Unreviewed. Make the test from r243906 catch the thrown exceptions.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-04  Saam Barati  <sbarati@apple.com>
2
3         Unreviewed. Make the test from r243906 catch the thrown exceptions.
4
5         * stress/inferred-types-regex-matches-array.js:
6
7 2019-04-04  Saam Barati  <sbarati@apple.com>
8
9         createRegExpMatchesArray does not respect inferred types
10         https://bugs.webkit.org/show_bug.cgi?id=193287
11
12         Reviewed by Yusuke Suzuki.
13
14         This checks in the test case for 193287. This issue was discovered by
15         Samuel Groß of Google Project Zero.
16
17         * stress/inferred-types-regex-matches-array.js: Added.
18
19 2019-04-04  Saam Barati  <sbarati@apple.com>
20
21         Teach Call ICs how to call Wasm
22         https://bugs.webkit.org/show_bug.cgi?id=196387
23
24         Reviewed by Filip Pizlo.
25
26         * wasm/function-tests/stack-trace.js:
27
28 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
29
30         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
31         https://bugs.webkit.org/show_bug.cgi?id=194944
32
33         Reviewed by Keith Miller.
34
35         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
36
37 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
38
39         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
40         https://bugs.webkit.org/show_bug.cgi?id=196409
41
42         Reviewed by Saam Barati.
43
44         * stress/bytecode-cache-cached-string-impl.js: Added.
45         (f):
46         (g):
47         * stress/bytecode-cache-run-string.js: Added.
48
49 2019-04-03  Robin Morisset  <rmorisset@apple.com>
50
51         B3 should use associativity to optimize expression trees
52         https://bugs.webkit.org/show_bug.cgi?id=194081
53
54         Reviewed by Filip Pizlo.
55
56         Added three microbenchmarks:
57         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
58         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
59           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
60         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
61
62         * microbenchmarks/add-tree.js: Added.
63         * microbenchmarks/bit-or-tree.js: Added.
64         * microbenchmarks/bit-xor-tree.js: Added.
65
66 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
67
68         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
69         https://bugs.webkit.org/show_bug.cgi?id=196574
70
71         Reviewed by Saam Barati.
72
73         * stress/string-index-of-exception-check.js: Added.
74         (blurType):
75         (1.forEach):
76
77 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
78
79         Assertion failed in JSC::createError
80         https://bugs.webkit.org/show_bug.cgi?id=196305
81         <rdar://problem/49387382>
82
83         Reviewed by Saam Barati.
84
85         * stress/create-error-out-of-memory-rope-string-2.js: Added.
86         (assert):
87         (catch):
88
89 2019-03-28  Saam Barati  <sbarati@apple.com>
90
91         BackwardsGraph needs to consider back edges as the backward's root successor
92         https://bugs.webkit.org/show_bug.cgi?id=195991
93
94         Reviewed by Filip Pizlo.
95
96         * stress/map-b3-licm-infinite-loop.js: Added.
97
98 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
99
100         CodeBlock::jettison() should disallow repatching its own calls
101         https://bugs.webkit.org/show_bug.cgi?id=196359
102         <rdar://problem/48973663>
103
104         Reviewed by Saam Barati.
105
106         * stress/call-link-info-osrexit-repatch.js: Added.
107         (foo):
108
109 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
110
111         [JSC] imports-oom.js intermittently fails
112         https://bugs.webkit.org/show_bug.cgi?id=196373
113
114         Reviewed by Saam Barati.
115
116         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
117         with an extremely low amount of executable memory. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
118         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
119         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
120         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
121
122         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
123         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
124
125         * wasm/lowExecutableMemory/imports-oom.js:
126
127 2019-03-27  Saam Barati  <sbarati@apple.com>
128
129         validateOSREntryValue with Int52 should box the value being checked into double format
130         https://bugs.webkit.org/show_bug.cgi?id=196313
131         <rdar://problem/49306703>
132
133         Reviewed by Yusuke Suzuki.
134
135         * stress/validate-int-52-ai-state.js: Added.
136
137 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
138
139         [JSC] Owner of watchpoints should validate at GC finalizing phase
140         https://bugs.webkit.org/show_bug.cgi?id=195827
141
142         Reviewed by Filip Pizlo.
143
144         * stress/gc-should-reap-dead-watchpoints.js: Added.
145         (foo):
146         (A.prototype.y):
147         (A):
148
149 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
150
151         Skip WebAssembly test on 32-bit systems
152         https://bugs.webkit.org/show_bug.cgi?id=196206
153
154         Reviewed by Saam Barati.
155
156         Invoking runDefault executes test immediately even though
157         that test should be skipped due to missing WASM support.
158         Therefore remove runDefault.
159
160         * wasm/regress/web-assembly-link-error-exception-check.js:
161
162 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
163
164         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
165         https://bugs.webkit.org/show_bug.cgi?id=196217
166
167         Reviewed by Saam Barati.
168
169         Re-enable all NaN tests for f32.min, f64.min and f64.max.
170
171         * wasm/spec-tests/f32.wast.js:
172         * wasm/spec-tests/f64.wast.js:
173         * wasm/wasm.json:
174
175 2019-03-25  Keith Miller  <keith_miller@apple.com>
176
177         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
178         https://bugs.webkit.org/show_bug.cgi?id=196176
179
180         Reviewed by Saam Barati.
181
182         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
183         (main.v10):
184         (main):
185
186 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
187
188         WebAssembly: f32.max with NaN generates incorrect result
189         https://bugs.webkit.org/show_bug.cgi?id=175691
190         <rdar://problem/33952228>
191
192         Reviewed by Saam Barati.
193
194         Enable all f32.max NaN tests
195
196         * wasm/spec-tests/f32.wast.js:
197         * wasm/wasm.json:
198
199 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
200
201         [JSC] Move test into directory for WASM tests
202         https://bugs.webkit.org/show_bug.cgi?id=196187
203
204         Reviewed by Mark Lam.
205
206         Move Test into wasm-directory. Otherwise this test
207         is also executed on systems without WASM support.
208
209         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
210
211 2019-03-23  Mark Lam  <mark.lam@apple.com>
212
213         Rolling out r243032 and r243071 because the fix is incorrect.
214         https://bugs.webkit.org/show_bug.cgi?id=195892
215         <rdar://problem/48981239>
216
217         Not reviewed.
218
219         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
220
221 2019-03-22  Mark Lam  <mark.lam@apple.com>
222
223         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
224         https://bugs.webkit.org/show_bug.cgi?id=196154
225         <rdar://problem/49145307>
226
227         Reviewed by Filip Pizlo.
228
229         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
230         There's no need to run this test on more than 1 test configuration.
231
232         * stress/typed-array-lastIndexOf-exception-check.js: Added.
233         * stress/web-assembly-link-error-exception-check.js:
234
235 2019-03-22  Mark Lam  <mark.lam@apple.com>
236
237         Placate exception check validation in constructJSWebAssemblyLinkError().
238         https://bugs.webkit.org/show_bug.cgi?id=196152
239         <rdar://problem/49145257>
240
241         Reviewed by Michael Saboff.
242
243         * stress/web-assembly-link-error-exception-check.js: Added.
244
245 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
246
247         Skip tests running out of memory on ARM/MIPS
248         https://bugs.webkit.org/show_bug.cgi?id=196131
249
250         Unreviewed. Skip test if memory is limited.
251
252         * microbenchmarks/put-by-val-direct-large-index.js:
253
254 2019-03-21  Mark Lam  <mark.lam@apple.com>
255
256         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
257         https://bugs.webkit.org/show_bug.cgi?id=196116
258         <rdar://problem/48976951>
259
260         Reviewed by Filip Pizlo.
261
262         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
263
264 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
265
266         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
267         https://bugs.webkit.org/show_bug.cgi?id=196078
268         <rdar://problem/35925380>
269
270         Reviewed by Mark Lam.
271
272         Add a new benchmark that allocates several objects and invokes put_by_val_direct
273         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
274
275         * microbenchmarks/put-by-val-direct-large-index.js: Added.
276
277 2019-03-21  Mark Lam  <mark.lam@apple.com>
278
279         Placate exception check validation in operationArrayIndexOfString().
280         https://bugs.webkit.org/show_bug.cgi?id=196067
281         <rdar://problem/49056572>
282
283         Reviewed by Michael Saboff.
284
285         * stress/string-equal-exception-check.js: Added.
286
287 2019-03-21  Mark Lam  <mark.lam@apple.com>
288
289         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
290         https://bugs.webkit.org/show_bug.cgi?id=196055
291         <rdar://problem/49067448>
292
293         Reviewed by Yusuke Suzuki.
294
295         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
296
297 2019-03-20  Saam Barati  <sbarati@apple.com>
298
299         typeOfDoubleSum is wrong for when NaN can be produced
300         https://bugs.webkit.org/show_bug.cgi?id=196030
301
302         Reviewed by Filip Pizlo.
303
304         * stress/double-add-sub-mul-can-produce-nan.js: Added.
305         (assert):
306         (noInline.sub):
307         (noInline):
308         (assert.mul):
309         (assert.add):
310
311 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
312
313         Update the test to ensure OutOfMemoryError is thrown as intended
314         https://bugs.webkit.org/show_bug.cgi?id=196032
315         <rdar://problem/46842740>
316
317         Rubber stamped by Saam Barati.
318
319         * stress/create-error-out-of-memory-rope-string.js:
320         (assert):
321         (catch):
322
323 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
324
325         JSC::createError needs to check for OOM in errorDescriptionForValue
326         https://bugs.webkit.org/show_bug.cgi?id=196032
327         <rdar://problem/46842740>
328
329         Reviewed by Mark Lam.
330
331         * stress/create-error-out-of-memory-rope-string.js: Added.
332
333 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
334
335         Unreviewed, reduce # of iterations to avoid timing out after r242991
336         https://bugs.webkit.org/show_bug.cgi?id=195791
337
338         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
339
340         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
341
342 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
343
344         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
345         https://bugs.webkit.org/show_bug.cgi?id=195950
346
347         Unreviewed, reducing the amount of memory used on this test to avoid
348         OOM on devices with memory restrictions.
349
350         * microbenchmarks/generate-multiple-llint-entrypoints.js:
351
352 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
353
354         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
355         https://bugs.webkit.org/show_bug.cgi?id=194648
356
357         Reviewed by Keith Miller.
358
359         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
360
361 2019-03-18  Mark Lam  <mark.lam@apple.com>
362
363         Missing a ThrowScope release in JSObject::toString().
364         https://bugs.webkit.org/show_bug.cgi?id=195893
365         <rdar://problem/48970986>
366
367         Reviewed by Michael Saboff.
368
369         * stress/to-string-exception-check-release.js: Added.
370
371 2019-03-18  Mark Lam  <mark.lam@apple.com>
372
373         Structure::flattenDictionary() should clear unused property slots.
374         https://bugs.webkit.org/show_bug.cgi?id=195871
375         <rdar://problem/48959497>
376
377         Reviewed by Michael Saboff.
378
379         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
380
381 2019-03-15  Mark Lam  <mark.lam@apple.com>
382
383         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
384         https://bugs.webkit.org/show_bug.cgi?id=195827
385         <rdar://problem/48845513>
386
387         Reviewed by Filip Pizlo.
388
389         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
390
391 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
392
393         [ARM,MIPS] Skip slow tests
394         https://bugs.webkit.org/show_bug.cgi?id=195799
395
396         Unreviewed, test does not finish on ARM and MIPS within the
397         timeout limit.
398
399         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
400
401 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
402
403         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
404         https://bugs.webkit.org/show_bug.cgi?id=195791
405         <rdar://problem/48806130>
406
407         Reviewed by Mark Lam.
408
409         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
410         (foo):
411
412 2019-03-14  Saam Barati  <sbarati@apple.com>
413
414         We can't remove code after ForceOSRExit until after FixupPhase
415         https://bugs.webkit.org/show_bug.cgi?id=186916
416         <rdar://problem/41396612>
417
418         Reviewed by Yusuke Suzuki.
419
420         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
421         (foo):
422         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
423         (foo):
424
425 2019-03-13  Michael Saboff  <msaboff@apple.com>
426
427         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
428         https://bugs.webkit.org/show_bug.cgi?id=195735
429
430         Reviewed by Mark Lam.
431
432         New regression test.
433
434         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
435         (foo):
436         (bar):
437
438 2019-03-14  Saam Barati  <sbarati@apple.com>
439
440         Fixup uses KnownInt32 incorrectly in some nodes
441         https://bugs.webkit.org/show_bug.cgi?id=195279
442         <rdar://problem/47915654>
443
444         Reviewed by Yusuke Suzuki.
445
446         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
447         (foo):
448
449 2019-03-14  Keith Miller  <keith_miller@apple.com>
450
451         DFG liveness can't skip tail caller inline frames
452         https://bugs.webkit.org/show_bug.cgi?id=195715
453
454         Reviewed by Saam Barati.
455
456         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
457         (i.foo):
458
459 2019-03-13  Mark Lam  <mark.lam@apple.com>
460
461         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
462         https://bugs.webkit.org/show_bug.cgi?id=195415
463
464         Not reviewed.
465
466         Changed these tests to only run the default configuration.
467         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
468         There's no strong need to run this test on that variant.
469
470         * stress/dfg-to-string-on-int-does-gc.js:
471         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
472
473 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
474
475         String overflow when using StringBuilder in JSC::createError
476         https://bugs.webkit.org/show_bug.cgi?id=194957
477
478         Reviewed by Mark Lam.
479
480         Add test string-overflow-createError-builder.js that overflows
481         StringBuilder in notAFunctionSourceAppender. The second new test
482         string-overflow-createError-fit.js has an error message that doesn't
483         overflow, it still failed since the String's capacity can't be doubled.
484         Run test string-overflow-createError.js only in the default
485         configuration to reduce memory consumption when running the test
486         in all configurations on multiple CPUs in parallel.
487
488         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
489         (catch):
490         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
491         (catch):
492         * stress/string-overflow-createError.js:
493
494 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
495
496         [JSC] OSR entry should respect abstract values in addition to flush formats
497         https://bugs.webkit.org/show_bug.cgi?id=195653
498
499         Reviewed by Mark Lam.
500
501         * stress/osr-entry-locals-none.js: Added.
502
503 2019-03-12  Michael Saboff  <msaboff@apple.com>
504
505         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
506         https://bugs.webkit.org/show_bug.cgi?id=195613
507
508         Reviewed by Mark Lam.
509
510         New regression test.
511
512         * stress/regexp-backref-inbounds.js: Added.
513         (testRegExp):
514
515 2019-03-12  Mark Lam  <mark.lam@apple.com>
516
517         The HasIndexedProperty node does GC.
518         https://bugs.webkit.org/show_bug.cgi?id=195559
519         <rdar://problem/48767923>
520
521         Reviewed by Yusuke Suzuki.
522
523         * stress/HasIndexedProperty-does-gc.js: Added.
524
525 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
526
527         [ESNext][BigInt] Implement "~" unary operation
528         https://bugs.webkit.org/show_bug.cgi?id=182216
529
530         Reviewed by Keith Miller.
531
532         * stress/big-int-bit-not-general.js: Added.
533         * stress/big-int-bitwise-not-jit.js: Added.
534         * stress/big-int-bitwise-not-wrapped-value.js: Added.
535         * stress/bit-op-with-object-returning-int32.js:
536         * stress/bitwise-not-fixup-rules.js: Added.
537         * stress/value-bit-not-ai-rule.js: Added.
538
539 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
540
541         Invalid flags in a RegExp literal should be an early SyntaxError
542         https://bugs.webkit.org/show_bug.cgi?id=195514
543
544         Reviewed by Darin Adler.
545
546         * test262/expectations.yaml:
547         Mark 4 test cases as passing.
548
549         * stress/regexp-syntax-error-invalid-flags.js:
550         * stress/regress-161995.js: Removed.
551         Update existing test, merging in an older test for the same behavior.
552
553 2019-03-08  Mark Lam  <mark.lam@apple.com>
554
555         Stack overflow crash in JSC::JSObject::hasInstance.
556         https://bugs.webkit.org/show_bug.cgi?id=195458
557         <rdar://problem/48710195>
558
559         Reviewed by Yusuke Suzuki.
560
561         * stress/stack-overflow-in-custom-hasInstance.js: Added.
562
563 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
564
565         op_check_tdz does not def its argument
566         https://bugs.webkit.org/show_bug.cgi?id=192880
567         <rdar://problem/46221598>
568
569         Reviewed by Saam Barati.
570
571         * microbenchmarks/let-for-in.js: Added.
572         (foo):
573
574 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
575
576         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
577         https://bugs.webkit.org/show_bug.cgi?id=195429
578
579         Reviewed by Saam Barati.
580
581         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
582         (foo):
583         * stress/string-from-char-code-255.js: Added.
584
585 2019-03-06  Mark Lam  <mark.lam@apple.com>
586
587         Fix incorrect handling of try-finally completion values.
588         https://bugs.webkit.org/show_bug.cgi?id=195131
589         <rdar://problem/46222079>
590
591         Reviewed by Saam Barati and Yusuke Suzuki.
592
593         Added many permutations of new test case to test-finally.js.  test-finally.js has
594         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
595         tests pass there as well.
596
597         * stress/test-finally.js:
598
599 2019-03-06  Saam Barati  <sbarati@apple.com>
600
601         Air::reportUsedRegisters must padInterference
602         https://bugs.webkit.org/show_bug.cgi?id=195303
603         <rdar://problem/48270343>
604
605         Reviewed by Keith Miller.
606
607         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
608
609 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
610
611         [JSC] AI should not propagate AbstractValue relying on constant folding phase
612         https://bugs.webkit.org/show_bug.cgi?id=195375
613
614         Reviewed by Saam Barati.
615
616         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
617         (let.array):
618
619 2019-03-05  Saam Barati  <sbarati@apple.com>
620
621         op_switch_char broken for rope strings after JSRopeString layout rewrite
622         https://bugs.webkit.org/show_bug.cgi?id=195339
623         <rdar://problem/48592545>
624
625         Reviewed by Yusuke Suzuki.
626
627         * stress/switch-on-char-llint-rope.js: Added.
628
629 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
630
631         [JSC] Store bits for JSRopeString in 3 stores
632         https://bugs.webkit.org/show_bug.cgi?id=195234
633
634         Reviewed by Saam Barati.
635
636         * stress/null-rope-and-collectors.js: Added.
637
638 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
639
640         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
641         https://bugs.webkit.org/show_bug.cgi?id=195207
642
643         Unreviewed. After test runtime was reduced in r242213, test can be
644         run again on ARM/MIPS.
645
646         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
647
648 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
649
650         [JSC] sizeof(JSString) should be 16
651         https://bugs.webkit.org/show_bug.cgi?id=194375
652
653         Reviewed by Saam Barati.
654
655         * microbenchmarks/make-rope.js: Added.
656         (makeRope):
657         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
658         (returnRope.helper): Deleted.
659         (returnRope): Deleted.
660
661 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
662
663         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
664         https://bugs.webkit.org/show_bug.cgi?id=195144
665
666         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
667         Change the number from 1e8 to 1e5.
668
669         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
670         (foo):
671
672 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
673
674         Test times out on ARM/MIPS
675         https://bugs.webkit.org/show_bug.cgi?id=195168
676
677         Unreviewed. Skip test on ARM/MIPS.
678
679         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
680
681 2019-02-27  Mark Lam  <mark.lam@apple.com>
682
683         The parser is failing to record the token location of new in new.target.
684         https://bugs.webkit.org/show_bug.cgi?id=195127
685         <rdar://problem/39645578>
686
687         Reviewed by Yusuke Suzuki.
688
689         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
690
691 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
692
693         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
694         https://bugs.webkit.org/show_bug.cgi?id=195144
695         <rdar://problem/47595961>
696
697         Reviewed by Mark Lam.
698
699         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
700         (bar):
701         (foo):
702         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
703         (bar):
704         (foo):
705
706 2019-02-27  Robin Morisset  <rmorisset@apple.com>
707
708         DFG: Loop-invariant code motion (LICM) should not hoist dead code
709         https://bugs.webkit.org/show_bug.cgi?id=194945
710         <rdar://problem/48311657>
711
712         Reviewed by Mark Lam.
713
714         * stress/licm-dead-code.js: Added.
715
716 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
717
718         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
719         https://bugs.webkit.org/show_bug.cgi?id=194677
720         <rdar://problem/48112492>
721
722         Reviewed by Mark Lam.
723
724         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
725         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
726         it immediately fails due to the large size.
727
728         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
729         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
730         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
731         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
732
733         This patch changes the test to produce 16bit string from String.fromCharCode.
734
735         * stress/regress-178386.js:
736
737 2019-02-26  Mark Lam  <mark.lam@apple.com>
738
739         wasmToJS() should purify incoming NaNs.
740         https://bugs.webkit.org/show_bug.cgi?id=194807
741         <rdar://problem/48189132>
742
743         Reviewed by Saam Barati.
744
745         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
746
747 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
748
749         [JSC] Repeat string created from Array.prototype.join() take too much memory
750         https://bugs.webkit.org/show_bug.cgi?id=193912
751
752         Reviewed by Saam Barati.
753
754         Added a test and a microbenchmark for corner cases of
755         Array.prototype.join() with an uninitialized array.
756
757         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
758         * stress/array-prototype-join-uninitialized.js: Added.
759         (testArray):
760         (testABC):
761         (B):
762         (C):
763
764 2019-02-22  Robin Morisset  <rmorisset@apple.com>
765
766         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
767         https://bugs.webkit.org/show_bug.cgi?id=194953
768         <rdar://problem/47595253>
769
770         Reviewed by Saam Barati.
771
772         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
773
774         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
775
776 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
777
778         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
779         https://bugs.webkit.org/show_bug.cgi?id=172848
780         <rdar://problem/25709212>
781
782         Reviewed by Mark Lam.
783
784         * typeProfiler/inheritance.js:
785         Rewrite the test slightly for clarity. The hoisting was confusing.
786
787         * heapProfiler/class-names.js: Added.
788         (MyES5Class):
789         (MyES6Class):
790         (MyES6Subclass):
791         Test object types and improved class names.
792
793         * heapProfiler/driver/driver.js:
794         (CheapHeapSnapshotNode):
795         (CheapHeapSnapshot):
796         (createCheapHeapSnapshot):
797         (HeapSnapshot):
798         (createHeapSnapshot):
799         Update snapshot parsing from version 1 to version 2.
800
801 2019-02-19  Truitt Savell  <tsavell@apple.com>
802
803         Unreviewed, rolling out r241784.
804
805         Broke all OpenSource builds.
806
807         Reverted changeset:
808
809         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
810         instances view"
811         https://bugs.webkit.org/show_bug.cgi?id=172848
812         https://trac.webkit.org/changeset/241784
813
814 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
815
816         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
817         https://bugs.webkit.org/show_bug.cgi?id=172848
818         <rdar://problem/25709212>
819
820         Reviewed by Mark Lam.
821
822         * typeProfiler/inheritance.js:
823         Rewrite the test slightly for clarity. The hoisting was confusing.
824
825         * heapProfiler/class-names.js: Added.
826         (MyES5Class):
827         (MyES6Class):
828         (MyES6Subclass):
829         Test object types and improved class names.
830
831         * heapProfiler/driver/driver.js:
832         (CheapHeapSnapshotNode):
833         (CheapHeapSnapshot):
834         (createCheapHeapSnapshot):
835         (HeapSnapshot):
836         (createHeapSnapshot):
837         Update snapshot parsing from version 1 to version 2.
838
839 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
840
841         [ARM] Fix crash with sampling profiler
842         https://bugs.webkit.org/show_bug.cgi?id=194772
843
844         Reviewed by Mark Lam.
845
846         Do not skip test since crash with sampling profiler is now fixed.
847
848         * stress/sampling-profiler-richards.js:
849
850 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
851
852         [JSC] Add LazyClassStructure::getInitializedOnMainThread
853         https://bugs.webkit.org/show_bug.cgi?id=194784
854         <rdar://problem/48154820>
855
856         Reviewed by Mark Lam.
857
858         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
859         (getProperties):
860         (getRandomProperty):
861         (i.catch):
862
863 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
864
865         [ARM] Test gardening: Test running out of executable memory
866         https://bugs.webkit.org/show_bug.cgi?id=194771
867
868         Unreviewed. Do not run test without LLInt, test is running out of executable
869         memory on ARM otherwise.
870
871         * stress/tagged-template-object-collect.js:
872
873 2019-02-18  Tomas Popela  <tpopela@redhat.com>
874
875         Unreviewed, skip the test on platforms without sampling profiler
876
877         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
878         (platformSupportsSamplingProfiler.foo):
879         (platformSupportsSamplingProfiler.test):
880         (platformSupportsSamplingProfiler):
881         (foo): Deleted.
882         (test): Deleted.
883
884 2019-02-17  Saam Barati  <sbarati@apple.com>
885
886         Deadlock when adding a Structure property transition and then doing incremental marking
887         https://bugs.webkit.org/show_bug.cgi?id=194767
888
889         Reviewed by Mark Lam.
890
891         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
892
893 2019-02-15  Michael Saboff  <msaboff@apple.com>
894
895         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
896         https://bugs.webkit.org/show_bug.cgi?id=194558
897
898         Reviewed by Saam Barati.
899
900         New regression test.
901
902         * stress/regexp-unicode-within-string.js: Added.
903
904 2019-02-15  Mark Lam  <mark.lam@apple.com>
905
906         SamplingProfiler::stackTracesAsJSON() should escape strings.
907         https://bugs.webkit.org/show_bug.cgi?id=194649
908         <rdar://problem/48072386>
909
910         Reviewed by Saam Barati.
911
912         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
913         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
914         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
915         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
916
917 2019-02-15  Robin Morisset  <rmorisset@apple.com>
918         CodeBlock::jettison should clear related watchpoints
919         https://bugs.webkit.org/show_bug.cgi?id=194544
920
921         Reviewed by Mark Lam.
922
923         * stress/regexp-replace-double-watchpoint.js: Added.
924         (foo):
925
926 2019-02-15  Saam barati  <sbarati@apple.com>
927
928         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
929         https://bugs.webkit.org/show_bug.cgi?id=194036
930
931         Reviewed by Yusuke Suzuki.
932
933         * stress/tail-call-many-arguments.js: Added.
934         (foo):
935         (bar):
936
937 2019-02-14  Saam Barati  <sbarati@apple.com>
938
939         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
940         https://bugs.webkit.org/show_bug.cgi?id=194583
941         <rdar://problem/48028140>
942
943         Reviewed by Yusuke Suzuki.
944
945         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
946
947 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
948
949         [JSC] String.fromCharCode's slow path always generates 16bit string
950         https://bugs.webkit.org/show_bug.cgi?id=194466
951
952         Reviewed by Keith Miller.
953
954         * stress/string-from-char-code-slow-path.js: Added.
955         (shouldBe):
956         (testWithLength):
957
958 2019-02-08  Saam barati  <sbarati@apple.com>
959
960         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
961         https://bugs.webkit.org/show_bug.cgi?id=194334
962         <rdar://problem/47844327>
963
964         Reviewed by Mark Lam.
965
966         * stress/check-in-bounds-should-be-a-child-use.js: Added.
967         (func):
968
969 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
970
971         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
972         https://bugs.webkit.org/show_bug.cgi?id=194369
973         <rdar://problem/47813087>
974
975         Reviewed by Saam Barati.
976
977         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
978         (A):
979
980 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
981
982         [JSC] PrivateName to PublicName hash table is wasteful
983         https://bugs.webkit.org/show_bug.cgi?id=194277
984
985         Reviewed by Michael Saboff.
986
987         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
988
989         * ChakraCore.yaml:
990
991 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
992
993         [ARM] Test running out of executable memory
994         https://bugs.webkit.org/show_bug.cgi?id=194285
995
996         Unreviewed. Do not execute test with LLInt disabled, test runs out of
997         executable memory otherwise.
998
999         * stress/class-subclassing-function.js:
1000
1001 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1002
1003         when lowering AssertNotEmpty, create the value before creating the patchpoint
1004         https://bugs.webkit.org/show_bug.cgi?id=194231
1005
1006         Reviewed by Saam Barati.
1007
1008         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1009         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1010         So even tiny changes to this test can change the code path taken.
1011
1012         * stress/assert-not-empty.js: Added.
1013         (foo):
1014
1015 2019-02-01  Mark Lam  <mark.lam@apple.com>
1016
1017         Remove invalid assertion in DFG's compileDoubleRep().
1018         https://bugs.webkit.org/show_bug.cgi?id=194130
1019         <rdar://problem/47699474>
1020
1021         Reviewed by Saam Barati.
1022
1023         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1024
1025 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1026
1027         Import latest Test262 updates.
1028
1029         Rubber-stamped by Keith Miller.
1030
1031         * test262.yaml: Deleted.
1032         * test262/config.yaml:
1033         * test262/expectations.yaml:
1034         * test262/latest-changes-summary.txt:
1035         * test262/test/:
1036         * test262/test262-Revision.txt:
1037
1038 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1039
1040         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1041         https://bugs.webkit.org/show_bug.cgi?id=194050
1042         <rdar://problem/47595592>
1043
1044         Reviewed by Yusuke Suzuki.
1045
1046         * stress/object-keys-osr-exit.js: Added.
1047         (foo):
1048         (catch):
1049
1050 2019-01-29  Mark Lam  <mark.lam@apple.com>
1051
1052         ValueRecovery::recover() should purify NaN values it recovers.
1053         https://bugs.webkit.org/show_bug.cgi?id=193978
1054         <rdar://problem/47625488>
1055
1056         Reviewed by Saam Barati.
1057
1058         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1059
1060 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1061
1062         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1063         https://bugs.webkit.org/show_bug.cgi?id=193713
1064
1065         * stress/try-get-by-id-should-spill-registers-dfg.js:
1066         (let.f.createBuiltin):
1067
1068 2019-01-28  Mark Lam  <mark.lam@apple.com>
1069
1070         ToString node actually does GC.
1071         https://bugs.webkit.org/show_bug.cgi?id=193920
1072         <rdar://problem/46695900>
1073
1074         Reviewed by Yusuke Suzuki.
1075
1076         * stress/dfg-to-string-on-int-does-gc.js: Added.
1077         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1078         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1079
1080 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1081
1082         [JSC] NativeErrorConstructor should not have own IsoSubspace
1083         https://bugs.webkit.org/show_bug.cgi?id=193713
1084
1085         Reviewed by Saam Barati.
1086
1087         Remove @Error use.
1088
1089         * stress/try-get-by-id-should-spill-registers-dfg.js:
1090         (let.f.createBuiltin):
1091
1092 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1093
1094         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1095         https://bugs.webkit.org/show_bug.cgi?id=190693
1096
1097         Reviewed by Michael Saboff.
1098
1099         * stress/regress-190693.js: Added.
1100         (truth):
1101         (assert):
1102         (shouldThrowInvalidConstAssignment):
1103         (taz):
1104
1105 2019-01-24  Saam Barati  <sbarati@apple.com>
1106
1107         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1108         https://bugs.webkit.org/show_bug.cgi?id=193751
1109         <rdar://problem/47280215>
1110
1111         Reviewed by Michael Saboff.
1112
1113         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1114         (let.thing):
1115         (foo.let.hello):
1116         (foo):
1117
1118 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1119
1120         [JSC] Reenable baseline JIT on mips
1121         https://bugs.webkit.org/show_bug.cgi?id=192983
1122
1123         Reviewed by Mark Lam.
1124
1125         Added a new test for a case that was triggering a RELEASE_ASSERT when
1126         testing.
1127         Disable some slow tests that were already disabled for arm and x86.
1128
1129         * stress/json-parse-big-object.js: Added.
1130         * stress/new-largeish-contiguous-array-with-size.js:
1131         * stress/op_add.js:
1132         * stress/op_bitand.js:
1133         * stress/op_bitor.js:
1134         * stress/op_bitxor.js:
1135         * stress/op_lshift-ConstVar.js:
1136         * stress/op_lshift-VarConst.js:
1137         * stress/op_lshift-VarVar.js:
1138         * stress/op_mod-ConstVar.js:
1139         * stress/op_mod-VarConst.js:
1140         * stress/op_mod-VarVar.js:
1141         * stress/op_mul-ConstVar.js:
1142         * stress/op_mul-VarConst.js:
1143         * stress/op_mul-VarVar.js:
1144         * stress/op_rshift-ConstVar.js:
1145         * stress/op_rshift-VarConst.js:
1146         * stress/op_rshift-VarVar.js:
1147         * stress/op_sub-ConstVar.js:
1148         * stress/op_sub-VarConst.js:
1149         * stress/op_sub-VarVar.js:
1150         * stress/op_urshift-ConstVar.js:
1151         * stress/op_urshift-VarConst.js:
1152         * stress/op_urshift-VarVar.js:
1153         * stress/sampling-profiler-richards.js:
1154         * stress/spread-forward-call-varargs-stack-overflow.js:
1155
1156 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1157
1158         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1159         https://bugs.webkit.org/show_bug.cgi?id=193711
1160         <rdar://problem/47250262>
1161
1162         Reviewed by Saam Barati.
1163
1164         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1165         (shouldBe):
1166         (foo):
1167         (bar):
1168         (baz):
1169
1170 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1171
1172         Unreviewed, fix initial global lexical binding epoch
1173         https://bugs.webkit.org/show_bug.cgi?id=193603
1174         <rdar://problem/47380869>
1175
1176         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1177         (f1.f2.f3.f4):
1178         (f1.f2.f3):
1179         (f1.f2):
1180         (f1):
1181
1182 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1183
1184         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1185         https://bugs.webkit.org/show_bug.cgi?id=193709
1186         <rdar://problem/47363838>
1187
1188         Unreviewed, rollout to watch the tests.
1189
1190         * stress/object-tostring-changed-proto.js: Removed.
1191         * stress/object-tostring-changed.js: Removed.
1192         * stress/object-tostring-misc.js: Removed.
1193         * stress/object-tostring-other.js: Removed.
1194         * stress/object-tostring-untyped.js: Removed.
1195
1196 2019-01-22  Saam Barati  <sbarati@apple.com>
1197
1198         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1199
1200         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1201         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1202         (testUncheckedLessThanZero):
1203         (testUncheckedLessThanOrEqualZero):
1204         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1205         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1206
1207 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1208
1209         [JSC] Invalidate old scope operations using global lexical binding epoch
1210         https://bugs.webkit.org/show_bug.cgi?id=193603
1211         <rdar://problem/47380869>
1212
1213         Reviewed by Saam Barati.
1214
1215         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1216         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1217         (shouldThrow):
1218         (bar):
1219         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1220         (shouldBe):
1221         (get1):
1222         (get2):
1223         (get1If):
1224         (get2If):
1225         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1226         (shouldThrow):
1227         (foo):
1228
1229 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1230
1231         Unreviewed, roll out r240220 due to date-format-xparb regression
1232         https://bugs.webkit.org/show_bug.cgi?id=193603
1233
1234         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1235         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1236         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1237         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1238
1239 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1240
1241         DoesGC rule is wrong for nodes with BigIntUse
1242         https://bugs.webkit.org/show_bug.cgi?id=193652
1243
1244         Reviewed by Saam Barati.
1245
1246         * stress/big-int-value-op-update-gc-rules.js: Added.
1247         (assert):
1248         (doesGCAdd):
1249         (doesGCSub):
1250         (doesGCDiv):
1251         (doesGCMul):
1252         (doesGCBitAnd):
1253         (doesGCBitOr):
1254         (doesGCBitXor):
1255
1256 2019-01-20  Saam Barati  <sbarati@apple.com>
1257
1258         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1259         https://bugs.webkit.org/show_bug.cgi?id=193644
1260         <rdar://problem/46209745>
1261
1262         Reviewed by Yusuke Suzuki.
1263
1264         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1265         (foo):
1266         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1267         (foo):
1268         (bar):
1269
1270 2019-01-20  Saam Barati  <sbarati@apple.com>
1271
1272         MovHint must merge NodeBytecodeUsesAsValue for its child
1273         https://bugs.webkit.org/show_bug.cgi?id=186916
1274         <rdar://problem/41396612>
1275
1276         Reviewed by Yusuke Suzuki.
1277
1278         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1279         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1280
1281 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1282
1283         [JSC] Invalidate old scope operations using global lexical binding epoch
1284         https://bugs.webkit.org/show_bug.cgi?id=193603
1285         <rdar://problem/47380869>
1286
1287         Reviewed by Saam Barati.
1288
1289         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1290         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1291         (shouldThrow):
1292         (bar):
1293         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1294         (shouldBe):
1295         (get1):
1296         (get2):
1297         (get1If):
1298         (get2If):
1299         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1300         (shouldThrow):
1301         (foo):
1302
1303 2019-01-17  Saam barati  <sbarati@apple.com>
1304
1305         StringObjectUse should not be a structure check for the original string object structure
1306         https://bugs.webkit.org/show_bug.cgi?id=193483
1307         <rdar://problem/47280522>
1308
1309         Reviewed by Yusuke Suzuki.
1310
1311         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1312         (foo):
1313         (a.valueOf.0):
1314
1315 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1316
1317         [JSC] ToThis omission in DFGByteCodeParser is wrong
1318         https://bugs.webkit.org/show_bug.cgi?id=193513
1319         <rdar://problem/45842236>
1320
1321         Reviewed by Saam Barati.
1322
1323         * stress/to-this-omission-with-different-strict-modes.js: Added.
1324         (thisA):
1325         (thisAStrictWrapper):
1326
1327 2019-01-15  Mark Lam  <mark.lam@apple.com>
1328
1329         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1330         https://bugs.webkit.org/show_bug.cgi?id=193423
1331         <rdar://problem/46209355>
1332
1333         Reviewed by Saam Barati.
1334
1335         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1336         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1337         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1338         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1339
1340 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1341
1342         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1343         https://bugs.webkit.org/show_bug.cgi?id=193438
1344         <rdar://problem/45581249>
1345
1346         Reviewed by Saam Barati and Keith Miller.
1347
1348         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1349         Then, GetByVal(String) crashed.
1350
1351         * stress/string-get-by-val-lowering.js: Added.
1352         (shouldBe):
1353         (test):
1354         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1355         (Hello):
1356         (foo):
1357
1358 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1359
1360         Unreviewed, skip JIT tests if it's not enabled
1361
1362         * stress/bit-op-with-object-returning-int32.js:
1363
1364 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1365
1366         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1367         https://bugs.webkit.org/show_bug.cgi?id=192966
1368
1369         Reviewed by Yusuke Suzuki.
1370
1371         * stress/bit-op-with-object-returning-int32.js: Added.
1372
1373 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1374
1375         Skip a slow test and a flakey test on arm
1376
1377         Unreviewed gardening.
1378
1379         * typeProfiler/getter-richards.js:
1380         this test always times out, it used to be always skipped on arm and
1381         mips, but got accidentally enabled by r237919 now that we have DFG on
1382         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1383
1384 2019-01-14  Keith Miller  <keith_miller@apple.com>
1385
1386         Skip type-check-hoisting-phase-hoist... with no jit
1387         https://bugs.webkit.org/show_bug.cgi?id=193421
1388
1389         Reviewed by Mark Lam.
1390
1391         It's timing out the 32-bit bots and takes 330 seconds
1392         on my machine when run by itself.
1393
1394         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1395
1396 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1397
1398         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1399         https://bugs.webkit.org/show_bug.cgi?id=193413
1400         <rdar://problem/46092389>
1401
1402         Reviewed by Keith Miller.
1403
1404         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1405         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1406         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1407         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1408
1409         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1410         (compareArray):
1411
1412 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1413
1414         [BigInt] Literal parsing is crashing when used inside a Object Literal
1415         https://bugs.webkit.org/show_bug.cgi?id=193404
1416
1417         Reviewed by Yusuke Suzuki.
1418
1419         * stress/big-int-literal-inside-literal-object.js: Added.
1420
1421 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1422
1423         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1424         https://bugs.webkit.org/show_bug.cgi?id=193372
1425
1426         Reviewed by Saam Barati.
1427
1428         * stress/typed-array-array-modes-profile.js: Added.
1429         (foo):
1430
1431 2019-01-14  Mark Lam  <mark.lam@apple.com>
1432
1433         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1434         https://bugs.webkit.org/show_bug.cgi?id=193402
1435         <rdar://problem/46012309>
1436
1437         Reviewed by Keith Miller.
1438
1439         * stress/regexp-compile-oom.js:
1440         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1441           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1442
1443 2019-01-11  Saam barati  <sbarati@apple.com>
1444
1445         DFG combined liveness can be wrong for terminal basic blocks
1446         https://bugs.webkit.org/show_bug.cgi?id=193304
1447         <rdar://problem/45268632>
1448
1449         Reviewed by Yusuke Suzuki.
1450
1451         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1452
1453 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1454
1455         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1456         https://bugs.webkit.org/show_bug.cgi?id=193308
1457         <rdar://problem/45546542>
1458
1459         Reviewed by Saam Barati.
1460
1461         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1462         (shouldThrow):
1463         (shouldBe):
1464         (foo):
1465         (get shouldThrow):
1466         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1467         (shouldThrow):
1468         (shouldBe):
1469         (foo):
1470         (get shouldBe):
1471         (get shouldThrow):
1472         (get return):
1473         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1474         (shouldThrow):
1475         (shouldBe):
1476         (foo):
1477         (get shouldBe):
1478         (get shouldThrow):
1479         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1480         (shouldThrow):
1481         (shouldBe):
1482         (foo):
1483         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1484         (shouldThrow):
1485         (shouldBe):
1486         (foo):
1487         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1488         (shouldThrow):
1489         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1490         (shouldThrow):
1491         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1492         (shouldThrow):
1493         (shouldBe):
1494         (foo):
1495         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1496         (shouldThrow):
1497         (shouldBe):
1498         (foo):
1499         (get shouldBe):
1500         (get shouldThrow):
1501         (get return):
1502         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1503         (shouldThrow):
1504         (shouldBe):
1505         (foo):
1506         (get shouldBe):
1507         (get shouldThrow):
1508         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1509         (shouldThrow):
1510         (shouldBe):
1511         (foo):
1512         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1513         (shouldThrow):
1514         (shouldBe):
1515         (foo):
1516
1517 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1518
1519         Enable DFG on ARM/Linux again
1520         https://bugs.webkit.org/show_bug.cgi?id=192496
1521
1522         Reviewed by Yusuke Suzuki.
1523
1524         Test wasn't really skipped before moving the line with skip
1525         to the top.
1526
1527         * stress/regress-192717.js:
1528
1529 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1530
1531         Unreviewed, rolling out r239825.
1532         https://bugs.webkit.org/show_bug.cgi?id=193330
1533
1534         Broke tests on armv7/linux bots (Requested by guijemont on
1535         #webkit).
1536
1537         Reverted changeset:
1538
1539         "Enable DFG on ARM/Linux again"
1540         https://bugs.webkit.org/show_bug.cgi?id=192496
1541         https://trac.webkit.org/changeset/239825
1542
1543 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1544
1545         Enable DFG on ARM/Linux again
1546         https://bugs.webkit.org/show_bug.cgi?id=192496
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         Test wasn't really skipped before moving the line with skip
1551         to the top.
1552
1553         * stress/regress-192717.js:
1554
1555 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1556
1557         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1558         https://bugs.webkit.org/show_bug.cgi?id=193127
1559
1560         Reviewed by Saam Barati.
1561
1562         * stress/array-species-create-should-handle-masquerader.js: Added.
1563         (shouldThrow):
1564         * stress/is-undefined-or-null-builtin.js: Added.
1565         (shouldBe):
1566         (isUndefinedOrNull.vm.createBuiltin):
1567
1568 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1569
1570         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1571         https://bugs.webkit.org/show_bug.cgi?id=193221
1572
1573         Reviewed by Mark Lam.
1574
1575         * stress/put-by-id-flags.js: Added.
1576         (f):
1577         (g):
1578         (numberOfDFGCompiles):
1579
1580 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1581
1582         Baseline version of get_by_id may corrupt metadata
1583         https://bugs.webkit.org/show_bug.cgi?id=193085
1584         <rdar://problem/23453006>
1585
1586         Reviewed by Saam Barati.
1587
1588         * stress/get-by-id-change-mode.js: Added.
1589         (forEach):
1590
1591 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1592
1593         [JSC] Optimize Object.prototype.toString
1594         https://bugs.webkit.org/show_bug.cgi?id=193031
1595
1596         Reviewed by Saam Barati.
1597
1598         * stress/object-tostring-changed-proto.js: Added.
1599         (shouldBe):
1600         (test):
1601         * stress/object-tostring-changed.js: Added.
1602         (shouldBe):
1603         (test):
1604         * stress/object-tostring-misc.js: Added.
1605         (shouldBe):
1606         (test):
1607         (i.switch):
1608         * stress/object-tostring-other.js: Added.
1609         (shouldBe):
1610         (test):
1611         * stress/object-tostring-untyped.js: Added.
1612         (shouldBe):
1613         (test):
1614         (i.switch):
1615
1616 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1617
1618         test262-runner misbehaves when test file YAML has a trailing space
1619         https://bugs.webkit.org/show_bug.cgi?id=193053
1620
1621         Reviewed by Yusuke Suzuki.
1622
1623         * test262/expectations.yaml:
1624         Mark two dozen tests as passing (and correct the output of another).
1625
1626 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1627
1628         Unreviewed, JSTests gardening with memoryLimited
1629
1630         * stress/string-overflow-createError.js:
1631
1632 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1633
1634         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1635         https://bugs.webkit.org/show_bug.cgi?id=193050
1636
1637         Reviewed by Yusuke Suzuki.
1638
1639         * test262.yaml:
1640         * test262/expectations.yaml:
1641         Mark 16 tests as passing.
1642
1643 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [BigInt] Support BigInt in JSON.stringify
1646         https://bugs.webkit.org/show_bug.cgi?id=192624
1647
1648         Reviewed by Saam Barati.
1649
1650         * stress/big-int-json-stringify-to-json.js: Added.
1651         (shouldBe):
1652         (shouldThrow):
1653         (BigInt.prototype.toJSON):
1654         (shouldBe.JSON.stringify):
1655         * stress/big-int-json-stringify.js: Added.
1656         (shouldBe):
1657         (shouldThrow):
1658
1659 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1660
1661         [JSC] Implement "well-formed JSON.stringify" proposal
1662         https://bugs.webkit.org/show_bug.cgi?id=191677
1663
1664         Reviewed by Darin Adler.
1665
1666         * stress/json-surrogate-pair.js: Added.
1667         (shouldBe):
1668         * test262/expectations.yaml:
1669
1670 2018-12-20  Keith Miller  <keith_miller@apple.com>
1671
1672         Add support for globalThis
1673         https://bugs.webkit.org/show_bug.cgi?id=165171
1674
1675         Reviewed by Mark Lam.
1676
1677         * test262/config.yaml:
1678
1679 2018-12-19  Keith Miller  <keith_miller@apple.com>
1680
1681         Update test262 configuration to not run tests dependent on ICU version.
1682         https://bugs.webkit.org/show_bug.cgi?id=192920
1683
1684         Reviewed by Saam Barati.
1685
1686         * test262/expectations.yaml:
1687
1688 2018-12-20  Mark Lam  <mark.lam@apple.com>
1689
1690         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1691         https://bugs.webkit.org/show_bug.cgi?id=192939
1692         <rdar://problem/46869516>
1693
1694         Reviewed by Keith Miller.
1695
1696         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1697
1698 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1699
1700         WTF::String and StringImpl overflow MaxLength
1701         https://bugs.webkit.org/show_bug.cgi?id=192853
1702         <rdar://problem/45726906>
1703
1704         Reviewed by Mark Lam.
1705
1706         * stress/string-16bit-repeat-overflow.js: Added.
1707         (catch):
1708
1709 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1710
1711         Unreviewed follow-up to r192914.
1712
1713         * test262/expectations.yaml:
1714         Add the last 20 missing expectations.
1715
1716 2018-12-19  Keith Miller  <keith_miller@apple.com>
1717
1718         Fix test262 expectations
1719         https://bugs.webkit.org/show_bug.cgi?id=192914
1720
1721         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1722
1723         * test262/expectations.yaml:
1724
1725 2018-12-19  Keith Miller  <keith_miller@apple.com>
1726
1727         Update test262 tests.
1728         https://bugs.webkit.org/show_bug.cgi?id=192907
1729
1730         Rubber stamped by Mark Lam.
1731
1732         * test262/*: Omitted because prepare-changelog crashes.
1733
1734 2018-12-19  Mark Lam  <mark.lam@apple.com>
1735
1736         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1737         https://bugs.webkit.org/show_bug.cgi?id=192464
1738         <rdar://problem/46519455>
1739
1740         Reviewed by Saam Barati.
1741
1742         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1743         microbenchmark.
1744
1745         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1746         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1747
1748 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1749
1750         String overflow in JSC::createError results in ASSERT in WTF::makeString
1751         https://bugs.webkit.org/show_bug.cgi?id=192833
1752         <rdar://problem/45706868>
1753
1754         Reviewed by Mark Lam.
1755
1756         * stress/string-overflow-createError.js: Added.
1757
1758 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1759
1760         Error message for `-x ** y` contains a typo.
1761         https://bugs.webkit.org/show_bug.cgi?id=192832
1762
1763         Reviewed by Saam Barati.
1764
1765         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1766         (assert.assert.return.throws):
1767         * stress/pow-expects-update-expression-on-lhs.js:
1768         (throw.new.Error):
1769         Update test expectations which match against the exact error message.
1770
1771 2018-12-18  Mark Lam  <mark.lam@apple.com>
1772
1773         Gardening: test options fix.
1774         https://bugs.webkit.org/show_bug.cgi?id=192822
1775
1776         Unreviewed.
1777
1778         * stress/json-stringify-string-builder-overflow.js:
1779
1780 2018-12-18  Mark Lam  <mark.lam@apple.com>
1781
1782         JSON.stringify() should throw OOM on StringBuilder overflows.
1783         https://bugs.webkit.org/show_bug.cgi?id=192822
1784         <rdar://problem/46670577>
1785
1786         Reviewed by Saam Barati.
1787
1788         * stress/json-stringify-string-builder-overflow.js: Added.
1789
1790 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1791
1792         Redeclaration of var over let/const/class should be a syntax error.
1793         https://bugs.webkit.org/show_bug.cgi?id=192298
1794
1795         Reviewed by Keith Miller.
1796
1797         * test262.yaml:
1798         * test262/expectations.yaml:
1799         Mark 46 tests as passing.
1800
1801         * stress/block-scope-redeclarations.js:
1802         Add some new tests.
1803
1804         * stress/for-in-invalidate-context-weird-assignments.js:
1805         * stress/for-in-tests.js:
1806         Replace tests for outdated behavior with tests for SyntaxError.
1807
1808         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1809         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1810         Update expectations.
1811
1812 2018-12-18  Mark Lam  <mark.lam@apple.com>
1813
1814         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1815         https://bugs.webkit.org/show_bug.cgi?id=191374
1816         <rdar://problem/46525447>
1817
1818         Reviewed by Yusuke Suzuki.
1819
1820         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1821
1822         * stress/elidable-new-object-roflcopter-then-exit.js:
1823
1824 2018-12-17  Mark Lam  <mark.lam@apple.com>
1825
1826         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1827         https://bugs.webkit.org/show_bug.cgi?id=192019
1828         <rdar://problem/46525456>
1829
1830         Reviewed by Yusuke Suzuki.
1831
1832         The test runs too slow on 32-bit.
1833
1834         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1835
1836 2018-12-17  Mark Lam  <mark.lam@apple.com>
1837
1838         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1839         https://bugs.webkit.org/show_bug.cgi?id=191373
1840         <rdar://problem/46525458>
1841
1842         Reviewed by Yusuke Suzuki.
1843
1844         The test is already slow running with a JIT on 64-bit.  It will always timeout
1845         on 32-bit without a JIT.
1846
1847         * stress/materialize-regexp-cyclic-regexp.js:
1848
1849 2018-12-17  Mark Lam  <mark.lam@apple.com>
1850
1851         Array unshift/shift should not race against the AI in the compiler thread.
1852         https://bugs.webkit.org/show_bug.cgi?id=192795
1853         <rdar://problem/46724263>
1854
1855         Reviewed by Saam Barati.
1856
1857         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1858
1859 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1860
1861         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1862         https://bugs.webkit.org/show_bug.cgi?id=190047
1863
1864         Reviewed by Saam Barati.
1865
1866         * stress/object-keys-cached-zero.js: Added.
1867         (shouldBe):
1868         (test):
1869         * stress/object-keys-changed-attribute.js: Added.
1870         (shouldBe):
1871         (test):
1872         * stress/object-keys-changed-index.js: Added.
1873         (shouldBe):
1874         (test):
1875         * stress/object-keys-changed.js: Added.
1876         (shouldBe):
1877         (test):
1878         * stress/object-keys-indexed-non-cache.js: Added.
1879         (shouldBe):
1880         (test):
1881         * stress/object-keys-overrides-get-property-names.js: Added.
1882         (shouldBe):
1883         (test):
1884         (noInline):
1885
1886 2018-12-17  Mark Lam  <mark.lam@apple.com>
1887
1888         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1889         https://bugs.webkit.org/show_bug.cgi?id=192779
1890         <rdar://problem/46775869>
1891
1892         Reviewed by Saam Barati.
1893
1894         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1895
1896 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1897
1898         Unreviewed test gardening, address a syntax error in a new test.
1899
1900         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1901
1902 2018-12-17  Mark Lam  <mark.lam@apple.com>
1903
1904         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1905         https://bugs.webkit.org/show_bug.cgi?id=192776
1906         <rdar://problem/46772368>
1907
1908         Reviewed by Keith Miller.
1909
1910         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1911
1912 2018-12-17  Mark Lam  <mark.lam@apple.com>
1913
1914         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1915         https://bugs.webkit.org/show_bug.cgi?id=192770
1916         <rdar://problem/46449037>
1917
1918         Reviewed by Keith Miller.
1919
1920         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1921
1922 2018-12-14  Mark Lam  <mark.lam@apple.com>
1923
1924         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1925         https://bugs.webkit.org/show_bug.cgi?id=192717
1926         <rdar://problem/46660677>
1927
1928         Reviewed by Saam Barati.
1929
1930         * stress/regress-192717.js: Added.
1931
1932 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1933
1934         Unreviewed, rolling out r239153, r239154, and r239155.
1935         https://bugs.webkit.org/show_bug.cgi?id=192715
1936
1937         Caused flaky GC-related crashes seen with layout tests
1938         (Requested by ryanhaddad on #webkit).
1939
1940         Reverted changesets:
1941
1942         "[JSC] Optimize Object.keys by caching own keys results in
1943         StructureRareData"
1944         https://bugs.webkit.org/show_bug.cgi?id=190047
1945         https://trac.webkit.org/changeset/239153
1946
1947         "Unreviewed, build fix after r239153"
1948         https://bugs.webkit.org/show_bug.cgi?id=190047
1949         https://trac.webkit.org/changeset/239154
1950
1951         "Unreviewed, build fix after r239153, part 2"
1952         https://bugs.webkit.org/show_bug.cgi?id=190047
1953         https://trac.webkit.org/changeset/239155
1954
1955 2018-12-14  Keith Miller  <keith_miller@apple.com>
1956
1957         Callers of JSString::getIndex should check for OOM exceptions
1958         https://bugs.webkit.org/show_bug.cgi?id=192709
1959
1960         Reviewed by Mark Lam.
1961
1962         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1963
1964 2018-12-13  Mark Lam  <mark.lam@apple.com>
1965
1966         Add a missing exception check.
1967         https://bugs.webkit.org/show_bug.cgi?id=192626
1968         <rdar://problem/46662163>
1969
1970         Reviewed by Keith Miller.
1971
1972         * stress/regress-192626.js: Added.
1973
1974 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1975
1976         [BigInt] Add ValueDiv into DFG
1977         https://bugs.webkit.org/show_bug.cgi?id=186178
1978
1979         Reviewed by Yusuke Suzuki.
1980
1981         * stress/big-int-div-jit-osr.js: Added.
1982         * stress/big-int-div-jit-untyped.js: Added.
1983         * stress/value-div-fixup-int32-big-int.js: Added.
1984
1985 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1986
1987         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1988         https://bugs.webkit.org/show_bug.cgi?id=190047
1989
1990         Reviewed by Keith Miller.
1991
1992         * stress/object-keys-cached-zero.js: Added.
1993         (shouldBe):
1994         (test):
1995         * stress/object-keys-changed-attribute.js: Added.
1996         (shouldBe):
1997         (test):
1998         * stress/object-keys-changed-index.js: Added.
1999         (shouldBe):
2000         (test):
2001         * stress/object-keys-changed.js: Added.
2002         (shouldBe):
2003         (test):
2004         * stress/object-keys-indexed-non-cache.js: Added.
2005         (shouldBe):
2006         (test):
2007         * stress/object-keys-overrides-get-property-names.js: Added.
2008         (shouldBe):
2009         (test):
2010         (noInline):
2011
2012 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2013
2014         [DFG][FTL] Add NewSymbol
2015         https://bugs.webkit.org/show_bug.cgi?id=192620
2016
2017         Reviewed by Saam Barati.
2018
2019         * microbenchmarks/symbol-creation.js: Added.
2020         (test):
2021         * stress/symbol-description-identity.js: Added.
2022         (shouldBe):
2023         (test):
2024         * stress/symbol-identity.js: Added.
2025         (shouldBe):
2026         (test):
2027         * stress/symbol-with-description-throw-error.js: Added.
2028         (shouldBe):
2029         (shouldThrow):
2030         (test):
2031         (object.toString):
2032
2033 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2034
2035         [BigInt] Implement DFG/FTL typeof for BigInt
2036         https://bugs.webkit.org/show_bug.cgi?id=192619
2037
2038         Reviewed by Keith Miller.
2039
2040         * stress/big-int-boolean-proven-type.js: Added.
2041         (assert):
2042         (bool):
2043         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2044         (assert):
2045         (typeOf):
2046         (i.switch):
2047         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2048         (assert):
2049         (typeOf):
2050         * stress/big-int-type-of.js:
2051         (typeOf):
2052         (func):
2053
2054 2018-12-10  Mark Lam  <mark.lam@apple.com>
2055
2056         PropertyAttribute needs a CustomValue bit.
2057         https://bugs.webkit.org/show_bug.cgi?id=191993
2058         <rdar://problem/46264467>
2059
2060         Reviewed by Saam Barati.
2061
2062         * stress/regress-191993.js: Added.
2063
2064 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2065
2066         [BigInt] Add ValueMul into DFG
2067         https://bugs.webkit.org/show_bug.cgi?id=186175
2068
2069         Reviewed by Yusuke Suzuki.
2070
2071         * stress/big-int-mul-jit-osr.js: Added.
2072         * stress/big-int-mul-jit-untyped.js: Added.
2073         * stress/value-mul-fixup-int32-big-int.js: Added.
2074
2075 2018-12-06  Keith Miller  <keith_miller@apple.com>
2076
2077         stress/big-wasm-memory tests failing on 32-bit JSC bot
2078         https://bugs.webkit.org/show_bug.cgi?id=192020
2079
2080         Reviewed by Saam Barati.
2081
2082         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2083         the wasm stress tests if the WebAssembly object does not exist.
2084
2085         * stress/big-wasm-memory-grow-no-max.js:
2086         (test.foo):
2087         (test):
2088         (foo): Deleted.
2089         (catch): Deleted.
2090         * stress/big-wasm-memory-grow.js:
2091         (test.foo):
2092         (test):
2093         (foo): Deleted.
2094         (catch): Deleted.
2095         * stress/big-wasm-memory.js:
2096         (test.foo):
2097         (test):
2098         (foo): Deleted.
2099         (catch): Deleted.
2100
2101 2018-12-05  Mark Lam  <mark.lam@apple.com>
2102
2103         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2104         https://bugs.webkit.org/show_bug.cgi?id=192441
2105         <rdar://problem/46480355>
2106
2107         Reviewed by Saam Barati.
2108
2109         * stress/regress-192441.js: Added.
2110
2111 2018-12-04  Mark Lam  <mark.lam@apple.com>
2112
2113         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2114         https://bugs.webkit.org/show_bug.cgi?id=192386
2115         <rdar://problem/46445516>
2116
2117         Reviewed by Saam Barati.
2118
2119         * stress/regress-192386.js: Added.
2120
2121 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2122
2123         [ESNext][BigInt] Support logic operations
2124         https://bugs.webkit.org/show_bug.cgi?id=179903
2125
2126         Reviewed by Yusuke Suzuki.
2127
2128         * stress/big-int-branch-usage.js: Added.
2129         * stress/big-int-logical-and.js: Added.
2130         * stress/big-int-logical-not.js: Added.
2131         * stress/big-int-logical-or.js: Added.
2132
2133 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2134
2135         Unreviewed, rolling out r238833.
2136
2137         Breaks macOS and iOS debug builds.
2138
2139         Reverted changeset:
2140
2141         "[ESNext][BigInt] Support logic operations"
2142         https://bugs.webkit.org/show_bug.cgi?id=179903
2143         https://trac.webkit.org/changeset/238833
2144
2145 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2146
2147         [ESNext][BigInt] Support logic operations
2148         https://bugs.webkit.org/show_bug.cgi?id=179903
2149
2150         Reviewed by Yusuke Suzuki.
2151
2152         * stress/big-int-branch-usage.js: Added.
2153         * stress/big-int-logical-and.js: Added.
2154         * stress/big-int-logical-not.js: Added.
2155         * stress/big-int-logical-or.js: Added.
2156
2157 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2158
2159         [ESNext][BigInt] Implement support for "<<" and ">>"
2160         https://bugs.webkit.org/show_bug.cgi?id=186233
2161
2162         Reviewed by Yusuke Suzuki.
2163
2164         * stress/big-int-left-shift-general.js: Added.
2165         * stress/big-int-left-shift-range-error.js: Added.
2166         * stress/big-int-left-shift-type-error.js: Added.
2167         * stress/big-int-left-shift-wrapped-value.js: Added.
2168         * stress/big-int-right-shift-general.js: Added.
2169         * stress/big-int-right-shift-type-error.js: Added.
2170         * stress/big-int-right-shift-wrapped-value.js: Added.
2171         * stress/left-shift-to-primitive-precedence.js: Added.
2172         * stress/right-shift-to-primitive-precedence.js: Added.
2173
2174 2018-11-30  Dean Jackson  <dino@apple.com>
2175
2176         Add first-class support for .mjs files in jsc binary
2177         https://bugs.webkit.org/show_bug.cgi?id=192190
2178         <rdar://problem/46375715>
2179
2180         Reviewed by Keith Miller.
2181
2182         * stress/simple-module.mjs: Added.
2183         * stress/simple-script.js: Added.
2184
2185 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2186
2187         [BigInt] Implement ValueBitXor into DFG
2188         https://bugs.webkit.org/show_bug.cgi?id=190264
2189
2190         Reviewed by Yusuke Suzuki.
2191
2192         * stress/big-int-bitwise-xor-jit.js: Added.
2193         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2194         * stress/big-int-bitwise-xor-untyped.js: Added.
2195
2196 2018-11-27  Saam barati  <sbarati@apple.com>
2197
2198         r238510 broke scopes of size zero
2199         https://bugs.webkit.org/show_bug.cgi?id=192033
2200         <rdar://problem/46281734>
2201
2202         Reviewed by Keith Miller.
2203
2204         * stress/r238510-bad-loop.js: Added.
2205         (foo):
2206
2207 2018-11-27  Mark Lam  <mark.lam@apple.com>
2208
2209         [Re-landing] NaNs read from Wasm code need to be purified.
2210         https://bugs.webkit.org/show_bug.cgi?id=191056
2211         <rdar://problem/45660341>
2212
2213         Reviewed by Filip Pizlo.
2214
2215         * wasm/regress/regress-191056.js: Added.
2216
2217 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2218
2219         Unreviewed, rolling out r238509.
2220
2221         Causes JSC tests to fail on iOS.
2222
2223         Reverted changeset:
2224
2225         "NaNs read from Wasm code need to be purified."
2226         https://bugs.webkit.org/show_bug.cgi?id=191056
2227         https://trac.webkit.org/changeset/238509
2228
2229 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2230
2231         Re-introduce op_bitnot
2232         https://bugs.webkit.org/show_bug.cgi?id=190923
2233
2234         Reviewed by Yusuke Suzuki.
2235
2236         * stress/bit-not-must-generate.js: Added.
2237         * stress/bitwise-not-no-int32.js: Added.
2238
2239 2018-11-26  Saam barati  <sbarati@apple.com>
2240
2241         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2242         https://bugs.webkit.org/show_bug.cgi?id=191956
2243         <rdar://problem/45665806>
2244
2245         Reviewed by Yusuke Suzuki.
2246
2247         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2248         (bar):
2249         (foo):
2250
2251 2018-11-26  Saam barati  <sbarati@apple.com>
2252
2253         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2254         https://bugs.webkit.org/show_bug.cgi?id=191958
2255         <rdar://problem/46221877>
2256
2257         Reviewed by Yusuke Suzuki.
2258
2259         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2260         (x):
2261         (foo):
2262
2263 2018-11-26  Mark Lam  <mark.lam@apple.com>
2264
2265         NaNs read from Wasm code need to be purified.
2266         https://bugs.webkit.org/show_bug.cgi?id=191056
2267         <rdar://problem/45660341>
2268
2269         Reviewed by Filip Pizlo.
2270
2271         * wasm/regress/regress-191056.js: Added.
2272
2273 2018-11-26  Michael Saboff  <msaboff@apple.com>
2274
2275         32-bit JSC test failure: stress/regexp-compile-oom.js
2276         https://bugs.webkit.org/show_bug.cgi?id=191375
2277
2278         Reviewed by Mark Lam.
2279
2280         Disabled the test for 32 bit platforms.
2281
2282         * stress/regexp-compile-oom.js:
2283
2284 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2285
2286         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2287         https://bugs.webkit.org/show_bug.cgi?id=191716
2288         <rdar://problem/45723878>
2289
2290         Reviewed by Saam Barati.
2291
2292         * stress/regress-187373.js: Added.
2293         (async.fn):
2294
2295 2018-11-21  Saam barati  <sbarati@apple.com>
2296
2297         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2298         https://bugs.webkit.org/show_bug.cgi?id=191897
2299         <rdar://problem/45871998>
2300
2301         Reviewed by Mark Lam.
2302
2303         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2304         (bar):
2305         (foo):
2306
2307 2018-11-21  Saam barati  <sbarati@apple.com>
2308
2309         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2310         https://bugs.webkit.org/show_bug.cgi?id=191895
2311         <rdar://problem/46167406>
2312
2313         Reviewed by Mark Lam.
2314
2315         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2316         (foo):
2317         (bar):
2318
2319 2018-11-21  Mark Lam  <mark.lam@apple.com>
2320
2321         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2322         https://bugs.webkit.org/show_bug.cgi?id=191776
2323         <rdar://problem/46152851>
2324
2325         Reviewed by Saam Barati.
2326
2327         * stress/big-wasm-memory-grow-no-max.js:
2328         * stress/big-wasm-memory-grow.js:
2329         * stress/big-wasm-memory.js:
2330         - updated these to expect an OutOfMemoryError.
2331
2332         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2333         (Binary.prototype.emit_u8):
2334         (Binary.prototype.emit_u32v):
2335         (Binary.prototype.emit_header):
2336         (Binary.prototype.emit_section):
2337         (Binary):
2338         (WasmModuleBuilder):
2339         (WasmModuleBuilder.prototype.addMemory):
2340         (WasmModuleBuilder.prototype.toArray):
2341         (WasmModuleBuilder.prototype.toBuffer):
2342         (WasmModuleBuilder.prototype.instantiate):
2343         (catch):
2344         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2345         (catch):
2346
2347 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2348
2349         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2350         https://bugs.webkit.org/show_bug.cgi?id=190836
2351
2352         Reviewed by Saam Barati and Yusuke Suzuki.
2353
2354         * stress/big-int-out-of-memory-tests.js: Added.
2355
2356 2018-11-20  Mark Lam  <mark.lam@apple.com>
2357
2358         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2359         https://bugs.webkit.org/show_bug.cgi?id=191856
2360         <rdar://problem/46089992>
2361
2362         Reviewed by Yusuke Suzuki.
2363
2364         * stress/regress-191856.js: Added.
2365         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2366
2367 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2368
2369         Enable JIT on ARM/Linux
2370         https://bugs.webkit.org/show_bug.cgi?id=191548
2371
2372         Reviewed by Yusuke Suzuki.
2373
2374         Disable test on system with limited memory. Program was killed by
2375         the OS before the exception was thrown.
2376
2377         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2378
2379 2018-11-20  Saam barati  <sbarati@apple.com>
2380
2381         Merging an IC variant may lead to the IC status containing overlapping structure sets
2382         https://bugs.webkit.org/show_bug.cgi?id=191869
2383         <rdar://problem/45403453>
2384
2385         Reviewed by Mark Lam.
2386
2387         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2388
2389 2018-11-19  Mark Lam  <mark.lam@apple.com>
2390
2391         globalFuncImportModule() should return a promise when it clears exceptions.
2392         https://bugs.webkit.org/show_bug.cgi?id=191792
2393         <rdar://problem/46090763>
2394
2395         Reviewed by Michael Saboff.
2396
2397         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2398
2399 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2400
2401         Skip new memory-hungry tests on memory limited devices
2402
2403         Unreviewed gardening.
2404
2405         * stress/big-wasm-memory-grow-no-max.js:
2406         * stress/big-wasm-memory-grow.js:
2407         * stress/big-wasm-memory.js:
2408
2409 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2410
2411         Unreviewed, rolling in the rest of r237254
2412         https://bugs.webkit.org/show_bug.cgi?id=190340
2413
2414         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2415         * stress/function-cache-with-parameters-end-position.js: Added.
2416         (shouldBe):
2417         (shouldThrow):
2418         (i.anonymous):
2419         * stress/function-constructor-name.js: Added.
2420         (shouldBe):
2421         (GeneratorFunction):
2422         (AsyncFunction.async):
2423         (AsyncGeneratorFunction.async):
2424         (anonymous):
2425         (async.anonymous):
2426         * test262/expectations.yaml:
2427
2428 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2429
2430         All users of ArrayBuffer should agree on the same max size
2431         https://bugs.webkit.org/show_bug.cgi?id=191771
2432
2433         Reviewed by Mark Lam.
2434
2435         * stress/big-wasm-memory-grow-no-max.js: Added.
2436         (foo):
2437         (catch):
2438         * stress/big-wasm-memory-grow.js: Added.
2439         (foo):
2440         (catch):
2441         * stress/big-wasm-memory.js: Added.
2442         (foo):
2443         (catch):
2444
2445 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2446
2447         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2448         run for each JSC config since they're regression tests for runtime bugs.
2449
2450         * stress/json-stringified-overflow-2.js:
2451         * stress/json-stringified-overflow.js:
2452
2453 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2454
2455         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2456         config since they're regression tests for runtime bugs.
2457
2458         * stress/large-unshift-splice.js:
2459         * stress/regress-185888.js:
2460
2461 2018-11-16  Saam Barati  <sbarati@apple.com>
2462
2463         KnownCellUse should also have SpecCellCheck as its type filter
2464         https://bugs.webkit.org/show_bug.cgi?id=191729
2465         <rdar://problem/45872852>
2466
2467         Reviewed by Filip Pizlo.
2468
2469         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2470         (C):
2471
2472 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2473
2474         Fix assertion failure on BytecodeGenerator::recordOpcode
2475         https://bugs.webkit.org/show_bug.cgi?id=191724
2476         <rdar://problem/45724395>
2477
2478         Reviewed by Saam Barati.
2479
2480         * stress/regress-187373-2.js: Added.
2481         (foo):
2482
2483 2018-11-15  Mark Lam  <mark.lam@apple.com>
2484
2485         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2486         https://bugs.webkit.org/show_bug.cgi?id=191730
2487         <rdar://problem/46048517>
2488
2489         Reviewed by Saam Barati.
2490
2491         * stress/regress-187006.js: Removed.
2492           - this test is invalid because its sole purpose is to test for the non-spec
2493             compliant behavior that we just fixed.
2494
2495         * stress/regress-191730.js: Added.
2496
2497 2018-11-15  Mark Lam  <mark.lam@apple.com>
2498
2499         RegExp operations should not take fast path if lastIndex is not numeric.
2500         https://bugs.webkit.org/show_bug.cgi?id=191731
2501         <rdar://problem/46017305>
2502
2503         Reviewed by Saam Barati.
2504
2505         * stress/regress-191731.js: Added.
2506
2507 2018-11-13  Saam Barati  <sbarati@apple.com>
2508
2509         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2510         https://bugs.webkit.org/show_bug.cgi?id=191600
2511
2512         Reviewed by Mark Lam.
2513
2514         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2515         (foo):
2516         (test):
2517         (bar):
2518
2519 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2520
2521         Unreviewed, rolling out r238132.
2522
2523         The test added with this change is timing out on Debug JSC
2524         bots.
2525
2526         Reverted changeset:
2527
2528         "[BigInt] JSBigInt::createWithLength should throw when length
2529         is greater than JSBigInt::maxLength"
2530         https://bugs.webkit.org/show_bug.cgi?id=190836
2531         https://trac.webkit.org/changeset/238132
2532
2533 2018-11-13  Mark Lam  <mark.lam@apple.com>
2534
2535         Add OOM detection to StringPrototype's substituteBackreferences().
2536         https://bugs.webkit.org/show_bug.cgi?id=191563
2537         <rdar://problem/45720428>
2538
2539         Reviewed by Saam Barati.
2540
2541         * stress/regress-191563.js: Added.
2542
2543 2018-11-13  Mark Lam  <mark.lam@apple.com>
2544
2545         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2546         https://bugs.webkit.org/show_bug.cgi?id=191579
2547         <rdar://problem/45942472>
2548
2549         Reviewed by Saam Barati.
2550
2551         * stress/regress-191579.js: Added.
2552
2553 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2554
2555         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2556         https://bugs.webkit.org/show_bug.cgi?id=190836
2557
2558         Reviewed by Saam Barati.
2559
2560         * stress/big-int-out-of-memory-tests.js: Added.
2561
2562 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2563
2564         U+180E is no longer a whitespace character
2565         https://bugs.webkit.org/show_bug.cgi?id=191415
2566
2567         Reviewed by Saam Barati.
2568
2569         * ChakraCore/test/es5/regexSpace.baseline:
2570         * ChakraCore/test/es6/unicode_whitespace.js:
2571         Update tests to latest version.
2572         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2573
2574         * test262.yaml:
2575         * test262/config.yaml:
2576         * test262/expectations.yaml:
2577         Update expectations.
2578
2579 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2580
2581         [BigInt] Add support to BigInt into ValueAdd
2582         https://bugs.webkit.org/show_bug.cgi?id=186177
2583
2584         Reviewed by Keith Miller.
2585
2586         * stress/big-int-negate-jit.js:
2587         * stress/value-add-big-int-and-string.js: Added.
2588         * stress/value-add-big-int-prediction-propagation.js: Added.
2589         * stress/value-add-big-int-untyped.js: Added.
2590
2591 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2592
2593         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2594         https://bugs.webkit.org/show_bug.cgi?id=191184
2595
2596         Reviewed by Saam Barati.
2597
2598         Most tests were failing due to timeouts, since they are too slow to
2599         run on CLoop. The exceptions are:
2600
2601         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2602         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2603         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2604         to change the stack size since CLoop requires it to be page aligned.
2605
2606         * microbenchmarks/array-push-1.js:
2607         * microbenchmarks/array-push-2.js:
2608         * microbenchmarks/elidable-new-object-dag.js:
2609         * microbenchmarks/elidable-new-object-roflcopter.js:
2610         * microbenchmarks/elidable-new-object-tree.js:
2611         * microbenchmarks/getter-richards.js:
2612         * microbenchmarks/sinkable-new-object-dag.js:
2613         * microbenchmarks/string-concat-long-convert.js:
2614         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2615         * slowMicrobenchmarks/array-push-3.js:
2616         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2617         * slowMicrobenchmarks/spread-small-array.js:
2618         * slowMicrobenchmarks/undefined-property-access.js:
2619         * stress/activation-sink-default-value-tdz-error.js:
2620         * stress/activation-sink-default-value.js:
2621         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2622         * stress/activation-sink-osrexit-default-value.js:
2623         * stress/activation-sink-osrexit.js:
2624         * stress/activation-sink.js:
2625         * stress/allow-math-ic-b3-code-duplication.js:
2626         * stress/array-push-multiple-int32.js:
2627         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2628         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2629         * stress/arrowfunction-lexical-this-activation-sink.js:
2630         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2631         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2632         * stress/elide-new-object-dag-then-exit.js:
2633         * stress/materialize-regexp-cyclic.js:
2634         * stress/new-regex-inline.js:
2635         * stress/op_add.js:
2636         * stress/op_bitand.js:
2637         * stress/op_bitor.js:
2638         * stress/op_bitxor.js:
2639         * stress/op_div-ConstVar.js:
2640         * stress/op_div-VarConst.js:
2641         * stress/op_div-VarVar.js:
2642         * stress/op_lshift-ConstVar.js:
2643         * stress/op_lshift-VarConst.js:
2644         * stress/op_lshift-VarVar.js:
2645         * stress/op_mod-ConstVar.js:
2646         * stress/op_mod-VarConst.js:
2647         * stress/op_mod-VarVar.js:
2648         * stress/op_mul-ConstVar.js:
2649         * stress/op_mul-VarConst.js:
2650         * stress/op_mul-VarVar.js:
2651         * stress/op_rshift-ConstVar.js:
2652         * stress/op_rshift-VarConst.js:
2653         * stress/op_rshift-VarVar.js:
2654         * stress/op_sub-ConstVar.js:
2655         * stress/op_sub-VarConst.js:
2656         * stress/op_sub-VarVar.js:
2657         * stress/op_urshift-ConstVar.js:
2658         * stress/op_urshift-VarConst.js:
2659         * stress/op_urshift-VarVar.js:
2660         * stress/proxy-get-set-correct-receiver.js:
2661         * stress/regress-179562.js:
2662         * stress/rest-parameter-many-arguments.js:
2663         * stress/sampling-profiler-richards.js:
2664         * stress/splay-flash-access-1ms.js:
2665         * stress/tailCallForwardArguments.js:
2666         * stress/typed-array-get-by-val-profiling.js:
2667         * typeProfiler/getter-richards.js:
2668
2669 2018-11-06  Michael Saboff  <msaboff@apple.com>
2670
2671         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2672         https://bugs.webkit.org/show_bug.cgi?id=191271
2673
2674         Reviewed by Saam Barati.
2675
2676         Added more test cases and made all test cases run with the same deeply recursive stack
2677         instead of finding that same point for each test case.
2678
2679         * stress/regexp-compile-oom.js:
2680         (prototype.runTest):
2681         (recurseAndTest):
2682         (testList.push.new.TestAndExpectedException):
2683
2684 2018-11-05  Michael Saboff  <msaboff@apple.com>
2685
2686         Unreviewed build fix for linux.
2687
2688         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2689
2690 2018-11-02  Michael Saboff  <msaboff@apple.com>
2691
2692         Rolling in r237753 with unreviewed build fix.
2693
2694         Fixed issues with DECLARE_THROW_SCOPE placement.
2695
2696 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2697
2698         Unreviewed, rolling out r237753.
2699
2700         Introduced JSC test failures
2701
2702         Reverted changeset:
2703
2704         "Running out of stack space not properly handled in
2705         RegExp::compile() and its callers"
2706         https://bugs.webkit.org/show_bug.cgi?id=191206
2707         https://trac.webkit.org/changeset/237753
2708
2709 2018-11-02  Michael Saboff  <msaboff@apple.com>
2710
2711         Running out of stack space not properly handled in RegExp::compile() and its callers
2712         https://bugs.webkit.org/show_bug.cgi?id=191206
2713
2714         Reviewed by Filip Pizlo.
2715
2716         New regression test.
2717
2718         * stress/regexp-compile-oom.js: Added.
2719         (recurseAndTest):
2720
2721 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2722
2723         Skip tests on arm/mips that time out now we're running on CLoop
2724
2725         Unreviewed gardening.
2726
2727         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2728         time out on the bots and need to be disabled. There's more tests
2729         disabled on arm because the timeout is longer on the mips bot (as the
2730         device is slower to start with), so many of the tests don't time out
2731         there.
2732
2733         * microbenchmarks/getter-richards.js: disable on arm and mips.
2734         * stress/op_add.js: disable on arm.
2735         * stress/op_bitand.js: disable on arm.
2736         * stress/op_bitor.js: disable on arm.
2737         * stress/op_bitxor.js: disable on arm.
2738         * stress/op_lshift-ConstVar.js: disable on arm.
2739         * stress/op_lshift-VarConst.js: disable on arm.
2740         * stress/op_lshift-VarVar.js: disable on arm.
2741         * stress/op_mod-ConstVar.js: disable on arm.
2742         * stress/op_mod-VarConst.js: disable on arm.
2743         * stress/op_mod-VarVar.js: disable on arm.
2744         * stress/op_mul-ConstVar.js: disable on arm.
2745         * stress/op_mul-VarConst.js: disable on arm.
2746         * stress/op_mul-VarVar.js: disable on arm.
2747         * stress/op_rshift-ConstVar.js: disable on arm.
2748         * stress/op_rshift-VarConst.js: disable on arm.
2749         * stress/op_rshift-VarVar.js: disable on arm.
2750         * stress/op_sub-ConstVar.js: disable on arm.
2751         * stress/op_sub-VarConst.js: disable on arm.
2752         * stress/op_sub-VarVar.js: disable on arm.
2753         * stress/op_urshift-ConstVar.js: disable on arm.
2754         * stress/op_urshift-VarConst.js: disable on arm.
2755         * stress/op_urshift-VarVar.js: disable on arm.
2756         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2757         * stress/value-to-boolean.js: disable on arm and mips.
2758
2759 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2760
2761         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2762         https://bugs.webkit.org/show_bug.cgi?id=191108
2763         <rdar://problem/45690700>
2764
2765         Reviewed by Saam Barati.
2766
2767         * stress/wide-op_catch.js: Added.
2768         (catch):
2769
2770 2018-10-29  Mark Lam  <mark.lam@apple.com>
2771
2772         Correctly detect string overflow when using the 'Function' constructor.
2773         https://bugs.webkit.org/show_bug.cgi?id=184883
2774         <rdar://problem/36320331>
2775
2776         Reviewed by Saam Barati.
2777
2778         I've verified that this passes on 32-bit as well.
2779
2780         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2781
2782 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2783
2784         Add support for GetStack FlushedDouble
2785         https://bugs.webkit.org/show_bug.cgi?id=191012
2786         <rdar://problem/45265141>
2787
2788         Reviewed by Saam Barati.
2789
2790         * stress/get-stack-double.js: Added.
2791         (bar):
2792         (noInline):
2793
2794 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2795
2796         New bytecode format for JSC
2797         https://bugs.webkit.org/show_bug.cgi?id=187373
2798         <rdar://problem/44186758>
2799
2800         Reviewed by Filip Pizlo.
2801
2802         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2803
2804         * stress/maximum-inline-capacity.js: Added.
2805         (test1):
2806         (test3.Foo):
2807         (test3):
2808
2809 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2810
2811         Unreviewed, rolling out r237479 and r237484.
2812         https://bugs.webkit.org/show_bug.cgi?id=190978
2813
2814         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2815
2816         Reverted changesets:
2817
2818         "New bytecode format for JSC"
2819         https://bugs.webkit.org/show_bug.cgi?id=187373
2820         https://trac.webkit.org/changeset/237479
2821
2822         "Gardening: Build fix after r237479."
2823         https://bugs.webkit.org/show_bug.cgi?id=187373
2824         https://trac.webkit.org/changeset/237484
2825
2826 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2827
2828         New bytecode format for JSC
2829         https://bugs.webkit.org/show_bug.cgi?id=187373
2830         <rdar://problem/44186758>
2831
2832         Reviewed by Filip Pizlo.
2833
2834         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2835
2836         * stress/maximum-inline-capacity.js: Added.
2837         (test1):
2838         (test3.Foo):
2839         (test3):
2840
2841 2018-10-26  Mark Lam  <mark.lam@apple.com>
2842
2843         Fix missing edge cases with JSGlobalObjects having a bad time.
2844         https://bugs.webkit.org/show_bug.cgi?id=189028
2845         <rdar://problem/45204939>
2846
2847         Reviewed by Saam Barati.
2848
2849         * stress/regress-189028.js: Added.
2850
2851 2018-10-22  Mark Lam  <mark.lam@apple.com>
2852
2853         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2854         https://bugs.webkit.org/show_bug.cgi?id=190515
2855         <rdar://problem/45222379>
2856
2857         Rubber-stamped by Saam Barati.
2858
2859         Adding another test.
2860
2861         * stress/regress-190515-2.js: Added.
2862
2863 2018-10-22  Mark Lam  <mark.lam@apple.com>
2864
2865         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2866         https://bugs.webkit.org/show_bug.cgi?id=190515
2867         <rdar://problem/45222379>
2868
2869         Reviewed by Saam Barati.
2870
2871         * stress/regress-190515.js: Added.
2872
2873 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2874
2875         Unreviewed, rolling out r237254.
2876         https://bugs.webkit.org/show_bug.cgi?id=190760
2877
2878         "It regresses JetStream 2 by 5% on some iOS devices"
2879         (Requested by saamyjoon on #webkit).
2880
2881         Reverted changeset:
2882
2883         "[JSC] JSC should have "parseFunction" to optimize Function
2884         constructor"
2885         https://bugs.webkit.org/show_bug.cgi?id=190340
2886         https://trac.webkit.org/changeset/237254
2887
2888 2018-10-19  Saam Barati  <sbarati@apple.com>
2889
2890         vmCall should check if we exit before emitting an OSR exit due to exceptions
2891         https://bugs.webkit.org/show_bug.cgi?id=190740
2892         <rdar://problem/45220139>
2893
2894         Reviewed by Mark Lam.
2895
2896         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2897         (foo):
2898
2899 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2900
2901         [ESNext][BigInt] Implement support for "^"
2902         https://bugs.webkit.org/show_bug.cgi?id=186235
2903
2904         Reviewed by Yusuke Suzuki.
2905
2906         * stress/big-int-bitwise-xor-general.js: Added.
2907         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2908         * stress/big-int-bitwise-xor-type-error.js: Added.
2909         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2910
2911 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2912
2913         [BigInt] Add ValueSub into DFG
2914         https://bugs.webkit.org/show_bug.cgi?id=186176
2915
2916         Reviewed by Yusuke Suzuki.
2917
2918         * stress/big-int-subtraction-jit.js:
2919         * stress/value-sub-big-int-prediction-propagation.js: Added.
2920         * stress/value-sub-big-int-untyped.js: Added.
2921         * stress/value-sub-spec-none-case.js: Added.
2922
2923 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2924
2925         [JSC] JSC should have "parseFunction" to optimize Function constructor
2926         https://bugs.webkit.org/show_bug.cgi?id=190340
2927
2928         Reviewed by Mark Lam.
2929
2930         This patch fixes the line number of syntax errors raised by the Function constructor,
2931         since we now parse the final code only once. And we no longer use block statement
2932         for Function constructor's parsing.
2933
2934         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2935         * stress/function-cache-with-parameters-end-position.js: Added.
2936         (shouldBe):
2937         (shouldThrow):
2938         (i.anonymous):
2939         * stress/function-constructor-name.js: Added.
2940         (shouldBe):
2941         (GeneratorFunction):
2942         (AsyncFunction.async):
2943         (AsyncGeneratorFunction.async):
2944         (anonymous):
2945         (async.anonymous):
2946         * test262/expectations.yaml:
2947
2948 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2949
2950         Unreviewed, rolling out r237242.
2951         https://bugs.webkit.org/show_bug.cgi?id=190701
2952
2953         it breaks "stress/sampling-profiler-basic.js" (Requested by
2954         caiolima on #webkit).
2955
2956         Reverted changeset:
2957
2958         "[BigInt] Add ValueSub into DFG"
2959         https://bugs.webkit.org/show_bug.cgi?id=186176
2960         https://trac.webkit.org/changeset/237242
2961
2962 2018-10-17  Keith Miller  <keith_miller@apple.com>
2963
2964         AI does not clear Phantom allocation nodes.
2965         https://bugs.webkit.org/show_bug.cgi?id=190694
2966
2967         Reviewed by Saam Barati.
2968
2969         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2970         (Day):
2971         (DaysInYear):
2972         (TimeInYear):
2973         (TimeFromYear):
2974         (DayFromYear):
2975         (InLeapYear):
2976         (YearFromTime):
2977         (WeekDay):
2978         (DaylightSavingTA):
2979         (GetSecondSundayInMarch):
2980         (TimeInMonth):
2981
2982 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2983
2984         [BigInt] Add ValueSub into DFG
2985         https://bugs.webkit.org/show_bug.cgi?id=186176
2986
2987         Reviewed by Yusuke Suzuki.
2988
2989         * stress/big-int-subtraction-jit.js:
2990         * stress/value-sub-big-int-prediction-propagation.js: Added.
2991         * stress/value-sub-big-int-untyped.js: Added.
2992
2993 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2994
2995         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2996         https://bugs.webkit.org/show_bug.cgi?id=190611
2997
2998         Reviewed by Saam Barati.
2999
3000         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3001         to improve test runtime. On ARM/MIPS this test even timed out when running all
3002         tests.
3003
3004         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3005         (test):
3006
3007 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3008
3009         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3010
3011         Unreviewed gardening.
3012
3013         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3014
3015 2018-10-15  Saam barati  <sbarati@apple.com>
3016
3017         Emit fjcvtzs on ARM64E on Darwin
3018         https://bugs.webkit.org/show_bug.cgi?id=184023
3019
3020         Reviewed by Yusuke Suzuki and Filip Pizlo.
3021
3022         * stress/double-to-int32-NaN.js: Added.
3023         (assert):
3024         (foo):
3025
3026 2018-10-15  Saam Barati  <sbarati@apple.com>
3027
3028         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3029         https://bugs.webkit.org/show_bug.cgi?id=190262
3030         <rdar://problem/44986241>
3031
3032         Reviewed by Mark Lam.
3033
3034         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3035         (test):
3036         * stress/slice-array-storage-with-holes.js: Added.
3037         (main):
3038
3039 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3040
3041         Unreviewed, rolling out r237054.
3042         https://bugs.webkit.org/show_bug.cgi?id=190593
3043
3044         "this regressed JetStream 2 by 6% on iOS" (Requested by
3045         saamyjoon on #webkit).
3046
3047         Reverted changeset:
3048
3049         "[JSC] JSC should have "parseFunction" to optimize Function
3050         constructor"
3051         https://bugs.webkit.org/show_bug.cgi?id=190340
3052         https://trac.webkit.org/changeset/237054
3053
3054 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3055
3056         [JSC] JSON.stringify can accept call-with-no-arguments
3057         https://bugs.webkit.org/show_bug.cgi?id=190343
3058
3059         Reviewed by Mark Lam.
3060
3061         * stress/json-stringify-no-arguments.js: Added.
3062         (shouldBe):
3063
3064 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3065
3066         [JSC] JSC should have "parseFunction" to optimize Function constructor
3067         https://bugs.webkit.org/show_bug.cgi?id=190340
3068
3069         Reviewed by Mark Lam.
3070
3071         This patch fixes the line number of syntax errors raised by the Function constructor,
3072         since we now parse the final code only once. And we no longer use block statement
3073         for Function constructor's parsing.
3074
3075         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3076         * stress/function-cache-with-parameters-end-position.js: Added.
3077         (shouldBe):
3078         (shouldThrow):
3079         (i.anonymous):
3080         * stress/function-constructor-name.js: Added.
3081         (shouldBe):
3082         (GeneratorFunction):
3083         (AsyncFunction.async):
3084         (AsyncGeneratorFunction.async):
3085         (anonymous):
3086         (async.anonymous):
3087         * test262/expectations.yaml:
3088
3089 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3090
3091         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3092         https://bugs.webkit.org/show_bug.cgi?id=190426
3093
3094         Unreviewed gardening.
3095
3096         * stress/sampling-profiler-richards.js:
3097
3098 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3099
3100         [ESNext][BigInt] Implement support for "|"
3101         https://bugs.webkit.org/show_bug.cgi?id=186229
3102
3103         Reviewed by Yusuke Suzuki.
3104
3105         * stress/big-int-bitwise-and-jit.js:
3106         * stress/big-int-bitwise-or-general.js: Added.
3107         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3108         * stress/big-int-bitwise-or-jit.js: Added.
3109         * stress/big-int-bitwise-or-memory-stress.js: Added.
3110         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3111         * stress/big-int-bitwise-or-type-error.js: Added.
3112         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3113
3114 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3115
3116         Skip test on systems with limited memory
3117         https://bugs.webkit.org/show_bug.cgi?id=190310
3118
3119         Invoking runDefault adds test to runlist, skipping the test in the next
3120         line does not prevent the test from executing. Change order of lines such
3121         that runDefault is only executed if test is not executed.
3122
3123         Reviewed by Mark Lam.
3124
3125         * stress/regress-190187.js:
3126
3127 2018-10-03  Saam barati  <sbarati@apple.com>
3128
3129         lowXYZ in FTLLower should always filter the type of the incoming edge
3130         https://bugs.webkit.org/show_bug.cgi?id=189939
3131         <rdar://problem/44407030>
3132
3133         Reviewed by Michael Saboff.
3134
3135         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3136         (foo):
3137         (test):
3138
3139 2018-10-03  Mark Lam  <mark.lam@apple.com>
3140
3141         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3142         https://bugs.webkit.org/show_bug.cgi?id=190187
3143         <rdar://problem/42512909>
3144
3145         Reviewed by Michael Saboff.
3146
3147         * stress/regress-190187.js: Added.
3148
3149 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3150
3151         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3152         https://bugs.webkit.org/show_bug.cgi?id=190033
3153
3154         Reviewed by Yusuke Suzuki.
3155
3156         * stress/big-int-to-string.js:
3157
3158 2018-10-01  Mark Lam  <mark.lam@apple.com>
3159
3160         Function.toString() should also copy the source code Functions that are class definitions.
3161         https://bugs.webkit.org/show_bug.cgi?id=190186
3162         <rdar://problem/44733360>
3163
3164         Reviewed by Saam Barati.
3165
3166         * stress/regress-190186.js: Added.
3167
3168 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3169
3170         Split NaN-check into separate test
3171         https://bugs.webkit.org/show_bug.cgi?id=190010
3172
3173         Reviewed by Saam Barati.
3174
3175         DataView exposes NaN-representation, which is not necessarily the same on each
3176         architecture. Therefore move the check of the NaN-representation into its own
3177         file such that we can disable this test on MIPS where NaN-representation can be
3178         different on older CPUs.
3179
3180         * stress/dataview-jit-set-nan.js: Added.
3181         (assert):
3182         (test.storeLittleEndian):
3183         (test.storeBigEndian):
3184         (test.store):
3185         (test):
3186         * stress/dataview-jit-set.js:
3187         (test5):
3188
3189 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3190
3191         Unreviewed, rolling out r236647.
3192         https://bugs.webkit.org/show_bug.cgi?id=190124
3193
3194         Breaking test stress/big-int-to-string.js (Requested by
3195         caiolima_ on #webkit).
3196
3197         Reverted changeset:
3198
3199         "[BigInt] BigInt.prototype.toString is broken when radix is
3200         power of 2"
3201         https://bugs.webkit.org/show_bug.cgi?id=190033
3202         https://trac.webkit.org/changeset/236647
3203
3204 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3205
3206         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3207         https://bugs.webkit.org/show_bug.cgi?id=190033
3208
3209         Reviewed by Yusuke Suzuki.
3210
3211         * stress/big-int-to-string.js:
3212
3213 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3214
3215         [ESNext][BigInt] Implement support for "&"
3216         https://bugs.webkit.org/show_bug.cgi?id=186228
3217
3218         Reviewed by Yusuke Suzuki.
3219
3220         * stress/big-int-bitwise-and-general.js: Added.
3221         (assert):
3222         (assert.sameValue):
3223         * stress/big-int-bitwise-and-jit.js: Added.
3224         (let.assert.sameValue):
3225         (bigIntBitAnd):
3226         * stress/big-int-bitwise-and-memory-stress.js: Added.
3227         (assert):
3228         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3229         (assert.sameValue):
3230         (let.o.Symbol.toPrimitive):
3231         (catch):
3232         * stress/big-int-bitwise-and-type-error.js: Added.
3233         (assert):
3234         (assertThrowTypeError):
3235         (let.o.valueOf):
3236         (o.valueOf):
3237         (o.toString):
3238         (o.Symbol.toPrimitive):
3239         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3240         (assert.sameValue):
3241         (testBitAnd):
3242         (let.o.Symbol.toPrimitive):
3243         (o.valueOf):
3244         (o.toString):
3245
3246 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3247
3248         JSC test stress/jsc-read.js doesn't support CRLF
3249         https://bugs.webkit.org/show_bug.cgi?id=190063
3250
3251         Reviewed by Yusuke Suzuki.
3252
3253         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3254
3255         * stress/jsc-read.js:
3256         (test):
3257
3258 2018-09-27  Saam barati  <sbarati@apple.com>
3259
3260         Verify the contents of AssemblerBuffer on arm64e
3261         https://bugs.webkit.org/show_bug.cgi?id=190057
3262         <rdar://problem/38916630>
3263
3264         Reviewed by Mark Lam.
3265
3266         * stress/regress-189132.js:
3267
3268 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3269
3270         Disable test without LLInt on ARMv7
3271         https://bugs.webkit.org/show_bug.cgi?id=190037
3272
3273         Reviewed by Mark Lam.
3274
3275         Test runs out of executable memory on ARMv7, do not run
3276         this test without LLInt enabled.
3277
3278         * stress/regress-169445.js:
3279
3280 2018-09-26  Keith Miller  <keith_miller@apple.com>
3281
3282         We should zero unused property storage when rebalancing array storage.
3283         https://bugs.webkit.org/show_bug.cgi?id=188151
3284
3285         Reviewed by Michael Saboff.
3286
3287         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3288
3289 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3290
3291         [JSC] Optimize Array#lastIndexOf
3292         https://bugs.webkit.org/show_bug.cgi?id=189780
3293
3294         Reviewed by Saam Barati.
3295
3296         * stress/array-lastindexof-array-prototype-trap.js: Added.
3297         (shouldBe):
3298         (AncestorArray.prototype.get 2):
3299         (AncestorArray):
3300         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3301         (shouldBe):
3302         * stress/array-lastindexof-hole-nan.js: Added.
3303         (shouldBe):
3304         (throw.new.Error):
3305         * stress/array-lastindexof-infinity.js: Added.
3306         (shouldBe):
3307         (throw.new.Error):
3308         * stress/array-lastindexof-negative-zero.js: Added.
3309         (shouldBe):
3310         (throw.new.Error):
3311         * stress/array-lastindexof-own-getter.js: Added.
3312         (shouldBe):
3313         (throw.new.Error.get array):
3314         (get array):
3315         * stress/array-lastindexof-prototype-trap.js: Added.
3316         (shouldBe):
3317         (DerivedArray.prototype.get 2):
3318         (DerivedArray):
3319
3320 2018-09-25  Saam Barati  <sbarati@apple.com>
3321
3322         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3323         https://bugs.webkit.org/show_bug.cgi?id=189940
3324         <rdar://problem/43640987>
3325
3326         Reviewed by Mark Lam.
3327
3328         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3329
3330 2018-09-24  Saam Barati  <sbarati@apple.com>
3331
3332         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3333         https://bugs.webkit.org/show_bug.cgi?id=189922
3334         <rdar://problem/44651275>
3335
3336         Reviewed by Mark Lam.
3337
3338         * stress/array-indexof-fast-path-effects.js: Added.
3339         * stress/array-indexof-cached-length.js: Added.
3340
3341 2018-09-24  Saam barati  <sbarati@apple.com>
3342
        ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=189682
        <rdar://problem/43557315>

        Reviewed by Mark Lam.

        * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
        (foo):

2018-09-22  Saam barati  <sbarati@apple.com>

        The sampling should not use Strong<CodeBlock> in its machineLocation field
        https://bugs.webkit.org/show_bug.cgi?id=189319

        Reviewed by Filip Pizlo.

        * stress/sampling-profiler-richards.js: Added.

2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#indexOf in C++ runtime
        https://bugs.webkit.org/show_bug.cgi?id=189507

        Reviewed by Saam Barati.

        * stress/array-indexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-indexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-indexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-19  Saam barati  <sbarati@apple.com>

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757
        <rdar://problem/43535257>

        Reviewed by Michael Saboff.

        * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
        (foo):
        (Foo):
        (g):

2018-09-17  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        * stress/regress-189571.js: Added.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
        (A):
        (K):
        (i.catch):

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
        (foo):

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array initialization in arrayProtoFuncSplice.
        https://bugs.webkit.org/show_bug.cgi?id=170253
        <rdar://problem/31328773>

        Rubber-stamped by Saam Barati.

        * stress/regress-170253.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for IntlObject initialization.
        https://bugs.webkit.org/show_bug.cgi?id=170251
        <rdar://problem/31328419>

        Rubber-stamped by Saam Barati.

        * stress/regress-170251.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array memcpy'ing when JSGlobalObject::haveABadTime.
        https://bugs.webkit.org/show_bug.cgi?id=169889
        <rdar://problem/31155607>

        Reviewed by Saam Barati.

        * stress/regress-169889-array-concat.js: Added.
        * stress/regress-169889-array-concat1.js: Added.
        * stress/regress-169889-array-slice.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
        https://bugs.webkit.org/show_bug.cgi?id=169445
        <rdar://problem/30957435>

        Reviewed by Saam Barati.

        * stress/regress-169445.js: Added.
        (let.gun.eval.A):
        (let.gun.eval.B.C):
        (let.gun.eval.B.C.prototype.trigger):
        (let.gun.eval.B.C.prototype.triggerWithRestParameters):
        (let.gun.eval.B):
        (let.gun.eval):

== Rolled over to ChangeLog-2018-09-11 ==