Rolling out r243032 and r243071 because the fix is incorrect.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-23  Mark Lam  <mark.lam@apple.com>
2
3         Rolling out r243032 and r243071 because the fix is incorrect.
4         https://bugs.webkit.org/show_bug.cgi?id=195892
5         <rdar://problem/48981239>
6
7         Not reviewed.
8
9         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
10
11 2019-03-22  Mark Lam  <mark.lam@apple.com>
12
13         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
14         https://bugs.webkit.org/show_bug.cgi?id=196154
15         <rdar://problem/49145307>
16
17         Reviewed by Filip Pizlo.
18
19         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
20         There's no need to run this test on more than 1 test configuration.
21
22         * stress/typed-array-lastIndexOf-exception-check.js: Added.
23         * stress/web-assembly-link-error-exception-check.js:
24
25 2019-03-22  Mark Lam  <mark.lam@apple.com>
26
27         Placate exception check validation in constructJSWebAssemblyLinkError().
28         https://bugs.webkit.org/show_bug.cgi?id=196152
29         <rdar://problem/49145257>
30
31         Reviewed by Michael Saboff.
32
33         * stress/web-assembly-link-error-exception-check.js: Added.
34
35 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
36
37         Skip tests running out of memory on ARM/MIPS
38         https://bugs.webkit.org/show_bug.cgi?id=196131
39
40         Unreviewed. Skip test if memory is limited.
41
42         * microbenchmarks/put-by-val-direct-large-index.js:
43
44 2019-03-21  Mark Lam  <mark.lam@apple.com>
45
46         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
47         https://bugs.webkit.org/show_bug.cgi?id=196116
48         <rdar://problem/48976951>
49
50         Reviewed by Filip Pizlo.
51
52         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
53
54 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
55
56         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
57         https://bugs.webkit.org/show_bug.cgi?id=196078
58         <rdar://problem/35925380>
59
60         Reviewed by Mark Lam.
61
62         Add a new benchmark that allocates several objects and invokes put_by_val_direct
63         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
64
65         * microbenchmarks/put-by-val-direct-large-index.js: Added.
66
67 2019-03-21  Mark Lam  <mark.lam@apple.com>
68
69         Placate exception check validation in operationArrayIndexOfString().
70         https://bugs.webkit.org/show_bug.cgi?id=196067
71         <rdar://problem/49056572>
72
73         Reviewed by Michael Saboff.
74
75         * stress/string-equal-exception-check.js: Added.
76
77 2019-03-21  Mark Lam  <mark.lam@apple.com>
78
79         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
80         https://bugs.webkit.org/show_bug.cgi?id=196055
81         <rdar://problem/49067448>
82
83         Reviewed by Yusuke Suzuki.
84
85         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
86
87 2019-03-20  Saam Barati  <sbarati@apple.com>
88
89         typeOfDoubleSum is wrong for when NaN can be produced
90         https://bugs.webkit.org/show_bug.cgi?id=196030
91
92         Reviewed by Filip Pizlo.
93
94         * stress/double-add-sub-mul-can-produce-nan.js: Added.
95         (assert):
96         (noInline.sub):
97         (noInline):
98         (assert.mul):
99         (assert.add):
100
101 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
102
103         Update the test to ensure OutOfMemoryError is thrown as intended
104         https://bugs.webkit.org/show_bug.cgi?id=196032
105         <rdar://problem/46842740>
106
107         Rubber stamped by Saam Barati.
108
109         * stress/create-error-out-of-memory-rope-string.js:
110         (assert):
111         (catch):
112
113 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
114
115         JSC::createError needs to check for OOM in errorDescriptionForValue
116         https://bugs.webkit.org/show_bug.cgi?id=196032
117         <rdar://problem/46842740>
118
119         Reviewed by Mark Lam.
120
121         * stress/create-error-out-of-memory-rope-string.js: Added.
122
123 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
124
125         Unreviewed, reduce # of iterations to avoid timing out after r242991
126         https://bugs.webkit.org/show_bug.cgi?id=195791
127
128         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
129
130         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
131
132 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
133
134         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
135         https://bugs.webkit.org/show_bug.cgi?id=195950
136
137         Unreviewed, reducing the amount of memory used on this test to avoid
138         OOM on devices with memory restrictions.
139
140         * microbenchmarks/generate-multiple-llint-entrypoints.js:
141
142 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
143
144         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
145         https://bugs.webkit.org/show_bug.cgi?id=194648
146
147         Reviewed by Keith Miller.
148
149         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
150
151 2019-03-18  Mark Lam  <mark.lam@apple.com>
152
153         Missing a ThrowScope release in JSObject::toString().
154         https://bugs.webkit.org/show_bug.cgi?id=195893
155         <rdar://problem/48970986>
156
157         Reviewed by Michael Saboff.
158
159         * stress/to-string-exception-check-release.js: Added.
160
161 2019-03-18  Mark Lam  <mark.lam@apple.com>
162
163         Structure::flattenDictionary() should clear unused property slots.
164         https://bugs.webkit.org/show_bug.cgi?id=195871
165         <rdar://problem/48959497>
166
167         Reviewed by Michael Saboff.
168
169         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
170
171 2019-03-15  Mark Lam  <mark.lam@apple.com>
172
173         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
174         https://bugs.webkit.org/show_bug.cgi?id=195827
175         <rdar://problem/48845513>
176
177         Reviewed by Filip Pizlo.
178
179         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
180
181 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
182
183         [ARM,MIPS] Skip slow tests
184         https://bugs.webkit.org/show_bug.cgi?id=195799
185
186         Unreviewed, test does not finish on ARM and MIPS within the
187         timeout limit.
188
189         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
190
191 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
192
193         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
194         https://bugs.webkit.org/show_bug.cgi?id=195791
195         <rdar://problem/48806130>
196
197         Reviewed by Mark Lam.
198
199         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
200         (foo):
201
202 2019-03-14  Saam barati  <sbarati@apple.com>
203
204         We can't remove code after ForceOSRExit until after FixupPhase
205         https://bugs.webkit.org/show_bug.cgi?id=186916
206         <rdar://problem/41396612>
207
208         Reviewed by Yusuke Suzuki.
209
210         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
211         (foo):
212         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
213         (foo):
214
215 2019-03-13  Michael Saboff  <msaboff@apple.com>
216
217         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
218         https://bugs.webkit.org/show_bug.cgi?id=195735
219
220         Reviewed by Mark Lam.
221
222         New regression test.
223
224         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
225         (foo):
226         (bar):
227
228 2019-03-14  Saam barati  <sbarati@apple.com>
229
230         Fixup uses KnownInt32 incorrectly in some nodes
231         https://bugs.webkit.org/show_bug.cgi?id=195279
232         <rdar://problem/47915654>
233
234         Reviewed by Yusuke Suzuki.
235
236         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
237         (foo):
238
239 2019-03-14  Keith Miller  <keith_miller@apple.com>
240
241         DFG liveness can't skip tail caller inline frames
242         https://bugs.webkit.org/show_bug.cgi?id=195715
243
244         Reviewed by Saam Barati.
245
246         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
247         (i.foo):
248
249 2019-03-13  Mark Lam  <mark.lam@apple.com>
250
251         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
252         https://bugs.webkit.org/show_bug.cgi?id=195415
253
254         Not reviewed.
255
256         Changed these tests to only run the default configuration.
257         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
258         There's no strong need to run this test on that variant.
259
260         * stress/dfg-to-string-on-int-does-gc.js:
261         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
262
263 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
264
265         String overflow when using StringBuilder in JSC::createError
266         https://bugs.webkit.org/show_bug.cgi?id=194957
267
268         Reviewed by Mark Lam.
269
270         Add test string-overflow-createError-builder.js that overflows
271         StringBuilder in notAFunctionSourceAppender. The second new test
272         string-overflow-createError-fit.js has an error message that doesn't
273         overflow, it still failed since the String's capacity can't be doubled.
274         Run test string-overflow-createError.js only in the default
275         configuration to reduce memory consumption when running the test
276         in all configurations on multiple CPUs in parallel.
277
278         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
279         (catch):
280         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
281         (catch):
282         * stress/string-overflow-createError.js:
283
284 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
285
286         [JSC] OSR entry should respect abstract values in addition to flush formats
287         https://bugs.webkit.org/show_bug.cgi?id=195653
288
289         Reviewed by Mark Lam.
290
291         * stress/osr-entry-locals-none.js: Added.
292
293 2019-03-12  Michael Saboff  <msaboff@apple.com>
294
295         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
296         https://bugs.webkit.org/show_bug.cgi?id=195613
297
298         Reviewed by Mark Lam.
299
300         New regression test.
301
302         * stress/regexp-backref-inbounds.js: Added.
303         (testRegExp):
304
305 2019-03-12  Mark Lam  <mark.lam@apple.com>
306
307         The HasIndexedProperty node does GC.
308         https://bugs.webkit.org/show_bug.cgi?id=195559
309         <rdar://problem/48767923>
310
311         Reviewed by Yusuke Suzuki.
312
313         * stress/HasIndexedProperty-does-gc.js: Added.
314
315 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
316
317         [ESNext][BigInt] Implement "~" unary operation
318         https://bugs.webkit.org/show_bug.cgi?id=182216
319
320         Reviewed by Keith Miller.
321
322         * stress/big-int-bit-not-general.js: Added.
323         * stress/big-int-bitwise-not-jit.js: Added.
324         * stress/big-int-bitwise-not-wrapped-value.js: Added.
325         * stress/bit-op-with-object-returning-int32.js:
326         * stress/bitwise-not-fixup-rules.js: Added.
327         * stress/value-bit-not-ai-rule.js: Added.
328
329 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
330
331         Invalid flags in a RegExp literal should be an early SyntaxError
332         https://bugs.webkit.org/show_bug.cgi?id=195514
333
334         Reviewed by Darin Adler.
335
336         * test262/expectations.yaml:
337         Mark 4 test cases as passing.
338
339         * stress/regexp-syntax-error-invalid-flags.js:
340         * stress/regress-161995.js: Removed.
341         Update existing test, merging in an older test for the same behavior.
342
343 2019-03-08  Mark Lam  <mark.lam@apple.com>
344
345         Stack overflow crash in JSC::JSObject::hasInstance.
346         https://bugs.webkit.org/show_bug.cgi?id=195458
347         <rdar://problem/48710195>
348
349         Reviewed by Yusuke Suzuki.
350
351         * stress/stack-overflow-in-custom-hasInstance.js: Added.
352
353 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
354
355         op_check_tdz does not def its argument
356         https://bugs.webkit.org/show_bug.cgi?id=192880
357         <rdar://problem/46221598>
358
359         Reviewed by Saam Barati.
360
361         * microbenchmarks/let-for-in.js: Added.
362         (foo):
363
364 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
365
366         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
367         https://bugs.webkit.org/show_bug.cgi?id=195429
368
369         Reviewed by Saam Barati.
370
371         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
372         (foo):
373         * stress/string-from-char-code-255.js: Added.
374
375 2019-03-06  Mark Lam  <mark.lam@apple.com>
376
377         Fix incorrect handling of try-finally completion values.
378         https://bugs.webkit.org/show_bug.cgi?id=195131
379         <rdar://problem/46222079>
380
381         Reviewed by Saam Barati and Yusuke Suzuki.
382
383         Added many permutations of new test case to test-finally.js.  test-finally.js has
384         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
385         tests pass there as well.
386
387         * stress/test-finally.js:
388
389 2019-03-06  Saam Barati  <sbarati@apple.com>
390
391         Air::reportUsedRegisters must padInterference
392         https://bugs.webkit.org/show_bug.cgi?id=195303
393         <rdar://problem/48270343>
394
395         Reviewed by Keith Miller.
396
397         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
398
399 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
400
401         [JSC] AI should not propagate AbstractValue relying on constant folding phase
402         https://bugs.webkit.org/show_bug.cgi?id=195375
403
404         Reviewed by Saam Barati.
405
406         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
407         (let.array):
408
409 2019-03-05  Saam barati  <sbarati@apple.com>
410
411         op_switch_char broken for rope strings after JSRopeString layout rewrite
412         https://bugs.webkit.org/show_bug.cgi?id=195339
413         <rdar://problem/48592545>
414
415         Reviewed by Yusuke Suzuki.
416
417         * stress/switch-on-char-llint-rope.js: Added.
418
419 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
420
421         [JSC] Store bits for JSRopeString in 3 stores
422         https://bugs.webkit.org/show_bug.cgi?id=195234
423
424         Reviewed by Saam Barati.
425
426         * stress/null-rope-and-collectors.js: Added.
427
428 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
429
430         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
431         https://bugs.webkit.org/show_bug.cgi?id=195207
432
433         Unreviewed. After test runtime was reduced in r242213, test can be
434         run again on ARM/MIPS.
435
436         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
437
438 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
439
440         [JSC] sizeof(JSString) should be 16
441         https://bugs.webkit.org/show_bug.cgi?id=194375
442
443         Reviewed by Saam Barati.
444
445         * microbenchmarks/make-rope.js: Added.
446         (makeRope):
447         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
448         (returnRope.helper): Deleted.
449         (returnRope): Deleted.
450
451 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
452
453         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
454         https://bugs.webkit.org/show_bug.cgi?id=195144
455
456         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
457         Change the number from 1e8 to 1e5.
458
459         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
460         (foo):
461
462 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
463
464         Test times out on ARM/MIPS
465         https://bugs.webkit.org/show_bug.cgi?id=195168
466
467         Unreviewed. Skip test on ARM/MIPS.
468
469         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
470
471 2019-02-27  Mark Lam  <mark.lam@apple.com>
472
473         The parser is failing to record the token location of new in new.target.
474         https://bugs.webkit.org/show_bug.cgi?id=195127
475         <rdar://problem/39645578>
476
477         Reviewed by Yusuke Suzuki.
478
479         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
480
481 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
482
483         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
484         https://bugs.webkit.org/show_bug.cgi?id=195144
485         <rdar://problem/47595961>
486
487         Reviewed by Mark Lam.
488
489         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
490         (bar):
491         (foo):
492         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
493         (bar):
494         (foo):
495
496 2019-02-27  Robin Morisset  <rmorisset@apple.com>
497
498         DFG: Loop-invariant code motion (LICM) should not hoist dead code
499         https://bugs.webkit.org/show_bug.cgi?id=194945
500         <rdar://problem/48311657>
501
502         Reviewed by Mark Lam.
503
504         * stress/licm-dead-code.js: Added.
505
506 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
507
508         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
509         https://bugs.webkit.org/show_bug.cgi?id=194677
510         <rdar://problem/48112492>
511
512         Reviewed by Mark Lam.
513
514         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
515         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
516         it immediately fails due to the large size.
517
518         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
519         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
520         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
521         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
522
523         This patch changes the test to produce 16bit string from String.fromCharCode.
524
525         * stress/regress-178386.js:
526
527 2019-02-26  Mark Lam  <mark.lam@apple.com>
528
529         wasmToJS() should purify incoming NaNs.
530         https://bugs.webkit.org/show_bug.cgi?id=194807
531         <rdar://problem/48189132>
532
533         Reviewed by Saam Barati.
534
535         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
536
537 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
538
539         [JSC] Repeat string created from Array.prototype.join() take too much memory
540         https://bugs.webkit.org/show_bug.cgi?id=193912
541
542         Reviewed by Saam Barati.
543
544         Added a test and a microbenchmark for corner cases of
545         Array.prototype.join() with an uninitialized array.
546
547         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
548         * stress/array-prototype-join-uninitialized.js: Added.
549         (testArray):
550         (testABC):
551         (B):
552         (C):
553
554 2019-02-22  Robin Morisset  <rmorisset@apple.com>
555
556         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
557         https://bugs.webkit.org/show_bug.cgi?id=194953
558         <rdar://problem/47595253>
559
560         Reviewed by Saam Barati.
561
562         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
563
564         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
565
566 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
567
568         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
569         https://bugs.webkit.org/show_bug.cgi?id=172848
570         <rdar://problem/25709212>
571
572         Reviewed by Mark Lam.
573
574         * typeProfiler/inheritance.js:
575         Rewrite the test slightly for clarity. The hoisting was confusing.
576
577         * heapProfiler/class-names.js: Added.
578         (MyES5Class):
579         (MyES6Class):
580         (MyES6Subclass):
581         Test object types and improved class names.
582
583         * heapProfiler/driver/driver.js:
584         (CheapHeapSnapshotNode):
585         (CheapHeapSnapshot):
586         (createCheapHeapSnapshot):
587         (HeapSnapshot):
588         (createHeapSnapshot):
589         Update snapshot parsing from version 1 to version 2.
590
591 2019-02-19  Truitt Savell  <tsavell@apple.com>
592
593         Unreviewed, rolling out r241784.
594
595         Broke all OpenSource builds.
596
597         Reverted changeset:
598
599         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
600         instances view"
601         https://bugs.webkit.org/show_bug.cgi?id=172848
602         https://trac.webkit.org/changeset/241784
603
604 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
605
606         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
607         https://bugs.webkit.org/show_bug.cgi?id=172848
608         <rdar://problem/25709212>
609
610         Reviewed by Mark Lam.
611
612         * typeProfiler/inheritance.js:
613         Rewrite the test slightly for clarity. The hoisting was confusing.
614
615         * heapProfiler/class-names.js: Added.
616         (MyES5Class):
617         (MyES6Class):
618         (MyES6Subclass):
619         Test object types and improved class names.
620
621         * heapProfiler/driver/driver.js:
622         (CheapHeapSnapshotNode):
623         (CheapHeapSnapshot):
624         (createCheapHeapSnapshot):
625         (HeapSnapshot):
626         (createHeapSnapshot):
627         Update snapshot parsing from version 1 to version 2.
628
629 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
630
631         [ARM] Fix crash with sampling profiler
632         https://bugs.webkit.org/show_bug.cgi?id=194772
633
634         Reviewed by Mark Lam.
635
636         Do not skip test since crash with sampling profiler is now fixed.
637
638         * stress/sampling-profiler-richards.js:
639
640 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
641
642         [JSC] Add LazyClassStructure::getInitializedOnMainThread
643         https://bugs.webkit.org/show_bug.cgi?id=194784
644         <rdar://problem/48154820>
645
646         Reviewed by Mark Lam.
647
648         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
649         (getProperties):
650         (getRandomProperty):
651         (i.catch):
652
653 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
654
655         [ARM] Test gardening: Test running out of executable memory
656         https://bugs.webkit.org/show_bug.cgi?id=194771
657
658         Unreviewed. Do not run test without LLInt, test is running out of executable
659         memory on ARM otherwise.
660
661         * stress/tagged-template-object-collect.js:
662
663 2019-02-18  Tomas Popela  <tpopela@redhat.com>
664
665         Unreviewed, skip the test on platforms without sampling profiler
666
667         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
668         (platformSupportsSamplingProfiler.foo):
669         (platformSupportsSamplingProfiler.test):
670         (platformSupportsSamplingProfiler):
671         (foo): Deleted.
672         (test): Deleted.
673
674 2019-02-17  Saam Barati  <sbarati@apple.com>
675
676         Deadlock when adding a Structure property transition and then doing incremental marking
677         https://bugs.webkit.org/show_bug.cgi?id=194767
678
679         Reviewed by Mark Lam.
680
681         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
682
683 2019-02-15  Michael Saboff  <msaboff@apple.com>
684
685         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
686         https://bugs.webkit.org/show_bug.cgi?id=194558
687
688         Reviewed by Saam Barati.
689
690         New regression test.
691
692         * stress/regexp-unicode-within-string.js: Added.
693
694 2019-02-15  Mark Lam  <mark.lam@apple.com>
695
696         SamplingProfiler::stackTracesAsJSON() should escape strings.
697         https://bugs.webkit.org/show_bug.cgi?id=194649
698         <rdar://problem/48072386>
699
700         Reviewed by Saam Barati.
701
702         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
703         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
704         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
705         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
706
707 2019-02-15  Robin Morisset  <rmorisset@apple.com>
708         CodeBlock::jettison should clear related watchpoints
709         https://bugs.webkit.org/show_bug.cgi?id=194544
710
711         Reviewed by Mark Lam.
712
713         * stress/regexp-replace-double-watchpoint.js: Added.
714         (foo):
715
716 2019-02-15  Saam barati  <sbarati@apple.com>
717
718         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
719         https://bugs.webkit.org/show_bug.cgi?id=194036
720
721         Reviewed by Yusuke Suzuki.
722
723         * stress/tail-call-many-arguments.js: Added.
724         (foo):
725         (bar):
726
727 2019-02-14  Saam Barati  <sbarati@apple.com>
728
729         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
730         https://bugs.webkit.org/show_bug.cgi?id=194583
731         <rdar://problem/48028140>
732
733         Reviewed by Yusuke Suzuki.
734
735         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
736
737 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
738
739         [JSC] String.fromCharCode's slow path always generates 16bit string
740         https://bugs.webkit.org/show_bug.cgi?id=194466
741
742         Reviewed by Keith Miller.
743
744         * stress/string-from-char-code-slow-path.js: Added.
745         (shouldBe):
746         (testWithLength):
747
748 2019-02-08  Saam barati  <sbarati@apple.com>
749
750         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
751         https://bugs.webkit.org/show_bug.cgi?id=194334
752         <rdar://problem/47844327>
753
754         Reviewed by Mark Lam.
755
756         * stress/check-in-bounds-should-be-a-child-use.js: Added.
757         (func):
758
759 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
760
761         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
762         https://bugs.webkit.org/show_bug.cgi?id=194369
763         <rdar://problem/47813087>
764
765         Reviewed by Saam Barati.
766
767         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
768         (A):
769
770 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
771
772         [JSC] PrivateName to PublicName hash table is wasteful
773         https://bugs.webkit.org/show_bug.cgi?id=194277
774
775         Reviewed by Michael Saboff.
776
777         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
778
779         * ChakraCore.yaml:
780
781 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
782
783         [ARM] Test running out of executable memory
784         https://bugs.webkit.org/show_bug.cgi?id=194285
785
786         Unreviewed. Do not execute test with LLInt disabled, test runs out of
787         executable memory otherwise.
788
789         * stress/class-subclassing-function.js:
790
791 2019-02-04  Robin Morisset  <rmorisset@apple.com>
792
793         when lowering AssertNotEmpty, create the value before creating the patchpoint
794         https://bugs.webkit.org/show_bug.cgi?id=194231
795
796         Reviewed by Saam Barati.
797
798         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
799         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
800         So even tiny changes to this test can change the path code taken.
801
802         * stress/assert-not-empty.js: Added.
803         (foo):
804
805 2019-02-01  Mark Lam  <mark.lam@apple.com>
806
807         Remove invalid assertion in DFG's compileDoubleRep().
808         https://bugs.webkit.org/show_bug.cgi?id=194130
809         <rdar://problem/47699474>
810
811         Reviewed by Saam Barati.
812
813         * stress/constant-fold-double-rep-into-double-constant.js: Added.
814
815 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
816
817         Import latest Test262 updates.
818
819         Rubber-stamped by Keith Miller.
820
821         * test262.yaml: Deleted.
822         * test262/config.yaml:
823         * test262/expectations.yaml:
824         * test262/latest-changes-summary.txt:
825         * test262/test/:
826         * test262/test262-Revision.txt:
827
828 2019-01-30  Robin Morisset  <rmorisset@apple.com>
829
830         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
831         https://bugs.webkit.org/show_bug.cgi?id=194050
832         <rdar://problem/47595592>
833
834         Reviewed by Yusuke Suzuki.
835
836         * stress/object-keys-osr-exit.js: Added.
837         (foo):
838         (catch):
839
840 2019-01-29  Mark Lam  <mark.lam@apple.com>
841
842         ValueRecovery::recover() should purify NaN values it recovers.
843         https://bugs.webkit.org/show_bug.cgi?id=193978
844         <rdar://problem/47625488>
845
846         Reviewed by Saam Barati.
847
848         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
849
850 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
851
852         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
853         https://bugs.webkit.org/show_bug.cgi?id=193713
854
855         * stress/try-get-by-id-should-spill-registers-dfg.js:
856         (let.f.createBuiltin):
857
858 2019-01-28  Mark Lam  <mark.lam@apple.com>
859
860         ToString node actually does GC.
861         https://bugs.webkit.org/show_bug.cgi?id=193920
862         <rdar://problem/46695900>
863
864         Reviewed by Yusuke Suzuki.
865
866         * stress/dfg-to-string-on-int-does-gc.js: Added.
867         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
868         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
869
870 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
871
872         [JSC] NativeErrorConstructor should not have own IsoSubspace
873         https://bugs.webkit.org/show_bug.cgi?id=193713
874
875         Reviewed by Saam Barati.
876
877         Remove @Error use.
878
879         * stress/try-get-by-id-should-spill-registers-dfg.js:
880         (let.f.createBuiltin):
881
882 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
883
884         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
885         https://bugs.webkit.org/show_bug.cgi?id=190693
886
887         Reviewed by Michael Saboff.
888
889         * stress/regress-190693.js: Added.
890         (truth):
891         (assert):
892         (shouldThrowInvalidConstAssignment):
893         (taz):
894
895 2019-01-24  Saam Barati  <sbarati@apple.com>
896
897         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
898         https://bugs.webkit.org/show_bug.cgi?id=193751
899         <rdar://problem/47280215>
900
901         Reviewed by Michael Saboff.
902
903         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
904         (let.thing):
905         (foo.let.hello):
906         (foo):
907
908 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
909
910         [JSC] Reenable baseline JIT on mips
911         https://bugs.webkit.org/show_bug.cgi?id=192983
912
913         Reviewed by Mark Lam.
914
915         Added a new test for a case that was triggering a RELEASE_ASSERT when
916         testing.
917         Disable some slow tests that were already disabled for arm and x86.
918
919         * stress/json-parse-big-object.js: Added.
920         * stress/new-largeish-contiguous-array-with-size.js:
921         * stress/op_add.js:
922         * stress/op_bitand.js:
923         * stress/op_bitor.js:
924         * stress/op_bitxor.js:
925         * stress/op_lshift-ConstVar.js:
926         * stress/op_lshift-VarConst.js:
927         * stress/op_lshift-VarVar.js:
928         * stress/op_mod-ConstVar.js:
929         * stress/op_mod-VarConst.js:
930         * stress/op_mod-VarVar.js:
931         * stress/op_mul-ConstVar.js:
932         * stress/op_mul-VarConst.js:
933         * stress/op_mul-VarVar.js:
934         * stress/op_rshift-ConstVar.js:
935         * stress/op_rshift-VarConst.js:
936         * stress/op_rshift-VarVar.js:
937         * stress/op_sub-ConstVar.js:
938         * stress/op_sub-VarConst.js:
939         * stress/op_sub-VarVar.js:
940         * stress/op_urshift-ConstVar.js:
941         * stress/op_urshift-VarConst.js:
942         * stress/op_urshift-VarVar.js:
943         * stress/sampling-profiler-richards.js:
944         * stress/spread-forward-call-varargs-stack-overflow.js:
945
946 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
947
948         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
949         https://bugs.webkit.org/show_bug.cgi?id=193711
950         <rdar://problem/47250262>
951
952         Reviewed by Saam Barati.
953
954         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
955         (shouldBe):
956         (foo):
957         (bar):
958         (baz):
959
960 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
961
962         Unreviewed, fix initial global lexical binding epoch
963         https://bugs.webkit.org/show_bug.cgi?id=193603
964         <rdar://problem/47380869>
965
966         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
967         (f1.f2.f3.f4):
968         (f1.f2.f3):
969         (f1.f2):
970         (f1):
971
972 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
973
974         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
975         https://bugs.webkit.org/show_bug.cgi?id=193709
976         <rdar://problem/47363838>
977
978         Unreviewed, rollout to watch the tests.
979
980         * stress/object-tostring-changed-proto.js: Removed.
981         * stress/object-tostring-changed.js: Removed.
982         * stress/object-tostring-misc.js: Removed.
983         * stress/object-tostring-other.js: Removed.
984         * stress/object-tostring-untyped.js: Removed.
985
986 2019-01-22  Saam Barati  <sbarati@apple.com>
987
988         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
989
990         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
991         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
992         (testUncheckedLessThanZero):
993         (testUncheckedLessThanOrEqualZero):
994         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
995         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
996
997 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
998
999         [JSC] Invalidate old scope operations using global lexical binding epoch
1000         https://bugs.webkit.org/show_bug.cgi?id=193603
1001         <rdar://problem/47380869>
1002
1003         Reviewed by Saam Barati.
1004
1005         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1006         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1007         (shouldThrow):
1008         (bar):
1009         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1010         (shouldBe):
1011         (get1):
1012         (get2):
1013         (get1If):
1014         (get2If):
1015         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1016         (shouldThrow):
1017         (foo):
1018
1019 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1020
1021         Unreviewed, roll out r240220 due to date-format-xparb regression
1022         https://bugs.webkit.org/show_bug.cgi?id=193603
1023
1024         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1025         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1026         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1027         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1028
1029 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1030
1031         DoesGC rule is wrong for nodes with BigIntUse
1032         https://bugs.webkit.org/show_bug.cgi?id=193652
1033
1034         Reviewed by Saam Barati.
1035
1036         * stress/big-int-value-op-update-gc-rules.js: Added.
1037         (assert):
1038         (doesGCAdd):
1039         (doesGCSub):
1040         (doesGCDiv):
1041         (doesGCMul):
1042         (doesGCBitAnd):
1043         (doesGCBitOr):
1044         (doesGCBitXor):
1045
1046 2019-01-20  Saam Barati  <sbarati@apple.com>
1047
1048         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1049         https://bugs.webkit.org/show_bug.cgi?id=193644
1050         <rdar://problem/46209745>
1051
1052         Reviewed by Yusuke Suzuki.
1053
1054         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1055         (foo):
1056         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1057         (foo):
1058         (bar):
1059
1060 2019-01-20  Saam Barati  <sbarati@apple.com>
1061
1062         MovHint must merge NodeBytecodeUsesAsValue for its child
1063         https://bugs.webkit.org/show_bug.cgi?id=186916
1064         <rdar://problem/41396612>
1065
1066         Reviewed by Yusuke Suzuki.
1067
1068         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1069         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1070
1071 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1072
1073         [JSC] Invalidate old scope operations using global lexical binding epoch
1074         https://bugs.webkit.org/show_bug.cgi?id=193603
1075         <rdar://problem/47380869>
1076
1077         Reviewed by Saam Barati.
1078
1079         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1080         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1081         (shouldThrow):
1082         (bar):
1083         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1084         (shouldBe):
1085         (get1):
1086         (get2):
1087         (get1If):
1088         (get2If):
1089         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1090         (shouldThrow):
1091         (foo):
1092
1093 2019-01-17  Saam barati  <sbarati@apple.com>
1094
1095         StringObjectUse should not be a structure check for the original string object structure
1096         https://bugs.webkit.org/show_bug.cgi?id=193483
1097         <rdar://problem/47280522>
1098
1099         Reviewed by Yusuke Suzuki.
1100
1101         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1102         (foo):
1103         (a.valueOf.0):
1104
1105 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1106
1107         [JSC] ToThis omission in DFGByteCodeParser is wrong
1108         https://bugs.webkit.org/show_bug.cgi?id=193513
1109         <rdar://problem/45842236>
1110
1111         Reviewed by Saam Barati.
1112
1113         * stress/to-this-omission-with-different-strict-modes.js: Added.
1114         (thisA):
1115         (thisAStrictWrapper):
1116
1117 2019-01-15  Mark Lam  <mark.lam@apple.com>
1118
1119         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1120         https://bugs.webkit.org/show_bug.cgi?id=193423
1121         <rdar://problem/46209355>
1122
1123         Reviewed by Saam Barati.
1124
1125         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1126         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1127         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1128         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1129
1130 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1131
1132         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1133         https://bugs.webkit.org/show_bug.cgi?id=193438
1134         <rdar://problem/45581249>
1135
1136         Reviewed by Saam Barati and Keith Miller.
1137
1138         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1139         Then, GetByVal(String) crashed.
1140
1141         * stress/string-get-by-val-lowering.js: Added.
1142         (shouldBe):
1143         (test):
1144         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1145         (Hello):
1146         (foo):
1147
1148 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1149
1150         Unreviewed, skip JIT tests if it's not enabled
1151
1152         * stress/bit-op-with-object-returning-int32.js:
1153
1154 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1155
1156         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1157         https://bugs.webkit.org/show_bug.cgi?id=192966
1158
1159         Reviewed by Yusuke Suzuki.
1160
1161         * stress/bit-op-with-object-returning-int32.js: Added.
1162
1163 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1164
1165         Skip a slow test and a flakey test on arm
1166
1167         Unreviewed gardening.
1168
1169         * typeProfiler/getter-richards.js:
1170         this test always times out, it used to be always skipped on arm and
1171         mips, but got accidentally enabled by r237919 now that we have DFG on
1172         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1173
1174 2019-01-14  Keith Miller  <keith_miller@apple.com>
1175
1176         Skip type-check-hoisting-phase-hoist... with no jit
1177         https://bugs.webkit.org/show_bug.cgi?id=193421
1178
1179         Reviewed by Mark Lam.
1180
1181         It's timing out the 32-bit bots and takes 330 seconds
1182         on my machine when run by itself.
1183
1184         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1185
1186 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1187
1188         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1189         https://bugs.webkit.org/show_bug.cgi?id=193413
1190         <rdar://problem/46092389>
1191
1192         Reviewed by Keith Miller.
1193
1194         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1195         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1196         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1197         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1198
1199         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1200         (compareArray):
1201
1202 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1203
1204         [BigInt] Literal parsing is crashing when used inside a Object Literal
1205         https://bugs.webkit.org/show_bug.cgi?id=193404
1206
1207         Reviewed by Yusuke Suzuki.
1208
1209         * stress/big-int-literal-inside-literal-object.js: Added.
1210
1211 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1212
1213         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1214         https://bugs.webkit.org/show_bug.cgi?id=193372
1215
1216         Reviewed by Saam Barati.
1217
1218         * stress/typed-array-array-modes-profile.js: Added.
1219         (foo):
1220
1221 2019-01-14  Mark Lam  <mark.lam@apple.com>
1222
1223         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1224         https://bugs.webkit.org/show_bug.cgi?id=193402
1225         <rdar://problem/46012309>
1226
1227         Reviewed by Keith Miller.
1228
1229         * stress/regexp-compile-oom.js:
1230         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1231           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1232
1233 2019-01-11  Saam barati  <sbarati@apple.com>
1234
1235         DFG combined liveness can be wrong for terminal basic blocks
1236         https://bugs.webkit.org/show_bug.cgi?id=193304
1237         <rdar://problem/45268632>
1238
1239         Reviewed by Yusuke Suzuki.
1240
1241         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1242
1243 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1244
1245         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1246         https://bugs.webkit.org/show_bug.cgi?id=193308
1247         <rdar://problem/45546542>
1248
1249         Reviewed by Saam Barati.
1250
1251         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1252         (shouldThrow):
1253         (shouldBe):
1254         (foo):
1255         (get shouldThrow):
1256         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1257         (shouldThrow):
1258         (shouldBe):
1259         (foo):
1260         (get shouldBe):
1261         (get shouldThrow):
1262         (get return):
1263         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1264         (shouldThrow):
1265         (shouldBe):
1266         (foo):
1267         (get shouldBe):
1268         (get shouldThrow):
1269         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1270         (shouldThrow):
1271         (shouldBe):
1272         (foo):
1273         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1274         (shouldThrow):
1275         (shouldBe):
1276         (foo):
1277         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1278         (shouldThrow):
1279         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1280         (shouldThrow):
1281         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1282         (shouldThrow):
1283         (shouldBe):
1284         (foo):
1285         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1286         (shouldThrow):
1287         (shouldBe):
1288         (foo):
1289         (get shouldBe):
1290         (get shouldThrow):
1291         (get return):
1292         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1293         (shouldThrow):
1294         (shouldBe):
1295         (foo):
1296         (get shouldBe):
1297         (get shouldThrow):
1298         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1299         (shouldThrow):
1300         (shouldBe):
1301         (foo):
1302         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1303         (shouldThrow):
1304         (shouldBe):
1305         (foo):
1306
1307 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1308
1309         Enable DFG on ARM/Linux again
1310         https://bugs.webkit.org/show_bug.cgi?id=192496
1311
1312         Reviewed by Yusuke Suzuki.
1313
1314         Test wasn't really skipped before moving the line with skip
1315         to the top.
1316
1317         * stress/regress-192717.js:
1318
1319 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1320
1321         Unreviewed, rolling out r239825.
1322         https://bugs.webkit.org/show_bug.cgi?id=193330
1323
1324         Broke tests on armv7/linux bots (Requested by guijemont on
1325         #webkit).
1326
1327         Reverted changeset:
1328
1329         "Enable DFG on ARM/Linux again"
1330         https://bugs.webkit.org/show_bug.cgi?id=192496
1331         https://trac.webkit.org/changeset/239825
1332
1333 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1334
1335         Enable DFG on ARM/Linux again
1336         https://bugs.webkit.org/show_bug.cgi?id=192496
1337
1338         Reviewed by Yusuke Suzuki.
1339
1340         Test wasn't really skipped before moving the line with skip
1341         to the top.
1342
1343         * stress/regress-192717.js:
1344
1345 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1346
1347         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1348         https://bugs.webkit.org/show_bug.cgi?id=193127
1349
1350         Reviewed by Saam Barati.
1351
1352         * stress/array-species-create-should-handle-masquerader.js: Added.
1353         (shouldThrow):
1354         * stress/is-undefined-or-null-builtin.js: Added.
1355         (shouldBe):
1356         (isUndefinedOrNull.vm.createBuiltin):
1357
1358 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1359
1360         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1361         https://bugs.webkit.org/show_bug.cgi?id=193221
1362
1363         Reviewed by Mark Lam.
1364
1365         * stress/put-by-id-flags.js: Added.
1366         (f):
1367         (g):
1368         (numberOfDFGCompiles):
1369
1370 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1371
1372         Baseline version of get_by_id may corrupt metadata
1373         https://bugs.webkit.org/show_bug.cgi?id=193085
1374         <rdar://problem/23453006>
1375
1376         Reviewed by Saam Barati.
1377
1378         * stress/get-by-id-change-mode.js: Added.
1379         (forEach):
1380
1381 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1382
1383         [JSC] Optimize Object.prototype.toString
1384         https://bugs.webkit.org/show_bug.cgi?id=193031
1385
1386         Reviewed by Saam Barati.
1387
1388         * stress/object-tostring-changed-proto.js: Added.
1389         (shouldBe):
1390         (test):
1391         * stress/object-tostring-changed.js: Added.
1392         (shouldBe):
1393         (test):
1394         * stress/object-tostring-misc.js: Added.
1395         (shouldBe):
1396         (test):
1397         (i.switch):
1398         * stress/object-tostring-other.js: Added.
1399         (shouldBe):
1400         (test):
1401         * stress/object-tostring-untyped.js: Added.
1402         (shouldBe):
1403         (test):
1404         (i.switch):
1405
1406 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1407
1408         test262-runner misbehaves when test file YAML has a trailing space
1409         https://bugs.webkit.org/show_bug.cgi?id=193053
1410
1411         Reviewed by Yusuke Suzuki.
1412
1413         * test262/expectations.yaml:
1414         Mark two dozen tests as passing (and correct the output of another).
1415
1416 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1417
1418         Unreviewed, JSTests gardening with memoryLimited
1419
1420         * stress/string-overflow-createError.js:
1421
1422 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1423
1424         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1425         https://bugs.webkit.org/show_bug.cgi?id=193050
1426
1427         Reviewed by Yusuke Suzuki.
1428
1429         * test262.yaml:
1430         * test262/expectations.yaml:
1431         Mark 16 tests as passing.
1432
1433 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1434
1435         [BigInt] Support BigInt in JSON.stringify
1436         https://bugs.webkit.org/show_bug.cgi?id=192624
1437
1438         Reviewed by Saam Barati.
1439
1440         * stress/big-int-json-stringify-to-json.js: Added.
1441         (shouldBe):
1442         (shouldThrow):
1443         (BigInt.prototype.toJSON):
1444         (shouldBe.JSON.stringify):
1445         * stress/big-int-json-stringify.js: Added.
1446         (shouldBe):
1447         (shouldThrow):
1448
1449 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1450
1451         [JSC] Implement "well-formed JSON.stringify" proposal
1452         https://bugs.webkit.org/show_bug.cgi?id=191677
1453
1454         Reviewed by Darin Adler.
1455
1456         * stress/json-surrogate-pair.js: Added.
1457         (shouldBe):
1458         * test262/expectations.yaml:
1459
1460 2018-12-20  Keith Miller  <keith_miller@apple.com>
1461
1462         Add support for globalThis
1463         https://bugs.webkit.org/show_bug.cgi?id=165171
1464
1465         Reviewed by Mark Lam.
1466
1467         * test262/config.yaml:
1468
1469 2018-12-19  Keith Miller  <keith_miller@apple.com>
1470
1471         Update test262 configuration to not run tests dependent on ICU version.
1472         https://bugs.webkit.org/show_bug.cgi?id=192920
1473
1474         Reviewed by Saam Barati.
1475
1476         * test262/expectations.yaml:
1477
1478 2018-12-20  Mark Lam  <mark.lam@apple.com>
1479
1480         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1481         https://bugs.webkit.org/show_bug.cgi?id=192939
1482         <rdar://problem/46869516>
1483
1484         Reviewed by Keith Miller.
1485
1486         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1487
1488 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1489
1490         WTF::String and StringImpl overflow MaxLength
1491         https://bugs.webkit.org/show_bug.cgi?id=192853
1492         <rdar://problem/45726906>
1493
1494         Reviewed by Mark Lam.
1495
1496         * stress/string-16bit-repeat-overflow.js: Added.
1497         (catch):
1498
1499 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1500
1501         Unreviewed follow-up to r192914.
1502
1503         * test262/expectations.yaml:
1504         Add the last 20 missing expectations.
1505
1506 2018-12-19  Keith Miller  <keith_miller@apple.com>
1507
1508         Fix test262 expectations
1509         https://bugs.webkit.org/show_bug.cgi?id=192914
1510
1511         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1512
1513         * test262/expectations.yaml:
1514
1515 2018-12-19  Keith Miller  <keith_miller@apple.com>
1516
1517         Update test262 tests.
1518         https://bugs.webkit.org/show_bug.cgi?id=192907
1519
1520         Rubber stamped by Mark Lam.
1521
1522         * test262/*: Omitted because prepare-changelog crashes.
1523
1524 2018-12-19  Mark Lam  <mark.lam@apple.com>
1525
1526         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1527         https://bugs.webkit.org/show_bug.cgi?id=192464
1528         <rdar://problem/46519455>
1529
1530         Reviewed by Saam Barati.
1531
1532         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1533         microbenchmark.
1534
1535         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1536         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1537
1538 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1539
1540         String overflow in JSC::createError results in ASSERT in WTF::makeString
1541         https://bugs.webkit.org/show_bug.cgi?id=192833
1542         <rdar://problem/45706868>
1543
1544         Reviewed by Mark Lam.
1545
1546         * stress/string-overflow-createError.js: Added.
1547
1548 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1549
1550         Error message for `-x ** y` contains a typo.
1551         https://bugs.webkit.org/show_bug.cgi?id=192832
1552
1553         Reviewed by Saam Barati.
1554
1555         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1556         (assert.assert.return.throws):
1557         * stress/pow-expects-update-expression-on-lhs.js:
1558         (throw.new.Error):
1559         Update test expectations which match against the exact error message.
1560
1561 2018-12-18  Mark Lam  <mark.lam@apple.com>
1562
1563         Gardening: test options fix.
1564         https://bugs.webkit.org/show_bug.cgi?id=192822
1565
1566         Unreviewed.
1567
1568         * stress/json-stringify-string-builder-overflow.js:
1569
1570 2018-12-18  Mark Lam  <mark.lam@apple.com>
1571
1572         JSON.stringify() should throw OOM on StringBuilder overflows.
1573         https://bugs.webkit.org/show_bug.cgi?id=192822
1574         <rdar://problem/46670577>
1575
1576         Reviewed by Saam Barati.
1577
1578         * stress/json-stringify-string-builder-overflow.js: Added.
1579
1580 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1581
1582         Redeclaration of var over let/const/class should be a syntax error.
1583         https://bugs.webkit.org/show_bug.cgi?id=192298
1584
1585         Reviewed by Keith Miller.
1586
1587         * test262.yaml:
1588         * test262/expectations.yaml:
1589         Mark 46 tests as passing.
1590
1591         * stress/block-scope-redeclarations.js:
1592         Add some new tests.
1593
1594         * stress/for-in-invalidate-context-weird-assignments.js:
1595         * stress/for-in-tests.js:
1596         Replace tests for outdated behavior with tests for SyntaxError.
1597
1598         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1599         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1600         Update expectations.
1601
1602 2018-12-18  Mark Lam  <mark.lam@apple.com>
1603
1604         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1605         https://bugs.webkit.org/show_bug.cgi?id=191374
1606         <rdar://problem/46525447>
1607
1608         Reviewed by Yusuke Suzuki.
1609
1610         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1611
1612         * stress/elidable-new-object-roflcopter-then-exit.js:
1613
1614 2018-12-17  Mark Lam  <mark.lam@apple.com>
1615
1616         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1617         https://bugs.webkit.org/show_bug.cgi?id=192019
1618         <rdar://problem/46525456>
1619
1620         Reviewed by Yusuke Suzuki.
1621
1622         The test runs too slow on 32-bit.
1623
1624         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1625
1626 2018-12-17  Mark Lam  <mark.lam@apple.com>
1627
1628         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1629         https://bugs.webkit.org/show_bug.cgi?id=191373
1630         <rdar://problem/46525458>
1631
1632         Reviewed by Yusuke Suzuki.
1633
1634         The test is already slow running with a JIT on 64-bit.  It will always timeout
1635         on 32-bit without a JIT.
1636
1637         * stress/materialize-regexp-cyclic-regexp.js:
1638
1639 2018-12-17  Mark Lam  <mark.lam@apple.com>
1640
1641         Array unshift/shift should not race against the AI in the compiler thread.
1642         https://bugs.webkit.org/show_bug.cgi?id=192795
1643         <rdar://problem/46724263>
1644
1645         Reviewed by Saam Barati.
1646
1647         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1648
1649 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1650
1651         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1652         https://bugs.webkit.org/show_bug.cgi?id=190047
1653
1654         Reviewed by Saam Barati.
1655
1656         * stress/object-keys-cached-zero.js: Added.
1657         (shouldBe):
1658         (test):
1659         * stress/object-keys-changed-attribute.js: Added.
1660         (shouldBe):
1661         (test):
1662         * stress/object-keys-changed-index.js: Added.
1663         (shouldBe):
1664         (test):
1665         * stress/object-keys-changed.js: Added.
1666         (shouldBe):
1667         (test):
1668         * stress/object-keys-indexed-non-cache.js: Added.
1669         (shouldBe):
1670         (test):
1671         * stress/object-keys-overrides-get-property-names.js: Added.
1672         (shouldBe):
1673         (test):
1674         (noInline):
1675
1676 2018-12-17  Mark Lam  <mark.lam@apple.com>
1677
1678         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1679         https://bugs.webkit.org/show_bug.cgi?id=192779
1680         <rdar://problem/46775869>
1681
1682         Reviewed by Saam Barati.
1683
1684         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1685
1686 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1687
1688         Unreviewed test gardening, address a syntax error in a new test.
1689
1690         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1691
1692 2018-12-17  Mark Lam  <mark.lam@apple.com>
1693
1694         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1695         https://bugs.webkit.org/show_bug.cgi?id=192776
1696         <rdar://problem/46772368>
1697
1698         Reviewed by Keith Miller.
1699
1700         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1701
1702 2018-12-17  Mark Lam  <mark.lam@apple.com>
1703
1704         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1705         https://bugs.webkit.org/show_bug.cgi?id=192770
1706         <rdar://problem/46449037>
1707
1708         Reviewed by Keith Miller.
1709
1710         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1711
1712 2018-12-14  Mark Lam  <mark.lam@apple.com>
1713
1714         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1715         https://bugs.webkit.org/show_bug.cgi?id=192717
1716         <rdar://problem/46660677>
1717
1718         Reviewed by Saam Barati.
1719
1720         * stress/regress-192717.js: Added.
1721
1722 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1723
1724         Unreviewed, rolling out r239153, r239154, and r239155.
1725         https://bugs.webkit.org/show_bug.cgi?id=192715
1726
1727         Caused flaky GC-related crashes seen with layout tests
1728         (Requested by ryanhaddad on #webkit).
1729
1730         Reverted changesets:
1731
1732         "[JSC] Optimize Object.keys by caching own keys results in
1733         StructureRareData"
1734         https://bugs.webkit.org/show_bug.cgi?id=190047
1735         https://trac.webkit.org/changeset/239153
1736
1737         "Unreviewed, build fix after r239153"
1738         https://bugs.webkit.org/show_bug.cgi?id=190047
1739         https://trac.webkit.org/changeset/239154
1740
1741         "Unreviewed, build fix after r239153, part 2"
1742         https://bugs.webkit.org/show_bug.cgi?id=190047
1743         https://trac.webkit.org/changeset/239155
1744
1745 2018-12-14  Keith Miller  <keith_miller@apple.com>
1746
1747         Callers of JSString::getIndex should check for OOM exceptions
1748         https://bugs.webkit.org/show_bug.cgi?id=192709
1749
1750         Reviewed by Mark Lam.
1751
1752         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1753
1754 2018-12-13  Mark Lam  <mark.lam@apple.com>
1755
1756         Add a missing exception check.
1757         https://bugs.webkit.org/show_bug.cgi?id=192626
1758         <rdar://problem/46662163>
1759
1760         Reviewed by Keith Miller.
1761
1762         * stress/regress-192626.js: Added.
1763
1764 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1765
1766         [BigInt] Add ValueDiv into DFG
1767         https://bugs.webkit.org/show_bug.cgi?id=186178
1768
1769         Reviewed by Yusuke Suzuki.
1770
1771         * stress/big-int-div-jit-osr.js: Added.
1772         * stress/big-int-div-jit-untyped.js: Added.
1773         * stress/value-div-fixup-int32-big-int.js: Added.
1774
1775 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1776
1777         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1778         https://bugs.webkit.org/show_bug.cgi?id=190047
1779
1780         Reviewed by Keith Miller.
1781
1782         * stress/object-keys-cached-zero.js: Added.
1783         (shouldBe):
1784         (test):
1785         * stress/object-keys-changed-attribute.js: Added.
1786         (shouldBe):
1787         (test):
1788         * stress/object-keys-changed-index.js: Added.
1789         (shouldBe):
1790         (test):
1791         * stress/object-keys-changed.js: Added.
1792         (shouldBe):
1793         (test):
1794         * stress/object-keys-indexed-non-cache.js: Added.
1795         (shouldBe):
1796         (test):
1797         * stress/object-keys-overrides-get-property-names.js: Added.
1798         (shouldBe):
1799         (test):
1800         (noInline):
1801
1802 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1803
1804         [DFG][FTL] Add NewSymbol
1805         https://bugs.webkit.org/show_bug.cgi?id=192620
1806
1807         Reviewed by Saam Barati.
1808
1809         * microbenchmarks/symbol-creation.js: Added.
1810         (test):
1811         * stress/symbol-description-identity.js: Added.
1812         (shouldBe):
1813         (test):
1814         * stress/symbol-identity.js: Added.
1815         (shouldBe):
1816         (test):
1817         * stress/symbol-with-description-throw-error.js: Added.
1818         (shouldBe):
1819         (shouldThrow):
1820         (test):
1821         (object.toString):
1822
1823 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1824
1825         [BigInt] Implement DFG/FTL typeof for BigInt
1826         https://bugs.webkit.org/show_bug.cgi?id=192619
1827
1828         Reviewed by Keith Miller.
1829
1830         * stress/big-int-boolean-proven-type.js: Added.
1831         (assert):
1832         (bool):
1833         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1834         (assert):
1835         (typeOf):
1836         (i.switch):
1837         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1838         (assert):
1839         (typeOf):
1840         * stress/big-int-type-of.js:
1841         (typeOf):
1842         (func):
1843
1844 2018-12-10  Mark Lam  <mark.lam@apple.com>
1845
1846         PropertyAttribute needs a CustomValue bit.
1847         https://bugs.webkit.org/show_bug.cgi?id=191993
1848         <rdar://problem/46264467>
1849
1850         Reviewed by Saam Barati.
1851
1852         * stress/regress-191993.js: Added.
1853
1854 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1855
1856         [BigInt] Add ValueMul into DFG
1857         https://bugs.webkit.org/show_bug.cgi?id=186175
1858
1859         Reviewed by Yusuke Suzuki.
1860
1861         * stress/big-int-mul-jit-osr.js: Added.
1862         * stress/big-int-mul-jit-untyped.js: Added.
1863         * stress/value-mul-fixup-int32-big-int.js: Added.
1864
1865 2018-12-06  Keith Miller  <keith_miller@apple.com>
1866
1867         stress/big-wasm-memory tests failing on 32-bit JSC bot
1868         https://bugs.webkit.org/show_bug.cgi?id=192020
1869
1870         Reviewed by Saam Barati.
1871
1872         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1873         the wasm stress tests if the WebAssembly object does not exist.
1874
1875         * stress/big-wasm-memory-grow-no-max.js:
1876         (test.foo):
1877         (test):
1878         (foo): Deleted.
1879         (catch): Deleted.
1880         * stress/big-wasm-memory-grow.js:
1881         (test.foo):
1882         (test):
1883         (foo): Deleted.
1884         (catch): Deleted.
1885         * stress/big-wasm-memory.js:
1886         (test.foo):
1887         (test):
1888         (foo): Deleted.
1889         (catch): Deleted.
1890
1891 2018-12-05  Mark Lam  <mark.lam@apple.com>
1892
1893         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1894         https://bugs.webkit.org/show_bug.cgi?id=192441
1895         <rdar://problem/46480355>
1896
1897         Reviewed by Saam Barati.
1898
1899         * stress/regress-192441.js: Added.
1900
1901 2018-12-04  Mark Lam  <mark.lam@apple.com>
1902
1903         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1904         https://bugs.webkit.org/show_bug.cgi?id=192386
1905         <rdar://problem/46445516>
1906
1907         Reviewed by Saam Barati.
1908
1909         * stress/regress-192386.js: Added.
1910
1911 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1912
1913         [ESNext][BigInt] Support logic operations
1914         https://bugs.webkit.org/show_bug.cgi?id=179903
1915
1916         Reviewed by Yusuke Suzuki.
1917
1918         * stress/big-int-branch-usage.js: Added.
1919         * stress/big-int-logical-and.js: Added.
1920         * stress/big-int-logical-not.js: Added.
1921         * stress/big-int-logical-or.js: Added.
1922
1923 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1924
1925         Unreviewed, rolling out r238833.
1926
1927         Breaks macOS and iOS debug builds.
1928
1929         Reverted changeset:
1930
1931         "[ESNext][BigInt] Support logic operations"
1932         https://bugs.webkit.org/show_bug.cgi?id=179903
1933         https://trac.webkit.org/changeset/238833
1934
1935 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1936
1937         [ESNext][BigInt] Support logic operations
1938         https://bugs.webkit.org/show_bug.cgi?id=179903
1939
1940         Reviewed by Yusuke Suzuki.
1941
1942         * stress/big-int-branch-usage.js: Added.
1943         * stress/big-int-logical-and.js: Added.
1944         * stress/big-int-logical-not.js: Added.
1945         * stress/big-int-logical-or.js: Added.
1946
1947 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1948
1949         [ESNext][BigInt] Implement support for "<<" and ">>"
1950         https://bugs.webkit.org/show_bug.cgi?id=186233
1951
1952         Reviewed by Yusuke Suzuki.
1953
1954         * stress/big-int-left-shift-general.js: Added.
1955         * stress/big-int-left-shift-range-error.js: Added.
1956         * stress/big-int-left-shift-type-error.js: Added.
1957         * stress/big-int-left-shift-wrapped-value.js: Added.
1958         * stress/big-int-right-shift-general.js: Added.
1959         * stress/big-int-right-shift-type-error.js: Added.
1960         * stress/big-int-right-shift-wrapped-value.js: Added.
1961         * stress/left-shift-to-primitive-precedence.js: Added.
1962         * stress/right-shift-to-primitive-precedence.js: Added.
1963
1964 2018-11-30  Dean Jackson  <dino@apple.com>
1965
1966         Add first-class support for .mjs files in jsc binary
1967         https://bugs.webkit.org/show_bug.cgi?id=192190
1968         <rdar://problem/46375715>
1969
1970         Reviewed by Keith Miller.
1971
1972         * stress/simple-module.mjs: Added.
1973         * stress/simple-script.js: Added.
1974
1975 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1976
1977         [BigInt] Implement ValueBitXor into DFG
1978         https://bugs.webkit.org/show_bug.cgi?id=190264
1979
1980         Reviewed by Yusuke Suzuki.
1981
1982         * stress/big-int-bitwise-xor-jit.js: Added.
1983         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1984         * stress/big-int-bitwise-xor-untyped.js: Added.
1985
1986 2018-11-27  Saam barati  <sbarati@apple.com>
1987
1988         r238510 broke scopes of size zero
1989         https://bugs.webkit.org/show_bug.cgi?id=192033
1990         <rdar://problem/46281734>
1991
1992         Reviewed by Keith Miller.
1993
1994         * stress/r238510-bad-loop.js: Added.
1995         (foo):
1996
1997 2018-11-27  Mark Lam  <mark.lam@apple.com>
1998
1999         [Re-landing] NaNs read from Wasm code needs to be purified.
2000         https://bugs.webkit.org/show_bug.cgi?id=191056
2001         <rdar://problem/45660341>
2002
2003         Reviewed by Filip Pizlo.
2004
2005         * wasm/regress/regress-191056.js: Added.
2006
2007 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2008
2009         Unreviewed, rolling out r238509.
2010
2011         Causes JSC tests to fail on iOS.
2012
2013         Reverted changeset:
2014
2015         "NaNs read from Wasm code needs to be purified."
2016         https://bugs.webkit.org/show_bug.cgi?id=191056
2017         https://trac.webkit.org/changeset/238509
2018
2019 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2020
2021         Re-introduce op_bitnot
2022         https://bugs.webkit.org/show_bug.cgi?id=190923
2023
2024         Reviewed by Yusuke Suzuki.
2025
2026         * stress/bit-not-must-generate.js: Added.
2027         * stress/bitwise-not-no-int32.js: Added.
2028
2029 2018-11-26  Saam barati  <sbarati@apple.com>
2030
2031         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2032         https://bugs.webkit.org/show_bug.cgi?id=191956
2033         <rdar://problem/45665806>
2034
2035         Reviewed by Yusuke Suzuki.
2036
2037         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2038         (bar):
2039         (foo):
2040
2041 2018-11-26  Saam barati  <sbarati@apple.com>
2042
2043         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2044         https://bugs.webkit.org/show_bug.cgi?id=191958
2045         <rdar://problem/46221877>
2046
2047         Reviewed by Yusuke Suzuki.
2048
2049         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2050         (x):
2051         (foo):
2052
2053 2018-11-26  Mark Lam  <mark.lam@apple.com>
2054
2055         NaNs read from Wasm code needs to be purified.
2056         https://bugs.webkit.org/show_bug.cgi?id=191056
2057         <rdar://problem/45660341>
2058
2059         Reviewed by Filip Pizlo.
2060
2061         * wasm/regress/regress-191056.js: Added.
2062
2063 2018-11-26  Michael Saboff  <msaboff@apple.com>
2064
2065         32-bit JSC test failure: stress/regexp-compile-oom.js
2066         https://bugs.webkit.org/show_bug.cgi?id=191375
2067
2068         Reviewed by Mark Lam.
2069
2070         Disabled the test for 32 bit platforms.
2071
2072         * stress/regexp-compile-oom.js:
2073
2074 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2075
2076         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2077         https://bugs.webkit.org/show_bug.cgi?id=191716
2078         <rdar://problem/45723878>
2079
2080         Reviewed by Saam Barati.
2081
2082         * stress/regress-187373.js: Added.
2083         (async.fn):
2084
2085 2018-11-21  Saam barati  <sbarati@apple.com>
2086
2087         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2088         https://bugs.webkit.org/show_bug.cgi?id=191897
2089         <rdar://problem/45871998>
2090
2091         Reviewed by Mark Lam.
2092
2093         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2094         (bar):
2095         (foo):
2096
2097 2018-11-21  Saam barati  <sbarati@apple.com>
2098
2099         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2100         https://bugs.webkit.org/show_bug.cgi?id=191895
2101         <rdar://problem/46167406>
2102
2103         Reviewed by Mark Lam.
2104
2105         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2106         (foo):
2107         (bar):
2108
2109 2018-11-21  Mark Lam  <mark.lam@apple.com>
2110
2111         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2112         https://bugs.webkit.org/show_bug.cgi?id=191776
2113         <rdar://problem/46152851>
2114
2115         Reviewed by Saam Barati.
2116
2117         * stress/big-wasm-memory-grow-no-max.js:
2118         * stress/big-wasm-memory-grow.js:
2119         * stress/big-wasm-memory.js:
2120         - updated these to expect an OutOfMemoryError.
2121
2122         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2123         (Binary.prototype.emit_u8):
2124         (Binary.prototype.emit_u32v):
2125         (Binary.prototype.emit_header):
2126         (Binary.prototype.emit_section):
2127         (Binary):
2128         (WasmModuleBuilder):
2129         (WasmModuleBuilder.prototype.addMemory):
2130         (WasmModuleBuilder.prototype.toArray):
2131         (WasmModuleBuilder.prototype.toBuffer):
2132         (WasmModuleBuilder.prototype.instantiate):
2133         (catch):
2134         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2135         (catch):
2136
2137 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2138
2139         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2140         https://bugs.webkit.org/show_bug.cgi?id=190836
2141
2142         Reviewed by Saam Barati and Yusuke Suzuki.
2143
2144         * stress/big-int-out-of-memory-tests.js: Added.
2145
2146 2018-11-20  Mark Lam  <mark.lam@apple.com>
2147
2148         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2149         https://bugs.webkit.org/show_bug.cgi?id=191856
2150         <rdar://problem/46089992>
2151
2152         Reviewed by Yusuke Suzuki.
2153
2154         * stress/regress-191856.js: Added.
2155         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2156
2157 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2158
2159         Enable JIT on ARM/Linux
2160         https://bugs.webkit.org/show_bug.cgi?id=191548
2161
2162         Reviewed by Yusuke Suzuki.
2163
2164         Disable test on system with limited memory. Program was killed by
2165         the OS before the exception was thrown.
2166
2167         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2168
2169 2018-11-20  Saam barati  <sbarati@apple.com>
2170
2171         Merging an IC variant may lead to the IC status containing overlapping structure sets
2172         https://bugs.webkit.org/show_bug.cgi?id=191869
2173         <rdar://problem/45403453>
2174
2175         Reviewed by Mark Lam.
2176
2177         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2178
2179 2018-11-19  Mark Lam  <mark.lam@apple.com>
2180
2181         globalFuncImportModule() should return a promise when it clears exceptions.
2182         https://bugs.webkit.org/show_bug.cgi?id=191792
2183         <rdar://problem/46090763>
2184
2185         Reviewed by Michael Saboff.
2186
2187         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2188
2189 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2190
2191         Skip new memory-hungry tests on memory limited devices
2192
2193         Unreviewed gardening.
2194
2195         * stress/big-wasm-memory-grow-no-max.js:
2196         * stress/big-wasm-memory-grow.js:
2197         * stress/big-wasm-memory.js:
2198
2199 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2200
2201         Unreviewed, rolling in the rest of r237254
2202         https://bugs.webkit.org/show_bug.cgi?id=190340
2203
2204         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2205         * stress/function-cache-with-parameters-end-position.js: Added.
2206         (shouldBe):
2207         (shouldThrow):
2208         (i.anonymous):
2209         * stress/function-constructor-name.js: Added.
2210         (shouldBe):
2211         (GeneratorFunction):
2212         (AsyncFunction.async):
2213         (AsyncGeneratorFunction.async):
2214         (anonymous):
2215         (async.anonymous):
2216         * test262/expectations.yaml:
2217
2218 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2219
2220         All users of ArrayBuffer should agree on the same max size
2221         https://bugs.webkit.org/show_bug.cgi?id=191771
2222
2223         Reviewed by Mark Lam.
2224
2225         * stress/big-wasm-memory-grow-no-max.js: Added.
2226         (foo):
2227         (catch):
2228         * stress/big-wasm-memory-grow.js: Added.
2229         (foo):
2230         (catch):
2231         * stress/big-wasm-memory.js: Added.
2232         (foo):
2233         (catch):
2234
2235 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2236
2237         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2238         run for each JSC config since they're regression tests for runtime bugs.
2239
2240         * stress/json-stringified-overflow-2.js:
2241         * stress/json-stringified-overflow.js:
2242
2243 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2244
2245         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2246         config since they're regression tests for runtime bugs.
2247
2248         * stress/large-unshift-splice.js:
2249         * stress/regress-185888.js:
2250
2251 2018-11-16  Saam Barati  <sbarati@apple.com>
2252
2253         KnownCellUse should also have SpecCellCheck as its type filter
2254         https://bugs.webkit.org/show_bug.cgi?id=191729
2255         <rdar://problem/45872852>
2256
2257         Reviewed by Filip Pizlo.
2258
2259         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2260         (C):
2261
2262 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2263
2264         Fix assertion failure on BytecodeGenerator::recordOpcode
2265         https://bugs.webkit.org/show_bug.cgi?id=191724
2266         <rdar://problem/45724395>
2267
2268         Reviewed by Saam Barati.
2269
2270         * stress/regress-187373-2.js: Added.
2271         (foo):
2272
2273 2018-11-15  Mark Lam  <mark.lam@apple.com>
2274
2275         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2276         https://bugs.webkit.org/show_bug.cgi?id=191730
2277         <rdar://problem/46048517>
2278
2279         Reviewed by Saam Barati.
2280
2281         * stress/regress-187006.js: Removed.
2282           - this test is invalid because its sole purpose is to test for the non-spec
2283             compliant behavior that we just fixed.
2284
2285         * stress/regress-191730.js: Added.
2286
2287 2018-11-15  Mark Lam  <mark.lam@apple.com>
2288
2289         RegExp operations should not take fast path if lastIndex is not numeric.
2290         https://bugs.webkit.org/show_bug.cgi?id=191731
2291         <rdar://problem/46017305>
2292
2293         Reviewed by Saam Barati.
2294
2295         * stress/regress-191731.js: Added.
2296
2297 2018-11-13  Saam Barati  <sbarati@apple.com>
2298
2299         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2300         https://bugs.webkit.org/show_bug.cgi?id=191600
2301
2302         Reviewed by Mark Lam.
2303
2304         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2305         (foo):
2306         (test):
2307         (bar):
2308
2309 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2310
2311         Unreviewed, rolling out r238132.
2312
2313         The test added with this change is timing out on Debug JSC
2314         bots.
2315
2316         Reverted changeset:
2317
2318         "[BigInt] JSBigInt::createWithLength should throw when length
2319         is greater than JSBigInt::maxLength"
2320         https://bugs.webkit.org/show_bug.cgi?id=190836
2321         https://trac.webkit.org/changeset/238132
2322
2323 2018-11-13  Mark Lam  <mark.lam@apple.com>
2324
2325         Add OOM detection to StringPrototype's substituteBackreferences().
2326         https://bugs.webkit.org/show_bug.cgi?id=191563
2327         <rdar://problem/45720428>
2328
2329         Reviewed by Saam Barati.
2330
2331         * stress/regress-191563.js: Added.
2332
2333 2018-11-13  Mark Lam  <mark.lam@apple.com>
2334
2335         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2336         https://bugs.webkit.org/show_bug.cgi?id=191579
2337         <rdar://problem/45942472>
2338
2339         Reviewed by Saam Barati.
2340
2341         * stress/regress-191579.js: Added.
2342
2343 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2344
2345         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2346         https://bugs.webkit.org/show_bug.cgi?id=190836
2347
2348         Reviewed by Saam Barati.
2349
2350         * stress/big-int-out-of-memory-tests.js: Added.
2351
2352 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2353
2354         U+180E is no longer a whitespace character
2355         https://bugs.webkit.org/show_bug.cgi?id=191415
2356
2357         Reviewed by Saam Barati.
2358
2359         * ChakraCore/test/es5/regexSpace.baseline:
2360         * ChakraCore/test/es6/unicode_whitespace.js:
2361         Update tests to latest version.
2362         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2363
2364         * test262.yaml:
2365         * test262/config.yaml:
2366         * test262/expectations.yaml:
2367         Update expectations.
2368
2369 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2370
2371         [BigInt] Add support to BigInt into ValueAdd
2372         https://bugs.webkit.org/show_bug.cgi?id=186177
2373
2374         Reviewed by Keith Miller.
2375
2376         * stress/big-int-negate-jit.js:
2377         * stress/value-add-big-int-and-string.js: Added.
2378         * stress/value-add-big-int-prediction-propagation.js: Added.
2379         * stress/value-add-big-int-untyped.js: Added.
2380
2381 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2382
2383         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2384         https://bugs.webkit.org/show_bug.cgi?id=191184
2385
2386         Reviewed by Saam Barati.
2387
2388         Most tests were failing due to timeouts, since they are too slow to
2389         run on CLoop. The exceptions are:
2390
2391         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2392         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2393         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2394         to change the stack size since CLoop requires it to be page aligned.
2395
2396         * microbenchmarks/array-push-1.js:
2397         * microbenchmarks/array-push-2.js:
2398         * microbenchmarks/elidable-new-object-dag.js:
2399         * microbenchmarks/elidable-new-object-roflcopter.js:
2400         * microbenchmarks/elidable-new-object-tree.js:
2401         * microbenchmarks/getter-richards.js:
2402         * microbenchmarks/sinkable-new-object-dag.js:
2403         * microbenchmarks/string-concat-long-convert.js:
2404         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2405         * slowMicrobenchmarks/array-push-3.js:
2406         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2407         * slowMicrobenchmarks/spread-small-array.js:
2408         * slowMicrobenchmarks/undefined-property-access.js:
2409         * stress/activation-sink-default-value-tdz-error.js:
2410         * stress/activation-sink-default-value.js:
2411         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2412         * stress/activation-sink-osrexit-default-value.js:
2413         * stress/activation-sink-osrexit.js:
2414         * stress/activation-sink.js:
2415         * stress/allow-math-ic-b3-code-duplication.js:
2416         * stress/array-push-multiple-int32.js:
2417         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2418         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2419         * stress/arrowfunction-lexical-this-activation-sink.js:
2420         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2421         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2422         * stress/elide-new-object-dag-then-exit.js:
2423         * stress/materialize-regexp-cyclic.js:
2424         * stress/new-regex-inline.js:
2425         * stress/op_add.js:
2426         * stress/op_bitand.js:
2427         * stress/op_bitor.js:
2428         * stress/op_bitxor.js:
2429         * stress/op_div-ConstVar.js:
2430         * stress/op_div-VarConst.js:
2431         * stress/op_div-VarVar.js:
2432         * stress/op_lshift-ConstVar.js:
2433         * stress/op_lshift-VarConst.js:
2434         * stress/op_lshift-VarVar.js:
2435         * stress/op_mod-ConstVar.js:
2436         * stress/op_mod-VarConst.js:
2437         * stress/op_mod-VarVar.js:
2438         * stress/op_mul-ConstVar.js:
2439         * stress/op_mul-VarConst.js:
2440         * stress/op_mul-VarVar.js:
2441         * stress/op_rshift-ConstVar.js:
2442         * stress/op_rshift-VarConst.js:
2443         * stress/op_rshift-VarVar.js:
2444         * stress/op_sub-ConstVar.js:
2445         * stress/op_sub-VarConst.js:
2446         * stress/op_sub-VarVar.js:
2447         * stress/op_urshift-ConstVar.js:
2448         * stress/op_urshift-VarConst.js:
2449         * stress/op_urshift-VarVar.js:
2450         * stress/proxy-get-set-correct-receiver.js:
2451         * stress/regress-179562.js:
2452         * stress/rest-parameter-many-arguments.js:
2453         * stress/sampling-profiler-richards.js:
2454         * stress/splay-flash-access-1ms.js:
2455         * stress/tailCallForwardArguments.js:
2456         * stress/typed-array-get-by-val-profiling.js:
2457         * typeProfiler/getter-richards.js:
2458
2459 2018-11-06  Michael Saboff  <msaboff@apple.com>
2460
2461         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2462         https://bugs.webkit.org/show_bug.cgi?id=191271
2463
2464         Reviewed by Saam Barati.
2465
2466         Added more test cases and made all test cases run with the same deeply recursive stack
2467         instead of finding that same point for each test case.
2468
2469         * stress/regexp-compile-oom.js:
2470         (prototype.runTest):
2471         (recurseAndTest):
2472         (testList.push.new.TestAndExpectedException):
2473
2474 2018-11-05  Michael Saboff  <msaboff@apple.com>
2475
2476         Unreviewed build fix for linux.
2477
2478         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2479
2480 2018-11-02  Michael Saboff  <msaboff@apple.com>
2481
2482         Rolling in r237753 with unreviewed build fix.
2483
2484         Fixed issues with DECLARE_THROW_SCOPE placement.
2485
2486 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2487
2488         Unreviewed, rolling out r237753.
2489
2490         Introduced JSC test failures
2491
2492         Reverted changeset:
2493
2494         "Running out of stack space not properly handled in
2495         RegExp::compile() and its callers"
2496         https://bugs.webkit.org/show_bug.cgi?id=191206
2497         https://trac.webkit.org/changeset/237753
2498
2499 2018-11-02  Michael Saboff  <msaboff@apple.com>
2500
2501         Running out of stack space not properly handled in RegExp::compile() and its callers
2502         https://bugs.webkit.org/show_bug.cgi?id=191206
2503
2504         Reviewed by Filip Pizlo.
2505
2506         New regression test.
2507
2508         * stress/regexp-compile-oom.js: Added.
2509         (recurseAndTest):
2510
2511 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2512
2513         Skip tests on arm/mips that time out now we're running on CLoop
2514
2515         Unreviewed gardening.
2516
2517         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2518         time out on the bots and need to be disabled. There's more tests
2519         disabled on arm because the timeout is longer on the mips bot (as the
2520         device is slower to start with), so many of the tests don't time out
2521         there.
2522
2523         * microbenchmarks/getter-richards.js: disable on arm and mips.
2524         * stress/op_add.js: disable on arm.
2525         * stress/op_bitand.js: disable on arm.
2526         * stress/op_bitor.js: disable on arm.
2527         * stress/op_bitxor.js: disable on arm.
2528         * stress/op_lshift-ConstVar.js: disable on arm.
2529         * stress/op_lshift-VarConst.js: disable on arm.
2530         * stress/op_lshift-VarVar.js: disable on arm.
2531         * stress/op_mod-ConstVar.js: disable on arm.
2532         * stress/op_mod-VarConst.js: disable on arm.
2533         * stress/op_mod-VarVar.js: disable on arm.
2534         * stress/op_mul-ConstVar.js: disable on arm.
2535         * stress/op_mul-VarConst.js: disable on arm.
2536         * stress/op_mul-VarVar.js: disable on arm.
2537         * stress/op_rshift-ConstVar.js: disable on arm.
2538         * stress/op_rshift-VarConst.js: disable on arm.
2539         * stress/op_rshift-VarVar.js: disable on arm.
2540         * stress/op_sub-ConstVar.js: disable on arm.
2541         * stress/op_sub-VarConst.js: disable on arm.
2542         * stress/op_sub-VarVar.js: disable on arm.
2543         * stress/op_urshift-ConstVar.js: disable on arm.
2544         * stress/op_urshift-VarConst.js: disable on arm.
2545         * stress/op_urshift-VarVar.js: disable on arm.
2546         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2547         * stress/value-to-boolean.js: disable on arm and mips.
2548
2549 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2550
2551         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2552         https://bugs.webkit.org/show_bug.cgi?id=191108
2553         <rdar://problem/45690700>
2554
2555         Reviewed by Saam Barati.
2556
2557         * stress/wide-op_catch.js: Added.
2558         (catch):
2559
2560 2018-10-29  Mark Lam  <mark.lam@apple.com>
2561
2562         Correctly detect string overflow when using the 'Function' constructor.
2563         https://bugs.webkit.org/show_bug.cgi?id=184883
2564         <rdar://problem/36320331>
2565
2566         Reviewed by Saam Barati.
2567
2568         I've verified that this passes on 32-bit as well.
2569
2570         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2571
2572 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2573
2574         Add support for GetStack FlushedDouble
2575         https://bugs.webkit.org/show_bug.cgi?id=191012
2576         <rdar://problem/45265141>
2577
2578         Reviewed by Saam Barati.
2579
2580         * stress/get-stack-double.js: Added.
2581         (bar):
2582         (noInline):
2583
2584 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2585
2586         New bytecode format for JSC
2587         https://bugs.webkit.org/show_bug.cgi?id=187373
2588         <rdar://problem/44186758>
2589
2590         Reviewed by Filip Pizlo.
2591
2592         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2593
2594         * stress/maximum-inline-capacity.js: Added.
2595         (test1):
2596         (test3.Foo):
2597         (test3):
2598
2599 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2600
2601         Unreviewed, rolling out r237479 and r237484.
2602         https://bugs.webkit.org/show_bug.cgi?id=190978
2603
2604         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2605
2606         Reverted changesets:
2607
2608         "New bytecode format for JSC"
2609         https://bugs.webkit.org/show_bug.cgi?id=187373
2610         https://trac.webkit.org/changeset/237479
2611
2612         "Gardening: Build fix after r237479."
2613         https://bugs.webkit.org/show_bug.cgi?id=187373
2614         https://trac.webkit.org/changeset/237484
2615
2616 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2617
2618         New bytecode format for JSC
2619         https://bugs.webkit.org/show_bug.cgi?id=187373
2620         <rdar://problem/44186758>
2621
2622         Reviewed by Filip Pizlo.
2623
2624         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2625
2626         * stress/maximum-inline-capacity.js: Added.
2627         (test1):
2628         (test3.Foo):
2629         (test3):
2630
2631 2018-10-26  Mark Lam  <mark.lam@apple.com>
2632
2633         Fix missing edge cases with JSGlobalObjects having a bad time.
2634         https://bugs.webkit.org/show_bug.cgi?id=189028
2635         <rdar://problem/45204939>
2636
2637         Reviewed by Saam Barati.
2638
2639         * stress/regress-189028.js: Added.
2640
2641 2018-10-22  Mark Lam  <mark.lam@apple.com>
2642
2643         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2644         https://bugs.webkit.org/show_bug.cgi?id=190515
2645         <rdar://problem/45222379>
2646
2647         Rubber-stamped by Saam Barati.
2648
2649         Adding another test.
2650
2651         * stress/regress-190515-2.js: Added.
2652
2653 2018-10-22  Mark Lam  <mark.lam@apple.com>
2654
2655         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2656         https://bugs.webkit.org/show_bug.cgi?id=190515
2657         <rdar://problem/45222379>
2658
2659         Reviewed by Saam Barati.
2660
2661         * stress/regress-190515.js: Added.
2662
2663 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2664
2665         Unreviewed, rolling out r237254.
2666         https://bugs.webkit.org/show_bug.cgi?id=190760
2667
2668         "It regresses JetStream 2 by 5% on some iOS devices"
2669         (Requested by saamyjoon on #webkit).
2670
2671         Reverted changeset:
2672
2673         "[JSC] JSC should have "parseFunction" to optimize Function
2674         constructor"
2675         https://bugs.webkit.org/show_bug.cgi?id=190340
2676         https://trac.webkit.org/changeset/237254
2677
2678 2018-10-19  Saam Barati  <sbarati@apple.com>
2679
2680         vmCall should check if we exit before emitting an OSR exit due to exceptions
2681         https://bugs.webkit.org/show_bug.cgi?id=190740
2682         <rdar://problem/45220139>
2683
2684         Reviewed by Mark Lam.
2685
2686         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2687         (foo):
2688
2689 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2690
2691         [ESNext][BigInt] Implement support for "^"
2692         https://bugs.webkit.org/show_bug.cgi?id=186235
2693
2694         Reviewed by Yusuke Suzuki.
2695
2696         * stress/big-int-bitwise-xor-general.js: Added.
2697         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2698         * stress/big-int-bitwise-xor-type-error.js: Added.
2699         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2700
2701 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2702
2703         [BigInt] Add ValueSub into DFG
2704         https://bugs.webkit.org/show_bug.cgi?id=186176
2705
2706         Reviewed by Yusuke Suzuki.
2707
2708         * stress/big-int-subtraction-jit.js:
2709         * stress/value-sub-big-int-prediction-propagation.js: Added.
2710         * stress/value-sub-big-int-untyped.js: Added.
2711         * stress/value-sub-spec-none-case.js: Added.
2712
2713 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2714
2715         [JSC] JSC should have "parseFunction" to optimize Function constructor
2716         https://bugs.webkit.org/show_bug.cgi?id=190340
2717
2718         Reviewed by Mark Lam.
2719
2720         This patch fixes the line number of syntax errors raised by the Function constructor,
2721         since we now parse the final code only once. And we no longer use block statement
2722         for Function constructor's parsing.
2723
2724         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2725         * stress/function-cache-with-parameters-end-position.js: Added.
2726         (shouldBe):
2727         (shouldThrow):
2728         (i.anonymous):
2729         * stress/function-constructor-name.js: Added.
2730         (shouldBe):
2731         (GeneratorFunction):
2732         (AsyncFunction.async):
2733         (AsyncGeneratorFunction.async):
2734         (anonymous):
2735         (async.anonymous):
2736         * test262/expectations.yaml:
2737
2738 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2739
2740         Unreviewed, rolling out r237242.
2741         https://bugs.webkit.org/show_bug.cgi?id=190701
2742
2743         it breaks "stress/sampling-profiler-basic.js" (Requested by
2744         caiolima on #webkit).
2745
2746         Reverted changeset:
2747
2748         "[BigInt] Add ValueSub into DFG"
2749         https://bugs.webkit.org/show_bug.cgi?id=186176
2750         https://trac.webkit.org/changeset/237242
2751
2752 2018-10-17  Keith Miller  <keith_miller@apple.com>
2753
2754         AI does not clear Phantom allocation nodes.
2755         https://bugs.webkit.org/show_bug.cgi?id=190694
2756
2757         Reviewed by Saam Barati.
2758
2759         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2760         (Day):
2761         (DaysInYear):
2762         (TimeInYear):
2763         (TimeFromYear):
2764         (DayFromYear):
2765         (InLeapYear):
2766         (YearFromTime):
2767         (WeekDay):
2768         (DaylightSavingTA):
2769         (GetSecondSundayInMarch):
2770         (TimeInMonth):
2771
2772 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2773
2774         [BigInt] Add ValueSub into DFG
2775         https://bugs.webkit.org/show_bug.cgi?id=186176
2776
2777         Reviewed by Yusuke Suzuki.
2778
2779         * stress/big-int-subtraction-jit.js:
2780         * stress/value-sub-big-int-prediction-propagation.js: Added.
2781         * stress/value-sub-big-int-untyped.js: Added.
2782
2783 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2784
2785         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2786         https://bugs.webkit.org/show_bug.cgi?id=190611
2787
2788         Reviewed by Saam Barati.
2789
2790         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2791         to improve test runtime. On ARM/MIPS this test even timed out when running all
2792         tests.
2793
2794         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2795         (test):
2796
2797 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2798
2799         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2800
2801         Unreviewed gardening.
2802
2803         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2804
2805 2018-10-15  Saam barati  <sbarati@apple.com>
2806
2807         Emit fjcvtzs on ARM64E on Darwin
2808         https://bugs.webkit.org/show_bug.cgi?id=184023
2809
2810         Reviewed by Yusuke Suzuki and Filip Pizlo.
2811
2812         * stress/double-to-int32-NaN.js: Added.
2813         (assert):
2814         (foo):
2815
2816 2018-10-15  Saam Barati  <sbarati@apple.com>
2817
2818         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2819         https://bugs.webkit.org/show_bug.cgi?id=190262
2820         <rdar://problem/44986241>
2821
2822         Reviewed by Mark Lam.
2823
2824         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2825         (test):
2826         * stress/slice-array-storage-with-holes.js: Added.
2827         (main):
2828
2829 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2830
2831         Unreviewed, rolling out r237054.
2832         https://bugs.webkit.org/show_bug.cgi?id=190593
2833
2834         "this regressed JetStream 2 by 6% on iOS" (Requested by
2835         saamyjoon on #webkit).
2836
2837         Reverted changeset:
2838
2839         "[JSC] JSC should have "parseFunction" to optimize Function
2840         constructor"
2841         https://bugs.webkit.org/show_bug.cgi?id=190340
2842         https://trac.webkit.org/changeset/237054
2843
2844 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2845
2846         [JSC] JSON.stringify can accept call-with-no-arguments
2847         https://bugs.webkit.org/show_bug.cgi?id=190343
2848
2849         Reviewed by Mark Lam.
2850
2851         * stress/json-stringify-no-arguments.js: Added.
2852         (shouldBe):
2853
2854 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2855
2856         [JSC] JSC should have "parseFunction" to optimize Function constructor
2857         https://bugs.webkit.org/show_bug.cgi?id=190340
2858
2859         Reviewed by Mark Lam.
2860
2861         This patch fixes the line number of syntax errors raised by the Function constructor,
2862         since we now parse the final code only once. And we no longer use block statement
2863         for Function constructor's parsing.
2864
2865         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2866         * stress/function-cache-with-parameters-end-position.js: Added.
2867         (shouldBe):
2868         (shouldThrow):
2869         (i.anonymous):
2870         * stress/function-constructor-name.js: Added.
2871         (shouldBe):
2872         (GeneratorFunction):
2873         (AsyncFunction.async):
2874         (AsyncGeneratorFunction.async):
2875         (anonymous):
2876         (async.anonymous):
2877         * test262/expectations.yaml:
2878
2879 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2880
2881         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2882         https://bugs.webkit.org/show_bug.cgi?id=190426
2883
2884         Unreviewed gardening.
2885
2886         * stress/sampling-profiler-richards.js:
2887
2888 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2889
2890         [ESNext][BigInt] Implement support for "|"
2891         https://bugs.webkit.org/show_bug.cgi?id=186229
2892
2893         Reviewed by Yusuke Suzuki.
2894
2895         * stress/big-int-bitwise-and-jit.js:
2896         * stress/big-int-bitwise-or-general.js: Added.
2897         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2898         * stress/big-int-bitwise-or-jit.js: Added.
2899         * stress/big-int-bitwise-or-memory-stress.js: Added.
2900         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2901         * stress/big-int-bitwise-or-type-error.js: Added.
2902         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2903
2904 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2905
2906         Skip test on systems with limited memory
2907         https://bugs.webkit.org/show_bug.cgi?id=190310
2908
2909         Invoking runDefault adds test to runlist, skipping the test in the next
2910         line does not prevent the test from executing. Change order of lines such
2911         that runDefault is only executed if test is not executed.
2912
2913         Reviewed by Mark Lam.
2914
2915         * stress/regress-190187.js:
2916
2917 2018-10-03  Saam barati  <sbarati@apple.com>
2918
2919         lowXYZ in FTLLower should always filter the type of the incoming edge
2920         https://bugs.webkit.org/show_bug.cgi?id=189939
2921         <rdar://problem/44407030>
2922
2923         Reviewed by Michael Saboff.
2924
2925         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2926         (foo):
2927         (test):
2928
2929 2018-10-03  Mark Lam  <mark.lam@apple.com>
2930
2931         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2932         https://bugs.webkit.org/show_bug.cgi?id=190187
2933         <rdar://problem/42512909>
2934
2935         Reviewed by Michael Saboff.
2936
2937         * stress/regress-190187.js: Added.
2938
2939 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2940
2941         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2942         https://bugs.webkit.org/show_bug.cgi?id=190033
2943
2944         Reviewed by Yusuke Suzuki.
2945
2946         * stress/big-int-to-string.js:
2947
2948 2018-10-01  Mark Lam  <mark.lam@apple.com>
2949
2950         Function.toString() should also copy the source code of Functions that are class definitions.
2951         https://bugs.webkit.org/show_bug.cgi?id=190186
2952         <rdar://problem/44733360>
2953
2954         Reviewed by Saam Barati.
2955
2956         * stress/regress-190186.js: Added.
2957
2958 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2959
2960         Split NaN-check into separate test
2961         https://bugs.webkit.org/show_bug.cgi?id=190010
2962
2963         Reviewed by Saam Barati.
2964
2965         DataView exposes NaN-representation, which is not necessarily the same on each
2966         architecture. Therefore move the check of the NaN-representation into its own
2967         file such that we can disable this test on MIPS where NaN-representation can be
2968         different on older CPUs.
2969
2970         * stress/dataview-jit-set-nan.js: Added.
2971         (assert):
2972         (test.storeLittleEndian):
2973         (test.storeBigEndian):
2974         (test.store):
2975         (test):
2976         * stress/dataview-jit-set.js:
2977         (test5):
2978
2979 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2980
2981         Unreviewed, rolling out r236647.
2982         https://bugs.webkit.org/show_bug.cgi?id=190124
2983
2984         Breaking test stress/big-int-to-string.js (Requested by
2985         caiolima_ on #webkit).
2986
2987         Reverted changeset:
2988
2989         "[BigInt] BigInt.prototype.toString is broken when radix is
2990         power of 2"
2991         https://bugs.webkit.org/show_bug.cgi?id=190033
2992         https://trac.webkit.org/changeset/236647
2993
2994 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2995
2996         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2997         https://bugs.webkit.org/show_bug.cgi?id=190033
2998
2999         Reviewed by Yusuke Suzuki.
3000
3001         * stress/big-int-to-string.js:
3002
3003 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3004
3005         [ESNext][BigInt] Implement support for "&"
3006         https://bugs.webkit.org/show_bug.cgi?id=186228
3007
3008         Reviewed by Yusuke Suzuki.
3009
3010         * stress/big-int-bitwise-and-general.js: Added.
3011         (assert):
3012         (assert.sameValue):
3013         * stress/big-int-bitwise-and-jit.js: Added.
3014         (let.assert.sameValue):
3015         (bigIntBitAnd):
3016         * stress/big-int-bitwise-and-memory-stress.js: Added.
3017         (assert):
3018         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3019         (assert.sameValue):
3020         (let.o.Symbol.toPrimitive):
3021         (catch):
3022         * stress/big-int-bitwise-and-type-error.js: Added.
3023         (assert):
3024         (assertThrowTypeError):
3025         (let.o.valueOf):
3026         (o.valueOf):
3027         (o.toString):
3028         (o.Symbol.toPrimitive):
3029         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3030         (assert.sameValue):
3031         (testBitAnd):
3032         (let.o.Symbol.toPrimitive):
3033         (o.valueOf):
3034         (o.toString):
3035
3036 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3037
3038         JSC test stress/jsc-read.js doesn't support CRLF
3039         https://bugs.webkit.org/show_bug.cgi?id=190063
3040
3041         Reviewed by Yusuke Suzuki.
3042
3043         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3044
3045         * stress/jsc-read.js:
3046         (test):
3047
3048 2018-09-27  Saam barati  <sbarati@apple.com>
3049
3050         Verify the contents of AssemblerBuffer on arm64e
3051         https://bugs.webkit.org/show_bug.cgi?id=190057
3052         <rdar://problem/38916630>
3053
3054         Reviewed by Mark Lam.
3055
3056         * stress/regress-189132.js:
3057
3058 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3059
3060         Disable test without LLInt on ARMv7
3061         https://bugs.webkit.org/show_bug.cgi?id=190037
3062
3063         Reviewed by Mark Lam.
3064
3065         Test runs out of executable memory on ARMv7, do not run
3066         this test without LLInt enabled.
3067
3068         * stress/regress-169445.js:
3069
3070 2018-09-26  Keith Miller  <keith_miller@apple.com>
3071
3072         We should zero unused property storage when rebalancing array storage.
3073         https://bugs.webkit.org/show_bug.cgi?id=188151
3074
3075         Reviewed by Michael Saboff.
3076
3077         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3078
3079 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3080
3081         [JSC] Optimize Array#lastIndexOf
3082         https://bugs.webkit.org/show_bug.cgi?id=189780
3083
3084         Reviewed by Saam Barati.
3085
3086         * stress/array-lastindexof-array-prototype-trap.js: Added.
3087         (shouldBe):
3088         (AncestorArray.prototype.get 2):
3089         (AncestorArray):
3090         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3091         (shouldBe):
3092         * stress/array-lastindexof-hole-nan.js: Added.
3093         (shouldBe):
3094         (throw.new.Error):
3095         * stress/array-lastindexof-infinity.js: Added.
3096         (shouldBe):
3097         (throw.new.Error):
3098         * stress/array-lastindexof-negative-zero.js: Added.
3099         (shouldBe):
3100         (throw.new.Error):
3101         * stress/array-lastindexof-own-getter.js: Added.
3102         (shouldBe):
3103         (throw.new.Error.get array):
3104         (get array):
3105         * stress/array-lastindexof-prototype-trap.js: Added.
3106         (shouldBe):
3107         (DerivedArray.prototype.get 2):
3108         (DerivedArray):
3109
3110 2018-09-25  Saam Barati  <sbarati@apple.com>
3111
3112         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3113         https://bugs.webkit.org/show_bug.cgi?id=189940
3114         <rdar://problem/43640987>
3115
3116         Reviewed by Mark Lam.
3117
3118         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3119
3120 2018-09-24  Saam Barati  <sbarati@apple.com>
3121
3122         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3123         https://bugs.webkit.org/show_bug.cgi?id=189922
3124         <rdar://problem/44651275>
3125
3126         Reviewed by Mark Lam.
3127
3128         * stress/array-indexof-fast-path-effects.js: Added.
3129         * stress/array-indexof-cached-length.js: Added.
3130
3131 2018-09-24  Saam barati  <sbarati@apple.com>
3132
3133         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3134         https://bugs.webkit.org/show_bug.cgi?id=189682
3135         <rdar://problem/43557315>
3136
3137         Reviewed by Mark Lam.
3138
3139         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3140         (foo):
3141
3142 2018-09-22  Saam barati  <sbarati@apple.com>
3143
3144         The sampling should not use Strong<CodeBlock> in its machineLocation field
3145         https://bugs.webkit.org/show_bug.cgi?id=189319
3146
3147         Reviewed by Filip Pizlo.
3148
3149         * stress/sampling-profiler-richards.js: Added.
3150
3151 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3152
3153         [JSC] Optimize Array#indexOf in C++ runtime
3154         https://bugs.webkit.org/show_bug.cgi?id=189507
3155
3156         Reviewed by Saam Barati.
3157
3158         * stress/array-indexof-array-prototype-trap.js: Added.
3159         (shouldBe):
3160         (AncestorArray.prototype.get 2):
3161         (AncestorArray):
3162         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3163         (shouldBe):
3164         * stress/array-indexof-hole-nan.js: Added.
3165         (shouldBe):
3166         (throw.new.Error):
3167         * stress/array-indexof-infinity.js: Added.
3168         (shouldBe):
3169         (throw.new.Error):
3170         * stress/array-indexof-negative-zero.js: Added.
3171         (shouldBe):
3172         (throw.new.Error):
3173         * stress/array-indexof-own-getter.js: Added.
3174         (shouldBe):
3175         (throw.new.Error.get array):
3176         (get array):
3177         * stress/array-indexof-prototype-trap.js: Added.
3178         (shouldBe):
3179         (DerivedArray.prototype.get 2):
3180         (DerivedArray):
3181
3182 2018-09-19  Saam barati  <sbarati@apple.com>
3183
3184         AI rule for MultiPutByOffset executes its effects in the wrong order
3185         https://bugs.webkit.org/show_bug.cgi?id=189757
3186         <rdar://problem/43535257>
3187
3188         Reviewed by Michael Saboff.
3189
3190         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3191         (foo):
3192         (Foo):
3193         (g):
3194
3195 2018-09-17  Mark Lam  <mark.lam@apple.com>
3196
3197         Ensure that ForInContexts are invalidated if their loop local is over-written.
3198         https://bugs.webkit.org/show_bug.cgi?id=189571
3199         <rdar://problem/44402277>
3200
3201         Reviewed by Saam Barati.
3202
3203         * stress/regress-189571.js: Added.
3204
3205 2018-09-17  Saam barati  <sbarati@apple.com>
3206
3207         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3208         https://bugs.webkit.org/show_bug.cgi?id=189676
3209         <rdar://problem/39682897>
3210
3211         Reviewed by Michael Saboff.
3212
3213         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3214         (A):
3215         (K):
3216         (i.catch):
3217
3218 2018-09-14  Saam barati  <sbarati@apple.com>
3219
3220         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3221         https://bugs.webkit.org/show_bug.cgi?id=189628
3222         <rdar://problem/39481690>
3223
3224         Reviewed by Mark Lam.
3225
3226         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3227         (foo):
3228
3229 2018-09-11  Mark Lam  <mark.lam@apple.com>
3230
3231         Test for array initialization in arrayProtoFuncSplice.
3232         https://bugs.webkit.org/show_bug.cgi?id=170253
3233         <rdar://problem/31328773>
3234
3235         Rubber-stamped by Saam Barati.
3236
3237         * stress/regress-170253.js: Added.
3238
3239 2018-09-11  Mark Lam  <mark.lam@apple.com>
3240
3241         Test for IntlObject initialization.
3242         https://bugs.webkit.org/show_bug.cgi?id=170251
3243         <rdar://problem/31328419>
3244
3245         Rubber-stamped by Saam Barati.
3246
3247         * stress/regress-170251.js: Added.
3248
3249 2018-09-11  Mark Lam  <mark.lam@apple.com>
3250
3251         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3252         https://bugs.webkit.org/show_bug.cgi?id=169889
3253         <rdar://problem/31155607>
3254
3255         Reviewed by Saam Barati.
3256
3257         * stress/regress-169889-array-concat.js: Added.
3258         * stress/regress-169889-array-concat1.js: Added.
3259         * stress/regress-169889-array-slice.js: Added.
3260
3261 2018-09-11  Mark Lam  <mark.lam@apple.com>
3262
3263         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3264         https://bugs.webkit.org/show_bug.cgi?id=169445
3265         <rdar://problem/30957435>
3266
3267         Reviewed by Saam Barati.
3268
3269         * stress/regress-169445.js: Added.
3270         (let.gun.eval.A):
3271         (let.gun.eval.B.C):
3272         (let.gun.eval.B.C.prototype.trigger):
3273         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3274         (let.gun.eval.B):
3275         (let.gun.eval):
3276
3277 == Rolled over to ChangeLog-2018-09-11 ==