[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] isRope jump in StringSlice should not jump over register allocations
4         https://bugs.webkit.org/show_bug.cgi?id=196716
5
6         Reviewed by Saam Barati.
7
8         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
9         (foo.bar):
10         (foo):
11
12 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
13
14         [JSC] to_index_string should not assume incoming value is Uint32
15         https://bugs.webkit.org/show_bug.cgi?id=196713
16
17         Reviewed by Saam Barati.
18
19         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
20         (foo):
21
22 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
23
24         [JSC] Add more tests for r243966
25         https://bugs.webkit.org/show_bug.cgi?id=196711
26
27         Reviewed by Saam Barati.
28
29         Adding one more test for r243966 fix. The added test will not crash after r243966.
30
31         * stress/stress-cleared-calllinkinfo.js: Added.
32         (runNearStackLimit.t):
33         (runNearStackLimit):
34         (repeat):
35         (cls):
36         (let.item.of.array.runNearStackLimit):
37
38 2019-04-08  Saam Barati  <sbarati@apple.com>
39
40         WebAssembly.RuntimeError missing exception check
41         https://bugs.webkit.org/show_bug.cgi?id=196700
42         <rdar://problem/49693932>
43
44         Reviewed by Yusuke Suzuki.
45
46         * wasm/js-api/runtime-error-should-exception-check.js: Added.
47
48 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
49
50         Unreviewed, rolling in r243948 with test fix
51         https://bugs.webkit.org/show_bug.cgi?id=196486
52
53         * stress/arrow-function-and-use-strict-directive.js: Added.
54         * stress/arrow-function-syntax.js: Added.
55         (checkSyntax):
56         (checkSyntaxError):
57
58 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
59
60         Unreviewed, rolling out r243948.
61
62         Caused inspector/runtime/parse.html to fail
63
64         Reverted changeset:
65
66         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
67         https://bugs.webkit.org/show_bug.cgi?id=196486
68         https://trac.webkit.org/changeset/243948
69
70 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
71
72         Unreviewed, rolling out r243943.
73
74         Caused test262 failures.
75
76         Reverted changeset:
77
78         "[JSC] Filter DontEnum properties in
79         ProxyObject::getOwnPropertyNames()"
80         https://bugs.webkit.org/show_bug.cgi?id=176810
81         https://trac.webkit.org/changeset/243943
82
83 2019-04-07  Michael Saboff  <msaboff@apple.com>
84
85         REGRESSION (r243642): Crash in reddit.com page
86         https://bugs.webkit.org/show_bug.cgi?id=196684
87
88         Reviewed by Geoffrey Garen.
89
90         New regression test.
91
92         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
93
94 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
95
96         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
97         https://bugs.webkit.org/show_bug.cgi?id=196683
98
99         Reviewed by Saam Barati.
100
101         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
102         (foo):
103
104 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
105
106         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
107         https://bugs.webkit.org/show_bug.cgi?id=196582
108
109         Reviewed by Saam Barati.
110
111         * stress/add-overflow-check-with-three-same-registers.js: Added.
112         (foo):
113         (Number.prototype.valueOf):
114         (runWithNumber):
115
116 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
117
118         Unreviewed, rolling out r243665.
119
120         Caused iOS JSC tests to exit with an exception.
121
122         Reverted changeset:
123
124         "Assertion failed in JSC::createError"
125         https://bugs.webkit.org/show_bug.cgi?id=196305
126         https://trac.webkit.org/changeset/243665
127
128 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
129
130         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
131         https://bugs.webkit.org/show_bug.cgi?id=196486
132
133         Reviewed by Saam Barati.
134
135         * stress/arrow-function-and-use-strict-directive.js: Added.
136         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
137         (checkSyntax):
138         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
139
140 2019-04-05  Caitlin Potter  <caitp@igalia.com>
141
142         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
143         https://bugs.webkit.org/show_bug.cgi?id=176810
144
145         Reviewed by Saam Barati.
146
147         Add tests for the DontEnum filtering, and variations of other tests
148         take the DontEnum-filtering path.
149
150         * stress/proxy-own-keys.js:
151         (i.catch):
152         (set assert):
153         (set add):
154         (let.set new):
155         (get let):
156
157 2019-04-05  Caitlin Potter  <caitp@igalia.com>
158
159         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
160         https://bugs.webkit.org/show_bug.cgi?id=185211
161
162         Reviewed by Saam Barati.
163
164         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
165
166         This changes several assertions to expect a TypeError to be thrown (in some cases,
167         changing the expected message).
168
169         * es6/Proxy_ownKeys_duplicates.js:
170         (handler):
171         (shouldThrow):
172         (test):
173         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
174         (shouldThrow):
175         * stress/proxy-own-keys.js:
176         (i.catch):
177         (assert):
178
179 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
180
181         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
182         https://bugs.webkit.org/show_bug.cgi?id=196631
183
184         Reviewed by Saam Barati.
185
186         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
187         (assert):
188         (test):
189         (foo):
190
191 2019-04-04  Saam Barati  <sbarati@apple.com>
192
193         Unreviewed. Make the test from r243906 catch the thrown exceptions.
194
195         * stress/inferred-types-regex-matches-array.js:
196
197 2019-04-04  Saam Barati  <sbarati@apple.com>
198
199         createRegExpMatchesArray does not respect inferred types
200         https://bugs.webkit.org/show_bug.cgi?id=193287
201
202         Reviewed by Yusuke Suzuki.
203
204         This checks in the test case for 193287. This issue was discovered by
205         Samuel Groß of Google Project Zero.
206
207         * stress/inferred-types-regex-matches-array.js: Added.
208
209 2019-04-04  Saam barati  <sbarati@apple.com>
210
211         Teach Call ICs how to call Wasm
212         https://bugs.webkit.org/show_bug.cgi?id=196387
213
214         Reviewed by Filip Pizlo.
215
216         * wasm/function-tests/stack-trace.js:
217
218 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
219
220         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
221         https://bugs.webkit.org/show_bug.cgi?id=194944
222
223         Reviewed by Keith Miller.
224
225         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
226
227 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
228
229         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
230         https://bugs.webkit.org/show_bug.cgi?id=196409
231
232         Reviewed by Saam Barati.
233
234         * stress/bytecode-cache-cached-string-impl.js: Added.
235         (f):
236         (g):
237         * stress/bytecode-cache-run-string.js: Added.
238
239 2019-04-03  Robin Morisset  <rmorisset@apple.com>
240
241         B3 should use associativity to optimize expression trees
242         https://bugs.webkit.org/show_bug.cgi?id=194081
243
244         Reviewed by Filip Pizlo.
245
246         Added three microbenchmarks:
247         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
248         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
249           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
250         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
251
252         * microbenchmarks/add-tree.js: Added.
253         * microbenchmarks/bit-or-tree.js: Added.
254         * microbenchmarks/bit-xor-tree.js: Added.
255
256 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
257
258         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
259         https://bugs.webkit.org/show_bug.cgi?id=196574
260
261         Reviewed by Saam Barati.
262
263         * stress/string-index-of-exception-check.js: Added.
264         (blurType):
265         (1.forEach):
266
267 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
268
269         Assertion failed in JSC::createError
270         https://bugs.webkit.org/show_bug.cgi?id=196305
271         <rdar://problem/49387382>
272
273         Reviewed by Saam Barati.
274
275         * stress/create-error-out-of-memory-rope-string-2.js: Added.
276         (assert):
277         (catch):
278
279 2019-03-28  Saam Barati  <sbarati@apple.com>
280
281         BackwardsGraph needs to consider back edges as the backward's root successor
282         https://bugs.webkit.org/show_bug.cgi?id=195991
283
284         Reviewed by Filip Pizlo.
285
286         * stress/map-b3-licm-infinite-loop.js: Added.
287
288 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
289
290         CodeBlock::jettison() should disallow repatching its own calls
291         https://bugs.webkit.org/show_bug.cgi?id=196359
292         <rdar://problem/48973663>
293
294         Reviewed by Saam Barati.
295
296         * stress/call-link-info-osrexit-repatch.js: Added.
297         (foo):
298
299 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
300
301         [JSC] imports-oom.js intermittently fails
302         https://bugs.webkit.org/show_bug.cgi?id=196373
303
304         Reviewed by Saam Barati.
305
306         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
307         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
308         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
309         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
310         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
311
312         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
313         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
314
315         * wasm/lowExecutableMemory/imports-oom.js:
316
317 2019-03-27  Saam Barati  <sbarati@apple.com>
318
319         validateOSREntryValue with Int52 should box the value being checked into double format
320         https://bugs.webkit.org/show_bug.cgi?id=196313
321         <rdar://problem/49306703>
322
323         Reviewed by Yusuke Suzuki.
324
325         * stress/validate-int-52-ai-state.js: Added.
326
327 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
328
329         [JSC] Owner of watchpoints should validate at GC finalizing phase
330         https://bugs.webkit.org/show_bug.cgi?id=195827
331
332         Reviewed by Filip Pizlo.
333
334         * stress/gc-should-reap-dead-watchpoints.js: Added.
335         (foo):
336         (A.prototype.y):
337         (A):
338
339 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
340
341         Skip WebAssembly test on 32-bit systems
342         https://bugs.webkit.org/show_bug.cgi?id=196206
343
344         Reviewed by Saam Barati.
345
346         Invoking runDefault executes test immediately even though
347         that test should be skipped due to missing WASM support.
348         Therefore remove runDefault.
349
350         * wasm/regress/web-assembly-link-error-exception-check.js:
351
352 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
353
354         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
355         https://bugs.webkit.org/show_bug.cgi?id=196217
356
357         Reviewed by Saam Barati.
358
359         Re-enable all NaN tests for f32.min, f64.min and f64.max.
360
361         * wasm/spec-tests/f32.wast.js:
362         * wasm/spec-tests/f64.wast.js:
363         * wasm/wasm.json:
364
365 2019-03-25  Keith Miller  <keith_miller@apple.com>
366
367         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
368         https://bugs.webkit.org/show_bug.cgi?id=196176
369
370         Reviewed by Saam Barati.
371
372         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
373         (main.v10):
374         (main):
375
376 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
377
378         WebAssembly: f32.max with NaN generates incorrect result
379         https://bugs.webkit.org/show_bug.cgi?id=175691
380         <rdar://problem/33952228>
381
382         Reviewed by Saam Barati.
383
384         Enable all f32.max NaN tests
385
386         * wasm/spec-tests/f32.wast.js:
387         * wasm/wasm.json:
388
389 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
390
391         [JSC] Move test into directory for WASM tests
392         https://bugs.webkit.org/show_bug.cgi?id=196187
393
394         Reviewed by Mark Lam.
395
396         Move Test into wasm-directory. Otherwise this test
397         is also executed on systems without WASM support.
398
399         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
400
401 2019-03-23  Mark Lam  <mark.lam@apple.com>
402
403         Rolling out r243032 and r243071 because the fix is incorrect.
404         https://bugs.webkit.org/show_bug.cgi?id=195892
405         <rdar://problem/48981239>
406
407         Not reviewed.
408
409         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
410
411 2019-03-22  Mark Lam  <mark.lam@apple.com>
412
413         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
414         https://bugs.webkit.org/show_bug.cgi?id=196154
415         <rdar://problem/49145307>
416
417         Reviewed by Filip Pizlo.
418
419         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
420         There's no need to run this test on more than 1 test configuration.
421
422         * stress/typed-array-lastIndexOf-exception-check.js: Added.
423         * stress/web-assembly-link-error-exception-check.js:
424
425 2019-03-22  Mark Lam  <mark.lam@apple.com>
426
427         Placate exception check validation in constructJSWebAssemblyLinkError().
428         https://bugs.webkit.org/show_bug.cgi?id=196152
429         <rdar://problem/49145257>
430
431         Reviewed by Michael Saboff.
432
433         * stress/web-assembly-link-error-exception-check.js: Added.
434
435 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
436
437         Skip tests running out of memory on ARM/MIPS
438         https://bugs.webkit.org/show_bug.cgi?id=196131
439
440         Unreviewed. Skip test if memory is limited.
441
442         * microbenchmarks/put-by-val-direct-large-index.js:
443
444 2019-03-21  Mark Lam  <mark.lam@apple.com>
445
446         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
447         https://bugs.webkit.org/show_bug.cgi?id=196116
448         <rdar://problem/48976951>
449
450         Reviewed by Filip Pizlo.
451
452         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
453
454 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
455
456         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
457         https://bugs.webkit.org/show_bug.cgi?id=196078
458         <rdar://problem/35925380>
459
460         Reviewed by Mark Lam.
461
462         Add a new benchmark that allocates several objects and invokes put_by_val_direct
463         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
464
465         * microbenchmarks/put-by-val-direct-large-index.js: Added.
466
467 2019-03-21  Mark Lam  <mark.lam@apple.com>
468
469         Placate exception check validation in operationArrayIndexOfString().
470         https://bugs.webkit.org/show_bug.cgi?id=196067
471         <rdar://problem/49056572>
472
473         Reviewed by Michael Saboff.
474
475         * stress/string-equal-exception-check.js: Added.
476
477 2019-03-21  Mark Lam  <mark.lam@apple.com>
478
479         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
480         https://bugs.webkit.org/show_bug.cgi?id=196055
481         <rdar://problem/49067448>
482
483         Reviewed by Yusuke Suzuki.
484
485         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
486
487 2019-03-20  Saam Barati  <sbarati@apple.com>
488
489         typeOfDoubleSum is wrong for when NaN can be produced
490         https://bugs.webkit.org/show_bug.cgi?id=196030
491
492         Reviewed by Filip Pizlo.
493
494         * stress/double-add-sub-mul-can-produce-nan.js: Added.
495         (assert):
496         (noInline.sub):
497         (noInline):
498         (assert.mul):
499         (assert.add):
500
501 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
502
503         Update the test to ensure OutOfMemoryError is thrown as intended
504         https://bugs.webkit.org/show_bug.cgi?id=196032
505         <rdar://problem/46842740>
506
507         Rubber stamped by Saam Barati.
508
509         * stress/create-error-out-of-memory-rope-string.js:
510         (assert):
511         (catch):
512
513 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
514
515         JSC::createError needs to check for OOM in errorDescriptionForValue
516         https://bugs.webkit.org/show_bug.cgi?id=196032
517         <rdar://problem/46842740>
518
519         Reviewed by Mark Lam.
520
521         * stress/create-error-out-of-memory-rope-string.js: Added.
522
523 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
524
525         Unreviewed, reduce # of iterations to avoid timing out after r242991
526         https://bugs.webkit.org/show_bug.cgi?id=195791
527
528         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
529
530         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
531
532 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
533
534         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
535         https://bugs.webkit.org/show_bug.cgi?id=195950
536
537         Unreviewed, reducing the amount of memory used on this test to avoid
538         OOM on devices with memory restrictions.
539
540         * microbenchmarks/generate-multiple-llint-entrypoints.js:
541
542 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
543
544         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
545         https://bugs.webkit.org/show_bug.cgi?id=194648
546
547         Reviewed by Keith Miller.
548
549         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
550
551 2019-03-18  Mark Lam  <mark.lam@apple.com>
552
553         Missing a ThrowScope release in JSObject::toString().
554         https://bugs.webkit.org/show_bug.cgi?id=195893
555         <rdar://problem/48970986>
556
557         Reviewed by Michael Saboff.
558
559         * stress/to-string-exception-check-release.js: Added.
560
561 2019-03-18  Mark Lam  <mark.lam@apple.com>
562
563         Structure::flattenDictionary() should clear unused property slots.
564         https://bugs.webkit.org/show_bug.cgi?id=195871
565         <rdar://problem/48959497>
566
567         Reviewed by Michael Saboff.
568
569         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
570
571 2019-03-15  Mark Lam  <mark.lam@apple.com>
572
573         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
574         https://bugs.webkit.org/show_bug.cgi?id=195827
575         <rdar://problem/48845513>
576
577         Reviewed by Filip Pizlo.
578
579         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
580
581 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
582
583         [ARM,MIPS] Skip slow tests
584         https://bugs.webkit.org/show_bug.cgi?id=195799
585
586         Unreviewed, test does not finish on ARM and MIPS within the
587         timeout limit.
588
589         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
590
591 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
592
593         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
594         https://bugs.webkit.org/show_bug.cgi?id=195791
595         <rdar://problem/48806130>
596
597         Reviewed by Mark Lam.
598
599         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
600         (foo):
601
602 2019-03-14  Saam barati  <sbarati@apple.com>
603
604         We can't remove code after ForceOSRExit until after FixupPhase
605         https://bugs.webkit.org/show_bug.cgi?id=186916
606         <rdar://problem/41396612>
607
608         Reviewed by Yusuke Suzuki.
609
610         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
611         (foo):
612         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
613         (foo):
614
615 2019-03-13  Michael Saboff  <msaboff@apple.com>
616
617         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
618         https://bugs.webkit.org/show_bug.cgi?id=195735
619
620         Reviewed by Mark Lam.
621
622         New regression test.
623
624         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
625         (foo):
626         (bar):
627
628 2019-03-14  Saam barati  <sbarati@apple.com>
629
630         Fixup uses KnownInt32 incorrectly in some nodes
631         https://bugs.webkit.org/show_bug.cgi?id=195279
632         <rdar://problem/47915654>
633
634         Reviewed by Yusuke Suzuki.
635
636         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
637         (foo):
638
639 2019-03-14  Keith Miller  <keith_miller@apple.com>
640
641         DFG liveness can't skip tail caller inline frames
642         https://bugs.webkit.org/show_bug.cgi?id=195715
643
644         Reviewed by Saam Barati.
645
646         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
647         (i.foo):
648
649 2019-03-13  Mark Lam  <mark.lam@apple.com>
650
651         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
652         https://bugs.webkit.org/show_bug.cgi?id=195415
653
654         Not reviewed.
655
656         Changed these tests to only run the default configuration.
657         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
658         There's no strong need to run this test on that variant.
659
660         * stress/dfg-to-string-on-int-does-gc.js:
661         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
662
663 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
664
665         String overflow when using StringBuilder in JSC::createError
666         https://bugs.webkit.org/show_bug.cgi?id=194957
667
668         Reviewed by Mark Lam.
669
670         Add test string-overflow-createError-builder.js that overflows
671         StringBuilder in notAFunctionSourceAppender. The second new test
672         string-overflow-createError-fit.js has an error message that doesn't
673         overflow, it still failed since the String's capacity can't be doubled.
674         Run test string-overflow-createError.js only in the default
675         configuration to reduce memory consumption when running the test
676         in all configurations on multiple CPUs in parallel.
677
678         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
679         (catch):
680         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
681         (catch):
682         * stress/string-overflow-createError.js:
683
684 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
685
686         [JSC] OSR entry should respect abstract values in addition to flush formats
687         https://bugs.webkit.org/show_bug.cgi?id=195653
688
689         Reviewed by Mark Lam.
690
691         * stress/osr-entry-locals-none.js: Added.
692
693 2019-03-12  Michael Saboff  <msaboff@apple.com>
694
695         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
696         https://bugs.webkit.org/show_bug.cgi?id=195613
697
698         Reviewed by Mark Lam.
699
700         New regression test.
701
702         * stress/regexp-backref-inbounds.js: Added.
703         (testRegExp):
704
705 2019-03-12  Mark Lam  <mark.lam@apple.com>
706
707         The HasIndexedProperty node does GC.
708         https://bugs.webkit.org/show_bug.cgi?id=195559
709         <rdar://problem/48767923>
710
711         Reviewed by Yusuke Suzuki.
712
713         * stress/HasIndexedProperty-does-gc.js: Added.
714
715 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
716
717         [ESNext][BigInt] Implement "~" unary operation
718         https://bugs.webkit.org/show_bug.cgi?id=182216
719
720         Reviewed by Keith Miller.
721
722         * stress/big-int-bit-not-general.js: Added.
723         * stress/big-int-bitwise-not-jit.js: Added.
724         * stress/big-int-bitwise-not-wrapped-value.js: Added.
725         * stress/bit-op-with-object-returning-int32.js:
726         * stress/bitwise-not-fixup-rules.js: Added.
727         * stress/value-bit-not-ai-rule.js: Added.
728
729 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
730
731         Invalid flags in a RegExp literal should be an early SyntaxError
732         https://bugs.webkit.org/show_bug.cgi?id=195514
733
734         Reviewed by Darin Adler.
735
736         * test262/expectations.yaml:
737         Mark 4 test cases as passing.
738
739         * stress/regexp-syntax-error-invalid-flags.js:
740         * stress/regress-161995.js: Removed.
741         Update existing test, merging in an older test for the same behavior.
742
743 2019-03-08  Mark Lam  <mark.lam@apple.com>
744
745         Stack overflow crash in JSC::JSObject::hasInstance.
746         https://bugs.webkit.org/show_bug.cgi?id=195458
747         <rdar://problem/48710195>
748
749         Reviewed by Yusuke Suzuki.
750
751         * stress/stack-overflow-in-custom-hasInstance.js: Added.
752
753 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
754
755         op_check_tdz does not def its argument
756         https://bugs.webkit.org/show_bug.cgi?id=192880
757         <rdar://problem/46221598>
758
759         Reviewed by Saam Barati.
760
761         * microbenchmarks/let-for-in.js: Added.
762         (foo):
763
764 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
765
766         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
767         https://bugs.webkit.org/show_bug.cgi?id=195429
768
769         Reviewed by Saam Barati.
770
771         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
772         (foo):
773         * stress/string-from-char-code-255.js: Added.
774
775 2019-03-06  Mark Lam  <mark.lam@apple.com>
776
777         Fix incorrect handling of try-finally completion values.
778         https://bugs.webkit.org/show_bug.cgi?id=195131
779         <rdar://problem/46222079>
780
781         Reviewed by Saam Barati and Yusuke Suzuki.
782
783         Added many permutations of new test case to test-finally.js.  test-finally.js has
784         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
785         tests pass there as well.
786
787         * stress/test-finally.js:
788
789 2019-03-06  Saam Barati  <sbarati@apple.com>
790
791         Air::reportUsedRegisters must padInterference
792         https://bugs.webkit.org/show_bug.cgi?id=195303
793         <rdar://problem/48270343>
794
795         Reviewed by Keith Miller.
796
797         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
798
799 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
800
801         [JSC] AI should not propagate AbstractValue relying on constant folding phase
802         https://bugs.webkit.org/show_bug.cgi?id=195375
803
804         Reviewed by Saam Barati.
805
806         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
807         (let.array):
808
809 2019-03-05  Saam barati  <sbarati@apple.com>
810
811         op_switch_char broken for rope strings after JSRopeString layout rewrite
812         https://bugs.webkit.org/show_bug.cgi?id=195339
813         <rdar://problem/48592545>
814
815         Reviewed by Yusuke Suzuki.
816
817         * stress/switch-on-char-llint-rope.js: Added.
818
819 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
820
821         [JSC] Store bits for JSRopeString in 3 stores
822         https://bugs.webkit.org/show_bug.cgi?id=195234
823
824         Reviewed by Saam Barati.
825
826         * stress/null-rope-and-collectors.js: Added.
827
828 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
829
830         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
831         https://bugs.webkit.org/show_bug.cgi?id=195207
832
833         Unreviewed. After test runtime was reduced in r242213, test can be
834         run again on ARM/MIPS.
835
836         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
837
838 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
839
840         [JSC] sizeof(JSString) should be 16
841         https://bugs.webkit.org/show_bug.cgi?id=194375
842
843         Reviewed by Saam Barati.
844
845         * microbenchmarks/make-rope.js: Added.
846         (makeRope):
847         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
848         (returnRope.helper): Deleted.
849         (returnRope): Deleted.
850
851 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
852
853         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
854         https://bugs.webkit.org/show_bug.cgi?id=195144
855
856         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
857         Change the number from 1e8 to 1e5.
858
859         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
860         (foo):
861
862 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
863
864         Test times out on ARM/MIPS
865         https://bugs.webkit.org/show_bug.cgi?id=195168
866
867         Unreviewed. Skip test on ARM/MIPS.
868
869         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
870
871 2019-02-27  Mark Lam  <mark.lam@apple.com>
872
873         The parser is failing to record the token location of new in new.target.
874         https://bugs.webkit.org/show_bug.cgi?id=195127
875         <rdar://problem/39645578>
876
877         Reviewed by Yusuke Suzuki.
878
879         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
880
881 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
882
883         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
884         https://bugs.webkit.org/show_bug.cgi?id=195144
885         <rdar://problem/47595961>
886
887         Reviewed by Mark Lam.
888
889         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
890         (bar):
891         (foo):
892         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
893         (bar):
894         (foo):
895
896 2019-02-27  Robin Morisset  <rmorisset@apple.com>
897
898         DFG: Loop-invariant code motion (LICM) should not hoist dead code
899         https://bugs.webkit.org/show_bug.cgi?id=194945
900         <rdar://problem/48311657>
901
902         Reviewed by Mark Lam.
903
904         * stress/licm-dead-code.js: Added.
905
906 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
907
908         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
909         https://bugs.webkit.org/show_bug.cgi?id=194677
910         <rdar://problem/48112492>
911
912         Reviewed by Mark Lam.
913
914         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
915         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
916         it immediately fails due to the large size.
917
918         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
919         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
920         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
921         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
922
923         This patch changes the test to produce 16bit string from String.fromCharCode.
924
925         * stress/regress-178386.js:
926
927 2019-02-26  Mark Lam  <mark.lam@apple.com>
928
929         wasmToJS() should purify incoming NaNs.
930         https://bugs.webkit.org/show_bug.cgi?id=194807
931         <rdar://problem/48189132>
932
933         Reviewed by Saam Barati.
934
935         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
936
937 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
938
939         [JSC] Repeat string created from Array.prototype.join() take too much memory
940         https://bugs.webkit.org/show_bug.cgi?id=193912
941
942         Reviewed by Saam Barati.
943
944         Added a test and a microbenchmark for corner cases of
945         Array.prototype.join() with an uninitialized array.
946
947         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
948         * stress/array-prototype-join-uninitialized.js: Added.
949         (testArray):
950         (testABC):
951         (B):
952         (C):
953
954 2019-02-22  Robin Morisset  <rmorisset@apple.com>
955
956         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
957         https://bugs.webkit.org/show_bug.cgi?id=194953
958         <rdar://problem/47595253>
959
960         Reviewed by Saam Barati.
961
962         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
963
964         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
965
966 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
967
968         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
969         https://bugs.webkit.org/show_bug.cgi?id=172848
970         <rdar://problem/25709212>
971
972         Reviewed by Mark Lam.
973
974         * typeProfiler/inheritance.js:
975         Rewrite the test slightly for clarity. The hoisting was confusing.
976
977         * heapProfiler/class-names.js: Added.
978         (MyES5Class):
979         (MyES6Class):
980         (MyES6Subclass):
981         Test object types and improved class names.
982
983         * heapProfiler/driver/driver.js:
984         (CheapHeapSnapshotNode):
985         (CheapHeapSnapshot):
986         (createCheapHeapSnapshot):
987         (HeapSnapshot):
988         (createHeapSnapshot):
989         Update snapshot parsing from version 1 to version 2.
990
991 2019-02-19  Truitt Savell  <tsavell@apple.com>
992
993         Unreviewed, rolling out r241784.
994
995         Broke all OpenSource builds.
996
997         Reverted changeset:
998
999         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1000         instances view"
1001         https://bugs.webkit.org/show_bug.cgi?id=172848
1002         https://trac.webkit.org/changeset/241784
1003
1004 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1005
1006         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1007         https://bugs.webkit.org/show_bug.cgi?id=172848
1008         <rdar://problem/25709212>
1009
1010         Reviewed by Mark Lam.
1011
1012         * typeProfiler/inheritance.js:
1013         Rewrite the test slightly for clarity. The hoisting was confusing.
1014
1015         * heapProfiler/class-names.js: Added.
1016         (MyES5Class):
1017         (MyES6Class):
1018         (MyES6Subclass):
1019         Test object types and improved class names.
1020
1021         * heapProfiler/driver/driver.js:
1022         (CheapHeapSnapshotNode):
1023         (CheapHeapSnapshot):
1024         (createCheapHeapSnapshot):
1025         (HeapSnapshot):
1026         (createHeapSnapshot):
1027         Update snapshot parsing from version 1 to version 2.
1028
1029 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1030
1031         [ARM] Fix crash with sampling profiler
1032         https://bugs.webkit.org/show_bug.cgi?id=194772
1033
1034         Reviewed by Mark Lam.
1035
1036         Do not skip test since crash with sampling profiler is now fixed.
1037
1038         * stress/sampling-profiler-richards.js:
1039
1040 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1041
1042         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1043         https://bugs.webkit.org/show_bug.cgi?id=194784
1044         <rdar://problem/48154820>
1045
1046         Reviewed by Mark Lam.
1047
1048         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1049         (getProperties):
1050         (getRandomProperty):
1051         (i.catch):
1052
1053 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1054
1055         [ARM] Test gardening: Test running out of executable memory
1056         https://bugs.webkit.org/show_bug.cgi?id=194771
1057
1058         Unreviewed. Do not run test without LLInt, test is running out of executable
1059         memory on ARM otherwise.
1060
1061         * stress/tagged-template-object-collect.js:
1062
1063 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1064
1065         Unreviewed, skip the test on platforms without sampling profiler
1066
1067         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1068         (platformSupportsSamplingProfiler.foo):
1069         (platformSupportsSamplingProfiler.test):
1070         (platformSupportsSamplingProfiler):
1071         (foo): Deleted.
1072         (test): Deleted.
1073
1074 2019-02-17  Saam Barati  <sbarati@apple.com>
1075
1076         Deadlock when adding a Structure property transition and then doing incremental marking
1077         https://bugs.webkit.org/show_bug.cgi?id=194767
1078
1079         Reviewed by Mark Lam.
1080
1081         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1082
1083 2019-02-15  Michael Saboff  <msaboff@apple.com>
1084
1085         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1086         https://bugs.webkit.org/show_bug.cgi?id=194558
1087
1088         Reviewed by Saam Barati.
1089
1090         New regression test.
1091
1092         * stress/regexp-unicode-within-string.js: Added.
1093
1094 2019-02-15  Mark Lam  <mark.lam@apple.com>
1095
1096         SamplingProfiler::stackTracesAsJSON() should escape strings.
1097         https://bugs.webkit.org/show_bug.cgi?id=194649
1098         <rdar://problem/48072386>
1099
1100         Reviewed by Saam Barati.
1101
1102         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1103         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1104         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1105         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1106
1107 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1108         CodeBlock::jettison should clear related watchpoints
1109         https://bugs.webkit.org/show_bug.cgi?id=194544
1110
1111         Reviewed by Mark Lam.
1112
1113         * stress/regexp-replace-double-watchpoint.js: Added.
1114         (foo):
1115
1116 2019-02-15  Saam barati  <sbarati@apple.com>
1117
1118         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1119         https://bugs.webkit.org/show_bug.cgi?id=194036
1120
1121         Reviewed by Yusuke Suzuki.
1122
1123         * stress/tail-call-many-arguments.js: Added.
1124         (foo):
1125         (bar):
1126
1127 2019-02-14  Saam Barati  <sbarati@apple.com>
1128
1129         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1130         https://bugs.webkit.org/show_bug.cgi?id=194583
1131         <rdar://problem/48028140>
1132
1133         Reviewed by Yusuke Suzuki.
1134
1135         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1136
1137 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1138
1139         [JSC] String.fromCharCode's slow path always generates 16bit string
1140         https://bugs.webkit.org/show_bug.cgi?id=194466
1141
1142         Reviewed by Keith Miller.
1143
1144         * stress/string-from-char-code-slow-path.js: Added.
1145         (shouldBe):
1146         (testWithLength):
1147
1148 2019-02-08  Saam barati  <sbarati@apple.com>
1149
1150         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1151         https://bugs.webkit.org/show_bug.cgi?id=194334
1152         <rdar://problem/47844327>
1153
1154         Reviewed by Mark Lam.
1155
1156         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1157         (func):
1158
1159 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1160
1161         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1162         https://bugs.webkit.org/show_bug.cgi?id=194369
1163         <rdar://problem/47813087>
1164
1165         Reviewed by Saam Barati.
1166
1167         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1168         (A):
1169
1170 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1171
1172         [JSC] PrivateName to PublicName hash table is wasteful
1173         https://bugs.webkit.org/show_bug.cgi?id=194277
1174
1175         Reviewed by Michael Saboff.
1176
1177         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1178
1179         * ChakraCore.yaml:
1180
1181 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1182
1183         [ARM] Test running out of executable memory
1184         https://bugs.webkit.org/show_bug.cgi?id=194285
1185
1186         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1187         executable memory otherwise.
1188
1189         * stress/class-subclassing-function.js:
1190
1191 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1192
1193         when lowering AssertNotEmpty, create the value before creating the patchpoint
1194         https://bugs.webkit.org/show_bug.cgi?id=194231
1195
1196         Reviewed by Saam Barati.
1197
1198         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1199         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1200         So even tiny changes to this test can change the path code taken.
1201
1202         * stress/assert-not-empty.js: Added.
1203         (foo):
1204
1205 2019-02-01  Mark Lam  <mark.lam@apple.com>
1206
1207         Remove invalid assertion in DFG's compileDoubleRep().
1208         https://bugs.webkit.org/show_bug.cgi?id=194130
1209         <rdar://problem/47699474>
1210
1211         Reviewed by Saam Barati.
1212
1213         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1214
1215 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1216
1217         Import latest Test262 updates.
1218
1219         Rubber-stamped by Keith Miller.
1220
1221         * test262.yaml: Deleted.
1222         * test262/config.yaml:
1223         * test262/expectations.yaml:
1224         * test262/latest-changes-summary.txt:
1225         * test262/test/:
1226         * test262/test262-Revision.txt:
1227
1228 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1229
1230         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1231         https://bugs.webkit.org/show_bug.cgi?id=194050
1232         <rdar://problem/47595592>
1233
1234         Reviewed by Yusuke Suzuki.
1235
1236         * stress/object-keys-osr-exit.js: Added.
1237         (foo):
1238         (catch):
1239
1240 2019-01-29  Mark Lam  <mark.lam@apple.com>
1241
1242         ValueRecovery::recover() should purify NaN values it recovers.
1243         https://bugs.webkit.org/show_bug.cgi?id=193978
1244         <rdar://problem/47625488>
1245
1246         Reviewed by Saam Barati.
1247
1248         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1249
1250 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1251
1252         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1253         https://bugs.webkit.org/show_bug.cgi?id=193713
1254
1255         * stress/try-get-by-id-should-spill-registers-dfg.js:
1256         (let.f.createBuiltin):
1257
1258 2019-01-28  Mark Lam  <mark.lam@apple.com>
1259
1260         ToString node actually does GC.
1261         https://bugs.webkit.org/show_bug.cgi?id=193920
1262         <rdar://problem/46695900>
1263
1264         Reviewed by Yusuke Suzuki.
1265
1266         * stress/dfg-to-string-on-int-does-gc.js: Added.
1267         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1268         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1269
1270 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1271
1272         [JSC] NativeErrorConstructor should not have own IsoSubspace
1273         https://bugs.webkit.org/show_bug.cgi?id=193713
1274
1275         Reviewed by Saam Barati.
1276
1277         Remove @Error use.
1278
1279         * stress/try-get-by-id-should-spill-registers-dfg.js:
1280         (let.f.createBuiltin):
1281
1282 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1283
1284         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1285         https://bugs.webkit.org/show_bug.cgi?id=190693
1286
1287         Reviewed by Michael Saboff.
1288
1289         * stress/regress-190693.js: Added.
1290         (truth):
1291         (assert):
1292         (shouldThrowInvalidConstAssignment):
1293         (taz):
1294
1295 2019-01-24  Saam Barati  <sbarati@apple.com>
1296
1297         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1298         https://bugs.webkit.org/show_bug.cgi?id=193751
1299         <rdar://problem/47280215>
1300
1301         Reviewed by Michael Saboff.
1302
1303         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1304         (let.thing):
1305         (foo.let.hello):
1306         (foo):
1307
1308 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1309
1310         [JSC] Reenable baseline JIT on mips
1311         https://bugs.webkit.org/show_bug.cgi?id=192983
1312
1313         Reviewed by Mark Lam.
1314
1315         Added a new test for a case that was triggering a RELEASE_ASSERT when
1316         testing.
1317         Disable some slow tests that were already disabled for arm and x86.
1318
1319         * stress/json-parse-big-object.js: Added.
1320         * stress/new-largeish-contiguous-array-with-size.js:
1321         * stress/op_add.js:
1322         * stress/op_bitand.js:
1323         * stress/op_bitor.js:
1324         * stress/op_bitxor.js:
1325         * stress/op_lshift-ConstVar.js:
1326         * stress/op_lshift-VarConst.js:
1327         * stress/op_lshift-VarVar.js:
1328         * stress/op_mod-ConstVar.js:
1329         * stress/op_mod-VarConst.js:
1330         * stress/op_mod-VarVar.js:
1331         * stress/op_mul-ConstVar.js:
1332         * stress/op_mul-VarConst.js:
1333         * stress/op_mul-VarVar.js:
1334         * stress/op_rshift-ConstVar.js:
1335         * stress/op_rshift-VarConst.js:
1336         * stress/op_rshift-VarVar.js:
1337         * stress/op_sub-ConstVar.js:
1338         * stress/op_sub-VarConst.js:
1339         * stress/op_sub-VarVar.js:
1340         * stress/op_urshift-ConstVar.js:
1341         * stress/op_urshift-VarConst.js:
1342         * stress/op_urshift-VarVar.js:
1343         * stress/sampling-profiler-richards.js:
1344         * stress/spread-forward-call-varargs-stack-overflow.js:
1345
1346 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1347
1348         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1349         https://bugs.webkit.org/show_bug.cgi?id=193711
1350         <rdar://problem/47250262>
1351
1352         Reviewed by Saam Barati.
1353
1354         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1355         (shouldBe):
1356         (foo):
1357         (bar):
1358         (baz):
1359
1360 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1361
1362         Unreviewed, fix initial global lexical binding epoch
1363         https://bugs.webkit.org/show_bug.cgi?id=193603
1364         <rdar://problem/47380869>
1365
1366         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1367         (f1.f2.f3.f4):
1368         (f1.f2.f3):
1369         (f1.f2):
1370         (f1):
1371
1372 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1373
1374         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1375         https://bugs.webkit.org/show_bug.cgi?id=193709
1376         <rdar://problem/47363838>
1377
1378         Unreviewed, rollout to watch the tests.
1379
1380         * stress/object-tostring-changed-proto.js: Removed.
1381         * stress/object-tostring-changed.js: Removed.
1382         * stress/object-tostring-misc.js: Removed.
1383         * stress/object-tostring-other.js: Removed.
1384         * stress/object-tostring-untyped.js: Removed.
1385
1386 2019-01-22  Saam Barati  <sbarati@apple.com>
1387
1388         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1389
1390         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1391         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1392         (testUncheckedLessThanZero):
1393         (testUncheckedLessThanOrEqualZero):
1394         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1395         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1396
1397 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1398
1399         [JSC] Invalidate old scope operations using global lexical binding epoch
1400         https://bugs.webkit.org/show_bug.cgi?id=193603
1401         <rdar://problem/47380869>
1402
1403         Reviewed by Saam Barati.
1404
1405         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1406         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1407         (shouldThrow):
1408         (bar):
1409         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1410         (shouldBe):
1411         (get1):
1412         (get2):
1413         (get1If):
1414         (get2If):
1415         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1416         (shouldThrow):
1417         (foo):
1418
1419 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1420
1421         Unreviewed, roll out r240220 due to date-format-xparb regression
1422         https://bugs.webkit.org/show_bug.cgi?id=193603
1423
1424         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1425         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1426         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1427         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1428
1429 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1430
1431         DoesGC rule is wrong for nodes with BigIntUse
1432         https://bugs.webkit.org/show_bug.cgi?id=193652
1433
1434         Reviewed by Saam Barati.
1435
1436         * stress/big-int-value-op-update-gc-rules.js: Added.
1437         (assert):
1438         (doesGCAdd):
1439         (doesGCSub):
1440         (doesGCDiv):
1441         (doesGCMul):
1442         (doesGCBitAnd):
1443         (doesGCBitOr):
1444         (doesGCBitXor):
1445
1446 2019-01-20  Saam Barati  <sbarati@apple.com>
1447
1448         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1449         https://bugs.webkit.org/show_bug.cgi?id=193644
1450         <rdar://problem/46209745>
1451
1452         Reviewed by Yusuke Suzuki.
1453
1454         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1455         (foo):
1456         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1457         (foo):
1458         (bar):
1459
1460 2019-01-20  Saam Barati  <sbarati@apple.com>
1461
1462         MovHint must merge NodeBytecodeUsesAsValue for its child
1463         https://bugs.webkit.org/show_bug.cgi?id=186916
1464         <rdar://problem/41396612>
1465
1466         Reviewed by Yusuke Suzuki.
1467
1468         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1469         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1470
1471 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1472
1473         [JSC] Invalidate old scope operations using global lexical binding epoch
1474         https://bugs.webkit.org/show_bug.cgi?id=193603
1475         <rdar://problem/47380869>
1476
1477         Reviewed by Saam Barati.
1478
1479         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1480         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1481         (shouldThrow):
1482         (bar):
1483         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1484         (shouldBe):
1485         (get1):
1486         (get2):
1487         (get1If):
1488         (get2If):
1489         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1490         (shouldThrow):
1491         (foo):
1492
1493 2019-01-17  Saam barati  <sbarati@apple.com>
1494
1495         StringObjectUse should not be a structure check for the original string object structure
1496         https://bugs.webkit.org/show_bug.cgi?id=193483
1497         <rdar://problem/47280522>
1498
1499         Reviewed by Yusuke Suzuki.
1500
1501         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1502         (foo):
1503         (a.valueOf.0):
1504
1505 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1506
1507         [JSC] ToThis omission in DFGByteCodeParser is wrong
1508         https://bugs.webkit.org/show_bug.cgi?id=193513
1509         <rdar://problem/45842236>
1510
1511         Reviewed by Saam Barati.
1512
1513         * stress/to-this-omission-with-different-strict-modes.js: Added.
1514         (thisA):
1515         (thisAStrictWrapper):
1516
1517 2019-01-15  Mark Lam  <mark.lam@apple.com>
1518
1519         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1520         https://bugs.webkit.org/show_bug.cgi?id=193423
1521         <rdar://problem/46209355>
1522
1523         Reviewed by Saam Barati.
1524
1525         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1526         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1527         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1528         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1529
1530 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1531
1532         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1533         https://bugs.webkit.org/show_bug.cgi?id=193438
1534         <rdar://problem/45581249>
1535
1536         Reviewed by Saam Barati and Keith Miller.
1537
1538         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1539         Then, GetByVal(String) crashed.
1540
1541         * stress/string-get-by-val-lowering.js: Added.
1542         (shouldBe):
1543         (test):
1544         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1545         (Hello):
1546         (foo):
1547
1548 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1549
1550         Unreviewed, skip JIT tests if it's not enabled
1551
1552         * stress/bit-op-with-object-returning-int32.js:
1553
1554 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1555
1556         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1557         https://bugs.webkit.org/show_bug.cgi?id=192966
1558
1559         Reviewed by Yusuke Suzuki.
1560
1561         * stress/bit-op-with-object-returning-int32.js: Added.
1562
1563 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1564
1565         Skip a slow test and a flakey test on arm
1566
1567         Unreviewed gardening.
1568
1569         * typeProfiler/getter-richards.js:
1570         this test always times out, it used to be always skipped on arm and
1571         mips, but got accidentally enabled by r237919 now that we have DFG on
1572         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1573
1574 2019-01-14  Keith Miller  <keith_miller@apple.com>
1575
1576         Skip type-check-hoisting-phase-hoist... with no jit
1577         https://bugs.webkit.org/show_bug.cgi?id=193421
1578
1579         Reviewed by Mark Lam.
1580
1581         It's timing out the 32-bit bots and takes 330 seconds
1582         on my machine when run by itself.
1583
1584         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1585
1586 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1587
1588         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1589         https://bugs.webkit.org/show_bug.cgi?id=193413
1590         <rdar://problem/46092389>
1591
1592         Reviewed by Keith Miller.
1593
1594         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1595         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1596         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1597         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1598
1599         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1600         (compareArray):
1601
1602 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1603
1604         [BigInt] Literal parsing is crashing when used inside a Object Literal
1605         https://bugs.webkit.org/show_bug.cgi?id=193404
1606
1607         Reviewed by Yusuke Suzuki.
1608
1609         * stress/big-int-literal-inside-literal-object.js: Added.
1610
1611 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1612
1613         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1614         https://bugs.webkit.org/show_bug.cgi?id=193372
1615
1616         Reviewed by Saam Barati.
1617
1618         * stress/typed-array-array-modes-profile.js: Added.
1619         (foo):
1620
1621 2019-01-14  Mark Lam  <mark.lam@apple.com>
1622
1623         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1624         https://bugs.webkit.org/show_bug.cgi?id=193402
1625         <rdar://problem/46012309>
1626
1627         Reviewed by Keith Miller.
1628
1629         * stress/regexp-compile-oom.js:
1630         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1631           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1632
1633 2019-01-11  Saam barati  <sbarati@apple.com>
1634
1635         DFG combined liveness can be wrong for terminal basic blocks
1636         https://bugs.webkit.org/show_bug.cgi?id=193304
1637         <rdar://problem/45268632>
1638
1639         Reviewed by Yusuke Suzuki.
1640
1641         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1642
1643 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1646         https://bugs.webkit.org/show_bug.cgi?id=193308
1647         <rdar://problem/45546542>
1648
1649         Reviewed by Saam Barati.
1650
1651         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1652         (shouldThrow):
1653         (shouldBe):
1654         (foo):
1655         (get shouldThrow):
1656         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1657         (shouldThrow):
1658         (shouldBe):
1659         (foo):
1660         (get shouldBe):
1661         (get shouldThrow):
1662         (get return):
1663         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1664         (shouldThrow):
1665         (shouldBe):
1666         (foo):
1667         (get shouldBe):
1668         (get shouldThrow):
1669         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1670         (shouldThrow):
1671         (shouldBe):
1672         (foo):
1673         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1674         (shouldThrow):
1675         (shouldBe):
1676         (foo):
1677         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1678         (shouldThrow):
1679         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1680         (shouldThrow):
1681         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1682         (shouldThrow):
1683         (shouldBe):
1684         (foo):
1685         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1686         (shouldThrow):
1687         (shouldBe):
1688         (foo):
1689         (get shouldBe):
1690         (get shouldThrow):
1691         (get return):
1692         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1693         (shouldThrow):
1694         (shouldBe):
1695         (foo):
1696         (get shouldBe):
1697         (get shouldThrow):
1698         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1699         (shouldThrow):
1700         (shouldBe):
1701         (foo):
1702         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1703         (shouldThrow):
1704         (shouldBe):
1705         (foo):
1706
1707 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1708
1709         Enable DFG on ARM/Linux again
1710         https://bugs.webkit.org/show_bug.cgi?id=192496
1711
1712         Reviewed by Yusuke Suzuki.
1713
1714         Test wasn't really skipped before moving the line with skip
1715         to the top.
1716
1717         * stress/regress-192717.js:
1718
1719 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1720
1721         Unreviewed, rolling out r239825.
1722         https://bugs.webkit.org/show_bug.cgi?id=193330
1723
1724         Broke tests on armv7/linux bots (Requested by guijemont on
1725         #webkit).
1726
1727         Reverted changeset:
1728
1729         "Enable DFG on ARM/Linux again"
1730         https://bugs.webkit.org/show_bug.cgi?id=192496
1731         https://trac.webkit.org/changeset/239825
1732
1733 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1734
1735         Enable DFG on ARM/Linux again
1736         https://bugs.webkit.org/show_bug.cgi?id=192496
1737
1738         Reviewed by Yusuke Suzuki.
1739
1740         Test wasn't really skipped before moving the line with skip
1741         to the top.
1742
1743         * stress/regress-192717.js:
1744
1745 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1746
1747         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1748         https://bugs.webkit.org/show_bug.cgi?id=193127
1749
1750         Reviewed by Saam Barati.
1751
1752         * stress/array-species-create-should-handle-masquerader.js: Added.
1753         (shouldThrow):
1754         * stress/is-undefined-or-null-builtin.js: Added.
1755         (shouldBe):
1756         (isUndefinedOrNull.vm.createBuiltin):
1757
1758 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1759
1760         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1761         https://bugs.webkit.org/show_bug.cgi?id=193221
1762
1763         Reviewed by Mark Lam.
1764
1765         * stress/put-by-id-flags.js: Added.
1766         (f):
1767         (g):
1768         (numberOfDFGCompiles):
1769
1770 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1771
1772         Baseline version of get_by_id may corrupt metadata
1773         https://bugs.webkit.org/show_bug.cgi?id=193085
1774         <rdar://problem/23453006>
1775
1776         Reviewed by Saam Barati.
1777
1778         * stress/get-by-id-change-mode.js: Added.
1779         (forEach):
1780
1781 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1782
1783         [JSC] Optimize Object.prototype.toString
1784         https://bugs.webkit.org/show_bug.cgi?id=193031
1785
1786         Reviewed by Saam Barati.
1787
1788         * stress/object-tostring-changed-proto.js: Added.
1789         (shouldBe):
1790         (test):
1791         * stress/object-tostring-changed.js: Added.
1792         (shouldBe):
1793         (test):
1794         * stress/object-tostring-misc.js: Added.
1795         (shouldBe):
1796         (test):
1797         (i.switch):
1798         * stress/object-tostring-other.js: Added.
1799         (shouldBe):
1800         (test):
1801         * stress/object-tostring-untyped.js: Added.
1802         (shouldBe):
1803         (test):
1804         (i.switch):
1805
1806 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1807
1808         test262-runner misbehaves when test file YAML has a trailing space
1809         https://bugs.webkit.org/show_bug.cgi?id=193053
1810
1811         Reviewed by Yusuke Suzuki.
1812
1813         * test262/expectations.yaml:
1814         Mark two dozen tests as passing (and correct the output of another).
1815
1816 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1817
1818         Unreviewed, JSTests gardening with memoryLimited
1819
1820         * stress/string-overflow-createError.js:
1821
1822 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1823
1824         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1825         https://bugs.webkit.org/show_bug.cgi?id=193050
1826
1827         Reviewed by Yusuke Suzuki.
1828
1829         * test262.yaml:
1830         * test262/expectations.yaml:
1831         Mark 16 tests as passing.
1832
1833 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1834
1835         [BigInt] Support BigInt in JSON.stringify
1836         https://bugs.webkit.org/show_bug.cgi?id=192624
1837
1838         Reviewed by Saam Barati.
1839
1840         * stress/big-int-json-stringify-to-json.js: Added.
1841         (shouldBe):
1842         (shouldThrow):
1843         (BigInt.prototype.toJSON):
1844         (shouldBe.JSON.stringify):
1845         * stress/big-int-json-stringify.js: Added.
1846         (shouldBe):
1847         (shouldThrow):
1848
1849 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1850
1851         [JSC] Implement "well-formed JSON.stringify" proposal
1852         https://bugs.webkit.org/show_bug.cgi?id=191677
1853
1854         Reviewed by Darin Adler.
1855
1856         * stress/json-surrogate-pair.js: Added.
1857         (shouldBe):
1858         * test262/expectations.yaml:
1859
1860 2018-12-20  Keith Miller  <keith_miller@apple.com>
1861
1862         Add support for globalThis
1863         https://bugs.webkit.org/show_bug.cgi?id=165171
1864
1865         Reviewed by Mark Lam.
1866
1867         * test262/config.yaml:
1868
1869 2018-12-19  Keith Miller  <keith_miller@apple.com>
1870
1871         Update test262 configuration to not run tests dependent on ICU version.
1872         https://bugs.webkit.org/show_bug.cgi?id=192920
1873
1874         Reviewed by Saam Barati.
1875
1876         * test262/expectations.yaml:
1877
1878 2018-12-20  Mark Lam  <mark.lam@apple.com>
1879
1880         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1881         https://bugs.webkit.org/show_bug.cgi?id=192939
1882         <rdar://problem/46869516>
1883
1884         Reviewed by Keith Miller.
1885
1886         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1887
1888 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1889
1890         WTF::String and StringImpl overflow MaxLength
1891         https://bugs.webkit.org/show_bug.cgi?id=192853
1892         <rdar://problem/45726906>
1893
1894         Reviewed by Mark Lam.
1895
1896         * stress/string-16bit-repeat-overflow.js: Added.
1897         (catch):
1898
1899 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1900
1901         Unreviewed follow-up to r192914.
1902
1903         * test262/expectations.yaml:
1904         Add the last 20 missing expectations.
1905
1906 2018-12-19  Keith Miller  <keith_miller@apple.com>
1907
1908         Fix test262 expectations
1909         https://bugs.webkit.org/show_bug.cgi?id=192914
1910
1911         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1912
1913         * test262/expectations.yaml:
1914
1915 2018-12-19  Keith Miller  <keith_miller@apple.com>
1916
1917         Update test262 tests.
1918         https://bugs.webkit.org/show_bug.cgi?id=192907
1919
1920         Rubber stamped by Mark Lam.
1921
1922         * test262/*: Omitted because prepare-changelog crashes.
1923
1924 2018-12-19  Mark Lam  <mark.lam@apple.com>
1925
1926         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1927         https://bugs.webkit.org/show_bug.cgi?id=192464
1928         <rdar://problem/46519455>
1929
1930         Reviewed by Saam Barati.
1931
1932         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1933         microbenchmark.
1934
1935         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1936         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1937
1938 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1939
1940         String overflow in JSC::createError results in ASSERT in WTF::makeString
1941         https://bugs.webkit.org/show_bug.cgi?id=192833
1942         <rdar://problem/45706868>
1943
1944         Reviewed by Mark Lam.
1945
1946         * stress/string-overflow-createError.js: Added.
1947
1948 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1949
1950         Error message for `-x ** y` contains a typo.
1951         https://bugs.webkit.org/show_bug.cgi?id=192832
1952
1953         Reviewed by Saam Barati.
1954
1955         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1956         (assert.assert.return.throws):
1957         * stress/pow-expects-update-expression-on-lhs.js:
1958         (throw.new.Error):
1959         Update test expectations which match against the exact error message.
1960
1961 2018-12-18  Mark Lam  <mark.lam@apple.com>
1962
1963         Gardening: test options fix.
1964         https://bugs.webkit.org/show_bug.cgi?id=192822
1965
1966         Unreviewed.
1967
1968         * stress/json-stringify-string-builder-overflow.js:
1969
1970 2018-12-18  Mark Lam  <mark.lam@apple.com>
1971
1972         JSON.stringify() should throw OOM on StringBuilder overflows.
1973         https://bugs.webkit.org/show_bug.cgi?id=192822
1974         <rdar://problem/46670577>
1975
1976         Reviewed by Saam Barati.
1977
1978         * stress/json-stringify-string-builder-overflow.js: Added.
1979
1980 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1981
1982         Redeclaration of var over let/const/class should be a syntax error.
1983         https://bugs.webkit.org/show_bug.cgi?id=192298
1984
1985         Reviewed by Keith Miller.
1986
1987         * test262.yaml:
1988         * test262/expectations.yaml:
1989         Mark 46 tests as passing.
1990
1991         * stress/block-scope-redeclarations.js:
1992         Add some new tests.
1993
1994         * stress/for-in-invalidate-context-weird-assignments.js:
1995         * stress/for-in-tests.js:
1996         Replace tests for outdated behavior with tests for SyntaxError.
1997
1998         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1999         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2000         Update expectations.
2001
2002 2018-12-18  Mark Lam  <mark.lam@apple.com>
2003
2004         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2005         https://bugs.webkit.org/show_bug.cgi?id=191374
2006         <rdar://problem/46525447>
2007
2008         Reviewed by Yusuke Suzuki.
2009
2010         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2011
2012         * stress/elidable-new-object-roflcopter-then-exit.js:
2013
2014 2018-12-17  Mark Lam  <mark.lam@apple.com>
2015
2016         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2017         https://bugs.webkit.org/show_bug.cgi?id=192019
2018         <rdar://problem/46525456>
2019
2020         Reviewed by Yusuke Suzuki.
2021
2022         The test runs too slow on 32-bit.
2023
2024         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2025
2026 2018-12-17  Mark Lam  <mark.lam@apple.com>
2027
2028         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2029         https://bugs.webkit.org/show_bug.cgi?id=191373
2030         <rdar://problem/46525458>
2031
2032         Reviewed by Yusuke Suzuki.
2033
2034         The test is already slow running with a JIT on 64-bit.  It will always time out
2035         on 32-bit without a JIT.
2036
2037         * stress/materialize-regexp-cyclic-regexp.js:
2038
2039 2018-12-17  Mark Lam  <mark.lam@apple.com>
2040
2041         Array unshift/shift should not race against the AI in the compiler thread.
2042         https://bugs.webkit.org/show_bug.cgi?id=192795
2043         <rdar://problem/46724263>
2044
2045         Reviewed by Saam Barati.
2046
2047         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2048
2049 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2050
2051         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2052         https://bugs.webkit.org/show_bug.cgi?id=190047
2053
2054         Reviewed by Saam Barati.
2055
2056         * stress/object-keys-cached-zero.js: Added.
2057         (shouldBe):
2058         (test):
2059         * stress/object-keys-changed-attribute.js: Added.
2060         (shouldBe):
2061         (test):
2062         * stress/object-keys-changed-index.js: Added.
2063         (shouldBe):
2064         (test):
2065         * stress/object-keys-changed.js: Added.
2066         (shouldBe):
2067         (test):
2068         * stress/object-keys-indexed-non-cache.js: Added.
2069         (shouldBe):
2070         (test):
2071         * stress/object-keys-overrides-get-property-names.js: Added.
2072         (shouldBe):
2073         (test):
2074         (noInline):
2075
2076 2018-12-17  Mark Lam  <mark.lam@apple.com>
2077
2078         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2079         https://bugs.webkit.org/show_bug.cgi?id=192779
2080         <rdar://problem/46775869>
2081
2082         Reviewed by Saam Barati.
2083
2084         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2085
2086 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2087
2088         Unreviewed test gardening, address a syntax error in a new test.
2089
2090         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2091
2092 2018-12-17  Mark Lam  <mark.lam@apple.com>
2093
2094         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2095         https://bugs.webkit.org/show_bug.cgi?id=192776
2096         <rdar://problem/46772368>
2097
2098         Reviewed by Keith Miller.
2099
2100         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2101
2102 2018-12-17  Mark Lam  <mark.lam@apple.com>
2103
2104         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2105         https://bugs.webkit.org/show_bug.cgi?id=192770
2106         <rdar://problem/46449037>
2107
2108         Reviewed by Keith Miller.
2109
2110         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2111
2112 2018-12-14  Mark Lam  <mark.lam@apple.com>
2113
2114         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2115         https://bugs.webkit.org/show_bug.cgi?id=192717
2116         <rdar://problem/46660677>
2117
2118         Reviewed by Saam Barati.
2119
2120         * stress/regress-192717.js: Added.
2121
2122 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2123
2124         Unreviewed, rolling out r239153, r239154, and r239155.
2125         https://bugs.webkit.org/show_bug.cgi?id=192715
2126
2127         Caused flaky GC-related crashes seen with layout tests
2128         (Requested by ryanhaddad on #webkit).
2129
2130         Reverted changesets:
2131
2132         "[JSC] Optimize Object.keys by caching own keys results in
2133         StructureRareData"
2134         https://bugs.webkit.org/show_bug.cgi?id=190047
2135         https://trac.webkit.org/changeset/239153
2136
2137         "Unreviewed, build fix after r239153"
2138         https://bugs.webkit.org/show_bug.cgi?id=190047
2139         https://trac.webkit.org/changeset/239154
2140
2141         "Unreviewed, build fix after r239153, part 2"
2142         https://bugs.webkit.org/show_bug.cgi?id=190047
2143         https://trac.webkit.org/changeset/239155
2144
2145 2018-12-14  Keith Miller  <keith_miller@apple.com>
2146
2147         Callers of JSString::getIndex should check for OOM exceptions
2148         https://bugs.webkit.org/show_bug.cgi?id=192709
2149
2150         Reviewed by Mark Lam.
2151
2152         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2153
2154 2018-12-13  Mark Lam  <mark.lam@apple.com>
2155
2156         Add a missing exception check.
2157         https://bugs.webkit.org/show_bug.cgi?id=192626
2158         <rdar://problem/46662163>
2159
2160         Reviewed by Keith Miller.
2161
2162         * stress/regress-192626.js: Added.
2163
2164 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2165
2166         [BigInt] Add ValueDiv into DFG
2167         https://bugs.webkit.org/show_bug.cgi?id=186178
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         * stress/big-int-div-jit-osr.js: Added.
2172         * stress/big-int-div-jit-untyped.js: Added.
2173         * stress/value-div-fixup-int32-big-int.js: Added.
2174
2175 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2176
2177         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2178         https://bugs.webkit.org/show_bug.cgi?id=190047
2179
2180         Reviewed by Keith Miller.
2181
2182         * stress/object-keys-cached-zero.js: Added.
2183         (shouldBe):
2184         (test):
2185         * stress/object-keys-changed-attribute.js: Added.
2186         (shouldBe):
2187         (test):
2188         * stress/object-keys-changed-index.js: Added.
2189         (shouldBe):
2190         (test):
2191         * stress/object-keys-changed.js: Added.
2192         (shouldBe):
2193         (test):
2194         * stress/object-keys-indexed-non-cache.js: Added.
2195         (shouldBe):
2196         (test):
2197         * stress/object-keys-overrides-get-property-names.js: Added.
2198         (shouldBe):
2199         (test):
2200         (noInline):
2201
2202 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2203
2204         [DFG][FTL] Add NewSymbol
2205         https://bugs.webkit.org/show_bug.cgi?id=192620
2206
2207         Reviewed by Saam Barati.
2208
2209         * microbenchmarks/symbol-creation.js: Added.
2210         (test):
2211         * stress/symbol-description-identity.js: Added.
2212         (shouldBe):
2213         (test):
2214         * stress/symbol-identity.js: Added.
2215         (shouldBe):
2216         (test):
2217         * stress/symbol-with-description-throw-error.js: Added.
2218         (shouldBe):
2219         (shouldThrow):
2220         (test):
2221         (object.toString):
2222
2223 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2224
2225         [BigInt] Implement DFG/FTL typeof for BigInt
2226         https://bugs.webkit.org/show_bug.cgi?id=192619
2227
2228         Reviewed by Keith Miller.
2229
2230         * stress/big-int-boolean-proven-type.js: Added.
2231         (assert):
2232         (bool):
2233         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2234         (assert):
2235         (typeOf):
2236         (i.switch):
2237         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2238         (assert):
2239         (typeOf):
2240         * stress/big-int-type-of.js:
2241         (typeOf):
2242         (func):
2243
2244 2018-12-10  Mark Lam  <mark.lam@apple.com>
2245
2246         PropertyAttribute needs a CustomValue bit.
2247         https://bugs.webkit.org/show_bug.cgi?id=191993
2248         <rdar://problem/46264467>
2249
2250         Reviewed by Saam Barati.
2251
2252         * stress/regress-191993.js: Added.
2253
2254 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2255
2256         [BigInt] Add ValueMul into DFG
2257         https://bugs.webkit.org/show_bug.cgi?id=186175
2258
2259         Reviewed by Yusuke Suzuki.
2260
2261         * stress/big-int-mul-jit-osr.js: Added.
2262         * stress/big-int-mul-jit-untyped.js: Added.
2263         * stress/value-mul-fixup-int32-big-int.js: Added.
2264
2265 2018-12-06  Keith Miller  <keith_miller@apple.com>
2266
2267         stress/big-wasm-memory tests failing on 32-bit JSC bot
2268         https://bugs.webkit.org/show_bug.cgi?id=192020
2269
2270         Reviewed by Saam Barati.
2271
2272         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2273         the wasm stress tests if the WebAssembly object does not exist.
2274
2275         * stress/big-wasm-memory-grow-no-max.js:
2276         (test.foo):
2277         (test):
2278         (foo): Deleted.
2279         (catch): Deleted.
2280         * stress/big-wasm-memory-grow.js:
2281         (test.foo):
2282         (test):
2283         (foo): Deleted.
2284         (catch): Deleted.
2285         * stress/big-wasm-memory.js:
2286         (test.foo):
2287         (test):
2288         (foo): Deleted.
2289         (catch): Deleted.
2290
2291 2018-12-05  Mark Lam  <mark.lam@apple.com>
2292
2293         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2294         https://bugs.webkit.org/show_bug.cgi?id=192441
2295         <rdar://problem/46480355>
2296
2297         Reviewed by Saam Barati.
2298
2299         * stress/regress-192441.js: Added.
2300
2301 2018-12-04  Mark Lam  <mark.lam@apple.com>
2302
2303         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2304         https://bugs.webkit.org/show_bug.cgi?id=192386
2305         <rdar://problem/46445516>
2306
2307         Reviewed by Saam Barati.
2308
2309         * stress/regress-192386.js: Added.
2310
2311 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2312
2313         [ESNext][BigInt] Support logic operations
2314         https://bugs.webkit.org/show_bug.cgi?id=179903
2315
2316         Reviewed by Yusuke Suzuki.
2317
2318         * stress/big-int-branch-usage.js: Added.
2319         * stress/big-int-logical-and.js: Added.
2320         * stress/big-int-logical-not.js: Added.
2321         * stress/big-int-logical-or.js: Added.
2322
2323 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2324
2325         Unreviewed, rolling out r238833.
2326
2327         Breaks macOS and iOS debug builds.
2328
2329         Reverted changeset:
2330
2331         "[ESNext][BigInt] Support logic operations"
2332         https://bugs.webkit.org/show_bug.cgi?id=179903
2333         https://trac.webkit.org/changeset/238833
2334
2335 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2336
2337         [ESNext][BigInt] Support logic operations
2338         https://bugs.webkit.org/show_bug.cgi?id=179903
2339
2340         Reviewed by Yusuke Suzuki.
2341
2342         * stress/big-int-branch-usage.js: Added.
2343         * stress/big-int-logical-and.js: Added.
2344         * stress/big-int-logical-not.js: Added.
2345         * stress/big-int-logical-or.js: Added.
2346
2347 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2348
2349         [ESNext][BigInt] Implement support for "<<" and ">>"
2350         https://bugs.webkit.org/show_bug.cgi?id=186233
2351
2352         Reviewed by Yusuke Suzuki.
2353
2354         * stress/big-int-left-shift-general.js: Added.
2355         * stress/big-int-left-shift-range-error.js: Added.
2356         * stress/big-int-left-shift-type-error.js: Added.
2357         * stress/big-int-left-shift-wrapped-value.js: Added.
2358         * stress/big-int-right-shift-general.js: Added.
2359         * stress/big-int-right-shift-type-error.js: Added.
2360         * stress/big-int-right-shift-wrapped-value.js: Added.
2361         * stress/left-shift-to-primitive-precedence.js: Added.
2362         * stress/right-shift-to-primitive-precedence.js: Added.
2363
2364 2018-11-30  Dean Jackson  <dino@apple.com>
2365
2366         Add first-class support for .mjs files in jsc binary
2367         https://bugs.webkit.org/show_bug.cgi?id=192190
2368         <rdar://problem/46375715>
2369
2370         Reviewed by Keith Miller.
2371
2372         * stress/simple-module.mjs: Added.
2373         * stress/simple-script.js: Added.
2374
2375 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2376
2377         [BigInt] Implement ValueBitXor into DFG
2378         https://bugs.webkit.org/show_bug.cgi?id=190264
2379
2380         Reviewed by Yusuke Suzuki.
2381
2382         * stress/big-int-bitwise-xor-jit.js: Added.
2383         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2384         * stress/big-int-bitwise-xor-untyped.js: Added.
2385
2386 2018-11-27  Saam barati  <sbarati@apple.com>
2387
2388         r238510 broke scopes of size zero
2389         https://bugs.webkit.org/show_bug.cgi?id=192033
2390         <rdar://problem/46281734>
2391
2392         Reviewed by Keith Miller.
2393
2394         * stress/r238510-bad-loop.js: Added.
2395         (foo):
2396
2397 2018-11-27  Mark Lam  <mark.lam@apple.com>
2398
2399         [Re-landing] NaNs read from Wasm code needs to be purified.
2400         https://bugs.webkit.org/show_bug.cgi?id=191056
2401         <rdar://problem/45660341>
2402
2403         Reviewed by Filip Pizlo.
2404
2405         * wasm/regress/regress-191056.js: Added.
2406
2407 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2408
2409         Unreviewed, rolling out r238509.
2410
2411         Causes JSC tests to fail on iOS.
2412
2413         Reverted changeset:
2414
2415         "NaNs read from Wasm code needs to be purified."
2416         https://bugs.webkit.org/show_bug.cgi?id=191056
2417         https://trac.webkit.org/changeset/238509
2418
2419 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2420
2421         Re-introduce op_bitnot
2422         https://bugs.webkit.org/show_bug.cgi?id=190923
2423
2424         Reviewed by Yusuke Suzuki.
2425
2426         * stress/bit-not-must-generate.js: Added.
2427         * stress/bitwise-not-no-int32.js: Added.
2428
2429 2018-11-26  Saam barati  <sbarati@apple.com>
2430
2431         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2432         https://bugs.webkit.org/show_bug.cgi?id=191956
2433         <rdar://problem/45665806>
2434
2435         Reviewed by Yusuke Suzuki.
2436
2437         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2438         (bar):
2439         (foo):
2440
2441 2018-11-26  Saam barati  <sbarati@apple.com>
2442
2443         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2444         https://bugs.webkit.org/show_bug.cgi?id=191958
2445         <rdar://problem/46221877>
2446
2447         Reviewed by Yusuke Suzuki.
2448
2449         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2450         (x):
2451         (foo):
2452
2453 2018-11-26  Mark Lam  <mark.lam@apple.com>
2454
2455         NaNs read from Wasm code needs to be purified.
2456         https://bugs.webkit.org/show_bug.cgi?id=191056
2457         <rdar://problem/45660341>
2458
2459         Reviewed by Filip Pizlo.
2460
2461         * wasm/regress/regress-191056.js: Added.
2462
2463 2018-11-26  Michael Saboff  <msaboff@apple.com>
2464
2465         32-bit JSC test failure: stress/regexp-compile-oom.js
2466         https://bugs.webkit.org/show_bug.cgi?id=191375
2467
2468         Reviewed by Mark Lam.
2469
2470         Disabled the test for 32 bit platforms.
2471
2472         * stress/regexp-compile-oom.js:
2473
2474 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2475
2476         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2477         https://bugs.webkit.org/show_bug.cgi?id=191716
2478         <rdar://problem/45723878>
2479
2480         Reviewed by Saam Barati.
2481
2482         * stress/regress-187373.js: Added.
2483         (async.fn):
2484
2485 2018-11-21  Saam barati  <sbarati@apple.com>
2486
2487         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2488         https://bugs.webkit.org/show_bug.cgi?id=191897
2489         <rdar://problem/45871998>
2490
2491         Reviewed by Mark Lam.
2492
2493         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2494         (bar):
2495         (foo):
2496
2497 2018-11-21  Saam barati  <sbarati@apple.com>
2498
2499         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2500         https://bugs.webkit.org/show_bug.cgi?id=191895
2501         <rdar://problem/46167406>
2502
2503         Reviewed by Mark Lam.
2504
2505         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2506         (foo):
2507         (bar):
2508
2509 2018-11-21  Mark Lam  <mark.lam@apple.com>
2510
2511         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2512         https://bugs.webkit.org/show_bug.cgi?id=191776
2513         <rdar://problem/46152851>
2514
2515         Reviewed by Saam Barati.
2516
2517         * stress/big-wasm-memory-grow-no-max.js:
2518         * stress/big-wasm-memory-grow.js:
2519         * stress/big-wasm-memory.js:
2520         - updated these to expect an OutOfMemoryError.
2521
2522         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2523         (Binary.prototype.emit_u8):
2524         (Binary.prototype.emit_u32v):
2525         (Binary.prototype.emit_header):
2526         (Binary.prototype.emit_section):
2527         (Binary):
2528         (WasmModuleBuilder):
2529         (WasmModuleBuilder.prototype.addMemory):
2530         (WasmModuleBuilder.prototype.toArray):
2531         (WasmModuleBuilder.prototype.toBuffer):
2532         (WasmModuleBuilder.prototype.instantiate):
2533         (catch):
2534         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2535         (catch):
2536
2537 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2538
2539         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2540         https://bugs.webkit.org/show_bug.cgi?id=190836
2541
2542         Reviewed by Saam Barati and Yusuke Suzuki.
2543
2544         * stress/big-int-out-of-memory-tests.js: Added.
2545
2546 2018-11-20  Mark Lam  <mark.lam@apple.com>
2547
2548         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2549         https://bugs.webkit.org/show_bug.cgi?id=191856
2550         <rdar://problem/46089992>
2551
2552         Reviewed by Yusuke Suzuki.
2553
2554         * stress/regress-191856.js: Added.
2555         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2556
2557 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2558
2559         Enable JIT on ARM/Linux
2560         https://bugs.webkit.org/show_bug.cgi?id=191548
2561
2562         Reviewed by Yusuke Suzuki.
2563
2564         Disable test on system with limited memory. Program was killed by
2565         the OS before the exception was thrown.
2566
2567         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2568
2569 2018-11-20  Saam barati  <sbarati@apple.com>
2570
2571         Merging an IC variant may lead to the IC status containing overlapping structure sets
2572         https://bugs.webkit.org/show_bug.cgi?id=191869
2573         <rdar://problem/45403453>
2574
2575         Reviewed by Mark Lam.
2576
2577         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2578
2579 2018-11-19  Mark Lam  <mark.lam@apple.com>
2580
2581         globalFuncImportModule() should return a promise when it clears exceptions.
2582         https://bugs.webkit.org/show_bug.cgi?id=191792
2583         <rdar://problem/46090763>
2584
2585         Reviewed by Michael Saboff.
2586
2587         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2588
2589 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2590
2591         Skip new memory-hungry tests on memory limited devices
2592
2593         Unreviewed gardening.
2594
2595         * stress/big-wasm-memory-grow-no-max.js:
2596         * stress/big-wasm-memory-grow.js:
2597         * stress/big-wasm-memory.js:
2598
2599 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2600
2601         Unreviewed, rolling in the rest of r237254
2602         https://bugs.webkit.org/show_bug.cgi?id=190340
2603
2604         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2605         * stress/function-cache-with-parameters-end-position.js: Added.
2606         (shouldBe):
2607         (shouldThrow):
2608         (i.anonymous):
2609         * stress/function-constructor-name.js: Added.
2610         (shouldBe):
2611         (GeneratorFunction):
2612         (AsyncFunction.async):
2613         (AsyncGeneratorFunction.async):
2614         (anonymous):
2615         (async.anonymous):
2616         * test262/expectations.yaml:
2617
2618 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2619
2620         All users of ArrayBuffer should agree on the same max size
2621         https://bugs.webkit.org/show_bug.cgi?id=191771
2622
2623         Reviewed by Mark Lam.
2624
2625         * stress/big-wasm-memory-grow-no-max.js: Added.
2626         (foo):
2627         (catch):
2628         * stress/big-wasm-memory-grow.js: Added.
2629         (foo):
2630         (catch):
2631         * stress/big-wasm-memory.js: Added.
2632         (foo):
2633         (catch):
2634
2635 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2636
2637         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2638         run for each JSC config since they're regression tests for runtime bugs.
2639
2640         * stress/json-stringified-overflow-2.js:
2641         * stress/json-stringified-overflow.js:
2642
2643 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2644
2645         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2646         config since they're regression tests for runtime bugs.
2647
2648         * stress/large-unshift-splice.js:
2649         * stress/regress-185888.js:
2650
2651 2018-11-16  Saam Barati  <sbarati@apple.com>
2652
2653         KnownCellUse should also have SpecCellCheck as its type filter
2654         https://bugs.webkit.org/show_bug.cgi?id=191729
2655         <rdar://problem/45872852>
2656
2657         Reviewed by Filip Pizlo.
2658
2659         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2660         (C):
2661
2662 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2663
2664         Fix assertion failure on BytecodeGenerator::recordOpcode
2665         https://bugs.webkit.org/show_bug.cgi?id=191724
2666         <rdar://problem/45724395>
2667
2668         Reviewed by Saam Barati.
2669
2670         * stress/regress-187373-2.js: Added.
2671         (foo):
2672
2673 2018-11-15  Mark Lam  <mark.lam@apple.com>
2674
2675         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2676         https://bugs.webkit.org/show_bug.cgi?id=191730
2677         <rdar://problem/46048517>
2678
2679         Reviewed by Saam Barati.
2680
2681         * stress/regress-187006.js: Removed.
2682           - this test is invalid because its sole purpose is to test for the non-spec
2683             compliant behavior that we just fixed.
2684
2685         * stress/regress-191730.js: Added.
2686
2687 2018-11-15  Mark Lam  <mark.lam@apple.com>
2688
2689         RegExp operations should not take fast path if lastIndex is not numeric.
2690         https://bugs.webkit.org/show_bug.cgi?id=191731
2691         <rdar://problem/46017305>
2692
2693         Reviewed by Saam Barati.
2694
2695         * stress/regress-191731.js: Added.
2696
2697 2018-11-13  Saam Barati  <sbarati@apple.com>
2698
2699         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2700         https://bugs.webkit.org/show_bug.cgi?id=191600
2701
2702         Reviewed by Mark Lam.
2703
2704         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2705         (foo):
2706         (test):
2707         (bar):
2708
2709 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2710
2711         Unreviewed, rolling out r238132.
2712
2713         The test added with this change is timing out on Debug JSC
2714         bots.
2715
2716         Reverted changeset:
2717
2718         "[BigInt] JSBigInt::createWithLength should throw when length
2719         is greater than JSBigInt::maxLength"
2720         https://bugs.webkit.org/show_bug.cgi?id=190836
2721         https://trac.webkit.org/changeset/238132
2722
2723 2018-11-13  Mark Lam  <mark.lam@apple.com>
2724
2725         Add OOM detection to StringPrototype's substituteBackreferences().
2726         https://bugs.webkit.org/show_bug.cgi?id=191563
2727         <rdar://problem/45720428>
2728
2729         Reviewed by Saam Barati.
2730
2731         * stress/regress-191563.js: Added.
2732
2733 2018-11-13  Mark Lam  <mark.lam@apple.com>
2734
2735         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2736         https://bugs.webkit.org/show_bug.cgi?id=191579
2737         <rdar://problem/45942472>
2738
2739         Reviewed by Saam Barati.
2740
2741         * stress/regress-191579.js: Added.
2742
2743 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2744
2745         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2746         https://bugs.webkit.org/show_bug.cgi?id=190836
2747
2748         Reviewed by Saam Barati.
2749
2750         * stress/big-int-out-of-memory-tests.js: Added.
2751
2752 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2753
2754         U+180E is no longer a whitespace character
2755         https://bugs.webkit.org/show_bug.cgi?id=191415
2756
2757         Reviewed by Saam Barati.
2758
2759         * ChakraCore/test/es5/regexSpace.baseline:
2760         * ChakraCore/test/es6/unicode_whitespace.js:
2761         Update tests to latest version.
2762         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2763
2764         * test262.yaml:
2765         * test262/config.yaml:
2766         * test262/expectations.yaml:
2767         Update expectations.
2768
2769 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2770
2771         [BigInt] Add support to BigInt into ValueAdd
2772         https://bugs.webkit.org/show_bug.cgi?id=186177
2773
2774         Reviewed by Keith Miller.
2775
2776         * stress/big-int-negate-jit.js:
2777         * stress/value-add-big-int-and-string.js: Added.
2778         * stress/value-add-big-int-prediction-propagation.js: Added.
2779         * stress/value-add-big-int-untyped.js: Added.
2780
2781 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2782
2783         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2784         https://bugs.webkit.org/show_bug.cgi?id=191184
2785
2786         Reviewed by Saam Barati.
2787
2788         Most tests were failing due to timeouts, since they are too slow to
2789         run on CLoop. The exceptions are:
2790
2791         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2792         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2793         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2794         to change the stack size since CLoop requires it to be page aligned.
2795
2796         * microbenchmarks/array-push-1.js:
2797         * microbenchmarks/array-push-2.js:
2798         * microbenchmarks/elidable-new-object-dag.js:
2799         * microbenchmarks/elidable-new-object-roflcopter.js:
2800         * microbenchmarks/elidable-new-object-tree.js:
2801         * microbenchmarks/getter-richards.js:
2802         * microbenchmarks/sinkable-new-object-dag.js:
2803         * microbenchmarks/string-concat-long-convert.js:
2804         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2805         * slowMicrobenchmarks/array-push-3.js:
2806         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2807         * slowMicrobenchmarks/spread-small-array.js:
2808         * slowMicrobenchmarks/undefined-property-access.js:
2809         * stress/activation-sink-default-value-tdz-error.js:
2810         * stress/activation-sink-default-value.js:
2811         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2812         * stress/activation-sink-osrexit-default-value.js:
2813         * stress/activation-sink-osrexit.js:
2814         * stress/activation-sink.js:
2815         * stress/allow-math-ic-b3-code-duplication.js:
2816         * stress/array-push-multiple-int32.js:
2817         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2818         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2819         * stress/arrowfunction-lexical-this-activation-sink.js:
2820         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2821         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2822         * stress/elide-new-object-dag-then-exit.js:
2823         * stress/materialize-regexp-cyclic.js:
2824         * stress/new-regex-inline.js:
2825         * stress/op_add.js:
2826         * stress/op_bitand.js:
2827         * stress/op_bitor.js:
2828         * stress/op_bitxor.js:
2829         * stress/op_div-ConstVar.js:
2830         * stress/op_div-VarConst.js:
2831         * stress/op_div-VarVar.js:
2832         * stress/op_lshift-ConstVar.js:
2833         * stress/op_lshift-VarConst.js:
2834         * stress/op_lshift-VarVar.js:
2835         * stress/op_mod-ConstVar.js:
2836         * stress/op_mod-VarConst.js:
2837         * stress/op_mod-VarVar.js:
2838         * stress/op_mul-ConstVar.js:
2839         * stress/op_mul-VarConst.js:
2840         * stress/op_mul-VarVar.js:
2841         * stress/op_rshift-ConstVar.js:
2842         * stress/op_rshift-VarConst.js:
2843         * stress/op_rshift-VarVar.js:
2844         * stress/op_sub-ConstVar.js:
2845         * stress/op_sub-VarConst.js:
2846         * stress/op_sub-VarVar.js:
2847         * stress/op_urshift-ConstVar.js:
2848         * stress/op_urshift-VarConst.js:
2849         * stress/op_urshift-VarVar.js:
2850         * stress/proxy-get-set-correct-receiver.js:
2851         * stress/regress-179562.js:
2852         * stress/rest-parameter-many-arguments.js:
2853         * stress/sampling-profiler-richards.js:
2854         * stress/splay-flash-access-1ms.js:
2855         * stress/tailCallForwardArguments.js:
2856         * stress/typed-array-get-by-val-profiling.js:
2857         * typeProfiler/getter-richards.js:
2858
2859 2018-11-06  Michael Saboff  <msaboff@apple.com>
2860
2861         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2862         https://bugs.webkit.org/show_bug.cgi?id=191271
2863
2864         Reviewed by Saam Barati.
2865
2866         Added more test cases and made all test cases run with the same deeply recursive stack
2867         instead of finding that same point for each test case.
2868
2869         * stress/regexp-compile-oom.js:
2870         (prototype.runTest):
2871         (recurseAndTest):
2872         (testList.push.new.TestAndExpectedException):
2873
2874 2018-11-05  Michael Saboff  <msaboff@apple.com>
2875
2876         Unreviewed build fix for linux.
2877
2878         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2879
2880 2018-11-02  Michael Saboff  <msaboff@apple.com>
2881
2882         Rolling in r237753 with unreviewed build fix.
2883
2884         Fixed issues with DECLARE_THROW_SCOPE placement.
2885
2886 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2887
2888         Unreviewed, rolling out r237753.
2889
2890         Introduced JSC test failures
2891
2892         Reverted changeset:
2893
2894         "Running out of stack space not properly handled in
2895         RegExp::compile() and its callers"
2896         https://bugs.webkit.org/show_bug.cgi?id=191206
2897         https://trac.webkit.org/changeset/237753
2898
2899 2018-11-02  Michael Saboff  <msaboff@apple.com>
2900
2901         Running out of stack space not properly handled in RegExp::compile() and its callers
2902         https://bugs.webkit.org/show_bug.cgi?id=191206
2903
2904         Reviewed by Filip Pizlo.
2905
2906         New regression test.
2907
2908         * stress/regexp-compile-oom.js: Added.
2909         (recurseAndTest):
2910
2911 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2912
2913         Skip tests on arm/mips that time out now we're running on CLoop
2914
2915         Unreviewed gardening.
2916
2917         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2918         time out on the bots and need to be disabled. There's more tests
2919         disabled on arm because the timeout is longer on the mips bot (as the
2920         device is slower to start with), so many of the tests don't time out
2921         there.
2922
2923         * microbenchmarks/getter-richards.js: disable on arm and mips.
2924         * stress/op_add.js: disable on arm.
2925         * stress/op_bitand.js: disable on arm.
2926         * stress/op_bitor.js: disable on arm.
2927         * stress/op_bitxor.js: disable on arm.
2928         * stress/op_lshift-ConstVar.js: disable on arm.
2929         * stress/op_lshift-VarConst.js: disable on arm.
2930         * stress/op_lshift-VarVar.js: disable on arm.
2931         * stress/op_mod-ConstVar.js: disable on arm.
2932         * stress/op_mod-VarConst.js: disable on arm.
2933         * stress/op_mod-VarVar.js: disable on arm.
2934         * stress/op_mul-ConstVar.js: disable on arm.
2935         * stress/op_mul-VarConst.js: disable on arm.
2936         * stress/op_mul-VarVar.js: disable on arm.
2937         * stress/op_rshift-ConstVar.js: disable on arm.
2938         * stress/op_rshift-VarConst.js: disable on arm.
2939         * stress/op_rshift-VarVar.js: disable on arm.
2940         * stress/op_sub-ConstVar.js: disable on arm.
2941         * stress/op_sub-VarConst.js: disable on arm.
2942         * stress/op_sub-VarVar.js: disable on arm.
2943         * stress/op_urshift-ConstVar.js: disable on arm.
2944         * stress/op_urshift-VarConst.js: disable on arm.
2945         * stress/op_urshift-VarVar.js: disable on arm.
2946         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2947         * stress/value-to-boolean.js: disable on arm and mips.
2948
2949 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2950
2951         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2952         https://bugs.webkit.org/show_bug.cgi?id=191108
2953         <rdar://problem/45690700>
2954
2955         Reviewed by Saam Barati.
2956
2957         * stress/wide-op_catch.js: Added.
2958         (catch):
2959
2960 2018-10-29  Mark Lam  <mark.lam@apple.com>
2961
2962         Correctly detect string overflow when using the 'Function' constructor.
2963         https://bugs.webkit.org/show_bug.cgi?id=184883
2964         <rdar://problem/36320331>
2965
2966         Reviewed by Saam Barati.
2967
2968         I've verified that this passes on 32-bit as well.
2969
2970         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2971
2972 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2973
2974         Add support for GetStack FlushedDouble
2975         https://bugs.webkit.org/show_bug.cgi?id=191012
2976         <rdar://problem/45265141>
2977
2978         Reviewed by Saam Barati.
2979
2980         * stress/get-stack-double.js: Added.
2981         (bar):
2982         (noInline):
2983
2984 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2985
2986         New bytecode format for JSC
2987         https://bugs.webkit.org/show_bug.cgi?id=187373
2988         <rdar://problem/44186758>
2989
2990         Reviewed by Filip Pizlo.
2991
2992         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2993
2994         * stress/maximum-inline-capacity.js: Added.
2995         (test1):
2996         (test3.Foo):
2997         (test3):
2998
2999 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3000
3001         Unreviewed, rolling out r237479 and r237484.
3002         https://bugs.webkit.org/show_bug.cgi?id=190978
3003
3004         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3005
3006         Reverted changesets:
3007
3008         "New bytecode format for JSC"
3009         https://bugs.webkit.org/show_bug.cgi?id=187373
3010         https://trac.webkit.org/changeset/237479
3011
3012         "Gardening: Build fix after r237479."
3013         https://bugs.webkit.org/show_bug.cgi?id=187373
3014         https://trac.webkit.org/changeset/237484
3015
3016 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3017
3018         New bytecode format for JSC
3019         https://bugs.webkit.org/show_bug.cgi?id=187373
3020         <rdar://problem/44186758>
3021
3022         Reviewed by Filip Pizlo.
3023
3024         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3025
3026         * stress/maximum-inline-capacity.js: Added.
3027         (test1):
3028         (test3.Foo):
3029         (test3):
3030
3031 2018-10-26  Mark Lam  <mark.lam@apple.com>
3032
3033         Fix missing edge cases with JSGlobalObjects having a bad time.
3034         https://bugs.webkit.org/show_bug.cgi?id=189028
3035         <rdar://problem/45204939>
3036
3037         Reviewed by Saam Barati.
3038
3039         * stress/regress-189028.js: Added.
3040
3041 2018-10-22  Mark Lam  <mark.lam@apple.com>
3042
3043         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3044         https://bugs.webkit.org/show_bug.cgi?id=190515
3045         <rdar://problem/45222379>
3046
3047         Rubber-stamped by Saam Barati.
3048
3049         Adding another test.
3050
3051         * stress/regress-190515-2.js: Added.
3052
3053 2018-10-22  Mark Lam  <mark.lam@apple.com>
3054
3055         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3056         https://bugs.webkit.org/show_bug.cgi?id=190515
3057         <rdar://problem/45222379>
3058
3059         Reviewed by Saam Barati.
3060
3061         * stress/regress-190515.js: Added.
3062
3063 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3064
3065         Unreviewed, rolling out r237254.
3066         https://bugs.webkit.org/show_bug.cgi?id=190760
3067
3068         "It regresses JetStream 2 by 5% on some iOS devices"
3069         (Requested by saamyjoon on #webkit).
3070
3071         Reverted changeset:
3072
3073         "[JSC] JSC should have "parseFunction" to optimize Function
3074         constructor"
3075         https://bugs.webkit.org/show_bug.cgi?id=190340
3076         https://trac.webkit.org/changeset/237254
3077
3078 2018-10-19  Saam Barati  <sbarati@apple.com>
3079
3080         vmCall should check if we exit before emitting an OSR exit due to exceptions
3081         https://bugs.webkit.org/show_bug.cgi?id=190740
3082         <rdar://problem/45220139>
3083
3084         Reviewed by Mark Lam.
3085
3086         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3087         (foo):
3088
3089 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3090
3091         [ESNext][BigInt] Implement support for "^"
3092         https://bugs.webkit.org/show_bug.cgi?id=186235
3093
3094         Reviewed by Yusuke Suzuki.
3095
3096         * stress/big-int-bitwise-xor-general.js: Added.
3097         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3098         * stress/big-int-bitwise-xor-type-error.js: Added.
3099         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3100
3101 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3102
3103         [BigInt] Add ValueSub into DFG
3104         https://bugs.webkit.org/show_bug.cgi?id=186176
3105
3106         Reviewed by Yusuke Suzuki.
3107
3108         * stress/big-int-subtraction-jit.js:
3109         * stress/value-sub-big-int-prediction-propagation.js: Added.
3110         * stress/value-sub-big-int-untyped.js: Added.
3111         * stress/value-sub-spec-none-case.js: Added.
3112
3113 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3114
3115         [JSC] JSC should have "parseFunction" to optimize Function constructor
3116         https://bugs.webkit.org/show_bug.cgi?id=190340
3117
3118         Reviewed by Mark Lam.
3119
3120         This patch fixes the line number of syntax errors raised by the Function constructor,
3121         since we now parse the final code only once. And we no longer use block statement
3122         for Function constructor's parsing.
3123
3124         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3125         * stress/function-cache-with-parameters-end-position.js: Added.
3126         (shouldBe):
3127         (shouldThrow):
3128         (i.anonymous):
3129         * stress/function-constructor-name.js: Added.
3130         (shouldBe):
3131         (GeneratorFunction):
3132         (AsyncFunction.async):
3133         (AsyncGeneratorFunction.async):
3134         (anonymous):
3135         (async.anonymous):
3136         * test262/expectations.yaml:
3137
3138 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3139
3140         Unreviewed, rolling out r237242.
3141         https://bugs.webkit.org/show_bug.cgi?id=190701
3142
3143         it breaks "stress/sampling-profiler-basic.js" (Requested by
3144         caiolima on #webkit).
3145
3146         Reverted changeset:
3147
3148         "[BigInt] Add ValueSub into DFG"
3149         https://bugs.webkit.org/show_bug.cgi?id=186176
3150         https://trac.webkit.org/changeset/237242
3151
3152 2018-10-17  Keith Miller  <keith_miller@apple.com>
3153
3154         AI does not clear Phantom allocation nodes.
3155         https://bugs.webkit.org/show_bug.cgi?id=190694
3156
3157         Reviewed by Saam Barati.
3158
3159         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3160         (Day):
3161         (DaysInYear):
3162         (TimeInYear):
3163         (TimeFromYear):
3164         (DayFromYear):
3165         (InLeapYear):
3166         (YearFromTime):
3167         (WeekDay):
3168         (DaylightSavingTA):
3169         (GetSecondSundayInMarch):
3170         (TimeInMonth):
3171
3172 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3173
3174         [BigInt] Add ValueSub into DFG
3175         https://bugs.webkit.org/show_bug.cgi?id=186176
3176
3177         Reviewed by Yusuke Suzuki.
3178
3179         * stress/big-int-subtraction-jit.js:
3180         * stress/value-sub-big-int-prediction-propagation.js: Added.
3181         * stress/value-sub-big-int-untyped.js: Added.
3182
3183 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3184
3185         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3186         https://bugs.webkit.org/show_bug.cgi?id=190611
3187
3188         Reviewed by Saam Barati.
3189
3190         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3191         to improve test runtime. On ARM/MIPS this test even timed out when running all
3192         tests.
3193
3194         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3195         (test):
3196
3197 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3198
3199         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3200
3201         Unreviewed gardening.
3202
3203         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3204
3205 2018-10-15  Saam barati  <sbarati@apple.com>
3206
3207         Emit fjcvtzs on ARM64E on Darwin
3208         https://bugs.webkit.org/show_bug.cgi?id=184023
3209
3210         Reviewed by Yusuke Suzuki and Filip Pizlo.
3211
3212         * stress/double-to-int32-NaN.js: Added.
3213         (assert):
3214         (foo):
3215
3216 2018-10-15  Saam Barati  <sbarati@apple.com>
3217
3218         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3219         https://bugs.webkit.org/show_bug.cgi?id=190262
3220         <rdar://problem/44986241>
3221
3222         Reviewed by Mark Lam.
3223
3224         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3225         (test):
3226         * stress/slice-array-storage-with-holes.js: Added.
3227         (main):
3228
3229 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3230
3231         Unreviewed, rolling out r237054.
3232         https://bugs.webkit.org/show_bug.cgi?id=190593
3233
3234         "this regressed JetStream 2 by 6% on iOS" (Requested by
3235         saamyjoon on #webkit).
3236
3237         Reverted changeset:
3238
3239         "[JSC] JSC should have "parseFunction" to optimize Function
3240         constructor"
3241         https://bugs.webkit.org/show_bug.cgi?id=190340
3242         https://trac.webkit.org/changeset/237054
3243
3244 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3245
3246         [JSC] JSON.stringify can accept call-with-no-arguments
3247         https://bugs.webkit.org/show_bug.cgi?id=190343
3248
3249         Reviewed by Mark Lam.
3250
3251         * stress/json-stringify-no-arguments.js: Added.
3252         (shouldBe):
3253
3254 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3255
3256         [JSC] JSC should have "parseFunction" to optimize Function constructor
3257         https://bugs.webkit.org/show_bug.cgi?id=190340
3258
3259         Reviewed by Mark Lam.
3260
3261         This patch fixes the line number of syntax errors raised by the Function constructor,
3262         since we now parse the final code only once. And we no longer use block statement
3263         for Function constructor's parsing.
3264
3265         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3266         * stress/function-cache-with-parameters-end-position.js: Added.
3267         (shouldBe):
3268         (shouldThrow):
3269         (i.anonymous):
3270         * stress/function-constructor-name.js: Added.
3271         (shouldBe):
3272         (GeneratorFunction):
3273         (AsyncFunction.async):
3274         (AsyncGeneratorFunction.async):
3275         (anonymous):
3276         (async.anonymous):
3277         * test262/expectations.yaml:
3278
3279 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3280
3281         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3282         https://bugs.webkit.org/show_bug.cgi?id=190426
3283
3284         Unreviewed gardening.
3285
3286         * stress/sampling-profiler-richards.js:
3287
3288 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3289
3290         [ESNext][BigInt] Implement support for "|"
3291         https://bugs.webkit.org/show_bug.cgi?id=186229
3292
3293         Reviewed by Yusuke Suzuki.
3294
3295         * stress/big-int-bitwise-and-jit.js:
3296         * stress/big-int-bitwise-or-general.js: Added.
3297         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3298         * stress/big-int-bitwise-or-jit.js: Added.
3299         * stress/big-int-bitwise-or-memory-stress.js: Added.
3300         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3301         * stress/big-int-bitwise-or-type-error.js: Added.
3302         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3303
3304 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3305
3306         Skip test on systems with limited memory
3307         https://bugs.webkit.org/show_bug.cgi?id=190310
3308
3309         Invoking runDefault adds test to runlist, skipping the test in the next
3310         line does not prevent the test from executing. Change order of lines such
3311         that runDefault is only executed if test is not executed.
3312
3313         Reviewed by Mark Lam.
3314
3315         * stress/regress-190187.js:
3316
3317 2018-10-03  Saam barati  <sbarati@apple.com>
3318
3319         lowXYZ in FTLLower should always filter the type of the incoming edge
3320         https://bugs.webkit.org/show_bug.cgi?id=189939
3321         <rdar://problem/44407030>
3322
3323         Reviewed by Michael Saboff.
3324
3325         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3326         (foo):
3327         (test):
3328
3329 2018-10-03  Mark Lam  <mark.lam@apple.com>
3330
3331         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3332         https://bugs.webkit.org/show_bug.cgi?id=190187
3333         <rdar://problem/42512909>
3334
3335         Reviewed by Michael Saboff.
3336
3337         * stress/regress-190187.js: Added.
3338
3339 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3340
3341         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3342         https://bugs.webkit.org/show_bug.cgi?id=190033
3343
3344         Reviewed by Yusuke Suzuki.
3345
3346         * stress/big-int-to-string.js:
3347
3348 2018-10-01  Mark Lam  <mark.lam@apple.com>
3349
3350         Function.toString() should also copy the source code of Functions that are class definitions.
3351         https://bugs.webkit.org/show_bug.cgi?id=190186
3352         <rdar://problem/44733360>
3353
3354         Reviewed by Saam Barati.
3355
3356         * stress/regress-190186.js: Added.
3357
3358 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3359
3360         Split NaN-check into separate test
3361         https://bugs.webkit.org/show_bug.cgi?id=190010
3362
3363         Reviewed by Saam Barati.
3364
3365         DataView exposes NaN-representation, which is not necessarily the same on each
3366         architecture. Therefore move the check of the NaN-representation into its own
3367         file such that we can disable this test on MIPS where NaN-representation can be
3368         different on older CPUs.
3369
3370         * stress/dataview-jit-set-nan.js: Added.
3371         (assert):
3372         (test.storeLittleEndian):
3373         (test.storeBigEndian):
3374         (test.store):
3375         (test):
3376         * stress/dataview-jit-set.js:
3377         (test5):
3378
3379 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3380
3381         Unreviewed, rolling out r236647.
3382         https://bugs.webkit.org/show_bug.cgi?id=190124
3383
3384         Breaking test stress/big-int-to-string.js (Requested by
3385         caiolima_ on #webkit).
3386
3387         Reverted changeset:
3388
3389         "[BigInt] BigInt.prototype.toString is broken when radix is
3390         power of 2"
3391         https://bugs.webkit.org/show_bug.cgi?id=190033
3392         https://trac.webkit.org/changeset/236647
3393
3394 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3395
3396         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3397         https://bugs.webkit.org/show_bug.cgi?id=190033
3398
3399         Reviewed by Yusuke Suzuki.
3400
3401         * stress/big-int-to-string.js:
3402
3403 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3404
3405         [ESNext][BigInt] Implement support for "&"
3406         https://bugs.webkit.org/show_bug.cgi?id=186228
3407
3408         Reviewed by Yusuke Suzuki.
3409
3410         * stress/big-int-bitwise-and-general.js: Added.
3411         (assert):
3412         (assert.sameValue):
3413         * stress/big-int-bitwise-and-jit.js: Added.
3414         (let.assert.sameValue):
3415         (bigIntBitAnd):
3416         * stress/big-int-bitwise-and-memory-stress.js: Added.
3417         (assert):
3418         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3419         (assert.sameValue):
3420         (let.o.Symbol.toPrimitive):
3421         (catch):
3422         * stress/big-int-bitwise-and-type-error.js: Added.
3423         (assert):
3424         (assertThrowTypeError):
3425         (let.o.valueOf):
3426         (o.valueOf):
3427         (o.toString):
3428         (o.Symbol.toPrimitive):
3429         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3430         (assert.sameValue):
3431         (testBitAnd):
3432         (let.o.Symbol.toPrimitive):
3433         (o.valueOf):
3434         (o.toString):
3435
3436 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3437
3438         JSC test stress/jsc-read.js doesn't support CRLF
3439         https://bugs.webkit.org/show_bug.cgi?id=190063
3440
3441         Reviewed by Yusuke Suzuki.
3442
3443         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3444
3445         * stress/jsc-read.js:
3446         (test):
3447
3448 2018-09-27  Saam barati  <sbarati@apple.com>
3449
3450         Verify the contents of AssemblerBuffer on arm64e
3451         https://bugs.webkit.org/show_bug.cgi?id=190057
3452         <rdar://problem/38916630>
3453
3454         Reviewed by Mark Lam.
3455
3456         * stress/regress-189132.js:
3457
3458 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3459
3460         Disable test without LLInt on ARMv7
3461         https://bugs.webkit.org/show_bug.cgi?id=190037
3462
3463         Reviewed by Mark Lam.
3464
3465         Test runs out of executable memory on ARMv7, do not run
3466         this test without LLInt enabled.
3467
3468         * stress/regress-169445.js:
3469
3470 2018-09-26  Keith Miller  <keith_miller@apple.com>
3471
3472         We should zero unused property storage when rebalancing array storage.
3473         https://bugs.webkit.org/show_bug.cgi?id=188151
3474
3475         Reviewed by Michael Saboff.
3476
3477         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3478
3479 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3480
3481         [JSC] Optimize Array#lastIndexOf
3482         https://bugs.webkit.org/show_bug.cgi?id=189780
3483
3484         Reviewed by Saam Barati.
3485
3486         * stress/array-lastindexof-array-prototype-trap.js: Added.
3487         (shouldBe):
3488         (AncestorArray.prototype.get 2):
3489         (AncestorArray):
3490         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3491         (shouldBe):
3492         * stress/array-lastindexof-hole-nan.js: Added.
3493         (shouldBe):
3494         (throw.new.Error):
3495         * stress/array-lastindexof-infinity.js: Added.
3496         (shouldBe):
3497         (throw.new.Error):
3498         * stress/array-lastindexof-negative-zero.js: Added.
3499         (shouldBe):
3500         (throw.new.Error):
3501         * stress/array-lastindexof-own-getter.js: Added.
3502         (shouldBe):
3503         (throw.new.Error.get array):
3504         (get array):
3505         * stress/array-lastindexof-prototype-trap.js: Added.
3506         (shouldBe):
3507         (DerivedArray.prototype.get 2):
3508         (DerivedArray):
3509
3510 2018-09-25  Saam Barati  <sbarati@apple.com>
3511
3512         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3513         https://bugs.webkit.org/show_bug.cgi?id=189940
3514         <rdar://problem/43640987>
3515
3516         Reviewed by Mark Lam.
3517
3518         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3519
3520 2018-09-24  Saam Barati  <sbarati@apple.com>
3521
3522         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3523         https://bugs.webkit.org/show_bug.cgi?id=189922
3524         <rdar://problem/44651275>
3525
3526         Reviewed by Mark Lam.
3527
3528         * stress/array-indexof-fast-path-effects.js: Added.
3529         * stress/array-indexof-cached-length.js: Added.
3530
3531 2018-09-24  Saam barati  <sbarati@apple.com>
3532
3533         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3534         https://bugs.webkit.org/show_bug.cgi?id=189682
3535         <rdar://problem/43557315>
3536
3537         Reviewed by Mark Lam.
3538
3539         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3540         (foo):
3541
3542 2018-09-22  Saam barati  <sbarati@apple.com>
3543
3544         The sampling should not use Strong<CodeBlock> in its machineLocation field
3545         https://bugs.webkit.org/show_bug.cgi?id=189319
3546
3547         Reviewed by Filip Pizlo.
3548
3549         * stress/sampling-profiler-richards.js: Added.
3550
3551 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3552
3553         [JSC] Optimize Array#indexOf in C++ runtime
3554         https://bugs.webkit.org/show_bug.cgi?id=189507
3555
3556         Reviewed by Saam Barati.
3557
3558         * stress/array-indexof-array-prototype-trap.js: Added.
3559         (shouldBe):
3560         (AncestorArray.prototype.get 2):
3561         (AncestorArray):
3562         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3563         (shouldBe):
3564         * stress/array-indexof-hole-nan.js: Added.
3565         (shouldBe):
3566         (throw.new.Error):
3567         * stress/array-indexof-infinity.js: Added.
3568         (shouldBe):
3569         (throw.new.Error):
3570         * stress/array-indexof-negative-zero.js: Added.
3571         (shouldBe):
3572         (throw.new.Error):
3573         * stress/array-indexof-own-getter.js: Added.
3574         (shouldBe):
3575         (throw.new.Error.get array):
3576         (get array):
3577         * stress/array-indexof-prototype-trap.js: Added.
3578         (shouldBe):
3579         (DerivedArray.prototype.get 2):
3580         (DerivedArray):
3581
3582 2018-09-19  Saam barati  <sbarati@apple.com>
3583
3584         AI rule for MultiPutByOffset executes its effects in the wrong order
3585         https://bugs.webkit.org/show_bug.cgi?id=189757
3586         <rdar://problem/43535257>
3587
3588         Reviewed by Michael Saboff.
3589
3590         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3591         (foo):
3592         (Foo):
3593         (g):
3594
3595 2018-09-17  Mark Lam  <mark.lam@apple.com>
3596
3597         Ensure that ForInContexts are invalidated if their loop local is over-written.
3598         https://bugs.webkit.org/show_bug.cgi?id=189571
3599         <rdar://problem/44402277>
3600
3601         Reviewed by Saam Barati.
3602
3603         * stress/regress-189571.js: Added.
3604
3605 2018-09-17  Saam barati  <sbarati@apple.com>
3606
3607         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3608         https://bugs.webkit.org/show_bug.cgi?id=189676
3609         <rdar://problem/39682897>
3610
3611         Reviewed by Michael Saboff.
3612
3613         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3614         (A):
3615         (K):
3616         (i.catch):
3617
3618 2018-09-14  Saam barati  <sbarati@apple.com>
3619
3620         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3621         https://bugs.webkit.org/show_bug.cgi?id=189628
3622         <rdar://problem/39481690>
3623
3624         Reviewed by Mark Lam.
3625
3626         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3627         (foo):
3628
3629 2018-09-11  Mark Lam  <mark.lam@apple.com>
3630
3631         Test for array initialization in arrayProtoFuncSplice.
3632         https://bugs.webkit.org/show_bug.cgi?id=170253
3633         <rdar://problem/31328773>
3634
3635         Rubber-stamped by Saam Barati.
3636
3637         * stress/regress-170253.js: Added.
3638
3639 2018-09-11  Mark Lam  <mark.lam@apple.com>
3640
3641         Test for IntlObject initialization.
3642         https://bugs.webkit.org/show_bug.cgi?id=170251
3643         <rdar://problem/31328419>
3644
3645         Rubber-stamped by Saam Barati.
3646
3647         * stress/regress-170251.js: Added.
3648
3649 2018-09-11  Mark Lam  <mark.lam@apple.com>
3650
3651         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3652         https://bugs.webkit.org/show_bug.cgi?id=169889
3653         <rdar://problem/31155607>
3654
3655         Reviewed by Saam Barati.
3656
3657         * stress/regress-169889-array-concat.js: Added.
3658         * stress/regress-169889-array-concat1.js: Added.
3659         * stress/regress-169889-array-slice.js: Added.
3660
3661 2018-09-11  Mark Lam  <mark.lam@apple.com>
3662
3663         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3664         https://bugs.webkit.org/show_bug.cgi?id=169445
3665         <rdar://problem/30957435>
3666
3667         Reviewed by Saam Barati.
3668
3669         * stress/regress-169445.js: Added.
3670         (let.gun.eval.A):
3671         (let.gun.eval.B.C):
3672         (let.gun.eval.B.C.prototype.trigger):
3673         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3674         (let.gun.eval.B):
3675         (let.gun.eval):
3676
3677 == Rolled over to ChangeLog-2018-09-11 ==