Clean up Int52 code and some bugs in it
1 2019-04-09  Saam barati  <sbarati@apple.com>
2
3         Clean up Int52 code and some bugs in it
4         https://bugs.webkit.org/show_bug.cgi?id=196639
5         <rdar://problem/49515757>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
10
11 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
12
13         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
14         https://bugs.webkit.org/show_bug.cgi?id=196708
15         <rdar://problem/49556803>
16
17         Reviewed by Yusuke Suzuki.
18
19         * stress/proxy-getter-stack-overflow.js: Added.
20         (const.handler.get target):
21         (const.handler.has):
22         (try.with):
23         (catch):
24
25 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
26
27         [JSC] DFG should respect node's strict flag
28         https://bugs.webkit.org/show_bug.cgi?id=196617
29
30         Reviewed by Saam Barati.
31
32         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
33         (shouldEqual):
34         (makeUnwriteableUnconfigurableObject):
35         (runTest):
36         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
37         (shouldBe):
38         (shouldThrow):
39         (with.result):
40         (with.putValueStrict):
41         (with.putValueSloppy):
42
43 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
44
45         [JSC] isRope jump in StringSlice should not jump over register allocations
46         https://bugs.webkit.org/show_bug.cgi?id=196716
47
48         Reviewed by Saam Barati.
49
50         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
51         (foo.bar):
52         (foo):
53
54 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
55
56         [JSC] to_index_string should not assume incoming value is Uint32
57         https://bugs.webkit.org/show_bug.cgi?id=196713
58
59         Reviewed by Saam Barati.
60
61         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
62         (foo):
63
64 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
65
66         [JSC] Add more tests for r243966
67         https://bugs.webkit.org/show_bug.cgi?id=196711
68
69         Reviewed by Saam Barati.
70
71         Adding one more test for r243966 fix. The added test will not crash after r243966.
72
73         * stress/stress-cleared-calllinkinfo.js: Added.
74         (runNearStackLimit.t):
75         (runNearStackLimit):
76         (repeat):
77         (cls):
78         (let.item.of.array.runNearStackLimit):
79
80 2019-04-08  Saam Barati  <sbarati@apple.com>
81
82         WebAssembly.RuntimeError missing exception check
83         https://bugs.webkit.org/show_bug.cgi?id=196700
84         <rdar://problem/49693932>
85
86         Reviewed by Yusuke Suzuki.
87
88         * wasm/js-api/runtime-error-should-exception-check.js: Added.
89
90 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
91
92         Unreviewed, rolling in r243948 with test fix
93         https://bugs.webkit.org/show_bug.cgi?id=196486
94
95         * stress/arrow-function-and-use-strict-directive.js: Added.
96         * stress/arrow-function-syntax.js: Added.
97         (checkSyntax):
98         (checkSyntaxError):
99
100 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
101
102         Unreviewed, rolling out r243948.
103
104         Caused inspector/runtime/parse.html to fail
105
106         Reverted changeset:
107
108         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
109         https://bugs.webkit.org/show_bug.cgi?id=196486
110         https://trac.webkit.org/changeset/243948
111
112 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
113
114         Unreviewed, rolling out r243943.
115
116         Caused test262 failures.
117
118         Reverted changeset:
119
120         "[JSC] Filter DontEnum properties in
121         ProxyObject::getOwnPropertyNames()"
122         https://bugs.webkit.org/show_bug.cgi?id=176810
123         https://trac.webkit.org/changeset/243943
124
125 2019-04-07  Michael Saboff  <msaboff@apple.com>
126
127         REGRESSION (r243642): Crash in reddit.com page
128         https://bugs.webkit.org/show_bug.cgi?id=196684
129
130         Reviewed by Geoffrey Garen.
131
132         New regression test.
133
134         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
135
136 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
137
138         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
139         https://bugs.webkit.org/show_bug.cgi?id=196683
140
141         Reviewed by Saam Barati.
142
143         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
144         (foo):
145
146 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
147
148         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
149         https://bugs.webkit.org/show_bug.cgi?id=196582
150
151         Reviewed by Saam Barati.
152
153         * stress/add-overflow-check-with-three-same-registers.js: Added.
154         (foo):
155         (Number.prototype.valueOf):
156         (runWithNumber):
157
158 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
159
160         Unreviewed, rolling out r243665.
161
162         Caused iOS JSC tests to exit with an exception.
163
164         Reverted changeset:
165
166         "Assertion failed in JSC::createError"
167         https://bugs.webkit.org/show_bug.cgi?id=196305
168         https://trac.webkit.org/changeset/243665
169
170 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
171
172         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
173         https://bugs.webkit.org/show_bug.cgi?id=196486
174
175         Reviewed by Saam Barati.
176
177         * stress/arrow-function-and-use-strict-directive.js: Added.
178         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
179         (checkSyntax):
180         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
181
182 2019-04-05  Caitlin Potter  <caitp@igalia.com>
183
184         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
185         https://bugs.webkit.org/show_bug.cgi?id=176810
186
187         Reviewed by Saam Barati.
188
189         Add tests for the DontEnum filtering, and variations of other tests
190         take the DontEnum-filtering path.
191
192         * stress/proxy-own-keys.js:
193         (i.catch):
194         (set assert):
195         (set add):
196         (let.set new):
197         (get let):
198
199 2019-04-05  Caitlin Potter  <caitp@igalia.com>
200
201         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
202         https://bugs.webkit.org/show_bug.cgi?id=185211
203
204         Reviewed by Saam Barati.
205
206         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
207
208         This changes several assertions to expect a TypeError to be thrown (in some cases,
209         changing the expected message).
210
211         * es6/Proxy_ownKeys_duplicates.js:
212         (handler):
213         (shouldThrow):
214         (test):
215         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
216         (shouldThrow):
217         * stress/proxy-own-keys.js:
218         (i.catch):
219         (assert):
220
221 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
222
223         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
224         https://bugs.webkit.org/show_bug.cgi?id=196631
225
226         Reviewed by Saam Barati.
227
228         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
229         (assert):
230         (test):
231         (foo):
232
233 2019-04-04  Saam Barati  <sbarati@apple.com>
234
235         Unreviewed. Make the test from r243906 catch the thrown exceptions.
236
237         * stress/inferred-types-regex-matches-array.js:
238
239 2019-04-04  Saam Barati  <sbarati@apple.com>
240
241         createRegExpMatchesArray does not respect inferred types
242         https://bugs.webkit.org/show_bug.cgi?id=193287
243
244         Reviewed by Yusuke Suzuki.
245
246         This checks in the test case for 193287. This issue was discovered by
247         Samuel Groß of Google Project Zero.
248
249         * stress/inferred-types-regex-matches-array.js: Added.
250
251 2019-04-04  Saam barati  <sbarati@apple.com>
252
253         Teach Call ICs how to call Wasm
254         https://bugs.webkit.org/show_bug.cgi?id=196387
255
256         Reviewed by Filip Pizlo.
257
258         * wasm/function-tests/stack-trace.js:
259
260 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
261
262         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
263         https://bugs.webkit.org/show_bug.cgi?id=194944
264
265         Reviewed by Keith Miller.
266
267         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
268
269 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
270
271         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
272         https://bugs.webkit.org/show_bug.cgi?id=196409
273
274         Reviewed by Saam Barati.
275
276         * stress/bytecode-cache-cached-string-impl.js: Added.
277         (f):
278         (g):
279         * stress/bytecode-cache-run-string.js: Added.
280
281 2019-04-03  Robin Morisset  <rmorisset@apple.com>
282
283         B3 should use associativity to optimize expression trees
284         https://bugs.webkit.org/show_bug.cgi?id=194081
285
286         Reviewed by Filip Pizlo.
287
288         Added three microbenchmarks:
289         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
290         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
291           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
292         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
293
294         * microbenchmarks/add-tree.js: Added.
295         * microbenchmarks/bit-or-tree.js: Added.
296         * microbenchmarks/bit-xor-tree.js: Added.
297
298 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
299
300         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
301         https://bugs.webkit.org/show_bug.cgi?id=196574
302
303         Reviewed by Saam Barati.
304
305         * stress/string-index-of-exception-check.js: Added.
306         (blurType):
307         (1.forEach):
308
309 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
310
311         Assertion failed in JSC::createError
312         https://bugs.webkit.org/show_bug.cgi?id=196305
313         <rdar://problem/49387382>
314
315         Reviewed by Saam Barati.
316
317         * stress/create-error-out-of-memory-rope-string-2.js: Added.
318         (assert):
319         (catch):
320
321 2019-03-28  Saam Barati  <sbarati@apple.com>
322
323         BackwardsGraph needs to consider back edges as the backward's root successor
324         https://bugs.webkit.org/show_bug.cgi?id=195991
325
326         Reviewed by Filip Pizlo.
327
328         * stress/map-b3-licm-infinite-loop.js: Added.
329
330 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
331
332         CodeBlock::jettison() should disallow repatching its own calls
333         https://bugs.webkit.org/show_bug.cgi?id=196359
334         <rdar://problem/48973663>
335
336         Reviewed by Saam Barati.
337
338         * stress/call-link-info-osrexit-repatch.js: Added.
339         (foo):
340
341 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
342
343         [JSC] imports-oom.js intermittently fails
344         https://bugs.webkit.org/show_bug.cgi?id=196373
345
346         Reviewed by Saam Barati.
347
348         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
349         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
350         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
351         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
352         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
353
354         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
355         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
356
357         * wasm/lowExecutableMemory/imports-oom.js:
358
359 2019-03-27  Saam Barati  <sbarati@apple.com>
360
361         validateOSREntryValue with Int52 should box the value being checked into double format
362         https://bugs.webkit.org/show_bug.cgi?id=196313
363         <rdar://problem/49306703>
364
365         Reviewed by Yusuke Suzuki.
366
367         * stress/validate-int-52-ai-state.js: Added.
368
369 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
370
371         [JSC] Owner of watchpoints should validate at GC finalizing phase
372         https://bugs.webkit.org/show_bug.cgi?id=195827
373
374         Reviewed by Filip Pizlo.
375
376         * stress/gc-should-reap-dead-watchpoints.js: Added.
377         (foo):
378         (A.prototype.y):
379         (A):
380
381 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
382
383         Skip WebAssembly test on 32-bit systems
384         https://bugs.webkit.org/show_bug.cgi?id=196206
385
386         Reviewed by Saam Barati.
387
388         Invoking runDefault executes test immediately even though
389         that test should be skipped due to missing WASM support.
390         Therefore remove runDefault.
391
392         * wasm/regress/web-assembly-link-error-exception-check.js:
393
394 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
395
396         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
397         https://bugs.webkit.org/show_bug.cgi?id=196217
398
399         Reviewed by Saam Barati.
400
401         Re-enable all NaN tests for f32.min, f64.min and f64.max.
402
403         * wasm/spec-tests/f32.wast.js:
404         * wasm/spec-tests/f64.wast.js:
405         * wasm/wasm.json:
406
407 2019-03-25  Keith Miller  <keith_miller@apple.com>
408
409         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
410         https://bugs.webkit.org/show_bug.cgi?id=196176
411
412         Reviewed by Saam Barati.
413
414         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
415         (main.v10):
416         (main):
417
418 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
419
420         WebAssembly: f32.max with NaN generates incorrect result
421         https://bugs.webkit.org/show_bug.cgi?id=175691
422         <rdar://problem/33952228>
423
424         Reviewed by Saam Barati.
425
426         Enable all f32.max NaN tests
427
428         * wasm/spec-tests/f32.wast.js:
429         * wasm/wasm.json:
430
431 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
432
433         [JSC] Move test into directory for WASM tests
434         https://bugs.webkit.org/show_bug.cgi?id=196187
435
436         Reviewed by Mark Lam.
437
438         Move Test into wasm-directory. Otherwise this test
439         is also executed on systems without WASM support.
440
441         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
442
443 2019-03-23  Mark Lam  <mark.lam@apple.com>
444
445         Rolling out r243032 and r243071 because the fix is incorrect.
446         https://bugs.webkit.org/show_bug.cgi?id=195892
447         <rdar://problem/48981239>
448
449         Not reviewed.
450
451         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
452
453 2019-03-22  Mark Lam  <mark.lam@apple.com>
454
455         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
456         https://bugs.webkit.org/show_bug.cgi?id=196154
457         <rdar://problem/49145307>
458
459         Reviewed by Filip Pizlo.
460
461         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
462         There's no need to run this test on more than 1 test configuration.
463
464         * stress/typed-array-lastIndexOf-exception-check.js: Added.
465         * stress/web-assembly-link-error-exception-check.js:
466
467 2019-03-22  Mark Lam  <mark.lam@apple.com>
468
469         Placate exception check validation in constructJSWebAssemblyLinkError().
470         https://bugs.webkit.org/show_bug.cgi?id=196152
471         <rdar://problem/49145257>
472
473         Reviewed by Michael Saboff.
474
475         * stress/web-assembly-link-error-exception-check.js: Added.
476
477 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
478
479         Skip tests running out of memory on ARM/MIPS
480         https://bugs.webkit.org/show_bug.cgi?id=196131
481
482         Unreviewed. Skip test if memory is limited.
483
484         * microbenchmarks/put-by-val-direct-large-index.js:
485
486 2019-03-21  Mark Lam  <mark.lam@apple.com>
487
488         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
489         https://bugs.webkit.org/show_bug.cgi?id=196116
490         <rdar://problem/48976951>
491
492         Reviewed by Filip Pizlo.
493
494         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
495
496 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
497
498         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
499         https://bugs.webkit.org/show_bug.cgi?id=196078
500         <rdar://problem/35925380>
501
502         Reviewed by Mark Lam.
503
504         Add a new benchmark that allocates several objects and invokes put_by_val_direct
505         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
506
507         * microbenchmarks/put-by-val-direct-large-index.js: Added.
508
509 2019-03-21  Mark Lam  <mark.lam@apple.com>
510
511         Placate exception check validation in operationArrayIndexOfString().
512         https://bugs.webkit.org/show_bug.cgi?id=196067
513         <rdar://problem/49056572>
514
515         Reviewed by Michael Saboff.
516
517         * stress/string-equal-exception-check.js: Added.
518
519 2019-03-21  Mark Lam  <mark.lam@apple.com>
520
521         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
522         https://bugs.webkit.org/show_bug.cgi?id=196055
523         <rdar://problem/49067448>
524
525         Reviewed by Yusuke Suzuki.
526
527         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
528
529 2019-03-20  Saam Barati  <sbarati@apple.com>
530
531         typeOfDoubleSum is wrong for when NaN can be produced
532         https://bugs.webkit.org/show_bug.cgi?id=196030
533
534         Reviewed by Filip Pizlo.
535
536         * stress/double-add-sub-mul-can-produce-nan.js: Added.
537         (assert):
538         (noInline.sub):
539         (noInline):
540         (assert.mul):
541         (assert.add):
542
543 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
544
545         Update the test to ensure OutOfMemoryError is thrown as intended
546         https://bugs.webkit.org/show_bug.cgi?id=196032
547         <rdar://problem/46842740>
548
549         Rubber stamped by Saam Barati.
550
551         * stress/create-error-out-of-memory-rope-string.js:
552         (assert):
553         (catch):
554
555 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
556
557         JSC::createError needs to check for OOM in errorDescriptionForValue
558         https://bugs.webkit.org/show_bug.cgi?id=196032
559         <rdar://problem/46842740>
560
561         Reviewed by Mark Lam.
562
563         * stress/create-error-out-of-memory-rope-string.js: Added.
564
565 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
566
567         Unreviewed, reduce # of iterations to avoid timing out after r242991
568         https://bugs.webkit.org/show_bug.cgi?id=195791
569
570         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
571
572         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
573
574 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
575
576         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
577         https://bugs.webkit.org/show_bug.cgi?id=195950
578
579         Unreviewed, reducing the amount of memory used on this test to avoid
580         OOM on devices with memory restrictions.
581
582         * microbenchmarks/generate-multiple-llint-entrypoints.js:
583
584 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
585
586         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
587         https://bugs.webkit.org/show_bug.cgi?id=194648
588
589         Reviewed by Keith Miller.
590
591         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
592
593 2019-03-18  Mark Lam  <mark.lam@apple.com>
594
595         Missing a ThrowScope release in JSObject::toString().
596         https://bugs.webkit.org/show_bug.cgi?id=195893
597         <rdar://problem/48970986>
598
599         Reviewed by Michael Saboff.
600
601         * stress/to-string-exception-check-release.js: Added.
602
603 2019-03-18  Mark Lam  <mark.lam@apple.com>
604
605         Structure::flattenDictionary() should clear unused property slots.
606         https://bugs.webkit.org/show_bug.cgi?id=195871
607         <rdar://problem/48959497>
608
609         Reviewed by Michael Saboff.
610
611         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
612
613 2019-03-15  Mark Lam  <mark.lam@apple.com>
614
615         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
616         https://bugs.webkit.org/show_bug.cgi?id=195827
617         <rdar://problem/48845513>
618
619         Reviewed by Filip Pizlo.
620
621         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
622
623 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
624
625         [ARM,MIPS] Skip slow tests
626         https://bugs.webkit.org/show_bug.cgi?id=195799
627
628         Unreviewed, test does not finish on ARM and MIPS within the
629         timeout limit.
630
631         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
632
633 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
634
635         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
636         https://bugs.webkit.org/show_bug.cgi?id=195791
637         <rdar://problem/48806130>
638
639         Reviewed by Mark Lam.
640
641         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
642         (foo):
643
644 2019-03-14  Saam barati  <sbarati@apple.com>
645
646         We can't remove code after ForceOSRExit until after FixupPhase
647         https://bugs.webkit.org/show_bug.cgi?id=186916
648         <rdar://problem/41396612>
649
650         Reviewed by Yusuke Suzuki.
651
652         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
653         (foo):
654         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
655         (foo):
656
657 2019-03-13  Michael Saboff  <msaboff@apple.com>
658
659         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
660         https://bugs.webkit.org/show_bug.cgi?id=195735
661
662         Reviewed by Mark Lam.
663
664         New regression test.
665
666         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
667         (foo):
668         (bar):
669
670 2019-03-14  Saam barati  <sbarati@apple.com>
671
672         Fixup uses KnownInt32 incorrectly in some nodes
673         https://bugs.webkit.org/show_bug.cgi?id=195279
674         <rdar://problem/47915654>
675
676         Reviewed by Yusuke Suzuki.
677
678         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
679         (foo):
680
681 2019-03-14  Keith Miller  <keith_miller@apple.com>
682
683         DFG liveness can't skip tail caller inline frames
684         https://bugs.webkit.org/show_bug.cgi?id=195715
685
686         Reviewed by Saam Barati.
687
688         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
689         (i.foo):
690
691 2019-03-13  Mark Lam  <mark.lam@apple.com>
692
693         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
694         https://bugs.webkit.org/show_bug.cgi?id=195415
695
696         Not reviewed.
697
698         Changed these tests to only run the default configuration.
699         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
700         There's no strong need to run this test on that variant.
701
702         * stress/dfg-to-string-on-int-does-gc.js:
703         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
704
705 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
706
707         String overflow when using StringBuilder in JSC::createError
708         https://bugs.webkit.org/show_bug.cgi?id=194957
709
710         Reviewed by Mark Lam.
711
712         Add test string-overflow-createError-builder.js that overflows
713         StringBuilder in notAFunctionSourceAppender. The second new test
714         string-overflow-createError-fit.js has an error message that doesn't
715         overflow, it still failed since the String's capacity can't be doubled.
716         Run test string-overflow-createError.js only in the default
717         configuration to reduce memory consumption when running the test
718         in all configurations on multiple CPUs in parallel.
719
720         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
721         (catch):
722         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
723         (catch):
724         * stress/string-overflow-createError.js:
725
726 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
727
728         [JSC] OSR entry should respect abstract values in addition to flush formats
729         https://bugs.webkit.org/show_bug.cgi?id=195653
730
731         Reviewed by Mark Lam.
732
733         * stress/osr-entry-locals-none.js: Added.
734
735 2019-03-12  Michael Saboff  <msaboff@apple.com>
736
737         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
738         https://bugs.webkit.org/show_bug.cgi?id=195613
739
740         Reviewed by Mark Lam.
741
742         New regression test.
743
744         * stress/regexp-backref-inbounds.js: Added.
745         (testRegExp):
746
747 2019-03-12  Mark Lam  <mark.lam@apple.com>
748
749         The HasIndexedProperty node does GC.
750         https://bugs.webkit.org/show_bug.cgi?id=195559
751         <rdar://problem/48767923>
752
753         Reviewed by Yusuke Suzuki.
754
755         * stress/HasIndexedProperty-does-gc.js: Added.
756
757 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
758
759         [ESNext][BigInt] Implement "~" unary operation
760         https://bugs.webkit.org/show_bug.cgi?id=182216
761
762         Reviewed by Keith Miller.
763
764         * stress/big-int-bit-not-general.js: Added.
765         * stress/big-int-bitwise-not-jit.js: Added.
766         * stress/big-int-bitwise-not-wrapped-value.js: Added.
767         * stress/bit-op-with-object-returning-int32.js:
768         * stress/bitwise-not-fixup-rules.js: Added.
769         * stress/value-bit-not-ai-rule.js: Added.
770
771 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
772
773         Invalid flags in a RegExp literal should be an early SyntaxError
774         https://bugs.webkit.org/show_bug.cgi?id=195514
775
776         Reviewed by Darin Adler.
777
778         * test262/expectations.yaml:
779         Mark 4 test cases as passing.
780
781         * stress/regexp-syntax-error-invalid-flags.js:
782         * stress/regress-161995.js: Removed.
783         Update existing test, merging in an older test for the same behavior.
784
785 2019-03-08  Mark Lam  <mark.lam@apple.com>
786
787         Stack overflow crash in JSC::JSObject::hasInstance.
788         https://bugs.webkit.org/show_bug.cgi?id=195458
789         <rdar://problem/48710195>
790
791         Reviewed by Yusuke Suzuki.
792
793         * stress/stack-overflow-in-custom-hasInstance.js: Added.
794
795 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
796
797         op_check_tdz does not def its argument
798         https://bugs.webkit.org/show_bug.cgi?id=192880
799         <rdar://problem/46221598>
800
801         Reviewed by Saam Barati.
802
803         * microbenchmarks/let-for-in.js: Added.
804         (foo):
805
806 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
807
808         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
809         https://bugs.webkit.org/show_bug.cgi?id=195429
810
811         Reviewed by Saam Barati.
812
813         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
814         (foo):
815         * stress/string-from-char-code-255.js: Added.
816
817 2019-03-06  Mark Lam  <mark.lam@apple.com>
818
819         Fix incorrect handling of try-finally completion values.
820         https://bugs.webkit.org/show_bug.cgi?id=195131
821         <rdar://problem/46222079>
822
823         Reviewed by Saam Barati and Yusuke Suzuki.
824
825         Added many permutations of new test case to test-finally.js.  test-finally.js has
826         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
827         tests pass there as well.
828
829         * stress/test-finally.js:
830
831 2019-03-06  Saam Barati  <sbarati@apple.com>
832
833         Air::reportUsedRegisters must padInterference
834         https://bugs.webkit.org/show_bug.cgi?id=195303
835         <rdar://problem/48270343>
836
837         Reviewed by Keith Miller.
838
839         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
840
841 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
842
843         [JSC] AI should not propagate AbstractValue relying on constant folding phase
844         https://bugs.webkit.org/show_bug.cgi?id=195375
845
846         Reviewed by Saam Barati.
847
848         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
849         (let.array):
850
851 2019-03-05  Saam barati  <sbarati@apple.com>
852
853         op_switch_char broken for rope strings after JSRopeString layout rewrite
854         https://bugs.webkit.org/show_bug.cgi?id=195339
855         <rdar://problem/48592545>
856
857         Reviewed by Yusuke Suzuki.
858
859         * stress/switch-on-char-llint-rope.js: Added.
860
861 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
862
863         [JSC] Store bits for JSRopeString in 3 stores
864         https://bugs.webkit.org/show_bug.cgi?id=195234
865
866         Reviewed by Saam Barati.
867
868         * stress/null-rope-and-collectors.js: Added.
869
870 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
871
872         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
873         https://bugs.webkit.org/show_bug.cgi?id=195207
874
875         Unreviewed. After test runtime was reduced in r242213, test can be
876         run again on ARM/MIPS.
877
878         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
879
880 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
881
882         [JSC] sizeof(JSString) should be 16
883         https://bugs.webkit.org/show_bug.cgi?id=194375
884
885         Reviewed by Saam Barati.
886
887         * microbenchmarks/make-rope.js: Added.
888         (makeRope):
889         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
890         (returnRope.helper): Deleted.
891         (returnRope): Deleted.
892
893 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
894
895         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
896         https://bugs.webkit.org/show_bug.cgi?id=195144
897
898         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
899         Change the number from 1e8 to 1e5.
900
901         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
902         (foo):
903
904 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
905
906         Test times out on ARM/MIPS
907         https://bugs.webkit.org/show_bug.cgi?id=195168
908
909         Unreviewed. Skip test on ARM/MIPS.
910
911         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
912
913 2019-02-27  Mark Lam  <mark.lam@apple.com>
914
915         The parser is failing to record the token location of new in new.target.
916         https://bugs.webkit.org/show_bug.cgi?id=195127
917         <rdar://problem/39645578>
918
919         Reviewed by Yusuke Suzuki.
920
921         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
922
923 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
924
925         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
926         https://bugs.webkit.org/show_bug.cgi?id=195144
927         <rdar://problem/47595961>
928
929         Reviewed by Mark Lam.
930
931         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
932         (bar):
933         (foo):
934         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
935         (bar):
936         (foo):
937
938 2019-02-27  Robin Morisset  <rmorisset@apple.com>
939
940         DFG: Loop-invariant code motion (LICM) should not hoist dead code
941         https://bugs.webkit.org/show_bug.cgi?id=194945
942         <rdar://problem/48311657>
943
944         Reviewed by Mark Lam.
945
946         * stress/licm-dead-code.js: Added.
947
948 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
949
950         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
951         https://bugs.webkit.org/show_bug.cgi?id=194677
952         <rdar://problem/48112492>
953
954         Reviewed by Mark Lam.
955
956         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
957         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
958         it immediately fails due to the large size.
959
960         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
961         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
962         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
963         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
964
965         This patch changes the test to produce 16bit string from String.fromCharCode.
966
967         * stress/regress-178386.js:
968
969 2019-02-26  Mark Lam  <mark.lam@apple.com>
970
971         wasmToJS() should purify incoming NaNs.
972         https://bugs.webkit.org/show_bug.cgi?id=194807
973         <rdar://problem/48189132>
974
975         Reviewed by Saam Barati.
976
977         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
978
979 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
980
981         [JSC] Repeat string created from Array.prototype.join() take too much memory
982         https://bugs.webkit.org/show_bug.cgi?id=193912
983
984         Reviewed by Saam Barati.
985
986         Added a test and a microbenchmark for corner cases of
987         Array.prototype.join() with an uninitialized array.
988
989         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
990         * stress/array-prototype-join-uninitialized.js: Added.
991         (testArray):
992         (testABC):
993         (B):
994         (C):
995
996 2019-02-22  Robin Morisset  <rmorisset@apple.com>
997
998         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
999         https://bugs.webkit.org/show_bug.cgi?id=194953
1000         <rdar://problem/47595253>
1001
1002         Reviewed by Saam Barati.
1003
1004         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1005
1006         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1007
1008 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1009
1010         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1011         https://bugs.webkit.org/show_bug.cgi?id=172848
1012         <rdar://problem/25709212>
1013
1014         Reviewed by Mark Lam.
1015
1016         * typeProfiler/inheritance.js:
1017         Rewrite the test slightly for clarity. The hoisting was confusing.
1018
1019         * heapProfiler/class-names.js: Added.
1020         (MyES5Class):
1021         (MyES6Class):
1022         (MyES6Subclass):
1023         Test object types and improved class names.
1024
1025         * heapProfiler/driver/driver.js:
1026         (CheapHeapSnapshotNode):
1027         (CheapHeapSnapshot):
1028         (createCheapHeapSnapshot):
1029         (HeapSnapshot):
1030         (createHeapSnapshot):
1031         Update snapshot parsing from version 1 to version 2.
1032
1033 2019-02-19  Truitt Savell  <tsavell@apple.com>
1034
1035         Unreviewed, rolling out r241784.
1036
1037         Broke all OpenSource builds.
1038
1039         Reverted changeset:
1040
1041         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1042         instances view"
1043         https://bugs.webkit.org/show_bug.cgi?id=172848
1044         https://trac.webkit.org/changeset/241784
1045
1046 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1047
1048         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1049         https://bugs.webkit.org/show_bug.cgi?id=172848
1050         <rdar://problem/25709212>
1051
1052         Reviewed by Mark Lam.
1053
1054         * typeProfiler/inheritance.js:
1055         Rewrite the test slightly for clarity. The hoisting was confusing.
1056
1057         * heapProfiler/class-names.js: Added.
1058         (MyES5Class):
1059         (MyES6Class):
1060         (MyES6Subclass):
1061         Test object types and improved class names.
1062
1063         * heapProfiler/driver/driver.js:
1064         (CheapHeapSnapshotNode):
1065         (CheapHeapSnapshot):
1066         (createCheapHeapSnapshot):
1067         (HeapSnapshot):
1068         (createHeapSnapshot):
1069         Update snapshot parsing from version 1 to version 2.
1070
1071 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1072
1073         [ARM] Fix crash with sampling profiler
1074         https://bugs.webkit.org/show_bug.cgi?id=194772
1075
1076         Reviewed by Mark Lam.
1077
1078         Do not skip test since crash with sampling profiler is now fixed.
1079
1080         * stress/sampling-profiler-richards.js:
1081
1082 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1083
1084         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1085         https://bugs.webkit.org/show_bug.cgi?id=194784
1086         <rdar://problem/48154820>
1087
1088         Reviewed by Mark Lam.
1089
1090         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1091         (getProperties):
1092         (getRandomProperty):
1093         (i.catch):
1094
1095 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1096
1097         [ARM] Test gardening: Test running out of executable memory
1098         https://bugs.webkit.org/show_bug.cgi?id=194771
1099
1100         Unreviewed. Do not run test without LLInt, test is running out of executable
1101         memory on ARM otherwise.
1102
1103         * stress/tagged-template-object-collect.js:
1104
1105 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1106
1107         Unreviewed, skip the test on platforms without sampling profiler
1108
1109         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1110         (platformSupportsSamplingProfiler.foo):
1111         (platformSupportsSamplingProfiler.test):
1112         (platformSupportsSamplingProfiler):
1113         (foo): Deleted.
1114         (test): Deleted.
1115
1116 2019-02-17  Saam Barati  <sbarati@apple.com>
1117
1118         Deadlock when adding a Structure property transition and then doing incremental marking
1119         https://bugs.webkit.org/show_bug.cgi?id=194767
1120
1121         Reviewed by Mark Lam.
1122
1123         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1124
1125 2019-02-15  Michael Saboff  <msaboff@apple.com>
1126
1127         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1128         https://bugs.webkit.org/show_bug.cgi?id=194558
1129
1130         Reviewed by Saam Barati.
1131
1132         New regression test.
1133
1134         * stress/regexp-unicode-within-string.js: Added.
1135
1136 2019-02-15  Mark Lam  <mark.lam@apple.com>
1137
1138         SamplingProfiler::stackTracesAsJSON() should escape strings.
1139         https://bugs.webkit.org/show_bug.cgi?id=194649
1140         <rdar://problem/48072386>
1141
1142         Reviewed by Saam Barati.
1143
1144         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1145         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1146         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1147         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1148
1149 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1150         CodeBlock::jettison should clear related watchpoints
1151         https://bugs.webkit.org/show_bug.cgi?id=194544
1152
1153         Reviewed by Mark Lam.
1154
1155         * stress/regexp-replace-double-watchpoint.js: Added.
1156         (foo):
1157
1158 2019-02-15  Saam barati  <sbarati@apple.com>
1159
1160         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1161         https://bugs.webkit.org/show_bug.cgi?id=194036
1162
1163         Reviewed by Yusuke Suzuki.
1164
1165         * stress/tail-call-many-arguments.js: Added.
1166         (foo):
1167         (bar):
1168
1169 2019-02-14  Saam Barati  <sbarati@apple.com>
1170
1171         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1172         https://bugs.webkit.org/show_bug.cgi?id=194583
1173         <rdar://problem/48028140>
1174
1175         Reviewed by Yusuke Suzuki.
1176
1177         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1178
1179 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1180
1181         [JSC] String.fromCharCode's slow path always generates 16bit string
1182         https://bugs.webkit.org/show_bug.cgi?id=194466
1183
1184         Reviewed by Keith Miller.
1185
1186         * stress/string-from-char-code-slow-path.js: Added.
1187         (shouldBe):
1188         (testWithLength):
1189
1190 2019-02-08  Saam barati  <sbarati@apple.com>
1191
1192         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1193         https://bugs.webkit.org/show_bug.cgi?id=194334
1194         <rdar://problem/47844327>
1195
1196         Reviewed by Mark Lam.
1197
1198         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1199         (func):
1200
1201 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1202
1203         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1204         https://bugs.webkit.org/show_bug.cgi?id=194369
1205         <rdar://problem/47813087>
1206
1207         Reviewed by Saam Barati.
1208
1209         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1210         (A):
1211
1212 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1213
1214         [JSC] PrivateName to PublicName hash table is wasteful
1215         https://bugs.webkit.org/show_bug.cgi?id=194277
1216
1217         Reviewed by Michael Saboff.
1218
1219         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1220
1221         * ChakraCore.yaml:
1222
1223 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1224
1225         [ARM] Test running out of executable memory
1226         https://bugs.webkit.org/show_bug.cgi?id=194285
1227
1228         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1229         executable memory otherwise.
1230
1231         * stress/class-subclassing-function.js:
1232
1233 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1234
1235         when lowering AssertNotEmpty, create the value before creating the patchpoint
1236         https://bugs.webkit.org/show_bug.cgi?id=194231
1237
1238         Reviewed by Saam Barati.
1239
1240         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1241         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1242         So even tiny changes to this test can change the code path taken.
1243
1244         * stress/assert-not-empty.js: Added.
1245         (foo):
1246
1247 2019-02-01  Mark Lam  <mark.lam@apple.com>
1248
1249         Remove invalid assertion in DFG's compileDoubleRep().
1250         https://bugs.webkit.org/show_bug.cgi?id=194130
1251         <rdar://problem/47699474>
1252
1253         Reviewed by Saam Barati.
1254
1255         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1256
1257 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1258
1259         Import latest Test262 updates.
1260
1261         Rubber-stamped by Keith Miller.
1262
1263         * test262.yaml: Deleted.
1264         * test262/config.yaml:
1265         * test262/expectations.yaml:
1266         * test262/latest-changes-summary.txt:
1267         * test262/test/:
1268         * test262/test262-Revision.txt:
1269
1270 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1271
1272         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1273         https://bugs.webkit.org/show_bug.cgi?id=194050
1274         <rdar://problem/47595592>
1275
1276         Reviewed by Yusuke Suzuki.
1277
1278         * stress/object-keys-osr-exit.js: Added.
1279         (foo):
1280         (catch):
1281
1282 2019-01-29  Mark Lam  <mark.lam@apple.com>
1283
1284         ValueRecovery::recover() should purify NaN values it recovers.
1285         https://bugs.webkit.org/show_bug.cgi?id=193978
1286         <rdar://problem/47625488>
1287
1288         Reviewed by Saam Barati.
1289
1290         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1291
1292 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1293
1294         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1295         https://bugs.webkit.org/show_bug.cgi?id=193713
1296
1297         * stress/try-get-by-id-should-spill-registers-dfg.js:
1298         (let.f.createBuiltin):
1299
1300 2019-01-28  Mark Lam  <mark.lam@apple.com>
1301
1302         ToString node actually does GC.
1303         https://bugs.webkit.org/show_bug.cgi?id=193920
1304         <rdar://problem/46695900>
1305
1306         Reviewed by Yusuke Suzuki.
1307
1308         * stress/dfg-to-string-on-int-does-gc.js: Added.
1309         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1310         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1311
1312 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1313
1314         [JSC] NativeErrorConstructor should not have own IsoSubspace
1315         https://bugs.webkit.org/show_bug.cgi?id=193713
1316
1317         Reviewed by Saam Barati.
1318
1319         Remove @Error use.
1320
1321         * stress/try-get-by-id-should-spill-registers-dfg.js:
1322         (let.f.createBuiltin):
1323
1324 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1325
1326         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1327         https://bugs.webkit.org/show_bug.cgi?id=190693
1328
1329         Reviewed by Michael Saboff.
1330
1331         * stress/regress-190693.js: Added.
1332         (truth):
1333         (assert):
1334         (shouldThrowInvalidConstAssignment):
1335         (taz):
1336
1337 2019-01-24  Saam Barati  <sbarati@apple.com>
1338
1339         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1340         https://bugs.webkit.org/show_bug.cgi?id=193751
1341         <rdar://problem/47280215>
1342
1343         Reviewed by Michael Saboff.
1344
1345         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1346         (let.thing):
1347         (foo.let.hello):
1348         (foo):
1349
1350 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1351
1352         [JSC] Reenable baseline JIT on mips
1353         https://bugs.webkit.org/show_bug.cgi?id=192983
1354
1355         Reviewed by Mark Lam.
1356
1357         Added a new test for a case that was triggering a RELEASE_ASSERT when
1358         testing.
1359         Disable some slow tests that were already disabled for arm and x86.
1360
1361         * stress/json-parse-big-object.js: Added.
1362         * stress/new-largeish-contiguous-array-with-size.js:
1363         * stress/op_add.js:
1364         * stress/op_bitand.js:
1365         * stress/op_bitor.js:
1366         * stress/op_bitxor.js:
1367         * stress/op_lshift-ConstVar.js:
1368         * stress/op_lshift-VarConst.js:
1369         * stress/op_lshift-VarVar.js:
1370         * stress/op_mod-ConstVar.js:
1371         * stress/op_mod-VarConst.js:
1372         * stress/op_mod-VarVar.js:
1373         * stress/op_mul-ConstVar.js:
1374         * stress/op_mul-VarConst.js:
1375         * stress/op_mul-VarVar.js:
1376         * stress/op_rshift-ConstVar.js:
1377         * stress/op_rshift-VarConst.js:
1378         * stress/op_rshift-VarVar.js:
1379         * stress/op_sub-ConstVar.js:
1380         * stress/op_sub-VarConst.js:
1381         * stress/op_sub-VarVar.js:
1382         * stress/op_urshift-ConstVar.js:
1383         * stress/op_urshift-VarConst.js:
1384         * stress/op_urshift-VarVar.js:
1385         * stress/sampling-profiler-richards.js:
1386         * stress/spread-forward-call-varargs-stack-overflow.js:
1387
1388 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1389
1390         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1391         https://bugs.webkit.org/show_bug.cgi?id=193711
1392         <rdar://problem/47250262>
1393
1394         Reviewed by Saam Barati.
1395
1396         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1397         (shouldBe):
1398         (foo):
1399         (bar):
1400         (baz):
1401
1402 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1403
1404         Unreviewed, fix initial global lexical binding epoch
1405         https://bugs.webkit.org/show_bug.cgi?id=193603
1406         <rdar://problem/47380869>
1407
1408         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1409         (f1.f2.f3.f4):
1410         (f1.f2.f3):
1411         (f1.f2):
1412         (f1):
1413
1414 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1415
1416         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1417         https://bugs.webkit.org/show_bug.cgi?id=193709
1418         <rdar://problem/47363838>
1419
1420         Unreviewed, rollout to watch the tests.
1421
1422         * stress/object-tostring-changed-proto.js: Removed.
1423         * stress/object-tostring-changed.js: Removed.
1424         * stress/object-tostring-misc.js: Removed.
1425         * stress/object-tostring-other.js: Removed.
1426         * stress/object-tostring-untyped.js: Removed.
1427
1428 2019-01-22  Saam Barati  <sbarati@apple.com>
1429
1430         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1431
1432         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1433         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1434         (testUncheckedLessThanZero):
1435         (testUncheckedLessThanOrEqualZero):
1436         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1437         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1438
1439 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1440
1441         [JSC] Invalidate old scope operations using global lexical binding epoch
1442         https://bugs.webkit.org/show_bug.cgi?id=193603
1443         <rdar://problem/47380869>
1444
1445         Reviewed by Saam Barati.
1446
1447         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1448         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1449         (shouldThrow):
1450         (bar):
1451         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1452         (shouldBe):
1453         (get1):
1454         (get2):
1455         (get1If):
1456         (get2If):
1457         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1458         (shouldThrow):
1459         (foo):
1460
1461 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1462
1463         Unreviewed, roll out r240220 due to date-format-xparb regression
1464         https://bugs.webkit.org/show_bug.cgi?id=193603
1465
1466         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1467         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1468         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1469         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1470
1471 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1472
1473         DoesGC rule is wrong for nodes with BigIntUse
1474         https://bugs.webkit.org/show_bug.cgi?id=193652
1475
1476         Reviewed by Saam Barati.
1477
1478         * stress/big-int-value-op-update-gc-rules.js: Added.
1479         (assert):
1480         (doesGCAdd):
1481         (doesGCSub):
1482         (doesGCDiv):
1483         (doesGCMul):
1484         (doesGCBitAnd):
1485         (doesGCBitOr):
1486         (doesGCBitXor):
1487
1488 2019-01-20  Saam Barati  <sbarati@apple.com>
1489
1490         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1491         https://bugs.webkit.org/show_bug.cgi?id=193644
1492         <rdar://problem/46209745>
1493
1494         Reviewed by Yusuke Suzuki.
1495
1496         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1497         (foo):
1498         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1499         (foo):
1500         (bar):
1501
1502 2019-01-20  Saam Barati  <sbarati@apple.com>
1503
1504         MovHint must merge NodeBytecodeUsesAsValue for its child
1505         https://bugs.webkit.org/show_bug.cgi?id=186916
1506         <rdar://problem/41396612>
1507
1508         Reviewed by Yusuke Suzuki.
1509
1510         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1511         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1512
1513 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1514
1515         [JSC] Invalidate old scope operations using global lexical binding epoch
1516         https://bugs.webkit.org/show_bug.cgi?id=193603
1517         <rdar://problem/47380869>
1518
1519         Reviewed by Saam Barati.
1520
1521         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1522         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1523         (shouldThrow):
1524         (bar):
1525         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1526         (shouldBe):
1527         (get1):
1528         (get2):
1529         (get1If):
1530         (get2If):
1531         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1532         (shouldThrow):
1533         (foo):
1534
1535 2019-01-17  Saam barati  <sbarati@apple.com>
1536
1537         StringObjectUse should not be a structure check for the original string object structure
1538         https://bugs.webkit.org/show_bug.cgi?id=193483
1539         <rdar://problem/47280522>
1540
1541         Reviewed by Yusuke Suzuki.
1542
1543         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1544         (foo):
1545         (a.valueOf.0):
1546
1547 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1548
1549         [JSC] ToThis omission in DFGByteCodeParser is wrong
1550         https://bugs.webkit.org/show_bug.cgi?id=193513
1551         <rdar://problem/45842236>
1552
1553         Reviewed by Saam Barati.
1554
1555         * stress/to-this-omission-with-different-strict-modes.js: Added.
1556         (thisA):
1557         (thisAStrictWrapper):
1558
1559 2019-01-15  Mark Lam  <mark.lam@apple.com>
1560
1561         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1562         https://bugs.webkit.org/show_bug.cgi?id=193423
1563         <rdar://problem/46209355>
1564
1565         Reviewed by Saam Barati.
1566
1567         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1568         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1569         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1570         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1571
1572 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1573
1574         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1575         https://bugs.webkit.org/show_bug.cgi?id=193438
1576         <rdar://problem/45581249>
1577
1578         Reviewed by Saam Barati and Keith Miller.
1579
1580         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1581         Then, GetByVal(String) crashed.
1582
1583         * stress/string-get-by-val-lowering.js: Added.
1584         (shouldBe):
1585         (test):
1586         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1587         (Hello):
1588         (foo):
1589
1590 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1591
1592         Unreviewed, skip JIT tests if it's not enabled
1593
1594         * stress/bit-op-with-object-returning-int32.js:
1595
1596 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1597
1598         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1599         https://bugs.webkit.org/show_bug.cgi?id=192966
1600
1601         Reviewed by Yusuke Suzuki.
1602
1603         * stress/bit-op-with-object-returning-int32.js: Added.
1604
1605 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1606
1607         Skip a slow test and a flakey test on arm
1608
1609         Unreviewed gardening.
1610
1611         * typeProfiler/getter-richards.js:
1612         this test always times out, it used to be always skipped on arm and
1613         mips, but got accidentally enabled by r237919 now that we have DFG on
1614         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1615
1616 2019-01-14  Keith Miller  <keith_miller@apple.com>
1617
1618         Skip type-check-hoisting-phase-hoist... with no jit
1619         https://bugs.webkit.org/show_bug.cgi?id=193421
1620
1621         Reviewed by Mark Lam.
1622
1623         It's timing out the 32-bit bots and takes 330 seconds
1624         on my machine when run by itself.
1625
1626         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1627
1628 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1629
1630         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1631         https://bugs.webkit.org/show_bug.cgi?id=193413
1632         <rdar://problem/46092389>
1633
1634         Reviewed by Keith Miller.
1635
1636         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1637         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1638         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1639         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1640
1641         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1642         (compareArray):
1643
1644 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1645
1646         [BigInt] Literal parsing is crashing when used inside a Object Literal
1647         https://bugs.webkit.org/show_bug.cgi?id=193404
1648
1649         Reviewed by Yusuke Suzuki.
1650
1651         * stress/big-int-literal-inside-literal-object.js: Added.
1652
1653 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1654
1655         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1656         https://bugs.webkit.org/show_bug.cgi?id=193372
1657
1658         Reviewed by Saam Barati.
1659
1660         * stress/typed-array-array-modes-profile.js: Added.
1661         (foo):
1662
1663 2019-01-14  Mark Lam  <mark.lam@apple.com>
1664
1665         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1666         https://bugs.webkit.org/show_bug.cgi?id=193402
1667         <rdar://problem/46012309>
1668
1669         Reviewed by Keith Miller.
1670
1671         * stress/regexp-compile-oom.js:
1672         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1673           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1674
1675 2019-01-11  Saam barati  <sbarati@apple.com>
1676
1677         DFG combined liveness can be wrong for terminal basic blocks
1678         https://bugs.webkit.org/show_bug.cgi?id=193304
1679         <rdar://problem/45268632>
1680
1681         Reviewed by Yusuke Suzuki.
1682
1683         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1684
1685 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1686
1687         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1688         https://bugs.webkit.org/show_bug.cgi?id=193308
1689         <rdar://problem/45546542>
1690
1691         Reviewed by Saam Barati.
1692
1693         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1694         (shouldThrow):
1695         (shouldBe):
1696         (foo):
1697         (get shouldThrow):
1698         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1699         (shouldThrow):
1700         (shouldBe):
1701         (foo):
1702         (get shouldBe):
1703         (get shouldThrow):
1704         (get return):
1705         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1706         (shouldThrow):
1707         (shouldBe):
1708         (foo):
1709         (get shouldBe):
1710         (get shouldThrow):
1711         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1712         (shouldThrow):
1713         (shouldBe):
1714         (foo):
1715         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1716         (shouldThrow):
1717         (shouldBe):
1718         (foo):
1719         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1720         (shouldThrow):
1721         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1722         (shouldThrow):
1723         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1724         (shouldThrow):
1725         (shouldBe):
1726         (foo):
1727         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1728         (shouldThrow):
1729         (shouldBe):
1730         (foo):
1731         (get shouldBe):
1732         (get shouldThrow):
1733         (get return):
1734         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1735         (shouldThrow):
1736         (shouldBe):
1737         (foo):
1738         (get shouldBe):
1739         (get shouldThrow):
1740         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1741         (shouldThrow):
1742         (shouldBe):
1743         (foo):
1744         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1745         (shouldThrow):
1746         (shouldBe):
1747         (foo):
1748
1749 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1750
1751         Enable DFG on ARM/Linux again
1752         https://bugs.webkit.org/show_bug.cgi?id=192496
1753
1754         Reviewed by Yusuke Suzuki.
1755
1756         Test wasn't really skipped before moving the line with skip
1757         to the top.
1758
1759         * stress/regress-192717.js:
1760
1761 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1762
1763         Unreviewed, rolling out r239825.
1764         https://bugs.webkit.org/show_bug.cgi?id=193330
1765
1766         Broke tests on armv7/linux bots (Requested by guijemont on
1767         #webkit).
1768
1769         Reverted changeset:
1770
1771         "Enable DFG on ARM/Linux again"
1772         https://bugs.webkit.org/show_bug.cgi?id=192496
1773         https://trac.webkit.org/changeset/239825
1774
1775 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1776
1777         Enable DFG on ARM/Linux again
1778         https://bugs.webkit.org/show_bug.cgi?id=192496
1779
1780         Reviewed by Yusuke Suzuki.
1781
1782         Test wasn't really skipped before moving the line with skip
1783         to the top.
1784
1785         * stress/regress-192717.js:
1786
1787 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1788
1789         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1790         https://bugs.webkit.org/show_bug.cgi?id=193127
1791
1792         Reviewed by Saam Barati.
1793
1794         * stress/array-species-create-should-handle-masquerader.js: Added.
1795         (shouldThrow):
1796         * stress/is-undefined-or-null-builtin.js: Added.
1797         (shouldBe):
1798         (isUndefinedOrNull.vm.createBuiltin):
1799
1800 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1801
1802         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1803         https://bugs.webkit.org/show_bug.cgi?id=193221
1804
1805         Reviewed by Mark Lam.
1806
1807         * stress/put-by-id-flags.js: Added.
1808         (f):
1809         (g):
1810         (numberOfDFGCompiles):
1811
1812 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1813
1814         Baseline version of get_by_id may corrupt metadata
1815         https://bugs.webkit.org/show_bug.cgi?id=193085
1816         <rdar://problem/23453006>
1817
1818         Reviewed by Saam Barati.
1819
1820         * stress/get-by-id-change-mode.js: Added.
1821         (forEach):
1822
1823 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1824
1825         [JSC] Optimize Object.prototype.toString
1826         https://bugs.webkit.org/show_bug.cgi?id=193031
1827
1828         Reviewed by Saam Barati.
1829
1830         * stress/object-tostring-changed-proto.js: Added.
1831         (shouldBe):
1832         (test):
1833         * stress/object-tostring-changed.js: Added.
1834         (shouldBe):
1835         (test):
1836         * stress/object-tostring-misc.js: Added.
1837         (shouldBe):
1838         (test):
1839         (i.switch):
1840         * stress/object-tostring-other.js: Added.
1841         (shouldBe):
1842         (test):
1843         * stress/object-tostring-untyped.js: Added.
1844         (shouldBe):
1845         (test):
1846         (i.switch):
1847
1848 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1849
1850         test262-runner misbehaves when test file YAML has a trailing space
1851         https://bugs.webkit.org/show_bug.cgi?id=193053
1852
1853         Reviewed by Yusuke Suzuki.
1854
1855         * test262/expectations.yaml:
1856         Mark two dozen tests as passing (and correct the output of another).
1857
1858 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1859
1860         Unreviewed, JSTests gardening with memoryLimited
1861
1862         * stress/string-overflow-createError.js:
1863
1864 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1865
1866         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1867         https://bugs.webkit.org/show_bug.cgi?id=193050
1868
1869         Reviewed by Yusuke Suzuki.
1870
1871         * test262.yaml:
1872         * test262/expectations.yaml:
1873         Mark 16 tests as passing.
1874
1875 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1876
1877         [BigInt] Support BigInt in JSON.stringify
1878         https://bugs.webkit.org/show_bug.cgi?id=192624
1879
1880         Reviewed by Saam Barati.
1881
1882         * stress/big-int-json-stringify-to-json.js: Added.
1883         (shouldBe):
1884         (shouldThrow):
1885         (BigInt.prototype.toJSON):
1886         (shouldBe.JSON.stringify):
1887         * stress/big-int-json-stringify.js: Added.
1888         (shouldBe):
1889         (shouldThrow):
1890
1891 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1892
1893         [JSC] Implement "well-formed JSON.stringify" proposal
1894         https://bugs.webkit.org/show_bug.cgi?id=191677
1895
1896         Reviewed by Darin Adler.
1897
1898         * stress/json-surrogate-pair.js: Added.
1899         (shouldBe):
1900         * test262/expectations.yaml:
1901
1902 2018-12-20  Keith Miller  <keith_miller@apple.com>
1903
1904         Add support for globalThis
1905         https://bugs.webkit.org/show_bug.cgi?id=165171
1906
1907         Reviewed by Mark Lam.
1908
1909         * test262/config.yaml:
1910
1911 2018-12-19  Keith Miller  <keith_miller@apple.com>
1912
1913         Update test262 configuration to not run tests dependent on ICU version.
1914         https://bugs.webkit.org/show_bug.cgi?id=192920
1915
1916         Reviewed by Saam Barati.
1917
1918         * test262/expectations.yaml:
1919
1920 2018-12-20  Mark Lam  <mark.lam@apple.com>
1921
1922         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1923         https://bugs.webkit.org/show_bug.cgi?id=192939
1924         <rdar://problem/46869516>
1925
1926         Reviewed by Keith Miller.
1927
1928         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1929
1930 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1931
1932         WTF::String and StringImpl overflow MaxLength
1933         https://bugs.webkit.org/show_bug.cgi?id=192853
1934         <rdar://problem/45726906>
1935
1936         Reviewed by Mark Lam.
1937
1938         * stress/string-16bit-repeat-overflow.js: Added.
1939         (catch):
1940
1941 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1942
1943         Unreviewed follow-up to r192914.
1944
1945         * test262/expectations.yaml:
1946         Add the last 20 missing expectations.
1947
1948 2018-12-19  Keith Miller  <keith_miller@apple.com>
1949
1950         Fix test262 expectations
1951         https://bugs.webkit.org/show_bug.cgi?id=192914
1952
1953         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1954
1955         * test262/expectations.yaml:
1956
1957 2018-12-19  Keith Miller  <keith_miller@apple.com>
1958
1959         Update test262 tests.
1960         https://bugs.webkit.org/show_bug.cgi?id=192907
1961
1962         Rubber stamped by Mark Lam.
1963
1964         * test262/*: Omitted because prepare-changelog crashes.
1965
1966 2018-12-19  Mark Lam  <mark.lam@apple.com>
1967
1968         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1969         https://bugs.webkit.org/show_bug.cgi?id=192464
1970         <rdar://problem/46519455>
1971
1972         Reviewed by Saam Barati.
1973
1974         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1975         microbenchmark.
1976
1977         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1978         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1979
1980 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1981
1982         String overflow in JSC::createError results in ASSERT in WTF::makeString
1983         https://bugs.webkit.org/show_bug.cgi?id=192833
1984         <rdar://problem/45706868>
1985
1986         Reviewed by Mark Lam.
1987
1988         * stress/string-overflow-createError.js: Added.
1989
1990 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1991
1992         Error message for `-x ** y` contains a typo.
1993         https://bugs.webkit.org/show_bug.cgi?id=192832
1994
1995         Reviewed by Saam Barati.
1996
1997         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1998         (assert.assert.return.throws):
1999         * stress/pow-expects-update-expression-on-lhs.js:
2000         (throw.new.Error):
2001         Update test expectations which match against the exact error message.
2002
2003 2018-12-18  Mark Lam  <mark.lam@apple.com>
2004
2005         Gardening: test options fix.
2006         https://bugs.webkit.org/show_bug.cgi?id=192822
2007
2008         Unreviewed.
2009
2010         * stress/json-stringify-string-builder-overflow.js:
2011
2012 2018-12-18  Mark Lam  <mark.lam@apple.com>
2013
2014         JSON.stringify() should throw OOM on StringBuilder overflows.
2015         https://bugs.webkit.org/show_bug.cgi?id=192822
2016         <rdar://problem/46670577>
2017
2018         Reviewed by Saam Barati.
2019
2020         * stress/json-stringify-string-builder-overflow.js: Added.
2021
2022 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2023
2024         Redeclaration of var over let/const/class should be a syntax error.
2025         https://bugs.webkit.org/show_bug.cgi?id=192298
2026
2027         Reviewed by Keith Miller.
2028
2029         * test262.yaml:
2030         * test262/expectations.yaml:
2031         Mark 46 tests as passing.
2032
2033         * stress/block-scope-redeclarations.js:
2034         Add some new tests.
2035
2036         * stress/for-in-invalidate-context-weird-assignments.js:
2037         * stress/for-in-tests.js:
2038         Replace tests for outdated behavior with tests for SyntaxError.
2039
2040         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2041         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2042         Update expectations.
2043
2044 2018-12-18  Mark Lam  <mark.lam@apple.com>
2045
2046         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2047         https://bugs.webkit.org/show_bug.cgi?id=191374
2048         <rdar://problem/46525447>
2049
2050         Reviewed by Yusuke Suzuki.
2051
2052         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2053
2054         * stress/elidable-new-object-roflcopter-then-exit.js:
2055
2056 2018-12-17  Mark Lam  <mark.lam@apple.com>
2057
2058         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2059         https://bugs.webkit.org/show_bug.cgi?id=192019
2060         <rdar://problem/46525456>
2061
2062         Reviewed by Yusuke Suzuki.
2063
2064         The test runs too slow on 32-bit.
2065
2066         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2067
2068 2018-12-17  Mark Lam  <mark.lam@apple.com>
2069
2070         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2071         https://bugs.webkit.org/show_bug.cgi?id=191373
2072         <rdar://problem/46525458>
2073
2074         Reviewed by Yusuke Suzuki.
2075
2076         The test is already slow running with a JIT on 64-bit.  It will always timeout
2077         on 32-bit without a JIT.
2078
2079         * stress/materialize-regexp-cyclic-regexp.js:
2080
2081 2018-12-17  Mark Lam  <mark.lam@apple.com>
2082
2083         Array unshift/shift should not race against the AI in the compiler thread.
2084         https://bugs.webkit.org/show_bug.cgi?id=192795
2085         <rdar://problem/46724263>
2086
2087         Reviewed by Saam Barati.
2088
2089         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2090
2091 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2092
2093         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2094         https://bugs.webkit.org/show_bug.cgi?id=190047
2095
2096         Reviewed by Saam Barati.
2097
2098         * stress/object-keys-cached-zero.js: Added.
2099         (shouldBe):
2100         (test):
2101         * stress/object-keys-changed-attribute.js: Added.
2102         (shouldBe):
2103         (test):
2104         * stress/object-keys-changed-index.js: Added.
2105         (shouldBe):
2106         (test):
2107         * stress/object-keys-changed.js: Added.
2108         (shouldBe):
2109         (test):
2110         * stress/object-keys-indexed-non-cache.js: Added.
2111         (shouldBe):
2112         (test):
2113         * stress/object-keys-overrides-get-property-names.js: Added.
2114         (shouldBe):
2115         (test):
2116         (noInline):
2117
2118 2018-12-17  Mark Lam  <mark.lam@apple.com>
2119
2120         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2121         https://bugs.webkit.org/show_bug.cgi?id=192779
2122         <rdar://problem/46775869>
2123
2124         Reviewed by Saam Barati.
2125
2126         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2127
2128 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2129
2130         Unreviewed test gardening, address a syntax error in a new test.
2131
2132         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2133
2134 2018-12-17  Mark Lam  <mark.lam@apple.com>
2135
2136         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2137         https://bugs.webkit.org/show_bug.cgi?id=192776
2138         <rdar://problem/46772368>
2139
2140         Reviewed by Keith Miller.
2141
2142         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2143
2144 2018-12-17  Mark Lam  <mark.lam@apple.com>
2145
2146         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2147         https://bugs.webkit.org/show_bug.cgi?id=192770
2148         <rdar://problem/46449037>
2149
2150         Reviewed by Keith Miller.
2151
2152         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2153
2154 2018-12-14  Mark Lam  <mark.lam@apple.com>
2155
2156         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2157         https://bugs.webkit.org/show_bug.cgi?id=192717
2158         <rdar://problem/46660677>
2159
2160         Reviewed by Saam Barati.
2161
2162         * stress/regress-192717.js: Added.
2163
2164 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2165
2166         Unreviewed, rolling out r239153, r239154, and r239155.
2167         https://bugs.webkit.org/show_bug.cgi?id=192715
2168
2169         Caused flaky GC-related crashes seen with layout tests
2170         (Requested by ryanhaddad on #webkit).
2171
2172         Reverted changesets:
2173
2174         "[JSC] Optimize Object.keys by caching own keys results in
2175         StructureRareData"
2176         https://bugs.webkit.org/show_bug.cgi?id=190047
2177         https://trac.webkit.org/changeset/239153
2178
2179         "Unreviewed, build fix after r239153"
2180         https://bugs.webkit.org/show_bug.cgi?id=190047
2181         https://trac.webkit.org/changeset/239154
2182
2183         "Unreviewed, build fix after r239153, part 2"
2184         https://bugs.webkit.org/show_bug.cgi?id=190047
2185         https://trac.webkit.org/changeset/239155
2186
2187 2018-12-14  Keith Miller  <keith_miller@apple.com>
2188
2189         Callers of JSString::getIndex should check for OOM exceptions
2190         https://bugs.webkit.org/show_bug.cgi?id=192709
2191
2192         Reviewed by Mark Lam.
2193
2194         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2195
2196 2018-12-13  Mark Lam  <mark.lam@apple.com>
2197
2198         Add a missing exception check.
2199         https://bugs.webkit.org/show_bug.cgi?id=192626
2200         <rdar://problem/46662163>
2201
2202         Reviewed by Keith Miller.
2203
2204         * stress/regress-192626.js: Added.
2205
2206 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2207
2208         [BigInt] Add ValueDiv into DFG
2209         https://bugs.webkit.org/show_bug.cgi?id=186178
2210
2211         Reviewed by Yusuke Suzuki.
2212
2213         * stress/big-int-div-jit-osr.js: Added.
2214         * stress/big-int-div-jit-untyped.js: Added.
2215         * stress/value-div-fixup-int32-big-int.js: Added.
2216
2217 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2218
2219         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2220         https://bugs.webkit.org/show_bug.cgi?id=190047
2221
2222         Reviewed by Keith Miller.
2223
2224         * stress/object-keys-cached-zero.js: Added.
2225         (shouldBe):
2226         (test):
2227         * stress/object-keys-changed-attribute.js: Added.
2228         (shouldBe):
2229         (test):
2230         * stress/object-keys-changed-index.js: Added.
2231         (shouldBe):
2232         (test):
2233         * stress/object-keys-changed.js: Added.
2234         (shouldBe):
2235         (test):
2236         * stress/object-keys-indexed-non-cache.js: Added.
2237         (shouldBe):
2238         (test):
2239         * stress/object-keys-overrides-get-property-names.js: Added.
2240         (shouldBe):
2241         (test):
2242         (noInline):
2243
2244 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2245
2246         [DFG][FTL] Add NewSymbol
2247         https://bugs.webkit.org/show_bug.cgi?id=192620
2248
2249         Reviewed by Saam Barati.
2250
2251         * microbenchmarks/symbol-creation.js: Added.
2252         (test):
2253         * stress/symbol-description-identity.js: Added.
2254         (shouldBe):
2255         (test):
2256         * stress/symbol-identity.js: Added.
2257         (shouldBe):
2258         (test):
2259         * stress/symbol-with-description-throw-error.js: Added.
2260         (shouldBe):
2261         (shouldThrow):
2262         (test):
2263         (object.toString):
2264
2265 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2266
2267         [BigInt] Implement DFG/FTL typeof for BigInt
2268         https://bugs.webkit.org/show_bug.cgi?id=192619
2269
2270         Reviewed by Keith Miller.
2271
2272         * stress/big-int-boolean-proven-type.js: Added.
2273         (assert):
2274         (bool):
2275         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2276         (assert):
2277         (typeOf):
2278         (i.switch):
2279         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2280         (assert):
2281         (typeOf):
2282         * stress/big-int-type-of.js:
2283         (typeOf):
2284         (func):
2285
2286 2018-12-10  Mark Lam  <mark.lam@apple.com>
2287
2288         PropertyAttribute needs a CustomValue bit.
2289         https://bugs.webkit.org/show_bug.cgi?id=191993
2290         <rdar://problem/46264467>
2291
2292         Reviewed by Saam Barati.
2293
2294         * stress/regress-191993.js: Added.
2295
2296 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2297
2298         [BigInt] Add ValueMul into DFG
2299         https://bugs.webkit.org/show_bug.cgi?id=186175
2300
2301         Reviewed by Yusuke Suzuki.
2302
2303         * stress/big-int-mul-jit-osr.js: Added.
2304         * stress/big-int-mul-jit-untyped.js: Added.
2305         * stress/value-mul-fixup-int32-big-int.js: Added.
2306
2307 2018-12-06  Keith Miller  <keith_miller@apple.com>
2308
2309         stress/big-wasm-memory tests failing on 32-bit JSC bot
2310         https://bugs.webkit.org/show_bug.cgi?id=192020
2311
2312         Reviewed by Saam Barati.
2313
2314         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2315         the wasm stress tests if the WebAssembly object does not exist.
2316
2317         * stress/big-wasm-memory-grow-no-max.js:
2318         (test.foo):
2319         (test):
2320         (foo): Deleted.
2321         (catch): Deleted.
2322         * stress/big-wasm-memory-grow.js:
2323         (test.foo):
2324         (test):
2325         (foo): Deleted.
2326         (catch): Deleted.
2327         * stress/big-wasm-memory.js:
2328         (test.foo):
2329         (test):
2330         (foo): Deleted.
2331         (catch): Deleted.
2332
2333 2018-12-05  Mark Lam  <mark.lam@apple.com>
2334
2335         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2336         https://bugs.webkit.org/show_bug.cgi?id=192441
2337         <rdar://problem/46480355>
2338
2339         Reviewed by Saam Barati.
2340
2341         * stress/regress-192441.js: Added.
2342
2343 2018-12-04  Mark Lam  <mark.lam@apple.com>
2344
2345         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2346         https://bugs.webkit.org/show_bug.cgi?id=192386
2347         <rdar://problem/46445516>
2348
2349         Reviewed by Saam Barati.
2350
2351         * stress/regress-192386.js: Added.
2352
2353 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2354
2355         [ESNext][BigInt] Support logic operations
2356         https://bugs.webkit.org/show_bug.cgi?id=179903
2357
2358         Reviewed by Yusuke Suzuki.
2359
2360         * stress/big-int-branch-usage.js: Added.
2361         * stress/big-int-logical-and.js: Added.
2362         * stress/big-int-logical-not.js: Added.
2363         * stress/big-int-logical-or.js: Added.
2364
2365 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2366
2367         Unreviewed, rolling out r238833.
2368
2369         Breaks macOS and iOS debug builds.
2370
2371         Reverted changeset:
2372
2373         "[ESNext][BigInt] Support logic operations"
2374         https://bugs.webkit.org/show_bug.cgi?id=179903
2375         https://trac.webkit.org/changeset/238833
2376
2377 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2378
2379         [ESNext][BigInt] Support logic operations
2380         https://bugs.webkit.org/show_bug.cgi?id=179903
2381
2382         Reviewed by Yusuke Suzuki.
2383
2384         * stress/big-int-branch-usage.js: Added.
2385         * stress/big-int-logical-and.js: Added.
2386         * stress/big-int-logical-not.js: Added.
2387         * stress/big-int-logical-or.js: Added.
2388
2389 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2390
2391         [ESNext][BigInt] Implement support for "<<" and ">>"
2392         https://bugs.webkit.org/show_bug.cgi?id=186233
2393
2394         Reviewed by Yusuke Suzuki.
2395
2396         * stress/big-int-left-shift-general.js: Added.
2397         * stress/big-int-left-shift-range-error.js: Added.
2398         * stress/big-int-left-shift-type-error.js: Added.
2399         * stress/big-int-left-shift-wrapped-value.js: Added.
2400         * stress/big-int-right-shift-general.js: Added.
2401         * stress/big-int-right-shift-type-error.js: Added.
2402         * stress/big-int-right-shift-wrapped-value.js: Added.
2403         * stress/left-shift-to-primitive-precedence.js: Added.
2404         * stress/right-shift-to-primitive-precedence.js: Added.
2405
2406 2018-11-30  Dean Jackson  <dino@apple.com>
2407
2408         Add first-class support for .mjs files in jsc binary
2409         https://bugs.webkit.org/show_bug.cgi?id=192190
2410         <rdar://problem/46375715>
2411
2412         Reviewed by Keith Miller.
2413
2414         * stress/simple-module.mjs: Added.
2415         * stress/simple-script.js: Added.
2416
2417 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2418
2419         [BigInt] Implement ValueBitXor into DFG
2420         https://bugs.webkit.org/show_bug.cgi?id=190264
2421
2422         Reviewed by Yusuke Suzuki.
2423
2424         * stress/big-int-bitwise-xor-jit.js: Added.
2425         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2426         * stress/big-int-bitwise-xor-untyped.js: Added.
2427
2428 2018-11-27  Saam barati  <sbarati@apple.com>
2429
2430         r238510 broke scopes of size zero
2431         https://bugs.webkit.org/show_bug.cgi?id=192033
2432         <rdar://problem/46281734>
2433
2434         Reviewed by Keith Miller.
2435
2436         * stress/r238510-bad-loop.js: Added.
2437         (foo):
2438
2439 2018-11-27  Mark Lam  <mark.lam@apple.com>
2440
2441         [Re-landing] NaNs read from Wasm code need to be purified.
2442         https://bugs.webkit.org/show_bug.cgi?id=191056
2443         <rdar://problem/45660341>
2444
2445         Reviewed by Filip Pizlo.
2446
2447         * wasm/regress/regress-191056.js: Added.
2448
2449 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2450
2451         Unreviewed, rolling out r238509.
2452
2453         Causes JSC tests to fail on iOS.
2454
2455         Reverted changeset:
2456
2457         "NaNs read from Wasm code need to be purified."
2458         https://bugs.webkit.org/show_bug.cgi?id=191056
2459         https://trac.webkit.org/changeset/238509
2460
2461 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2462
2463         Re-introduce op_bitnot
2464         https://bugs.webkit.org/show_bug.cgi?id=190923
2465
2466         Reviewed by Yusuke Suzuki.
2467
2468         * stress/bit-not-must-generate.js: Added.
2469         * stress/bitwise-not-no-int32.js: Added.
2470
2471 2018-11-26  Saam barati  <sbarati@apple.com>
2472
2473         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2474         https://bugs.webkit.org/show_bug.cgi?id=191956
2475         <rdar://problem/45665806>
2476
2477         Reviewed by Yusuke Suzuki.
2478
2479         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2480         (bar):
2481         (foo):
2482
2483 2018-11-26  Saam barati  <sbarati@apple.com>
2484
2485         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2486         https://bugs.webkit.org/show_bug.cgi?id=191958
2487         <rdar://problem/46221877>
2488
2489         Reviewed by Yusuke Suzuki.
2490
2491         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2492         (x):
2493         (foo):
2494
2495 2018-11-26  Mark Lam  <mark.lam@apple.com>
2496
2497         NaNs read from Wasm code need to be purified.
2498         https://bugs.webkit.org/show_bug.cgi?id=191056
2499         <rdar://problem/45660341>
2500
2501         Reviewed by Filip Pizlo.
2502
2503         * wasm/regress/regress-191056.js: Added.
2504
2505 2018-11-26  Michael Saboff  <msaboff@apple.com>
2506
2507         32-bit JSC test failure: stress/regexp-compile-oom.js
2508         https://bugs.webkit.org/show_bug.cgi?id=191375
2509
2510         Reviewed by Mark Lam.
2511
2512         Disabled the test for 32 bit platforms.
2513
2514         * stress/regexp-compile-oom.js:
2515
2516 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2517
2518         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2519         https://bugs.webkit.org/show_bug.cgi?id=191716
2520         <rdar://problem/45723878>
2521
2522         Reviewed by Saam Barati.
2523
2524         * stress/regress-187373.js: Added.
2525         (async.fn):
2526
2527 2018-11-21  Saam barati  <sbarati@apple.com>
2528
2529         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2530         https://bugs.webkit.org/show_bug.cgi?id=191897
2531         <rdar://problem/45871998>
2532
2533         Reviewed by Mark Lam.
2534
2535         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2536         (bar):
2537         (foo):
2538
2539 2018-11-21  Saam barati  <sbarati@apple.com>
2540
2541         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2542         https://bugs.webkit.org/show_bug.cgi?id=191895
2543         <rdar://problem/46167406>
2544
2545         Reviewed by Mark Lam.
2546
2547         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2548         (foo):
2549         (bar):
2550
2551 2018-11-21  Mark Lam  <mark.lam@apple.com>
2552
2553         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2554         https://bugs.webkit.org/show_bug.cgi?id=191776
2555         <rdar://problem/46152851>
2556
2557         Reviewed by Saam Barati.
2558
2559         * stress/big-wasm-memory-grow-no-max.js:
2560         * stress/big-wasm-memory-grow.js:
2561         * stress/big-wasm-memory.js:
2562         - updated these to expect an OutOfMemoryError.
2563
2564         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2565         (Binary.prototype.emit_u8):
2566         (Binary.prototype.emit_u32v):
2567         (Binary.prototype.emit_header):
2568         (Binary.prototype.emit_section):
2569         (Binary):
2570         (WasmModuleBuilder):
2571         (WasmModuleBuilder.prototype.addMemory):
2572         (WasmModuleBuilder.prototype.toArray):
2573         (WasmModuleBuilder.prototype.toBuffer):
2574         (WasmModuleBuilder.prototype.instantiate):
2575         (catch):
2576         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2577         (catch):
2578
2579 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2580
2581         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2582         https://bugs.webkit.org/show_bug.cgi?id=190836
2583
2584         Reviewed by Saam Barati and Yusuke Suzuki.
2585
2586         * stress/big-int-out-of-memory-tests.js: Added.
2587
2588 2018-11-20  Mark Lam  <mark.lam@apple.com>
2589
2590         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2591         https://bugs.webkit.org/show_bug.cgi?id=191856
2592         <rdar://problem/46089992>
2593
2594         Reviewed by Yusuke Suzuki.
2595
2596         * stress/regress-191856.js: Added.
2597         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2598
2599 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2600
2601         Enable JIT on ARM/Linux
2602         https://bugs.webkit.org/show_bug.cgi?id=191548
2603
2604         Reviewed by Yusuke Suzuki.
2605
2606         Disable test on system with limited memory. Program was killed by
2607         the OS before the exception was thrown.
2608
2609         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2610
2611 2018-11-20  Saam barati  <sbarati@apple.com>
2612
2613         Merging an IC variant may lead to the IC status containing overlapping structure sets
2614         https://bugs.webkit.org/show_bug.cgi?id=191869
2615         <rdar://problem/45403453>
2616
2617         Reviewed by Mark Lam.
2618
2619         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2620
2621 2018-11-19  Mark Lam  <mark.lam@apple.com>
2622
2623         globalFuncImportModule() should return a promise when it clears exceptions.
2624         https://bugs.webkit.org/show_bug.cgi?id=191792
2625         <rdar://problem/46090763>
2626
2627         Reviewed by Michael Saboff.
2628
2629         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2630
2631 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2632
2633         Skip new memory-hungry tests on memory limited devices
2634
2635         Unreviewed gardening.
2636
2637         * stress/big-wasm-memory-grow-no-max.js:
2638         * stress/big-wasm-memory-grow.js:
2639         * stress/big-wasm-memory.js:
2640
2641 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2642
2643         Unreviewed, rolling in the rest of r237254
2644         https://bugs.webkit.org/show_bug.cgi?id=190340
2645
2646         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2647         * stress/function-cache-with-parameters-end-position.js: Added.
2648         (shouldBe):
2649         (shouldThrow):
2650         (i.anonymous):
2651         * stress/function-constructor-name.js: Added.
2652         (shouldBe):
2653         (GeneratorFunction):
2654         (AsyncFunction.async):
2655         (AsyncGeneratorFunction.async):
2656         (anonymous):
2657         (async.anonymous):
2658         * test262/expectations.yaml:
2659
2660 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2661
2662         All users of ArrayBuffer should agree on the same max size
2663         https://bugs.webkit.org/show_bug.cgi?id=191771
2664
2665         Reviewed by Mark Lam.
2666
2667         * stress/big-wasm-memory-grow-no-max.js: Added.
2668         (foo):
2669         (catch):
2670         * stress/big-wasm-memory-grow.js: Added.
2671         (foo):
2672         (catch):
2673         * stress/big-wasm-memory.js: Added.
2674         (foo):
2675         (catch):
2676
2677 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2678
2679         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2680         run for each JSC config since they're regression tests for runtime bugs.
2681
2682         * stress/json-stringified-overflow-2.js:
2683         * stress/json-stringified-overflow.js:
2684
2685 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2686
2687         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2688         config since they're regression tests for runtime bugs.
2689
2690         * stress/large-unshift-splice.js:
2691         * stress/regress-185888.js:
2692
2693 2018-11-16  Saam Barati  <sbarati@apple.com>
2694
2695         KnownCellUse should also have SpecCellCheck as its type filter
2696         https://bugs.webkit.org/show_bug.cgi?id=191729
2697         <rdar://problem/45872852>
2698
2699         Reviewed by Filip Pizlo.
2700
2701         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2702         (C):
2703
2704 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2705
2706         Fix assertion failure on BytecodeGenerator::recordOpcode
2707         https://bugs.webkit.org/show_bug.cgi?id=191724
2708         <rdar://problem/45724395>
2709
2710         Reviewed by Saam Barati.
2711
2712         * stress/regress-187373-2.js: Added.
2713         (foo):
2714
2715 2018-11-15  Mark Lam  <mark.lam@apple.com>
2716
2717         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2718         https://bugs.webkit.org/show_bug.cgi?id=191730
2719         <rdar://problem/46048517>
2720
2721         Reviewed by Saam Barati.
2722
2723         * stress/regress-187006.js: Removed.
2724           - this test is invalid because its sole purpose is to test for the non-spec
2725             compliant behavior that we just fixed.
2726
2727         * stress/regress-191730.js: Added.
2728
2729 2018-11-15  Mark Lam  <mark.lam@apple.com>
2730
2731         RegExp operations should not take fast path if lastIndex is not numeric.
2732         https://bugs.webkit.org/show_bug.cgi?id=191731
2733         <rdar://problem/46017305>
2734
2735         Reviewed by Saam Barati.
2736
2737         * stress/regress-191731.js: Added.
2738
2739 2018-11-13  Saam Barati  <sbarati@apple.com>
2740
2741         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2742         https://bugs.webkit.org/show_bug.cgi?id=191600
2743
2744         Reviewed by Mark Lam.
2745
2746         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2747         (foo):
2748         (test):
2749         (bar):
2750
2751 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2752
2753         Unreviewed, rolling out r238132.
2754
2755         The test added with this change is timing out on Debug JSC
2756         bots.
2757
2758         Reverted changeset:
2759
2760         "[BigInt] JSBigInt::createWithLength should throw when length
2761         is greater than JSBigInt::maxLength"
2762         https://bugs.webkit.org/show_bug.cgi?id=190836
2763         https://trac.webkit.org/changeset/238132
2764
2765 2018-11-13  Mark Lam  <mark.lam@apple.com>
2766
2767         Add OOM detection to StringPrototype's substituteBackreferences().
2768         https://bugs.webkit.org/show_bug.cgi?id=191563
2769         <rdar://problem/45720428>
2770
2771         Reviewed by Saam Barati.
2772
2773         * stress/regress-191563.js: Added.
2774
2775 2018-11-13  Mark Lam  <mark.lam@apple.com>
2776
2777         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2778         https://bugs.webkit.org/show_bug.cgi?id=191579
2779         <rdar://problem/45942472>
2780
2781         Reviewed by Saam Barati.
2782
2783         * stress/regress-191579.js: Added.
2784
2785 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2786
2787         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2788         https://bugs.webkit.org/show_bug.cgi?id=190836
2789
2790         Reviewed by Saam Barati.
2791
2792         * stress/big-int-out-of-memory-tests.js: Added.
2793
2794 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2795
2796         U+180E is no longer a whitespace character
2797         https://bugs.webkit.org/show_bug.cgi?id=191415
2798
2799         Reviewed by Saam Barati.
2800
2801         * ChakraCore/test/es5/regexSpace.baseline:
2802         * ChakraCore/test/es6/unicode_whitespace.js:
2803         Update tests to latest version.
2804         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2805
2806         * test262.yaml:
2807         * test262/config.yaml:
2808         * test262/expectations.yaml:
2809         Update expectations.
2810
2811 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2812
2813         [BigInt] Add support to BigInt into ValueAdd
2814         https://bugs.webkit.org/show_bug.cgi?id=186177
2815
2816         Reviewed by Keith Miller.
2817
2818         * stress/big-int-negate-jit.js:
2819         * stress/value-add-big-int-and-string.js: Added.
2820         * stress/value-add-big-int-prediction-propagation.js: Added.
2821         * stress/value-add-big-int-untyped.js: Added.
2822
2823 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2824
2825         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2826         https://bugs.webkit.org/show_bug.cgi?id=191184
2827
2828         Reviewed by Saam Barati.
2829
2830         Most tests were failing due to timeouts, since they are too slow to
2831         run on CLoop. The exceptions are:
2832
2833         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2834         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2835         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2836         to change the stack size since CLoop requires it to be page aligned.
2837
2838         * microbenchmarks/array-push-1.js:
2839         * microbenchmarks/array-push-2.js:
2840         * microbenchmarks/elidable-new-object-dag.js:
2841         * microbenchmarks/elidable-new-object-roflcopter.js:
2842         * microbenchmarks/elidable-new-object-tree.js:
2843         * microbenchmarks/getter-richards.js:
2844         * microbenchmarks/sinkable-new-object-dag.js:
2845         * microbenchmarks/string-concat-long-convert.js:
2846         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2847         * slowMicrobenchmarks/array-push-3.js:
2848         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2849         * slowMicrobenchmarks/spread-small-array.js:
2850         * slowMicrobenchmarks/undefined-property-access.js:
2851         * stress/activation-sink-default-value-tdz-error.js:
2852         * stress/activation-sink-default-value.js:
2853         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2854         * stress/activation-sink-osrexit-default-value.js:
2855         * stress/activation-sink-osrexit.js:
2856         * stress/activation-sink.js:
2857         * stress/allow-math-ic-b3-code-duplication.js:
2858         * stress/array-push-multiple-int32.js:
2859         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2860         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2861         * stress/arrowfunction-lexical-this-activation-sink.js:
2862         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2863         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2864         * stress/elide-new-object-dag-then-exit.js:
2865         * stress/materialize-regexp-cyclic.js:
2866         * stress/new-regex-inline.js:
2867         * stress/op_add.js:
2868         * stress/op_bitand.js:
2869         * stress/op_bitor.js:
2870         * stress/op_bitxor.js:
2871         * stress/op_div-ConstVar.js:
2872         * stress/op_div-VarConst.js:
2873         * stress/op_div-VarVar.js:
2874         * stress/op_lshift-ConstVar.js:
2875         * stress/op_lshift-VarConst.js:
2876         * stress/op_lshift-VarVar.js:
2877         * stress/op_mod-ConstVar.js:
2878         * stress/op_mod-VarConst.js:
2879         * stress/op_mod-VarVar.js:
2880         * stress/op_mul-ConstVar.js:
2881         * stress/op_mul-VarConst.js:
2882         * stress/op_mul-VarVar.js:
2883         * stress/op_rshift-ConstVar.js:
2884         * stress/op_rshift-VarConst.js:
2885         * stress/op_rshift-VarVar.js:
2886         * stress/op_sub-ConstVar.js:
2887         * stress/op_sub-VarConst.js:
2888         * stress/op_sub-VarVar.js:
2889         * stress/op_urshift-ConstVar.js:
2890         * stress/op_urshift-VarConst.js:
2891         * stress/op_urshift-VarVar.js:
2892         * stress/proxy-get-set-correct-receiver.js:
2893         * stress/regress-179562.js:
2894         * stress/rest-parameter-many-arguments.js:
2895         * stress/sampling-profiler-richards.js:
2896         * stress/splay-flash-access-1ms.js:
2897         * stress/tailCallForwardArguments.js:
2898         * stress/typed-array-get-by-val-profiling.js:
2899         * typeProfiler/getter-richards.js:
2900
2901 2018-11-06  Michael Saboff  <msaboff@apple.com>
2902
2903         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2904         https://bugs.webkit.org/show_bug.cgi?id=191271
2905
2906         Reviewed by Saam Barati.
2907
2908         Added more test cases and made all test cases run with the same deeply recursive stack
2909         instead of finding that same point for each test case.
2910
2911         * stress/regexp-compile-oom.js:
2912         (prototype.runTest):
2913         (recurseAndTest):
2914         (testList.push.new.TestAndExpectedException):
2915
2916 2018-11-05  Michael Saboff  <msaboff@apple.com>
2917
2918         Unreviewed build fix for linux.
2919
2920         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2921
2922 2018-11-02  Michael Saboff  <msaboff@apple.com>
2923
2924         Rolling in r237753 with unreviewed build fix.
2925
2926         Fixed issues with DECLARE_THROW_SCOPE placement.
2927
2928 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2929
2930         Unreviewed, rolling out r237753.
2931
2932         Introduced JSC test failures
2933
2934         Reverted changeset:
2935
2936         "Running out of stack space not properly handled in
2937         RegExp::compile() and its callers"
2938         https://bugs.webkit.org/show_bug.cgi?id=191206
2939         https://trac.webkit.org/changeset/237753
2940
2941 2018-11-02  Michael Saboff  <msaboff@apple.com>
2942
2943         Running out of stack space not properly handled in RegExp::compile() and its callers
2944         https://bugs.webkit.org/show_bug.cgi?id=191206
2945
2946         Reviewed by Filip Pizlo.
2947
2948         New regression test.
2949
2950         * stress/regexp-compile-oom.js: Added.
2951         (recurseAndTest):
2952
2953 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2954
2955         Skip tests on arm/mips that time out now we're running on CLoop
2956
2957         Unreviewed gardening.
2958
2959         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2960         time out on the bots and need to be disabled. There's more tests
2961         disabled on arm because the timeout is longer on the mips bot (as the
2962         device is slower to start with), so many of the tests don't time out
2963         there.
2964
2965         * microbenchmarks/getter-richards.js: disable on arm and mips.
2966         * stress/op_add.js: disable on arm.
2967         * stress/op_bitand.js: disable on arm.
2968         * stress/op_bitor.js: disable on arm.
2969         * stress/op_bitxor.js: disable on arm.
2970         * stress/op_lshift-ConstVar.js: disable on arm.
2971         * stress/op_lshift-VarConst.js: disable on arm.
2972         * stress/op_lshift-VarVar.js: disable on arm.
2973         * stress/op_mod-ConstVar.js: disable on arm.
2974         * stress/op_mod-VarConst.js: disable on arm.
2975         * stress/op_mod-VarVar.js: disable on arm.
2976         * stress/op_mul-ConstVar.js: disable on arm.
2977         * stress/op_mul-VarConst.js: disable on arm.
2978         * stress/op_mul-VarVar.js: disable on arm.
2979         * stress/op_rshift-ConstVar.js: disable on arm.
2980         * stress/op_rshift-VarConst.js: disable on arm.
2981         * stress/op_rshift-VarVar.js: disable on arm.
2982         * stress/op_sub-ConstVar.js: disable on arm.
2983         * stress/op_sub-VarConst.js: disable on arm.
2984         * stress/op_sub-VarVar.js: disable on arm.
2985         * stress/op_urshift-ConstVar.js: disable on arm.
2986         * stress/op_urshift-VarConst.js: disable on arm.
2987         * stress/op_urshift-VarVar.js: disable on arm.
2988         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2989         * stress/value-to-boolean.js: disable on arm and mips.
2990
2991 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2992
2993         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2994         https://bugs.webkit.org/show_bug.cgi?id=191108
2995         <rdar://problem/45690700>
2996
2997         Reviewed by Saam Barati.
2998
2999         * stress/wide-op_catch.js: Added.
3000         (catch):
3001
3002 2018-10-29  Mark Lam  <mark.lam@apple.com>
3003
3004         Correctly detect string overflow when using the 'Function' constructor.
3005         https://bugs.webkit.org/show_bug.cgi?id=184883
3006         <rdar://problem/36320331>
3007
3008         Reviewed by Saam Barati.
3009
3010         I've verified that this passes on 32-bit as well.
3011
3012         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3013
3014 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3015
3016         Add support for GetStack FlushedDouble
3017         https://bugs.webkit.org/show_bug.cgi?id=191012
3018         <rdar://problem/45265141>
3019
3020         Reviewed by Saam Barati.
3021
3022         * stress/get-stack-double.js: Added.
3023         (bar):
3024         (noInline):
3025
3026 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3027
3028         New bytecode format for JSC
3029         https://bugs.webkit.org/show_bug.cgi?id=187373
3030         <rdar://problem/44186758>
3031
3032         Reviewed by Filip Pizlo.
3033
3034         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3035
3036         * stress/maximum-inline-capacity.js: Added.
3037         (test1):
3038         (test3.Foo):
3039         (test3):
3040
3041 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3042
3043         Unreviewed, rolling out r237479 and r237484.
3044         https://bugs.webkit.org/show_bug.cgi?id=190978
3045
3046         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3047
3048         Reverted changesets:
3049
3050         "New bytecode format for JSC"
3051         https://bugs.webkit.org/show_bug.cgi?id=187373
3052         https://trac.webkit.org/changeset/237479
3053
3054         "Gardening: Build fix after r237479."
3055         https://bugs.webkit.org/show_bug.cgi?id=187373
3056         https://trac.webkit.org/changeset/237484
3057
3058 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3059
3060         New bytecode format for JSC
3061         https://bugs.webkit.org/show_bug.cgi?id=187373
3062         <rdar://problem/44186758>
3063
3064         Reviewed by Filip Pizlo.
3065
3066         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3067
3068         * stress/maximum-inline-capacity.js: Added.
3069         (test1):
3070         (test3.Foo):
3071         (test3):
3072
3073 2018-10-26  Mark Lam  <mark.lam@apple.com>
3074
3075         Fix missing edge cases with JSGlobalObjects having a bad time.
3076         https://bugs.webkit.org/show_bug.cgi?id=189028
3077         <rdar://problem/45204939>
3078
3079         Reviewed by Saam Barati.
3080
3081         * stress/regress-189028.js: Added.
3082
3083 2018-10-22  Mark Lam  <mark.lam@apple.com>
3084
3085         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3086         https://bugs.webkit.org/show_bug.cgi?id=190515
3087         <rdar://problem/45222379>
3088
3089         Rubber-stamped by Saam Barati.
3090
3091         Adding another test.
3092
3093         * stress/regress-190515-2.js: Added.
3094
3095 2018-10-22  Mark Lam  <mark.lam@apple.com>
3096
3097         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3098         https://bugs.webkit.org/show_bug.cgi?id=190515
3099         <rdar://problem/45222379>
3100
3101         Reviewed by Saam Barati.
3102
3103         * stress/regress-190515.js: Added.
3104
3105 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3106
3107         Unreviewed, rolling out r237254.
3108         https://bugs.webkit.org/show_bug.cgi?id=190760
3109
3110         "It regresses JetStream 2 by 5% on some iOS devices"
3111         (Requested by saamyjoon on #webkit).
3112
3113         Reverted changeset:
3114
3115         "[JSC] JSC should have "parseFunction" to optimize Function
3116         constructor"
3117         https://bugs.webkit.org/show_bug.cgi?id=190340
3118         https://trac.webkit.org/changeset/237254
3119
3120 2018-10-19  Saam Barati  <sbarati@apple.com>
3121
3122         vmCall should check if we exit before emitting an OSR exit due to exceptions
3123         https://bugs.webkit.org/show_bug.cgi?id=190740
3124         <rdar://problem/45220139>
3125
3126         Reviewed by Mark Lam.
3127
3128         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3129         (foo):
3130
3131 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3132
3133         [ESNext][BigInt] Implement support for "^"
3134         https://bugs.webkit.org/show_bug.cgi?id=186235
3135
3136         Reviewed by Yusuke Suzuki.
3137
3138         * stress/big-int-bitwise-xor-general.js: Added.
3139         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3140         * stress/big-int-bitwise-xor-type-error.js: Added.
3141         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3142
3143 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3144
3145         [BigInt] Add ValueSub into DFG
3146         https://bugs.webkit.org/show_bug.cgi?id=186176
3147
3148         Reviewed by Yusuke Suzuki.
3149
3150         * stress/big-int-subtraction-jit.js:
3151         * stress/value-sub-big-int-prediction-propagation.js: Added.
3152         * stress/value-sub-big-int-untyped.js: Added.
3153         * stress/value-sub-spec-none-case.js: Added.
3154
3155 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3156
3157         [JSC] JSC should have "parseFunction" to optimize Function constructor
3158         https://bugs.webkit.org/show_bug.cgi?id=190340
3159
3160         Reviewed by Mark Lam.
3161
3162         This patch fixes the line number of syntax errors raised by the Function constructor,
3163         since we now parse the final code only once. And we no longer use block statement
3164         for Function constructor's parsing.
3165
3166         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3167         * stress/function-cache-with-parameters-end-position.js: Added.
3168         (shouldBe):
3169         (shouldThrow):
3170         (i.anonymous):
3171         * stress/function-constructor-name.js: Added.
3172         (shouldBe):
3173         (GeneratorFunction):
3174         (AsyncFunction.async):
3175         (AsyncGeneratorFunction.async):
3176         (anonymous):
3177         (async.anonymous):
3178         * test262/expectations.yaml:
3179
3180 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3181
3182         Unreviewed, rolling out r237242.
3183         https://bugs.webkit.org/show_bug.cgi?id=190701
3184
3185         it breaks "stress/sampling-profiler-basic.js" (Requested by
3186         caiolima on #webkit).
3187
3188         Reverted changeset:
3189
3190         "[BigInt] Add ValueSub into DFG"
3191         https://bugs.webkit.org/show_bug.cgi?id=186176
3192         https://trac.webkit.org/changeset/237242
3193
3194 2018-10-17  Keith Miller  <keith_miller@apple.com>
3195
3196         AI does not clear Phantom allocation nodes.
3197         https://bugs.webkit.org/show_bug.cgi?id=190694
3198
3199         Reviewed by Saam Barati.
3200
3201         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3202         (Day):
3203         (DaysInYear):
3204         (TimeInYear):
3205         (TimeFromYear):
3206         (DayFromYear):
3207         (InLeapYear):
3208         (YearFromTime):
3209         (WeekDay):
3210         (DaylightSavingTA):
3211         (GetSecondSundayInMarch):
3212         (TimeInMonth):
3213
3214 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3215
3216         [BigInt] Add ValueSub into DFG
3217         https://bugs.webkit.org/show_bug.cgi?id=186176
3218
3219         Reviewed by Yusuke Suzuki.
3220
3221         * stress/big-int-subtraction-jit.js:
3222         * stress/value-sub-big-int-prediction-propagation.js: Added.
3223         * stress/value-sub-big-int-untyped.js: Added.
3224
3225 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3226
3227         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3228         https://bugs.webkit.org/show_bug.cgi?id=190611
3229
3230         Reviewed by Saam Barati.
3231
3232         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3233         to improve test runtime. On ARM/MIPS this test even timed out when running all
3234         tests.
3235
3236         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3237         (test):
3238
3239 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3240
3241         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3242
3243         Unreviewed gardening.
3244
3245         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3246
3247 2018-10-15  Saam barati  <sbarati@apple.com>
3248
3249         Emit fjcvtzs on ARM64E on Darwin
3250         https://bugs.webkit.org/show_bug.cgi?id=184023
3251
3252         Reviewed by Yusuke Suzuki and Filip Pizlo.
3253
3254         * stress/double-to-int32-NaN.js: Added.
3255         (assert):
3256         (foo):
3257
3258 2018-10-15  Saam Barati  <sbarati@apple.com>
3259
3260         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3261         https://bugs.webkit.org/show_bug.cgi?id=190262
3262         <rdar://problem/44986241>
3263
3264         Reviewed by Mark Lam.
3265
3266         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3267         (test):
3268         * stress/slice-array-storage-with-holes.js: Added.
3269         (main):
3270
3271 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3272
3273         Unreviewed, rolling out r237054.
3274         https://bugs.webkit.org/show_bug.cgi?id=190593
3275
3276         "this regressed JetStream 2 by 6% on iOS" (Requested by
3277         saamyjoon on #webkit).
3278
3279         Reverted changeset:
3280
3281         "[JSC] JSC should have "parseFunction" to optimize Function
3282         constructor"
3283         https://bugs.webkit.org/show_bug.cgi?id=190340
3284         https://trac.webkit.org/changeset/237054
3285
3286 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3287
3288         [JSC] JSON.stringify can accept call-with-no-arguments
3289         https://bugs.webkit.org/show_bug.cgi?id=190343
3290
3291         Reviewed by Mark Lam.
3292
3293         * stress/json-stringify-no-arguments.js: Added.
3294         (shouldBe):
3295
3296 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3297
3298         [JSC] JSC should have "parseFunction" to optimize Function constructor
3299         https://bugs.webkit.org/show_bug.cgi?id=190340
3300
3301         Reviewed by Mark Lam.
3302
3303         This patch fixes the line number of syntax errors raised by the Function constructor,
3304         since we now parse the final code only once. And we no longer use block statement
3305         for Function constructor's parsing.
3306
3307         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3308         * stress/function-cache-with-parameters-end-position.js: Added.
3309         (shouldBe):
3310         (shouldThrow):
3311         (i.anonymous):
3312         * stress/function-constructor-name.js: Added.
3313         (shouldBe):
3314         (GeneratorFunction):
3315         (AsyncFunction.async):
3316         (AsyncGeneratorFunction.async):
3317         (anonymous):
3318         (async.anonymous):
3319         * test262/expectations.yaml:
3320
3321 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3322
3323         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3324         https://bugs.webkit.org/show_bug.cgi?id=190426
3325
3326         Unreviewed gardening.
3327
3328         * stress/sampling-profiler-richards.js:
3329
3330 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3331
3332         [ESNext][BigInt] Implement support for "|"
3333         https://bugs.webkit.org/show_bug.cgi?id=186229
3334
3335         Reviewed by Yusuke Suzuki.
3336
3337         * stress/big-int-bitwise-and-jit.js:
3338         * stress/big-int-bitwise-or-general.js: Added.
3339         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3340         * stress/big-int-bitwise-or-jit.js: Added.
3341         * stress/big-int-bitwise-or-memory-stress.js: Added.
3342         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3343         * stress/big-int-bitwise-or-type-error.js: Added.
3344         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3345
3346 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3347
3348         Skip test on systems with limited memory
3349         https://bugs.webkit.org/show_bug.cgi?id=190310
3350
3351         Invoking runDefault adds test to runlist, skipping the test in the next
3352         line does not prevent the test from executing. Change order of lines such
3353         that runDefault is only executed if test is not executed.
3354
3355         Reviewed by Mark Lam.
3356
3357         * stress/regress-190187.js:
3358
3359 2018-10-03  Saam barati  <sbarati@apple.com>
3360
3361         lowXYZ in FTLLower should always filter the type of the incoming edge
3362         https://bugs.webkit.org/show_bug.cgi?id=189939
3363         <rdar://problem/44407030>
3364
3365         Reviewed by Michael Saboff.
3366
3367         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3368         (foo):
3369         (test):
3370
3371 2018-10-03  Mark Lam  <mark.lam@apple.com>
3372
3373         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3374         https://bugs.webkit.org/show_bug.cgi?id=190187
3375         <rdar://problem/42512909>
3376
3377         Reviewed by Michael Saboff.
3378
3379         * stress/regress-190187.js: Added.
3380
3381 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3382
3383         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3384         https://bugs.webkit.org/show_bug.cgi?id=190033
3385
3386         Reviewed by Yusuke Suzuki.
3387
3388         * stress/big-int-to-string.js:
3389
3390 2018-10-01  Mark Lam  <mark.lam@apple.com>
3391
3392         Function.toString() should also copy the source code of Functions that are class definitions.
3393         https://bugs.webkit.org/show_bug.cgi?id=190186
3394         <rdar://problem/44733360>
3395
3396         Reviewed by Saam Barati.
3397
3398         * stress/regress-190186.js: Added.
3399
3400 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3401
3402         Split NaN-check into separate test
3403         https://bugs.webkit.org/show_bug.cgi?id=190010
3404
3405         Reviewed by Saam Barati.
3406
3407         DataView exposes NaN-representation, which is not necessarily the same on each
3408         architecture. Therefore move the check of the NaN-representation into its own
3409         file such that we can disable this test on MIPS where NaN-representation can be
3410         different on older CPUs.
3411
3412         * stress/dataview-jit-set-nan.js: Added.
3413         (assert):
3414         (test.storeLittleEndian):
3415         (test.storeBigEndian):
3416         (test.store):
3417         (test):
3418         * stress/dataview-jit-set.js:
3419         (test5):
3420
3421 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3422
3423         Unreviewed, rolling out r236647.
3424         https://bugs.webkit.org/show_bug.cgi?id=190124
3425
3426         Breaking test stress/big-int-to-string.js (Requested by
3427         caiolima_ on #webkit).
3428
3429         Reverted changeset:
3430
3431         "[BigInt] BigInt.prototype.toString is broken when radix is
3432         power of 2"
3433         https://bugs.webkit.org/show_bug.cgi?id=190033
3434         https://trac.webkit.org/changeset/236647
3435
3436 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3437
3438         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3439         https://bugs.webkit.org/show_bug.cgi?id=190033
3440
3441         Reviewed by Yusuke Suzuki.
3442
3443         * stress/big-int-to-string.js:
3444
3445 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3446
3447         [ESNext][BigInt] Implement support for "&"
3448         https://bugs.webkit.org/show_bug.cgi?id=186228
3449
3450         Reviewed by Yusuke Suzuki.
3451
3452         * stress/big-int-bitwise-and-general.js: Added.
3453         (assert):
3454         (assert.sameValue):
3455         * stress/big-int-bitwise-and-jit.js: Added.
3456         (let.assert.sameValue):
3457         (bigIntBitAnd):
3458         * stress/big-int-bitwise-and-memory-stress.js: Added.
3459         (assert):
3460         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3461         (assert.sameValue):
3462         (let.o.Symbol.toPrimitive):
3463         (catch):
3464         * stress/big-int-bitwise-and-type-error.js: Added.
3465         (assert):
3466         (assertThrowTypeError):
3467         (let.o.valueOf):
3468         (o.valueOf):
3469         (o.toString):
3470         (o.Symbol.toPrimitive):
3471         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3472         (assert.sameValue):
3473         (testBitAnd):
3474         (let.o.Symbol.toPrimitive):
3475         (o.valueOf):
3476         (o.toString):
3477
3478 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3479
3480         JSC test stress/jsc-read.js doesn't support CRLF
3481         https://bugs.webkit.org/show_bug.cgi?id=190063
3482
3483         Reviewed by Yusuke Suzuki.
3484
3485         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3486
3487         * stress/jsc-read.js:
3488         (test):
3489
3490 2018-09-27  Saam barati  <sbarati@apple.com>
3491
3492         Verify the contents of AssemblerBuffer on arm64e
3493         https://bugs.webkit.org/show_bug.cgi?id=190057
3494         <rdar://problem/38916630>
3495
3496         Reviewed by Mark Lam.
3497
3498         * stress/regress-189132.js:
3499
3500 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3501
3502         Disable test without LLInt on ARMv7
3503         https://bugs.webkit.org/show_bug.cgi?id=190037
3504
3505         Reviewed by Mark Lam.
3506
3507         Test runs out of executable memory on ARMv7, do not run
3508         this test without LLInt enabled.
3509
3510         * stress/regress-169445.js:
3511
3512 2018-09-26  Keith Miller  <keith_miller@apple.com>
3513
3514         We should zero unused property storage when rebalancing array storage.
3515         https://bugs.webkit.org/show_bug.cgi?id=188151
3516
3517         Reviewed by Michael Saboff.
3518
3519         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3520
3521 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3522
3523         [JSC] Optimize Array#lastIndexOf
3524         https://bugs.webkit.org/show_bug.cgi?id=189780
3525
3526         Reviewed by Saam Barati.
3527
3528         * stress/array-lastindexof-array-prototype-trap.js: Added.
3529         (shouldBe):
3530         (AncestorArray.prototype.get 2):
3531         (AncestorArray):
3532         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3533         (shouldBe):
3534         * stress/array-lastindexof-hole-nan.js: Added.
3535         (shouldBe):
3536         (throw.new.Error):
3537         * stress/array-lastindexof-infinity.js: Added.
3538         (shouldBe):
3539         (throw.new.Error):
3540         * stress/array-lastindexof-negative-zero.js: Added.
3541         (shouldBe):
3542         (throw.new.Error):
3543         * stress/array-lastindexof-own-getter.js: Added.
3544         (shouldBe):
3545         (throw.new.Error.get array):
3546         (get array):
3547         * stress/array-lastindexof-prototype-trap.js: Added.
3548         (shouldBe):
3549         (DerivedArray.prototype.get 2):
3550         (DerivedArray):
3551
3552 2018-09-25  Saam Barati  <sbarati@apple.com>
3553
3554         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3555         https://bugs.webkit.org/show_bug.cgi?id=189940
3556         <rdar://problem/43640987>
3557
3558         Reviewed by Mark Lam.
3559
3560         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3561
3562 2018-09-24  Saam Barati  <sbarati@apple.com>
3563
3564         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3565         https://bugs.webkit.org/show_bug.cgi?id=189922
3566         <rdar://problem/44651275>
3567
3568         Reviewed by Mark Lam.
3569
3570         * stress/array-indexof-fast-path-effects.js: Added.
3571         * stress/array-indexof-cached-length.js: Added.
3572
3573 2018-09-24  Saam barati  <sbarati@apple.com>
3574
3575         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3576         https://bugs.webkit.org/show_bug.cgi?id=189682
3577         <rdar://problem/43557315>
3578
3579         Reviewed by Mark Lam.
3580
3581         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3582         (foo):
3583
3584 2018-09-22  Saam barati  <sbarati@apple.com>
3585
3586         The sampling should not use Strong<CodeBlock> in its machineLocation field
3587         https://bugs.webkit.org/show_bug.cgi?id=189319
3588
3589         Reviewed by Filip Pizlo.
3590
3591         * stress/sampling-profiler-richards.js: Added.
3592
3593 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3594
3595         [JSC] Optimize Array#indexOf in C++ runtime
3596         https://bugs.webkit.org/show_bug.cgi?id=189507
3597
3598         Reviewed by Saam Barati.
3599
3600         * stress/array-indexof-array-prototype-trap.js: Added.
3601         (shouldBe):
3602         (AncestorArray.prototype.get 2):
3603         (AncestorArray):
3604         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3605         (shouldBe):
3606         * stress/array-indexof-hole-nan.js: Added.
3607         (shouldBe):
3608         (throw.new.Error):
3609         * stress/array-indexof-infinity.js: Added.
3610         (shouldBe):
3611         (throw.new.Error):
3612         * stress/array-indexof-negative-zero.js: Added.
3613         (shouldBe):
3614         (throw.new.Error):
3615         * stress/array-indexof-own-getter.js: Added.
3616         (shouldBe):
3617         (throw.new.Error.get array):
3618         (get array):
3619         * stress/array-indexof-prototype-trap.js: Added.
3620         (shouldBe):
3621         (DerivedArray.prototype.get 2):
3622         (DerivedArray):
3623
3624 2018-09-19  Saam barati  <sbarati@apple.com>
3625
3626         AI rule for MultiPutByOffset executes its effects in the wrong order
3627         https://bugs.webkit.org/show_bug.cgi?id=189757
3628         <rdar://problem/43535257>
3629
3630         Reviewed by Michael Saboff.
3631
3632         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3633         (foo):
3634         (Foo):
3635         (g):
3636
3637 2018-09-17  Mark Lam  <mark.lam@apple.com>
3638
3639         Ensure that ForInContexts are invalidated if their loop local is over-written.
3640         https://bugs.webkit.org/show_bug.cgi?id=189571
3641         <rdar://problem/44402277>
3642
3643         Reviewed by Saam Barati.
3644
3645         * stress/regress-189571.js: Added.
3646
3647 2018-09-17  Saam barati  <sbarati@apple.com>
3648
3649         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3650         https://bugs.webkit.org/show_bug.cgi?id=189676
3651         <rdar://problem/39682897>
3652
3653         Reviewed by Michael Saboff.
3654
3655         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3656         (A):
3657         (K):
3658         (i.catch):
3659
3660 2018-09-14  Saam barati  <sbarati@apple.com>
3661
3662         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3663         https://bugs.webkit.org/show_bug.cgi?id=189628
3664         <rdar://problem/39481690>
3665
3666         Reviewed by Mark Lam.
3667
3668         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3669         (foo):
3670
3671 2018-09-11  Mark Lam  <mark.lam@apple.com>
3672
3673         Test for array initialization in arrayProtoFuncSplice.
3674         https://bugs.webkit.org/show_bug.cgi?id=170253
3675         <rdar://problem/31328773>
3676
3677         Rubber-stamped by Saam Barati.
3678
3679         * stress/regress-170253.js: Added.
3680
3681 2018-09-11  Mark Lam  <mark.lam@apple.com>
3682
3683         Test for IntlObject initialization.
3684         https://bugs.webkit.org/show_bug.cgi?id=170251
3685         <rdar://problem/31328419>
3686
3687         Rubber-stamped by Saam Barati.
3688
3689         * stress/regress-170251.js: Added.
3690
3691 2018-09-11  Mark Lam  <mark.lam@apple.com>
3692
3693         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3694         https://bugs.webkit.org/show_bug.cgi?id=169889
3695         <rdar://problem/31155607>
3696
3697         Reviewed by Saam Barati.
3698
3699         * stress/regress-169889-array-concat.js: Added.
3700         * stress/regress-169889-array-concat1.js: Added.
3701         * stress/regress-169889-array-slice.js: Added.
3702
3703 2018-09-11  Mark Lam  <mark.lam@apple.com>
3704
3705         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3706         https://bugs.webkit.org/show_bug.cgi?id=169445
3707         <rdar://problem/30957435>
3708
3709         Reviewed by Saam Barati.
3710
3711         * stress/regress-169445.js: Added.
3712         (let.gun.eval.A):
3713         (let.gun.eval.B.C):
3714         (let.gun.eval.B.C.prototype.trigger):
3715         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3716         (let.gun.eval.B):
3717         (let.gun.eval):
3718
3719 == Rolled over to ChangeLog-2018-09-11 ==