[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
2
3         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
4         https://bugs.webkit.org/show_bug.cgi?id=195950
5
6         Unreviewed, reducing the amount of memory used on this test to avoid
7         OOM on devices with memory restrictions.
8
9         * microbenchmarks/generate-multiple-llint-entrypoints.js:
10
11 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
12
13         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
14         https://bugs.webkit.org/show_bug.cgi?id=194648
15
16         Reviewed by Keith Miller.
17
18         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
19
20 2019-03-18  Mark Lam  <mark.lam@apple.com>
21
22         Missing a ThrowScope release in JSObject::toString().
23         https://bugs.webkit.org/show_bug.cgi?id=195893
24         <rdar://problem/48970986>
25
26         Reviewed by Michael Saboff.
27
28         * stress/to-string-exception-check-release.js: Added.
29
30 2019-03-18  Mark Lam  <mark.lam@apple.com>
31
32         Structure::flattenDictionary() should clear unused property slots.
33         https://bugs.webkit.org/show_bug.cgi?id=195871
34         <rdar://problem/48959497>
35
36         Reviewed by Michael Saboff.
37
38         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
39
40 2019-03-15  Mark Lam  <mark.lam@apple.com>
41
42         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
43         https://bugs.webkit.org/show_bug.cgi?id=195827
44         <rdar://problem/48845513>
45
46         Reviewed by Filip Pizlo.
47
48         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
49
50 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
51
52         [ARM,MIPS] Skip slow tests
53         https://bugs.webkit.org/show_bug.cgi?id=195799
54
55         Unreviewed, test does not finish on ARM and MIPS within the
56         timeout limit.
57
58         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
59
60 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
61
62         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
63         https://bugs.webkit.org/show_bug.cgi?id=195791
64         <rdar://problem/48806130>
65
66         Reviewed by Mark Lam.
67
68         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
69         (foo):
70
71 2019-03-14  Saam barati  <sbarati@apple.com>
72
73         We can't remove code after ForceOSRExit until after FixupPhase
74         https://bugs.webkit.org/show_bug.cgi?id=186916
75         <rdar://problem/41396612>
76
77         Reviewed by Yusuke Suzuki.
78
79         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
80         (foo):
81         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
82         (foo):
83
84 2019-03-13  Michael Saboff  <msaboff@apple.com>
85
86         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
87         https://bugs.webkit.org/show_bug.cgi?id=195735
88
89         Reviewed by Mark Lam.
90
91         New regression test.
92
93         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
94         (foo):
95         (bar):
96
97 2019-03-14  Saam barati  <sbarati@apple.com>
98
99         Fixup uses KnownInt32 incorrectly in some nodes
100         https://bugs.webkit.org/show_bug.cgi?id=195279
101         <rdar://problem/47915654>
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
106         (foo):
107
108 2019-03-14  Keith Miller  <keith_miller@apple.com>
109
110         DFG liveness can't skip tail caller inline frames
111         https://bugs.webkit.org/show_bug.cgi?id=195715
112
113         Reviewed by Saam Barati.
114
115         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
116         (i.foo):
117
118 2019-03-13  Mark Lam  <mark.lam@apple.com>
119
120         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
121         https://bugs.webkit.org/show_bug.cgi?id=195415
122
123         Not reviewed.
124
125         Changed these tests to only run the default configuration.
126         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
127         There's no strong need to run this test on that variant.
128
129         * stress/dfg-to-string-on-int-does-gc.js:
130         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
131
132 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
133
134         String overflow when using StringBuilder in JSC::createError
135         https://bugs.webkit.org/show_bug.cgi?id=194957
136
137         Reviewed by Mark Lam.
138
139         Add test string-overflow-createError-builder.js that overflows
140         StringBuilder in notAFunctionSourceAppender. The second new test
141         string-overflow-createError-fit.js has an error message that doesn't
142         overflow, it still failed since the String's capacity can't be doubled.
143         Run test string-overflow-createError.js only in the default
144         configuration to reduce memory consumption when running the test
145         in all configurations on multiple CPUs in parallel.
146
147         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
148         (catch):
149         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
150         (catch):
151         * stress/string-overflow-createError.js:
152
153 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
154
155         [JSC] OSR entry should respect abstract values in addition to flush formats
156         https://bugs.webkit.org/show_bug.cgi?id=195653
157
158         Reviewed by Mark Lam.
159
160         * stress/osr-entry-locals-none.js: Added.
161
162 2019-03-12  Michael Saboff  <msaboff@apple.com>
163
164         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
165         https://bugs.webkit.org/show_bug.cgi?id=195613
166
167         Reviewed by Mark Lam.
168
169         New regression test.
170
171         * stress/regexp-backref-inbounds.js: Added.
172         (testRegExp):
173
174 2019-03-12  Mark Lam  <mark.lam@apple.com>
175
176         The HasIndexedProperty node does GC.
177         https://bugs.webkit.org/show_bug.cgi?id=195559
178         <rdar://problem/48767923>
179
180         Reviewed by Yusuke Suzuki.
181
182         * stress/HasIndexedProperty-does-gc.js: Added.
183
184 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
185
186         [ESNext][BigInt] Implement "~" unary operation
187         https://bugs.webkit.org/show_bug.cgi?id=182216
188
189         Reviewed by Keith Miller.
190
191         * stress/big-int-bit-not-general.js: Added.
192         * stress/big-int-bitwise-not-jit.js: Added.
193         * stress/big-int-bitwise-not-wrapped-value.js: Added.
194         * stress/bit-op-with-object-returning-int32.js:
195         * stress/bitwise-not-fixup-rules.js: Added.
196         * stress/value-bit-not-ai-rule.js: Added.
197
198 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
199
200         Invalid flags in a RegExp literal should be an early SyntaxError
201         https://bugs.webkit.org/show_bug.cgi?id=195514
202
203         Reviewed by Darin Adler.
204
205         * test262/expectations.yaml:
206         Mark 4 test cases as passing.
207
208         * stress/regexp-syntax-error-invalid-flags.js:
209         * stress/regress-161995.js: Removed.
210         Update existing test, merging in an older test for the same behavior.
211
212 2019-03-08  Mark Lam  <mark.lam@apple.com>
213
214         Stack overflow crash in JSC::JSObject::hasInstance.
215         https://bugs.webkit.org/show_bug.cgi?id=195458
216         <rdar://problem/48710195>
217
218         Reviewed by Yusuke Suzuki.
219
220         * stress/stack-overflow-in-custom-hasInstance.js: Added.
221
222 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
223
224         op_check_tdz does not def its argument
225         https://bugs.webkit.org/show_bug.cgi?id=192880
226         <rdar://problem/46221598>
227
228         Reviewed by Saam Barati.
229
230         * microbenchmarks/let-for-in.js: Added.
231         (foo):
232
233 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
234
235         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
236         https://bugs.webkit.org/show_bug.cgi?id=195429
237
238         Reviewed by Saam Barati.
239
240         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
241         (foo):
242         * stress/string-from-char-code-255.js: Added.
243
244 2019-03-06  Mark Lam  <mark.lam@apple.com>
245
246         Fix incorrect handling of try-finally completion values.
247         https://bugs.webkit.org/show_bug.cgi?id=195131
248         <rdar://problem/46222079>
249
250         Reviewed by Saam Barati and Yusuke Suzuki.
251
252         Added many permutations of new test case to test-finally.js.  test-finally.js has
253         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
254         tests pass there as well.
255
256         * stress/test-finally.js:
257
258 2019-03-06  Saam Barati  <sbarati@apple.com>
259
260         Air::reportUsedRegisters must padInterference
261         https://bugs.webkit.org/show_bug.cgi?id=195303
262         <rdar://problem/48270343>
263
264         Reviewed by Keith Miller.
265
266         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
267
268 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
269
270         [JSC] AI should not propagate AbstractValue relying on constant folding phase
271         https://bugs.webkit.org/show_bug.cgi?id=195375
272
273         Reviewed by Saam Barati.
274
275         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
276         (let.array):
277
278 2019-03-05  Saam barati  <sbarati@apple.com>
279
280         op_switch_char broken for rope strings after JSRopeString layout rewrite
281         https://bugs.webkit.org/show_bug.cgi?id=195339
282         <rdar://problem/48592545>
283
284         Reviewed by Yusuke Suzuki.
285
286         * stress/switch-on-char-llint-rope.js: Added.
287
288 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
289
290         [JSC] Store bits for JSRopeString in 3 stores
291         https://bugs.webkit.org/show_bug.cgi?id=195234
292
293         Reviewed by Saam Barati.
294
295         * stress/null-rope-and-collectors.js: Added.
296
297 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
298
299         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
300         https://bugs.webkit.org/show_bug.cgi?id=195207
301
302         Unreviewed. After test runtime was reduced in r242213, test can be
303         run again on ARM/MIPS.
304
305         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
306
307 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
308
309         [JSC] sizeof(JSString) should be 16
310         https://bugs.webkit.org/show_bug.cgi?id=194375
311
312         Reviewed by Saam Barati.
313
314         * microbenchmarks/make-rope.js: Added.
315         (makeRope):
316         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
317         (returnRope.helper): Deleted.
318         (returnRope): Deleted.
319
320 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
321
322         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
323         https://bugs.webkit.org/show_bug.cgi?id=195144
324
325         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
326         Change the number from 1e8 to 1e5.
327
328         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
329         (foo):
330
331 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
332
333         Test times out on ARM/MIPS
334         https://bugs.webkit.org/show_bug.cgi?id=195168
335
336         Unreviewed. Skip test on ARM/MIPS.
337
338         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
339
340 2019-02-27  Mark Lam  <mark.lam@apple.com>
341
342         The parser is failing to record the token location of new in new.target.
343         https://bugs.webkit.org/show_bug.cgi?id=195127
344         <rdar://problem/39645578>
345
346         Reviewed by Yusuke Suzuki.
347
348         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
349
350 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
351
352         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
353         https://bugs.webkit.org/show_bug.cgi?id=195144
354         <rdar://problem/47595961>
355
356         Reviewed by Mark Lam.
357
358         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
359         (bar):
360         (foo):
361         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
362         (bar):
363         (foo):
364
365 2019-02-27  Robin Morisset  <rmorisset@apple.com>
366
367         DFG: Loop-invariant code motion (LICM) should not hoist dead code
368         https://bugs.webkit.org/show_bug.cgi?id=194945
369         <rdar://problem/48311657>
370
371         Reviewed by Mark Lam.
372
373         * stress/licm-dead-code.js: Added.
374
375 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
376
377         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
378         https://bugs.webkit.org/show_bug.cgi?id=194677
379         <rdar://problem/48112492>
380
381         Reviewed by Mark Lam.
382
383         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
384         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
385         it immediately fails due to the large size.
386
387         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
388         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
389         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
390         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
391
392         This patch changes the test to produce 16bit string from String.fromCharCode.
393
394         * stress/regress-178386.js:
395
396 2019-02-26  Mark Lam  <mark.lam@apple.com>
397
398         wasmToJS() should purify incoming NaNs.
399         https://bugs.webkit.org/show_bug.cgi?id=194807
400         <rdar://problem/48189132>
401
402         Reviewed by Saam Barati.
403
404         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
405
406 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
407
408         [JSC] Repeat string created from Array.prototype.join() take too much memory
409         https://bugs.webkit.org/show_bug.cgi?id=193912
410
411         Reviewed by Saam Barati.
412
413         Added a test and a microbenchmark for corner cases of
414         Array.prototype.join() with an uninitialized array.
415
416         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
417         * stress/array-prototype-join-uninitialized.js: Added.
418         (testArray):
419         (testABC):
420         (B):
421         (C):
422
423 2019-02-22  Robin Morisset  <rmorisset@apple.com>
424
425         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
426         https://bugs.webkit.org/show_bug.cgi?id=194953
427         <rdar://problem/47595253>
428
429         Reviewed by Saam Barati.
430
431         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
432
433         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
434
435 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
436
437         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
438         https://bugs.webkit.org/show_bug.cgi?id=172848
439         <rdar://problem/25709212>
440
441         Reviewed by Mark Lam.
442
443         * typeProfiler/inheritance.js:
444         Rewrite the test slightly for clarity. The hoisting was confusing.
445
446         * heapProfiler/class-names.js: Added.
447         (MyES5Class):
448         (MyES6Class):
449         (MyES6Subclass):
450         Test object types and improved class names.
451
452         * heapProfiler/driver/driver.js:
453         (CheapHeapSnapshotNode):
454         (CheapHeapSnapshot):
455         (createCheapHeapSnapshot):
456         (HeapSnapshot):
457         (createHeapSnapshot):
458         Update snapshot parsing from version 1 to version 2.
459
460 2019-02-19  Truitt Savell  <tsavell@apple.com>
461
462         Unreviewed, rolling out r241784.
463
464         Broke all OpenSource builds.
465
466         Reverted changeset:
467
468         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
469         instances view"
470         https://bugs.webkit.org/show_bug.cgi?id=172848
471         https://trac.webkit.org/changeset/241784
472
473 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
474
475         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
476         https://bugs.webkit.org/show_bug.cgi?id=172848
477         <rdar://problem/25709212>
478
479         Reviewed by Mark Lam.
480
481         * typeProfiler/inheritance.js:
482         Rewrite the test slightly for clarity. The hoisting was confusing.
483
484         * heapProfiler/class-names.js: Added.
485         (MyES5Class):
486         (MyES6Class):
487         (MyES6Subclass):
488         Test object types and improved class names.
489
490         * heapProfiler/driver/driver.js:
491         (CheapHeapSnapshotNode):
492         (CheapHeapSnapshot):
493         (createCheapHeapSnapshot):
494         (HeapSnapshot):
495         (createHeapSnapshot):
496         Update snapshot parsing from version 1 to version 2.
497
498 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
499
500         [ARM] Fix crash with sampling profiler
501         https://bugs.webkit.org/show_bug.cgi?id=194772
502
503         Reviewed by Mark Lam.
504
505         Do not skip test since crash with sampling profiler is now fixed.
506
507         * stress/sampling-profiler-richards.js:
508
509 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
510
511         [JSC] Add LazyClassStructure::getInitializedOnMainThread
512         https://bugs.webkit.org/show_bug.cgi?id=194784
513         <rdar://problem/48154820>
514
515         Reviewed by Mark Lam.
516
517         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
518         (getProperties):
519         (getRandomProperty):
520         (i.catch):
521
522 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
523
524         [ARM] Test gardening: Test running out of executable memory
525         https://bugs.webkit.org/show_bug.cgi?id=194771
526
527         Unreviewed. Do not run test without LLInt, test is running out of executable
528         memory on ARM otherwise.
529
530         * stress/tagged-template-object-collect.js:
531
532 2019-02-18  Tomas Popela  <tpopela@redhat.com>
533
534         Unreviewed, skip the test on platforms without sampling profiler
535
536         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
537         (platformSupportsSamplingProfiler.foo):
538         (platformSupportsSamplingProfiler.test):
539         (platformSupportsSamplingProfiler):
540         (foo): Deleted.
541         (test): Deleted.
542
543 2019-02-17  Saam Barati  <sbarati@apple.com>
544
545         Deadlock when adding a Structure property transition and then doing incremental marking
546         https://bugs.webkit.org/show_bug.cgi?id=194767
547
548         Reviewed by Mark Lam.
549
550         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
551
552 2019-02-15  Michael Saboff  <msaboff@apple.com>
553
554         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
555         https://bugs.webkit.org/show_bug.cgi?id=194558
556
557         Reviewed by Saam Barati.
558
559         New regression test.
560
561         * stress/regexp-unicode-within-string.js: Added.
562
563 2019-02-15  Mark Lam  <mark.lam@apple.com>
564
565         SamplingProfiler::stackTracesAsJSON() should escape strings.
566         https://bugs.webkit.org/show_bug.cgi?id=194649
567         <rdar://problem/48072386>
568
569         Reviewed by Saam Barati.
570
571         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
572         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
573         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
574         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
575
576 2019-02-15  Robin Morisset  <rmorisset@apple.com>
577         CodeBlock::jettison should clear related watchpoints
578         https://bugs.webkit.org/show_bug.cgi?id=194544
579
580         Reviewed by Mark Lam.
581
582         * stress/regexp-replace-double-watchpoint.js: Added.
583         (foo):
584
585 2019-02-15  Saam barati  <sbarati@apple.com>
586
587         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
588         https://bugs.webkit.org/show_bug.cgi?id=194036
589
590         Reviewed by Yusuke Suzuki.
591
592         * stress/tail-call-many-arguments.js: Added.
593         (foo):
594         (bar):
595
596 2019-02-14  Saam Barati  <sbarati@apple.com>
597
598         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
599         https://bugs.webkit.org/show_bug.cgi?id=194583
600         <rdar://problem/48028140>
601
602         Reviewed by Yusuke Suzuki.
603
604         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
605
606 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
607
608         [JSC] String.fromCharCode's slow path always generates 16bit string
609         https://bugs.webkit.org/show_bug.cgi?id=194466
610
611         Reviewed by Keith Miller.
612
613         * stress/string-from-char-code-slow-path.js: Added.
614         (shouldBe):
615         (testWithLength):
616
617 2019-02-08  Saam barati  <sbarati@apple.com>
618
619         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
620         https://bugs.webkit.org/show_bug.cgi?id=194334
621         <rdar://problem/47844327>
622
623         Reviewed by Mark Lam.
624
625         * stress/check-in-bounds-should-be-a-child-use.js: Added.
626         (func):
627
628 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
629
630         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
631         https://bugs.webkit.org/show_bug.cgi?id=194369
632         <rdar://problem/47813087>
633
634         Reviewed by Saam Barati.
635
636         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
637         (A):
638
639 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
640
641         [JSC] PrivateName to PublicName hash table is wasteful
642         https://bugs.webkit.org/show_bug.cgi?id=194277
643
644         Reviewed by Michael Saboff.
645
646         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
647
648         * ChakraCore.yaml:
649
650 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
651
652         [ARM] Test running out of executable memory
653         https://bugs.webkit.org/show_bug.cgi?id=194285
654
655         Unreviewed. Do not execute test with LLInt disabled, test runs out of
656         executable memory otherwise.
657
658         * stress/class-subclassing-function.js:
659
660 2019-02-04  Robin Morisset  <rmorisset@apple.com>
661
662         when lowering AssertNotEmpty, create the value before creating the patchpoint
663         https://bugs.webkit.org/show_bug.cgi?id=194231
664
665         Reviewed by Saam Barati.
666
667         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
668         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
669         So even tiny changes to this test can change the path code taken.
670
671         * stress/assert-not-empty.js: Added.
672         (foo):
673
674 2019-02-01  Mark Lam  <mark.lam@apple.com>
675
676         Remove invalid assertion in DFG's compileDoubleRep().
677         https://bugs.webkit.org/show_bug.cgi?id=194130
678         <rdar://problem/47699474>
679
680         Reviewed by Saam Barati.
681
682         * stress/constant-fold-double-rep-into-double-constant.js: Added.
683
684 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
685
686         Import latest Test262 updates.
687
688         Rubber-stamped by Keith Miller.
689
690         * test262.yaml: Deleted.
691         * test262/config.yaml:
692         * test262/expectations.yaml:
693         * test262/latest-changes-summary.txt:
694         * test262/test/:
695         * test262/test262-Revision.txt:
696
697 2019-01-30  Robin Morisset  <rmorisset@apple.com>
698
699         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
700         https://bugs.webkit.org/show_bug.cgi?id=194050
701         <rdar://problem/47595592>
702
703         Reviewed by Yusuke Suzuki.
704
705         * stress/object-keys-osr-exit.js: Added.
706         (foo):
707         (catch):
708
709 2019-01-29  Mark Lam  <mark.lam@apple.com>
710
711         ValueRecovery::recover() should purify NaN values it recovers.
712         https://bugs.webkit.org/show_bug.cgi?id=193978
713         <rdar://problem/47625488>
714
715         Reviewed by Saam Barati.
716
717         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
718
719 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
720
721         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
722         https://bugs.webkit.org/show_bug.cgi?id=193713
723
724         * stress/try-get-by-id-should-spill-registers-dfg.js:
725         (let.f.createBuiltin):
726
727 2019-01-28  Mark Lam  <mark.lam@apple.com>
728
729         ToString node actually does GC.
730         https://bugs.webkit.org/show_bug.cgi?id=193920
731         <rdar://problem/46695900>
732
733         Reviewed by Yusuke Suzuki.
734
735         * stress/dfg-to-string-on-int-does-gc.js: Added.
736         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
737         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
738
739 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
740
741         [JSC] NativeErrorConstructor should not have own IsoSubspace
742         https://bugs.webkit.org/show_bug.cgi?id=193713
743
744         Reviewed by Saam Barati.
745
746         Remove @Error use.
747
748         * stress/try-get-by-id-should-spill-registers-dfg.js:
749         (let.f.createBuiltin):
750
751 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
752
753         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
754         https://bugs.webkit.org/show_bug.cgi?id=190693
755
756         Reviewed by Michael Saboff.
757
758         * stress/regress-190693.js: Added.
759         (truth):
760         (assert):
761         (shouldThrowInvalidConstAssignment):
762         (taz):
763
764 2019-01-24  Saam Barati  <sbarati@apple.com>
765
766         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
767         https://bugs.webkit.org/show_bug.cgi?id=193751
768         <rdar://problem/47280215>
769
770         Reviewed by Michael Saboff.
771
772         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
773         (let.thing):
774         (foo.let.hello):
775         (foo):
776
777 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
778
779         [JSC] Reenable baseline JIT on mips
780         https://bugs.webkit.org/show_bug.cgi?id=192983
781
782         Reviewed by Mark Lam.
783
784         Added a new test for a case that was triggering a RELEASE_ASSERT when
785         testing.
786         Disable some slow tests that were already disabled for arm and x86.
787
788         * stress/json-parse-big-object.js: Added.
789         * stress/new-largeish-contiguous-array-with-size.js:
790         * stress/op_add.js:
791         * stress/op_bitand.js:
792         * stress/op_bitor.js:
793         * stress/op_bitxor.js:
794         * stress/op_lshift-ConstVar.js:
795         * stress/op_lshift-VarConst.js:
796         * stress/op_lshift-VarVar.js:
797         * stress/op_mod-ConstVar.js:
798         * stress/op_mod-VarConst.js:
799         * stress/op_mod-VarVar.js:
800         * stress/op_mul-ConstVar.js:
801         * stress/op_mul-VarConst.js:
802         * stress/op_mul-VarVar.js:
803         * stress/op_rshift-ConstVar.js:
804         * stress/op_rshift-VarConst.js:
805         * stress/op_rshift-VarVar.js:
806         * stress/op_sub-ConstVar.js:
807         * stress/op_sub-VarConst.js:
808         * stress/op_sub-VarVar.js:
809         * stress/op_urshift-ConstVar.js:
810         * stress/op_urshift-VarConst.js:
811         * stress/op_urshift-VarVar.js:
812         * stress/sampling-profiler-richards.js:
813         * stress/spread-forward-call-varargs-stack-overflow.js:
814
815 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
816
817         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
818         https://bugs.webkit.org/show_bug.cgi?id=193711
819         <rdar://problem/47250262>
820
821         Reviewed by Saam Barati.
822
823         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
824         (shouldBe):
825         (foo):
826         (bar):
827         (baz):
828
829 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
830
831         Unreviewed, fix initial global lexical binding epoch
832         https://bugs.webkit.org/show_bug.cgi?id=193603
833         <rdar://problem/47380869>
834
835         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
836         (f1.f2.f3.f4):
837         (f1.f2.f3):
838         (f1.f2):
839         (f1):
840
841 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
842
843         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
844         https://bugs.webkit.org/show_bug.cgi?id=193709
845         <rdar://problem/47363838>
846
847         Unreviewed, rollout to watch the tests.
848
849         * stress/object-tostring-changed-proto.js: Removed.
850         * stress/object-tostring-changed.js: Removed.
851         * stress/object-tostring-misc.js: Removed.
852         * stress/object-tostring-other.js: Removed.
853         * stress/object-tostring-untyped.js: Removed.
854
855 2019-01-22  Saam Barati  <sbarati@apple.com>
856
857         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
858
859         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
860         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
861         (testUncheckedLessThanZero):
862         (testUncheckedLessThanOrEqualZero):
863         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
864         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
865
866 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
867
868         [JSC] Invalidate old scope operations using global lexical binding epoch
869         https://bugs.webkit.org/show_bug.cgi?id=193603
870         <rdar://problem/47380869>
871
872         Reviewed by Saam Barati.
873
874         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
875         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
876         (shouldThrow):
877         (bar):
878         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
879         (shouldBe):
880         (get1):
881         (get2):
882         (get1If):
883         (get2If):
884         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
885         (shouldThrow):
886         (foo):
887
888 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
889
890         Unreviewed, roll out r240220 due to date-format-xparb regression
891         https://bugs.webkit.org/show_bug.cgi?id=193603
892
893         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
894         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
895         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
896         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
897
898 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
899
900         DoesGC rule is wrong for nodes with BigIntUse
901         https://bugs.webkit.org/show_bug.cgi?id=193652
902
903         Reviewed by Saam Barati.
904
905         * stress/big-int-value-op-update-gc-rules.js: Added.
906         (assert):
907         (doesGCAdd):
908         (doesGCSub):
909         (doesGCDiv):
910         (doesGCMul):
911         (doesGCBitAnd):
912         (doesGCBitOr):
913         (doesGCBitXor):
914
915 2019-01-20  Saam Barati  <sbarati@apple.com>
916
917         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
918         https://bugs.webkit.org/show_bug.cgi?id=193644
919         <rdar://problem/46209745>
920
921         Reviewed by Yusuke Suzuki.
922
923         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
924         (foo):
925         * stress/data-view-set-intrinsic-undefined-result.js: Added.
926         (foo):
927         (bar):
928
929 2019-01-20  Saam Barati  <sbarati@apple.com>
930
931         MovHint must merge NodeBytecodeUsesAsValue for its child
932         https://bugs.webkit.org/show_bug.cgi?id=186916
933         <rdar://problem/41396612>
934
935         Reviewed by Yusuke Suzuki.
936
937         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
938         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
939
940 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
941
942         [JSC] Invalidate old scope operations using global lexical binding epoch
943         https://bugs.webkit.org/show_bug.cgi?id=193603
944         <rdar://problem/47380869>
945
946         Reviewed by Saam Barati.
947
948         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
949         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
950         (shouldThrow):
951         (bar):
952         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
953         (shouldBe):
954         (get1):
955         (get2):
956         (get1If):
957         (get2If):
958         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
959         (shouldThrow):
960         (foo):
961
962 2019-01-17  Saam Barati  <sbarati@apple.com>
963
964         StringObjectUse should not be a structure check for the original string object structure
965         https://bugs.webkit.org/show_bug.cgi?id=193483
966         <rdar://problem/47280522>
967
968         Reviewed by Yusuke Suzuki.
969
970         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
971         (foo):
972         (a.valueOf.0):
973
974 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
975
976         [JSC] ToThis omission in DFGByteCodeParser is wrong
977         https://bugs.webkit.org/show_bug.cgi?id=193513
978         <rdar://problem/45842236>
979
980         Reviewed by Saam Barati.
981
982         * stress/to-this-omission-with-different-strict-modes.js: Added.
983         (thisA):
984         (thisAStrictWrapper):
985
986 2019-01-15  Mark Lam  <mark.lam@apple.com>
987
988         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
989         https://bugs.webkit.org/show_bug.cgi?id=193423
990         <rdar://problem/46209355>
991
992         Reviewed by Saam Barati.
993
994         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
995         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
996         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
997         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
998
999 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1000
1001         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1002         https://bugs.webkit.org/show_bug.cgi?id=193438
1003         <rdar://problem/45581249>
1004
1005         Reviewed by Saam Barati and Keith Miller.
1006
1007         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1008         Then, GetByVal(String) crashed.
1009
1010         * stress/string-get-by-val-lowering.js: Added.
1011         (shouldBe):
1012         (test):
1013         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1014         (Hello):
1015         (foo):
1016
1017 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1018
1019         Unreviewed, skip JIT tests if it's not enabled
1020
1021         * stress/bit-op-with-object-returning-int32.js:
1022
1023 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1024
1025         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1026         https://bugs.webkit.org/show_bug.cgi?id=192966
1027
1028         Reviewed by Yusuke Suzuki.
1029
1030         * stress/bit-op-with-object-returning-int32.js: Added.
1031
1032 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1033
1034         Skip a slow test and a flakey test on arm
1035
1036         Unreviewed gardening.
1037
1038         * typeProfiler/getter-richards.js:
1039         This test always times out. It used to be always skipped on arm and
1040         mips, but got accidentally enabled by r237919 now that we have DFG on
1041         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1042
1043 2019-01-14  Keith Miller  <keith_miller@apple.com>
1044
1045         Skip type-check-hoisting-phase-hoist... with no jit
1046         https://bugs.webkit.org/show_bug.cgi?id=193421
1047
1048         Reviewed by Mark Lam.
1049
1050         It's timing out the 32-bit bots and takes 330 seconds
1051         on my machine when run by itself.
1052
1053         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1054
1055 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1056
1057         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1058         https://bugs.webkit.org/show_bug.cgi?id=193413
1059         <rdar://problem/46092389>
1060
1061         Reviewed by Keith Miller.
1062
1063         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1064         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1065         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1066         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1067
1068         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1069         (compareArray):
1070
1071 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1072
1073         [BigInt] Literal parsing is crashing when used inside a Object Literal
1074         https://bugs.webkit.org/show_bug.cgi?id=193404
1075
1076         Reviewed by Yusuke Suzuki.
1077
1078         * stress/big-int-literal-inside-literal-object.js: Added.
1079
1080 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1081
1082         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1083         https://bugs.webkit.org/show_bug.cgi?id=193372
1084
1085         Reviewed by Saam Barati.
1086
1087         * stress/typed-array-array-modes-profile.js: Added.
1088         (foo):
1089
1090 2019-01-14  Mark Lam  <mark.lam@apple.com>
1091
1092         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1093         https://bugs.webkit.org/show_bug.cgi?id=193402
1094         <rdar://problem/46012309>
1095
1096         Reviewed by Keith Miller.
1097
1098         * stress/regexp-compile-oom.js:
1099         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1100           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1101
1102 2019-01-11  Saam Barati  <sbarati@apple.com>
1103
1104         DFG combined liveness can be wrong for terminal basic blocks
1105         https://bugs.webkit.org/show_bug.cgi?id=193304
1106         <rdar://problem/45268632>
1107
1108         Reviewed by Yusuke Suzuki.
1109
1110         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1111
1112 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1113
1114         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1115         https://bugs.webkit.org/show_bug.cgi?id=193308
1116         <rdar://problem/45546542>
1117
1118         Reviewed by Saam Barati.
1119
1120         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1121         (shouldThrow):
1122         (shouldBe):
1123         (foo):
1124         (get shouldThrow):
1125         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1126         (shouldThrow):
1127         (shouldBe):
1128         (foo):
1129         (get shouldBe):
1130         (get shouldThrow):
1131         (get return):
1132         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1133         (shouldThrow):
1134         (shouldBe):
1135         (foo):
1136         (get shouldBe):
1137         (get shouldThrow):
1138         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1139         (shouldThrow):
1140         (shouldBe):
1141         (foo):
1142         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1143         (shouldThrow):
1144         (shouldBe):
1145         (foo):
1146         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1147         (shouldThrow):
1148         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1149         (shouldThrow):
1150         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1151         (shouldThrow):
1152         (shouldBe):
1153         (foo):
1154         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1155         (shouldThrow):
1156         (shouldBe):
1157         (foo):
1158         (get shouldBe):
1159         (get shouldThrow):
1160         (get return):
1161         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1162         (shouldThrow):
1163         (shouldBe):
1164         (foo):
1165         (get shouldBe):
1166         (get shouldThrow):
1167         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1168         (shouldThrow):
1169         (shouldBe):
1170         (foo):
1171         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1172         (shouldThrow):
1173         (shouldBe):
1174         (foo):
1175
1176 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1177
1178         Enable DFG on ARM/Linux again
1179         https://bugs.webkit.org/show_bug.cgi?id=192496
1180
1181         Reviewed by Yusuke Suzuki.
1182
1183         Test wasn't really skipped before moving the line with skip
1184         to the top.
1185
1186         * stress/regress-192717.js:
1187
1188 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1189
1190         Unreviewed, rolling out r239825.
1191         https://bugs.webkit.org/show_bug.cgi?id=193330
1192
1193         Broke tests on armv7/linux bots (Requested by guijemont on
1194         #webkit).
1195
1196         Reverted changeset:
1197
1198         "Enable DFG on ARM/Linux again"
1199         https://bugs.webkit.org/show_bug.cgi?id=192496
1200         https://trac.webkit.org/changeset/239825
1201
1202 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1203
1204         Enable DFG on ARM/Linux again
1205         https://bugs.webkit.org/show_bug.cgi?id=192496
1206
1207         Reviewed by Yusuke Suzuki.
1208
1209         Test wasn't really skipped before moving the line with skip
1210         to the top.
1211
1212         * stress/regress-192717.js:
1213
1214 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1215
1216         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1217         https://bugs.webkit.org/show_bug.cgi?id=193127
1218
1219         Reviewed by Saam Barati.
1220
1221         * stress/array-species-create-should-handle-masquerader.js: Added.
1222         (shouldThrow):
1223         * stress/is-undefined-or-null-builtin.js: Added.
1224         (shouldBe):
1225         (isUndefinedOrNull.vm.createBuiltin):
1226
1227 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1228
1229         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1230         https://bugs.webkit.org/show_bug.cgi?id=193221
1231
1232         Reviewed by Mark Lam.
1233
1234         * stress/put-by-id-flags.js: Added.
1235         (f):
1236         (g):
1237         (numberOfDFGCompiles):
1238
1239 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1240
1241         Baseline version of get_by_id may corrupt metadata
1242         https://bugs.webkit.org/show_bug.cgi?id=193085
1243         <rdar://problem/23453006>
1244
1245         Reviewed by Saam Barati.
1246
1247         * stress/get-by-id-change-mode.js: Added.
1248         (forEach):
1249
1250 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1251
1252         [JSC] Optimize Object.prototype.toString
1253         https://bugs.webkit.org/show_bug.cgi?id=193031
1254
1255         Reviewed by Saam Barati.
1256
1257         * stress/object-tostring-changed-proto.js: Added.
1258         (shouldBe):
1259         (test):
1260         * stress/object-tostring-changed.js: Added.
1261         (shouldBe):
1262         (test):
1263         * stress/object-tostring-misc.js: Added.
1264         (shouldBe):
1265         (test):
1266         (i.switch):
1267         * stress/object-tostring-other.js: Added.
1268         (shouldBe):
1269         (test):
1270         * stress/object-tostring-untyped.js: Added.
1271         (shouldBe):
1272         (test):
1273         (i.switch):
1274
1275 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1276
1277         test262-runner misbehaves when test file YAML has a trailing space
1278         https://bugs.webkit.org/show_bug.cgi?id=193053
1279
1280         Reviewed by Yusuke Suzuki.
1281
1282         * test262/expectations.yaml:
1283         Mark two dozen tests as passing (and correct the output of another).
1284
1285 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1286
1287         Unreviewed, JSTests gardening with memoryLimited
1288
1289         * stress/string-overflow-createError.js:
1290
1291 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1292
1293         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1294         https://bugs.webkit.org/show_bug.cgi?id=193050
1295
1296         Reviewed by Yusuke Suzuki.
1297
1298         * test262.yaml:
1299         * test262/expectations.yaml:
1300         Mark 16 tests as passing.
1301
1302 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1303
1304         [BigInt] Support BigInt in JSON.stringify
1305         https://bugs.webkit.org/show_bug.cgi?id=192624
1306
1307         Reviewed by Saam Barati.
1308
1309         * stress/big-int-json-stringify-to-json.js: Added.
1310         (shouldBe):
1311         (shouldThrow):
1312         (BigInt.prototype.toJSON):
1313         (shouldBe.JSON.stringify):
1314         * stress/big-int-json-stringify.js: Added.
1315         (shouldBe):
1316         (shouldThrow):
1317
1318 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1319
1320         [JSC] Implement "well-formed JSON.stringify" proposal
1321         https://bugs.webkit.org/show_bug.cgi?id=191677
1322
1323         Reviewed by Darin Adler.
1324
1325         * stress/json-surrogate-pair.js: Added.
1326         (shouldBe):
1327         * test262/expectations.yaml:
1328
1329 2018-12-20  Keith Miller  <keith_miller@apple.com>
1330
1331         Add support for globalThis
1332         https://bugs.webkit.org/show_bug.cgi?id=165171
1333
1334         Reviewed by Mark Lam.
1335
1336         * test262/config.yaml:
1337
1338 2018-12-19  Keith Miller  <keith_miller@apple.com>
1339
1340         Update test262 configuration to not run tests dependent on ICU version.
1341         https://bugs.webkit.org/show_bug.cgi?id=192920
1342
1343         Reviewed by Saam Barati.
1344
1345         * test262/expectations.yaml:
1346
1347 2018-12-20  Mark Lam  <mark.lam@apple.com>
1348
1349         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1350         https://bugs.webkit.org/show_bug.cgi?id=192939
1351         <rdar://problem/46869516>
1352
1353         Reviewed by Keith Miller.
1354
1355         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1356
1357 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1358
1359         WTF::String and StringImpl overflow MaxLength
1360         https://bugs.webkit.org/show_bug.cgi?id=192853
1361         <rdar://problem/45726906>
1362
1363         Reviewed by Mark Lam.
1364
1365         * stress/string-16bit-repeat-overflow.js: Added.
1366         (catch):
1367
1368 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1369
1370         Unreviewed follow-up to r192914.
1371
1372         * test262/expectations.yaml:
1373         Add the last 20 missing expectations.
1374
1375 2018-12-19  Keith Miller  <keith_miller@apple.com>
1376
1377         Fix test262 expectations
1378         https://bugs.webkit.org/show_bug.cgi?id=192914
1379
1380         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1381
1382         * test262/expectations.yaml:
1383
1384 2018-12-19  Keith Miller  <keith_miller@apple.com>
1385
1386         Update test262 tests.
1387         https://bugs.webkit.org/show_bug.cgi?id=192907
1388
1389         Rubber stamped by Mark Lam.
1390
1391         * test262/*: Omitted because prepare-changelog crashes.
1392
1393 2018-12-19  Mark Lam  <mark.lam@apple.com>
1394
1395         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1396         https://bugs.webkit.org/show_bug.cgi?id=192464
1397         <rdar://problem/46519455>
1398
1399         Reviewed by Saam Barati.
1400
1401         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1402         microbenchmark.
1403
1404         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1405         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1406
1407 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1408
1409         String overflow in JSC::createError results in ASSERT in WTF::makeString
1410         https://bugs.webkit.org/show_bug.cgi?id=192833
1411         <rdar://problem/45706868>
1412
1413         Reviewed by Mark Lam.
1414
1415         * stress/string-overflow-createError.js: Added.
1416
1417 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1418
1419         Error message for `-x ** y` contains a typo.
1420         https://bugs.webkit.org/show_bug.cgi?id=192832
1421
1422         Reviewed by Saam Barati.
1423
1424         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1425         (assert.assert.return.throws):
1426         * stress/pow-expects-update-expression-on-lhs.js:
1427         (throw.new.Error):
1428         Update test expectations which match against the exact error message.
1429
1430 2018-12-18  Mark Lam  <mark.lam@apple.com>
1431
1432         Gardening: test options fix.
1433         https://bugs.webkit.org/show_bug.cgi?id=192822
1434
1435         Unreviewed.
1436
1437         * stress/json-stringify-string-builder-overflow.js:
1438
1439 2018-12-18  Mark Lam  <mark.lam@apple.com>
1440
1441         JSON.stringify() should throw OOM on StringBuilder overflows.
1442         https://bugs.webkit.org/show_bug.cgi?id=192822
1443         <rdar://problem/46670577>
1444
1445         Reviewed by Saam Barati.
1446
1447         * stress/json-stringify-string-builder-overflow.js: Added.
1448
1449 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1450
1451         Redeclaration of var over let/const/class should be a syntax error.
1452         https://bugs.webkit.org/show_bug.cgi?id=192298
1453
1454         Reviewed by Keith Miller.
1455
1456         * test262.yaml:
1457         * test262/expectations.yaml:
1458         Mark 46 tests as passing.
1459
1460         * stress/block-scope-redeclarations.js:
1461         Add some new tests.
1462
1463         * stress/for-in-invalidate-context-weird-assignments.js:
1464         * stress/for-in-tests.js:
1465         Replace tests for outdated behavior with tests for SyntaxError.
1466
1467         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1468         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1469         Update expectations.
1470
1471 2018-12-18  Mark Lam  <mark.lam@apple.com>
1472
1473         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1474         https://bugs.webkit.org/show_bug.cgi?id=191374
1475         <rdar://problem/46525447>
1476
1477         Reviewed by Yusuke Suzuki.
1478
1479         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1480
1481         * stress/elidable-new-object-roflcopter-then-exit.js:
1482
1483 2018-12-17  Mark Lam  <mark.lam@apple.com>
1484
1485         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1486         https://bugs.webkit.org/show_bug.cgi?id=192019
1487         <rdar://problem/46525456>
1488
1489         Reviewed by Yusuke Suzuki.
1490
1491         The test runs too slow on 32-bit.
1492
1493         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1494
1495 2018-12-17  Mark Lam  <mark.lam@apple.com>
1496
1497         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1498         https://bugs.webkit.org/show_bug.cgi?id=191373
1499         <rdar://problem/46525458>
1500
1501         Reviewed by Yusuke Suzuki.
1502
1503         The test is already slow running with a JIT on 64-bit.  It will always time out
1504         on 32-bit without a JIT.
1505
1506         * stress/materialize-regexp-cyclic-regexp.js:
1507
1508 2018-12-17  Mark Lam  <mark.lam@apple.com>
1509
1510         Array unshift/shift should not race against the AI in the compiler thread.
1511         https://bugs.webkit.org/show_bug.cgi?id=192795
1512         <rdar://problem/46724263>
1513
1514         Reviewed by Saam Barati.
1515
1516         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1517
1518 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1519
1520         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1521         https://bugs.webkit.org/show_bug.cgi?id=190047
1522
1523         Reviewed by Saam Barati.
1524
1525         * stress/object-keys-cached-zero.js: Added.
1526         (shouldBe):
1527         (test):
1528         * stress/object-keys-changed-attribute.js: Added.
1529         (shouldBe):
1530         (test):
1531         * stress/object-keys-changed-index.js: Added.
1532         (shouldBe):
1533         (test):
1534         * stress/object-keys-changed.js: Added.
1535         (shouldBe):
1536         (test):
1537         * stress/object-keys-indexed-non-cache.js: Added.
1538         (shouldBe):
1539         (test):
1540         * stress/object-keys-overrides-get-property-names.js: Added.
1541         (shouldBe):
1542         (test):
1543         (noInline):
1544
1545 2018-12-17  Mark Lam  <mark.lam@apple.com>
1546
1547         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1548         https://bugs.webkit.org/show_bug.cgi?id=192779
1549         <rdar://problem/46775869>
1550
1551         Reviewed by Saam Barati.
1552
1553         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1554
1555 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1556
1557         Unreviewed test gardening, address a syntax error in a new test.
1558
1559         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1560
1561 2018-12-17  Mark Lam  <mark.lam@apple.com>
1562
1563         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1564         https://bugs.webkit.org/show_bug.cgi?id=192776
1565         <rdar://problem/46772368>
1566
1567         Reviewed by Keith Miller.
1568
1569         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1570
1571 2018-12-17  Mark Lam  <mark.lam@apple.com>
1572
1573         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1574         https://bugs.webkit.org/show_bug.cgi?id=192770
1575         <rdar://problem/46449037>
1576
1577         Reviewed by Keith Miller.
1578
1579         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1580
1581 2018-12-14  Mark Lam  <mark.lam@apple.com>
1582
1583         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1584         https://bugs.webkit.org/show_bug.cgi?id=192717
1585         <rdar://problem/46660677>
1586
1587         Reviewed by Saam Barati.
1588
1589         * stress/regress-192717.js: Added.
1590
1591 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1592
1593         Unreviewed, rolling out r239153, r239154, and r239155.
1594         https://bugs.webkit.org/show_bug.cgi?id=192715
1595
1596         Caused flaky GC-related crashes seen with layout tests
1597         (Requested by ryanhaddad on #webkit).
1598
1599         Reverted changesets:
1600
1601         "[JSC] Optimize Object.keys by caching own keys results in
1602         StructureRareData"
1603         https://bugs.webkit.org/show_bug.cgi?id=190047
1604         https://trac.webkit.org/changeset/239153
1605
1606         "Unreviewed, build fix after r239153"
1607         https://bugs.webkit.org/show_bug.cgi?id=190047
1608         https://trac.webkit.org/changeset/239154
1609
1610         "Unreviewed, build fix after r239153, part 2"
1611         https://bugs.webkit.org/show_bug.cgi?id=190047
1612         https://trac.webkit.org/changeset/239155
1613
1614 2018-12-14  Keith Miller  <keith_miller@apple.com>
1615
1616         Callers of JSString::getIndex should check for OOM exceptions
1617         https://bugs.webkit.org/show_bug.cgi?id=192709
1618
1619         Reviewed by Mark Lam.
1620
1621         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1622
1623 2018-12-13  Mark Lam  <mark.lam@apple.com>
1624
1625         Add a missing exception check.
1626         https://bugs.webkit.org/show_bug.cgi?id=192626
1627         <rdar://problem/46662163>
1628
1629         Reviewed by Keith Miller.
1630
1631         * stress/regress-192626.js: Added.
1632
1633 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1634
1635         [BigInt] Add ValueDiv into DFG
1636         https://bugs.webkit.org/show_bug.cgi?id=186178
1637
1638         Reviewed by Yusuke Suzuki.
1639
1640         * stress/big-int-div-jit-osr.js: Added.
1641         * stress/big-int-div-jit-untyped.js: Added.
1642         * stress/value-div-fixup-int32-big-int.js: Added.
1643
1644 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1645
1646         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1647         https://bugs.webkit.org/show_bug.cgi?id=190047
1648
1649         Reviewed by Keith Miller.
1650
1651         * stress/object-keys-cached-zero.js: Added.
1652         (shouldBe):
1653         (test):
1654         * stress/object-keys-changed-attribute.js: Added.
1655         (shouldBe):
1656         (test):
1657         * stress/object-keys-changed-index.js: Added.
1658         (shouldBe):
1659         (test):
1660         * stress/object-keys-changed.js: Added.
1661         (shouldBe):
1662         (test):
1663         * stress/object-keys-indexed-non-cache.js: Added.
1664         (shouldBe):
1665         (test):
1666         * stress/object-keys-overrides-get-property-names.js: Added.
1667         (shouldBe):
1668         (test):
1669         (noInline):
1670
1671 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1672
1673         [DFG][FTL] Add NewSymbol
1674         https://bugs.webkit.org/show_bug.cgi?id=192620
1675
1676         Reviewed by Saam Barati.
1677
1678         * microbenchmarks/symbol-creation.js: Added.
1679         (test):
1680         * stress/symbol-description-identity.js: Added.
1681         (shouldBe):
1682         (test):
1683         * stress/symbol-identity.js: Added.
1684         (shouldBe):
1685         (test):
1686         * stress/symbol-with-description-throw-error.js: Added.
1687         (shouldBe):
1688         (shouldThrow):
1689         (test):
1690         (object.toString):
1691
1692 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1693
1694         [BigInt] Implement DFG/FTL typeof for BigInt
1695         https://bugs.webkit.org/show_bug.cgi?id=192619
1696
1697         Reviewed by Keith Miller.
1698
1699         * stress/big-int-boolean-proven-type.js: Added.
1700         (assert):
1701         (bool):
1702         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1703         (assert):
1704         (typeOf):
1705         (i.switch):
1706         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1707         (assert):
1708         (typeOf):
1709         * stress/big-int-type-of.js:
1710         (typeOf):
1711         (func):
1712
1713 2018-12-10  Mark Lam  <mark.lam@apple.com>
1714
1715         PropertyAttribute needs a CustomValue bit.
1716         https://bugs.webkit.org/show_bug.cgi?id=191993
1717         <rdar://problem/46264467>
1718
1719         Reviewed by Saam Barati.
1720
1721         * stress/regress-191993.js: Added.
1722
1723 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1724
1725         [BigInt] Add ValueMul into DFG
1726         https://bugs.webkit.org/show_bug.cgi?id=186175
1727
1728         Reviewed by Yusuke Suzuki.
1729
1730         * stress/big-int-mul-jit-osr.js: Added.
1731         * stress/big-int-mul-jit-untyped.js: Added.
1732         * stress/value-mul-fixup-int32-big-int.js: Added.
1733
1734 2018-12-06  Keith Miller  <keith_miller@apple.com>
1735
1736         stress/big-wasm-memory tests failing on 32-bit JSC bot
1737         https://bugs.webkit.org/show_bug.cgi?id=192020
1738
1739         Reviewed by Saam Barati.
1740
1741         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1742         the wasm stress tests if the WebAssembly object does not exist.
1743
1744         * stress/big-wasm-memory-grow-no-max.js:
1745         (test.foo):
1746         (test):
1747         (foo): Deleted.
1748         (catch): Deleted.
1749         * stress/big-wasm-memory-grow.js:
1750         (test.foo):
1751         (test):
1752         (foo): Deleted.
1753         (catch): Deleted.
1754         * stress/big-wasm-memory.js:
1755         (test.foo):
1756         (test):
1757         (foo): Deleted.
1758         (catch): Deleted.
1759
1760 2018-12-05  Mark Lam  <mark.lam@apple.com>
1761
1762         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1763         https://bugs.webkit.org/show_bug.cgi?id=192441
1764         <rdar://problem/46480355>
1765
1766         Reviewed by Saam Barati.
1767
1768         * stress/regress-192441.js: Added.
1769
1770 2018-12-04  Mark Lam  <mark.lam@apple.com>
1771
1772         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1773         https://bugs.webkit.org/show_bug.cgi?id=192386
1774         <rdar://problem/46445516>
1775
1776         Reviewed by Saam Barati.
1777
1778         * stress/regress-192386.js: Added.
1779
1780 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1781
1782         [ESNext][BigInt] Support logic operations
1783         https://bugs.webkit.org/show_bug.cgi?id=179903
1784
1785         Reviewed by Yusuke Suzuki.
1786
1787         * stress/big-int-branch-usage.js: Added.
1788         * stress/big-int-logical-and.js: Added.
1789         * stress/big-int-logical-not.js: Added.
1790         * stress/big-int-logical-or.js: Added.
1791
1792 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1793
1794         Unreviewed, rolling out r238833.
1795
1796         Breaks macOS and iOS debug builds.
1797
1798         Reverted changeset:
1799
1800         "[ESNext][BigInt] Support logic operations"
1801         https://bugs.webkit.org/show_bug.cgi?id=179903
1802         https://trac.webkit.org/changeset/238833
1803
1804 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1805
1806         [ESNext][BigInt] Support logic operations
1807         https://bugs.webkit.org/show_bug.cgi?id=179903
1808
1809         Reviewed by Yusuke Suzuki.
1810
1811         * stress/big-int-branch-usage.js: Added.
1812         * stress/big-int-logical-and.js: Added.
1813         * stress/big-int-logical-not.js: Added.
1814         * stress/big-int-logical-or.js: Added.
1815
1816 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1817
1818         [ESNext][BigInt] Implement support for "<<" and ">>"
1819         https://bugs.webkit.org/show_bug.cgi?id=186233
1820
1821         Reviewed by Yusuke Suzuki.
1822
1823         * stress/big-int-left-shift-general.js: Added.
1824         * stress/big-int-left-shift-range-error.js: Added.
1825         * stress/big-int-left-shift-type-error.js: Added.
1826         * stress/big-int-left-shift-wrapped-value.js: Added.
1827         * stress/big-int-right-shift-general.js: Added.
1828         * stress/big-int-right-shift-type-error.js: Added.
1829         * stress/big-int-right-shift-wrapped-value.js: Added.
1830         * stress/left-shift-to-primitive-precedence.js: Added.
1831         * stress/right-shift-to-primitive-precedence.js: Added.
1832
1833 2018-11-30  Dean Jackson  <dino@apple.com>
1834
1835         Add first-class support for .mjs files in jsc binary
1836         https://bugs.webkit.org/show_bug.cgi?id=192190
1837         <rdar://problem/46375715>
1838
1839         Reviewed by Keith Miller.
1840
1841         * stress/simple-module.mjs: Added.
1842         * stress/simple-script.js: Added.
1843
1844 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1845
1846         [BigInt] Implement ValueBitXor into DFG
1847         https://bugs.webkit.org/show_bug.cgi?id=190264
1848
1849         Reviewed by Yusuke Suzuki.
1850
1851         * stress/big-int-bitwise-xor-jit.js: Added.
1852         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1853         * stress/big-int-bitwise-xor-untyped.js: Added.
1854
1855 2018-11-27  Saam barati  <sbarati@apple.com>
1856
1857         r238510 broke scopes of size zero
1858         https://bugs.webkit.org/show_bug.cgi?id=192033
1859         <rdar://problem/46281734>
1860
1861         Reviewed by Keith Miller.
1862
1863         * stress/r238510-bad-loop.js: Added.
1864         (foo):
1865
1866 2018-11-27  Mark Lam  <mark.lam@apple.com>
1867
1868         [Re-landing] NaNs read from Wasm code needs to be purified.
1869         https://bugs.webkit.org/show_bug.cgi?id=191056
1870         <rdar://problem/45660341>
1871
1872         Reviewed by Filip Pizlo.
1873
1874         * wasm/regress/regress-191056.js: Added.
1875
1876 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1877
1878         Unreviewed, rolling out r238509.
1879
1880         Causes JSC tests to fail on iOS.
1881
1882         Reverted changeset:
1883
1884         "NaNs read from Wasm code needs to be purified."
1885         https://bugs.webkit.org/show_bug.cgi?id=191056
1886         https://trac.webkit.org/changeset/238509
1887
1888 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1889
1890         Re-introduce op_bitnot
1891         https://bugs.webkit.org/show_bug.cgi?id=190923
1892
1893         Reviewed by Yusuke Suzuki.
1894
1895         * stress/bit-not-must-generate.js: Added.
1896         * stress/bitwise-not-no-int32.js: Added.
1897
1898 2018-11-26  Saam barati  <sbarati@apple.com>
1899
1900         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1901         https://bugs.webkit.org/show_bug.cgi?id=191956
1902         <rdar://problem/45665806>
1903
1904         Reviewed by Yusuke Suzuki.
1905
1906         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1907         (bar):
1908         (foo):
1909
1910 2018-11-26  Saam barati  <sbarati@apple.com>
1911
1912         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1913         https://bugs.webkit.org/show_bug.cgi?id=191958
1914         <rdar://problem/46221877>
1915
1916         Reviewed by Yusuke Suzuki.
1917
1918         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1919         (x):
1920         (foo):
1921
1922 2018-11-26  Mark Lam  <mark.lam@apple.com>
1923
1924         NaNs read from Wasm code needs to be purified.
1925         https://bugs.webkit.org/show_bug.cgi?id=191056
1926         <rdar://problem/45660341>
1927
1928         Reviewed by Filip Pizlo.
1929
1930         * wasm/regress/regress-191056.js: Added.
1931
1932 2018-11-26  Michael Saboff  <msaboff@apple.com>
1933
1934         32-bit JSC test failure: stress/regexp-compile-oom.js
1935         https://bugs.webkit.org/show_bug.cgi?id=191375
1936
1937         Reviewed by Mark Lam.
1938
1939         Disabled the test for 32 bit platforms.
1940
1941         * stress/regexp-compile-oom.js:
1942
1943 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1944
1945         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1946         https://bugs.webkit.org/show_bug.cgi?id=191716
1947         <rdar://problem/45723878>
1948
1949         Reviewed by Saam Barati.
1950
1951         * stress/regress-187373.js: Added.
1952         (async.fn):
1953
1954 2018-11-21  Saam barati  <sbarati@apple.com>
1955
1956         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1957         https://bugs.webkit.org/show_bug.cgi?id=191897
1958         <rdar://problem/45871998>
1959
1960         Reviewed by Mark Lam.
1961
1962         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1963         (bar):
1964         (foo):
1965
1966 2018-11-21  Saam barati  <sbarati@apple.com>
1967
1968         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1969         https://bugs.webkit.org/show_bug.cgi?id=191895
1970         <rdar://problem/46167406>
1971
1972         Reviewed by Mark Lam.
1973
1974         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1975         (foo):
1976         (bar):
1977
1978 2018-11-21  Mark Lam  <mark.lam@apple.com>
1979
1980         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1981         https://bugs.webkit.org/show_bug.cgi?id=191776
1982         <rdar://problem/46152851>
1983
1984         Reviewed by Saam Barati.
1985
1986         * stress/big-wasm-memory-grow-no-max.js:
1987         * stress/big-wasm-memory-grow.js:
1988         * stress/big-wasm-memory.js:
1989         - updated these to expect an OutOfMemoryError.
1990
1991         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1992         (Binary.prototype.emit_u8):
1993         (Binary.prototype.emit_u32v):
1994         (Binary.prototype.emit_header):
1995         (Binary.prototype.emit_section):
1996         (Binary):
1997         (WasmModuleBuilder):
1998         (WasmModuleBuilder.prototype.addMemory):
1999         (WasmModuleBuilder.prototype.toArray):
2000         (WasmModuleBuilder.prototype.toBuffer):
2001         (WasmModuleBuilder.prototype.instantiate):
2002         (catch):
2003         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2004         (catch):
2005
2006 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2007
2008         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2009         https://bugs.webkit.org/show_bug.cgi?id=190836
2010
2011         Reviewed by Saam Barati and Yusuke Suzuki.
2012
2013         * stress/big-int-out-of-memory-tests.js: Added.
2014
2015 2018-11-20  Mark Lam  <mark.lam@apple.com>
2016
2017         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2018         https://bugs.webkit.org/show_bug.cgi?id=191856
2019         <rdar://problem/46089992>
2020
2021         Reviewed by Yusuke Suzuki.
2022
2023         * stress/regress-191856.js: Added.
2024         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2025
2026 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2027
2028         Enable JIT on ARM/Linux
2029         https://bugs.webkit.org/show_bug.cgi?id=191548
2030
2031         Reviewed by Yusuke Suzuki.
2032
2033         Disable test on system with limited memory. Program was killed by
2034         the OS before the exception was thrown.
2035
2036         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2037
2038 2018-11-20  Saam barati  <sbarati@apple.com>
2039
2040         Merging an IC variant may lead to the IC status containing overlapping structure sets
2041         https://bugs.webkit.org/show_bug.cgi?id=191869
2042         <rdar://problem/45403453>
2043
2044         Reviewed by Mark Lam.
2045
2046         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2047
2048 2018-11-19  Mark Lam  <mark.lam@apple.com>
2049
2050         globalFuncImportModule() should return a promise when it clears exceptions.
2051         https://bugs.webkit.org/show_bug.cgi?id=191792
2052         <rdar://problem/46090763>
2053
2054         Reviewed by Michael Saboff.
2055
2056         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2057
2058 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2059
2060         Skip new memory-hungry tests on memory limited devices
2061
2062         Unreviewed gardening.
2063
2064         * stress/big-wasm-memory-grow-no-max.js:
2065         * stress/big-wasm-memory-grow.js:
2066         * stress/big-wasm-memory.js:
2067
2068 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2069
2070         Unreviewed, rolling in the rest of r237254
2071         https://bugs.webkit.org/show_bug.cgi?id=190340
2072
2073         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2074         * stress/function-cache-with-parameters-end-position.js: Added.
2075         (shouldBe):
2076         (shouldThrow):
2077         (i.anonymous):
2078         * stress/function-constructor-name.js: Added.
2079         (shouldBe):
2080         (GeneratorFunction):
2081         (AsyncFunction.async):
2082         (AsyncGeneratorFunction.async):
2083         (anonymous):
2084         (async.anonymous):
2085         * test262/expectations.yaml:
2086
2087 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2088
2089         All users of ArrayBuffer should agree on the same max size
2090         https://bugs.webkit.org/show_bug.cgi?id=191771
2091
2092         Reviewed by Mark Lam.
2093
2094         * stress/big-wasm-memory-grow-no-max.js: Added.
2095         (foo):
2096         (catch):
2097         * stress/big-wasm-memory-grow.js: Added.
2098         (foo):
2099         (catch):
2100         * stress/big-wasm-memory.js: Added.
2101         (foo):
2102         (catch):
2103
2104 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2105
2106         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2107         run for each JSC config since they're regression tests for runtime bugs.
2108
2109         * stress/json-stringified-overflow-2.js:
2110         * stress/json-stringified-overflow.js:
2111
2112 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2113
2114         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2115         config since they're regression tests for runtime bugs.
2116
2117         * stress/large-unshift-splice.js:
2118         * stress/regress-185888.js:
2119
2120 2018-11-16  Saam Barati  <sbarati@apple.com>
2121
2122         KnownCellUse should also have SpecCellCheck as its type filter
2123         https://bugs.webkit.org/show_bug.cgi?id=191729
2124         <rdar://problem/45872852>
2125
2126         Reviewed by Filip Pizlo.
2127
2128         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2129         (C):
2130
2131 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2132
2133         Fix assertion failure on BytecodeGenerator::recordOpcode
2134         https://bugs.webkit.org/show_bug.cgi?id=191724
2135         <rdar://problem/45724395>
2136
2137         Reviewed by Saam Barati.
2138
2139         * stress/regress-187373-2.js: Added.
2140         (foo):
2141
2142 2018-11-15  Mark Lam  <mark.lam@apple.com>
2143
2144         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2145         https://bugs.webkit.org/show_bug.cgi?id=191730
2146         <rdar://problem/46048517>
2147
2148         Reviewed by Saam Barati.
2149
2150         * stress/regress-187006.js: Removed.
2151           - this test is invalid because its sole purpose is to test for the non-spec
2152             compliant behavior that we just fixed.
2153
2154         * stress/regress-191730.js: Added.
2155
2156 2018-11-15  Mark Lam  <mark.lam@apple.com>
2157
2158         RegExp operations should not take fast path if lastIndex is not numeric.
2159         https://bugs.webkit.org/show_bug.cgi?id=191731
2160         <rdar://problem/46017305>
2161
2162         Reviewed by Saam Barati.
2163
2164         * stress/regress-191731.js: Added.
2165
2166 2018-11-13  Saam Barati  <sbarati@apple.com>
2167
2168         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2169         https://bugs.webkit.org/show_bug.cgi?id=191600
2170
2171         Reviewed by Mark Lam.
2172
2173         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2174         (foo):
2175         (test):
2176         (bar):
2177
2178 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2179
2180         Unreviewed, rolling out r238132.
2181
2182         The test added with this change is timing out on Debug JSC
2183         bots.
2184
2185         Reverted changeset:
2186
2187         "[BigInt] JSBigInt::createWithLength should throw when length
2188         is greater than JSBigInt::maxLength"
2189         https://bugs.webkit.org/show_bug.cgi?id=190836
2190         https://trac.webkit.org/changeset/238132
2191
2192 2018-11-13  Mark Lam  <mark.lam@apple.com>
2193
2194         Add OOM detection to StringPrototype's substituteBackreferences().
2195         https://bugs.webkit.org/show_bug.cgi?id=191563
2196         <rdar://problem/45720428>
2197
2198         Reviewed by Saam Barati.
2199
2200         * stress/regress-191563.js: Added.
2201
2202 2018-11-13  Mark Lam  <mark.lam@apple.com>
2203
2204         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2205         https://bugs.webkit.org/show_bug.cgi?id=191579
2206         <rdar://problem/45942472>
2207
2208         Reviewed by Saam Barati.
2209
2210         * stress/regress-191579.js: Added.
2211
2212 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2213
2214         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2215         https://bugs.webkit.org/show_bug.cgi?id=190836
2216
2217         Reviewed by Saam Barati.
2218
2219         * stress/big-int-out-of-memory-tests.js: Added.
2220
2221 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2222
2223         U+180E is no longer a whitespace character
2224         https://bugs.webkit.org/show_bug.cgi?id=191415
2225
2226         Reviewed by Saam Barati.
2227
2228         * ChakraCore/test/es5/regexSpace.baseline:
2229         * ChakraCore/test/es6/unicode_whitespace.js:
2230         Update tests to latest version.
2231         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2232
2233         * test262.yaml:
2234         * test262/config.yaml:
2235         * test262/expectations.yaml:
2236         Update expectations.
2237
2238 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2239
2240         [BigInt] Add support to BigInt into ValueAdd
2241         https://bugs.webkit.org/show_bug.cgi?id=186177
2242
2243         Reviewed by Keith Miller.
2244
2245         * stress/big-int-negate-jit.js:
2246         * stress/value-add-big-int-and-string.js: Added.
2247         * stress/value-add-big-int-prediction-propagation.js: Added.
2248         * stress/value-add-big-int-untyped.js: Added.
2249
2250 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2251
2252         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2253         https://bugs.webkit.org/show_bug.cgi?id=191184
2254
2255         Reviewed by Saam Barati.
2256
2257         Most tests were failing due to timeouts, since they are too slow to
2258         run on CLoop. The exceptions are:
2259
2260         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2261         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2262         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2263         to change the stack size since CLoop requires it to be page aligned.
2264
2265         * microbenchmarks/array-push-1.js:
2266         * microbenchmarks/array-push-2.js:
2267         * microbenchmarks/elidable-new-object-dag.js:
2268         * microbenchmarks/elidable-new-object-roflcopter.js:
2269         * microbenchmarks/elidable-new-object-tree.js:
2270         * microbenchmarks/getter-richards.js:
2271         * microbenchmarks/sinkable-new-object-dag.js:
2272         * microbenchmarks/string-concat-long-convert.js:
2273         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2274         * slowMicrobenchmarks/array-push-3.js:
2275         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2276         * slowMicrobenchmarks/spread-small-array.js:
2277         * slowMicrobenchmarks/undefined-property-access.js:
2278         * stress/activation-sink-default-value-tdz-error.js:
2279         * stress/activation-sink-default-value.js:
2280         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2281         * stress/activation-sink-osrexit-default-value.js:
2282         * stress/activation-sink-osrexit.js:
2283         * stress/activation-sink.js:
2284         * stress/allow-math-ic-b3-code-duplication.js:
2285         * stress/array-push-multiple-int32.js:
2286         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2287         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2288         * stress/arrowfunction-lexical-this-activation-sink.js:
2289         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2290         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2291         * stress/elide-new-object-dag-then-exit.js:
2292         * stress/materialize-regexp-cyclic.js:
2293         * stress/new-regex-inline.js:
2294         * stress/op_add.js:
2295         * stress/op_bitand.js:
2296         * stress/op_bitor.js:
2297         * stress/op_bitxor.js:
2298         * stress/op_div-ConstVar.js:
2299         * stress/op_div-VarConst.js:
2300         * stress/op_div-VarVar.js:
2301         * stress/op_lshift-ConstVar.js:
2302         * stress/op_lshift-VarConst.js:
2303         * stress/op_lshift-VarVar.js:
2304         * stress/op_mod-ConstVar.js:
2305         * stress/op_mod-VarConst.js:
2306         * stress/op_mod-VarVar.js:
2307         * stress/op_mul-ConstVar.js:
2308         * stress/op_mul-VarConst.js:
2309         * stress/op_mul-VarVar.js:
2310         * stress/op_rshift-ConstVar.js:
2311         * stress/op_rshift-VarConst.js:
2312         * stress/op_rshift-VarVar.js:
2313         * stress/op_sub-ConstVar.js:
2314         * stress/op_sub-VarConst.js:
2315         * stress/op_sub-VarVar.js:
2316         * stress/op_urshift-ConstVar.js:
2317         * stress/op_urshift-VarConst.js:
2318         * stress/op_urshift-VarVar.js:
2319         * stress/proxy-get-set-correct-receiver.js:
2320         * stress/regress-179562.js:
2321         * stress/rest-parameter-many-arguments.js:
2322         * stress/sampling-profiler-richards.js:
2323         * stress/splay-flash-access-1ms.js:
2324         * stress/tailCallForwardArguments.js:
2325         * stress/typed-array-get-by-val-profiling.js:
2326         * typeProfiler/getter-richards.js:
2327
2328 2018-11-06  Michael Saboff  <msaboff@apple.com>
2329
2330         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2331         https://bugs.webkit.org/show_bug.cgi?id=191271
2332
2333         Reviewed by Saam Barati.
2334
2335         Added more test cases and made all test cases run with the same deeply recursive stack
2336         instead of finding that same point for each test case.
2337
2338         * stress/regexp-compile-oom.js:
2339         (prototype.runTest):
2340         (recurseAndTest):
2341         (testList.push.new.TestAndExpectedException):
2342
2343 2018-11-05  Michael Saboff  <msaboff@apple.com>
2344
2345         Unreviewed build fix for linux.
2346
2347         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2348
2349 2018-11-02  Michael Saboff  <msaboff@apple.com>
2350
2351         Rolling in r237753 with unreviewed build fix.
2352
2353         Fixed issues with DECLARE_THROW_SCOPE placement.
2354
2355 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2356
2357         Unreviewed, rolling out r237753.
2358
2359         Introduced JSC test failures
2360
2361         Reverted changeset:
2362
2363         "Running out of stack space not properly handled in
2364         RegExp::compile() and its callers"
2365         https://bugs.webkit.org/show_bug.cgi?id=191206
2366         https://trac.webkit.org/changeset/237753
2367
2368 2018-11-02  Michael Saboff  <msaboff@apple.com>
2369
2370         Running out of stack space not properly handled in RegExp::compile() and its callers
2371         https://bugs.webkit.org/show_bug.cgi?id=191206
2372
2373         Reviewed by Filip Pizlo.
2374
2375         New regression test.
2376
2377         * stress/regexp-compile-oom.js: Added.
2378         (recurseAndTest):
2379
2380 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2381
2382         Skip tests on arm/mips that time out now we're running on CLoop
2383
2384         Unreviewed gardening.
2385
2386         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2387         time out on the bots and need to be disabled. There's more tests
2388         disabled on arm because the timeout is longer on the mips bot (as the
2389         device is slower to start with), so many of the tests don't time out
2390         there.
2391
2392         * microbenchmarks/getter-richards.js: disable on arm and mips.
2393         * stress/op_add.js: disable on arm.
2394         * stress/op_bitand.js: disable on arm.
2395         * stress/op_bitor.js: disable on arm.
2396         * stress/op_bitxor.js: disable on arm.
2397         * stress/op_lshift-ConstVar.js: disable on arm.
2398         * stress/op_lshift-VarConst.js: disable on arm.
2399         * stress/op_lshift-VarVar.js: disable on arm.
2400         * stress/op_mod-ConstVar.js: disable on arm.
2401         * stress/op_mod-VarConst.js: disable on arm.
2402         * stress/op_mod-VarVar.js: disable on arm.
2403         * stress/op_mul-ConstVar.js: disable on arm.
2404         * stress/op_mul-VarConst.js: disable on arm.
2405         * stress/op_mul-VarVar.js: disable on arm.
2406         * stress/op_rshift-ConstVar.js: disable on arm.
2407         * stress/op_rshift-VarConst.js: disable on arm.
2408         * stress/op_rshift-VarVar.js: disable on arm.
2409         * stress/op_sub-ConstVar.js: disable on arm.
2410         * stress/op_sub-VarConst.js: disable on arm.
2411         * stress/op_sub-VarVar.js: disable on arm.
2412         * stress/op_urshift-ConstVar.js: disable on arm.
2413         * stress/op_urshift-VarConst.js: disable on arm.
2414         * stress/op_urshift-VarVar.js: disable on arm.
2415         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2416         * stress/value-to-boolean.js: disable on arm and mips.
2417
2418 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2419
2420         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2421         https://bugs.webkit.org/show_bug.cgi?id=191108
2422         <rdar://problem/45690700>
2423
2424         Reviewed by Saam Barati.
2425
2426         * stress/wide-op_catch.js: Added.
2427         (catch):
2428
2429 2018-10-29  Mark Lam  <mark.lam@apple.com>
2430
2431         Correctly detect string overflow when using the 'Function' constructor.
2432         https://bugs.webkit.org/show_bug.cgi?id=184883
2433         <rdar://problem/36320331>
2434
2435         Reviewed by Saam Barati.
2436
2437         I've verified that this passes on 32-bit as well.
2438
2439         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2440
2441 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2442
2443         Add support for GetStack FlushedDouble
2444         https://bugs.webkit.org/show_bug.cgi?id=191012
2445         <rdar://problem/45265141>
2446
2447         Reviewed by Saam Barati.
2448
2449         * stress/get-stack-double.js: Added.
2450         (bar):
2451         (noInline):
2452
2453 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2454
2455         New bytecode format for JSC
2456         https://bugs.webkit.org/show_bug.cgi?id=187373
2457         <rdar://problem/44186758>
2458
2459         Reviewed by Filip Pizlo.
2460
2461         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2462
2463         * stress/maximum-inline-capacity.js: Added.
2464         (test1):
2465         (test3.Foo):
2466         (test3):
2467
2468 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2469
2470         Unreviewed, rolling out r237479 and r237484.
2471         https://bugs.webkit.org/show_bug.cgi?id=190978
2472
2473         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2474
2475         Reverted changesets:
2476
2477         "New bytecode format for JSC"
2478         https://bugs.webkit.org/show_bug.cgi?id=187373
2479         https://trac.webkit.org/changeset/237479
2480
2481         "Gardening: Build fix after r237479."
2482         https://bugs.webkit.org/show_bug.cgi?id=187373
2483         https://trac.webkit.org/changeset/237484
2484
2485 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2486
2487         New bytecode format for JSC
2488         https://bugs.webkit.org/show_bug.cgi?id=187373
2489         <rdar://problem/44186758>
2490
2491         Reviewed by Filip Pizlo.
2492
2493         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2494
2495         * stress/maximum-inline-capacity.js: Added.
2496         (test1):
2497         (test3.Foo):
2498         (test3):
2499
2500 2018-10-26  Mark Lam  <mark.lam@apple.com>
2501
2502         Fix missing edge cases with JSGlobalObjects having a bad time.
2503         https://bugs.webkit.org/show_bug.cgi?id=189028
2504         <rdar://problem/45204939>
2505
2506         Reviewed by Saam Barati.
2507
2508         * stress/regress-189028.js: Added.
2509
2510 2018-10-22  Mark Lam  <mark.lam@apple.com>
2511
2512         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2513         https://bugs.webkit.org/show_bug.cgi?id=190515
2514         <rdar://problem/45222379>
2515
2516         Rubber-stamped by Saam Barati.
2517
2518         Adding another test.
2519
2520         * stress/regress-190515-2.js: Added.
2521
2522 2018-10-22  Mark Lam  <mark.lam@apple.com>
2523
2524         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2525         https://bugs.webkit.org/show_bug.cgi?id=190515
2526         <rdar://problem/45222379>
2527
2528         Reviewed by Saam Barati.
2529
2530         * stress/regress-190515.js: Added.
2531
2532 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2533
2534         Unreviewed, rolling out r237254.
2535         https://bugs.webkit.org/show_bug.cgi?id=190760
2536
2537         "It regresses JetStream 2 by 5% on some iOS devices"
2538         (Requested by saamyjoon on #webkit).
2539
2540         Reverted changeset:
2541
2542         "[JSC] JSC should have "parseFunction" to optimize Function
2543         constructor"
2544         https://bugs.webkit.org/show_bug.cgi?id=190340
2545         https://trac.webkit.org/changeset/237254
2546
2547 2018-10-19  Saam Barati  <sbarati@apple.com>
2548
2549         vmCall should check if we exit before emitting an OSR exit due to exceptions
2550         https://bugs.webkit.org/show_bug.cgi?id=190740
2551         <rdar://problem/45220139>
2552
2553         Reviewed by Mark Lam.
2554
2555         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2556         (foo):
2557
2558 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2559
2560         [ESNext][BigInt] Implement support for "^"
2561         https://bugs.webkit.org/show_bug.cgi?id=186235
2562
2563         Reviewed by Yusuke Suzuki.
2564
2565         * stress/big-int-bitwise-xor-general.js: Added.
2566         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2567         * stress/big-int-bitwise-xor-type-error.js: Added.
2568         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2569
2570 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2571
2572         [BigInt] Add ValueSub into DFG
2573         https://bugs.webkit.org/show_bug.cgi?id=186176
2574
2575         Reviewed by Yusuke Suzuki.
2576
2577         * stress/big-int-subtraction-jit.js:
2578         * stress/value-sub-big-int-prediction-propagation.js: Added.
2579         * stress/value-sub-big-int-untyped.js: Added.
2580         * stress/value-sub-spec-none-case.js: Added.
2581
2582 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2583
2584         [JSC] JSC should have "parseFunction" to optimize Function constructor
2585         https://bugs.webkit.org/show_bug.cgi?id=190340
2586
2587         Reviewed by Mark Lam.
2588
2589         This patch fixes the line number of syntax errors raised by the Function constructor,
2590         since we now parse the final code only once. And we no longer use block statement
2591         for Function constructor's parsing.
2592
2593         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2594         * stress/function-cache-with-parameters-end-position.js: Added.
2595         (shouldBe):
2596         (shouldThrow):
2597         (i.anonymous):
2598         * stress/function-constructor-name.js: Added.
2599         (shouldBe):
2600         (GeneratorFunction):
2601         (AsyncFunction.async):
2602         (AsyncGeneratorFunction.async):
2603         (anonymous):
2604         (async.anonymous):
2605         * test262/expectations.yaml:
2606
2607 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2608
2609         Unreviewed, rolling out r237242.
2610         https://bugs.webkit.org/show_bug.cgi?id=190701
2611
2612         it breaks "stress/sampling-profiler-basic.js" (Requested by
2613         caiolima on #webkit).
2614
2615         Reverted changeset:
2616
2617         "[BigInt] Add ValueSub into DFG"
2618         https://bugs.webkit.org/show_bug.cgi?id=186176
2619         https://trac.webkit.org/changeset/237242
2620
2621 2018-10-17  Keith Miller  <keith_miller@apple.com>
2622
2623         AI does not clear Phantom allocation nodes.
2624         https://bugs.webkit.org/show_bug.cgi?id=190694
2625
2626         Reviewed by Saam Barati.
2627
2628         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2629         (Day):
2630         (DaysInYear):
2631         (TimeInYear):
2632         (TimeFromYear):
2633         (DayFromYear):
2634         (InLeapYear):
2635         (YearFromTime):
2636         (WeekDay):
2637         (DaylightSavingTA):
2638         (GetSecondSundayInMarch):
2639         (TimeInMonth):
2640
2641 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2642
2643         [BigInt] Add ValueSub into DFG
2644         https://bugs.webkit.org/show_bug.cgi?id=186176
2645
2646         Reviewed by Yusuke Suzuki.
2647
2648         * stress/big-int-subtraction-jit.js:
2649         * stress/value-sub-big-int-prediction-propagation.js: Added.
2650         * stress/value-sub-big-int-untyped.js: Added.
2651
2652 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2653
2654         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2655         https://bugs.webkit.org/show_bug.cgi?id=190611
2656
2657         Reviewed by Saam Barati.
2658
2659         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2660         to improve test runtime. On ARM/MIPS this test even timed out when running all
2661         tests.
2662
2663         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2664         (test):
2665
2666 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2667
2668         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2669
2670         Unreviewed gardening.
2671
2672         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2673
2674 2018-10-15  Saam barati  <sbarati@apple.com>
2675
2676         Emit fjcvtzs on ARM64E on Darwin
2677         https://bugs.webkit.org/show_bug.cgi?id=184023
2678
2679         Reviewed by Yusuke Suzuki and Filip Pizlo.
2680
2681         * stress/double-to-int32-NaN.js: Added.
2682         (assert):
2683         (foo):
2684
2685 2018-10-15  Saam Barati  <sbarati@apple.com>
2686
2687         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2688         https://bugs.webkit.org/show_bug.cgi?id=190262
2689         <rdar://problem/44986241>
2690
2691         Reviewed by Mark Lam.
2692
2693         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2694         (test):
2695         * stress/slice-array-storage-with-holes.js: Added.
2696         (main):
2697
2698 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2699
2700         Unreviewed, rolling out r237054.
2701         https://bugs.webkit.org/show_bug.cgi?id=190593
2702
2703         "this regressed JetStream 2 by 6% on iOS" (Requested by
2704         saamyjoon on #webkit).
2705
2706         Reverted changeset:
2707
2708         "[JSC] JSC should have "parseFunction" to optimize Function
2709         constructor"
2710         https://bugs.webkit.org/show_bug.cgi?id=190340
2711         https://trac.webkit.org/changeset/237054
2712
2713 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2714
2715         [JSC] JSON.stringify can accept call-with-no-arguments
2716         https://bugs.webkit.org/show_bug.cgi?id=190343
2717
2718         Reviewed by Mark Lam.
2719
2720         * stress/json-stringify-no-arguments.js: Added.
2721         (shouldBe):
2722
2723 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2724
2725         [JSC] JSC should have "parseFunction" to optimize Function constructor
2726         https://bugs.webkit.org/show_bug.cgi?id=190340
2727
2728         Reviewed by Mark Lam.
2729
2730         This patch fixes the line number of syntax errors raised by the Function constructor,
2731         since we now parse the final code only once. And we no longer use block statement
2732         for Function constructor's parsing.
2733
2734         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2735         * stress/function-cache-with-parameters-end-position.js: Added.
2736         (shouldBe):
2737         (shouldThrow):
2738         (i.anonymous):
2739         * stress/function-constructor-name.js: Added.
2740         (shouldBe):
2741         (GeneratorFunction):
2742         (AsyncFunction.async):
2743         (AsyncGeneratorFunction.async):
2744         (anonymous):
2745         (async.anonymous):
2746         * test262/expectations.yaml:
2747
2748 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2749
2750         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2751         https://bugs.webkit.org/show_bug.cgi?id=190426
2752
2753         Unreviewed gardening.
2754
2755         * stress/sampling-profiler-richards.js:
2756
2757 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2758
2759         [ESNext][BigInt] Implement support for "|"
2760         https://bugs.webkit.org/show_bug.cgi?id=186229
2761
2762         Reviewed by Yusuke Suzuki.
2763
2764         * stress/big-int-bitwise-and-jit.js:
2765         * stress/big-int-bitwise-or-general.js: Added.
2766         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2767         * stress/big-int-bitwise-or-jit.js: Added.
2768         * stress/big-int-bitwise-or-memory-stress.js: Added.
2769         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2770         * stress/big-int-bitwise-or-type-error.js: Added.
2771         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2772
2773 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2774
2775         Skip test on systems with limited memory
2776         https://bugs.webkit.org/show_bug.cgi?id=190310
2777
2778         Invoking runDefault adds test to runlist, skipping the test in the next
2779         line does not prevent the test from executing. Change order of lines such
2780         that runDefault is only executed if test is not executed.
2781
2782         Reviewed by Mark Lam.
2783
2784         * stress/regress-190187.js:
2785
2786 2018-10-03  Saam barati  <sbarati@apple.com>
2787
2788         lowXYZ in FTLLower should always filter the type of the incoming edge
2789         https://bugs.webkit.org/show_bug.cgi?id=189939
2790         <rdar://problem/44407030>
2791
2792         Reviewed by Michael Saboff.
2793
2794         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2795         (foo):
2796         (test):
2797
2798 2018-10-03  Mark Lam  <mark.lam@apple.com>
2799
2800         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2801         https://bugs.webkit.org/show_bug.cgi?id=190187
2802         <rdar://problem/42512909>
2803
2804         Reviewed by Michael Saboff.
2805
2806         * stress/regress-190187.js: Added.
2807
2808 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2809
2810         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2811         https://bugs.webkit.org/show_bug.cgi?id=190033
2812
2813         Reviewed by Yusuke Suzuki.
2814
2815         * stress/big-int-to-string.js:
2816
2817 2018-10-01  Mark Lam  <mark.lam@apple.com>
2818
2819         Function.toString() should also copy the source code of Functions that are class definitions.
2820         https://bugs.webkit.org/show_bug.cgi?id=190186
2821         <rdar://problem/44733360>
2822
2823         Reviewed by Saam Barati.
2824
2825         * stress/regress-190186.js: Added.
2826
2827 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2828
2829         Split NaN-check into separate test
2830         https://bugs.webkit.org/show_bug.cgi?id=190010
2831
2832         Reviewed by Saam Barati.
2833
2834         DataView exposes NaN-representation, which is not necessarily the same on each
2835         architecture. Therefore move the check of the NaN-representation into its own
2836         file such that we can disable this test on MIPS where NaN-representation can be
2837         different on older CPUs.
2838
2839         * stress/dataview-jit-set-nan.js: Added.
2840         (assert):
2841         (test.storeLittleEndian):
2842         (test.storeBigEndian):
2843         (test.store):
2844         (test):
2845         * stress/dataview-jit-set.js:
2846         (test5):
2847
2848 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2849
2850         Unreviewed, rolling out r236647.
2851         https://bugs.webkit.org/show_bug.cgi?id=190124
2852
2853         Breaking test stress/big-int-to-string.js (Requested by
2854         caiolima_ on #webkit).
2855
2856         Reverted changeset:
2857
2858         "[BigInt] BigInt.prototype.toString is broken when radix is
2859         power of 2"
2860         https://bugs.webkit.org/show_bug.cgi?id=190033
2861         https://trac.webkit.org/changeset/236647
2862
2863 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2864
2865         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2866         https://bugs.webkit.org/show_bug.cgi?id=190033
2867
2868         Reviewed by Yusuke Suzuki.
2869
2870         * stress/big-int-to-string.js:
2871
2872 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2873
2874         [ESNext][BigInt] Implement support for "&"
2875         https://bugs.webkit.org/show_bug.cgi?id=186228
2876
2877         Reviewed by Yusuke Suzuki.
2878
2879         * stress/big-int-bitwise-and-general.js: Added.
2880         (assert):
2881         (assert.sameValue):
2882         * stress/big-int-bitwise-and-jit.js: Added.
2883         (let.assert.sameValue):
2884         (bigIntBitAnd):
2885         * stress/big-int-bitwise-and-memory-stress.js: Added.
2886         (assert):
2887         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2888         (assert.sameValue):
2889         (let.o.Symbol.toPrimitive):
2890         (catch):
2891         * stress/big-int-bitwise-and-type-error.js: Added.
2892         (assert):
2893         (assertThrowTypeError):
2894         (let.o.valueOf):
2895         (o.valueOf):
2896         (o.toString):
2897         (o.Symbol.toPrimitive):
2898         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2899         (assert.sameValue):
2900         (testBitAnd):
2901         (let.o.Symbol.toPrimitive):
2902         (o.valueOf):
2903         (o.toString):
2904
2905 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2906
2907         JSC test stress/jsc-read.js doesn't support CRLF
2908         https://bugs.webkit.org/show_bug.cgi?id=190063
2909
2910         Reviewed by Yusuke Suzuki.
2911
2912         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2913
2914         * stress/jsc-read.js:
2915         (test):
2916
2917 2018-09-27  Saam barati  <sbarati@apple.com>
2918
2919         Verify the contents of AssemblerBuffer on arm64e
2920         https://bugs.webkit.org/show_bug.cgi?id=190057
2921         <rdar://problem/38916630>
2922
2923         Reviewed by Mark Lam.
2924
2925         * stress/regress-189132.js:
2926
2927 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2928
2929         Disable test without LLInt on ARMv7
2930         https://bugs.webkit.org/show_bug.cgi?id=190037
2931
2932         Reviewed by Mark Lam.
2933
2934         Test runs out of executable memory on ARMv7, do not run
2935         this test without LLInt enabled.
2936
2937         * stress/regress-169445.js:
2938
2939 2018-09-26  Keith Miller  <keith_miller@apple.com>
2940
2941         We should zero unused property storage when rebalancing array storage.
2942         https://bugs.webkit.org/show_bug.cgi?id=188151
2943
2944         Reviewed by Michael Saboff.
2945
2946         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2947
2948 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2949
2950         [JSC] Optimize Array#lastIndexOf
2951         https://bugs.webkit.org/show_bug.cgi?id=189780
2952
2953         Reviewed by Saam Barati.
2954
2955         * stress/array-lastindexof-array-prototype-trap.js: Added.
2956         (shouldBe):
2957         (AncestorArray.prototype.get 2):
2958         (AncestorArray):
2959         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2960         (shouldBe):
2961         * stress/array-lastindexof-hole-nan.js: Added.
2962         (shouldBe):
2963         (throw.new.Error):
2964         * stress/array-lastindexof-infinity.js: Added.
2965         (shouldBe):
2966         (throw.new.Error):
2967         * stress/array-lastindexof-negative-zero.js: Added.
2968         (shouldBe):
2969         (throw.new.Error):
2970         * stress/array-lastindexof-own-getter.js: Added.
2971         (shouldBe):
2972         (throw.new.Error.get array):
2973         (get array):
2974         * stress/array-lastindexof-prototype-trap.js: Added.
2975         (shouldBe):
2976         (DerivedArray.prototype.get 2):
2977         (DerivedArray):
2978
2979 2018-09-25  Saam Barati  <sbarati@apple.com>
2980
2981         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2982         https://bugs.webkit.org/show_bug.cgi?id=189940
2983         <rdar://problem/43640987>
2984
2985         Reviewed by Mark Lam.
2986
2987         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2988
2989 2018-09-24  Saam Barati  <sbarati@apple.com>
2990
2991         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2992         https://bugs.webkit.org/show_bug.cgi?id=189922
2993         <rdar://problem/44651275>
2994
2995         Reviewed by Mark Lam.
2996
2997         * stress/array-indexof-fast-path-effects.js: Added.
2998         * stress/array-indexof-cached-length.js: Added.
2999
3000 2018-09-24  Saam barati  <sbarati@apple.com>
3001
3002         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3003         https://bugs.webkit.org/show_bug.cgi?id=189682
3004         <rdar://problem/43557315>
3005
3006         Reviewed by Mark Lam.
3007
3008         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3009         (foo):
3010
3011 2018-09-22  Saam barati  <sbarati@apple.com>
3012
3013         The sampling should not use Strong<CodeBlock> in its machineLocation field
3014         https://bugs.webkit.org/show_bug.cgi?id=189319
3015
3016         Reviewed by Filip Pizlo.
3017
3018         * stress/sampling-profiler-richards.js: Added.
3019
3020 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3021
3022         [JSC] Optimize Array#indexOf in C++ runtime
3023         https://bugs.webkit.org/show_bug.cgi?id=189507
3024
3025         Reviewed by Saam Barati.
3026
3027         * stress/array-indexof-array-prototype-trap.js: Added.
3028         (shouldBe):
3029         (AncestorArray.prototype.get 2):
3030         (AncestorArray):
3031         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3032         (shouldBe):
3033         * stress/array-indexof-hole-nan.js: Added.
3034         (shouldBe):
3035         (throw.new.Error):
3036         * stress/array-indexof-infinity.js: Added.
3037         (shouldBe):
3038         (throw.new.Error):
3039         * stress/array-indexof-negative-zero.js: Added.
3040         (shouldBe):
3041         (throw.new.Error):
3042         * stress/array-indexof-own-getter.js: Added.
3043         (shouldBe):
3044         (throw.new.Error.get array):
3045         (get array):
3046         * stress/array-indexof-prototype-trap.js: Added.
3047         (shouldBe):
3048         (DerivedArray.prototype.get 2):
3049         (DerivedArray):
3050
3051 2018-09-19  Saam barati  <sbarati@apple.com>
3052
3053         AI rule for MultiPutByOffset executes its effects in the wrong order
3054         https://bugs.webkit.org/show_bug.cgi?id=189757
3055         <rdar://problem/43535257>
3056
3057         Reviewed by Michael Saboff.
3058
3059         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3060         (foo):
3061         (Foo):
3062         (g):
3063
3064 2018-09-17  Mark Lam  <mark.lam@apple.com>
3065
3066         Ensure that ForInContexts are invalidated if their loop local is over-written.
3067         https://bugs.webkit.org/show_bug.cgi?id=189571
3068         <rdar://problem/44402277>
3069
3070         Reviewed by Saam Barati.
3071
3072         * stress/regress-189571.js: Added.
3073
3074 2018-09-17  Saam barati  <sbarati@apple.com>
3075
3076         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3077         https://bugs.webkit.org/show_bug.cgi?id=189676
3078         <rdar://problem/39682897>
3079
3080         Reviewed by Michael Saboff.
3081
3082         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3083         (A):
3084         (K):
3085         (i.catch):
3086
3087 2018-09-14  Saam barati  <sbarati@apple.com>
3088
3089         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3090         https://bugs.webkit.org/show_bug.cgi?id=189628
3091         <rdar://problem/39481690>
3092
3093         Reviewed by Mark Lam.
3094
3095         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3096         (foo):
3097
3098 2018-09-11  Mark Lam  <mark.lam@apple.com>
3099
3100         Test for array initialization in arrayProtoFuncSplice.
3101         https://bugs.webkit.org/show_bug.cgi?id=170253
3102         <rdar://problem/31328773>
3103
3104         Rubber-stamped by Saam Barati.
3105
3106         * stress/regress-170253.js: Added.
3107
3108 2018-09-11  Mark Lam  <mark.lam@apple.com>
3109
3110         Test for IntlObject initialization.
3111         https://bugs.webkit.org/show_bug.cgi?id=170251
3112         <rdar://problem/31328419>
3113
3114         Rubber-stamped by Saam Barati.
3115
3116         * stress/regress-170251.js: Added.
3117
3118 2018-09-11  Mark Lam  <mark.lam@apple.com>
3119
3120         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3121         https://bugs.webkit.org/show_bug.cgi?id=169889
3122         <rdar://problem/31155607>
3123
3124         Reviewed by Saam Barati.
3125
3126         * stress/regress-169889-array-concat.js: Added.
3127         * stress/regress-169889-array-concat1.js: Added.
3128         * stress/regress-169889-array-slice.js: Added.
3129
3130 2018-09-11  Mark Lam  <mark.lam@apple.com>
3131
3132         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3133         https://bugs.webkit.org/show_bug.cgi?id=169445
3134         <rdar://problem/30957435>
3135
3136         Reviewed by Saam Barati.
3137
3138         * stress/regress-169445.js: Added.
3139         (let.gun.eval.A):
3140         (let.gun.eval.B.C):
3141         (let.gun.eval.B.C.prototype.trigger):
3142         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3143         (let.gun.eval.B):
3144         (let.gun.eval):
3145
3146 == Rolled over to ChangeLog-2018-09-11 ==