[JSC] Repeat string created from Array.prototype.join() take too much memory
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
2
3         [JSC] Repeat string created from Array.prototype.join() take too much memory
4         https://bugs.webkit.org/show_bug.cgi?id=193912
5
6         Reviewed by Saam Barati.
7
8         Added a test and a microbenchmark for corner cases of
9         Array.prototype.join() with an uninitialized array.
10
11         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
12         * stress/array-prototype-join-uninitialized.js: Added.
13         (testArray):
14         (testABC):
15         (B):
16         (C):
17
18 2019-02-22  Robin Morisset  <rmorisset@apple.com>
19
20         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
21         https://bugs.webkit.org/show_bug.cgi?id=194953
22         <rdar://problem/47595253>
23
24         Reviewed by Saam Barati.
25
26         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
27
28         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
29
30 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
31
32         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
33         https://bugs.webkit.org/show_bug.cgi?id=172848
34         <rdar://problem/25709212>
35
36         Reviewed by Mark Lam.
37
38         * typeProfiler/inheritance.js:
39         Rewrite the test slightly for clarity. The hoisting was confusing.
40
41         * heapProfiler/class-names.js: Added.
42         (MyES5Class):
43         (MyES6Class):
44         (MyES6Subclass):
45         Test object types and improved class names.
46
47         * heapProfiler/driver/driver.js:
48         (CheapHeapSnapshotNode):
49         (CheapHeapSnapshot):
50         (createCheapHeapSnapshot):
51         (HeapSnapshot):
52         (createHeapSnapshot):
53         Update snapshot parsing from version 1 to version 2.
54
55 2019-02-19  Truitt Savell  <tsavell@apple.com>
56
57         Unreviewed, rolling out r241784.
58
59         Broke all OpenSource builds.
60
61         Reverted changeset:
62
63         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
64         instances view"
65         https://bugs.webkit.org/show_bug.cgi?id=172848
66         https://trac.webkit.org/changeset/241784
67
68 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
69
70         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
71         https://bugs.webkit.org/show_bug.cgi?id=172848
72         <rdar://problem/25709212>
73
74         Reviewed by Mark Lam.
75
76         * typeProfiler/inheritance.js:
77         Rewrite the test slightly for clarity. The hoisting was confusing.
78
79         * heapProfiler/class-names.js: Added.
80         (MyES5Class):
81         (MyES6Class):
82         (MyES6Subclass):
83         Test object types and improved class names.
84
85         * heapProfiler/driver/driver.js:
86         (CheapHeapSnapshotNode):
87         (CheapHeapSnapshot):
88         (createCheapHeapSnapshot):
89         (HeapSnapshot):
90         (createHeapSnapshot):
91         Update snapshot parsing from version 1 to version 2.
92
93 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
94
95         [ARM] Fix crash with sampling profiler
96         https://bugs.webkit.org/show_bug.cgi?id=194772
97
98         Reviewed by Mark Lam.
99
100         Do not skip test since crash with sampling profiler is now fixed.
101
102         * stress/sampling-profiler-richards.js:
103
104 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
105
106         [JSC] Add LazyClassStructure::getInitializedOnMainThread
107         https://bugs.webkit.org/show_bug.cgi?id=194784
108         <rdar://problem/48154820>
109
110         Reviewed by Mark Lam.
111
112         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
113         (getProperties):
114         (getRandomProperty):
115         (i.catch):
116
117 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
118
119         [ARM] Test gardening: Test running out of executable memory
120         https://bugs.webkit.org/show_bug.cgi?id=194771
121
122         Unreviewed. Do not run test without LLInt, test is running out of executable
123         memory on ARM otherwise.
124
125         * stress/tagged-template-object-collect.js:
126
127 2019-02-18  Tomas Popela  <tpopela@redhat.com>
128
129         Unreviewed, skip the test on platforms without sampling profiler
130
131         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
132         (platformSupportsSamplingProfiler.foo):
133         (platformSupportsSamplingProfiler.test):
134         (platformSupportsSamplingProfiler):
135         (foo): Deleted.
136         (test): Deleted.
137
138 2019-02-17  Saam Barati  <sbarati@apple.com>
139
140         Deadlock when adding a Structure property transition and then doing incremental marking
141         https://bugs.webkit.org/show_bug.cgi?id=194767
142
143         Reviewed by Mark Lam.
144
145         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
146
147 2019-02-15  Michael Saboff  <msaboff@apple.com>
148
149         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
150         https://bugs.webkit.org/show_bug.cgi?id=194558
151
152         Reviewed by Saam Barati.
153
154         New regression test.
155
156         * stress/regexp-unicode-within-string.js: Added.
157
158 2019-02-15  Mark Lam  <mark.lam@apple.com>
159
160         SamplingProfiler::stackTracesAsJSON() should escape strings.
161         https://bugs.webkit.org/show_bug.cgi?id=194649
162         <rdar://problem/48072386>
163
164         Reviewed by Saam Barati.
165
166         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
167         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
168         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
169         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
170
171 2019-02-15  Robin Morisset  <rmorisset@apple.com>
172         CodeBlock::jettison should clear related watchpoints
173         https://bugs.webkit.org/show_bug.cgi?id=194544
174
175         Reviewed by Mark Lam.
176
177         * stress/regexp-replace-double-watchpoint.js: Added.
178         (foo):
179
180 2019-02-15  Saam barati  <sbarati@apple.com>
181
182         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
183         https://bugs.webkit.org/show_bug.cgi?id=194036
184
185         Reviewed by Yusuke Suzuki.
186
187         * stress/tail-call-many-arguments.js: Added.
188         (foo):
189         (bar):
190
191 2019-02-14  Saam Barati  <sbarati@apple.com>
192
193         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
194         https://bugs.webkit.org/show_bug.cgi?id=194583
195         <rdar://problem/48028140>
196
197         Reviewed by Yusuke Suzuki.
198
199         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
200
201 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
202
203         [JSC] String.fromCharCode's slow path always generates 16bit string
204         https://bugs.webkit.org/show_bug.cgi?id=194466
205
206         Reviewed by Keith Miller.
207
208         * stress/string-from-char-code-slow-path.js: Added.
209         (shouldBe):
210         (testWithLength):
211
212 2019-02-08  Saam barati  <sbarati@apple.com>
213
214         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
215         https://bugs.webkit.org/show_bug.cgi?id=194334
216         <rdar://problem/47844327>
217
218         Reviewed by Mark Lam.
219
220         * stress/check-in-bounds-should-be-a-child-use.js: Added.
221         (func):
222
223 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
224
225         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
226         https://bugs.webkit.org/show_bug.cgi?id=194369
227         <rdar://problem/47813087>
228
229         Reviewed by Saam Barati.
230
231         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
232         (A):
233
234 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
235
236         [JSC] PrivateName to PublicName hash table is wasteful
237         https://bugs.webkit.org/show_bug.cgi?id=194277
238
239         Reviewed by Michael Saboff.
240
241         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
242
243         * ChakraCore.yaml:
244
245 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
246
247         [ARM] Test running out of executable memory
248         https://bugs.webkit.org/show_bug.cgi?id=194285
249
250         Unreviewed. Do no execute test with LLInt disabled, test runs out of
251         executable memory otherwise.
252
253         * stress/class-subclassing-function.js:
254
255 2019-02-04  Robin Morisset  <rmorisset@apple.com>
256
257         when lowering AssertNotEmpty, create the value before creating the patchpoint
258         https://bugs.webkit.org/show_bug.cgi?id=194231
259
260         Reviewed by Saam Barati.
261
262         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
263         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
264         So even tiny changes to this test can change the path code taken.
265
266         * stress/assert-not-empty.js: Added.
267         (foo):
268
269 2019-02-01  Mark Lam  <mark.lam@apple.com>
270
271         Remove invalid assertion in DFG's compileDoubleRep().
272         https://bugs.webkit.org/show_bug.cgi?id=194130
273         <rdar://problem/47699474>
274
275         Reviewed by Saam Barati.
276
277         * stress/constant-fold-double-rep-into-double-constant.js: Added.
278
279 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
280
281         Import latest Test262 updates.
282
283         Rubber-stamped by Keith Miller.
284
285         * test262.yaml: Deleted.
286         * test262/config.yaml:
287         * test262/expectations.yaml:
288         * test262/latest-changes-summary.txt:
289         * test262/test/:
290         * test262/test262-Revision.txt:
291
292 2019-01-30  Robin Morisset  <rmorisset@apple.com>
293
294         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
295         https://bugs.webkit.org/show_bug.cgi?id=194050
296         <rdar://problem/47595592>
297
298         Reviewed by Yusuke Suzuki.
299
300         * stress/object-keys-osr-exit.js: Added.
301         (foo):
302         (catch):
303
304 2019-01-29  Mark Lam  <mark.lam@apple.com>
305
306         ValueRecovery::recover() should purify NaN values it recovers.
307         https://bugs.webkit.org/show_bug.cgi?id=193978
308         <rdar://problem/47625488>
309
310         Reviewed by Saam Barati.
311
312         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
313
314 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
315
316         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
317         https://bugs.webkit.org/show_bug.cgi?id=193713
318
319         * stress/try-get-by-id-should-spill-registers-dfg.js:
320         (let.f.createBuiltin):
321
322 2019-01-28  Mark Lam  <mark.lam@apple.com>
323
324         ToString node actually does GC.
325         https://bugs.webkit.org/show_bug.cgi?id=193920
326         <rdar://problem/46695900>
327
328         Reviewed by Yusuke Suzuki.
329
330         * stress/dfg-to-string-on-int-does-gc.js: Added.
331         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
332         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
333
334 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
335
336         [JSC] NativeErrorConstructor should not have own IsoSubspace
337         https://bugs.webkit.org/show_bug.cgi?id=193713
338
339         Reviewed by Saam Barati.
340
341         Remove @Error use.
342
343         * stress/try-get-by-id-should-spill-registers-dfg.js:
344         (let.f.createBuiltin):
345
346 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
347
348         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
349         https://bugs.webkit.org/show_bug.cgi?id=190693
350
351         Reviewed by Michael Saboff.
352
353         * stress/regress-190693.js: Added.
354         (truth):
355         (assert):
356         (shouldThrowInvalidConstAssignment):
357         (taz):
358
359 2019-01-24  Saam Barati  <sbarati@apple.com>
360
361         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
362         https://bugs.webkit.org/show_bug.cgi?id=193751
363         <rdar://problem/47280215>
364
365         Reviewed by Michael Saboff.
366
367         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
368         (let.thing):
369         (foo.let.hello):
370         (foo):
371
372 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
373
374         [JSC] Reenable baseline JIT on mips
375         https://bugs.webkit.org/show_bug.cgi?id=192983
376
377         Reviewed by Mark Lam.
378
379         Added a new test for a case that was triggering a RELEASE_ASSERT when
380         testing.
381         Disable some slow tests that were already disabled for arm and x86.
382
383         * stress/json-parse-big-object.js: Added.
384         * stress/new-largeish-contiguous-array-with-size.js:
385         * stress/op_add.js:
386         * stress/op_bitand.js:
387         * stress/op_bitor.js:
388         * stress/op_bitxor.js:
389         * stress/op_lshift-ConstVar.js:
390         * stress/op_lshift-VarConst.js:
391         * stress/op_lshift-VarVar.js:
392         * stress/op_mod-ConstVar.js:
393         * stress/op_mod-VarConst.js:
394         * stress/op_mod-VarVar.js:
395         * stress/op_mul-ConstVar.js:
396         * stress/op_mul-VarConst.js:
397         * stress/op_mul-VarVar.js:
398         * stress/op_rshift-ConstVar.js:
399         * stress/op_rshift-VarConst.js:
400         * stress/op_rshift-VarVar.js:
401         * stress/op_sub-ConstVar.js:
402         * stress/op_sub-VarConst.js:
403         * stress/op_sub-VarVar.js:
404         * stress/op_urshift-ConstVar.js:
405         * stress/op_urshift-VarConst.js:
406         * stress/op_urshift-VarVar.js:
407         * stress/sampling-profiler-richards.js:
408         * stress/spread-forward-call-varargs-stack-overflow.js:
409
410 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
411
412         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
413         https://bugs.webkit.org/show_bug.cgi?id=193711
414         <rdar://problem/47250262>
415
416         Reviewed by Saam Barati.
417
418         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
419         (shouldBe):
420         (foo):
421         (bar):
422         (baz):
423
424 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
425
426         Unreviewed, fix initial global lexical binding epoch
427         https://bugs.webkit.org/show_bug.cgi?id=193603
428         <rdar://problem/47380869>
429
430         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
431         (f1.f2.f3.f4):
432         (f1.f2.f3):
433         (f1.f2):
434         (f1):
435
436 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
437
438         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
439         https://bugs.webkit.org/show_bug.cgi?id=193709
440         <rdar://problem/47363838>
441
442         Unreviewed, rollout to watch the tests.
443
444         * stress/object-tostring-changed-proto.js: Removed.
445         * stress/object-tostring-changed.js: Removed.
446         * stress/object-tostring-misc.js: Removed.
447         * stress/object-tostring-other.js: Removed.
448         * stress/object-tostring-untyped.js: Removed.
449
450 2019-01-22  Saam Barati  <sbarati@apple.com>
451
452         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
453
454         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
455         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
456         (testUncheckedLessThanZero):
457         (testUncheckedLessThanOrEqualZero):
458         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
459         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
460
461 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
462
463         [JSC] Invalidate old scope operations using global lexical binding epoch
464         https://bugs.webkit.org/show_bug.cgi?id=193603
465         <rdar://problem/47380869>
466
467         Reviewed by Saam Barati.
468
469         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
470         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
471         (shouldThrow):
472         (bar):
473         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
474         (shouldBe):
475         (get1):
476         (get2):
477         (get1If):
478         (get2If):
479         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
480         (shouldThrow):
481         (foo):
482
483 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
484
485         Unreviewed, roll out r240220 due to date-format-xparb regression
486         https://bugs.webkit.org/show_bug.cgi?id=193603
487
488         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
489         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
490         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
491         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
492
493 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
494
495         DoesGC rule is wrong for nodes with BigIntUse
496         https://bugs.webkit.org/show_bug.cgi?id=193652
497
498         Reviewed by Saam Barati.
499
500         * stress/big-int-value-op-update-gc-rules.js: Added.
501         (assert):
502         (doesGCAdd):
503         (doesGCSub):
504         (doesGCDiv):
505         (doesGCMul):
506         (doesGCBitAnd):
507         (doesGCBitOr):
508         (doesGCBitXor):
509
510 2019-01-20  Saam Barati  <sbarati@apple.com>
511
512         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
513         https://bugs.webkit.org/show_bug.cgi?id=193644
514         <rdar://problem/46209745>
515
516         Reviewed by Yusuke Suzuki.
517
518         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
519         (foo):
520         * stress/data-view-set-intrinsic-undefined-result.js: Added.
521         (foo):
522         (bar):
523
524 2019-01-20  Saam Barati  <sbarati@apple.com>
525
526         MovHint must merge NodeBytecodeUsesAsValue for its child
527         https://bugs.webkit.org/show_bug.cgi?id=186916
528         <rdar://problem/41396612>
529
530         Reviewed by Yusuke Suzuki.
531
532         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
533         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
534
535 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
536
537         [JSC] Invalidate old scope operations using global lexical binding epoch
538         https://bugs.webkit.org/show_bug.cgi?id=193603
539         <rdar://problem/47380869>
540
541         Reviewed by Saam Barati.
542
543         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
544         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
545         (shouldThrow):
546         (bar):
547         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
548         (shouldBe):
549         (get1):
550         (get2):
551         (get1If):
552         (get2If):
553         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
554         (shouldThrow):
555         (foo):
556
557 2019-01-17  Saam barati  <sbarati@apple.com>
558
559         StringObjectUse should not be a structure check for the original string object structure
560         https://bugs.webkit.org/show_bug.cgi?id=193483
561         <rdar://problem/47280522>
562
563         Reviewed by Yusuke Suzuki.
564
565         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
566         (foo):
567         (a.valueOf.0):
568
569 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
570
571         [JSC] ToThis omission in DFGByteCodeParser is wrong
572         https://bugs.webkit.org/show_bug.cgi?id=193513
573         <rdar://problem/45842236>
574
575         Reviewed by Saam Barati.
576
577         * stress/to-this-omission-with-different-strict-modes.js: Added.
578         (thisA):
579         (thisAStrictWrapper):
580
581 2019-01-15  Mark Lam  <mark.lam@apple.com>
582
583         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
584         https://bugs.webkit.org/show_bug.cgi?id=193423
585         <rdar://problem/46209355>
586
587         Reviewed by Saam Barati.
588
589         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
590         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
591         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
592         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
593
594 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
595
596         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
597         https://bugs.webkit.org/show_bug.cgi?id=193438
598         <rdar://problem/45581249>
599
600         Reviewed by Saam Barati and Keith Miller.
601
602         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
603         Then, GetByVal(String) crashed.
604
605         * stress/string-get-by-val-lowering.js: Added.
606         (shouldBe):
607         (test):
608         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
609         (Hello):
610         (foo):
611
612 2019-01-15  Tomas Popela  <tpopela@redhat.com>
613
614         Unreviewed, skip JIT tests if it's not enabled
615
616         * stress/bit-op-with-object-returning-int32.js:
617
618 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
619
620         DFGByteCodeParser rules for bitwise operations should consider type of their operands
621         https://bugs.webkit.org/show_bug.cgi?id=192966
622
623         Reviewed by Yusuke Suzuki.
624
625         * stress/bit-op-with-object-returning-int32.js: Added.
626
627 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
628
629         Skip a slow test and a flakey test on arm
630
631         Unreviewed gardening.
632
633         * typeProfiler/getter-richards.js:
634         this test always times out, it used to be always skipped on arm and
635         mips, but got accidentally enabled by r237919 now that we have DFG on
636         arm. Also skipping on mips as we plan to soon enable DFG for it too.
637
638 2019-01-14  Keith Miller  <keith_miller@apple.com>
639
640         Skip type-check-hoisting-phase-hoist... with no jit
641         https://bugs.webkit.org/show_bug.cgi?id=193421
642
643         Reviewed by Mark Lam.
644
645         It's timing out the 32-bit bots and takes 330 seconds
646         on my machine when run by itself.
647
648         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
649
650 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
651
652         [JSC] AI should check the given constant's array type when folding GetByVal into constant
653         https://bugs.webkit.org/show_bug.cgi?id=193413
654         <rdar://problem/46092389>
655
656         Reviewed by Keith Miller.
657
658         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
659         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
660         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
661         but GetByVal does not have appropriate ArrayModes, JSC crashes.
662
663         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
664         (compareArray):
665
666 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
667
668         [BigInt] Literal parsing is crashing when used inside a Object Literal
669         https://bugs.webkit.org/show_bug.cgi?id=193404
670
671         Reviewed by Yusuke Suzuki.
672
673         * stress/big-int-literal-inside-literal-object.js: Added.
674
675 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
676
677         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
678         https://bugs.webkit.org/show_bug.cgi?id=193372
679
680         Reviewed by Saam Barati.
681
682         * stress/typed-array-array-modes-profile.js: Added.
683         (foo):
684
685 2019-01-14  Mark Lam  <mark.lam@apple.com>
686
687         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
688         https://bugs.webkit.org/show_bug.cgi?id=193402
689         <rdar://problem/46012309>
690
691         Reviewed by Keith Miller.
692
693         * stress/regexp-compile-oom.js:
694         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
695           is enabled.  As a result, it will fail on cloop builds though there is no bug.
696
697 2019-01-11  Saam barati  <sbarati@apple.com>
698
699         DFG combined liveness can be wrong for terminal basic blocks
700         https://bugs.webkit.org/show_bug.cgi?id=193304
701         <rdar://problem/45268632>
702
703         Reviewed by Yusuke Suzuki.
704
705         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
706
707 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
708
709         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
710         https://bugs.webkit.org/show_bug.cgi?id=193308
711         <rdar://problem/45546542>
712
713         Reviewed by Saam Barati.
714
715         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
716         (shouldThrow):
717         (shouldBe):
718         (foo):
719         (get shouldThrow):
720         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
721         (shouldThrow):
722         (shouldBe):
723         (foo):
724         (get shouldBe):
725         (get shouldThrow):
726         (get return):
727         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
728         (shouldThrow):
729         (shouldBe):
730         (foo):
731         (get shouldBe):
732         (get shouldThrow):
733         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
734         (shouldThrow):
735         (shouldBe):
736         (foo):
737         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
738         (shouldThrow):
739         (shouldBe):
740         (foo):
741         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
742         (shouldThrow):
743         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
744         (shouldThrow):
745         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
746         (shouldThrow):
747         (shouldBe):
748         (foo):
749         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
750         (shouldThrow):
751         (shouldBe):
752         (foo):
753         (get shouldBe):
754         (get shouldThrow):
755         (get return):
756         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
757         (shouldThrow):
758         (shouldBe):
759         (foo):
760         (get shouldBe):
761         (get shouldThrow):
762         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
763         (shouldThrow):
764         (shouldBe):
765         (foo):
766         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
767         (shouldThrow):
768         (shouldBe):
769         (foo):
770
771 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
772
773         Enable DFG on ARM/Linux again
774         https://bugs.webkit.org/show_bug.cgi?id=192496
775
776         Reviewed by Yusuke Suzuki.
777
778         Test wasn't really skipped before moving the line with skip
779         to the top.
780
781         * stress/regress-192717.js:
782
783 2019-01-10  Commit Queue  <commit-queue@webkit.org>
784
785         Unreviewed, rolling out r239825.
786         https://bugs.webkit.org/show_bug.cgi?id=193330
787
788         Broke tests on armv7/linux bots (Requested by guijemont on
789         #webkit).
790
791         Reverted changeset:
792
793         "Enable DFG on ARM/Linux again"
794         https://bugs.webkit.org/show_bug.cgi?id=192496
795         https://trac.webkit.org/changeset/239825
796
797 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
798
799         Enable DFG on ARM/Linux again
800         https://bugs.webkit.org/show_bug.cgi?id=192496
801
802         Reviewed by Yusuke Suzuki.
803
804         Test wasn't really skipped before moving the line with skip
805         to the top.
806
807         * stress/regress-192717.js:
808
809 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
810
811         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
812         https://bugs.webkit.org/show_bug.cgi?id=193127
813
814         Reviewed by Saam Barati.
815
816         * stress/array-species-create-should-handle-masquerader.js: Added.
817         (shouldThrow):
818         * stress/is-undefined-or-null-builtin.js: Added.
819         (shouldBe):
820         (isUndefinedOrNull.vm.createBuiltin):
821
822 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
823
824         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
825         https://bugs.webkit.org/show_bug.cgi?id=193221
826
827         Reviewed by Mark Lam.
828
829         * stress/put-by-id-flags.js: Added.
830         (f):
831         (g):
832         (numberOfDFGCompiles):
833
834 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
835
836         Baseline version of get_by_id may corrupt metadata
837         https://bugs.webkit.org/show_bug.cgi?id=193085
838         <rdar://problem/23453006>
839
840         Reviewed by Saam Barati.
841
842         * stress/get-by-id-change-mode.js: Added.
843         (forEach):
844
845 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
846
847         [JSC] Optimize Object.prototype.toString
848         https://bugs.webkit.org/show_bug.cgi?id=193031
849
850         Reviewed by Saam Barati.
851
852         * stress/object-tostring-changed-proto.js: Added.
853         (shouldBe):
854         (test):
855         * stress/object-tostring-changed.js: Added.
856         (shouldBe):
857         (test):
858         * stress/object-tostring-misc.js: Added.
859         (shouldBe):
860         (test):
861         (i.switch):
862         * stress/object-tostring-other.js: Added.
863         (shouldBe):
864         (test):
865         * stress/object-tostring-untyped.js: Added.
866         (shouldBe):
867         (test):
868         (i.switch):
869
870 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
871
872         test262-runner misbehaves when test file YAML has a trailing space
873         https://bugs.webkit.org/show_bug.cgi?id=193053
874
875         Reviewed by Yusuke Suzuki.
876
877         * test262/expectations.yaml:
878         Mark two dozen tests as passing (and correct the output of another).
879
880 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
881
882         Unreviewed, JSTests gardening with memoryLimited
883
884         * stress/string-overflow-createError.js:
885
886 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
887
888         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
889         https://bugs.webkit.org/show_bug.cgi?id=193050
890
891         Reviewed by Yusuke Suzuki.
892
893         * test262.yaml:
894         * test262/expectations.yaml:
895         Mark 16 tests as passing.
896
897 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
898
899         [BigInt] Support BigInt in JSON.stringify
900         https://bugs.webkit.org/show_bug.cgi?id=192624
901
902         Reviewed by Saam Barati.
903
904         * stress/big-int-json-stringify-to-json.js: Added.
905         (shouldBe):
906         (shouldThrow):
907         (BigInt.prototype.toJSON):
908         (shouldBe.JSON.stringify):
909         * stress/big-int-json-stringify.js: Added.
910         (shouldBe):
911         (shouldThrow):
912
913 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
914
915         [JSC] Implement "well-formed JSON.stringify" proposal
916         https://bugs.webkit.org/show_bug.cgi?id=191677
917
918         Reviewed by Darin Adler.
919
920         * stress/json-surrogate-pair.js: Added.
921         (shouldBe):
922         * test262/expectations.yaml:
923
924 2018-12-20  Keith Miller  <keith_miller@apple.com>
925
926         Add support for globalThis
927         https://bugs.webkit.org/show_bug.cgi?id=165171
928
929         Reviewed by Mark Lam.
930
931         * test262/config.yaml:
932
933 2018-12-19  Keith Miller  <keith_miller@apple.com>
934
935         Update test262 configuration to not run tests dependent on ICU version.
936         https://bugs.webkit.org/show_bug.cgi?id=192920
937
938         Reviewed by Saam Barati.
939
940         * test262/expectations.yaml:
941
942 2018-12-20  Mark Lam  <mark.lam@apple.com>
943
944         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
945         https://bugs.webkit.org/show_bug.cgi?id=192939
946         <rdar://problem/46869516>
947
948         Reviewed by Keith Miller.
949
950         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
951
952 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
953
954         WTF::String and StringImpl overflow MaxLength
955         https://bugs.webkit.org/show_bug.cgi?id=192853
956         <rdar://problem/45726906>
957
958         Reviewed by Mark Lam.
959
960         * stress/string-16bit-repeat-overflow.js: Added.
961         (catch):
962
963 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
964
965         Unreviewed follow-up to r192914.
966
967         * test262/expectations.yaml:
968         Add the last 20 missing expectations.
969
970 2018-12-19  Keith Miller  <keith_miller@apple.com>
971
972         Fix test262 expectations
973         https://bugs.webkit.org/show_bug.cgi?id=192914
974
975         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
976
977         * test262/expectations.yaml:
978
979 2018-12-19  Keith Miller  <keith_miller@apple.com>
980
981         Update test262 tests.
982         https://bugs.webkit.org/show_bug.cgi?id=192907
983
984         Rubber stamped by Mark Lam.
985
986         * test262/*: Omitted because prepare-changelog crashes.
987
988 2018-12-19  Mark Lam  <mark.lam@apple.com>
989
990         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
991         https://bugs.webkit.org/show_bug.cgi?id=192464
992         <rdar://problem/46519455>
993
994         Reviewed by Saam Barati.
995
996         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
997         microbenchmark.
998
999         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1000         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1001
1002 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1003
1004         String overflow in JSC::createError results in ASSERT in WTF::makeString
1005         https://bugs.webkit.org/show_bug.cgi?id=192833
1006         <rdar://problem/45706868>
1007
1008         Reviewed by Mark Lam.
1009
1010         * stress/string-overflow-createError.js: Added.
1011
1012 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1013
1014         Error message for `-x ** y` contains a typo.
1015         https://bugs.webkit.org/show_bug.cgi?id=192832
1016
1017         Reviewed by Saam Barati.
1018
1019         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1020         (assert.assert.return.throws):
1021         * stress/pow-expects-update-expression-on-lhs.js:
1022         (throw.new.Error):
1023         Update test expectations which match against the exact error message.
1024
1025 2018-12-18  Mark Lam  <mark.lam@apple.com>
1026
1027         Gardening: test options fix.
1028         https://bugs.webkit.org/show_bug.cgi?id=192822
1029
1030         Unreviewed.
1031
1032         * stress/json-stringify-string-builder-overflow.js:
1033
1034 2018-12-18  Mark Lam  <mark.lam@apple.com>
1035
1036         JSON.stringify() should throw OOM on StringBuilder overflows.
1037         https://bugs.webkit.org/show_bug.cgi?id=192822
1038         <rdar://problem/46670577>
1039
1040         Reviewed by Saam Barati.
1041
1042         * stress/json-stringify-string-builder-overflow.js: Added.
1043
1044 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1045
1046         Redeclaration of var over let/const/class should be a syntax error.
1047         https://bugs.webkit.org/show_bug.cgi?id=192298
1048
1049         Reviewed by Keith Miller.
1050
1051         * test262.yaml:
1052         * test262/expectations.yaml:
1053         Mark 46 tests as passing.
1054
1055         * stress/block-scope-redeclarations.js:
1056         Add some new tests.
1057
1058         * stress/for-in-invalidate-context-weird-assignments.js:
1059         * stress/for-in-tests.js:
1060         Replace tests for outdated behavior with tests for SyntaxError.
1061
1062         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1063         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1064         Update expectations.
1065
1066 2018-12-18  Mark Lam  <mark.lam@apple.com>
1067
1068         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1069         https://bugs.webkit.org/show_bug.cgi?id=191374
1070         <rdar://problem/46525447>
1071
1072         Reviewed by Yusuke Suzuki.
1073
1074         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1075
1076         * stress/elidable-new-object-roflcopter-then-exit.js:
1077
1078 2018-12-17  Mark Lam  <mark.lam@apple.com>
1079
1080         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1081         https://bugs.webkit.org/show_bug.cgi?id=192019
1082         <rdar://problem/46525456>
1083
1084         Reviewed by Yusuke Suzuki.
1085
1086         The test runs too slow on 32-bit.
1087
1088         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1089
1090 2018-12-17  Mark Lam  <mark.lam@apple.com>
1091
1092         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1093         https://bugs.webkit.org/show_bug.cgi?id=191373
1094         <rdar://problem/46525458>
1095
1096         Reviewed by Yusuke Suzuki.
1097
1098         The test is already slow running with a JIT on 64-bit.  It will always timeout
1099         on 32-bit without a JIT.
1100
1101         * stress/materialize-regexp-cyclic-regexp.js:
1102
1103 2018-12-17  Mark Lam  <mark.lam@apple.com>
1104
1105         Array unshift/shift should not race against the AI in the compiler thread.
1106         https://bugs.webkit.org/show_bug.cgi?id=192795
1107         <rdar://problem/46724263>
1108
1109         Reviewed by Saam Barati.
1110
1111         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1112
1113 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1114
1115         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1116         https://bugs.webkit.org/show_bug.cgi?id=190047
1117
1118         Reviewed by Saam Barati.
1119
1120         * stress/object-keys-cached-zero.js: Added.
1121         (shouldBe):
1122         (test):
1123         * stress/object-keys-changed-attribute.js: Added.
1124         (shouldBe):
1125         (test):
1126         * stress/object-keys-changed-index.js: Added.
1127         (shouldBe):
1128         (test):
1129         * stress/object-keys-changed.js: Added.
1130         (shouldBe):
1131         (test):
1132         * stress/object-keys-indexed-non-cache.js: Added.
1133         (shouldBe):
1134         (test):
1135         * stress/object-keys-overrides-get-property-names.js: Added.
1136         (shouldBe):
1137         (test):
1138         (noInline):
1139
1140 2018-12-17  Mark Lam  <mark.lam@apple.com>
1141
1142         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1143         https://bugs.webkit.org/show_bug.cgi?id=192779
1144         <rdar://problem/46775869>
1145
1146         Reviewed by Saam Barati.
1147
1148         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1149
1150 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1151
1152         Unreviewed test gardening, address a syntax error in a new test.
1153
1154         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1155
1156 2018-12-17  Mark Lam  <mark.lam@apple.com>
1157
1158         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1159         https://bugs.webkit.org/show_bug.cgi?id=192776
1160         <rdar://problem/46772368>
1161
1162         Reviewed by Keith Miller.
1163
1164         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1165
1166 2018-12-17  Mark Lam  <mark.lam@apple.com>
1167
1168         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1169         https://bugs.webkit.org/show_bug.cgi?id=192770
1170         <rdar://problem/46449037>
1171
1172         Reviewed by Keith Miller.
1173
1174         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1175
1176 2018-12-14  Mark Lam  <mark.lam@apple.com>
1177
1178         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1179         https://bugs.webkit.org/show_bug.cgi?id=192717
1180         <rdar://problem/46660677>
1181
1182         Reviewed by Saam Barati.
1183
1184         * stress/regress-192717.js: Added.
1185
1186 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1187
1188         Unreviewed, rolling out r239153, r239154, and r239155.
1189         https://bugs.webkit.org/show_bug.cgi?id=192715
1190
1191         Caused flaky GC-related crashes seen with layout tests
1192         (Requested by ryanhaddad on #webkit).
1193
1194         Reverted changesets:
1195
1196         "[JSC] Optimize Object.keys by caching own keys results in
1197         StructureRareData"
1198         https://bugs.webkit.org/show_bug.cgi?id=190047
1199         https://trac.webkit.org/changeset/239153
1200
1201         "Unreviewed, build fix after r239153"
1202         https://bugs.webkit.org/show_bug.cgi?id=190047
1203         https://trac.webkit.org/changeset/239154
1204
1205         "Unreviewed, build fix after r239153, part 2"
1206         https://bugs.webkit.org/show_bug.cgi?id=190047
1207         https://trac.webkit.org/changeset/239155
1208
1209 2018-12-14  Keith Miller  <keith_miller@apple.com>
1210
1211         Callers of JSString::getIndex should check for OOM exceptions
1212         https://bugs.webkit.org/show_bug.cgi?id=192709
1213
1214         Reviewed by Mark Lam.
1215
1216         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1217
1218 2018-12-13  Mark Lam  <mark.lam@apple.com>
1219
1220         Add a missing exception check.
1221         https://bugs.webkit.org/show_bug.cgi?id=192626
1222         <rdar://problem/46662163>
1223
1224         Reviewed by Keith Miller.
1225
1226         * stress/regress-192626.js: Added.
1227
1228 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1229
1230         [BigInt] Add ValueDiv into DFG
1231         https://bugs.webkit.org/show_bug.cgi?id=186178
1232
1233         Reviewed by Yusuke Suzuki.
1234
1235         * stress/big-int-div-jit-osr.js: Added.
1236         * stress/big-int-div-jit-untyped.js: Added.
1237         * stress/value-div-fixup-int32-big-int.js: Added.
1238
1239 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1240
1241         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1242         https://bugs.webkit.org/show_bug.cgi?id=190047
1243
1244         Reviewed by Keith Miller.
1245
1246         * stress/object-keys-cached-zero.js: Added.
1247         (shouldBe):
1248         (test):
1249         * stress/object-keys-changed-attribute.js: Added.
1250         (shouldBe):
1251         (test):
1252         * stress/object-keys-changed-index.js: Added.
1253         (shouldBe):
1254         (test):
1255         * stress/object-keys-changed.js: Added.
1256         (shouldBe):
1257         (test):
1258         * stress/object-keys-indexed-non-cache.js: Added.
1259         (shouldBe):
1260         (test):
1261         * stress/object-keys-overrides-get-property-names.js: Added.
1262         (shouldBe):
1263         (test):
1264         (noInline):
1265
1266 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1267
1268         [DFG][FTL] Add NewSymbol
1269         https://bugs.webkit.org/show_bug.cgi?id=192620
1270
1271         Reviewed by Saam Barati.
1272
1273         * microbenchmarks/symbol-creation.js: Added.
1274         (test):
1275         * stress/symbol-description-identity.js: Added.
1276         (shouldBe):
1277         (test):
1278         * stress/symbol-identity.js: Added.
1279         (shouldBe):
1280         (test):
1281         * stress/symbol-with-description-throw-error.js: Added.
1282         (shouldBe):
1283         (shouldThrow):
1284         (test):
1285         (object.toString):
1286
1287 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1288
1289         [BigInt] Implement DFG/FTL typeof for BigInt
1290         https://bugs.webkit.org/show_bug.cgi?id=192619
1291
1292         Reviewed by Keith Miller.
1293
1294         * stress/big-int-boolean-proven-type.js: Added.
1295         (assert):
1296         (bool):
1297         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1298         (assert):
1299         (typeOf):
1300         (i.switch):
1301         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1302         (assert):
1303         (typeOf):
1304         * stress/big-int-type-of.js:
1305         (typeOf):
1306         (func):
1307
1308 2018-12-10  Mark Lam  <mark.lam@apple.com>
1309
1310         PropertyAttribute needs a CustomValue bit.
1311         https://bugs.webkit.org/show_bug.cgi?id=191993
1312         <rdar://problem/46264467>
1313
1314         Reviewed by Saam Barati.
1315
1316         * stress/regress-191993.js: Added.
1317
1318 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1319
1320         [BigInt] Add ValueMul into DFG
1321         https://bugs.webkit.org/show_bug.cgi?id=186175
1322
1323         Reviewed by Yusuke Suzuki.
1324
1325         * stress/big-int-mul-jit-osr.js: Added.
1326         * stress/big-int-mul-jit-untyped.js: Added.
1327         * stress/value-mul-fixup-int32-big-int.js: Added.
1328
1329 2018-12-06  Keith Miller  <keith_miller@apple.com>
1330
1331         stress/big-wasm-memory tests failing on 32-bit JSC bot
1332         https://bugs.webkit.org/show_bug.cgi?id=192020
1333
1334         Reviewed by Saam Barati.
1335
1336         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1337         the wasm stress tests if the WebAssembly object does not exist.
1338
1339         * stress/big-wasm-memory-grow-no-max.js:
1340         (test.foo):
1341         (test):
1342         (foo): Deleted.
1343         (catch): Deleted.
1344         * stress/big-wasm-memory-grow.js:
1345         (test.foo):
1346         (test):
1347         (foo): Deleted.
1348         (catch): Deleted.
1349         * stress/big-wasm-memory.js:
1350         (test.foo):
1351         (test):
1352         (foo): Deleted.
1353         (catch): Deleted.
1354
1355 2018-12-05  Mark Lam  <mark.lam@apple.com>
1356
1357         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1358         https://bugs.webkit.org/show_bug.cgi?id=192441
1359         <rdar://problem/46480355>
1360
1361         Reviewed by Saam Barati.
1362
1363         * stress/regress-192441.js: Added.
1364
1365 2018-12-04  Mark Lam  <mark.lam@apple.com>
1366
1367         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1368         https://bugs.webkit.org/show_bug.cgi?id=192386
1369         <rdar://problem/46445516>
1370
1371         Reviewed by Saam Barati.
1372
1373         * stress/regress-192386.js: Added.
1374
1375 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1376
1377         [ESNext][BigInt] Support logic operations
1378         https://bugs.webkit.org/show_bug.cgi?id=179903
1379
1380         Reviewed by Yusuke Suzuki.
1381
1382         * stress/big-int-branch-usage.js: Added.
1383         * stress/big-int-logical-and.js: Added.
1384         * stress/big-int-logical-not.js: Added.
1385         * stress/big-int-logical-or.js: Added.
1386
1387 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1388
1389         Unreviewed, rolling out r238833.
1390
1391         Breaks macOS and iOS debug builds.
1392
1393         Reverted changeset:
1394
1395         "[ESNext][BigInt] Support logic operations"
1396         https://bugs.webkit.org/show_bug.cgi?id=179903
1397         https://trac.webkit.org/changeset/238833
1398
1399 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1400
1401         [ESNext][BigInt] Support logic operations
1402         https://bugs.webkit.org/show_bug.cgi?id=179903
1403
1404         Reviewed by Yusuke Suzuki.
1405
1406         * stress/big-int-branch-usage.js: Added.
1407         * stress/big-int-logical-and.js: Added.
1408         * stress/big-int-logical-not.js: Added.
1409         * stress/big-int-logical-or.js: Added.
1410
1411 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1412
1413         [ESNext][BigInt] Implement support for "<<" and ">>"
1414         https://bugs.webkit.org/show_bug.cgi?id=186233
1415
1416         Reviewed by Yusuke Suzuki.
1417
1418         * stress/big-int-left-shift-general.js: Added.
1419         * stress/big-int-left-shift-range-error.js: Added.
1420         * stress/big-int-left-shift-type-error.js: Added.
1421         * stress/big-int-left-shift-wrapped-value.js: Added.
1422         * stress/big-int-right-shift-general.js: Added.
1423         * stress/big-int-right-shift-type-error.js: Added.
1424         * stress/big-int-right-shift-wrapped-value.js: Added.
1425         * stress/left-shift-to-primitive-precedence.js: Added.
1426         * stress/right-shift-to-primitive-precedence.js: Added.
1427
1428 2018-11-30  Dean Jackson  <dino@apple.com>
1429
1430         Add first-class support for .mjs files in jsc binary
1431         https://bugs.webkit.org/show_bug.cgi?id=192190
1432         <rdar://problem/46375715>
1433
1434         Reviewed by Keith Miller.
1435
1436         * stress/simple-module.mjs: Added.
1437         * stress/simple-script.js: Added.
1438
1439 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1440
1441         [BigInt] Implement ValueBitXor into DFG
1442         https://bugs.webkit.org/show_bug.cgi?id=190264
1443
1444         Reviewed by Yusuke Suzuki.
1445
1446         * stress/big-int-bitwise-xor-jit.js: Added.
1447         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1448         * stress/big-int-bitwise-xor-untyped.js: Added.
1449
1450 2018-11-27  Saam barati  <sbarati@apple.com>
1451
1452         r238510 broke scopes of size zero
1453         https://bugs.webkit.org/show_bug.cgi?id=192033
1454         <rdar://problem/46281734>
1455
1456         Reviewed by Keith Miller.
1457
1458         * stress/r238510-bad-loop.js: Added.
1459         (foo):
1460
1461 2018-11-27  Mark Lam  <mark.lam@apple.com>
1462
1463         [Re-landing] NaNs read from Wasm code needs to be be purified.
1464         https://bugs.webkit.org/show_bug.cgi?id=191056
1465         <rdar://problem/45660341>
1466
1467         Reviewed by Filip Pizlo.
1468
1469         * wasm/regress/regress-191056.js: Added.
1470
1471 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1472
1473         Unreviewed, rolling out r238509.
1474
1475         Causes JSC tests to fail on iOS.
1476
1477         Reverted changeset:
1478
1479         "NaNs read from Wasm code needs to be be purified."
1480         https://bugs.webkit.org/show_bug.cgi?id=191056
1481         https://trac.webkit.org/changeset/238509
1482
1483 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1484
1485         Re-introduce op_bitnot
1486         https://bugs.webkit.org/show_bug.cgi?id=190923
1487
1488         Reviewed by Yusuke Suzuki.
1489
1490         * stress/bit-not-must-generate.js: Added.
1491         * stress/bitwise-not-no-int32.js: Added.
1492
1493 2018-11-26  Saam barati  <sbarati@apple.com>
1494
1495         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1496         https://bugs.webkit.org/show_bug.cgi?id=191956
1497         <rdar://problem/45665806>
1498
1499         Reviewed by Yusuke Suzuki.
1500
1501         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1502         (bar):
1503         (foo):
1504
1505 2018-11-26  Saam barati  <sbarati@apple.com>
1506
1507         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1508         https://bugs.webkit.org/show_bug.cgi?id=191958
1509         <rdar://problem/46221877>
1510
1511         Reviewed by Yusuke Suzuki.
1512
1513         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1514         (x):
1515         (foo):
1516
1517 2018-11-26  Mark Lam  <mark.lam@apple.com>
1518
1519         NaNs read from Wasm code needs to be be purified.
1520         https://bugs.webkit.org/show_bug.cgi?id=191056
1521         <rdar://problem/45660341>
1522
1523         Reviewed by Filip Pizlo.
1524
1525         * wasm/regress/regress-191056.js: Added.
1526
1527 2018-11-26  Michael Saboff  <msaboff@apple.com>
1528
1529         32-bit JSC test failure: stress/regexp-compile-oom.js
1530         https://bugs.webkit.org/show_bug.cgi?id=191375
1531
1532         Reviewed by Mark Lam.
1533
1534         Disabled the test for 32 bit platforms.
1535
1536         * stress/regexp-compile-oom.js:
1537
1538 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1539
1540         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1541         https://bugs.webkit.org/show_bug.cgi?id=191716
1542         <rdar://problem/45723878>
1543
1544         Reviewed by Saam Barati.
1545
1546         * stress/regress-187373.js: Added.
1547         (async.fn):
1548
1549 2018-11-21  Saam barati  <sbarati@apple.com>
1550
1551         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1552         https://bugs.webkit.org/show_bug.cgi?id=191897
1553         <rdar://problem/45871998>
1554
1555         Reviewed by Mark Lam.
1556
1557         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1558         (bar):
1559         (foo):
1560
1561 2018-11-21  Saam barati  <sbarati@apple.com>
1562
1563         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1564         https://bugs.webkit.org/show_bug.cgi?id=191895
1565         <rdar://problem/46167406>
1566
1567         Reviewed by Mark Lam.
1568
1569         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1570         (foo):
1571         (bar):
1572
1573 2018-11-21  Mark Lam  <mark.lam@apple.com>
1574
1575         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1576         https://bugs.webkit.org/show_bug.cgi?id=191776
1577         <rdar://problem/46152851>
1578
1579         Reviewed by Saam Barati.
1580
1581         * stress/big-wasm-memory-grow-no-max.js:
1582         * stress/big-wasm-memory-grow.js:
1583         * stress/big-wasm-memory.js:
1584         - updated these to expect an OutOfMemoryError.
1585
1586         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1587         (Binary.prototype.emit_u8):
1588         (Binary.prototype.emit_u32v):
1589         (Binary.prototype.emit_header):
1590         (Binary.prototype.emit_section):
1591         (Binary):
1592         (WasmModuleBuilder):
1593         (WasmModuleBuilder.prototype.addMemory):
1594         (WasmModuleBuilder.prototype.toArray):
1595         (WasmModuleBuilder.prototype.toBuffer):
1596         (WasmModuleBuilder.prototype.instantiate):
1597         (catch):
1598         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1599         (catch):
1600
1601 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1602
1603         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1604         https://bugs.webkit.org/show_bug.cgi?id=190836
1605
1606         Reviewed by Saam Barati and Yusuke Suzuki.
1607
1608         * stress/big-int-out-of-memory-tests.js: Added.
1609
1610 2018-11-20  Mark Lam  <mark.lam@apple.com>
1611
1612         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1613         https://bugs.webkit.org/show_bug.cgi?id=191856
1614         <rdar://problem/46089992>
1615
1616         Reviewed by Yusuke Suzuki.
1617
1618         * stress/regress-191856.js: Added.
1619         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1620
1621 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1622
1623         Enable JIT on ARM/Linux
1624         https://bugs.webkit.org/show_bug.cgi?id=191548
1625
1626         Reviewed by Yusuke Suzuki.
1627
1628         Disable test on system with limited memory. Program was killed by
1629         the OS before the exception was thrown.
1630
1631         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1632
1633 2018-11-20  Saam barati  <sbarati@apple.com>
1634
1635         Merging an IC variant may lead to the IC status containing overlapping structure sets
1636         https://bugs.webkit.org/show_bug.cgi?id=191869
1637         <rdar://problem/45403453>
1638
1639         Reviewed by Mark Lam.
1640
1641         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1642
1643 2018-11-19  Mark Lam  <mark.lam@apple.com>
1644
1645         globalFuncImportModule() should return a promise when it clears exceptions.
1646         https://bugs.webkit.org/show_bug.cgi?id=191792
1647         <rdar://problem/46090763>
1648
1649         Reviewed by Michael Saboff.
1650
1651         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1652
1653 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1654
1655         Skip new memory-hungry tests on memory limited devices
1656
1657         Unreviewed gardening.
1658
1659         * stress/big-wasm-memory-grow-no-max.js:
1660         * stress/big-wasm-memory-grow.js:
1661         * stress/big-wasm-memory.js:
1662
1663 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1664
1665         Unreviewed, rolling in the rest of r237254
1666         https://bugs.webkit.org/show_bug.cgi?id=190340
1667
1668         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1669         * stress/function-cache-with-parameters-end-position.js: Added.
1670         (shouldBe):
1671         (shouldThrow):
1672         (i.anonymous):
1673         * stress/function-constructor-name.js: Added.
1674         (shouldBe):
1675         (GeneratorFunction):
1676         (AsyncFunction.async):
1677         (AsyncGeneratorFunction.async):
1678         (anonymous):
1679         (async.anonymous):
1680         * test262/expectations.yaml:
1681
1682 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1683
1684         All users of ArrayBuffer should agree on the same max size
1685         https://bugs.webkit.org/show_bug.cgi?id=191771
1686
1687         Reviewed by Mark Lam.
1688
1689         * stress/big-wasm-memory-grow-no-max.js: Added.
1690         (foo):
1691         (catch):
1692         * stress/big-wasm-memory-grow.js: Added.
1693         (foo):
1694         (catch):
1695         * stress/big-wasm-memory.js: Added.
1696         (foo):
1697         (catch):
1698
1699 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1700
1701         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1702         run for each JSC config since they're regression tests for runtime bugs.
1703
1704         * stress/json-stringified-overflow-2.js:
1705         * stress/json-stringified-overflow.js:
1706
1707 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1708
1709         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1710         config since they're regression tests for runtime bugs.
1711
1712         * stress/large-unshift-splice.js:
1713         * stress/regress-185888.js:
1714
1715 2018-11-16  Saam Barati  <sbarati@apple.com>
1716
1717         KnownCellUse should also have SpecCellCheck as its type filter
1718         https://bugs.webkit.org/show_bug.cgi?id=191729
1719         <rdar://problem/45872852>
1720
1721         Reviewed by Filip Pizlo.
1722
1723         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1724         (C):
1725
1726 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1727
1728         Fix assertion failure on BytecodeGenerator::recordOpcode
1729         https://bugs.webkit.org/show_bug.cgi?id=191724
1730         <rdar://problem/45724395>
1731
1732         Reviewed by Saam Barati.
1733
1734         * stress/regress-187373-2.js: Added.
1735         (foo):
1736
1737 2018-11-15  Mark Lam  <mark.lam@apple.com>
1738
1739         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1740         https://bugs.webkit.org/show_bug.cgi?id=191730
1741         <rdar://problem/46048517>
1742
1743         Reviewed by Saam Barati.
1744
1745         * stress/regress-187006.js: Removed.
1746           - this test is invalid because its sole purpose is to test for the non-spec
1747             compliant behavior that we just fixed.
1748
1749         * stress/regress-191730.js: Added.
1750
1751 2018-11-15  Mark Lam  <mark.lam@apple.com>
1752
1753         RegExp operations should not take fast patch if lastIndex is not numeric.
1754         https://bugs.webkit.org/show_bug.cgi?id=191731
1755         <rdar://problem/46017305>
1756
1757         Reviewed by Saam Barati.
1758
1759         * stress/regress-191731.js: Added.
1760
1761 2018-11-13  Saam Barati  <sbarati@apple.com>
1762
1763         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1764         https://bugs.webkit.org/show_bug.cgi?id=191600
1765
1766         Reviewed by Mark Lam.
1767
1768         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1769         (foo):
1770         (test):
1771         (bar):
1772
1773 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1774
1775         Unreviewed, rolling out r238132.
1776
1777         The test added with this change is timing out on Debug JSC
1778         bots.
1779
1780         Reverted changeset:
1781
1782         "[BigInt] JSBigInt::createWithLength should throw when length
1783         is greater than JSBigInt::maxLength"
1784         https://bugs.webkit.org/show_bug.cgi?id=190836
1785         https://trac.webkit.org/changeset/238132
1786
1787 2018-11-13  Mark Lam  <mark.lam@apple.com>
1788
1789         Add OOM detection to StringPrototype's substituteBackreferences().
1790         https://bugs.webkit.org/show_bug.cgi?id=191563
1791         <rdar://problem/45720428>
1792
1793         Reviewed by Saam Barati.
1794
1795         * stress/regress-191563.js: Added.
1796
1797 2018-11-13  Mark Lam  <mark.lam@apple.com>
1798
1799         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1800         https://bugs.webkit.org/show_bug.cgi?id=191579
1801         <rdar://problem/45942472>
1802
1803         Reviewed by Saam Barati.
1804
1805         * stress/regress-191579.js: Added.
1806
1807 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1808
1809         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1810         https://bugs.webkit.org/show_bug.cgi?id=190836
1811
1812         Reviewed by Saam Barati.
1813
1814         * stress/big-int-out-of-memory-tests.js: Added.
1815
1816 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1817
1818         U+180E is no longer a whitespace character
1819         https://bugs.webkit.org/show_bug.cgi?id=191415
1820
1821         Reviewed by Saam Barati.
1822
1823         * ChakraCore/test/es5/regexSpace.baseline:
1824         * ChakraCore/test/es6/unicode_whitespace.js:
1825         Update tests to latest version.
1826         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1827
1828         * test262.yaml:
1829         * test262/config.yaml:
1830         * test262/expectations.yaml:
1831         Update expectations.
1832
1833 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1834
1835         [BigInt] Add support to BigInt into ValueAdd
1836         https://bugs.webkit.org/show_bug.cgi?id=186177
1837
1838         Reviewed by Keith Miller.
1839
1840         * stress/big-int-negate-jit.js:
1841         * stress/value-add-big-int-and-string.js: Added.
1842         * stress/value-add-big-int-prediction-propagation.js: Added.
1843         * stress/value-add-big-int-untyped.js: Added.
1844
1845 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1846
1847         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1848         https://bugs.webkit.org/show_bug.cgi?id=191184
1849
1850         Reviewed by Saam Barati.
1851
1852         Most tests were failing due to timeouts, since they are too slow to
1853         run on CLoop. The exceptions are:
1854
1855         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1856         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1857         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1858         to change the stack size since CLoop requires it to be page aligned.
1859
1860         * microbenchmarks/array-push-1.js:
1861         * microbenchmarks/array-push-2.js:
1862         * microbenchmarks/elidable-new-object-dag.js:
1863         * microbenchmarks/elidable-new-object-roflcopter.js:
1864         * microbenchmarks/elidable-new-object-tree.js:
1865         * microbenchmarks/getter-richards.js:
1866         * microbenchmarks/sinkable-new-object-dag.js:
1867         * microbenchmarks/string-concat-long-convert.js:
1868         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1869         * slowMicrobenchmarks/array-push-3.js:
1870         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1871         * slowMicrobenchmarks/spread-small-array.js:
1872         * slowMicrobenchmarks/undefined-property-access.js:
1873         * stress/activation-sink-default-value-tdz-error.js:
1874         * stress/activation-sink-default-value.js:
1875         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1876         * stress/activation-sink-osrexit-default-value.js:
1877         * stress/activation-sink-osrexit.js:
1878         * stress/activation-sink.js:
1879         * stress/allow-math-ic-b3-code-duplication.js:
1880         * stress/array-push-multiple-int32.js:
1881         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1882         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1883         * stress/arrowfunction-lexical-this-activation-sink.js:
1884         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1885         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1886         * stress/elide-new-object-dag-then-exit.js:
1887         * stress/materialize-regexp-cyclic.js:
1888         * stress/new-regex-inline.js:
1889         * stress/op_add.js:
1890         * stress/op_bitand.js:
1891         * stress/op_bitor.js:
1892         * stress/op_bitxor.js:
1893         * stress/op_div-ConstVar.js:
1894         * stress/op_div-VarConst.js:
1895         * stress/op_div-VarVar.js:
1896         * stress/op_lshift-ConstVar.js:
1897         * stress/op_lshift-VarConst.js:
1898         * stress/op_lshift-VarVar.js:
1899         * stress/op_mod-ConstVar.js:
1900         * stress/op_mod-VarConst.js:
1901         * stress/op_mod-VarVar.js:
1902         * stress/op_mul-ConstVar.js:
1903         * stress/op_mul-VarConst.js:
1904         * stress/op_mul-VarVar.js:
1905         * stress/op_rshift-ConstVar.js:
1906         * stress/op_rshift-VarConst.js:
1907         * stress/op_rshift-VarVar.js:
1908         * stress/op_sub-ConstVar.js:
1909         * stress/op_sub-VarConst.js:
1910         * stress/op_sub-VarVar.js:
1911         * stress/op_urshift-ConstVar.js:
1912         * stress/op_urshift-VarConst.js:
1913         * stress/op_urshift-VarVar.js:
1914         * stress/proxy-get-set-correct-receiver.js:
1915         * stress/regress-179562.js:
1916         * stress/rest-parameter-many-arguments.js:
1917         * stress/sampling-profiler-richards.js:
1918         * stress/splay-flash-access-1ms.js:
1919         * stress/tailCallForwardArguments.js:
1920         * stress/typed-array-get-by-val-profiling.js:
1921         * typeProfiler/getter-richards.js:
1922
1923 2018-11-06  Michael Saboff  <msaboff@apple.com>
1924
1925         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1926         https://bugs.webkit.org/show_bug.cgi?id=191271
1927
1928         Reviewed by Saam Barati.
1929
1930         Added more test cases and made all test cases run with the same deeply recursive stack
1931         instead of finding that same point for each test case.
1932
1933         * stress/regexp-compile-oom.js:
1934         (prototype.runTest):
1935         (recurseAndTest):
1936         (testList.push.new.TestAndExpectedException):
1937
1938 2018-11-05  Michael Saboff  <msaboff@apple.com>
1939
1940         Unreviewed build fix for linux.
1941
1942         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1943
1944 2018-11-02  Michael Saboff  <msaboff@apple.com>
1945
1946         Rolling in r237753 with unreviewed build fix.
1947
1948         Fixed issues with DECLARE_THROW_SCOPE placement.
1949
1950 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1951
1952         Unreviewed, rolling out r237753.
1953
1954         Introduced JSC test failures
1955
1956         Reverted changeset:
1957
1958         "Running out of stack space not properly handled in
1959         RegExp::compile() and its callers"
1960         https://bugs.webkit.org/show_bug.cgi?id=191206
1961         https://trac.webkit.org/changeset/237753
1962
1963 2018-11-02  Michael Saboff  <msaboff@apple.com>
1964
1965         Running out of stack space not properly handled in RegExp::compile() and its callers
1966         https://bugs.webkit.org/show_bug.cgi?id=191206
1967
1968         Reviewed by Filip Pizlo.
1969
1970         New regression test.
1971
1972         * stress/regexp-compile-oom.js: Added.
1973         (recurseAndTest):
1974
1975 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1976
1977         Skip tests on arm/mips that time out now we're running on CLoop
1978
1979         Unreviewed gardening.
1980
1981         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1982         time out on the bots and need to be disabled. There's more tests
1983         disabled on arm because the timeout is longer on the mips bot (as the
1984         device is slower to start with), so many of the tests don't time out
1985         there.
1986
1987         * microbenchmarks/getter-richards.js: disable on arm and mips.
1988         * stress/op_add.js: disable on arm.
1989         * stress/op_bitand.js: disable on arm.
1990         * stress/op_bitor.js: disable on arm.
1991         * stress/op_bitxor.js: disable on arm.
1992         * stress/op_lshift-ConstVar.js: disable on arm.
1993         * stress/op_lshift-VarConst.js: disable on arm.
1994         * stress/op_lshift-VarVar.js: disable on arm.
1995         * stress/op_mod-ConstVar.js: disable on arm.
1996         * stress/op_mod-VarConst.js: disable on arm.
1997         * stress/op_mod-VarVar.js: disable on arm.
1998         * stress/op_mul-ConstVar.js: disable on arm.
1999         * stress/op_mul-VarConst.js: disable on arm.
2000         * stress/op_mul-VarVar.js: disable on arm.
2001         * stress/op_rshift-ConstVar.js: disable on arm.
2002         * stress/op_rshift-VarConst.js: disable on arm.
2003         * stress/op_rshift-VarVar.js: disable on arm.
2004         * stress/op_sub-ConstVar.js: disable on arm.
2005         * stress/op_sub-VarConst.js: disable on arm.
2006         * stress/op_sub-VarVar.js: disable on arm.
2007         * stress/op_urshift-ConstVar.js: disable on arm.
2008         * stress/op_urshift-VarConst.js: disable on arm.
2009         * stress/op_urshift-VarVar.js: disable on arm.
2010         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2011         * stress/value-to-boolean.js: disable on arm and mips.
2012
2013 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2014
2015         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2016         https://bugs.webkit.org/show_bug.cgi?id=191108
2017         <rdar://problem/45690700>
2018
2019         Reviewed by Saam Barati.
2020
2021         * stress/wide-op_catch.js: Added.
2022         (catch):
2023
2024 2018-10-29  Mark Lam  <mark.lam@apple.com>
2025
2026         Correctly detect string overflow when using the 'Function' constructor.
2027         https://bugs.webkit.org/show_bug.cgi?id=184883
2028         <rdar://problem/36320331>
2029
2030         Reviewed by Saam Barati.
2031
2032         I've verified that this passes on 32-bit as well.
2033
2034         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2035
2036 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2037
2038         Add support for GetStack FlushedDouble
2039         https://bugs.webkit.org/show_bug.cgi?id=191012
2040         <rdar://problem/45265141>
2041
2042         Reviewed by Saam Barati.
2043
2044         * stress/get-stack-double.js: Added.
2045         (bar):
2046         (noInline):
2047
2048 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2049
2050         New bytecode format for JSC
2051         https://bugs.webkit.org/show_bug.cgi?id=187373
2052         <rdar://problem/44186758>
2053
2054         Reviewed by Filip Pizlo.
2055
2056         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2057
2058         * stress/maximum-inline-capacity.js: Added.
2059         (test1):
2060         (test3.Foo):
2061         (test3):
2062
2063 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2064
2065         Unreviewed, rolling out r237479 and r237484.
2066         https://bugs.webkit.org/show_bug.cgi?id=190978
2067
2068         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2069
2070         Reverted changesets:
2071
2072         "New bytecode format for JSC"
2073         https://bugs.webkit.org/show_bug.cgi?id=187373
2074         https://trac.webkit.org/changeset/237479
2075
2076         "Gardening: Build fix after r237479."
2077         https://bugs.webkit.org/show_bug.cgi?id=187373
2078         https://trac.webkit.org/changeset/237484
2079
2080 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2081
2082         New bytecode format for JSC
2083         https://bugs.webkit.org/show_bug.cgi?id=187373
2084         <rdar://problem/44186758>
2085
2086         Reviewed by Filip Pizlo.
2087
2088         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2089
2090         * stress/maximum-inline-capacity.js: Added.
2091         (test1):
2092         (test3.Foo):
2093         (test3):
2094
2095 2018-10-26  Mark Lam  <mark.lam@apple.com>
2096
2097         Fix missing edge cases with JSGlobalObjects having a bad time.
2098         https://bugs.webkit.org/show_bug.cgi?id=189028
2099         <rdar://problem/45204939>
2100
2101         Reviewed by Saam Barati.
2102
2103         * stress/regress-189028.js: Added.
2104
2105 2018-10-22  Mark Lam  <mark.lam@apple.com>
2106
2107         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2108         https://bugs.webkit.org/show_bug.cgi?id=190515
2109         <rdar://problem/45222379>
2110
2111         Rubber-stamped by Saam Barati.
2112
2113         Adding another test.
2114
2115         * stress/regress-190515-2.js: Added.
2116
2117 2018-10-22  Mark Lam  <mark.lam@apple.com>
2118
2119         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2120         https://bugs.webkit.org/show_bug.cgi?id=190515
2121         <rdar://problem/45222379>
2122
2123         Reviewed by Saam Barati.
2124
2125         * stress/regress-190515.js: Added.
2126
2127 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2128
2129         Unreviewed, rolling out r237254.
2130         https://bugs.webkit.org/show_bug.cgi?id=190760
2131
2132         "It regresses JetStream 2 by 5% on some iOS devices"
2133         (Requested by saamyjoon on #webkit).
2134
2135         Reverted changeset:
2136
2137         "[JSC] JSC should have "parseFunction" to optimize Function
2138         constructor"
2139         https://bugs.webkit.org/show_bug.cgi?id=190340
2140         https://trac.webkit.org/changeset/237254
2141
2142 2018-10-19  Saam Barati  <sbarati@apple.com>
2143
2144         vmCall should check if we exit before emitting an OSR exit due to exceptions
2145         https://bugs.webkit.org/show_bug.cgi?id=190740
2146         <rdar://problem/45220139>
2147
2148         Reviewed by Mark Lam.
2149
2150         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2151         (foo):
2152
2153 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2154
2155         [ESNext][BigInt] Implement support for "^"
2156         https://bugs.webkit.org/show_bug.cgi?id=186235
2157
2158         Reviewed by Yusuke Suzuki.
2159
2160         * stress/big-int-bitwise-xor-general.js: Added.
2161         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2162         * stress/big-int-bitwise-xor-type-error.js: Added.
2163         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2164
2165 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2166
2167         [BigInt] Add ValueSub into DFG
2168         https://bugs.webkit.org/show_bug.cgi?id=186176
2169
2170         Reviewed by Yusuke Suzuki.
2171
2172         * stress/big-int-subtraction-jit.js:
2173         * stress/value-sub-big-int-prediction-propagation.js: Added.
2174         * stress/value-sub-big-int-untyped.js: Added.
2175         * stress/value-sub-spec-none-case.js: Added.
2176
2177 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2178
2179         [JSC] JSC should have "parseFunction" to optimize Function constructor
2180         https://bugs.webkit.org/show_bug.cgi?id=190340
2181
2182         Reviewed by Mark Lam.
2183
2184         This patch fixes the line number of syntax errors raised by the Function constructor,
2185         since we now parse the final code only once. And we no longer use block statement
2186         for Function constructor's parsing.
2187
2188         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2189         * stress/function-cache-with-parameters-end-position.js: Added.
2190         (shouldBe):
2191         (shouldThrow):
2192         (i.anonymous):
2193         * stress/function-constructor-name.js: Added.
2194         (shouldBe):
2195         (GeneratorFunction):
2196         (AsyncFunction.async):
2197         (AsyncGeneratorFunction.async):
2198         (anonymous):
2199         (async.anonymous):
2200         * test262/expectations.yaml:
2201
2202 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2203
2204         Unreviewed, rolling out r237242.
2205         https://bugs.webkit.org/show_bug.cgi?id=190701
2206
2207         it breaks "stress/sampling-profiler-basic.js" (Requested by
2208         caiolima on #webkit).
2209
2210         Reverted changeset:
2211
2212         "[BigInt] Add ValueSub into DFG"
2213         https://bugs.webkit.org/show_bug.cgi?id=186176
2214         https://trac.webkit.org/changeset/237242
2215
2216 2018-10-17  Keith Miller  <keith_miller@apple.com>
2217
2218         AI does not clear Phantom allocation nodes.
2219         https://bugs.webkit.org/show_bug.cgi?id=190694
2220
2221         Reviewed by Saam Barati.
2222
2223         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2224         (Day):
2225         (DaysInYear):
2226         (TimeInYear):
2227         (TimeFromYear):
2228         (DayFromYear):
2229         (InLeapYear):
2230         (YearFromTime):
2231         (WeekDay):
2232         (DaylightSavingTA):
2233         (GetSecondSundayInMarch):
2234         (TimeInMonth):
2235
2236 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2237
2238         [BigInt] Add ValueSub into DFG
2239         https://bugs.webkit.org/show_bug.cgi?id=186176
2240
2241         Reviewed by Yusuke Suzuki.
2242
2243         * stress/big-int-subtraction-jit.js:
2244         * stress/value-sub-big-int-prediction-propagation.js: Added.
2245         * stress/value-sub-big-int-untyped.js: Added.
2246
2247 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2248
2249         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2250         https://bugs.webkit.org/show_bug.cgi?id=190611
2251
2252         Reviewed by Saam Barati.
2253
2254         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2255         to improve test runtime. On ARM/MIPS this test even timed out when running all
2256         tests.
2257
2258         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2259         (test):
2260
2261 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2262
2263         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2264
2265         Unreviewed gardening.
2266
2267         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2268
2269 2018-10-15  Saam barati  <sbarati@apple.com>
2270
2271         Emit fjcvtzs on ARM64E on Darwin
2272         https://bugs.webkit.org/show_bug.cgi?id=184023
2273
2274         Reviewed by Yusuke Suzuki and Filip Pizlo.
2275
2276         * stress/double-to-int32-NaN.js: Added.
2277         (assert):
2278         (foo):
2279
2280 2018-10-15  Saam Barati  <sbarati@apple.com>
2281
2282         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2283         https://bugs.webkit.org/show_bug.cgi?id=190262
2284         <rdar://problem/44986241>
2285
2286         Reviewed by Mark Lam.
2287
2288         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2289         (test):
2290         * stress/slice-array-storage-with-holes.js: Added.
2291         (main):
2292
2293 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2294
2295         Unreviewed, rolling out r237054.
2296         https://bugs.webkit.org/show_bug.cgi?id=190593
2297
2298         "this regressed JetStream 2 by 6% on iOS" (Requested by
2299         saamyjoon on #webkit).
2300
2301         Reverted changeset:
2302
2303         "[JSC] JSC should have "parseFunction" to optimize Function
2304         constructor"
2305         https://bugs.webkit.org/show_bug.cgi?id=190340
2306         https://trac.webkit.org/changeset/237054
2307
2308 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2309
2310         [JSC] JSON.stringify can accept call-with-no-arguments
2311         https://bugs.webkit.org/show_bug.cgi?id=190343
2312
2313         Reviewed by Mark Lam.
2314
2315         * stress/json-stringify-no-arguments.js: Added.
2316         (shouldBe):
2317
2318 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2319
2320         [JSC] JSC should have "parseFunction" to optimize Function constructor
2321         https://bugs.webkit.org/show_bug.cgi?id=190340
2322
2323         Reviewed by Mark Lam.
2324
2325         This patch fixes the line number of syntax errors raised by the Function constructor,
2326         since we now parse the final code only once. And we no longer use block statement
2327         for Function constructor's parsing.
2328
2329         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2330         * stress/function-cache-with-parameters-end-position.js: Added.
2331         (shouldBe):
2332         (shouldThrow):
2333         (i.anonymous):
2334         * stress/function-constructor-name.js: Added.
2335         (shouldBe):
2336         (GeneratorFunction):
2337         (AsyncFunction.async):
2338         (AsyncGeneratorFunction.async):
2339         (anonymous):
2340         (async.anonymous):
2341         * test262/expectations.yaml:
2342
2343 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2344
2345         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2346         https://bugs.webkit.org/show_bug.cgi?id=190426
2347
2348         Unreviewed gardening.
2349
2350         * stress/sampling-profiler-richards.js:
2351
2352 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2353
2354         [ESNext][BigInt] Implement support for "|"
2355         https://bugs.webkit.org/show_bug.cgi?id=186229
2356
2357         Reviewed by Yusuke Suzuki.
2358
2359         * stress/big-int-bitwise-and-jit.js:
2360         * stress/big-int-bitwise-or-general.js: Added.
2361         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2362         * stress/big-int-bitwise-or-jit.js: Added.
2363         * stress/big-int-bitwise-or-memory-stress.js: Added.
2364         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2365         * stress/big-int-bitwise-or-type-error.js: Added.
2366         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2367
2368 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2369
2370         Skip test on systems with limited memory
2371         https://bugs.webkit.org/show_bug.cgi?id=190310
2372
2373         Invoking runDefault adds test to runlist, skipping the test in the next
2374         line does not prevent the test from executing. Change order of lines such
2375         that runDefault is only executed if test is not executed.
2376
2377         Reviewed by Mark Lam.
2378
2379         * stress/regress-190187.js:
2380
2381 2018-10-03  Saam barati  <sbarati@apple.com>
2382
2383         lowXYZ in FTLLower should always filter the type of the incoming edge
2384         https://bugs.webkit.org/show_bug.cgi?id=189939
2385         <rdar://problem/44407030>
2386
2387         Reviewed by Michael Saboff.
2388
2389         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2390         (foo):
2391         (test):
2392
2393 2018-10-03  Mark Lam  <mark.lam@apple.com>
2394
2395         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2396         https://bugs.webkit.org/show_bug.cgi?id=190187
2397         <rdar://problem/42512909>
2398
2399         Reviewed by Michael Saboff.
2400
2401         * stress/regress-190187.js: Added.
2402
2403 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2404
2405         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2406         https://bugs.webkit.org/show_bug.cgi?id=190033
2407
2408         Reviewed by Yusuke Suzuki.
2409
2410         * stress/big-int-to-string.js:
2411
2412 2018-10-01  Mark Lam  <mark.lam@apple.com>
2413
2414         Function.toString() should also copy the source code Functions that are class definitions.
2415         https://bugs.webkit.org/show_bug.cgi?id=190186
2416         <rdar://problem/44733360>
2417
2418         Reviewed by Saam Barati.
2419
2420         * stress/regress-190186.js: Added.
2421
2422 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2423
2424         Split NaN-check into separate test
2425         https://bugs.webkit.org/show_bug.cgi?id=190010
2426
2427         Reviewed by Saam Barati.
2428
2429         DataView exposes NaN-representation, which is not necessarily the same on each
2430         architecture. Therefore move the check of the NaN-representation into its own
2431         file such that we can disable this test on MIPS where NaN-representation can be
2432         different on older CPUs.
2433
2434         * stress/dataview-jit-set-nan.js: Added.
2435         (assert):
2436         (test.storeLittleEndian):
2437         (test.storeBigEndian):
2438         (test.store):
2439         (test):
2440         * stress/dataview-jit-set.js:
2441         (test5):
2442
2443 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2444
2445         Unreviewed, rolling out r236647.
2446         https://bugs.webkit.org/show_bug.cgi?id=190124
2447
2448         Breaking test stress/big-int-to-string.js (Requested by
2449         caiolima_ on #webkit).
2450
2451         Reverted changeset:
2452
2453         "[BigInt] BigInt.proptotype.toString is broken when radix is
2454         power of 2"
2455         https://bugs.webkit.org/show_bug.cgi?id=190033
2456         https://trac.webkit.org/changeset/236647
2457
2458 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2459
2460         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2461         https://bugs.webkit.org/show_bug.cgi?id=190033
2462
2463         Reviewed by Yusuke Suzuki.
2464
2465         * stress/big-int-to-string.js:
2466
2467 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2468
2469         [ESNext][BigInt] Implement support for "&"
2470         https://bugs.webkit.org/show_bug.cgi?id=186228
2471
2472         Reviewed by Yusuke Suzuki.
2473
2474         * stress/big-int-bitwise-and-general.js: Added.
2475         (assert):
2476         (assert.sameValue):
2477         * stress/big-int-bitwise-and-jit.js: Added.
2478         (let.assert.sameValue):
2479         (bigIntBitAnd):
2480         * stress/big-int-bitwise-and-memory-stress.js: Added.
2481         (assert):
2482         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2483         (assert.sameValue):
2484         (let.o.Symbol.toPrimitive):
2485         (catch):
2486         * stress/big-int-bitwise-and-type-error.js: Added.
2487         (assert):
2488         (assertThrowTypeError):
2489         (let.o.valueOf):
2490         (o.valueOf):
2491         (o.toString):
2492         (o.Symbol.toPrimitive):
2493         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2494         (assert.sameValue):
2495         (testBitAnd):
2496         (let.o.Symbol.toPrimitive):
2497         (o.valueOf):
2498         (o.toString):
2499
2500 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2501
2502         JSC test stress/jsc-read.js doesn't support CRLF
2503         https://bugs.webkit.org/show_bug.cgi?id=190063
2504
2505         Reviewed by Yusuke Suzuki.
2506
2507         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2508
2509         * stress/jsc-read.js:
2510         (test):
2511
2512 2018-09-27  Saam barati  <sbarati@apple.com>
2513
2514         Verify the contents of AssemblerBuffer on arm64e
2515         https://bugs.webkit.org/show_bug.cgi?id=190057
2516         <rdar://problem/38916630>
2517
2518         Reviewed by Mark Lam.
2519
2520         * stress/regress-189132.js:
2521
2522 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2523
2524         Disable test without LLInt on ARMv7
2525         https://bugs.webkit.org/show_bug.cgi?id=190037
2526
2527         Reviewed by Mark Lam.
2528
2529         Test runs out of executable memory on ARMv7, do not run
2530         this test without LLInt enabled.
2531
2532         * stress/regress-169445.js:
2533
2534 2018-09-26  Keith Miller  <keith_miller@apple.com>
2535
2536         We should zero unused property storage when rebalancing array storage.
2537         https://bugs.webkit.org/show_bug.cgi?id=188151
2538
2539         Reviewed by Michael Saboff.
2540
2541         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2542
2543 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2544
2545         [JSC] Optimize Array#lastIndexOf
2546         https://bugs.webkit.org/show_bug.cgi?id=189780
2547
2548         Reviewed by Saam Barati.
2549
2550         * stress/array-lastindexof-array-prototype-trap.js: Added.
2551         (shouldBe):
2552         (AncestorArray.prototype.get 2):
2553         (AncestorArray):
2554         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2555         (shouldBe):
2556         * stress/array-lastindexof-hole-nan.js: Added.
2557         (shouldBe):
2558         (throw.new.Error):
2559         * stress/array-lastindexof-infinity.js: Added.
2560         (shouldBe):
2561         (throw.new.Error):
2562         * stress/array-lastindexof-negative-zero.js: Added.
2563         (shouldBe):
2564         (throw.new.Error):
2565         * stress/array-lastindexof-own-getter.js: Added.
2566         (shouldBe):
2567         (throw.new.Error.get array):
2568         (get array):
2569         * stress/array-lastindexof-prototype-trap.js: Added.
2570         (shouldBe):
2571         (DerivedArray.prototype.get 2):
2572         (DerivedArray):
2573
2574 2018-09-25  Saam Barati  <sbarati@apple.com>
2575
2576         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2577         https://bugs.webkit.org/show_bug.cgi?id=189940
2578         <rdar://problem/43640987>
2579
2580         Reviewed by Mark Lam.
2581
2582         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2583
2584 2018-09-24  Saam Barati  <sbarati@apple.com>
2585
2586         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2587         https://bugs.webkit.org/show_bug.cgi?id=189922
2588         <rdar://problem/44651275>
2589
2590         Reviewed by Mark Lam.
2591
2592         * stress/array-indexof-fast-path-effects.js: Added.
2593         * stress/array-indexof-cached-length.js: Added.
2594
2595 2018-09-24  Saam barati  <sbarati@apple.com>
2596
2597         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2598         https://bugs.webkit.org/show_bug.cgi?id=189682
2599         <rdar://problem/43557315>
2600
2601         Reviewed by Mark Lam.
2602
2603         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2604         (foo):
2605
2606 2018-09-22  Saam barati  <sbarati@apple.com>
2607
2608         The sampling should not use Strong<CodeBlock> in its machineLocation field
2609         https://bugs.webkit.org/show_bug.cgi?id=189319
2610
2611         Reviewed by Filip Pizlo.
2612
2613         * stress/sampling-profiler-richards.js: Added.
2614
2615 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2616
2617         [JSC] Optimize Array#indexOf in C++ runtime
2618         https://bugs.webkit.org/show_bug.cgi?id=189507
2619
2620         Reviewed by Saam Barati.
2621
2622         * stress/array-indexof-array-prototype-trap.js: Added.
2623         (shouldBe):
2624         (AncestorArray.prototype.get 2):
2625         (AncestorArray):
2626         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2627         (shouldBe):
2628         * stress/array-indexof-hole-nan.js: Added.
2629         (shouldBe):
2630         (throw.new.Error):
2631         * stress/array-indexof-infinity.js: Added.
2632         (shouldBe):
2633         (throw.new.Error):
2634         * stress/array-indexof-negative-zero.js: Added.
2635         (shouldBe):
2636         (throw.new.Error):
2637         * stress/array-indexof-own-getter.js: Added.
2638         (shouldBe):
2639         (throw.new.Error.get array):
2640         (get array):
2641         * stress/array-indexof-prototype-trap.js: Added.
2642         (shouldBe):
2643         (DerivedArray.prototype.get 2):
2644         (DerivedArray):
2645
2646 2018-09-19  Saam barati  <sbarati@apple.com>
2647
2648         AI rule for MultiPutByOffset executes its effects in the wrong order
2649         https://bugs.webkit.org/show_bug.cgi?id=189757
2650         <rdar://problem/43535257>
2651
2652         Reviewed by Michael Saboff.
2653
2654         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2655         (foo):
2656         (Foo):
2657         (g):
2658
2659 2018-09-17  Mark Lam  <mark.lam@apple.com>
2660
2661         Ensure that ForInContexts are invalidated if their loop local is over-written.
2662         https://bugs.webkit.org/show_bug.cgi?id=189571
2663         <rdar://problem/44402277>
2664
2665         Reviewed by Saam Barati.
2666
2667         * stress/regress-189571.js: Added.
2668
2669 2018-09-17  Saam barati  <sbarati@apple.com>
2670
2671         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2672         https://bugs.webkit.org/show_bug.cgi?id=189676
2673         <rdar://problem/39682897>
2674
2675         Reviewed by Michael Saboff.
2676
2677         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2678         (A):
2679         (K):
2680         (i.catch):
2681
2682 2018-09-14  Saam barati  <sbarati@apple.com>
2683
2684         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2685         https://bugs.webkit.org/show_bug.cgi?id=189628
2686         <rdar://problem/39481690>
2687
2688         Reviewed by Mark Lam.
2689
2690         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2691         (foo):
2692
2693 2018-09-11  Mark Lam  <mark.lam@apple.com>
2694
2695         Test for array initialization in arrayProtoFuncSplice.
2696         https://bugs.webkit.org/show_bug.cgi?id=170253
2697         <rdar://problem/31328773>
2698
2699         Rubber-stamped by Saam Barati.
2700
2701         * stress/regress-170253.js: Added.
2702
2703 2018-09-11  Mark Lam  <mark.lam@apple.com>
2704
2705         Test for IntlObject initialization.
2706         https://bugs.webkit.org/show_bug.cgi?id=170251
2707         <rdar://problem/31328419>
2708
2709         Rubber-stamped by Saam Barati.
2710
2711         * stress/regress-170251.js: Added.
2712
2713 2018-09-11  Mark Lam  <mark.lam@apple.com>
2714
2715         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2716         https://bugs.webkit.org/show_bug.cgi?id=169889
2717         <rdar://problem/31155607>
2718
2719         Reviewed by Saam Barati.
2720
2721         * stress/regress-169889-array-concat.js: Added.
2722         * stress/regress-169889-array-concat1.js: Added.
2723         * stress/regress-169889-array-slice.js: Added.
2724
2725 2018-09-11  Mark Lam  <mark.lam@apple.com>
2726
2727         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2728         https://bugs.webkit.org/show_bug.cgi?id=169445
2729         <rdar://problem/30957435>
2730
2731         Reviewed by Saam Barati.
2732
2733         * stress/regress-169445.js: Added.
2734         (let.gun.eval.A):
2735         (let.gun.eval.B.C):
2736         (let.gun.eval.B.C.prototype.trigger):
2737         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2738         (let.gun.eval.B):
2739         (let.gun.eval):
2740
2741 == Rolled over to ChangeLog-2018-09-11 ==