String overflow when using StringBuilder in JSC::createError
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
2
3         String overflow when using StringBuilder in JSC::createError
4         https://bugs.webkit.org/show_bug.cgi?id=194957
5
6         Reviewed by Mark Lam.
7
8         Add test string-overflow-createError-builder.js that overflows
9         StringBuilder in notAFunctionSourceAppender. The second new test
10         string-overflow-createError-fit.js has an error message that doesn't
11         overflow, it still failed since the String's capacity can't be doubled.
12         Run test string-overflow-createError.js only in the default
13         configuration to reduce memory consumption when running the test
14         in all configurations on multiple CPUs in parallel.
15
16         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
17         (catch):
18         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
19         (catch):
20         * stress/string-overflow-createError.js:
21
22 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
23
24         [JSC] OSR entry should respect abstract values in addition to flush formats
25         https://bugs.webkit.org/show_bug.cgi?id=195653
26
27         Reviewed by Mark Lam.
28
29         * stress/osr-entry-locals-none.js: Added.
30
31 2019-03-12  Michael Saboff  <msaboff@apple.com>
32
33         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
34         https://bugs.webkit.org/show_bug.cgi?id=195613
35
36         Reviewed by Mark Lam.
37
38         New regression test.
39
40         * stress/regexp-backref-inbounds.js: Added.
41         (testRegExp):
42
43 2019-03-12  Mark Lam  <mark.lam@apple.com>
44
45         The HasIndexedProperty node does GC.
46         https://bugs.webkit.org/show_bug.cgi?id=195559
47         <rdar://problem/48767923>
48
49         Reviewed by Yusuke Suzuki.
50
51         * stress/HasIndexedProperty-does-gc.js: Added.
52
53 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
54
55         [ESNext][BigInt] Implement "~" unary operation
56         https://bugs.webkit.org/show_bug.cgi?id=182216
57
58         Reviewed by Keith Miller.
59
60         * stress/big-int-bit-not-general.js: Added.
61         * stress/big-int-bitwise-not-jit.js: Added.
62         * stress/big-int-bitwise-not-wrapped-value.js: Added.
63         * stress/bit-op-with-object-returning-int32.js:
64         * stress/bitwise-not-fixup-rules.js: Added.
65         * stress/value-bit-not-ai-rule.js: Added.
66
67 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
68
69         Invalid flags in a RegExp literal should be an early SyntaxError
70         https://bugs.webkit.org/show_bug.cgi?id=195514
71
72         Reviewed by Darin Adler.
73
74         * test262/expectations.yaml:
75         Mark 4 test cases as passing.
76
77         * stress/regexp-syntax-error-invalid-flags.js:
78         * stress/regress-161995.js: Removed.
79         Update existing test, merging in an older test for the same behavior.
80
81 2019-03-08  Mark Lam  <mark.lam@apple.com>
82
83         Stack overflow crash in JSC::JSObject::hasInstance.
84         https://bugs.webkit.org/show_bug.cgi?id=195458
85         <rdar://problem/48710195>
86
87         Reviewed by Yusuke Suzuki.
88
89         * stress/stack-overflow-in-custom-hasInstance.js: Added.
90
91 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
92
93         op_check_tdz does not def its argument
94         https://bugs.webkit.org/show_bug.cgi?id=192880
95         <rdar://problem/46221598>
96
97         Reviewed by Saam Barati.
98
99         * microbenchmarks/let-for-in.js: Added.
100         (foo):
101
102 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
103
104         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
105         https://bugs.webkit.org/show_bug.cgi?id=195429
106
107         Reviewed by Saam Barati.
108
109         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
110         (foo):
111         * stress/string-from-char-code-255.js: Added.
112
113 2019-03-06  Mark Lam  <mark.lam@apple.com>
114
115         Fix incorrect handling of try-finally completion values.
116         https://bugs.webkit.org/show_bug.cgi?id=195131
117         <rdar://problem/46222079>
118
119         Reviewed by Saam Barati and Yusuke Suzuki.
120
121         Added many permutations of new test case to test-finally.js.  test-finally.js has
122         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
123         tests pass there as well.
124
125         * stress/test-finally.js:
126
127 2019-03-06  Saam Barati  <sbarati@apple.com>
128
129         Air::reportUsedRegisters must padInterference
130         https://bugs.webkit.org/show_bug.cgi?id=195303
131         <rdar://problem/48270343>
132
133         Reviewed by Keith Miller.
134
135         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
136
137 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
138
139         [JSC] AI should not propagate AbstractValue relying on constant folding phase
140         https://bugs.webkit.org/show_bug.cgi?id=195375
141
142         Reviewed by Saam Barati.
143
144         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
145         (let.array):
146
147 2019-03-05  Saam barati  <sbarati@apple.com>
148
149         op_switch_char broken for rope strings after JSRopeString layout rewrite
150         https://bugs.webkit.org/show_bug.cgi?id=195339
151         <rdar://problem/48592545>
152
153         Reviewed by Yusuke Suzuki.
154
155         * stress/switch-on-char-llint-rope.js: Added.
156
157 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
158
159         [JSC] Store bits for JSRopeString in 3 stores
160         https://bugs.webkit.org/show_bug.cgi?id=195234
161
162         Reviewed by Saam Barati.
163
164         * stress/null-rope-and-collectors.js: Added.
165
166 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
167
168         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
169         https://bugs.webkit.org/show_bug.cgi?id=195207
170
171         Unreviewed. After test runtime was reduced in r242213, test can be
172         run again on ARM/MIPS.
173
174         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
175
176 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
177
178         [JSC] sizeof(JSString) should be 16
179         https://bugs.webkit.org/show_bug.cgi?id=194375
180
181         Reviewed by Saam Barati.
182
183         * microbenchmarks/make-rope.js: Added.
184         (makeRope):
185         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
186         (returnRope.helper): Deleted.
187         (returnRope): Deleted.
188
189 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
190
191         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
192         https://bugs.webkit.org/show_bug.cgi?id=195144
193
194         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
195         Change the number from 1e8 to 1e5.
196
197         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
198         (foo):
199
200 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
201
202         Test times out on ARM/MIPS
203         https://bugs.webkit.org/show_bug.cgi?id=195168
204
205         Unreviewed. Skip test on ARM/MIPS.
206
207         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
208
209 2019-02-27  Mark Lam  <mark.lam@apple.com>
210
211         The parser is failing to record the token location of new in new.target.
212         https://bugs.webkit.org/show_bug.cgi?id=195127
213         <rdar://problem/39645578>
214
215         Reviewed by Yusuke Suzuki.
216
217         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
218
219 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
220
221         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
222         https://bugs.webkit.org/show_bug.cgi?id=195144
223         <rdar://problem/47595961>
224
225         Reviewed by Mark Lam.
226
227         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
228         (bar):
229         (foo):
230         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
231         (bar):
232         (foo):
233
234 2019-02-27  Robin Morisset  <rmorisset@apple.com>
235
236         DFG: Loop-invariant code motion (LICM) should not hoist dead code
237         https://bugs.webkit.org/show_bug.cgi?id=194945
238         <rdar://problem/48311657>
239
240         Reviewed by Mark Lam.
241
242         * stress/licm-dead-code.js: Added.
243
244 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
245
246         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
247         https://bugs.webkit.org/show_bug.cgi?id=194677
248         <rdar://problem/48112492>
249
250         Reviewed by Mark Lam.
251
252         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
253         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
254         it immediately fails due to the large size.
255
256         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
257         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
258         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
259         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
260
261         This patch changes the test to produce 16bit string from String.fromCharCode.
262
263         * stress/regress-178386.js:
264
265 2019-02-26  Mark Lam  <mark.lam@apple.com>
266
267         wasmToJS() should purify incoming NaNs.
268         https://bugs.webkit.org/show_bug.cgi?id=194807
269         <rdar://problem/48189132>
270
271         Reviewed by Saam Barati.
272
273         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
274
275 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
276
277         [JSC] Repeat string created from Array.prototype.join() take too much memory
278         https://bugs.webkit.org/show_bug.cgi?id=193912
279
280         Reviewed by Saam Barati.
281
282         Added a test and a microbenchmark for corner cases of
283         Array.prototype.join() with an uninitialized array.
284
285         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
286         * stress/array-prototype-join-uninitialized.js: Added.
287         (testArray):
288         (testABC):
289         (B):
290         (C):
291
292 2019-02-22  Robin Morisset  <rmorisset@apple.com>
293
294         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
295         https://bugs.webkit.org/show_bug.cgi?id=194953
296         <rdar://problem/47595253>
297
298         Reviewed by Saam Barati.
299
300         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
301
302         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
303
304 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
305
306         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
307         https://bugs.webkit.org/show_bug.cgi?id=172848
308         <rdar://problem/25709212>
309
310         Reviewed by Mark Lam.
311
312         * typeProfiler/inheritance.js:
313         Rewrite the test slightly for clarity. The hoisting was confusing.
314
315         * heapProfiler/class-names.js: Added.
316         (MyES5Class):
317         (MyES6Class):
318         (MyES6Subclass):
319         Test object types and improved class names.
320
321         * heapProfiler/driver/driver.js:
322         (CheapHeapSnapshotNode):
323         (CheapHeapSnapshot):
324         (createCheapHeapSnapshot):
325         (HeapSnapshot):
326         (createHeapSnapshot):
327         Update snapshot parsing from version 1 to version 2.
328
329 2019-02-19  Truitt Savell  <tsavell@apple.com>
330
331         Unreviewed, rolling out r241784.
332
333         Broke all OpenSource builds.
334
335         Reverted changeset:
336
337         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
338         instances view"
339         https://bugs.webkit.org/show_bug.cgi?id=172848
340         https://trac.webkit.org/changeset/241784
341
342 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
343
344         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
345         https://bugs.webkit.org/show_bug.cgi?id=172848
346         <rdar://problem/25709212>
347
348         Reviewed by Mark Lam.
349
350         * typeProfiler/inheritance.js:
351         Rewrite the test slightly for clarity. The hoisting was confusing.
352
353         * heapProfiler/class-names.js: Added.
354         (MyES5Class):
355         (MyES6Class):
356         (MyES6Subclass):
357         Test object types and improved class names.
358
359         * heapProfiler/driver/driver.js:
360         (CheapHeapSnapshotNode):
361         (CheapHeapSnapshot):
362         (createCheapHeapSnapshot):
363         (HeapSnapshot):
364         (createHeapSnapshot):
365         Update snapshot parsing from version 1 to version 2.
366
367 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
368
369         [ARM] Fix crash with sampling profiler
370         https://bugs.webkit.org/show_bug.cgi?id=194772
371
372         Reviewed by Mark Lam.
373
374         Do not skip test since crash with sampling profiler is now fixed.
375
376         * stress/sampling-profiler-richards.js:
377
378 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
379
380         [JSC] Add LazyClassStructure::getInitializedOnMainThread
381         https://bugs.webkit.org/show_bug.cgi?id=194784
382         <rdar://problem/48154820>
383
384         Reviewed by Mark Lam.
385
386         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
387         (getProperties):
388         (getRandomProperty):
389         (i.catch):
390
391 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
392
393         [ARM] Test gardening: Test running out of executable memory
394         https://bugs.webkit.org/show_bug.cgi?id=194771
395
396         Unreviewed. Do not run test without LLInt, test is running out of executable
397         memory on ARM otherwise.
398
399         * stress/tagged-template-object-collect.js:
400
401 2019-02-18  Tomas Popela  <tpopela@redhat.com>
402
403         Unreviewed, skip the test on platforms without sampling profiler
404
405         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
406         (platformSupportsSamplingProfiler.foo):
407         (platformSupportsSamplingProfiler.test):
408         (platformSupportsSamplingProfiler):
409         (foo): Deleted.
410         (test): Deleted.
411
412 2019-02-17  Saam Barati  <sbarati@apple.com>
413
414         Deadlock when adding a Structure property transition and then doing incremental marking
415         https://bugs.webkit.org/show_bug.cgi?id=194767
416
417         Reviewed by Mark Lam.
418
419         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
420
421 2019-02-15  Michael Saboff  <msaboff@apple.com>
422
423         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
424         https://bugs.webkit.org/show_bug.cgi?id=194558
425
426         Reviewed by Saam Barati.
427
428         New regression test.
429
430         * stress/regexp-unicode-within-string.js: Added.
431
432 2019-02-15  Mark Lam  <mark.lam@apple.com>
433
434         SamplingProfiler::stackTracesAsJSON() should escape strings.
435         https://bugs.webkit.org/show_bug.cgi?id=194649
436         <rdar://problem/48072386>
437
438         Reviewed by Saam Barati.
439
440         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
441         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
442         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
443         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
444
445 2019-02-15  Robin Morisset  <rmorisset@apple.com>
446         CodeBlock::jettison should clear related watchpoints
447         https://bugs.webkit.org/show_bug.cgi?id=194544
448
449         Reviewed by Mark Lam.
450
451         * stress/regexp-replace-double-watchpoint.js: Added.
452         (foo):
453
454 2019-02-15  Saam barati  <sbarati@apple.com>
455
456         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
457         https://bugs.webkit.org/show_bug.cgi?id=194036
458
459         Reviewed by Yusuke Suzuki.
460
461         * stress/tail-call-many-arguments.js: Added.
462         (foo):
463         (bar):
464
465 2019-02-14  Saam Barati  <sbarati@apple.com>
466
467         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
468         https://bugs.webkit.org/show_bug.cgi?id=194583
469         <rdar://problem/48028140>
470
471         Reviewed by Yusuke Suzuki.
472
473         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
474
475 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
476
477         [JSC] String.fromCharCode's slow path always generates 16bit string
478         https://bugs.webkit.org/show_bug.cgi?id=194466
479
480         Reviewed by Keith Miller.
481
482         * stress/string-from-char-code-slow-path.js: Added.
483         (shouldBe):
484         (testWithLength):
485
486 2019-02-08  Saam barati  <sbarati@apple.com>
487
488         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
489         https://bugs.webkit.org/show_bug.cgi?id=194334
490         <rdar://problem/47844327>
491
492         Reviewed by Mark Lam.
493
494         * stress/check-in-bounds-should-be-a-child-use.js: Added.
495         (func):
496
497 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
498
499         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
500         https://bugs.webkit.org/show_bug.cgi?id=194369
501         <rdar://problem/47813087>
502
503         Reviewed by Saam Barati.
504
505         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
506         (A):
507
508 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
509
510         [JSC] PrivateName to PublicName hash table is wasteful
511         https://bugs.webkit.org/show_bug.cgi?id=194277
512
513         Reviewed by Michael Saboff.
514
515         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
516
517         * ChakraCore.yaml:
518
519 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
520
521         [ARM] Test running out of executable memory
522         https://bugs.webkit.org/show_bug.cgi?id=194285
523
524         Unreviewed. Do not execute test with LLInt disabled, test runs out of
525         executable memory otherwise.
526
527         * stress/class-subclassing-function.js:
528
529 2019-02-04  Robin Morisset  <rmorisset@apple.com>
530
531         when lowering AssertNotEmpty, create the value before creating the patchpoint
532         https://bugs.webkit.org/show_bug.cgi?id=194231
533
534         Reviewed by Saam Barati.
535
536         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
537         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
538         So even tiny changes to this test can change the path code taken.
539
540         * stress/assert-not-empty.js: Added.
541         (foo):
542
543 2019-02-01  Mark Lam  <mark.lam@apple.com>
544
545         Remove invalid assertion in DFG's compileDoubleRep().
546         https://bugs.webkit.org/show_bug.cgi?id=194130
547         <rdar://problem/47699474>
548
549         Reviewed by Saam Barati.
550
551         * stress/constant-fold-double-rep-into-double-constant.js: Added.
552
553 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
554
555         Import latest Test262 updates.
556
557         Rubber-stamped by Keith Miller.
558
559         * test262.yaml: Deleted.
560         * test262/config.yaml:
561         * test262/expectations.yaml:
562         * test262/latest-changes-summary.txt:
563         * test262/test/:
564         * test262/test262-Revision.txt:
565
566 2019-01-30  Robin Morisset  <rmorisset@apple.com>
567
568         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
569         https://bugs.webkit.org/show_bug.cgi?id=194050
570         <rdar://problem/47595592>
571
572         Reviewed by Yusuke Suzuki.
573
574         * stress/object-keys-osr-exit.js: Added.
575         (foo):
576         (catch):
577
578 2019-01-29  Mark Lam  <mark.lam@apple.com>
579
580         ValueRecovery::recover() should purify NaN values it recovers.
581         https://bugs.webkit.org/show_bug.cgi?id=193978
582         <rdar://problem/47625488>
583
584         Reviewed by Saam Barati.
585
586         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
587
588 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
589
590         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
591         https://bugs.webkit.org/show_bug.cgi?id=193713
592
593         * stress/try-get-by-id-should-spill-registers-dfg.js:
594         (let.f.createBuiltin):
595
596 2019-01-28  Mark Lam  <mark.lam@apple.com>
597
598         ToString node actually does GC.
599         https://bugs.webkit.org/show_bug.cgi?id=193920
600         <rdar://problem/46695900>
601
602         Reviewed by Yusuke Suzuki.
603
604         * stress/dfg-to-string-on-int-does-gc.js: Added.
605         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
606         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
607
608 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         [JSC] NativeErrorConstructor should not have own IsoSubspace
611         https://bugs.webkit.org/show_bug.cgi?id=193713
612
613         Reviewed by Saam Barati.
614
615         Remove @Error use.
616
617         * stress/try-get-by-id-should-spill-registers-dfg.js:
618         (let.f.createBuiltin):
619
620 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
621
622         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
623         https://bugs.webkit.org/show_bug.cgi?id=190693
624
625         Reviewed by Michael Saboff.
626
627         * stress/regress-190693.js: Added.
628         (truth):
629         (assert):
630         (shouldThrowInvalidConstAssignment):
631         (taz):
632
633 2019-01-24  Saam Barati  <sbarati@apple.com>
634
635         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
636         https://bugs.webkit.org/show_bug.cgi?id=193751
637         <rdar://problem/47280215>
638
639         Reviewed by Michael Saboff.
640
641         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
642         (let.thing):
643         (foo.let.hello):
644         (foo):
645
646 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
647
648         [JSC] Reenable baseline JIT on mips
649         https://bugs.webkit.org/show_bug.cgi?id=192983
650
651         Reviewed by Mark Lam.
652
653         Added a new test for a case that was triggering a RELEASE_ASSERT when
654         testing.
655         Disable some slow tests that were already disabled for arm and x86.
656
657         * stress/json-parse-big-object.js: Added.
658         * stress/new-largeish-contiguous-array-with-size.js:
659         * stress/op_add.js:
660         * stress/op_bitand.js:
661         * stress/op_bitor.js:
662         * stress/op_bitxor.js:
663         * stress/op_lshift-ConstVar.js:
664         * stress/op_lshift-VarConst.js:
665         * stress/op_lshift-VarVar.js:
666         * stress/op_mod-ConstVar.js:
667         * stress/op_mod-VarConst.js:
668         * stress/op_mod-VarVar.js:
669         * stress/op_mul-ConstVar.js:
670         * stress/op_mul-VarConst.js:
671         * stress/op_mul-VarVar.js:
672         * stress/op_rshift-ConstVar.js:
673         * stress/op_rshift-VarConst.js:
674         * stress/op_rshift-VarVar.js:
675         * stress/op_sub-ConstVar.js:
676         * stress/op_sub-VarConst.js:
677         * stress/op_sub-VarVar.js:
678         * stress/op_urshift-ConstVar.js:
679         * stress/op_urshift-VarConst.js:
680         * stress/op_urshift-VarVar.js:
681         * stress/sampling-profiler-richards.js:
682         * stress/spread-forward-call-varargs-stack-overflow.js:
683
684 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
685
686         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
687         https://bugs.webkit.org/show_bug.cgi?id=193711
688         <rdar://problem/47250262>
689
690         Reviewed by Saam Barati.
691
692         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
693         (shouldBe):
694         (foo):
695         (bar):
696         (baz):
697
698 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
699
700         Unreviewed, fix initial global lexical binding epoch
701         https://bugs.webkit.org/show_bug.cgi?id=193603
702         <rdar://problem/47380869>
703
704         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
705         (f1.f2.f3.f4):
706         (f1.f2.f3):
707         (f1.f2):
708         (f1):
709
710 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
711
712         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
713         https://bugs.webkit.org/show_bug.cgi?id=193709
714         <rdar://problem/47363838>
715
716         Unreviewed, rollout to watch the tests.
717
718         * stress/object-tostring-changed-proto.js: Removed.
719         * stress/object-tostring-changed.js: Removed.
720         * stress/object-tostring-misc.js: Removed.
721         * stress/object-tostring-other.js: Removed.
722         * stress/object-tostring-untyped.js: Removed.
723
724 2019-01-22  Saam Barati  <sbarati@apple.com>
725
726         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
727
728         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
729         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
730         (testUncheckedLessThanZero):
731         (testUncheckedLessThanOrEqualZero):
732         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
733         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
734
735 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
736
737         [JSC] Invalidate old scope operations using global lexical binding epoch
738         https://bugs.webkit.org/show_bug.cgi?id=193603
739         <rdar://problem/47380869>
740
741         Reviewed by Saam Barati.
742
743         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
744         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
745         (shouldThrow):
746         (bar):
747         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
748         (shouldBe):
749         (get1):
750         (get2):
751         (get1If):
752         (get2If):
753         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
754         (shouldThrow):
755         (foo):
756
757 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
758
759         Unreviewed, roll out r240220 due to date-format-xparb regression
760         https://bugs.webkit.org/show_bug.cgi?id=193603
761
762         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
763         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
764         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
765         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
766
767 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
768
769         DoesGC rule is wrong for nodes with BigIntUse
770         https://bugs.webkit.org/show_bug.cgi?id=193652
771
772         Reviewed by Saam Barati.
773
774         * stress/big-int-value-op-update-gc-rules.js: Added.
775         (assert):
776         (doesGCAdd):
777         (doesGCSub):
778         (doesGCDiv):
779         (doesGCMul):
780         (doesGCBitAnd):
781         (doesGCBitOr):
782         (doesGCBitXor):
783
784 2019-01-20  Saam Barati  <sbarati@apple.com>
785
786         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
787         https://bugs.webkit.org/show_bug.cgi?id=193644
788         <rdar://problem/46209745>
789
790         Reviewed by Yusuke Suzuki.
791
792         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
793         (foo):
794         * stress/data-view-set-intrinsic-undefined-result.js: Added.
795         (foo):
796         (bar):
797
798 2019-01-20  Saam Barati  <sbarati@apple.com>
799
800         MovHint must merge NodeBytecodeUsesAsValue for its child
801         https://bugs.webkit.org/show_bug.cgi?id=186916
802         <rdar://problem/41396612>
803
804         Reviewed by Yusuke Suzuki.
805
806         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
807         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
808
809 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
810
811         [JSC] Invalidate old scope operations using global lexical binding epoch
812         https://bugs.webkit.org/show_bug.cgi?id=193603
813         <rdar://problem/47380869>
814
815         Reviewed by Saam Barati.
816
817         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
818         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
819         (shouldThrow):
820         (bar):
821         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
822         (shouldBe):
823         (get1):
824         (get2):
825         (get1If):
826         (get2If):
827         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
828         (shouldThrow):
829         (foo):
830
831 2019-01-17  Saam barati  <sbarati@apple.com>
832
833         StringObjectUse should not be a structure check for the original string object structure
834         https://bugs.webkit.org/show_bug.cgi?id=193483
835         <rdar://problem/47280522>
836
837         Reviewed by Yusuke Suzuki.
838
839         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
840         (foo):
841         (a.valueOf.0):
842
843 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
844
845         [JSC] ToThis omission in DFGByteCodeParser is wrong
846         https://bugs.webkit.org/show_bug.cgi?id=193513
847         <rdar://problem/45842236>
848
849         Reviewed by Saam Barati.
850
851         * stress/to-this-omission-with-different-strict-modes.js: Added.
852         (thisA):
853         (thisAStrictWrapper):
854
855 2019-01-15  Mark Lam  <mark.lam@apple.com>
856
857         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
858         https://bugs.webkit.org/show_bug.cgi?id=193423
859         <rdar://problem/46209355>
860
861         Reviewed by Saam Barati.
862
863         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
864         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
865         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
866         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
867
868 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
869
870         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
871         https://bugs.webkit.org/show_bug.cgi?id=193438
872         <rdar://problem/45581249>
873
874         Reviewed by Saam Barati and Keith Miller.
875
876         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
877         Then, GetByVal(String) crashed.
878
879         * stress/string-get-by-val-lowering.js: Added.
880         (shouldBe):
881         (test):
882         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
883         (Hello):
884         (foo):
885
886 2019-01-15  Tomas Popela  <tpopela@redhat.com>
887
888         Unreviewed, skip JIT tests if it's not enabled
889
890         * stress/bit-op-with-object-returning-int32.js:
891
892 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
893
894         DFGByteCodeParser rules for bitwise operations should consider type of their operands
895         https://bugs.webkit.org/show_bug.cgi?id=192966
896
897         Reviewed by Yusuke Suzuki.
898
899         * stress/bit-op-with-object-returning-int32.js: Added.
900
901 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
902
903         Skip a slow test and a flakey test on arm
904
905         Unreviewed gardening.
906
907         * typeProfiler/getter-richards.js:
908         This test always times out. It used to be always skipped on arm and
909         mips, but got accidentally enabled by r237919 now that we have DFG on
910         arm. Also skipping on mips as we plan to soon enable DFG for it too.
911
912 2019-01-14  Keith Miller  <keith_miller@apple.com>
913
914         Skip type-check-hoisting-phase-hoist... with no jit
915         https://bugs.webkit.org/show_bug.cgi?id=193421
916
917         Reviewed by Mark Lam.
918
919         It's timing out the 32-bit bots and takes 330 seconds
920         on my machine when run by itself.
921
922         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
923
924 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
925
926         [JSC] AI should check the given constant's array type when folding GetByVal into constant
927         https://bugs.webkit.org/show_bug.cgi?id=193413
928         <rdar://problem/46092389>
929
930         Reviewed by Keith Miller.
931
932         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
933         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
934         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
935         but GetByVal does not have appropriate ArrayModes, JSC crashes.
936
937         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
938         (compareArray):
939
940 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
941
942         [BigInt] Literal parsing is crashing when used inside an Object Literal
943         https://bugs.webkit.org/show_bug.cgi?id=193404
944
945         Reviewed by Yusuke Suzuki.
946
947         * stress/big-int-literal-inside-literal-object.js: Added.
948
949 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
950
951         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
952         https://bugs.webkit.org/show_bug.cgi?id=193372
953
954         Reviewed by Saam Barati.
955
956         * stress/typed-array-array-modes-profile.js: Added.
957         (foo):
958
959 2019-01-14  Mark Lam  <mark.lam@apple.com>
960
961         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
962         https://bugs.webkit.org/show_bug.cgi?id=193402
963         <rdar://problem/46012309>
964
965         Reviewed by Keith Miller.
966
967         * stress/regexp-compile-oom.js:
968         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
969           is enabled.  As a result, it will fail on cloop builds though there is no bug.
970
971 2019-01-11  Saam barati  <sbarati@apple.com>
972
973         DFG combined liveness can be wrong for terminal basic blocks
974         https://bugs.webkit.org/show_bug.cgi?id=193304
975         <rdar://problem/45268632>
976
977         Reviewed by Yusuke Suzuki.
978
979         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
980
981 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
982
983         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
984         https://bugs.webkit.org/show_bug.cgi?id=193308
985         <rdar://problem/45546542>
986
987         Reviewed by Saam Barati.
988
989         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
990         (shouldThrow):
991         (shouldBe):
992         (foo):
993         (get shouldThrow):
994         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
995         (shouldThrow):
996         (shouldBe):
997         (foo):
998         (get shouldBe):
999         (get shouldThrow):
1000         (get return):
1001         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1002         (shouldThrow):
1003         (shouldBe):
1004         (foo):
1005         (get shouldBe):
1006         (get shouldThrow):
1007         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1008         (shouldThrow):
1009         (shouldBe):
1010         (foo):
1011         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1012         (shouldThrow):
1013         (shouldBe):
1014         (foo):
1015         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1016         (shouldThrow):
1017         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1018         (shouldThrow):
1019         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1020         (shouldThrow):
1021         (shouldBe):
1022         (foo):
1023         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1024         (shouldThrow):
1025         (shouldBe):
1026         (foo):
1027         (get shouldBe):
1028         (get shouldThrow):
1029         (get return):
1030         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1031         (shouldThrow):
1032         (shouldBe):
1033         (foo):
1034         (get shouldBe):
1035         (get shouldThrow):
1036         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1037         (shouldThrow):
1038         (shouldBe):
1039         (foo):
1040         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1041         (shouldThrow):
1042         (shouldBe):
1043         (foo):
1044
1045 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1046
1047         Enable DFG on ARM/Linux again
1048         https://bugs.webkit.org/show_bug.cgi?id=192496
1049
1050         Reviewed by Yusuke Suzuki.
1051
1052         Test wasn't really skipped before moving the line with skip
1053         to the top.
1054
1055         * stress/regress-192717.js:
1056
1057 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1058
1059         Unreviewed, rolling out r239825.
1060         https://bugs.webkit.org/show_bug.cgi?id=193330
1061
1062         Broke tests on armv7/linux bots (Requested by guijemont on
1063         #webkit).
1064
1065         Reverted changeset:
1066
1067         "Enable DFG on ARM/Linux again"
1068         https://bugs.webkit.org/show_bug.cgi?id=192496
1069         https://trac.webkit.org/changeset/239825
1070
1071 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1072
1073         Enable DFG on ARM/Linux again
1074         https://bugs.webkit.org/show_bug.cgi?id=192496
1075
1076         Reviewed by Yusuke Suzuki.
1077
1078         Test wasn't really skipped before moving the line with skip
1079         to the top.
1080
1081         * stress/regress-192717.js:
1082
1083 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1084
1085         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1086         https://bugs.webkit.org/show_bug.cgi?id=193127
1087
1088         Reviewed by Saam Barati.
1089
1090         * stress/array-species-create-should-handle-masquerader.js: Added.
1091         (shouldThrow):
1092         * stress/is-undefined-or-null-builtin.js: Added.
1093         (shouldBe):
1094         (isUndefinedOrNull.vm.createBuiltin):
1095
1096 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1097
1098         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1099         https://bugs.webkit.org/show_bug.cgi?id=193221
1100
1101         Reviewed by Mark Lam.
1102
1103         * stress/put-by-id-flags.js: Added.
1104         (f):
1105         (g):
1106         (numberOfDFGCompiles):
1107
1108 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1109
1110         Baseline version of get_by_id may corrupt metadata
1111         https://bugs.webkit.org/show_bug.cgi?id=193085
1112         <rdar://problem/23453006>
1113
1114         Reviewed by Saam Barati.
1115
1116         * stress/get-by-id-change-mode.js: Added.
1117         (forEach):
1118
1119 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1120
1121         [JSC] Optimize Object.prototype.toString
1122         https://bugs.webkit.org/show_bug.cgi?id=193031
1123
1124         Reviewed by Saam Barati.
1125
1126         * stress/object-tostring-changed-proto.js: Added.
1127         (shouldBe):
1128         (test):
1129         * stress/object-tostring-changed.js: Added.
1130         (shouldBe):
1131         (test):
1132         * stress/object-tostring-misc.js: Added.
1133         (shouldBe):
1134         (test):
1135         (i.switch):
1136         * stress/object-tostring-other.js: Added.
1137         (shouldBe):
1138         (test):
1139         * stress/object-tostring-untyped.js: Added.
1140         (shouldBe):
1141         (test):
1142         (i.switch):
1143
1144 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1145
1146         test262-runner misbehaves when test file YAML has a trailing space
1147         https://bugs.webkit.org/show_bug.cgi?id=193053
1148
1149         Reviewed by Yusuke Suzuki.
1150
1151         * test262/expectations.yaml:
1152         Mark two dozen tests as passing (and correct the output of another).
1153
1154 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1155
1156         Unreviewed, JSTests gardening with memoryLimited
1157
1158         * stress/string-overflow-createError.js:
1159
1160 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1161
1162         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1163         https://bugs.webkit.org/show_bug.cgi?id=193050
1164
1165         Reviewed by Yusuke Suzuki.
1166
1167         * test262.yaml:
1168         * test262/expectations.yaml:
1169         Mark 16 tests as passing.
1170
1171 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1172
1173         [BigInt] Support BigInt in JSON.stringify
1174         https://bugs.webkit.org/show_bug.cgi?id=192624
1175
1176         Reviewed by Saam Barati.
1177
1178         * stress/big-int-json-stringify-to-json.js: Added.
1179         (shouldBe):
1180         (shouldThrow):
1181         (BigInt.prototype.toJSON):
1182         (shouldBe.JSON.stringify):
1183         * stress/big-int-json-stringify.js: Added.
1184         (shouldBe):
1185         (shouldThrow):
1186
1187 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1188
1189         [JSC] Implement "well-formed JSON.stringify" proposal
1190         https://bugs.webkit.org/show_bug.cgi?id=191677
1191
1192         Reviewed by Darin Adler.
1193
1194         * stress/json-surrogate-pair.js: Added.
1195         (shouldBe):
1196         * test262/expectations.yaml:
1197
1198 2018-12-20  Keith Miller  <keith_miller@apple.com>
1199
1200         Add support for globalThis
1201         https://bugs.webkit.org/show_bug.cgi?id=165171
1202
1203         Reviewed by Mark Lam.
1204
1205         * test262/config.yaml:
1206
1207 2018-12-19  Keith Miller  <keith_miller@apple.com>
1208
1209         Update test262 configuration to not run tests dependent on ICU version.
1210         https://bugs.webkit.org/show_bug.cgi?id=192920
1211
1212         Reviewed by Saam Barati.
1213
1214         * test262/expectations.yaml:
1215
1216 2018-12-20  Mark Lam  <mark.lam@apple.com>
1217
1218         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1219         https://bugs.webkit.org/show_bug.cgi?id=192939
1220         <rdar://problem/46869516>
1221
1222         Reviewed by Keith Miller.
1223
1224         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1225
1226 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1227
1228         WTF::String and StringImpl overflow MaxLength
1229         https://bugs.webkit.org/show_bug.cgi?id=192853
1230         <rdar://problem/45726906>
1231
1232         Reviewed by Mark Lam.
1233
1234         * stress/string-16bit-repeat-overflow.js: Added.
1235         (catch):
1236
1237 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1238
1239         Unreviewed follow-up to r192914.
1240
1241         * test262/expectations.yaml:
1242         Add the last 20 missing expectations.
1243
1244 2018-12-19  Keith Miller  <keith_miller@apple.com>
1245
1246         Fix test262 expectations
1247         https://bugs.webkit.org/show_bug.cgi?id=192914
1248
1249         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1250
1251         * test262/expectations.yaml:
1252
1253 2018-12-19  Keith Miller  <keith_miller@apple.com>
1254
1255         Update test262 tests.
1256         https://bugs.webkit.org/show_bug.cgi?id=192907
1257
1258         Rubber stamped by Mark Lam.
1259
1260         * test262/*: Omitted because prepare-changelog crashes.
1261
1262 2018-12-19  Mark Lam  <mark.lam@apple.com>
1263
1264         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1265         https://bugs.webkit.org/show_bug.cgi?id=192464
1266         <rdar://problem/46519455>
1267
1268         Reviewed by Saam Barati.
1269
1270         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1271         microbenchmark.
1272
1273         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1274         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1275
1276 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1277
1278         String overflow in JSC::createError results in ASSERT in WTF::makeString
1279         https://bugs.webkit.org/show_bug.cgi?id=192833
1280         <rdar://problem/45706868>
1281
1282         Reviewed by Mark Lam.
1283
1284         * stress/string-overflow-createError.js: Added.
1285
1286 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1287
1288         Error message for `-x ** y` contains a typo.
1289         https://bugs.webkit.org/show_bug.cgi?id=192832
1290
1291         Reviewed by Saam Barati.
1292
1293         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1294         (assert.assert.return.throws):
1295         * stress/pow-expects-update-expression-on-lhs.js:
1296         (throw.new.Error):
1297         Update test expectations which match against the exact error message.
1298
1299 2018-12-18  Mark Lam  <mark.lam@apple.com>
1300
1301         Gardening: test options fix.
1302         https://bugs.webkit.org/show_bug.cgi?id=192822
1303
1304         Unreviewed.
1305
1306         * stress/json-stringify-string-builder-overflow.js:
1307
1308 2018-12-18  Mark Lam  <mark.lam@apple.com>
1309
1310         JSON.stringify() should throw OOM on StringBuilder overflows.
1311         https://bugs.webkit.org/show_bug.cgi?id=192822
1312         <rdar://problem/46670577>
1313
1314         Reviewed by Saam Barati.
1315
1316         * stress/json-stringify-string-builder-overflow.js: Added.
1317
1318 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1319
1320         Redeclaration of var over let/const/class should be a syntax error.
1321         https://bugs.webkit.org/show_bug.cgi?id=192298
1322
1323         Reviewed by Keith Miller.
1324
1325         * test262.yaml:
1326         * test262/expectations.yaml:
1327         Mark 46 tests as passing.
1328
1329         * stress/block-scope-redeclarations.js:
1330         Add some new tests.
1331
1332         * stress/for-in-invalidate-context-weird-assignments.js:
1333         * stress/for-in-tests.js:
1334         Replace tests for outdated behavior with tests for SyntaxError.
1335
1336         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1337         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1338         Update expectations.
1339
1340 2018-12-18  Mark Lam  <mark.lam@apple.com>
1341
1342         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1343         https://bugs.webkit.org/show_bug.cgi?id=191374
1344         <rdar://problem/46525447>
1345
1346         Reviewed by Yusuke Suzuki.
1347
1348         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1349
1350         * stress/elidable-new-object-roflcopter-then-exit.js:
1351
1352 2018-12-17  Mark Lam  <mark.lam@apple.com>
1353
1354         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1355         https://bugs.webkit.org/show_bug.cgi?id=192019
1356         <rdar://problem/46525456>
1357
1358         Reviewed by Yusuke Suzuki.
1359
1360         The test runs too slow on 32-bit.
1361
1362         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1363
1364 2018-12-17  Mark Lam  <mark.lam@apple.com>
1365
1366         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1367         https://bugs.webkit.org/show_bug.cgi?id=191373
1368         <rdar://problem/46525458>
1369
1370         Reviewed by Yusuke Suzuki.
1371
1372         The test is already slow running with a JIT on 64-bit.  It will always time out
1373         on 32-bit without a JIT.
1374
1375         * stress/materialize-regexp-cyclic-regexp.js:
1376
1377 2018-12-17  Mark Lam  <mark.lam@apple.com>
1378
1379         Array unshift/shift should not race against the AI in the compiler thread.
1380         https://bugs.webkit.org/show_bug.cgi?id=192795
1381         <rdar://problem/46724263>
1382
1383         Reviewed by Saam Barati.
1384
1385         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1386
1387 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1388
1389         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1390         https://bugs.webkit.org/show_bug.cgi?id=190047
1391
1392         Reviewed by Saam Barati.
1393
1394         * stress/object-keys-cached-zero.js: Added.
1395         (shouldBe):
1396         (test):
1397         * stress/object-keys-changed-attribute.js: Added.
1398         (shouldBe):
1399         (test):
1400         * stress/object-keys-changed-index.js: Added.
1401         (shouldBe):
1402         (test):
1403         * stress/object-keys-changed.js: Added.
1404         (shouldBe):
1405         (test):
1406         * stress/object-keys-indexed-non-cache.js: Added.
1407         (shouldBe):
1408         (test):
1409         * stress/object-keys-overrides-get-property-names.js: Added.
1410         (shouldBe):
1411         (test):
1412         (noInline):
1413
1414 2018-12-17  Mark Lam  <mark.lam@apple.com>
1415
1416         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1417         https://bugs.webkit.org/show_bug.cgi?id=192779
1418         <rdar://problem/46775869>
1419
1420         Reviewed by Saam Barati.
1421
1422         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1423
1424 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1425
1426         Unreviewed test gardening, address a syntax error in a new test.
1427
1428         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1429
1430 2018-12-17  Mark Lam  <mark.lam@apple.com>
1431
1432         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1433         https://bugs.webkit.org/show_bug.cgi?id=192776
1434         <rdar://problem/46772368>
1435
1436         Reviewed by Keith Miller.
1437
1438         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1439
1440 2018-12-17  Mark Lam  <mark.lam@apple.com>
1441
1442         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1443         https://bugs.webkit.org/show_bug.cgi?id=192770
1444         <rdar://problem/46449037>
1445
1446         Reviewed by Keith Miller.
1447
1448         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1449
1450 2018-12-14  Mark Lam  <mark.lam@apple.com>
1451
1452         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1453         https://bugs.webkit.org/show_bug.cgi?id=192717
1454         <rdar://problem/46660677>
1455
1456         Reviewed by Saam Barati.
1457
1458         * stress/regress-192717.js: Added.
1459
1460 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1461
1462         Unreviewed, rolling out r239153, r239154, and r239155.
1463         https://bugs.webkit.org/show_bug.cgi?id=192715
1464
1465         Caused flaky GC-related crashes seen with layout tests
1466         (Requested by ryanhaddad on #webkit).
1467
1468         Reverted changesets:
1469
1470         "[JSC] Optimize Object.keys by caching own keys results in
1471         StructureRareData"
1472         https://bugs.webkit.org/show_bug.cgi?id=190047
1473         https://trac.webkit.org/changeset/239153
1474
1475         "Unreviewed, build fix after r239153"
1476         https://bugs.webkit.org/show_bug.cgi?id=190047
1477         https://trac.webkit.org/changeset/239154
1478
1479         "Unreviewed, build fix after r239153, part 2"
1480         https://bugs.webkit.org/show_bug.cgi?id=190047
1481         https://trac.webkit.org/changeset/239155
1482
1483 2018-12-14  Keith Miller  <keith_miller@apple.com>
1484
1485         Callers of JSString::getIndex should check for OOM exceptions
1486         https://bugs.webkit.org/show_bug.cgi?id=192709
1487
1488         Reviewed by Mark Lam.
1489
1490         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1491
1492 2018-12-13  Mark Lam  <mark.lam@apple.com>
1493
1494         Add a missing exception check.
1495         https://bugs.webkit.org/show_bug.cgi?id=192626
1496         <rdar://problem/46662163>
1497
1498         Reviewed by Keith Miller.
1499
1500         * stress/regress-192626.js: Added.
1501
1502 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1503
1504         [BigInt] Add ValueDiv into DFG
1505         https://bugs.webkit.org/show_bug.cgi?id=186178
1506
1507         Reviewed by Yusuke Suzuki.
1508
1509         * stress/big-int-div-jit-osr.js: Added.
1510         * stress/big-int-div-jit-untyped.js: Added.
1511         * stress/value-div-fixup-int32-big-int.js: Added.
1512
1513 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1514
1515         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1516         https://bugs.webkit.org/show_bug.cgi?id=190047
1517
1518         Reviewed by Keith Miller.
1519
1520         * stress/object-keys-cached-zero.js: Added.
1521         (shouldBe):
1522         (test):
1523         * stress/object-keys-changed-attribute.js: Added.
1524         (shouldBe):
1525         (test):
1526         * stress/object-keys-changed-index.js: Added.
1527         (shouldBe):
1528         (test):
1529         * stress/object-keys-changed.js: Added.
1530         (shouldBe):
1531         (test):
1532         * stress/object-keys-indexed-non-cache.js: Added.
1533         (shouldBe):
1534         (test):
1535         * stress/object-keys-overrides-get-property-names.js: Added.
1536         (shouldBe):
1537         (test):
1538         (noInline):
1539
1540 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1541
1542         [DFG][FTL] Add NewSymbol
1543         https://bugs.webkit.org/show_bug.cgi?id=192620
1544
1545         Reviewed by Saam Barati.
1546
1547         * microbenchmarks/symbol-creation.js: Added.
1548         (test):
1549         * stress/symbol-description-identity.js: Added.
1550         (shouldBe):
1551         (test):
1552         * stress/symbol-identity.js: Added.
1553         (shouldBe):
1554         (test):
1555         * stress/symbol-with-description-throw-error.js: Added.
1556         (shouldBe):
1557         (shouldThrow):
1558         (test):
1559         (object.toString):
1560
1561 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1562
1563         [BigInt] Implement DFG/FTL typeof for BigInt
1564         https://bugs.webkit.org/show_bug.cgi?id=192619
1565
1566         Reviewed by Keith Miller.
1567
1568         * stress/big-int-boolean-proven-type.js: Added.
1569         (assert):
1570         (bool):
1571         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1572         (assert):
1573         (typeOf):
1574         (i.switch):
1575         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1576         (assert):
1577         (typeOf):
1578         * stress/big-int-type-of.js:
1579         (typeOf):
1580         (func):
1581
1582 2018-12-10  Mark Lam  <mark.lam@apple.com>
1583
1584         PropertyAttribute needs a CustomValue bit.
1585         https://bugs.webkit.org/show_bug.cgi?id=191993
1586         <rdar://problem/46264467>
1587
1588         Reviewed by Saam Barati.
1589
1590         * stress/regress-191993.js: Added.
1591
1592 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1593
1594         [BigInt] Add ValueMul into DFG
1595         https://bugs.webkit.org/show_bug.cgi?id=186175
1596
1597         Reviewed by Yusuke Suzuki.
1598
1599         * stress/big-int-mul-jit-osr.js: Added.
1600         * stress/big-int-mul-jit-untyped.js: Added.
1601         * stress/value-mul-fixup-int32-big-int.js: Added.
1602
1603 2018-12-06  Keith Miller  <keith_miller@apple.com>
1604
1605         stress/big-wasm-memory tests failing on 32-bit JSC bot
1606         https://bugs.webkit.org/show_bug.cgi?id=192020
1607
1608         Reviewed by Saam Barati.
1609
1610         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1611         the wasm stress tests if the WebAssembly object does not exist.
1612
1613         * stress/big-wasm-memory-grow-no-max.js:
1614         (test.foo):
1615         (test):
1616         (foo): Deleted.
1617         (catch): Deleted.
1618         * stress/big-wasm-memory-grow.js:
1619         (test.foo):
1620         (test):
1621         (foo): Deleted.
1622         (catch): Deleted.
1623         * stress/big-wasm-memory.js:
1624         (test.foo):
1625         (test):
1626         (foo): Deleted.
1627         (catch): Deleted.
1628
1629 2018-12-05  Mark Lam  <mark.lam@apple.com>
1630
1631         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1632         https://bugs.webkit.org/show_bug.cgi?id=192441
1633         <rdar://problem/46480355>
1634
1635         Reviewed by Saam Barati.
1636
1637         * stress/regress-192441.js: Added.
1638
1639 2018-12-04  Mark Lam  <mark.lam@apple.com>
1640
1641         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1642         https://bugs.webkit.org/show_bug.cgi?id=192386
1643         <rdar://problem/46445516>
1644
1645         Reviewed by Saam Barati.
1646
1647         * stress/regress-192386.js: Added.
1648
1649 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1650
1651         [ESNext][BigInt] Support logic operations
1652         https://bugs.webkit.org/show_bug.cgi?id=179903
1653
1654         Reviewed by Yusuke Suzuki.
1655
1656         * stress/big-int-branch-usage.js: Added.
1657         * stress/big-int-logical-and.js: Added.
1658         * stress/big-int-logical-not.js: Added.
1659         * stress/big-int-logical-or.js: Added.
1660
1661 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1662
1663         Unreviewed, rolling out r238833.
1664
1665         Breaks macOS and iOS debug builds.
1666
1667         Reverted changeset:
1668
1669         "[ESNext][BigInt] Support logic operations"
1670         https://bugs.webkit.org/show_bug.cgi?id=179903
1671         https://trac.webkit.org/changeset/238833
1672
1673 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1674
1675         [ESNext][BigInt] Support logic operations
1676         https://bugs.webkit.org/show_bug.cgi?id=179903
1677
1678         Reviewed by Yusuke Suzuki.
1679
1680         * stress/big-int-branch-usage.js: Added.
1681         * stress/big-int-logical-and.js: Added.
1682         * stress/big-int-logical-not.js: Added.
1683         * stress/big-int-logical-or.js: Added.
1684
1685 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1686
1687         [ESNext][BigInt] Implement support for "<<" and ">>"
1688         https://bugs.webkit.org/show_bug.cgi?id=186233
1689
1690         Reviewed by Yusuke Suzuki.
1691
1692         * stress/big-int-left-shift-general.js: Added.
1693         * stress/big-int-left-shift-range-error.js: Added.
1694         * stress/big-int-left-shift-type-error.js: Added.
1695         * stress/big-int-left-shift-wrapped-value.js: Added.
1696         * stress/big-int-right-shift-general.js: Added.
1697         * stress/big-int-right-shift-type-error.js: Added.
1698         * stress/big-int-right-shift-wrapped-value.js: Added.
1699         * stress/left-shift-to-primitive-precedence.js: Added.
1700         * stress/right-shift-to-primitive-precedence.js: Added.
1701
1702 2018-11-30  Dean Jackson  <dino@apple.com>
1703
1704         Add first-class support for .mjs files in jsc binary
1705         https://bugs.webkit.org/show_bug.cgi?id=192190
1706         <rdar://problem/46375715>
1707
1708         Reviewed by Keith Miller.
1709
1710         * stress/simple-module.mjs: Added.
1711         * stress/simple-script.js: Added.
1712
1713 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1714
1715         [BigInt] Implement ValueBitXor into DFG
1716         https://bugs.webkit.org/show_bug.cgi?id=190264
1717
1718         Reviewed by Yusuke Suzuki.
1719
1720         * stress/big-int-bitwise-xor-jit.js: Added.
1721         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1722         * stress/big-int-bitwise-xor-untyped.js: Added.
1723
1724 2018-11-27  Saam barati  <sbarati@apple.com>
1725
1726         r238510 broke scopes of size zero
1727         https://bugs.webkit.org/show_bug.cgi?id=192033
1728         <rdar://problem/46281734>
1729
1730         Reviewed by Keith Miller.
1731
1732         * stress/r238510-bad-loop.js: Added.
1733         (foo):
1734
1735 2018-11-27  Mark Lam  <mark.lam@apple.com>
1736
1737         [Re-landing] NaNs read from Wasm code needs to be purified.
1738         https://bugs.webkit.org/show_bug.cgi?id=191056
1739         <rdar://problem/45660341>
1740
1741         Reviewed by Filip Pizlo.
1742
1743         * wasm/regress/regress-191056.js: Added.
1744
1745 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1746
1747         Unreviewed, rolling out r238509.
1748
1749         Causes JSC tests to fail on iOS.
1750
1751         Reverted changeset:
1752
1753         "NaNs read from Wasm code needs to be purified."
1754         https://bugs.webkit.org/show_bug.cgi?id=191056
1755         https://trac.webkit.org/changeset/238509
1756
1757 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1758
1759         Re-introduce op_bitnot
1760         https://bugs.webkit.org/show_bug.cgi?id=190923
1761
1762         Reviewed by Yusuke Suzuki.
1763
1764         * stress/bit-not-must-generate.js: Added.
1765         * stress/bitwise-not-no-int32.js: Added.
1766
1767 2018-11-26  Saam barati  <sbarati@apple.com>
1768
1769         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1770         https://bugs.webkit.org/show_bug.cgi?id=191956
1771         <rdar://problem/45665806>
1772
1773         Reviewed by Yusuke Suzuki.
1774
1775         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1776         (bar):
1777         (foo):
1778
1779 2018-11-26  Saam barati  <sbarati@apple.com>
1780
1781         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1782         https://bugs.webkit.org/show_bug.cgi?id=191958
1783         <rdar://problem/46221877>
1784
1785         Reviewed by Yusuke Suzuki.
1786
1787         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1788         (x):
1789         (foo):
1790
1791 2018-11-26  Mark Lam  <mark.lam@apple.com>
1792
1793         NaNs read from Wasm code needs to be purified.
1794         https://bugs.webkit.org/show_bug.cgi?id=191056
1795         <rdar://problem/45660341>
1796
1797         Reviewed by Filip Pizlo.
1798
1799         * wasm/regress/regress-191056.js: Added.
1800
1801 2018-11-26  Michael Saboff  <msaboff@apple.com>
1802
1803         32-bit JSC test failure: stress/regexp-compile-oom.js
1804         https://bugs.webkit.org/show_bug.cgi?id=191375
1805
1806         Reviewed by Mark Lam.
1807
1808         Disabled the test for 32 bit platforms.
1809
1810         * stress/regexp-compile-oom.js:
1811
1812 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1813
1814         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1815         https://bugs.webkit.org/show_bug.cgi?id=191716
1816         <rdar://problem/45723878>
1817
1818         Reviewed by Saam Barati.
1819
1820         * stress/regress-187373.js: Added.
1821         (async.fn):
1822
1823 2018-11-21  Saam barati  <sbarati@apple.com>
1824
1825         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1826         https://bugs.webkit.org/show_bug.cgi?id=191897
1827         <rdar://problem/45871998>
1828
1829         Reviewed by Mark Lam.
1830
1831         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1832         (bar):
1833         (foo):
1834
1835 2018-11-21  Saam barati  <sbarati@apple.com>
1836
1837         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1838         https://bugs.webkit.org/show_bug.cgi?id=191895
1839         <rdar://problem/46167406>
1840
1841         Reviewed by Mark Lam.
1842
1843         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1844         (foo):
1845         (bar):
1846
1847 2018-11-21  Mark Lam  <mark.lam@apple.com>
1848
1849         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1850         https://bugs.webkit.org/show_bug.cgi?id=191776
1851         <rdar://problem/46152851>
1852
1853         Reviewed by Saam Barati.
1854
1855         * stress/big-wasm-memory-grow-no-max.js:
1856         * stress/big-wasm-memory-grow.js:
1857         * stress/big-wasm-memory.js:
1858         - updated these to expect an OutOfMemoryError.
1859
1860         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1861         (Binary.prototype.emit_u8):
1862         (Binary.prototype.emit_u32v):
1863         (Binary.prototype.emit_header):
1864         (Binary.prototype.emit_section):
1865         (Binary):
1866         (WasmModuleBuilder):
1867         (WasmModuleBuilder.prototype.addMemory):
1868         (WasmModuleBuilder.prototype.toArray):
1869         (WasmModuleBuilder.prototype.toBuffer):
1870         (WasmModuleBuilder.prototype.instantiate):
1871         (catch):
1872         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1873         (catch):
1874
1875 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1876
1877         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1878         https://bugs.webkit.org/show_bug.cgi?id=190836
1879
1880         Reviewed by Saam Barati and Yusuke Suzuki.
1881
1882         * stress/big-int-out-of-memory-tests.js: Added.
1883
1884 2018-11-20  Mark Lam  <mark.lam@apple.com>
1885
1886         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1887         https://bugs.webkit.org/show_bug.cgi?id=191856
1888         <rdar://problem/46089992>
1889
1890         Reviewed by Yusuke Suzuki.
1891
1892         * stress/regress-191856.js: Added.
1893         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1894
1895 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1896
1897         Enable JIT on ARM/Linux
1898         https://bugs.webkit.org/show_bug.cgi?id=191548
1899
1900         Reviewed by Yusuke Suzuki.
1901
1902         Disable test on system with limited memory. Program was killed by
1903         the OS before the exception was thrown.
1904
1905         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1906
1907 2018-11-20  Saam barati  <sbarati@apple.com>
1908
1909         Merging an IC variant may lead to the IC status containing overlapping structure sets
1910         https://bugs.webkit.org/show_bug.cgi?id=191869
1911         <rdar://problem/45403453>
1912
1913         Reviewed by Mark Lam.
1914
1915         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1916
1917 2018-11-19  Mark Lam  <mark.lam@apple.com>
1918
1919         globalFuncImportModule() should return a promise when it clears exceptions.
1920         https://bugs.webkit.org/show_bug.cgi?id=191792
1921         <rdar://problem/46090763>
1922
1923         Reviewed by Michael Saboff.
1924
1925         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1926
1927 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1928
1929         Skip new memory-hungry tests on memory limited devices
1930
1931         Unreviewed gardening.
1932
1933         * stress/big-wasm-memory-grow-no-max.js:
1934         * stress/big-wasm-memory-grow.js:
1935         * stress/big-wasm-memory.js:
1936
1937 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1938
1939         Unreviewed, rolling in the rest of r237254
1940         https://bugs.webkit.org/show_bug.cgi?id=190340
1941
1942         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1943         * stress/function-cache-with-parameters-end-position.js: Added.
1944         (shouldBe):
1945         (shouldThrow):
1946         (i.anonymous):
1947         * stress/function-constructor-name.js: Added.
1948         (shouldBe):
1949         (GeneratorFunction):
1950         (AsyncFunction.async):
1951         (AsyncGeneratorFunction.async):
1952         (anonymous):
1953         (async.anonymous):
1954         * test262/expectations.yaml:
1955
1956 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1957
1958         All users of ArrayBuffer should agree on the same max size
1959         https://bugs.webkit.org/show_bug.cgi?id=191771
1960
1961         Reviewed by Mark Lam.
1962
1963         * stress/big-wasm-memory-grow-no-max.js: Added.
1964         (foo):
1965         (catch):
1966         * stress/big-wasm-memory-grow.js: Added.
1967         (foo):
1968         (catch):
1969         * stress/big-wasm-memory.js: Added.
1970         (foo):
1971         (catch):
1972
1973 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1974
1975         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1976         run for each JSC config since they're regression tests for runtime bugs.
1977
1978         * stress/json-stringified-overflow-2.js:
1979         * stress/json-stringified-overflow.js:
1980
1981 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1982
1983         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1984         config since they're regression tests for runtime bugs.
1985
1986         * stress/large-unshift-splice.js:
1987         * stress/regress-185888.js:
1988
1989 2018-11-16  Saam Barati  <sbarati@apple.com>
1990
1991         KnownCellUse should also have SpecCellCheck as its type filter
1992         https://bugs.webkit.org/show_bug.cgi?id=191729
1993         <rdar://problem/45872852>
1994
1995         Reviewed by Filip Pizlo.
1996
1997         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1998         (C):
1999
2000 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2001
2002         Fix assertion failure on BytecodeGenerator::recordOpcode
2003         https://bugs.webkit.org/show_bug.cgi?id=191724
2004         <rdar://problem/45724395>
2005
2006         Reviewed by Saam Barati.
2007
2008         * stress/regress-187373-2.js: Added.
2009         (foo):
2010
2011 2018-11-15  Mark Lam  <mark.lam@apple.com>
2012
2013         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2014         https://bugs.webkit.org/show_bug.cgi?id=191730
2015         <rdar://problem/46048517>
2016
2017         Reviewed by Saam Barati.
2018
2019         * stress/regress-187006.js: Removed.
2020           - this test is invalid because its sole purpose is to test for the non-spec
2021             compliant behavior that we just fixed.
2022
2023         * stress/regress-191730.js: Added.
2024
2025 2018-11-15  Mark Lam  <mark.lam@apple.com>
2026
2027         RegExp operations should not take fast path if lastIndex is not numeric.
2028         https://bugs.webkit.org/show_bug.cgi?id=191731
2029         <rdar://problem/46017305>
2030
2031         Reviewed by Saam Barati.
2032
2033         * stress/regress-191731.js: Added.
2034
2035 2018-11-13  Saam Barati  <sbarati@apple.com>
2036
2037         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2038         https://bugs.webkit.org/show_bug.cgi?id=191600
2039
2040         Reviewed by Mark Lam.
2041
2042         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2043         (foo):
2044         (test):
2045         (bar):
2046
2047 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2048
2049         Unreviewed, rolling out r238132.
2050
2051         The test added with this change is timing out on Debug JSC
2052         bots.
2053
2054         Reverted changeset:
2055
2056         "[BigInt] JSBigInt::createWithLength should throw when length
2057         is greater than JSBigInt::maxLength"
2058         https://bugs.webkit.org/show_bug.cgi?id=190836
2059         https://trac.webkit.org/changeset/238132
2060
2061 2018-11-13  Mark Lam  <mark.lam@apple.com>
2062
2063         Add OOM detection to StringPrototype's substituteBackreferences().
2064         https://bugs.webkit.org/show_bug.cgi?id=191563
2065         <rdar://problem/45720428>
2066
2067         Reviewed by Saam Barati.
2068
2069         * stress/regress-191563.js: Added.
2070
2071 2018-11-13  Mark Lam  <mark.lam@apple.com>
2072
2073         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2074         https://bugs.webkit.org/show_bug.cgi?id=191579
2075         <rdar://problem/45942472>
2076
2077         Reviewed by Saam Barati.
2078
2079         * stress/regress-191579.js: Added.
2080
2081 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2082
2083         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2084         https://bugs.webkit.org/show_bug.cgi?id=190836
2085
2086         Reviewed by Saam Barati.
2087
2088         * stress/big-int-out-of-memory-tests.js: Added.
2089
2090 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2091
2092         U+180E is no longer a whitespace character
2093         https://bugs.webkit.org/show_bug.cgi?id=191415
2094
2095         Reviewed by Saam Barati.
2096
2097         * ChakraCore/test/es5/regexSpace.baseline:
2098         * ChakraCore/test/es6/unicode_whitespace.js:
2099         Update tests to latest version.
2100         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2101
2102         * test262.yaml:
2103         * test262/config.yaml:
2104         * test262/expectations.yaml:
2105         Update expectations.
2106
2107 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2108
2109         [BigInt] Add support to BigInt into ValueAdd
2110         https://bugs.webkit.org/show_bug.cgi?id=186177
2111
2112         Reviewed by Keith Miller.
2113
2114         * stress/big-int-negate-jit.js:
2115         * stress/value-add-big-int-and-string.js: Added.
2116         * stress/value-add-big-int-prediction-propagation.js: Added.
2117         * stress/value-add-big-int-untyped.js: Added.
2118
2119 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2120
2121         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2122         https://bugs.webkit.org/show_bug.cgi?id=191184
2123
2124         Reviewed by Saam Barati.
2125
2126         Most tests were failing due to timeouts, since they are too slow to
2127         run on CLoop. The exceptions are:
2128
2129         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2130         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2131         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2132         to change the stack size since CLoop requires it to be page aligned.
2133
2134         * microbenchmarks/array-push-1.js:
2135         * microbenchmarks/array-push-2.js:
2136         * microbenchmarks/elidable-new-object-dag.js:
2137         * microbenchmarks/elidable-new-object-roflcopter.js:
2138         * microbenchmarks/elidable-new-object-tree.js:
2139         * microbenchmarks/getter-richards.js:
2140         * microbenchmarks/sinkable-new-object-dag.js:
2141         * microbenchmarks/string-concat-long-convert.js:
2142         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2143         * slowMicrobenchmarks/array-push-3.js:
2144         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2145         * slowMicrobenchmarks/spread-small-array.js:
2146         * slowMicrobenchmarks/undefined-property-access.js:
2147         * stress/activation-sink-default-value-tdz-error.js:
2148         * stress/activation-sink-default-value.js:
2149         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2150         * stress/activation-sink-osrexit-default-value.js:
2151         * stress/activation-sink-osrexit.js:
2152         * stress/activation-sink.js:
2153         * stress/allow-math-ic-b3-code-duplication.js:
2154         * stress/array-push-multiple-int32.js:
2155         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2156         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2157         * stress/arrowfunction-lexical-this-activation-sink.js:
2158         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2159         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2160         * stress/elide-new-object-dag-then-exit.js:
2161         * stress/materialize-regexp-cyclic.js:
2162         * stress/new-regex-inline.js:
2163         * stress/op_add.js:
2164         * stress/op_bitand.js:
2165         * stress/op_bitor.js:
2166         * stress/op_bitxor.js:
2167         * stress/op_div-ConstVar.js:
2168         * stress/op_div-VarConst.js:
2169         * stress/op_div-VarVar.js:
2170         * stress/op_lshift-ConstVar.js:
2171         * stress/op_lshift-VarConst.js:
2172         * stress/op_lshift-VarVar.js:
2173         * stress/op_mod-ConstVar.js:
2174         * stress/op_mod-VarConst.js:
2175         * stress/op_mod-VarVar.js:
2176         * stress/op_mul-ConstVar.js:
2177         * stress/op_mul-VarConst.js:
2178         * stress/op_mul-VarVar.js:
2179         * stress/op_rshift-ConstVar.js:
2180         * stress/op_rshift-VarConst.js:
2181         * stress/op_rshift-VarVar.js:
2182         * stress/op_sub-ConstVar.js:
2183         * stress/op_sub-VarConst.js:
2184         * stress/op_sub-VarVar.js:
2185         * stress/op_urshift-ConstVar.js:
2186         * stress/op_urshift-VarConst.js:
2187         * stress/op_urshift-VarVar.js:
2188         * stress/proxy-get-set-correct-receiver.js:
2189         * stress/regress-179562.js:
2190         * stress/rest-parameter-many-arguments.js:
2191         * stress/sampling-profiler-richards.js:
2192         * stress/splay-flash-access-1ms.js:
2193         * stress/tailCallForwardArguments.js:
2194         * stress/typed-array-get-by-val-profiling.js:
2195         * typeProfiler/getter-richards.js:
2196
2197 2018-11-06  Michael Saboff  <msaboff@apple.com>
2198
2199         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2200         https://bugs.webkit.org/show_bug.cgi?id=191271
2201
2202         Reviewed by Saam Barati.
2203
2204         Added more test cases and made all test cases run with the same deeply recursive stack
2205         instead of finding that same point for each test case.
2206
2207         * stress/regexp-compile-oom.js:
2208         (prototype.runTest):
2209         (recurseAndTest):
2210         (testList.push.new.TestAndExpectedException):
2211
2212 2018-11-05  Michael Saboff  <msaboff@apple.com>
2213
2214         Unreviewed build fix for linux.
2215
2216         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2217
2218 2018-11-02  Michael Saboff  <msaboff@apple.com>
2219
2220         Rolling in r237753 with unreviewed build fix.
2221
2222         Fixed issues with DECLARE_THROW_SCOPE placement.
2223
2224 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2225
2226         Unreviewed, rolling out r237753.
2227
2228         Introduced JSC test failures
2229
2230         Reverted changeset:
2231
2232         "Running out of stack space not properly handled in
2233         RegExp::compile() and its callers"
2234         https://bugs.webkit.org/show_bug.cgi?id=191206
2235         https://trac.webkit.org/changeset/237753
2236
2237 2018-11-02  Michael Saboff  <msaboff@apple.com>
2238
2239         Running out of stack space not properly handled in RegExp::compile() and its callers
2240         https://bugs.webkit.org/show_bug.cgi?id=191206
2241
2242         Reviewed by Filip Pizlo.
2243
2244         New regression test.
2245
2246         * stress/regexp-compile-oom.js: Added.
2247         (recurseAndTest):
2248
2249 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2250
2251         Skip tests on arm/mips that time out now we're running on CLoop
2252
2253         Unreviewed gardening.
2254
2255         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2256         time out on the bots and need to be disabled. There's more tests
2257         disabled on arm because the timeout is longer on the mips bot (as the
2258         device is slower to start with), so many of the tests don't time out
2259         there.
2260
2261         * microbenchmarks/getter-richards.js: disable on arm and mips.
2262         * stress/op_add.js: disable on arm.
2263         * stress/op_bitand.js: disable on arm.
2264         * stress/op_bitor.js: disable on arm.
2265         * stress/op_bitxor.js: disable on arm.
2266         * stress/op_lshift-ConstVar.js: disable on arm.
2267         * stress/op_lshift-VarConst.js: disable on arm.
2268         * stress/op_lshift-VarVar.js: disable on arm.
2269         * stress/op_mod-ConstVar.js: disable on arm.
2270         * stress/op_mod-VarConst.js: disable on arm.
2271         * stress/op_mod-VarVar.js: disable on arm.
2272         * stress/op_mul-ConstVar.js: disable on arm.
2273         * stress/op_mul-VarConst.js: disable on arm.
2274         * stress/op_mul-VarVar.js: disable on arm.
2275         * stress/op_rshift-ConstVar.js: disable on arm.
2276         * stress/op_rshift-VarConst.js: disable on arm.
2277         * stress/op_rshift-VarVar.js: disable on arm.
2278         * stress/op_sub-ConstVar.js: disable on arm.
2279         * stress/op_sub-VarConst.js: disable on arm.
2280         * stress/op_sub-VarVar.js: disable on arm.
2281         * stress/op_urshift-ConstVar.js: disable on arm.
2282         * stress/op_urshift-VarConst.js: disable on arm.
2283         * stress/op_urshift-VarVar.js: disable on arm.
2284         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2285         * stress/value-to-boolean.js: disable on arm and mips.
2286
2287 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2288
2289         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2290         https://bugs.webkit.org/show_bug.cgi?id=191108
2291         <rdar://problem/45690700>
2292
2293         Reviewed by Saam Barati.
2294
2295         * stress/wide-op_catch.js: Added.
2296         (catch):
2297
2298 2018-10-29  Mark Lam  <mark.lam@apple.com>
2299
2300         Correctly detect string overflow when using the 'Function' constructor.
2301         https://bugs.webkit.org/show_bug.cgi?id=184883
2302         <rdar://problem/36320331>
2303
2304         Reviewed by Saam Barati.
2305
2306         I've verified that this passes on 32-bit as well.
2307
2308         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2309
2310 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2311
2312         Add support for GetStack FlushedDouble
2313         https://bugs.webkit.org/show_bug.cgi?id=191012
2314         <rdar://problem/45265141>
2315
2316         Reviewed by Saam Barati.
2317
2318         * stress/get-stack-double.js: Added.
2319         (bar):
2320         (noInline):
2321
2322 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2323
2324         New bytecode format for JSC
2325         https://bugs.webkit.org/show_bug.cgi?id=187373
2326         <rdar://problem/44186758>
2327
2328         Reviewed by Filip Pizlo.
2329
2330         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2331
2332         * stress/maximum-inline-capacity.js: Added.
2333         (test1):
2334         (test3.Foo):
2335         (test3):
2336
2337 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2338
2339         Unreviewed, rolling out r237479 and r237484.
2340         https://bugs.webkit.org/show_bug.cgi?id=190978
2341
2342         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2343
2344         Reverted changesets:
2345
2346         "New bytecode format for JSC"
2347         https://bugs.webkit.org/show_bug.cgi?id=187373
2348         https://trac.webkit.org/changeset/237479
2349
2350         "Gardening: Build fix after r237479."
2351         https://bugs.webkit.org/show_bug.cgi?id=187373
2352         https://trac.webkit.org/changeset/237484
2353
2354 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2355
2356         New bytecode format for JSC
2357         https://bugs.webkit.org/show_bug.cgi?id=187373
2358         <rdar://problem/44186758>
2359
2360         Reviewed by Filip Pizlo.
2361
2362         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2363
2364         * stress/maximum-inline-capacity.js: Added.
2365         (test1):
2366         (test3.Foo):
2367         (test3):
2368
2369 2018-10-26  Mark Lam  <mark.lam@apple.com>
2370
2371         Fix missing edge cases with JSGlobalObjects having a bad time.
2372         https://bugs.webkit.org/show_bug.cgi?id=189028
2373         <rdar://problem/45204939>
2374
2375         Reviewed by Saam Barati.
2376
2377         * stress/regress-189028.js: Added.
2378
2379 2018-10-22  Mark Lam  <mark.lam@apple.com>
2380
2381         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2382         https://bugs.webkit.org/show_bug.cgi?id=190515
2383         <rdar://problem/45222379>
2384
2385         Rubber-stamped by Saam Barati.
2386
2387         Adding another test.
2388
2389         * stress/regress-190515-2.js: Added.
2390
2391 2018-10-22  Mark Lam  <mark.lam@apple.com>
2392
2393         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2394         https://bugs.webkit.org/show_bug.cgi?id=190515
2395         <rdar://problem/45222379>
2396
2397         Reviewed by Saam Barati.
2398
2399         * stress/regress-190515.js: Added.
2400
2401 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2402
2403         Unreviewed, rolling out r237254.
2404         https://bugs.webkit.org/show_bug.cgi?id=190760
2405
2406         "It regresses JetStream 2 by 5% on some iOS devices"
2407         (Requested by saamyjoon on #webkit).
2408
2409         Reverted changeset:
2410
2411         "[JSC] JSC should have "parseFunction" to optimize Function
2412         constructor"
2413         https://bugs.webkit.org/show_bug.cgi?id=190340
2414         https://trac.webkit.org/changeset/237254
2415
2416 2018-10-19  Saam Barati  <sbarati@apple.com>
2417
2418         vmCall should check if we exit before emitting an OSR exit due to exceptions
2419         https://bugs.webkit.org/show_bug.cgi?id=190740
2420         <rdar://problem/45220139>
2421
2422         Reviewed by Mark Lam.
2423
2424         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2425         (foo):
2426
2427 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2428
2429         [ESNext][BigInt] Implement support for "^"
2430         https://bugs.webkit.org/show_bug.cgi?id=186235
2431
2432         Reviewed by Yusuke Suzuki.
2433
2434         * stress/big-int-bitwise-xor-general.js: Added.
2435         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2436         * stress/big-int-bitwise-xor-type-error.js: Added.
2437         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2438
2439 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2440
2441         [BigInt] Add ValueSub into DFG
2442         https://bugs.webkit.org/show_bug.cgi?id=186176
2443
2444         Reviewed by Yusuke Suzuki.
2445
2446         * stress/big-int-subtraction-jit.js:
2447         * stress/value-sub-big-int-prediction-propagation.js: Added.
2448         * stress/value-sub-big-int-untyped.js: Added.
2449         * stress/value-sub-spec-none-case.js: Added.
2450
2451 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2452
2453         [JSC] JSC should have "parseFunction" to optimize Function constructor
2454         https://bugs.webkit.org/show_bug.cgi?id=190340
2455
2456         Reviewed by Mark Lam.
2457
2458         This patch fixes the line number of syntax errors raised by the Function constructor,
2459         since we now parse the final code only once. And we no longer use block statement
2460         for Function constructor's parsing.
2461
2462         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2463         * stress/function-cache-with-parameters-end-position.js: Added.
2464         (shouldBe):
2465         (shouldThrow):
2466         (i.anonymous):
2467         * stress/function-constructor-name.js: Added.
2468         (shouldBe):
2469         (GeneratorFunction):
2470         (AsyncFunction.async):
2471         (AsyncGeneratorFunction.async):
2472         (anonymous):
2473         (async.anonymous):
2474         * test262/expectations.yaml:
2475
2476 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2477
2478         Unreviewed, rolling out r237242.
2479         https://bugs.webkit.org/show_bug.cgi?id=190701
2480
2481         it breaks "stress/sampling-profiler-basic.js" (Requested by
2482         caiolima on #webkit).
2483
2484         Reverted changeset:
2485
2486         "[BigInt] Add ValueSub into DFG"
2487         https://bugs.webkit.org/show_bug.cgi?id=186176
2488         https://trac.webkit.org/changeset/237242
2489
2490 2018-10-17  Keith Miller  <keith_miller@apple.com>
2491
2492         AI does not clear Phantom allocation nodes.
2493         https://bugs.webkit.org/show_bug.cgi?id=190694
2494
2495         Reviewed by Saam Barati.
2496
2497         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2498         (Day):
2499         (DaysInYear):
2500         (TimeInYear):
2501         (TimeFromYear):
2502         (DayFromYear):
2503         (InLeapYear):
2504         (YearFromTime):
2505         (WeekDay):
2506         (DaylightSavingTA):
2507         (GetSecondSundayInMarch):
2508         (TimeInMonth):
2509
2510 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2511
2512         [BigInt] Add ValueSub into DFG
2513         https://bugs.webkit.org/show_bug.cgi?id=186176
2514
2515         Reviewed by Yusuke Suzuki.
2516
2517         * stress/big-int-subtraction-jit.js:
2518         * stress/value-sub-big-int-prediction-propagation.js: Added.
2519         * stress/value-sub-big-int-untyped.js: Added.
2520
2521 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2522
2523         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2524         https://bugs.webkit.org/show_bug.cgi?id=190611
2525
2526         Reviewed by Saam Barati.
2527
2528         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2529         to improve test runtime. On ARM/MIPS this test even timed out when running all
2530         tests.
2531
2532         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2533         (test):
2534
2535 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2536
2537         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2538
2539         Unreviewed gardening.
2540
2541         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2542
2543 2018-10-15  Saam barati  <sbarati@apple.com>
2544
2545         Emit fjcvtzs on ARM64E on Darwin
2546         https://bugs.webkit.org/show_bug.cgi?id=184023
2547
2548         Reviewed by Yusuke Suzuki and Filip Pizlo.
2549
2550         * stress/double-to-int32-NaN.js: Added.
2551         (assert):
2552         (foo):
2553
2554 2018-10-15  Saam Barati  <sbarati@apple.com>
2555
2556         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2557         https://bugs.webkit.org/show_bug.cgi?id=190262
2558         <rdar://problem/44986241>
2559
2560         Reviewed by Mark Lam.
2561
2562         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2563         (test):
2564         * stress/slice-array-storage-with-holes.js: Added.
2565         (main):
2566
2567 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2568
2569         Unreviewed, rolling out r237054.
2570         https://bugs.webkit.org/show_bug.cgi?id=190593
2571
2572         "this regressed JetStream 2 by 6% on iOS" (Requested by
2573         saamyjoon on #webkit).
2574
2575         Reverted changeset:
2576
2577         "[JSC] JSC should have "parseFunction" to optimize Function
2578         constructor"
2579         https://bugs.webkit.org/show_bug.cgi?id=190340
2580         https://trac.webkit.org/changeset/237054
2581
2582 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2583
2584         [JSC] JSON.stringify can accept call-with-no-arguments
2585         https://bugs.webkit.org/show_bug.cgi?id=190343
2586
2587         Reviewed by Mark Lam.
2588
2589         * stress/json-stringify-no-arguments.js: Added.
2590         (shouldBe):
2591
2592 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2593
2594         [JSC] JSC should have "parseFunction" to optimize Function constructor
2595         https://bugs.webkit.org/show_bug.cgi?id=190340
2596
2597         Reviewed by Mark Lam.
2598
2599         This patch fixes the line number of syntax errors raised by the Function constructor,
2600         since we now parse the final code only once. And we no longer use block statement
2601         for Function constructor's parsing.
2602
2603         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2604         * stress/function-cache-with-parameters-end-position.js: Added.
2605         (shouldBe):
2606         (shouldThrow):
2607         (i.anonymous):
2608         * stress/function-constructor-name.js: Added.
2609         (shouldBe):
2610         (GeneratorFunction):
2611         (AsyncFunction.async):
2612         (AsyncGeneratorFunction.async):
2613         (anonymous):
2614         (async.anonymous):
2615         * test262/expectations.yaml:
2616
2617 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2618
2619         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2620         https://bugs.webkit.org/show_bug.cgi?id=190426
2621
2622         Unreviewed gardening.
2623
2624         * stress/sampling-profiler-richards.js:
2625
2626 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2627
2628         [ESNext][BigInt] Implement support for "|"
2629         https://bugs.webkit.org/show_bug.cgi?id=186229
2630
2631         Reviewed by Yusuke Suzuki.
2632
2633         * stress/big-int-bitwise-and-jit.js:
2634         * stress/big-int-bitwise-or-general.js: Added.
2635         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2636         * stress/big-int-bitwise-or-jit.js: Added.
2637         * stress/big-int-bitwise-or-memory-stress.js: Added.
2638         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2639         * stress/big-int-bitwise-or-type-error.js: Added.
2640         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2641
2642 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2643
2644         Skip test on systems with limited memory
2645         https://bugs.webkit.org/show_bug.cgi?id=190310
2646
2647         Invoking runDefault adds test to runlist; skipping the test in the next
2648         line does not prevent the test from executing. Change order of lines such
2649         that runDefault is only executed if test is not executed.
2650
2651         Reviewed by Mark Lam.
2652
2653         * stress/regress-190187.js:
2654
2655 2018-10-03  Saam barati  <sbarati@apple.com>
2656
2657         lowXYZ in FTLLower should always filter the type of the incoming edge
2658         https://bugs.webkit.org/show_bug.cgi?id=189939
2659         <rdar://problem/44407030>
2660
2661         Reviewed by Michael Saboff.
2662
2663         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2664         (foo):
2665         (test):
2666
2667 2018-10-03  Mark Lam  <mark.lam@apple.com>
2668
2669         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2670         https://bugs.webkit.org/show_bug.cgi?id=190187
2671         <rdar://problem/42512909>
2672
2673         Reviewed by Michael Saboff.
2674
2675         * stress/regress-190187.js: Added.
2676
2677 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2678
2679         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2680         https://bugs.webkit.org/show_bug.cgi?id=190033
2681
2682         Reviewed by Yusuke Suzuki.
2683
2684         * stress/big-int-to-string.js:
2685
2686 2018-10-01  Mark Lam  <mark.lam@apple.com>
2687
2688         Function.toString() should also copy the source code Functions that are class definitions.
2689         https://bugs.webkit.org/show_bug.cgi?id=190186
2690         <rdar://problem/44733360>
2691
2692         Reviewed by Saam Barati.
2693
2694         * stress/regress-190186.js: Added.
2695
2696 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2697
2698         Split NaN-check into separate test
2699         https://bugs.webkit.org/show_bug.cgi?id=190010
2700
2701         Reviewed by Saam Barati.
2702
2703         DataView exposes NaN-representation, which is not necessarily the same on each
2704         architecture. Therefore move the check of the NaN-representation into its own
2705         file such that we can disable this test on MIPS where NaN-representation can be
2706         different on older CPUs.
2707
2708         * stress/dataview-jit-set-nan.js: Added.
2709         (assert):
2710         (test.storeLittleEndian):
2711         (test.storeBigEndian):
2712         (test.store):
2713         (test):
2714         * stress/dataview-jit-set.js:
2715         (test5):
2716
2717 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2718
2719         Unreviewed, rolling out r236647.
2720         https://bugs.webkit.org/show_bug.cgi?id=190124
2721
2722         Breaking test stress/big-int-to-string.js (Requested by
2723         caiolima_ on #webkit).
2724
2725         Reverted changeset:
2726
2727         "[BigInt] BigInt.prototype.toString is broken when radix is
2728         power of 2"
2729         https://bugs.webkit.org/show_bug.cgi?id=190033
2730         https://trac.webkit.org/changeset/236647
2731
2732 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2733
2734         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2735         https://bugs.webkit.org/show_bug.cgi?id=190033
2736
2737         Reviewed by Yusuke Suzuki.
2738
2739         * stress/big-int-to-string.js:
2740
2741 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2742
2743         [ESNext][BigInt] Implement support for "&"
2744         https://bugs.webkit.org/show_bug.cgi?id=186228
2745
2746         Reviewed by Yusuke Suzuki.
2747
2748         * stress/big-int-bitwise-and-general.js: Added.
2749         (assert):
2750         (assert.sameValue):
2751         * stress/big-int-bitwise-and-jit.js: Added.
2752         (let.assert.sameValue):
2753         (bigIntBitAnd):
2754         * stress/big-int-bitwise-and-memory-stress.js: Added.
2755         (assert):
2756         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2757         (assert.sameValue):
2758         (let.o.Symbol.toPrimitive):
2759         (catch):
2760         * stress/big-int-bitwise-and-type-error.js: Added.
2761         (assert):
2762         (assertThrowTypeError):
2763         (let.o.valueOf):
2764         (o.valueOf):
2765         (o.toString):
2766         (o.Symbol.toPrimitive):
2767         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2768         (assert.sameValue):
2769         (testBitAnd):
2770         (let.o.Symbol.toPrimitive):
2771         (o.valueOf):
2772         (o.toString):
2773
2774 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2775
2776         JSC test stress/jsc-read.js doesn't support CRLF
2777         https://bugs.webkit.org/show_bug.cgi?id=190063
2778
2779         Reviewed by Yusuke Suzuki.
2780
2781         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2782
2783         * stress/jsc-read.js:
2784         (test):
2785
2786 2018-09-27  Saam barati  <sbarati@apple.com>
2787
2788         Verify the contents of AssemblerBuffer on arm64e
2789         https://bugs.webkit.org/show_bug.cgi?id=190057
2790         <rdar://problem/38916630>
2791
2792         Reviewed by Mark Lam.
2793
2794         * stress/regress-189132.js:
2795
2796 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2797
2798         Disable test without LLInt on ARMv7
2799         https://bugs.webkit.org/show_bug.cgi?id=190037
2800
2801         Reviewed by Mark Lam.
2802
2803         Test runs out of executable memory on ARMv7; do not run
2804         this test without LLInt enabled.
2805
2806         * stress/regress-169445.js:
2807
2808 2018-09-26  Keith Miller  <keith_miller@apple.com>
2809
2810         We should zero unused property storage when rebalancing array storage.
2811         https://bugs.webkit.org/show_bug.cgi?id=188151
2812
2813         Reviewed by Michael Saboff.
2814
2815         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2816
2817 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2818
2819         [JSC] Optimize Array#lastIndexOf
2820         https://bugs.webkit.org/show_bug.cgi?id=189780
2821
2822         Reviewed by Saam Barati.
2823
2824         * stress/array-lastindexof-array-prototype-trap.js: Added.
2825         (shouldBe):
2826         (AncestorArray.prototype.get 2):
2827         (AncestorArray):
2828         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2829         (shouldBe):
2830         * stress/array-lastindexof-hole-nan.js: Added.
2831         (shouldBe):
2832         (throw.new.Error):
2833         * stress/array-lastindexof-infinity.js: Added.
2834         (shouldBe):
2835         (throw.new.Error):
2836         * stress/array-lastindexof-negative-zero.js: Added.
2837         (shouldBe):
2838         (throw.new.Error):
2839         * stress/array-lastindexof-own-getter.js: Added.
2840         (shouldBe):
2841         (throw.new.Error.get array):
2842         (get array):
2843         * stress/array-lastindexof-prototype-trap.js: Added.
2844         (shouldBe):
2845         (DerivedArray.prototype.get 2):
2846         (DerivedArray):
2847
2848 2018-09-25  Saam Barati  <sbarati@apple.com>
2849
2850         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2851         https://bugs.webkit.org/show_bug.cgi?id=189940
2852         <rdar://problem/43640987>
2853
2854         Reviewed by Mark Lam.
2855
2856         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2857
2858 2018-09-24  Saam Barati  <sbarati@apple.com>
2859
2860         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2861         https://bugs.webkit.org/show_bug.cgi?id=189922
2862         <rdar://problem/44651275>
2863
2864         Reviewed by Mark Lam.
2865
2866         * stress/array-indexof-fast-path-effects.js: Added.
2867         * stress/array-indexof-cached-length.js: Added.
2868
2869 2018-09-24  Saam barati  <sbarati@apple.com>
2870
2871         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2872         https://bugs.webkit.org/show_bug.cgi?id=189682
2873         <rdar://problem/43557315>
2874
2875         Reviewed by Mark Lam.
2876
2877         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2878         (foo):
2879
2880 2018-09-22  Saam barati  <sbarati@apple.com>
2881
2882         The sampling should not use Strong<CodeBlock> in its machineLocation field
2883         https://bugs.webkit.org/show_bug.cgi?id=189319
2884
2885         Reviewed by Filip Pizlo.
2886
2887         * stress/sampling-profiler-richards.js: Added.
2888
2889 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2890
2891         [JSC] Optimize Array#indexOf in C++ runtime
2892         https://bugs.webkit.org/show_bug.cgi?id=189507
2893
2894         Reviewed by Saam Barati.
2895
2896         * stress/array-indexof-array-prototype-trap.js: Added.
2897         (shouldBe):
2898         (AncestorArray.prototype.get 2):
2899         (AncestorArray):
2900         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2901         (shouldBe):
2902         * stress/array-indexof-hole-nan.js: Added.
2903         (shouldBe):
2904         (throw.new.Error):
2905         * stress/array-indexof-infinity.js: Added.
2906         (shouldBe):
2907         (throw.new.Error):
2908         * stress/array-indexof-negative-zero.js: Added.
2909         (shouldBe):
2910         (throw.new.Error):
2911         * stress/array-indexof-own-getter.js: Added.
2912         (shouldBe):
2913         (throw.new.Error.get array):
2914         (get array):
2915         * stress/array-indexof-prototype-trap.js: Added.
2916         (shouldBe):
2917         (DerivedArray.prototype.get 2):
2918         (DerivedArray):
2919
2920 2018-09-19  Saam barati  <sbarati@apple.com>
2921
2922         AI rule for MultiPutByOffset executes its effects in the wrong order
2923         https://bugs.webkit.org/show_bug.cgi?id=189757
2924         <rdar://problem/43535257>
2925
2926         Reviewed by Michael Saboff.
2927
2928         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2929         (foo):
2930         (Foo):
2931         (g):
2932
2933 2018-09-17  Mark Lam  <mark.lam@apple.com>
2934
2935         Ensure that ForInContexts are invalidated if their loop local is over-written.
2936         https://bugs.webkit.org/show_bug.cgi?id=189571
2937         <rdar://problem/44402277>
2938
2939         Reviewed by Saam Barati.
2940
2941         * stress/regress-189571.js: Added.
2942
2943 2018-09-17  Saam barati  <sbarati@apple.com>
2944
2945         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2946         https://bugs.webkit.org/show_bug.cgi?id=189676
2947         <rdar://problem/39682897>
2948
2949         Reviewed by Michael Saboff.
2950
2951         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2952         (A):
2953         (K):
2954         (i.catch):
2955
2956 2018-09-14  Saam barati  <sbarati@apple.com>
2957
2958         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2959         https://bugs.webkit.org/show_bug.cgi?id=189628
2960         <rdar://problem/39481690>
2961
2962         Reviewed by Mark Lam.
2963
2964         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2965         (foo):
2966
2967 2018-09-11  Mark Lam  <mark.lam@apple.com>
2968
2969         Test for array initialization in arrayProtoFuncSplice.
2970         https://bugs.webkit.org/show_bug.cgi?id=170253
2971         <rdar://problem/31328773>
2972
2973         Rubber-stamped by Saam Barati.
2974
2975         * stress/regress-170253.js: Added.
2976
2977 2018-09-11  Mark Lam  <mark.lam@apple.com>
2978
2979         Test for IntlObject initialization.
2980         https://bugs.webkit.org/show_bug.cgi?id=170251
2981         <rdar://problem/31328419>
2982
2983         Rubber-stamped by Saam Barati.
2984
2985         * stress/regress-170251.js: Added.
2986
2987 2018-09-11  Mark Lam  <mark.lam@apple.com>
2988
2989         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2990         https://bugs.webkit.org/show_bug.cgi?id=169889
2991         <rdar://problem/31155607>
2992
2993         Reviewed by Saam Barati.
2994
2995         * stress/regress-169889-array-concat.js: Added.
2996         * stress/regress-169889-array-concat1.js: Added.
2997         * stress/regress-169889-array-slice.js: Added.
2998
2999 2018-09-11  Mark Lam  <mark.lam@apple.com>
3000
3001         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3002         https://bugs.webkit.org/show_bug.cgi?id=169445
3003         <rdar://problem/30957435>
3004
3005         Reviewed by Saam Barati.
3006
3007         * stress/regress-169445.js: Added.
3008         (let.gun.eval.A):
3009         (let.gun.eval.B.C):
3010         (let.gun.eval.B.C.prototype.trigger):
3011         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3012         (let.gun.eval.B):
3013         (let.gun.eval):
3014
3015 == Rolled over to ChangeLog-2018-09-11 ==