foo):
2485
2486 2018-11-21  Saam barati  <sbarati@apple.com>
2487
2488         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2489         https://bugs.webkit.org/show_bug.cgi?id=191895
2490         <rdar://problem/46167406>
2491
2492         Reviewed by Mark Lam.
2493
2494         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2495         (foo):
2496         (bar):
2497
2498 2018-11-21  Mark Lam  <mark.lam@apple.com>
2499
2500         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2501         https://bugs.webkit.org/show_bug.cgi?id=191776
2502         <rdar://problem/46152851>
2503
2504         Reviewed by Saam Barati.
2505
2506         * stress/big-wasm-memory-grow-no-max.js:
2507         * stress/big-wasm-memory-grow.js:
2508         * stress/big-wasm-memory.js:
2509         - updated these to expect an OutOfMemoryError.
2510
2511         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2512         (Binary.prototype.emit_u8):
2513         (Binary.prototype.emit_u32v):
2514         (Binary.prototype.emit_header):
2515         (Binary.prototype.emit_section):
2516         (Binary):
2517         (WasmModuleBuilder):
2518         (WasmModuleBuilder.prototype.addMemory):
2519         (WasmModuleBuilder.prototype.toArray):
2520         (WasmModuleBuilder.prototype.toBuffer):
2521         (WasmModuleBuilder.prototype.instantiate):
2522         (catch):
2523         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2524         (catch):
2525
2526 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2527
2528         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2529         https://bugs.webkit.org/show_bug.cgi?id=190836
2530
2531         Reviewed by Saam Barati and Yusuke Suzuki.
2532
2533         * stress/big-int-out-of-memory-tests.js: Added.
2534
2535 2018-11-20  Mark Lam  <mark.lam@apple.com>
2536
2537         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2538         https://bugs.webkit.org/show_bug.cgi?id=191856
2539         <rdar://problem/46089992>
2540
2541         Reviewed by Yusuke Suzuki.
2542
2543         * stress/regress-191856.js: Added.
2544         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2545
2546 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2547
2548         Enable JIT on ARM/Linux
2549         https://bugs.webkit.org/show_bug.cgi?id=191548
2550
2551         Reviewed by Yusuke Suzuki.
2552
2553         Disable test on system with limited memory. Program was killed by
2554         the OS before the exception was thrown.
2555
2556         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2557
2558 2018-11-20  Saam barati  <sbarati@apple.com>
2559
2560         Merging an IC variant may lead to the IC status containing overlapping structure sets
2561         https://bugs.webkit.org/show_bug.cgi?id=191869
2562         <rdar://problem/45403453>
2563
2564         Reviewed by Mark Lam.
2565
2566         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2567
2568 2018-11-19  Mark Lam  <mark.lam@apple.com>
2569
2570         globalFuncImportModule() should return a promise when it clears exceptions.
2571         https://bugs.webkit.org/show_bug.cgi?id=191792
2572         <rdar://problem/46090763>
2573
2574         Reviewed by Michael Saboff.
2575
2576         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2577
2578 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2579
2580         Skip new memory-hungry tests on memory limited devices
2581
2582         Unreviewed gardening.
2583
2584         * stress/big-wasm-memory-grow-no-max.js:
2585         * stress/big-wasm-memory-grow.js:
2586         * stress/big-wasm-memory.js:
2587
2588 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2589
2590         Unreviewed, rolling in the rest of r237254
2591         https://bugs.webkit.org/show_bug.cgi?id=190340
2592
2593         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2594         * stress/function-cache-with-parameters-end-position.js: Added.
2595         (shouldBe):
2596         (shouldThrow):
2597         (i.anonymous):
2598         * stress/function-constructor-name.js: Added.
2599         (shouldBe):
2600         (GeneratorFunction):
2601         (AsyncFunction.async):
2602         (AsyncGeneratorFunction.async):
2603         (anonymous):
2604         (async.anonymous):
2605         * test262/expectations.yaml:
2606
2607 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2608
2609         All users of ArrayBuffer should agree on the same max size
2610         https://bugs.webkit.org/show_bug.cgi?id=191771
2611
2612         Reviewed by Mark Lam.
2613
2614         * stress/big-wasm-memory-grow-no-max.js: Added.
2615         (foo):
2616         (catch):
2617         * stress/big-wasm-memory-grow.js: Added.
2618         (foo):
2619         (catch):
2620         * stress/big-wasm-memory.js: Added.
2621         (foo):
2622         (catch):
2623
2624 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2625
2626         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2627         run for each JSC config since they're regression tests for runtime bugs.
2628
2629         * stress/json-stringified-overflow-2.js:
2630         * stress/json-stringified-overflow.js:
2631
2632 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2633
2634         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2635         config since they're regression tests for runtime bugs.
2636
2637         * stress/large-unshift-splice.js:
2638         * stress/regress-185888.js:
2639
2640 2018-11-16  Saam Barati  <sbarati@apple.com>
2641
2642         KnownCellUse should also have SpecCellCheck as its type filter
2643         https://bugs.webkit.org/show_bug.cgi?id=191729
2644         <rdar://problem/45872852>
2645
2646         Reviewed by Filip Pizlo.
2647
2648         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2649         (C):
2650
2651 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2652
2653         Fix assertion failure on BytecodeGenerator::recordOpcode
2654         https://bugs.webkit.org/show_bug.cgi?id=191724
2655         <rdar://problem/45724395>
2656
2657         Reviewed by Saam Barati.
2658
2659         * stress/regress-187373-2.js: Added.
2660         (foo):
2661
2662 2018-11-15  Mark Lam  <mark.lam@apple.com>
2663
2664         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2665         https://bugs.webkit.org/show_bug.cgi?id=191730
2666         <rdar://problem/46048517>
2667
2668         Reviewed by Saam Barati.
2669
2670         * stress/regress-187006.js: Removed.
2671           - this test is invalid because its sole purpose is to test for the non-spec
2672             compliant behavior that we just fixed.
2673
2674         * stress/regress-191730.js: Added.
2675
2676 2018-11-15  Mark Lam  <mark.lam@apple.com>
2677
2678         RegExp operations should not take fast path if lastIndex is not numeric.
2679         https://bugs.webkit.org/show_bug.cgi?id=191731
2680         <rdar://problem/46017305>
2681
2682         Reviewed by Saam Barati.
2683
2684         * stress/regress-191731.js: Added.
2685
2686 2018-11-13  Saam Barati  <sbarati@apple.com>
2687
2688         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2689         https://bugs.webkit.org/show_bug.cgi?id=191600
2690
2691         Reviewed by Mark Lam.
2692
2693         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2694         (foo):
2695         (test):
2696         (bar):
2697
2698 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2699
2700         Unreviewed, rolling out r238132.
2701
2702         The test added with this change is timing out on Debug JSC
2703         bots.
2704
2705         Reverted changeset:
2706
2707         "[BigInt] JSBigInt::createWithLength should throw when length
2708         is greater than JSBigInt::maxLength"
2709         https://bugs.webkit.org/show_bug.cgi?id=190836
2710         https://trac.webkit.org/changeset/238132
2711
2712 2018-11-13  Mark Lam  <mark.lam@apple.com>
2713
2714         Add OOM detection to StringPrototype's substituteBackreferences().
2715         https://bugs.webkit.org/show_bug.cgi?id=191563
2716         <rdar://problem/45720428>
2717
2718         Reviewed by Saam Barati.
2719
2720         * stress/regress-191563.js: Added.
2721
2722 2018-11-13  Mark Lam  <mark.lam@apple.com>
2723
2724         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2725         https://bugs.webkit.org/show_bug.cgi?id=191579
2726         <rdar://problem/45942472>
2727
2728         Reviewed by Saam Barati.
2729
2730         * stress/regress-191579.js: Added.
2731
2732 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2733
2734         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2735         https://bugs.webkit.org/show_bug.cgi?id=190836
2736
2737         Reviewed by Saam Barati.
2738
2739         * stress/big-int-out-of-memory-tests.js: Added.
2740
2741 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2742
2743         U+180E is no longer a whitespace character
2744         https://bugs.webkit.org/show_bug.cgi?id=191415
2745
2746         Reviewed by Saam Barati.
2747
2748         * ChakraCore/test/es5/regexSpace.baseline:
2749         * ChakraCore/test/es6/unicode_whitespace.js:
2750         Update tests to latest version.
2751         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2752
2753         * test262.yaml:
2754         * test262/config.yaml:
2755         * test262/expectations.yaml:
2756         Update expectations.
2757
2758 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2759
2760         [BigInt] Add support to BigInt into ValueAdd
2761         https://bugs.webkit.org/show_bug.cgi?id=186177
2762
2763         Reviewed by Keith Miller.
2764
2765         * stress/big-int-negate-jit.js:
2766         * stress/value-add-big-int-and-string.js: Added.
2767         * stress/value-add-big-int-prediction-propagation.js: Added.
2768         * stress/value-add-big-int-untyped.js: Added.
2769
2770 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2771
2772         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2773         https://bugs.webkit.org/show_bug.cgi?id=191184
2774
2775         Reviewed by Saam Barati.
2776
2777         Most tests were failing due to timeouts, since they are too slow to
2778         run on CLoop. The exceptions are:
2779
2780         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2781         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2782         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2783         to change the stack size since CLoop requires it to be page aligned.
2784
2785         * microbenchmarks/array-push-1.js:
2786         * microbenchmarks/array-push-2.js:
2787         * microbenchmarks/elidable-new-object-dag.js:
2788         * microbenchmarks/elidable-new-object-roflcopter.js:
2789         * microbenchmarks/elidable-new-object-tree.js:
2790         * microbenchmarks/getter-richards.js:
2791         * microbenchmarks/sinkable-new-object-dag.js:
2792         * microbenchmarks/string-concat-long-convert.js:
2793         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2794         * slowMicrobenchmarks/array-push-3.js:
2795         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2796         * slowMicrobenchmarks/spread-small-array.js:
2797         * slowMicrobenchmarks/undefined-property-access.js:
2798         * stress/activation-sink-default-value-tdz-error.js:
2799         * stress/activation-sink-default-value.js:
2800         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2801         * stress/activation-sink-osrexit-default-value.js:
2802         * stress/activation-sink-osrexit.js:
2803         * stress/activation-sink.js:
2804         * stress/allow-math-ic-b3-code-duplication.js:
2805         * stress/array-push-multiple-int32.js:
2806         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2807         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2808         * stress/arrowfunction-lexical-this-activation-sink.js:
2809         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2810         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2811         * stress/elide-new-object-dag-then-exit.js:
2812         * stress/materialize-regexp-cyclic.js:
2813         * stress/new-regex-inline.js:
2814         * stress/op_add.js:
2815         * stress/op_bitand.js:
2816         * stress/op_bitor.js:
2817         * stress/op_bitxor.js:
2818         * stress/op_div-ConstVar.js:
2819         * stress/op_div-VarConst.js:
2820         * stress/op_div-VarVar.js:
2821         * stress/op_lshift-ConstVar.js:
2822         * stress/op_lshift-VarConst.js:
2823         * stress/op_lshift-VarVar.js:
2824         * stress/op_mod-ConstVar.js:
2825         * stress/op_mod-VarConst.js:
2826         * stress/op_mod-VarVar.js:
2827         * stress/op_mul-ConstVar.js:
2828         * stress/op_mul-VarConst.js:
2829         * stress/op_mul-VarVar.js:
2830         * stress/op_rshift-ConstVar.js:
2831         * stress/op_rshift-VarConst.js:
2832         * stress/op_rshift-VarVar.js:
2833         * stress/op_sub-ConstVar.js:
2834         * stress/op_sub-VarConst.js:
2835         * stress/op_sub-VarVar.js:
2836         * stress/op_urshift-ConstVar.js:
2837         * stress/op_urshift-VarConst.js:
2838         * stress/op_urshift-VarVar.js:
2839         * stress/proxy-get-set-correct-receiver.js:
2840         * stress/regress-179562.js:
2841         * stress/rest-parameter-many-arguments.js:
2842         * stress/sampling-profiler-richards.js:
2843         * stress/splay-flash-access-1ms.js:
2844         * stress/tailCallForwardArguments.js:
2845         * stress/typed-array-get-by-val-profiling.js:
2846         * typeProfiler/getter-richards.js:
2847
2848 2018-11-06  Michael Saboff  <msaboff@apple.com>
2849
2850         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2851         https://bugs.webkit.org/show_bug.cgi?id=191271
2852
2853         Reviewed by Saam Barati.
2854
2855         Added more test cases and made all test cases run with the same deeply recursive stack
2856         instead of finding that same point for each test case.
2857
2858         * stress/regexp-compile-oom.js:
2859         (prototype.runTest):
2860         (recurseAndTest):
2861         (testList.push.new.TestAndExpectedException):
2862
2863 2018-11-05  Michael Saboff  <msaboff@apple.com>
2864
2865         Unreviewed build fix for linux.
2866
2867         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2868
2869 2018-11-02  Michael Saboff  <msaboff@apple.com>
2870
2871         Rolling in r237753 with unreviewed build fix.
2872
2873         Fixed issues with DECLARE_THROW_SCOPE placement.
2874
2875 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2876
2877         Unreviewed, rolling out r237753.
2878
2879         Introduced JSC test failures
2880
2881         Reverted changeset:
2882
2883         "Running out of stack space not properly handled in
2884         RegExp::compile() and its callers"
2885         https://bugs.webkit.org/show_bug.cgi?id=191206
2886         https://trac.webkit.org/changeset/237753
2887
2888 2018-11-02  Michael Saboff  <msaboff@apple.com>
2889
2890         Running out of stack space not properly handled in RegExp::compile() and its callers
2891         https://bugs.webkit.org/show_bug.cgi?id=191206
2892
2893         Reviewed by Filip Pizlo.
2894
2895         New regression test.
2896
2897         * stress/regexp-compile-oom.js: Added.
2898         (recurseAndTest):
2899
2900 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2901
2902         Skip tests on arm/mips that time out now we're running on CLoop
2903
2904         Unreviewed gardening.
2905
2906         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2907         time out on the bots and need to be disabled. There's more tests
2908         disabled on arm because the timeout is longer on the mips bot (as the
2909         device is slower to start with), so many of the tests don't time out
2910         there.
2911
2912         * microbenchmarks/getter-richards.js: disable on arm and mips.
2913         * stress/op_add.js: disable on arm.
2914         * stress/op_bitand.js: disable on arm.
2915         * stress/op_bitor.js: disable on arm.
2916         * stress/op_bitxor.js: disable on arm.
2917         * stress/op_lshift-ConstVar.js: disable on arm.
2918         * stress/op_lshift-VarConst.js: disable on arm.
2919         * stress/op_lshift-VarVar.js: disable on arm.
2920         * stress/op_mod-ConstVar.js: disable on arm.
2921         * stress/op_mod-VarConst.js: disable on arm.
2922         * stress/op_mod-VarVar.js: disable on arm.
2923         * stress/op_mul-ConstVar.js: disable on arm.
2924         * stress/op_mul-VarConst.js: disable on arm.
2925         * stress/op_mul-VarVar.js: disable on arm.
2926         * stress/op_rshift-ConstVar.js: disable on arm.
2927         * stress/op_rshift-VarConst.js: disable on arm.
2928         * stress/op_rshift-VarVar.js: disable on arm.
2929         * stress/op_sub-ConstVar.js: disable on arm.
2930         * stress/op_sub-VarConst.js: disable on arm.
2931         * stress/op_sub-VarVar.js: disable on arm.
2932         * stress/op_urshift-ConstVar.js: disable on arm.
2933         * stress/op_urshift-VarConst.js: disable on arm.
2934         * stress/op_urshift-VarVar.js: disable on arm.
2935         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2936         * stress/value-to-boolean.js: disable on arm and mips.
2937
2938 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2939
2940         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2941         https://bugs.webkit.org/show_bug.cgi?id=191108
2942         <rdar://problem/45690700>
2943
2944         Reviewed by Saam Barati.
2945
2946         * stress/wide-op_catch.js: Added.
2947         (catch):
2948
2949 2018-10-29  Mark Lam  <mark.lam@apple.com>
2950
2951         Correctly detect string overflow when using the 'Function' constructor.
2952         https://bugs.webkit.org/show_bug.cgi?id=184883
2953         <rdar://problem/36320331>
2954
2955         Reviewed by Saam Barati.
2956
2957         I've verified that this passes on 32-bit as well.
2958
2959         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2960
2961 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2962
2963         Add support for GetStack FlushedDouble
2964         https://bugs.webkit.org/show_bug.cgi?id=191012
2965         <rdar://problem/45265141>
2966
2967         Reviewed by Saam Barati.
2968
2969         * stress/get-stack-double.js: Added.
2970         (bar):
2971         (noInline):
2972
2973 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2974
2975         New bytecode format for JSC
2976         https://bugs.webkit.org/show_bug.cgi?id=187373
2977         <rdar://problem/44186758>
2978
2979         Reviewed by Filip Pizlo.
2980
2981         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2982
2983         * stress/maximum-inline-capacity.js: Added.
2984         (test1):
2985         (test3.Foo):
2986         (test3):
2987
2988 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2989
2990         Unreviewed, rolling out r237479 and r237484.
2991         https://bugs.webkit.org/show_bug.cgi?id=190978
2992
2993         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2994
2995         Reverted changesets:
2996
2997         "New bytecode format for JSC"
2998         https://bugs.webkit.org/show_bug.cgi?id=187373
2999         https://trac.webkit.org/changeset/237479
3000
3001         "Gardening: Build fix after r237479."
3002         https://bugs.webkit.org/show_bug.cgi?id=187373
3003         https://trac.webkit.org/changeset/237484
3004
3005 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3006
3007         New bytecode format for JSC
3008         https://bugs.webkit.org/show_bug.cgi?id=187373
3009         <rdar://problem/44186758>
3010
3011         Reviewed by Filip Pizlo.
3012
3013         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3014
3015         * stress/maximum-inline-capacity.js: Added.
3016         (test1):
3017         (test3.Foo):
3018         (test3):
3019
3020 2018-10-26  Mark Lam  <mark.lam@apple.com>
3021
3022         Fix missing edge cases with JSGlobalObjects having a bad time.
3023         https://bugs.webkit.org/show_bug.cgi?id=189028
3024         <rdar://problem/45204939>
3025
3026         Reviewed by Saam Barati.
3027
3028         * stress/regress-189028.js: Added.
3029
3030 2018-10-22  Mark Lam  <mark.lam@apple.com>
3031
3032         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3033         https://bugs.webkit.org/show_bug.cgi?id=190515
3034         <rdar://problem/45222379>
3035
3036         Rubber-stamped by Saam Barati.
3037
3038         Adding another test.
3039
3040         * stress/regress-190515-2.js: Added.
3041
3042 2018-10-22  Mark Lam  <mark.lam@apple.com>
3043
3044         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3045         https://bugs.webkit.org/show_bug.cgi?id=190515
3046         <rdar://problem/45222379>
3047
3048         Reviewed by Saam Barati.
3049
3050         * stress/regress-190515.js: Added.
3051
3052 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3053
3054         Unreviewed, rolling out r237254.
3055         https://bugs.webkit.org/show_bug.cgi?id=190760
3056
3057         "It regresses JetStream 2 by 5% on some iOS devices"
3058         (Requested by saamyjoon on #webkit).
3059
3060         Reverted changeset:
3061
3062         "[JSC] JSC should have "parseFunction" to optimize Function
3063         constructor"
3064         https://bugs.webkit.org/show_bug.cgi?id=190340
3065         https://trac.webkit.org/changeset/237254
3066
3067 2018-10-19  Saam Barati  <sbarati@apple.com>
3068
3069         vmCall should check if we exit before emitting an OSR exit due to exceptions
3070         https://bugs.webkit.org/show_bug.cgi?id=190740
3071         <rdar://problem/45220139>
3072
3073         Reviewed by Mark Lam.
3074
3075         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3076         (foo):
3077
3078 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3079
3080         [ESNext][BigInt] Implement support for "^"
3081         https://bugs.webkit.org/show_bug.cgi?id=186235
3082
3083         Reviewed by Yusuke Suzuki.
3084
3085         * stress/big-int-bitwise-xor-general.js: Added.
3086         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3087         * stress/big-int-bitwise-xor-type-error.js: Added.
3088         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3089
3090 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3091
3092         [BigInt] Add ValueSub into DFG
3093         https://bugs.webkit.org/show_bug.cgi?id=186176
3094
3095         Reviewed by Yusuke Suzuki.
3096
3097         * stress/big-int-subtraction-jit.js:
3098         * stress/value-sub-big-int-prediction-propagation.js: Added.
3099         * stress/value-sub-big-int-untyped.js: Added.
3100         * stress/value-sub-spec-none-case.js: Added.
3101
3102 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3103
3104         [JSC] JSC should have "parseFunction" to optimize Function constructor
3105         https://bugs.webkit.org/show_bug.cgi?id=190340
3106
3107         Reviewed by Mark Lam.
3108
3109         This patch fixes the line number of syntax errors raised by the Function constructor,
3110         since we now parse the final code only once. And we no longer use block statement
3111         for Function constructor's parsing.
3112
3113         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3114         * stress/function-cache-with-parameters-end-position.js: Added.
3115         (shouldBe):
3116         (shouldThrow):
3117         (i.anonymous):
3118         * stress/function-constructor-name.js: Added.
3119         (shouldBe):
3120         (GeneratorFunction):
3121         (AsyncFunction.async):
3122         (AsyncGeneratorFunction.async):
3123         (anonymous):
3124         (async.anonymous):
3125         * test262/expectations.yaml:
3126
3127 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3128
3129         Unreviewed, rolling out r237242.
3130         https://bugs.webkit.org/show_bug.cgi?id=190701
3131
3132         it breaks "stress/sampling-profiler-basic.js" (Requested by
3133         caiolima on #webkit).
3134
3135         Reverted changeset:
3136
3137         "[BigInt] Add ValueSub into DFG"
3138         https://bugs.webkit.org/show_bug.cgi?id=186176
3139         https://trac.webkit.org/changeset/237242
3140
3141 2018-10-17  Keith Miller  <keith_miller@apple.com>
3142
3143         AI does not clear Phantom allocation nodes.
3144         https://bugs.webkit.org/show_bug.cgi?id=190694
3145
3146         Reviewed by Saam Barati.
3147
3148         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3149         (Day):
3150         (DaysInYear):
3151         (TimeInYear):
3152         (TimeFromYear):
3153         (DayFromYear):
3154         (InLeapYear):
3155         (YearFromTime):
3156         (WeekDay):
3157         (DaylightSavingTA):
3158         (GetSecondSundayInMarch):
3159         (TimeInMonth):
3160
3161 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3162
3163         [BigInt] Add ValueSub into DFG
3164         https://bugs.webkit.org/show_bug.cgi?id=186176
3165
3166         Reviewed by Yusuke Suzuki.
3167
3168         * stress/big-int-subtraction-jit.js:
3169         * stress/value-sub-big-int-prediction-propagation.js: Added.
3170         * stress/value-sub-big-int-untyped.js: Added.
3171
3172 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3173
3174         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3175         https://bugs.webkit.org/show_bug.cgi?id=190611
3176
3177         Reviewed by Saam Barati.
3178
3179         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3180         to improve test runtime. On ARM/MIPS this test even timed out when running all
3181         tests.
3182
3183         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3184         (test):
3185
3186 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3187
3188         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3189
3190         Unreviewed gardening.
3191
3192         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3193
3194 2018-10-15  Saam barati  <sbarati@apple.com>
3195
3196         Emit fjcvtzs on ARM64E on Darwin
3197         https://bugs.webkit.org/show_bug.cgi?id=184023
3198
3199         Reviewed by Yusuke Suzuki and Filip Pizlo.
3200
3201         * stress/double-to-int32-NaN.js: Added.
3202         (assert):
3203         (foo):
3204
3205 2018-10-15  Saam Barati  <sbarati@apple.com>
3206
3207         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3208         https://bugs.webkit.org/show_bug.cgi?id=190262
3209         <rdar://problem/44986241>
3210
3211         Reviewed by Mark Lam.
3212
3213         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3214         (test):
3215         * stress/slice-array-storage-with-holes.js: Added.
3216         (main):
3217
3218 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3219
3220         Unreviewed, rolling out r237054.
3221         https://bugs.webkit.org/show_bug.cgi?id=190593
3222
3223         "this regressed JetStream 2 by 6% on iOS" (Requested by
3224         saamyjoon on #webkit).
3225
3226         Reverted changeset:
3227
3228         "[JSC] JSC should have "parseFunction" to optimize Function
3229         constructor"
3230         https://bugs.webkit.org/show_bug.cgi?id=190340
3231         https://trac.webkit.org/changeset/237054
3232
3233 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3234
3235         [JSC] JSON.stringify can accept call-with-no-arguments
3236         https://bugs.webkit.org/show_bug.cgi?id=190343
3237
3238         Reviewed by Mark Lam.
3239
3240         * stress/json-stringify-no-arguments.js: Added.
3241         (shouldBe):
3242
3243 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3244
3245         [JSC] JSC should have "parseFunction" to optimize Function constructor
3246         https://bugs.webkit.org/show_bug.cgi?id=190340
3247
3248         Reviewed by Mark Lam.
3249
3250         This patch fixes the line number of syntax errors raised by the Function constructor,
3251         since we now parse the final code only once. And we no longer use block statement
3252         for Function constructor's parsing.
3253
3254         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3255         * stress/function-cache-with-parameters-end-position.js: Added.
3256         (shouldBe):
3257         (shouldThrow):
3258         (i.anonymous):
3259         * stress/function-constructor-name.js: Added.
3260         (shouldBe):
3261         (GeneratorFunction):
3262         (AsyncFunction.async):
3263         (AsyncGeneratorFunction.async):
3264         (anonymous):
3265         (async.anonymous):
3266         * test262/expectations.yaml:
3267
3268 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3269
3270         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3271         https://bugs.webkit.org/show_bug.cgi?id=190426
3272
3273         Unreviewed gardening.
3274
3275         * stress/sampling-profiler-richards.js:
3276
3277 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3278
3279         [ESNext][BigInt] Implement support for "|"
3280         https://bugs.webkit.org/show_bug.cgi?id=186229
3281
3282         Reviewed by Yusuke Suzuki.
3283
3284         * stress/big-int-bitwise-and-jit.js:
3285         * stress/big-int-bitwise-or-general.js: Added.
3286         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3287         * stress/big-int-bitwise-or-jit.js: Added.
3288         * stress/big-int-bitwise-or-memory-stress.js: Added.
3289         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3290         * stress/big-int-bitwise-or-type-error.js: Added.
3291         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3292
3293 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3294
3295         Skip test on systems with limited memory
3296         https://bugs.webkit.org/show_bug.cgi?id=190310
3297
3298         Invoking runDefault adds test to runlist, skipping the test in the next
3299         line does not prevent the test from executing. Change order of lines such
3300         that runDefault is only executed if test is not executed.
3301
3302         Reviewed by Mark Lam.
3303
3304         * stress/regress-190187.js:
3305
3306 2018-10-03  Saam barati  <sbarati@apple.com>
3307
3308         lowXYZ in FTLLower should always filter the type of the incoming edge
3309         https://bugs.webkit.org/show_bug.cgi?id=189939
3310         <rdar://problem/44407030>
3311
3312         Reviewed by Michael Saboff.
3313
3314         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3315         (foo):
3316         (test):
3317
3318 2018-10-03  Mark Lam  <mark.lam@apple.com>
3319
3320         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3321         https://bugs.webkit.org/show_bug.cgi?id=190187
3322         <rdar://problem/42512909>
3323
3324         Reviewed by Michael Saboff.
3325
3326         * stress/regress-190187.js: Added.
3327
3328 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3329
3330         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3331         https://bugs.webkit.org/show_bug.cgi?id=190033
3332
3333         Reviewed by Yusuke Suzuki.
3334
3335         * stress/big-int-to-string.js:
3336
3337 2018-10-01  Mark Lam  <mark.lam@apple.com>
3338
3339         Function.toString() should also copy the source code for Functions that are class definitions.
3340         https://bugs.webkit.org/show_bug.cgi?id=190186
3341         <rdar://problem/44733360>
3342
3343         Reviewed by Saam Barati.
3344
3345         * stress/regress-190186.js: Added.
3346
3347 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3348
3349         Split NaN-check into separate test
3350         https://bugs.webkit.org/show_bug.cgi?id=190010
3351
3352         Reviewed by Saam Barati.
3353
3354         DataView exposes NaN-representation, which is not necessarily the same on each
3355         architecture. Therefore move the check of the NaN-representation into its own
3356         file such that we can disable this test on MIPS where NaN-representation can be
3357         different on older CPUs.
3358
3359         * stress/dataview-jit-set-nan.js: Added.
3360         (assert):
3361         (test.storeLittleEndian):
3362         (test.storeBigEndian):
3363         (test.store):
3364         (test):
3365         * stress/dataview-jit-set.js:
3366         (test5):
3367
3368 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3369
3370         Unreviewed, rolling out r236647.
3371         https://bugs.webkit.org/show_bug.cgi?id=190124
3372
3373         Breaking test stress/big-int-to-string.js (Requested by
3374         caiolima_ on #webkit).
3375
3376         Reverted changeset:
3377
3378         "[BigInt] BigInt.prototype.toString is broken when radix is
3379         power of 2"
3380         https://bugs.webkit.org/show_bug.cgi?id=190033
3381         https://trac.webkit.org/changeset/236647
3382
3383 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3384
3385         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3386         https://bugs.webkit.org/show_bug.cgi?id=190033
3387
3388         Reviewed by Yusuke Suzuki.
3389
3390         * stress/big-int-to-string.js:
3391
3392 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3393
3394         [ESNext][BigInt] Implement support for "&"
3395         https://bugs.webkit.org/show_bug.cgi?id=186228
3396
3397         Reviewed by Yusuke Suzuki.
3398
3399         * stress/big-int-bitwise-and-general.js: Added.
3400         (assert):
3401         (assert.sameValue):
3402         * stress/big-int-bitwise-and-jit.js: Added.
3403         (let.assert.sameValue):
3404         (bigIntBitAnd):
3405         * stress/big-int-bitwise-and-memory-stress.js: Added.
3406         (assert):
3407         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3408         (assert.sameValue):
3409         (let.o.Symbol.toPrimitive):
3410         (catch):
3411         * stress/big-int-bitwise-and-type-error.js: Added.
3412         (assert):
3413         (assertThrowTypeError):
3414         (let.o.valueOf):
3415         (o.valueOf):
3416         (o.toString):
3417         (o.Symbol.toPrimitive):
3418         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3419         (assert.sameValue):
3420         (testBitAnd):
3421         (let.o.Symbol.toPrimitive):
3422         (o.valueOf):
3423         (o.toString):
3424
3425 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3426
3427         JSC test stress/jsc-read.js doesn't support CRLF
3428         https://bugs.webkit.org/show_bug.cgi?id=190063
3429
3430         Reviewed by Yusuke Suzuki.
3431
3432         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3433
3434         * stress/jsc-read.js:
3435         (test):
3436
3437 2018-09-27  Saam barati  <sbarati@apple.com>
3438
3439         Verify the contents of AssemblerBuffer on arm64e
3440         https://bugs.webkit.org/show_bug.cgi?id=190057
3441         <rdar://problem/38916630>
3442
3443         Reviewed by Mark Lam.
3444
3445         * stress/regress-189132.js:
3446
3447 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3448
3449         Disable test without LLInt on ARMv7
3450         https://bugs.webkit.org/show_bug.cgi?id=190037
3451
3452         Reviewed by Mark Lam.
3453
3454         Test runs out of executable memory on ARMv7; do not run
3455         this test without LLInt enabled.
3456
3457         * stress/regress-169445.js:
3458
3459 2018-09-26  Keith Miller  <keith_miller@apple.com>
3460
3461         We should zero unused property storage when rebalancing array storage.
3462         https://bugs.webkit.org/show_bug.cgi?id=188151
3463
3464         Reviewed by Michael Saboff.
3465
3466         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3467
3468 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3469
3470         [JSC] Optimize Array#lastIndexOf
3471         https://bugs.webkit.org/show_bug.cgi?id=189780
3472
3473         Reviewed by Saam Barati.
3474
3475         * stress/array-lastindexof-array-prototype-trap.js: Added.
3476         (shouldBe):
3477         (AncestorArray.prototype.get 2):
3478         (AncestorArray):
3479         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3480         (shouldBe):
3481         * stress/array-lastindexof-hole-nan.js: Added.
3482         (shouldBe):
3483         (throw.new.Error):
3484         * stress/array-lastindexof-infinity.js: Added.
3485         (shouldBe):
3486         (throw.new.Error):
3487         * stress/array-lastindexof-negative-zero.js: Added.
3488         (shouldBe):
3489         (throw.new.Error):
3490         * stress/array-lastindexof-own-getter.js: Added.
3491         (shouldBe):
3492         (throw.new.Error.get array):
3493         (get array):
3494         * stress/array-lastindexof-prototype-trap.js: Added.
3495         (shouldBe):
3496         (DerivedArray.prototype.get 2):
3497         (DerivedArray):
3498
3499 2018-09-25  Saam Barati  <sbarati@apple.com>
3500
3501         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3502         https://bugs.webkit.org/show_bug.cgi?id=189940
3503         <rdar://problem/43640987>
3504
3505         Reviewed by Mark Lam.
3506
3507         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3508
3509 2018-09-24  Saam Barati  <sbarati@apple.com>
3510
3511         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3512         https://bugs.webkit.org/show_bug.cgi?id=189922
3513         <rdar://problem/44651275>
3514
3515         Reviewed by Mark Lam.
3516
3517         * stress/array-indexof-fast-path-effects.js: Added.
3518         * stress/array-indexof-cached-length.js: Added.
3519
3520 2018-09-24  Saam barati  <sbarati@apple.com>
3521
3522         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3523         https://bugs.webkit.org/show_bug.cgi?id=189682
3524         <rdar://problem/43557315>
3525
3526         Reviewed by Mark Lam.
3527
3528         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3529         (foo):
3530
3531 2018-09-22  Saam barati  <sbarati@apple.com>
3532
3533         The sampling should not use Strong<CodeBlock> in its machineLocation field
3534         https://bugs.webkit.org/show_bug.cgi?id=189319
3535
3536         Reviewed by Filip Pizlo.
3537
3538         * stress/sampling-profiler-richards.js: Added.
3539
3540 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3541
3542         [JSC] Optimize Array#indexOf in C++ runtime
3543         https://bugs.webkit.org/show_bug.cgi?id=189507
3544
3545         Reviewed by Saam Barati.
3546
3547         * stress/array-indexof-array-prototype-trap.js: Added.
3548         (shouldBe):
3549         (AncestorArray.prototype.get 2):
3550         (AncestorArray):
3551         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3552         (shouldBe):
3553         * stress/array-indexof-hole-nan.js: Added.
3554         (shouldBe):
3555         (throw.new.Error):
3556         * stress/array-indexof-infinity.js: Added.
3557         (shouldBe):
3558         (throw.new.Error):
3559         * stress/array-indexof-negative-zero.js: Added.
3560         (shouldBe):
3561         (throw.new.Error):
3562         * stress/array-indexof-own-getter.js: Added.
3563         (shouldBe):
3564         (throw.new.Error.get array):
3565         (get array):
3566         * stress/array-indexof-prototype-trap.js: Added.
3567         (shouldBe):
3568         (DerivedArray.prototype.get 2):
3569         (DerivedArray):
3570
3571 2018-09-19  Saam barati  <sbarati@apple.com>
3572
3573         AI rule for MultiPutByOffset executes its effects in the wrong order
3574         https://bugs.webkit.org/show_bug.cgi?id=189757
3575         <rdar://problem/43535257>
3576
3577         Reviewed by Michael Saboff.
3578
3579         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3580         (foo):
3581         (Foo):
3582         (g):
3583
3584 2018-09-17  Mark Lam  <mark.lam@apple.com>
3585
3586         Ensure that ForInContexts are invalidated if their loop local is over-written.
3587         https://bugs.webkit.org/show_bug.cgi?id=189571
3588         <rdar://problem/44402277>
3589
3590         Reviewed by Saam Barati.
3591
3592         * stress/regress-189571.js: Added.
3593
3594 2018-09-17  Saam barati  <sbarati@apple.com>
3595
3596         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3597         https://bugs.webkit.org/show_bug.cgi?id=189676
3598         <rdar://problem/39682897>
3599
3600         Reviewed by Michael Saboff.
3601
3602         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3603         (A):
3604         (K):
3605         (i.catch):
3606
3607 2018-09-14  Saam barati  <sbarati@apple.com>
3608
3609         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3610         https://bugs.webkit.org/show_bug.cgi?id=189628
3611         <rdar://problem/39481690>
3612
3613         Reviewed by Mark Lam.
3614
3615         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3616         (foo):
3617
3618 2018-09-11  Mark Lam  <mark.lam@apple.com>
3619
3620         Test for array initialization in arrayProtoFuncSplice.
3621         https://bugs.webkit.org/show_bug.cgi?id=170253
3622         <rdar://problem/31328773>
3623
3624         Rubber-stamped by Saam Barati.
3625
3626         * stress/regress-170253.js: Added.
3627
3628 2018-09-11  Mark Lam  <mark.lam@apple.com>
3629
3630         Test for IntlObject initialization.
3631         https://bugs.webkit.org/show_bug.cgi?id=170251
3632         <rdar://problem/31328419>
3633
3634         Rubber-stamped by Saam Barati.
3635
3636         * stress/regress-170251.js: Added.
3637
3638 2018-09-11  Mark Lam  <mark.lam@apple.com>
3639
3640         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3641         https://bugs.webkit.org/show_bug.cgi?id=169889
3642         <rdar://problem/31155607>
3643
3644         Reviewed by Saam Barati.
3645
3646         * stress/regress-169889-array-concat.js: Added.
3647         * stress/regress-169889-array-concat1.js: Added.
3648         * stress/regress-169889-array-slice.js: Added.
3649
3650 2018-09-11  Mark Lam  <mark.lam@apple.com>
3651
3652         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3653         https://bugs.webkit.org/show_bug.cgi?id=169445
3654         <rdar://problem/30957435>
3655
3656         Reviewed by Saam Barati.
3657
3658         * stress/regress-169445.js: Added.
3659         (let.gun.eval.A):
3660         (let.gun.eval.B.C):
3661         (let.gun.eval.B.C.prototype.trigger):
3662         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3663         (let.gun.eval.B):
3664         (let.gun.eval):
3665
3666 == Rolled over to ChangeLog-2018-09-11 ==