[JSC] LLIntEntryPoint creates same DirectJITCode for all functions
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
2
3         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
4         https://bugs.webkit.org/show_bug.cgi?id=194648
5
6         Reviewed by Keith Miller.
7
8         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
9
10 2019-03-18  Mark Lam  <mark.lam@apple.com>
11
12         Missing a ThrowScope release in JSObject::toString().
13         https://bugs.webkit.org/show_bug.cgi?id=195893
14         <rdar://problem/48970986>
15
16         Reviewed by Michael Saboff.
17
18         * stress/to-string-exception-check-release.js: Added.
19
20 2019-03-18  Mark Lam  <mark.lam@apple.com>
21
22         Structure::flattenDictionary() should clear unused property slots.
23         https://bugs.webkit.org/show_bug.cgi?id=195871
24         <rdar://problem/48959497>
25
26         Reviewed by Michael Saboff.
27
28         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
29
30 2019-03-15  Mark Lam  <mark.lam@apple.com>
31
32         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
33         https://bugs.webkit.org/show_bug.cgi?id=195827
34         <rdar://problem/48845513>
35
36         Reviewed by Filip Pizlo.
37
38         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
39
40 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
41
42         [ARM,MIPS] Skip slow tests
43         https://bugs.webkit.org/show_bug.cgi?id=195799
44
45         Unreviewed, test does not finish on ARM and MIPS within the
46         timeout limit.
47
48         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
49
50 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
51
52         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
53         https://bugs.webkit.org/show_bug.cgi?id=195791
54         <rdar://problem/48806130>
55
56         Reviewed by Mark Lam.
57
58         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
59         (foo):
60
61 2019-03-14  Saam barati  <sbarati@apple.com>
62
63         We can't remove code after ForceOSRExit until after FixupPhase
64         https://bugs.webkit.org/show_bug.cgi?id=186916
65         <rdar://problem/41396612>
66
67         Reviewed by Yusuke Suzuki.
68
69         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
70         (foo):
71         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
72         (foo):
73
74 2019-03-13  Michael Saboff  <msaboff@apple.com>
75
76         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
77         https://bugs.webkit.org/show_bug.cgi?id=195735
78
79         Reviewed by Mark Lam.
80
81         New regression test.
82
83         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
84         (foo):
85         (bar):
86
87 2019-03-14  Saam barati  <sbarati@apple.com>
88
89         Fixup uses KnownInt32 incorrectly in some nodes
90         https://bugs.webkit.org/show_bug.cgi?id=195279
91         <rdar://problem/47915654>
92
93         Reviewed by Yusuke Suzuki.
94
95         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
96         (foo):
97
98 2019-03-14  Keith Miller  <keith_miller@apple.com>
99
100         DFG liveness can't skip tail caller inline frames
101         https://bugs.webkit.org/show_bug.cgi?id=195715
102
103         Reviewed by Saam Barati.
104
105         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
106         (i.foo):
107
108 2019-03-13  Mark Lam  <mark.lam@apple.com>
109
110         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
111         https://bugs.webkit.org/show_bug.cgi?id=195415
112
113         Not reviewed.
114
115         Changed these tests to only run the default configuration.
116         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
117         There's no strong need to run this test on that variant.
118
119         * stress/dfg-to-string-on-int-does-gc.js:
120         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
121
122 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
123
124         String overflow when using StringBuilder in JSC::createError
125         https://bugs.webkit.org/show_bug.cgi?id=194957
126
127         Reviewed by Mark Lam.
128
129         Add test string-overflow-createError-bulder.js that overflows
130         StringBuilder in notAFunctionSourceAppender. The second new test
131         string-overflow-createError-fit.js has an error message that doesn't
132         overflow, it still failed since the String's capacity can't be doubled.
133         Run test string-overflow-createError.js only in the default
134         configuration to reduce memory consumption when running the test
135         in all configurations on multiple CPUs in parallel.
136
137         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
138         (catch):
139         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
140         (catch):
141         * stress/string-overflow-createError.js:
142
143 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
144
145         [JSC] OSR entry should respect abstract values in addition to flush formats
146         https://bugs.webkit.org/show_bug.cgi?id=195653
147
148         Reviewed by Mark Lam.
149
150         * stress/osr-entry-locals-none.js: Added.
151
152 2019-03-12  Michael Saboff  <msaboff@apple.com>
153
154         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
155         https://bugs.webkit.org/show_bug.cgi?id=195613
156
157         Reviewed by Mark Lam.
158
159         New regression test.
160
161         * stress/regexp-backref-inbounds.js: Added.
162         (testRegExp):
163
164 2019-03-12  Mark Lam  <mark.lam@apple.com>
165
166         The HasIndexedProperty node does GC.
167         https://bugs.webkit.org/show_bug.cgi?id=195559
168         <rdar://problem/48767923>
169
170         Reviewed by Yusuke Suzuki.
171
172         * stress/HasIndexedProperty-does-gc.js: Added.
173
174 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
175
176         [ESNext][BigInt] Implement "~" unary operation
177         https://bugs.webkit.org/show_bug.cgi?id=182216
178
179         Reviewed by Keith Miller.
180
181         * stress/big-int-bit-not-general.js: Added.
182         * stress/big-int-bitwise-not-jit.js: Added.
183         * stress/big-int-bitwise-not-wrapped-value.js: Added.
184         * stress/bit-op-with-object-returning-int32.js:
185         * stress/bitwise-not-fixup-rules.js: Added.
186         * stress/value-bit-not-ai-rule.js: Added.
187
188 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
189
190         Invalid flags in a RegExp literal should be an early SyntaxError
191         https://bugs.webkit.org/show_bug.cgi?id=195514
192
193         Reviewed by Darin Adler.
194
195         * test262/expectations.yaml:
196         Mark 4 test cases as passing.
197
198         * stress/regexp-syntax-error-invalid-flags.js:
199         * stress/regress-161995.js: Removed.
200         Update existing test, merging in an older test for the same behavior.
201
202 2019-03-08  Mark Lam  <mark.lam@apple.com>
203
204         Stack overflow crash in JSC::JSObject::hasInstance.
205         https://bugs.webkit.org/show_bug.cgi?id=195458
206         <rdar://problem/48710195>
207
208         Reviewed by Yusuke Suzuki.
209
210         * stress/stack-overflow-in-custom-hasInstance.js: Added.
211
212 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
213
214         op_check_tdz does not def its argument
215         https://bugs.webkit.org/show_bug.cgi?id=192880
216         <rdar://problem/46221598>
217
218         Reviewed by Saam Barati.
219
220         * microbenchmarks/let-for-in.js: Added.
221         (foo):
222
223 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
224
225         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
226         https://bugs.webkit.org/show_bug.cgi?id=195429
227
228         Reviewed by Saam Barati.
229
230         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
231         (foo):
232         * stress/string-from-char-code-255.js: Added.
233
234 2019-03-06  Mark Lam  <mark.lam@apple.com>
235
236         Fix incorrect handling of try-finally completion values.
237         https://bugs.webkit.org/show_bug.cgi?id=195131
238         <rdar://problem/46222079>
239
240         Reviewed by Saam Barati and Yusuke Suzuki.
241
242         Added many permutations of new test case to test-finally.js.  test-finally.js has
243         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
244         tests passes there as well.
245
246         * stress/test-finally.js:
247
248 2019-03-06  Saam Barati  <sbarati@apple.com>
249
250         Air::reportUsedRegisters must padInterference
251         https://bugs.webkit.org/show_bug.cgi?id=195303
252         <rdar://problem/48270343>
253
254         Reviewed by Keith Miller.
255
256         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
257
258 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
259
260         [JSC] AI should not propagate AbstractValue relying on constant folding phase
261         https://bugs.webkit.org/show_bug.cgi?id=195375
262
263         Reviewed by Saam Barati.
264
265         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
266         (let.array):
267
268 2019-03-05  Saam barati  <sbarati@apple.com>
269
270         op_switch_char broken for rope strings after JSRopeString layout rewrite
271         https://bugs.webkit.org/show_bug.cgi?id=195339
272         <rdar://problem/48592545>
273
274         Reviewed by Yusuke Suzuki.
275
276         * stress/switch-on-char-llint-rope.js: Added.
277
278 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
279
280         [JSC] Store bits for JSRopeString in 3 stores
281         https://bugs.webkit.org/show_bug.cgi?id=195234
282
283         Reviewed by Saam Barati.
284
285         * stress/null-rope-and-collectors.js: Added.
286
287 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
288
289         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
290         https://bugs.webkit.org/show_bug.cgi?id=195207
291
292         Unreviewed. After test runtime was reduced in r242213, test can be
293         run again on ARM/MIPS.
294
295         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
296
297 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
298
299         [JSC] sizeof(JSString) should be 16
300         https://bugs.webkit.org/show_bug.cgi?id=194375
301
302         Reviewed by Saam Barati.
303
304         * microbenchmarks/make-rope.js: Added.
305         (makeRope):
306         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
307         (returnRope.helper): Deleted.
308         (returnRope): Deleted.
309
310 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
311
312         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
313         https://bugs.webkit.org/show_bug.cgi?id=195144
314
315         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
316         Change the number from 1e8 to 1e5.
317
318         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
319         (foo):
320
321 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
322
323         Test times out on ARM/MIPS
324         https://bugs.webkit.org/show_bug.cgi?id=195168
325
326         Unreviewed. Skip test on ARM/MIPS.
327
328         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
329
330 2019-02-27  Mark Lam  <mark.lam@apple.com>
331
332         The parser is failing to record the token location of new in new.target.
333         https://bugs.webkit.org/show_bug.cgi?id=195127
334         <rdar://problem/39645578>
335
336         Reviewed by Yusuke Suzuki.
337
338         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
339
340 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
341
342         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
343         https://bugs.webkit.org/show_bug.cgi?id=195144
344         <rdar://problem/47595961>
345
346         Reviewed by Mark Lam.
347
348         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
349         (bar):
350         (foo):
351         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
352         (bar):
353         (foo):
354
355 2019-02-27  Robin Morisset  <rmorisset@apple.com>
356
357         DFG: Loop-invariant code motion (LICM) should not hoist dead code
358         https://bugs.webkit.org/show_bug.cgi?id=194945
359         <rdar://problem/48311657>
360
361         Reviewed by Mark Lam.
362
363         * stress/licm-dead-code.js: Added.
364
365 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
366
367         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
368         https://bugs.webkit.org/show_bug.cgi?id=194677
369         <rdar://problem/48112492>
370
371         Reviewed by Mark Lam.
372
373         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
374         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
375         it immediately fails due the large size.
376
377         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
378         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
379         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
380         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
381
382         This patch changes the test to produce 16bit string from String.fromCharCode.
383
384         * stress/regress-178386.js:
385
386 2019-02-26  Mark Lam  <mark.lam@apple.com>
387
388         wasmToJS() should purify incoming NaNs.
389         https://bugs.webkit.org/show_bug.cgi?id=194807
390         <rdar://problem/48189132>
391
392         Reviewed by Saam Barati.
393
394         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
395
396 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
397
398         [JSC] Repeat string created from Array.prototype.join() take too much memory
399         https://bugs.webkit.org/show_bug.cgi?id=193912
400
401         Reviewed by Saam Barati.
402
403         Added a test and a microbenchmark for corner cases of
404         Array.prototype.join() with an uninitialized array.
405
406         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
407         * stress/array-prototype-join-uninitialized.js: Added.
408         (testArray):
409         (testABC):
410         (B):
411         (C):
412
413 2019-02-22  Robin Morisset  <rmorisset@apple.com>
414
415         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
416         https://bugs.webkit.org/show_bug.cgi?id=194953
417         <rdar://problem/47595253>
418
419         Reviewed by Saam Barati.
420
421         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
422
423         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
424
425 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
426
427         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
428         https://bugs.webkit.org/show_bug.cgi?id=172848
429         <rdar://problem/25709212>
430
431         Reviewed by Mark Lam.
432
433         * typeProfiler/inheritance.js:
434         Rewrite the test slightly for clarity. The hoisting was confusing.
435
436         * heapProfiler/class-names.js: Added.
437         (MyES5Class):
438         (MyES6Class):
439         (MyES6Subclass):
440         Test object types and improved class names.
441
442         * heapProfiler/driver/driver.js:
443         (CheapHeapSnapshotNode):
444         (CheapHeapSnapshot):
445         (createCheapHeapSnapshot):
446         (HeapSnapshot):
447         (createHeapSnapshot):
448         Update snapshot parsing from version 1 to version 2.
449
450 2019-02-19  Truitt Savell  <tsavell@apple.com>
451
452         Unreviewed, rolling out r241784.
453
454         Broke all OpenSource builds.
455
456         Reverted changeset:
457
458         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
459         instances view"
460         https://bugs.webkit.org/show_bug.cgi?id=172848
461         https://trac.webkit.org/changeset/241784
462
463 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
464
465         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
466         https://bugs.webkit.org/show_bug.cgi?id=172848
467         <rdar://problem/25709212>
468
469         Reviewed by Mark Lam.
470
471         * typeProfiler/inheritance.js:
472         Rewrite the test slightly for clarity. The hoisting was confusing.
473
474         * heapProfiler/class-names.js: Added.
475         (MyES5Class):
476         (MyES6Class):
477         (MyES6Subclass):
478         Test object types and improved class names.
479
480         * heapProfiler/driver/driver.js:
481         (CheapHeapSnapshotNode):
482         (CheapHeapSnapshot):
483         (createCheapHeapSnapshot):
484         (HeapSnapshot):
485         (createHeapSnapshot):
486         Update snapshot parsing from version 1 to version 2.
487
488 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
489
490         [ARM] Fix crash with sampling profiler
491         https://bugs.webkit.org/show_bug.cgi?id=194772
492
493         Reviewed by Mark Lam.
494
495         Do not skip test since crash with sampling profiler is now fixed.
496
497         * stress/sampling-profiler-richards.js:
498
499 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
500
501         [JSC] Add LazyClassStructure::getInitializedOnMainThread
502         https://bugs.webkit.org/show_bug.cgi?id=194784
503         <rdar://problem/48154820>
504
505         Reviewed by Mark Lam.
506
507         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
508         (getProperties):
509         (getRandomProperty):
510         (i.catch):
511
512 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
513
514         [ARM] Test gardening: Test running out of executable memory
515         https://bugs.webkit.org/show_bug.cgi?id=194771
516
517         Unreviewed. Do not run test without LLInt, test is running out of executable
518         memory on ARM otherwise.
519
520         * stress/tagged-template-object-collect.js:
521
522 2019-02-18  Tomas Popela  <tpopela@redhat.com>
523
524         Unreviewed, skip the test on platforms without sampling profiler
525
526         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
527         (platformSupportsSamplingProfiler.foo):
528         (platformSupportsSamplingProfiler.test):
529         (platformSupportsSamplingProfiler):
530         (foo): Deleted.
531         (test): Deleted.
532
533 2019-02-17  Saam Barati  <sbarati@apple.com>
534
535         Deadlock when adding a Structure property transition and then doing incremental marking
536         https://bugs.webkit.org/show_bug.cgi?id=194767
537
538         Reviewed by Mark Lam.
539
540         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
541
542 2019-02-15  Michael Saboff  <msaboff@apple.com>
543
544         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
545         https://bugs.webkit.org/show_bug.cgi?id=194558
546
547         Reviewed by Saam Barati.
548
549         New regression test.
550
551         * stress/regexp-unicode-within-string.js: Added.
552
553 2019-02-15  Mark Lam  <mark.lam@apple.com>
554
555         SamplingProfiler::stackTracesAsJSON() should escape strings.
556         https://bugs.webkit.org/show_bug.cgi?id=194649
557         <rdar://problem/48072386>
558
559         Reviewed by Saam Barati.
560
561         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
562         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
563         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
564         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
565
566 2019-02-15  Robin Morisset  <rmorisset@apple.com>
567         CodeBlock::jettison should clear related watchpoints
568         https://bugs.webkit.org/show_bug.cgi?id=194544
569
570         Reviewed by Mark Lam.
571
572         * stress/regexp-replace-double-watchpoint.js: Added.
573         (foo):
574
575 2019-02-15  Saam barati  <sbarati@apple.com>
576
577         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
578         https://bugs.webkit.org/show_bug.cgi?id=194036
579
580         Reviewed by Yusuke Suzuki.
581
582         * stress/tail-call-many-arguments.js: Added.
583         (foo):
584         (bar):
585
586 2019-02-14  Saam Barati  <sbarati@apple.com>
587
588         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
589         https://bugs.webkit.org/show_bug.cgi?id=194583
590         <rdar://problem/48028140>
591
592         Reviewed by Yusuke Suzuki.
593
594         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
595
596 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
597
598         [JSC] String.fromCharCode's slow path always generates 16bit string
599         https://bugs.webkit.org/show_bug.cgi?id=194466
600
601         Reviewed by Keith Miller.
602
603         * stress/string-from-char-code-slow-path.js: Added.
604         (shouldBe):
605         (testWithLength):
606
607 2019-02-08  Saam barati  <sbarati@apple.com>
608
609         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
610         https://bugs.webkit.org/show_bug.cgi?id=194334
611         <rdar://problem/47844327>
612
613         Reviewed by Mark Lam.
614
615         * stress/check-in-bounds-should-be-a-child-use.js: Added.
616         (func):
617
618 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
619
620         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
621         https://bugs.webkit.org/show_bug.cgi?id=194369
622         <rdar://problem/47813087>
623
624         Reviewed by Saam Barati.
625
626         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
627         (A):
628
629 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
630
631         [JSC] PrivateName to PublicName hash table is wasteful
632         https://bugs.webkit.org/show_bug.cgi?id=194277
633
634         Reviewed by Michael Saboff.
635
636         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
637
638         * ChakraCore.yaml:
639
640 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
641
642         [ARM] Test running out of executable memory
643         https://bugs.webkit.org/show_bug.cgi?id=194285
644
645         Unreviewed. Do no execute test with LLInt disabled, test runs out of
646         executable memory otherwise.
647
648         * stress/class-subclassing-function.js:
649
650 2019-02-04  Robin Morisset  <rmorisset@apple.com>
651
652         when lowering AssertNotEmpty, create the value before creating the patchpoint
653         https://bugs.webkit.org/show_bug.cgi?id=194231
654
655         Reviewed by Saam Barati.
656
657         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
658         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
659         So even tiny changes to this test can change the path code taken.
660
661         * stress/assert-not-empty.js: Added.
662         (foo):
663
664 2019-02-01  Mark Lam  <mark.lam@apple.com>
665
666         Remove invalid assertion in DFG's compileDoubleRep().
667         https://bugs.webkit.org/show_bug.cgi?id=194130
668         <rdar://problem/47699474>
669
670         Reviewed by Saam Barati.
671
672         * stress/constant-fold-double-rep-into-double-constant.js: Added.
673
674 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
675
676         Import latest Test262 updates.
677
678         Rubber-stamped by Keith Miller.
679
680         * test262.yaml: Deleted.
681         * test262/config.yaml:
682         * test262/expectations.yaml:
683         * test262/latest-changes-summary.txt:
684         * test262/test/:
685         * test262/test262-Revision.txt:
686
687 2019-01-30  Robin Morisset  <rmorisset@apple.com>
688
689         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
690         https://bugs.webkit.org/show_bug.cgi?id=194050
691         <rdar://problem/47595592>
692
693         Reviewed by Yusuke Suzuki.
694
695         * stress/object-keys-osr-exit.js: Added.
696         (foo):
697         (catch):
698
699 2019-01-29  Mark Lam  <mark.lam@apple.com>
700
701         ValueRecovery::recover() should purify NaN values it recovers.
702         https://bugs.webkit.org/show_bug.cgi?id=193978
703         <rdar://problem/47625488>
704
705         Reviewed by Saam Barati.
706
707         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
708
709 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
710
711         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
712         https://bugs.webkit.org/show_bug.cgi?id=193713
713
714         * stress/try-get-by-id-should-spill-registers-dfg.js:
715         (let.f.createBuiltin):
716
717 2019-01-28  Mark Lam  <mark.lam@apple.com>
718
719         ToString node actually does GC.
720         https://bugs.webkit.org/show_bug.cgi?id=193920
721         <rdar://problem/46695900>
722
723         Reviewed by Yusuke Suzuki.
724
725         * stress/dfg-to-string-on-int-does-gc.js: Added.
726         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
727         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
728
729 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
730
731         [JSC] NativeErrorConstructor should not have own IsoSubspace
732         https://bugs.webkit.org/show_bug.cgi?id=193713
733
734         Reviewed by Saam Barati.
735
736         Remove @Error use.
737
738         * stress/try-get-by-id-should-spill-registers-dfg.js:
739         (let.f.createBuiltin):
740
741 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
742
743         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
744         https://bugs.webkit.org/show_bug.cgi?id=190693
745
746         Reviewed by Michael Saboff.
747
748         * stress/regress-190693.js: Added.
749         (truth):
750         (assert):
751         (shouldThrowInvalidConstAssignment):
752         (taz):
753
754 2019-01-24  Saam Barati  <sbarati@apple.com>
755
756         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
757         https://bugs.webkit.org/show_bug.cgi?id=193751
758         <rdar://problem/47280215>
759
760         Reviewed by Michael Saboff.
761
762         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
763         (let.thing):
764         (foo.let.hello):
765         (foo):
766
767 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
768
769         [JSC] Reenable baseline JIT on mips
770         https://bugs.webkit.org/show_bug.cgi?id=192983
771
772         Reviewed by Mark Lam.
773
774         Added a new test for a case that was triggering a RELEASE_ASSERT when
775         testing.
776         Disable some slow tests that were already disabled for arm and x86.
777
778         * stress/json-parse-big-object.js: Added.
779         * stress/new-largeish-contiguous-array-with-size.js:
780         * stress/op_add.js:
781         * stress/op_bitand.js:
782         * stress/op_bitor.js:
783         * stress/op_bitxor.js:
784         * stress/op_lshift-ConstVar.js:
785         * stress/op_lshift-VarConst.js:
786         * stress/op_lshift-VarVar.js:
787         * stress/op_mod-ConstVar.js:
788         * stress/op_mod-VarConst.js:
789         * stress/op_mod-VarVar.js:
790         * stress/op_mul-ConstVar.js:
791         * stress/op_mul-VarConst.js:
792         * stress/op_mul-VarVar.js:
793         * stress/op_rshift-ConstVar.js:
794         * stress/op_rshift-VarConst.js:
795         * stress/op_rshift-VarVar.js:
796         * stress/op_sub-ConstVar.js:
797         * stress/op_sub-VarConst.js:
798         * stress/op_sub-VarVar.js:
799         * stress/op_urshift-ConstVar.js:
800         * stress/op_urshift-VarConst.js:
801         * stress/op_urshift-VarVar.js:
802         * stress/sampling-profiler-richards.js:
803         * stress/spread-forward-call-varargs-stack-overflow.js:
804
805 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
806
807         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
808         https://bugs.webkit.org/show_bug.cgi?id=193711
809         <rdar://problem/47250262>
810
811         Reviewed by Saam Barati.
812
813         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
814         (shouldBe):
815         (foo):
816         (bar):
817         (baz):
818
819 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
820
821         Unreviewed, fix initial global lexical binding epoch
822         https://bugs.webkit.org/show_bug.cgi?id=193603
823         <rdar://problem/47380869>
824
825         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
826         (f1.f2.f3.f4):
827         (f1.f2.f3):
828         (f1.f2):
829         (f1):
830
831 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
832
833         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
834         https://bugs.webkit.org/show_bug.cgi?id=193709
835         <rdar://problem/47363838>
836
837         Unreviewed, rollout to watch the tests.
838
839         * stress/object-tostring-changed-proto.js: Removed.
840         * stress/object-tostring-changed.js: Removed.
841         * stress/object-tostring-misc.js: Removed.
842         * stress/object-tostring-other.js: Removed.
843         * stress/object-tostring-untyped.js: Removed.
844
845 2019-01-22  Saam Barati  <sbarati@apple.com>
846
847         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
848
849         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
850         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
851         (testUncheckedLessThanZero):
852         (testUncheckedLessThanOrEqualZero):
853         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
854         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
855
856 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
857
858         [JSC] Invalidate old scope operations using global lexical binding epoch
859         https://bugs.webkit.org/show_bug.cgi?id=193603
860         <rdar://problem/47380869>
861
862         Reviewed by Saam Barati.
863
864         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
865         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
866         (shouldThrow):
867         (bar):
868         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
869         (shouldBe):
870         (get1):
871         (get2):
872         (get1If):
873         (get2If):
874         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
875         (shouldThrow):
876         (foo):
877
878 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
879
880         Unreviewed, roll out r240220 due to date-format-xparb regression
881         https://bugs.webkit.org/show_bug.cgi?id=193603
882
883         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
884         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
885         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
886         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
887
888 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
889
890         DoesGC rule is wrong for nodes with BigIntUse
891         https://bugs.webkit.org/show_bug.cgi?id=193652
892
893         Reviewed by Saam Barati.
894
895         * stress/big-int-value-op-update-gc-rules.js: Added.
896         (assert):
897         (doesGCAdd):
898         (doesGCSub):
899         (doesGCDiv):
900         (doesGCMul):
901         (doesGCBitAnd):
902         (doesGCBitOr):
903         (doesGCBitXor):
904
905 2019-01-20  Saam Barati  <sbarati@apple.com>
906
907         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
908         https://bugs.webkit.org/show_bug.cgi?id=193644
909         <rdar://problem/46209745>
910
911         Reviewed by Yusuke Suzuki.
912
913         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
914         (foo):
915         * stress/data-view-set-intrinsic-undefined-result.js: Added.
916         (foo):
917         (bar):
918
919 2019-01-20  Saam Barati  <sbarati@apple.com>
920
921         MovHint must merge NodeBytecodeUsesAsValue for its child
922         https://bugs.webkit.org/show_bug.cgi?id=186916
923         <rdar://problem/41396612>
924
925         Reviewed by Yusuke Suzuki.
926
927         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
928         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
929
930 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
931
932         [JSC] Invalidate old scope operations using global lexical binding epoch
933         https://bugs.webkit.org/show_bug.cgi?id=193603
934         <rdar://problem/47380869>
935
936         Reviewed by Saam Barati.
937
938         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
939         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
940         (shouldThrow):
941         (bar):
942         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
943         (shouldBe):
944         (get1):
945         (get2):
946         (get1If):
947         (get2If):
948         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
949         (shouldThrow):
950         (foo):
951
952 2019-01-17  Saam barati  <sbarati@apple.com>
953
954         StringObjectUse should not be a structure check for the original string object structure
955         https://bugs.webkit.org/show_bug.cgi?id=193483
956         <rdar://problem/47280522>
957
958         Reviewed by Yusuke Suzuki.
959
960         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
961         (foo):
962         (a.valueOf.0):
963
964 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
965
966         [JSC] ToThis omission in DFGByteCodeParser is wrong
967         https://bugs.webkit.org/show_bug.cgi?id=193513
968         <rdar://problem/45842236>
969
970         Reviewed by Saam Barati.
971
972         * stress/to-this-omission-with-different-strict-modes.js: Added.
973         (thisA):
974         (thisAStrictWrapper):
975
976 2019-01-15  Mark Lam  <mark.lam@apple.com>
977
978         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
979         https://bugs.webkit.org/show_bug.cgi?id=193423
980         <rdar://problem/46209355>
981
982         Reviewed by Saam Barati.
983
984         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
985         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
986         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
987         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
988
989 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
990
991         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
992         https://bugs.webkit.org/show_bug.cgi?id=193438
993         <rdar://problem/45581249>
994
995         Reviewed by Saam Barati and Keith Miller.
996
997         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
998         Then, GetByVal(String) crashed.
999
1000         * stress/string-get-by-val-lowering.js: Added.
1001         (shouldBe):
1002         (test):
1003         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1004         (Hello):
1005         (foo):
1006
1007 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1008
1009         Unreviewed, skip JIT tests if it's not enabled
1010
1011         * stress/bit-op-with-object-returning-int32.js:
1012
1013 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1014
1015         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1016         https://bugs.webkit.org/show_bug.cgi?id=192966
1017
1018         Reviewed by Yusuke Suzuki.
1019
1020         * stress/bit-op-with-object-returning-int32.js: Added.
1021
1022 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1023
1024         Skip a slow test and a flakey test on arm
1025
1026         Unreviewed gardening.
1027
1028         * typeProfiler/getter-richards.js:
1029         this test always times out, it used to be always skipped on arm and
1030         mips, but got accidentally enabled by r237919 now that we have DFG on
1031         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1032
1033 2019-01-14  Keith Miller  <keith_miller@apple.com>
1034
1035         Skip type-check-hoisting-phase-hoist... with no jit
1036         https://bugs.webkit.org/show_bug.cgi?id=193421
1037
1038         Reviewed by Mark Lam.
1039
1040         It's timing out the 32-bit bots and takes 330 seconds
1041         on my machine when run by itself.
1042
1043         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1044
1045 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1046
1047         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1048         https://bugs.webkit.org/show_bug.cgi?id=193413
1049         <rdar://problem/46092389>
1050
1051         Reviewed by Keith Miller.
1052
1053         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1054         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1055         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1056         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1057
1058         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1059         (compareArray):
1060
1061 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1062
1063         [BigInt] Literal parsing is crashing when used inside a Object Literal
1064         https://bugs.webkit.org/show_bug.cgi?id=193404
1065
1066         Reviewed by Yusuke Suzuki.
1067
1068         * stress/big-int-literal-inside-literal-object.js: Added.
1069
1070 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1071
1072         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1073         https://bugs.webkit.org/show_bug.cgi?id=193372
1074
1075         Reviewed by Saam Barati.
1076
1077         * stress/typed-array-array-modes-profile.js: Added.
1078         (foo):
1079
1080 2019-01-14  Mark Lam  <mark.lam@apple.com>
1081
1082         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1083         https://bugs.webkit.org/show_bug.cgi?id=193402
1084         <rdar://problem/46012309>
1085
1086         Reviewed by Keith Miller.
1087
1088         * stress/regexp-compile-oom.js:
1089         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1090           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1091
1092 2019-01-11  Saam barati  <sbarati@apple.com>
1093
1094         DFG combined liveness can be wrong for terminal basic blocks
1095         https://bugs.webkit.org/show_bug.cgi?id=193304
1096         <rdar://problem/45268632>
1097
1098         Reviewed by Yusuke Suzuki.
1099
1100         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1101
1102 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1103
1104         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1105         https://bugs.webkit.org/show_bug.cgi?id=193308
1106         <rdar://problem/45546542>
1107
1108         Reviewed by Saam Barati.
1109
1110         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1111         (shouldThrow):
1112         (shouldBe):
1113         (foo):
1114         (get shouldThrow):
1115         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1116         (shouldThrow):
1117         (shouldBe):
1118         (foo):
1119         (get shouldBe):
1120         (get shouldThrow):
1121         (get return):
1122         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1123         (shouldThrow):
1124         (shouldBe):
1125         (foo):
1126         (get shouldBe):
1127         (get shouldThrow):
1128         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1129         (shouldThrow):
1130         (shouldBe):
1131         (foo):
1132         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1133         (shouldThrow):
1134         (shouldBe):
1135         (foo):
1136         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1137         (shouldThrow):
1138         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1139         (shouldThrow):
1140         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1141         (shouldThrow):
1142         (shouldBe):
1143         (foo):
1144         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1145         (shouldThrow):
1146         (shouldBe):
1147         (foo):
1148         (get shouldBe):
1149         (get shouldThrow):
1150         (get return):
1151         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1152         (shouldThrow):
1153         (shouldBe):
1154         (foo):
1155         (get shouldBe):
1156         (get shouldThrow):
1157         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1158         (shouldThrow):
1159         (shouldBe):
1160         (foo):
1161         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1162         (shouldThrow):
1163         (shouldBe):
1164         (foo):
1165
1166 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1167
1168         Enable DFG on ARM/Linux again
1169         https://bugs.webkit.org/show_bug.cgi?id=192496
1170
1171         Reviewed by Yusuke Suzuki.
1172
1173         Test wasn't really skipped before moving the line with skip
1174         to the top.
1175
1176         * stress/regress-192717.js:
1177
1178 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1179
1180         Unreviewed, rolling out r239825.
1181         https://bugs.webkit.org/show_bug.cgi?id=193330
1182
1183         Broke tests on armv7/linux bots (Requested by guijemont on
1184         #webkit).
1185
1186         Reverted changeset:
1187
1188         "Enable DFG on ARM/Linux again"
1189         https://bugs.webkit.org/show_bug.cgi?id=192496
1190         https://trac.webkit.org/changeset/239825
1191
1192 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1193
1194         Enable DFG on ARM/Linux again
1195         https://bugs.webkit.org/show_bug.cgi?id=192496
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         Test wasn't really skipped before moving the line with skip
1200         to the top.
1201
1202         * stress/regress-192717.js:
1203
1204 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1205
1206         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1207         https://bugs.webkit.org/show_bug.cgi?id=193127
1208
1209         Reviewed by Saam Barati.
1210
1211         * stress/array-species-create-should-handle-masquerader.js: Added.
1212         (shouldThrow):
1213         * stress/is-undefined-or-null-builtin.js: Added.
1214         (shouldBe):
1215         (isUndefinedOrNull.vm.createBuiltin):
1216
1217 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1218
1219         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1220         https://bugs.webkit.org/show_bug.cgi?id=193221
1221
1222         Reviewed by Mark Lam.
1223
1224         * stress/put-by-id-flags.js: Added.
1225         (f):
1226         (g):
1227         (numberOfDFGCompiles):
1228
1229 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1230
1231         Baseline version of get_by_id may corrupt metadata
1232         https://bugs.webkit.org/show_bug.cgi?id=193085
1233         <rdar://problem/23453006>
1234
1235         Reviewed by Saam Barati.
1236
1237         * stress/get-by-id-change-mode.js: Added.
1238         (forEach):
1239
1240 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1241
1242         [JSC] Optimize Object.prototype.toString
1243         https://bugs.webkit.org/show_bug.cgi?id=193031
1244
1245         Reviewed by Saam Barati.
1246
1247         * stress/object-tostring-changed-proto.js: Added.
1248         (shouldBe):
1249         (test):
1250         * stress/object-tostring-changed.js: Added.
1251         (shouldBe):
1252         (test):
1253         * stress/object-tostring-misc.js: Added.
1254         (shouldBe):
1255         (test):
1256         (i.switch):
1257         * stress/object-tostring-other.js: Added.
1258         (shouldBe):
1259         (test):
1260         * stress/object-tostring-untyped.js: Added.
1261         (shouldBe):
1262         (test):
1263         (i.switch):
1264
1265 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1266
1267         test262-runner misbehaves when test file YAML has a trailing space
1268         https://bugs.webkit.org/show_bug.cgi?id=193053
1269
1270         Reviewed by Yusuke Suzuki.
1271
1272         * test262/expectations.yaml:
1273         Mark two dozen tests as passing (and correct the output of another).
1274
1275 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1276
1277         Unreviewed, JSTests gardening with memoryLimited
1278
1279         * stress/string-overflow-createError.js:
1280
1281 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1282
1283         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1284         https://bugs.webkit.org/show_bug.cgi?id=193050
1285
1286         Reviewed by Yusuke Suzuki.
1287
1288         * test262.yaml:
1289         * test262/expectations.yaml:
1290         Mark 16 tests as passing.
1291
1292 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1293
1294         [BigInt] Support BigInt in JSON.stringify
1295         https://bugs.webkit.org/show_bug.cgi?id=192624
1296
1297         Reviewed by Saam Barati.
1298
1299         * stress/big-int-json-stringify-to-json.js: Added.
1300         (shouldBe):
1301         (shouldThrow):
1302         (BigInt.prototype.toJSON):
1303         (shouldBe.JSON.stringify):
1304         * stress/big-int-json-stringify.js: Added.
1305         (shouldBe):
1306         (shouldThrow):
1307
1308 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1309
1310         [JSC] Implement "well-formed JSON.stringify" proposal
1311         https://bugs.webkit.org/show_bug.cgi?id=191677
1312
1313         Reviewed by Darin Adler.
1314
1315         * stress/json-surrogate-pair.js: Added.
1316         (shouldBe):
1317         * test262/expectations.yaml:
1318
1319 2018-12-20  Keith Miller  <keith_miller@apple.com>
1320
1321         Add support for globalThis
1322         https://bugs.webkit.org/show_bug.cgi?id=165171
1323
1324         Reviewed by Mark Lam.
1325
1326         * test262/config.yaml:
1327
1328 2018-12-19  Keith Miller  <keith_miller@apple.com>
1329
1330         Update test262 configuration to not run tests dependent on ICU version.
1331         https://bugs.webkit.org/show_bug.cgi?id=192920
1332
1333         Reviewed by Saam Barati.
1334
1335         * test262/expectations.yaml:
1336
1337 2018-12-20  Mark Lam  <mark.lam@apple.com>
1338
1339         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1340         https://bugs.webkit.org/show_bug.cgi?id=192939
1341         <rdar://problem/46869516>
1342
1343         Reviewed by Keith Miller.
1344
1345         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1346
1347 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1348
1349         WTF::String and StringImpl overflow MaxLength
1350         https://bugs.webkit.org/show_bug.cgi?id=192853
1351         <rdar://problem/45726906>
1352
1353         Reviewed by Mark Lam.
1354
1355         * stress/string-16bit-repeat-overflow.js: Added.
1356         (catch):
1357
1358 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1359
1360         Unreviewed follow-up to r192914.
1361
1362         * test262/expectations.yaml:
1363         Add the last 20 missing expectations.
1364
1365 2018-12-19  Keith Miller  <keith_miller@apple.com>
1366
1367         Fix test262 expectations
1368         https://bugs.webkit.org/show_bug.cgi?id=192914
1369
1370         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1371
1372         * test262/expectations.yaml:
1373
1374 2018-12-19  Keith Miller  <keith_miller@apple.com>
1375
1376         Update test262 tests.
1377         https://bugs.webkit.org/show_bug.cgi?id=192907
1378
1379         Rubber stamped by Mark Lam.
1380
1381         * test262/*: Omitted because prepare-changelog crashes.
1382
1383 2018-12-19  Mark Lam  <mark.lam@apple.com>
1384
1385         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1386         https://bugs.webkit.org/show_bug.cgi?id=192464
1387         <rdar://problem/46519455>
1388
1389         Reviewed by Saam Barati.
1390
1391         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1392         microbenchmark.
1393
1394         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1395         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1396
1397 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1398
1399         String overflow in JSC::createError results in ASSERT in WTF::makeString
1400         https://bugs.webkit.org/show_bug.cgi?id=192833
1401         <rdar://problem/45706868>
1402
1403         Reviewed by Mark Lam.
1404
1405         * stress/string-overflow-createError.js: Added.
1406
1407 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1408
1409         Error message for `-x ** y` contains a typo.
1410         https://bugs.webkit.org/show_bug.cgi?id=192832
1411
1412         Reviewed by Saam Barati.
1413
1414         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1415         (assert.assert.return.throws):
1416         * stress/pow-expects-update-expression-on-lhs.js:
1417         (throw.new.Error):
1418         Update test expectations which match against the exact error message.
1419
1420 2018-12-18  Mark Lam  <mark.lam@apple.com>
1421
1422         Gardening: test options fix.
1423         https://bugs.webkit.org/show_bug.cgi?id=192822
1424
1425         Unreviewed.
1426
1427         * stress/json-stringify-string-builder-overflow.js:
1428
1429 2018-12-18  Mark Lam  <mark.lam@apple.com>
1430
1431         JSON.stringify() should throw OOM on StringBuilder overflows.
1432         https://bugs.webkit.org/show_bug.cgi?id=192822
1433         <rdar://problem/46670577>
1434
1435         Reviewed by Saam Barati.
1436
1437         * stress/json-stringify-string-builder-overflow.js: Added.
1438
1439 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1440
1441         Redeclaration of var over let/const/class should be a syntax error.
1442         https://bugs.webkit.org/show_bug.cgi?id=192298
1443
1444         Reviewed by Keith Miller.
1445
1446         * test262.yaml:
1447         * test262/expectations.yaml:
1448         Mark 46 tests as passing.
1449
1450         * stress/block-scope-redeclarations.js:
1451         Add some new tests.
1452
1453         * stress/for-in-invalidate-context-weird-assignments.js:
1454         * stress/for-in-tests.js:
1455         Replace tests for outdated behavior with tests for SyntaxError.
1456
1457         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1458         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1459         Update expectations.
1460
1461 2018-12-18  Mark Lam  <mark.lam@apple.com>
1462
1463         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1464         https://bugs.webkit.org/show_bug.cgi?id=191374
1465         <rdar://problem/46525447>
1466
1467         Reviewed by Yusuke Suzuki.
1468
1469         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1470
1471         * stress/elidable-new-object-roflcopter-then-exit.js:
1472
1473 2018-12-17  Mark Lam  <mark.lam@apple.com>
1474
1475         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1476         https://bugs.webkit.org/show_bug.cgi?id=192019
1477         <rdar://problem/46525456>
1478
1479         Reviewed by Yusuke Suzuki.
1480
1481         The test runs too slow on 32-bit.
1482
1483         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1484
1485 2018-12-17  Mark Lam  <mark.lam@apple.com>
1486
1487         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1488         https://bugs.webkit.org/show_bug.cgi?id=191373
1489         <rdar://problem/46525458>
1490
1491         Reviewed by Yusuke Suzuki.
1492
1493         The test is already slow running with a JIT on 64-bit.  It will always timeout
1494         on 32-bit without a JIT.
1495
1496         * stress/materialize-regexp-cyclic-regexp.js:
1497
1498 2018-12-17  Mark Lam  <mark.lam@apple.com>
1499
1500         Array unshift/shift should not race against the AI in the compiler thread.
1501         https://bugs.webkit.org/show_bug.cgi?id=192795
1502         <rdar://problem/46724263>
1503
1504         Reviewed by Saam Barati.
1505
1506         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1507
1508 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1509
1510         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1511         https://bugs.webkit.org/show_bug.cgi?id=190047
1512
1513         Reviewed by Saam Barati.
1514
1515         * stress/object-keys-cached-zero.js: Added.
1516         (shouldBe):
1517         (test):
1518         * stress/object-keys-changed-attribute.js: Added.
1519         (shouldBe):
1520         (test):
1521         * stress/object-keys-changed-index.js: Added.
1522         (shouldBe):
1523         (test):
1524         * stress/object-keys-changed.js: Added.
1525         (shouldBe):
1526         (test):
1527         * stress/object-keys-indexed-non-cache.js: Added.
1528         (shouldBe):
1529         (test):
1530         * stress/object-keys-overrides-get-property-names.js: Added.
1531         (shouldBe):
1532         (test):
1533         (noInline):
1534
1535 2018-12-17  Mark Lam  <mark.lam@apple.com>
1536
1537         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1538         https://bugs.webkit.org/show_bug.cgi?id=192779
1539         <rdar://problem/46775869>
1540
1541         Reviewed by Saam Barati.
1542
1543         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1544
1545 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1546
1547         Unreviewed test gardening, address a syntax error in a new test.
1548
1549         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1550
1551 2018-12-17  Mark Lam  <mark.lam@apple.com>
1552
1553         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1554         https://bugs.webkit.org/show_bug.cgi?id=192776
1555         <rdar://problem/46772368>
1556
1557         Reviewed by Keith Miller.
1558
1559         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1560
1561 2018-12-17  Mark Lam  <mark.lam@apple.com>
1562
1563         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1564         https://bugs.webkit.org/show_bug.cgi?id=192770
1565         <rdar://problem/46449037>
1566
1567         Reviewed by Keith Miller.
1568
1569         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1570
1571 2018-12-14  Mark Lam  <mark.lam@apple.com>
1572
1573         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1574         https://bugs.webkit.org/show_bug.cgi?id=192717
1575         <rdar://problem/46660677>
1576
1577         Reviewed by Saam Barati.
1578
1579         * stress/regress-192717.js: Added.
1580
1581 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1582
1583         Unreviewed, rolling out r239153, r239154, and r239155.
1584         https://bugs.webkit.org/show_bug.cgi?id=192715
1585
1586         Caused flaky GC-related crashes seen with layout tests
1587         (Requested by ryanhaddad on #webkit).
1588
1589         Reverted changesets:
1590
1591         "[JSC] Optimize Object.keys by caching own keys results in
1592         StructureRareData"
1593         https://bugs.webkit.org/show_bug.cgi?id=190047
1594         https://trac.webkit.org/changeset/239153
1595
1596         "Unreviewed, build fix after r239153"
1597         https://bugs.webkit.org/show_bug.cgi?id=190047
1598         https://trac.webkit.org/changeset/239154
1599
1600         "Unreviewed, build fix after r239153, part 2"
1601         https://bugs.webkit.org/show_bug.cgi?id=190047
1602         https://trac.webkit.org/changeset/239155
1603
1604 2018-12-14  Keith Miller  <keith_miller@apple.com>
1605
1606         Callers of JSString::getIndex should check for OOM exceptions
1607         https://bugs.webkit.org/show_bug.cgi?id=192709
1608
1609         Reviewed by Mark Lam.
1610
1611         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1612
1613 2018-12-13  Mark Lam  <mark.lam@apple.com>
1614
1615         Add a missing exception check.
1616         https://bugs.webkit.org/show_bug.cgi?id=192626
1617         <rdar://problem/46662163>
1618
1619         Reviewed by Keith Miller.
1620
1621         * stress/regress-192626.js: Added.
1622
1623 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1624
1625         [BigInt] Add ValueDiv into DFG
1626         https://bugs.webkit.org/show_bug.cgi?id=186178
1627
1628         Reviewed by Yusuke Suzuki.
1629
1630         * stress/big-int-div-jit-osr.js: Added.
1631         * stress/big-int-div-jit-untyped.js: Added.
1632         * stress/value-div-fixup-int32-big-int.js: Added.
1633
1634 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1635
1636         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1637         https://bugs.webkit.org/show_bug.cgi?id=190047
1638
1639         Reviewed by Keith Miller.
1640
1641         * stress/object-keys-cached-zero.js: Added.
1642         (shouldBe):
1643         (test):
1644         * stress/object-keys-changed-attribute.js: Added.
1645         (shouldBe):
1646         (test):
1647         * stress/object-keys-changed-index.js: Added.
1648         (shouldBe):
1649         (test):
1650         * stress/object-keys-changed.js: Added.
1651         (shouldBe):
1652         (test):
1653         * stress/object-keys-indexed-non-cache.js: Added.
1654         (shouldBe):
1655         (test):
1656         * stress/object-keys-overrides-get-property-names.js: Added.
1657         (shouldBe):
1658         (test):
1659         (noInline):
1660
1661 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1662
1663         [DFG][FTL] Add NewSymbol
1664         https://bugs.webkit.org/show_bug.cgi?id=192620
1665
1666         Reviewed by Saam Barati.
1667
1668         * microbenchmarks/symbol-creation.js: Added.
1669         (test):
1670         * stress/symbol-description-identity.js: Added.
1671         (shouldBe):
1672         (test):
1673         * stress/symbol-identity.js: Added.
1674         (shouldBe):
1675         (test):
1676         * stress/symbol-with-description-throw-error.js: Added.
1677         (shouldBe):
1678         (shouldThrow):
1679         (test):
1680         (object.toString):
1681
1682 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1683
1684         [BigInt] Implement DFG/FTL typeof for BigInt
1685         https://bugs.webkit.org/show_bug.cgi?id=192619
1686
1687         Reviewed by Keith Miller.
1688
1689         * stress/big-int-boolean-proven-type.js: Added.
1690         (assert):
1691         (bool):
1692         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1693         (assert):
1694         (typeOf):
1695         (i.switch):
1696         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1697         (assert):
1698         (typeOf):
1699         * stress/big-int-type-of.js:
1700         (typeOf):
1701         (func):
1702
1703 2018-12-10  Mark Lam  <mark.lam@apple.com>
1704
1705         PropertyAttribute needs a CustomValue bit.
1706         https://bugs.webkit.org/show_bug.cgi?id=191993
1707         <rdar://problem/46264467>
1708
1709         Reviewed by Saam Barati.
1710
1711         * stress/regress-191993.js: Added.
1712
1713 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1714
1715         [BigInt] Add ValueMul into DFG
1716         https://bugs.webkit.org/show_bug.cgi?id=186175
1717
1718         Reviewed by Yusuke Suzuki.
1719
1720         * stress/big-int-mul-jit-osr.js: Added.
1721         * stress/big-int-mul-jit-untyped.js: Added.
1722         * stress/value-mul-fixup-int32-big-int.js: Added.
1723
1724 2018-12-06  Keith Miller  <keith_miller@apple.com>
1725
1726         stress/big-wasm-memory tests failing on 32-bit JSC bot
1727         https://bugs.webkit.org/show_bug.cgi?id=192020
1728
1729         Reviewed by Saam Barati.
1730
1731         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1732         the wasm stress tests if the WebAssembly object does not exist.
1733
1734         * stress/big-wasm-memory-grow-no-max.js:
1735         (test.foo):
1736         (test):
1737         (foo): Deleted.
1738         (catch): Deleted.
1739         * stress/big-wasm-memory-grow.js:
1740         (test.foo):
1741         (test):
1742         (foo): Deleted.
1743         (catch): Deleted.
1744         * stress/big-wasm-memory.js:
1745         (test.foo):
1746         (test):
1747         (foo): Deleted.
1748         (catch): Deleted.
1749
1750 2018-12-05  Mark Lam  <mark.lam@apple.com>
1751
1752         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1753         https://bugs.webkit.org/show_bug.cgi?id=192441
1754         <rdar://problem/46480355>
1755
1756         Reviewed by Saam Barati.
1757
1758         * stress/regress-192441.js: Added.
1759
1760 2018-12-04  Mark Lam  <mark.lam@apple.com>
1761
1762         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1763         https://bugs.webkit.org/show_bug.cgi?id=192386
1764         <rdar://problem/46445516>
1765
1766         Reviewed by Saam Barati.
1767
1768         * stress/regress-192386.js: Added.
1769
1770 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1771
1772         [ESNext][BigInt] Support logic operations
1773         https://bugs.webkit.org/show_bug.cgi?id=179903
1774
1775         Reviewed by Yusuke Suzuki.
1776
1777         * stress/big-int-branch-usage.js: Added.
1778         * stress/big-int-logical-and.js: Added.
1779         * stress/big-int-logical-not.js: Added.
1780         * stress/big-int-logical-or.js: Added.
1781
1782 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1783
1784         Unreviewed, rolling out r238833.
1785
1786         Breaks macOS and iOS debug builds.
1787
1788         Reverted changeset:
1789
1790         "[ESNext][BigInt] Support logic operations"
1791         https://bugs.webkit.org/show_bug.cgi?id=179903
1792         https://trac.webkit.org/changeset/238833
1793
1794 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1795
1796         [ESNext][BigInt] Support logic operations
1797         https://bugs.webkit.org/show_bug.cgi?id=179903
1798
1799         Reviewed by Yusuke Suzuki.
1800
1801         * stress/big-int-branch-usage.js: Added.
1802         * stress/big-int-logical-and.js: Added.
1803         * stress/big-int-logical-not.js: Added.
1804         * stress/big-int-logical-or.js: Added.
1805
1806 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1807
1808         [ESNext][BigInt] Implement support for "<<" and ">>"
1809         https://bugs.webkit.org/show_bug.cgi?id=186233
1810
1811         Reviewed by Yusuke Suzuki.
1812
1813         * stress/big-int-left-shift-general.js: Added.
1814         * stress/big-int-left-shift-range-error.js: Added.
1815         * stress/big-int-left-shift-type-error.js: Added.
1816         * stress/big-int-left-shift-wrapped-value.js: Added.
1817         * stress/big-int-right-shift-general.js: Added.
1818         * stress/big-int-right-shift-type-error.js: Added.
1819         * stress/big-int-right-shift-wrapped-value.js: Added.
1820         * stress/left-shift-to-primitive-precedence.js: Added.
1821         * stress/right-shift-to-primitive-precedence.js: Added.
1822
1823 2018-11-30  Dean Jackson  <dino@apple.com>
1824
1825         Add first-class support for .mjs files in jsc binary
1826         https://bugs.webkit.org/show_bug.cgi?id=192190
1827         <rdar://problem/46375715>
1828
1829         Reviewed by Keith Miller.
1830
1831         * stress/simple-module.mjs: Added.
1832         * stress/simple-script.js: Added.
1833
1834 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1835
1836         [BigInt] Implement ValueBitXor into DFG
1837         https://bugs.webkit.org/show_bug.cgi?id=190264
1838
1839         Reviewed by Yusuke Suzuki.
1840
1841         * stress/big-int-bitwise-xor-jit.js: Added.
1842         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1843         * stress/big-int-bitwise-xor-untyped.js: Added.
1844
1845 2018-11-27  Saam barati  <sbarati@apple.com>
1846
1847         r238510 broke scopes of size zero
1848         https://bugs.webkit.org/show_bug.cgi?id=192033
1849         <rdar://problem/46281734>
1850
1851         Reviewed by Keith Miller.
1852
1853         * stress/r238510-bad-loop.js: Added.
1854         (foo):
1855
1856 2018-11-27  Mark Lam  <mark.lam@apple.com>
1857
1858         [Re-landing] NaNs read from Wasm code needs to be be purified.
1859         https://bugs.webkit.org/show_bug.cgi?id=191056
1860         <rdar://problem/45660341>
1861
1862         Reviewed by Filip Pizlo.
1863
1864         * wasm/regress/regress-191056.js: Added.
1865
1866 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1867
1868         Unreviewed, rolling out r238509.
1869
1870         Causes JSC tests to fail on iOS.
1871
1872         Reverted changeset:
1873
1874         "NaNs read from Wasm code needs to be be purified."
1875         https://bugs.webkit.org/show_bug.cgi?id=191056
1876         https://trac.webkit.org/changeset/238509
1877
1878 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1879
1880         Re-introduce op_bitnot
1881         https://bugs.webkit.org/show_bug.cgi?id=190923
1882
1883         Reviewed by Yusuke Suzuki.
1884
1885         * stress/bit-not-must-generate.js: Added.
1886         * stress/bitwise-not-no-int32.js: Added.
1887
1888 2018-11-26  Saam barati  <sbarati@apple.com>
1889
1890         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1891         https://bugs.webkit.org/show_bug.cgi?id=191956
1892         <rdar://problem/45665806>
1893
1894         Reviewed by Yusuke Suzuki.
1895
1896         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1897         (bar):
1898         (foo):
1899
1900 2018-11-26  Saam barati  <sbarati@apple.com>
1901
1902         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1903         https://bugs.webkit.org/show_bug.cgi?id=191958
1904         <rdar://problem/46221877>
1905
1906         Reviewed by Yusuke Suzuki.
1907
1908         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1909         (x):
1910         (foo):
1911
1912 2018-11-26  Mark Lam  <mark.lam@apple.com>
1913
1914         NaNs read from Wasm code needs to be be purified.
1915         https://bugs.webkit.org/show_bug.cgi?id=191056
1916         <rdar://problem/45660341>
1917
1918         Reviewed by Filip Pizlo.
1919
1920         * wasm/regress/regress-191056.js: Added.
1921
1922 2018-11-26  Michael Saboff  <msaboff@apple.com>
1923
1924         32-bit JSC test failure: stress/regexp-compile-oom.js
1925         https://bugs.webkit.org/show_bug.cgi?id=191375
1926
1927         Reviewed by Mark Lam.
1928
1929         Disabled the test for 32 bit platforms.
1930
1931         * stress/regexp-compile-oom.js:
1932
1933 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1934
1935         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1936         https://bugs.webkit.org/show_bug.cgi?id=191716
1937         <rdar://problem/45723878>
1938
1939         Reviewed by Saam Barati.
1940
1941         * stress/regress-187373.js: Added.
1942         (async.fn):
1943
1944 2018-11-21  Saam barati  <sbarati@apple.com>
1945
1946         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1947         https://bugs.webkit.org/show_bug.cgi?id=191897
1948         <rdar://problem/45871998>
1949
1950         Reviewed by Mark Lam.
1951
1952         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1953         (bar):
1954         (foo):
1955
1956 2018-11-21  Saam barati  <sbarati@apple.com>
1957
1958         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1959         https://bugs.webkit.org/show_bug.cgi?id=191895
1960         <rdar://problem/46167406>
1961
1962         Reviewed by Mark Lam.
1963
1964         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1965         (foo):
1966         (bar):
1967
1968 2018-11-21  Mark Lam  <mark.lam@apple.com>
1969
1970         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1971         https://bugs.webkit.org/show_bug.cgi?id=191776
1972         <rdar://problem/46152851>
1973
1974         Reviewed by Saam Barati.
1975
1976         * stress/big-wasm-memory-grow-no-max.js:
1977         * stress/big-wasm-memory-grow.js:
1978         * stress/big-wasm-memory.js:
1979         - updated these to expect an OutOfMemoryError.
1980
1981         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1982         (Binary.prototype.emit_u8):
1983         (Binary.prototype.emit_u32v):
1984         (Binary.prototype.emit_header):
1985         (Binary.prototype.emit_section):
1986         (Binary):
1987         (WasmModuleBuilder):
1988         (WasmModuleBuilder.prototype.addMemory):
1989         (WasmModuleBuilder.prototype.toArray):
1990         (WasmModuleBuilder.prototype.toBuffer):
1991         (WasmModuleBuilder.prototype.instantiate):
1992         (catch):
1993         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1994         (catch):
1995
1996 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1997
1998         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1999         https://bugs.webkit.org/show_bug.cgi?id=190836
2000
2001         Reviewed by Saam Barati and Yusuke Suzuki.
2002
2003         * stress/big-int-out-of-memory-tests.js: Added.
2004
2005 2018-11-20  Mark Lam  <mark.lam@apple.com>
2006
2007         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2008         https://bugs.webkit.org/show_bug.cgi?id=191856
2009         <rdar://problem/46089992>
2010
2011         Reviewed by Yusuke Suzuki.
2012
2013         * stress/regress-191856.js: Added.
2014         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2015
2016 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2017
2018         Enable JIT on ARM/Linux
2019         https://bugs.webkit.org/show_bug.cgi?id=191548
2020
2021         Reviewed by Yusuke Suzuki.
2022
2023         Disable test on system with limited memory. Program was killed by
2024         the OS before the exception was thrown.
2025
2026         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2027
2028 2018-11-20  Saam barati  <sbarati@apple.com>
2029
2030         Merging an IC variant may lead to the IC status containing overlapping structure sets
2031         https://bugs.webkit.org/show_bug.cgi?id=191869
2032         <rdar://problem/45403453>
2033
2034         Reviewed by Mark Lam.
2035
2036         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2037
2038 2018-11-19  Mark Lam  <mark.lam@apple.com>
2039
2040         globalFuncImportModule() should return a promise when it clears exceptions.
2041         https://bugs.webkit.org/show_bug.cgi?id=191792
2042         <rdar://problem/46090763>
2043
2044         Reviewed by Michael Saboff.
2045
2046         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2047
2048 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2049
2050         Skip new memory-hungry tests on memory limited devices
2051
2052         Unreviewed gardening.
2053
2054         * stress/big-wasm-memory-grow-no-max.js:
2055         * stress/big-wasm-memory-grow.js:
2056         * stress/big-wasm-memory.js:
2057
2058 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2059
2060         Unreviewed, rolling in the rest of r237254
2061         https://bugs.webkit.org/show_bug.cgi?id=190340
2062
2063         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2064         * stress/function-cache-with-parameters-end-position.js: Added.
2065         (shouldBe):
2066         (shouldThrow):
2067         (i.anonymous):
2068         * stress/function-constructor-name.js: Added.
2069         (shouldBe):
2070         (GeneratorFunction):
2071         (AsyncFunction.async):
2072         (AsyncGeneratorFunction.async):
2073         (anonymous):
2074         (async.anonymous):
2075         * test262/expectations.yaml:
2076
2077 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2078
2079         All users of ArrayBuffer should agree on the same max size
2080         https://bugs.webkit.org/show_bug.cgi?id=191771
2081
2082         Reviewed by Mark Lam.
2083
2084         * stress/big-wasm-memory-grow-no-max.js: Added.
2085         (foo):
2086         (catch):
2087         * stress/big-wasm-memory-grow.js: Added.
2088         (foo):
2089         (catch):
2090         * stress/big-wasm-memory.js: Added.
2091         (foo):
2092         (catch):
2093
2094 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2095
2096         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2097         run for each JSC config since they're regression tests for runtime bugs.
2098
2099         * stress/json-stringified-overflow-2.js:
2100         * stress/json-stringified-overflow.js:
2101
2102 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2103
2104         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2105         config since they're regression tests for runtime bugs.
2106
2107         * stress/large-unshift-splice.js:
2108         * stress/regress-185888.js:
2109
2110 2018-11-16  Saam Barati  <sbarati@apple.com>
2111
2112         KnownCellUse should also have SpecCellCheck as its type filter
2113         https://bugs.webkit.org/show_bug.cgi?id=191729
2114         <rdar://problem/45872852>
2115
2116         Reviewed by Filip Pizlo.
2117
2118         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2119         (C):
2120
2121 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2122
2123         Fix assertion failure on BytecodeGenerator::recordOpcode
2124         https://bugs.webkit.org/show_bug.cgi?id=191724
2125         <rdar://problem/45724395>
2126
2127         Reviewed by Saam Barati.
2128
2129         * stress/regress-187373-2.js: Added.
2130         (foo):
2131
2132 2018-11-15  Mark Lam  <mark.lam@apple.com>
2133
2134         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2135         https://bugs.webkit.org/show_bug.cgi?id=191730
2136         <rdar://problem/46048517>
2137
2138         Reviewed by Saam Barati.
2139
2140         * stress/regress-187006.js: Removed.
2141           - this test is invalid because its sole purpose is to test for the non-spec
2142             compliant behavior that we just fixed.
2143
2144         * stress/regress-191730.js: Added.
2145
2146 2018-11-15  Mark Lam  <mark.lam@apple.com>
2147
2148         RegExp operations should not take fast patch if lastIndex is not numeric.
2149         https://bugs.webkit.org/show_bug.cgi?id=191731
2150         <rdar://problem/46017305>
2151
2152         Reviewed by Saam Barati.
2153
2154         * stress/regress-191731.js: Added.
2155
2156 2018-11-13  Saam Barati  <sbarati@apple.com>
2157
2158         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2159         https://bugs.webkit.org/show_bug.cgi?id=191600
2160
2161         Reviewed by Mark Lam.
2162
2163         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2164         (foo):
2165         (test):
2166         (bar):
2167
2168 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2169
2170         Unreviewed, rolling out r238132.
2171
2172         The test added with this change is timing out on Debug JSC
2173         bots.
2174
2175         Reverted changeset:
2176
2177         "[BigInt] JSBigInt::createWithLength should throw when length
2178         is greater than JSBigInt::maxLength"
2179         https://bugs.webkit.org/show_bug.cgi?id=190836
2180         https://trac.webkit.org/changeset/238132
2181
2182 2018-11-13  Mark Lam  <mark.lam@apple.com>
2183
2184         Add OOM detection to StringPrototype's substituteBackreferences().
2185         https://bugs.webkit.org/show_bug.cgi?id=191563
2186         <rdar://problem/45720428>
2187
2188         Reviewed by Saam Barati.
2189
2190         * stress/regress-191563.js: Added.
2191
2192 2018-11-13  Mark Lam  <mark.lam@apple.com>
2193
2194         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2195         https://bugs.webkit.org/show_bug.cgi?id=191579
2196         <rdar://problem/45942472>
2197
2198         Reviewed by Saam Barati.
2199
2200         * stress/regress-191579.js: Added.
2201
2202 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2203
2204         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2205         https://bugs.webkit.org/show_bug.cgi?id=190836
2206
2207         Reviewed by Saam Barati.
2208
2209         * stress/big-int-out-of-memory-tests.js: Added.
2210
2211 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2212
2213         U+180E is no longer a whitespace character
2214         https://bugs.webkit.org/show_bug.cgi?id=191415
2215
2216         Reviewed by Saam Barati.
2217
2218         * ChakraCore/test/es5/regexSpace.baseline:
2219         * ChakraCore/test/es6/unicode_whitespace.js:
2220         Update tests to latest version.
2221         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2222
2223         * test262.yaml:
2224         * test262/config.yaml:
2225         * test262/expectations.yaml:
2226         Update expectations.
2227
2228 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2229
2230         [BigInt] Add support to BigInt into ValueAdd
2231         https://bugs.webkit.org/show_bug.cgi?id=186177
2232
2233         Reviewed by Keith Miller.
2234
2235         * stress/big-int-negate-jit.js:
2236         * stress/value-add-big-int-and-string.js: Added.
2237         * stress/value-add-big-int-prediction-propagation.js: Added.
2238         * stress/value-add-big-int-untyped.js: Added.
2239
2240 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2241
2242         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2243         https://bugs.webkit.org/show_bug.cgi?id=191184
2244
2245         Reviewed by Saam Barati.
2246
2247         Most tests were failing due to timeouts, since they are too slow to
2248         run on CLoop. The exceptions are:
2249
2250         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2251         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2252         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2253         to change the stack size since CLoop requires it to be page aligned.
2254
2255         * microbenchmarks/array-push-1.js:
2256         * microbenchmarks/array-push-2.js:
2257         * microbenchmarks/elidable-new-object-dag.js:
2258         * microbenchmarks/elidable-new-object-roflcopter.js:
2259         * microbenchmarks/elidable-new-object-tree.js:
2260         * microbenchmarks/getter-richards.js:
2261         * microbenchmarks/sinkable-new-object-dag.js:
2262         * microbenchmarks/string-concat-long-convert.js:
2263         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2264         * slowMicrobenchmarks/array-push-3.js:
2265         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2266         * slowMicrobenchmarks/spread-small-array.js:
2267         * slowMicrobenchmarks/undefined-property-access.js:
2268         * stress/activation-sink-default-value-tdz-error.js:
2269         * stress/activation-sink-default-value.js:
2270         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2271         * stress/activation-sink-osrexit-default-value.js:
2272         * stress/activation-sink-osrexit.js:
2273         * stress/activation-sink.js:
2274         * stress/allow-math-ic-b3-code-duplication.js:
2275         * stress/array-push-multiple-int32.js:
2276         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2277         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2278         * stress/arrowfunction-lexical-this-activation-sink.js:
2279         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2280         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2281         * stress/elide-new-object-dag-then-exit.js:
2282         * stress/materialize-regexp-cyclic.js:
2283         * stress/new-regex-inline.js:
2284         * stress/op_add.js:
2285         * stress/op_bitand.js:
2286         * stress/op_bitor.js:
2287         * stress/op_bitxor.js:
2288         * stress/op_div-ConstVar.js:
2289         * stress/op_div-VarConst.js:
2290         * stress/op_div-VarVar.js:
2291         * stress/op_lshift-ConstVar.js:
2292         * stress/op_lshift-VarConst.js:
2293         * stress/op_lshift-VarVar.js:
2294         * stress/op_mod-ConstVar.js:
2295         * stress/op_mod-VarConst.js:
2296         * stress/op_mod-VarVar.js:
2297         * stress/op_mul-ConstVar.js:
2298         * stress/op_mul-VarConst.js:
2299         * stress/op_mul-VarVar.js:
2300         * stress/op_rshift-ConstVar.js:
2301         * stress/op_rshift-VarConst.js:
2302         * stress/op_rshift-VarVar.js:
2303         * stress/op_sub-ConstVar.js:
2304         * stress/op_sub-VarConst.js:
2305         * stress/op_sub-VarVar.js:
2306         * stress/op_urshift-ConstVar.js:
2307         * stress/op_urshift-VarConst.js:
2308         * stress/op_urshift-VarVar.js:
2309         * stress/proxy-get-set-correct-receiver.js:
2310         * stress/regress-179562.js:
2311         * stress/rest-parameter-many-arguments.js:
2312         * stress/sampling-profiler-richards.js:
2313         * stress/splay-flash-access-1ms.js:
2314         * stress/tailCallForwardArguments.js:
2315         * stress/typed-array-get-by-val-profiling.js:
2316         * typeProfiler/getter-richards.js:
2317
2318 2018-11-06  Michael Saboff  <msaboff@apple.com>
2319
2320         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2321         https://bugs.webkit.org/show_bug.cgi?id=191271
2322
2323         Reviewed by Saam Barati.
2324
2325         Added more test cases and made all test cases run with the same deeply recursive stack
2326         instead of finding that same point for each test case.
2327
2328         * stress/regexp-compile-oom.js:
2329         (prototype.runTest):
2330         (recurseAndTest):
2331         (testList.push.new.TestAndExpectedException):
2332
2333 2018-11-05  Michael Saboff  <msaboff@apple.com>
2334
2335         Unreviewed build fix for linux.
2336
2337         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2338
2339 2018-11-02  Michael Saboff  <msaboff@apple.com>
2340
2341         Rolling in r237753 with unreviewed build fix.
2342
2343         Fixed issues with DECLARE_THROW_SCOPE placement.
2344
2345 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2346
2347         Unreviewed, rolling out r237753.
2348
2349         Introduced JSC test failures
2350
2351         Reverted changeset:
2352
2353         "Running out of stack space not properly handled in
2354         RegExp::compile() and its callers"
2355         https://bugs.webkit.org/show_bug.cgi?id=191206
2356         https://trac.webkit.org/changeset/237753
2357
2358 2018-11-02  Michael Saboff  <msaboff@apple.com>
2359
2360         Running out of stack space not properly handled in RegExp::compile() and its callers
2361         https://bugs.webkit.org/show_bug.cgi?id=191206
2362
2363         Reviewed by Filip Pizlo.
2364
2365         New regression test.
2366
2367         * stress/regexp-compile-oom.js: Added.
2368         (recurseAndTest):
2369
2370 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2371
2372         Skip tests on arm/mips that time out now we're running on CLoop
2373
2374         Unreviewed gardening.
2375
2376         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2377         time out on the bots and need to be disabled. There's more tests
2378         disabled on arm because the timeout is longer on the mips bot (as the
2379         device is slower to start with), so many of the tests don't time out
2380         there.
2381
2382         * microbenchmarks/getter-richards.js: disable on arm and mips.
2383         * stress/op_add.js: disable on arm.
2384         * stress/op_bitand.js: disable on arm.
2385         * stress/op_bitor.js: disable on arm.
2386         * stress/op_bitxor.js: disable on arm.
2387         * stress/op_lshift-ConstVar.js: disable on arm.
2388         * stress/op_lshift-VarConst.js: disable on arm.
2389         * stress/op_lshift-VarVar.js: disable on arm.
2390         * stress/op_mod-ConstVar.js: disable on arm.
2391         * stress/op_mod-VarConst.js: disable on arm.
2392         * stress/op_mod-VarVar.js: disable on arm.
2393         * stress/op_mul-ConstVar.js: disable on arm.
2394         * stress/op_mul-VarConst.js: disable on arm.
2395         * stress/op_mul-VarVar.js: disable on arm.
2396         * stress/op_rshift-ConstVar.js: disable on arm.
2397         * stress/op_rshift-VarConst.js: disable on arm.
2398         * stress/op_rshift-VarVar.js: disable on arm.
2399         * stress/op_sub-ConstVar.js: disable on arm.
2400         * stress/op_sub-VarConst.js: disable on arm.
2401         * stress/op_sub-VarVar.js: disable on arm.
2402         * stress/op_urshift-ConstVar.js: disable on arm.
2403         * stress/op_urshift-VarConst.js: disable on arm.
2404         * stress/op_urshift-VarVar.js: disable on arm.
2405         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2406         * stress/value-to-boolean.js: disable on arm and mips.
2407
2408 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2409
2410         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2411         https://bugs.webkit.org/show_bug.cgi?id=191108
2412         <rdar://problem/45690700>
2413
2414         Reviewed by Saam Barati.
2415
2416         * stress/wide-op_catch.js: Added.
2417         (catch):
2418
2419 2018-10-29  Mark Lam  <mark.lam@apple.com>
2420
2421         Correctly detect string overflow when using the 'Function' constructor.
2422         https://bugs.webkit.org/show_bug.cgi?id=184883
2423         <rdar://problem/36320331>
2424
2425         Reviewed by Saam Barati.
2426
2427         I've verified that this passes on 32-bit as well.
2428
2429         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2430
2431 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2432
2433         Add support for GetStack FlushedDouble
2434         https://bugs.webkit.org/show_bug.cgi?id=191012
2435         <rdar://problem/45265141>
2436
2437         Reviewed by Saam Barati.
2438
2439         * stress/get-stack-double.js: Added.
2440         (bar):
2441         (noInline):
2442
2443 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2444
2445         New bytecode format for JSC
2446         https://bugs.webkit.org/show_bug.cgi?id=187373
2447         <rdar://problem/44186758>
2448
2449         Reviewed by Filip Pizlo.
2450
2451         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2452
2453         * stress/maximum-inline-capacity.js: Added.
2454         (test1):
2455         (test3.Foo):
2456         (test3):
2457
2458 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2459
2460         Unreviewed, rolling out r237479 and r237484.
2461         https://bugs.webkit.org/show_bug.cgi?id=190978
2462
2463         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2464
2465         Reverted changesets:
2466
2467         "New bytecode format for JSC"
2468         https://bugs.webkit.org/show_bug.cgi?id=187373
2469         https://trac.webkit.org/changeset/237479
2470
2471         "Gardening: Build fix after r237479."
2472         https://bugs.webkit.org/show_bug.cgi?id=187373
2473         https://trac.webkit.org/changeset/237484
2474
2475 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2476
2477         New bytecode format for JSC
2478         https://bugs.webkit.org/show_bug.cgi?id=187373
2479         <rdar://problem/44186758>
2480
2481         Reviewed by Filip Pizlo.
2482
2483         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2484
2485         * stress/maximum-inline-capacity.js: Added.
2486         (test1):
2487         (test3.Foo):
2488         (test3):
2489
2490 2018-10-26  Mark Lam  <mark.lam@apple.com>
2491
2492         Fix missing edge cases with JSGlobalObjects having a bad time.
2493         https://bugs.webkit.org/show_bug.cgi?id=189028
2494         <rdar://problem/45204939>
2495
2496         Reviewed by Saam Barati.
2497
2498         * stress/regress-189028.js: Added.
2499
2500 2018-10-22  Mark Lam  <mark.lam@apple.com>
2501
2502         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2503         https://bugs.webkit.org/show_bug.cgi?id=190515
2504         <rdar://problem/45222379>
2505
2506         Rubber-stamped by Saam Barati.
2507
2508         Adding another test.
2509
2510         * stress/regress-190515-2.js: Added.
2511
2512 2018-10-22  Mark Lam  <mark.lam@apple.com>
2513
2514         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2515         https://bugs.webkit.org/show_bug.cgi?id=190515
2516         <rdar://problem/45222379>
2517
2518         Reviewed by Saam Barati.
2519
2520         * stress/regress-190515.js: Added.
2521
2522 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2523
2524         Unreviewed, rolling out r237254.
2525         https://bugs.webkit.org/show_bug.cgi?id=190760
2526
2527         "It regresses JetStream 2 by 5% on some iOS devices"
2528         (Requested by saamyjoon on #webkit).
2529
2530         Reverted changeset:
2531
2532         "[JSC] JSC should have "parseFunction" to optimize Function
2533         constructor"
2534         https://bugs.webkit.org/show_bug.cgi?id=190340
2535         https://trac.webkit.org/changeset/237254
2536
2537 2018-10-19  Saam Barati  <sbarati@apple.com>
2538
2539         vmCall should check if we exit before emitting an OSR exit due to exceptions
2540         https://bugs.webkit.org/show_bug.cgi?id=190740
2541         <rdar://problem/45220139>
2542
2543         Reviewed by Mark Lam.
2544
2545         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2546         (foo):
2547
2548 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2549
2550         [ESNext][BigInt] Implement support for "^"
2551         https://bugs.webkit.org/show_bug.cgi?id=186235
2552
2553         Reviewed by Yusuke Suzuki.
2554
2555         * stress/big-int-bitwise-xor-general.js: Added.
2556         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2557         * stress/big-int-bitwise-xor-type-error.js: Added.
2558         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2559
2560 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2561
2562         [BigInt] Add ValueSub into DFG
2563         https://bugs.webkit.org/show_bug.cgi?id=186176
2564
2565         Reviewed by Yusuke Suzuki.
2566
2567         * stress/big-int-subtraction-jit.js:
2568         * stress/value-sub-big-int-prediction-propagation.js: Added.
2569         * stress/value-sub-big-int-untyped.js: Added.
2570         * stress/value-sub-spec-none-case.js: Added.
2571
2572 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2573
2574         [JSC] JSC should have "parseFunction" to optimize Function constructor
2575         https://bugs.webkit.org/show_bug.cgi?id=190340
2576
2577         Reviewed by Mark Lam.
2578
2579         This patch fixes the line number of syntax errors raised by the Function constructor,
2580         since we now parse the final code only once. And we no longer use block statement
2581         for Function constructor's parsing.
2582
2583         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2584         * stress/function-cache-with-parameters-end-position.js: Added.
2585         (shouldBe):
2586         (shouldThrow):
2587         (i.anonymous):
2588         * stress/function-constructor-name.js: Added.
2589         (shouldBe):
2590         (GeneratorFunction):
2591         (AsyncFunction.async):
2592         (AsyncGeneratorFunction.async):
2593         (anonymous):
2594         (async.anonymous):
2595         * test262/expectations.yaml:
2596
2597 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2598
2599         Unreviewed, rolling out r237242.
2600         https://bugs.webkit.org/show_bug.cgi?id=190701
2601
2602         it breaks "stress/sampling-profiler-basic.js" (Requested by
2603         caiolima on #webkit).
2604
2605         Reverted changeset:
2606
2607         "[BigInt] Add ValueSub into DFG"
2608         https://bugs.webkit.org/show_bug.cgi?id=186176
2609         https://trac.webkit.org/changeset/237242
2610
2611 2018-10-17  Keith Miller  <keith_miller@apple.com>
2612
2613         AI does not clear Phantom allocation nodes.
2614         https://bugs.webkit.org/show_bug.cgi?id=190694
2615
2616         Reviewed by Saam Barati.
2617
2618         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2619         (Day):
2620         (DaysInYear):
2621         (TimeInYear):
2622         (TimeFromYear):
2623         (DayFromYear):
2624         (InLeapYear):
2625         (YearFromTime):
2626         (WeekDay):
2627         (DaylightSavingTA):
2628         (GetSecondSundayInMarch):
2629         (TimeInMonth):
2630
2631 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2632
2633         [BigInt] Add ValueSub into DFG
2634         https://bugs.webkit.org/show_bug.cgi?id=186176
2635
2636         Reviewed by Yusuke Suzuki.
2637
2638         * stress/big-int-subtraction-jit.js:
2639         * stress/value-sub-big-int-prediction-propagation.js: Added.
2640         * stress/value-sub-big-int-untyped.js: Added.
2641
2642 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2643
2644         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2645         https://bugs.webkit.org/show_bug.cgi?id=190611
2646
2647         Reviewed by Saam Barati.
2648
2649         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2650         to improve test runtime. On ARM/MIPS this test even timed out when running all
2651         tests.
2652
2653         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2654         (test):
2655
2656 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2657
2658         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2659
2660         Unreviewed gardening.
2661
2662         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2663
2664 2018-10-15  Saam barati  <sbarati@apple.com>
2665
2666         Emit fjcvtzs on ARM64E on Darwin
2667         https://bugs.webkit.org/show_bug.cgi?id=184023
2668
2669         Reviewed by Yusuke Suzuki and Filip Pizlo.
2670
2671         * stress/double-to-int32-NaN.js: Added.
2672         (assert):
2673         (foo):
2674
2675 2018-10-15  Saam Barati  <sbarati@apple.com>
2676
2677         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2678         https://bugs.webkit.org/show_bug.cgi?id=190262
2679         <rdar://problem/44986241>
2680
2681         Reviewed by Mark Lam.
2682
2683         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2684         (test):
2685         * stress/slice-array-storage-with-holes.js: Added.
2686         (main):
2687
2688 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2689
2690         Unreviewed, rolling out r237054.
2691         https://bugs.webkit.org/show_bug.cgi?id=190593
2692
2693         "this regressed JetStream 2 by 6% on iOS" (Requested by
2694         saamyjoon on #webkit).
2695
2696         Reverted changeset:
2697
2698         "[JSC] JSC should have "parseFunction" to optimize Function
2699         constructor"
2700         https://bugs.webkit.org/show_bug.cgi?id=190340
2701         https://trac.webkit.org/changeset/237054
2702
2703 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2704
2705         [JSC] JSON.stringify can accept call-with-no-arguments
2706         https://bugs.webkit.org/show_bug.cgi?id=190343
2707
2708         Reviewed by Mark Lam.
2709
2710         * stress/json-stringify-no-arguments.js: Added.
2711         (shouldBe):
2712
2713 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2714
2715         [JSC] JSC should have "parseFunction" to optimize Function constructor
2716         https://bugs.webkit.org/show_bug.cgi?id=190340
2717
2718         Reviewed by Mark Lam.
2719
2720         This patch fixes the line number of syntax errors raised by the Function constructor,
2721         since we now parse the final code only once. And we no longer use block statement
2722         for Function constructor's parsing.
2723
2724         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2725         * stress/function-cache-with-parameters-end-position.js: Added.
2726         (shouldBe):
2727         (shouldThrow):
2728         (i.anonymous):
2729         * stress/function-constructor-name.js: Added.
2730         (shouldBe):
2731         (GeneratorFunction):
2732         (AsyncFunction.async):
2733         (AsyncGeneratorFunction.async):
2734         (anonymous):
2735         (async.anonymous):
2736         * test262/expectations.yaml:
2737
2738 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2739
2740         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2741         https://bugs.webkit.org/show_bug.cgi?id=190426
2742
2743         Unreviewed gardening.
2744
2745         * stress/sampling-profiler-richards.js:
2746
2747 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2748
2749         [ESNext][BigInt] Implement support for "|"
2750         https://bugs.webkit.org/show_bug.cgi?id=186229
2751
2752         Reviewed by Yusuke Suzuki.
2753
2754         * stress/big-int-bitwise-and-jit.js:
2755         * stress/big-int-bitwise-or-general.js: Added.
2756         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2757         * stress/big-int-bitwise-or-jit.js: Added.
2758         * stress/big-int-bitwise-or-memory-stress.js: Added.
2759         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2760         * stress/big-int-bitwise-or-type-error.js: Added.
2761         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2762
2763 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2764
2765         Skip test on systems with limited memory
2766         https://bugs.webkit.org/show_bug.cgi?id=190310
2767
2768         Invoking runDefault adds test to runlist, skipping the test in the next
2769         line does not prevent the test from executing. Change order of lines such
2770         that runDefault is only executed if test is not executed.
2771
2772         Reviewed by Mark Lam.
2773
2774         * stress/regress-190187.js:
2775
2776 2018-10-03  Saam barati  <sbarati@apple.com>
2777
2778         lowXYZ in FTLLower should always filter the type of the incoming edge
2779         https://bugs.webkit.org/show_bug.cgi?id=189939
2780         <rdar://problem/44407030>
2781
2782         Reviewed by Michael Saboff.
2783
2784         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2785         (foo):
2786         (test):
2787
2788 2018-10-03  Mark Lam  <mark.lam@apple.com>
2789
2790         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2791         https://bugs.webkit.org/show_bug.cgi?id=190187
2792         <rdar://problem/42512909>
2793
2794         Reviewed by Michael Saboff.
2795
2796         * stress/regress-190187.js: Added.
2797
2798 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2799
2800         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2801         https://bugs.webkit.org/show_bug.cgi?id=190033
2802
2803         Reviewed by Yusuke Suzuki.
2804
2805         * stress/big-int-to-string.js:
2806
2807 2018-10-01  Mark Lam  <mark.lam@apple.com>
2808
2809         Function.toString() should also copy the source code Functions that are class definitions.
2810         https://bugs.webkit.org/show_bug.cgi?id=190186
2811         <rdar://problem/44733360>
2812
2813         Reviewed by Saam Barati.
2814
2815         * stress/regress-190186.js: Added.
2816
2817 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2818
2819         Split NaN-check into separate test
2820         https://bugs.webkit.org/show_bug.cgi?id=190010
2821
2822         Reviewed by Saam Barati.
2823
2824         DataView exposes NaN-representation, which is not necessarily the same on each
2825         architecture. Therefore move the check of the NaN-representation into its own
2826         file such that we can disable this test on MIPS where NaN-representation can be
2827         different on older CPUs.
2828
2829         * stress/dataview-jit-set-nan.js: Added.
2830         (assert):
2831         (test.storeLittleEndian):
2832         (test.storeBigEndian):
2833         (test.store):
2834         (test):
2835         * stress/dataview-jit-set.js:
2836         (test5):
2837
2838 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2839
2840         Unreviewed, rolling out r236647.
2841         https://bugs.webkit.org/show_bug.cgi?id=190124
2842
2843         Breaking test stress/big-int-to-string.js (Requested by
2844         caiolima_ on #webkit).
2845
2846         Reverted changeset:
2847
2848         "[BigInt] BigInt.proptotype.toString is broken when radix is
2849         power of 2"
2850         https://bugs.webkit.org/show_bug.cgi?id=190033
2851         https://trac.webkit.org/changeset/236647
2852
2853 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2854
2855         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2856         https://bugs.webkit.org/show_bug.cgi?id=190033
2857
2858         Reviewed by Yusuke Suzuki.
2859
2860         * stress/big-int-to-string.js:
2861
2862 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2863
2864         [ESNext][BigInt] Implement support for "&"
2865         https://bugs.webkit.org/show_bug.cgi?id=186228
2866
2867         Reviewed by Yusuke Suzuki.
2868
2869         * stress/big-int-bitwise-and-general.js: Added.
2870         (assert):
2871         (assert.sameValue):
2872         * stress/big-int-bitwise-and-jit.js: Added.
2873         (let.assert.sameValue):
2874         (bigIntBitAnd):
2875         * stress/big-int-bitwise-and-memory-stress.js: Added.
2876         (assert):
2877         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2878         (assert.sameValue):
2879         (let.o.Symbol.toPrimitive):
2880         (catch):
2881         * stress/big-int-bitwise-and-type-error.js: Added.
2882         (assert):
2883         (assertThrowTypeError):
2884         (let.o.valueOf):
2885         (o.valueOf):
2886         (o.toString):
2887         (o.Symbol.toPrimitive):
2888         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2889         (assert.sameValue):
2890         (testBitAnd):
2891         (let.o.Symbol.toPrimitive):
2892         (o.valueOf):
2893         (o.toString):
2894
2895 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2896
2897         JSC test stress/jsc-read.js doesn't support CRLF
2898         https://bugs.webkit.org/show_bug.cgi?id=190063
2899
2900         Reviewed by Yusuke Suzuki.
2901
2902         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2903
2904         * stress/jsc-read.js:
2905         (test):
2906
2907 2018-09-27  Saam barati  <sbarati@apple.com>
2908
2909         Verify the contents of AssemblerBuffer on arm64e
2910         https://bugs.webkit.org/show_bug.cgi?id=190057
2911         <rdar://problem/38916630>
2912
2913         Reviewed by Mark Lam.
2914
2915         * stress/regress-189132.js:
2916
2917 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2918
2919         Disable test without LLInt on ARMv7
2920         https://bugs.webkit.org/show_bug.cgi?id=190037
2921
2922         Reviewed by Mark Lam.
2923
2924         Test runs out of executable memory on ARMv7, do not run
2925         this test without LLInt enabled.
2926
2927         * stress/regress-169445.js:
2928
2929 2018-09-26  Keith Miller  <keith_miller@apple.com>
2930
2931         We should zero unused property storage when rebalancing array storage.
2932         https://bugs.webkit.org/show_bug.cgi?id=188151
2933
2934         Reviewed by Michael Saboff.
2935
2936         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2937
2938 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2939
2940         [JSC] Optimize Array#lastIndexOf
2941         https://bugs.webkit.org/show_bug.cgi?id=189780
2942
2943         Reviewed by Saam Barati.
2944
2945         * stress/array-lastindexof-array-prototype-trap.js: Added.
2946         (shouldBe):
2947         (AncestorArray.prototype.get 2):
2948         (AncestorArray):
2949         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2950         (shouldBe):
2951         * stress/array-lastindexof-hole-nan.js: Added.
2952         (shouldBe):
2953         (throw.new.Error):
2954         * stress/array-lastindexof-infinity.js: Added.
2955         (shouldBe):
2956         (throw.new.Error):
2957         * stress/array-lastindexof-negative-zero.js: Added.
2958         (shouldBe):
2959         (throw.new.Error):
2960         * stress/array-lastindexof-own-getter.js: Added.
2961         (shouldBe):
2962         (throw.new.Error.get array):
2963         (get array):
2964         * stress/array-lastindexof-prototype-trap.js: Added.
2965         (shouldBe):
2966         (DerivedArray.prototype.get 2):
2967         (DerivedArray):
2968
2969 2018-09-25  Saam Barati  <sbarati@apple.com>
2970
2971         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2972         https://bugs.webkit.org/show_bug.cgi?id=189940
2973         <rdar://problem/43640987>
2974
2975         Reviewed by Mark Lam.
2976
2977         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2978
2979 2018-09-24  Saam Barati  <sbarati@apple.com>
2980
2981         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2982         https://bugs.webkit.org/show_bug.cgi?id=189922
2983         <rdar://problem/44651275>
2984
2985         Reviewed by Mark Lam.
2986
2987         * stress/array-indexof-fast-path-effects.js: Added.
2988         * stress/array-indexof-cached-length.js: Added.
2989
2990 2018-09-24  Saam barati  <sbarati@apple.com>
2991
2992         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2993         https://bugs.webkit.org/show_bug.cgi?id=189682
2994         <rdar://problem/43557315>
2995
2996         Reviewed by Mark Lam.
2997
2998         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2999         (foo):
3000
3001 2018-09-22  Saam barati  <sbarati@apple.com>
3002
3003         The sampling should not use Strong<CodeBlock> in its machineLocation field
3004         https://bugs.webkit.org/show_bug.cgi?id=189319
3005
3006         Reviewed by Filip Pizlo.
3007
3008         * stress/sampling-profiler-richards.js: Added.
3009
3010 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3011
3012         [JSC] Optimize Array#indexOf in C++ runtime
3013         https://bugs.webkit.org/show_bug.cgi?id=189507
3014
3015         Reviewed by Saam Barati.
3016
3017         * stress/array-indexof-array-prototype-trap.js: Added.
3018         (shouldBe):
3019         (AncestorArray.prototype.get 2):
3020         (AncestorArray):
3021         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3022         (shouldBe):
3023         * stress/array-indexof-hole-nan.js: Added.
3024         (shouldBe):
3025         (throw.new.Error):
3026         * stress/array-indexof-infinity.js: Added.
3027         (shouldBe):
3028         (throw.new.Error):
3029         * stress/array-indexof-negative-zero.js: Added.
3030         (shouldBe):
3031         (throw.new.Error):
3032         * stress/array-indexof-own-getter.js: Added.
3033         (shouldBe):
3034         (throw.new.Error.get array):
3035         (get array):
3036         * stress/array-indexof-prototype-trap.js: Added.
3037         (shouldBe):
3038         (DerivedArray.prototype.get 2):
3039         (DerivedArray):
3040
3041 2018-09-19  Saam barati  <sbarati@apple.com>
3042
3043         AI rule for MultiPutByOffset executes its effects in the wrong order
3044         https://bugs.webkit.org/show_bug.cgi?id=189757
3045         <rdar://problem/43535257>
3046
3047         Reviewed by Michael Saboff.
3048
3049         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3050         (foo):
3051         (Foo):
3052         (g):
3053
3054 2018-09-17  Mark Lam  <mark.lam@apple.com>
3055
3056         Ensure that ForInContexts are invalidated if their loop local is over-written.
3057         https://bugs.webkit.org/show_bug.cgi?id=189571
3058         <rdar://problem/44402277>
3059
3060         Reviewed by Saam Barati.
3061
3062         * stress/regress-189571.js: Added.
3063
3064 2018-09-17  Saam barati  <sbarati@apple.com>
3065
3066         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3067         https://bugs.webkit.org/show_bug.cgi?id=189676
3068         <rdar://problem/39682897>
3069
3070         Reviewed by Michael Saboff.
3071
3072         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3073         (A):
3074         (K):
3075         (i.catch):
3076
3077 2018-09-14  Saam barati  <sbarati@apple.com>
3078
3079         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3080         https://bugs.webkit.org/show_bug.cgi?id=189628
3081         <rdar://problem/39481690>
3082
3083         Reviewed by Mark Lam.
3084
3085         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3086         (foo):
3087
3088 2018-09-11  Mark Lam  <mark.lam@apple.com>
3089
3090         Test for array initialization in arrayProtoFuncSplice.
3091         https://bugs.webkit.org/show_bug.cgi?id=170253
3092         <rdar://problem/31328773>
3093
3094         Rubber-stamped by Saam Barati.
3095
3096         * stress/regress-170253.js: Added.
3097
3098 2018-09-11  Mark Lam  <mark.lam@apple.com>
3099
3100         Test for IntlObject initialization.
3101         https://bugs.webkit.org/show_bug.cgi?id=170251
3102         <rdar://problem/31328419>
3103
3104         Rubber-stamped by Saam Barati.
3105
3106         * stress/regress-170251.js: Added.
3107
3108 2018-09-11  Mark Lam  <mark.lam@apple.com>
3109
3110         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3111         https://bugs.webkit.org/show_bug.cgi?id=169889
3112         <rdar://problem/31155607>
3113
3114         Reviewed by Saam Barati.
3115
3116         * stress/regress-169889-array-concat.js: Added.
3117         * stress/regress-169889-array-concat1.js: Added.
3118         * stress/regress-169889-array-slice.js: Added.
3119
3120 2018-09-11  Mark Lam  <mark.lam@apple.com>
3121
3122         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3123         https://bugs.webkit.org/show_bug.cgi?id=169445
3124         <rdar://problem/30957435>
3125
3126         Reviewed by Saam Barati.
3127
3128         * stress/regress-169445.js: Added.
3129         (let.gun.eval.A):
3130         (let.gun.eval.B.C):
3131         (let.gun.eval.B.C.prototype.trigger):
3132         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3133         (let.gun.eval.B):
3134         (let.gun.eval):
3135
3136 == Rolled over to ChangeLog-2018-09-11 ==